From: Sasha Levin Date: Sun, 28 Jul 2019 19:12:22 +0000 (-0400) Subject: fixes for 5.2 X-Git-Tag: v5.2.5~26 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e1b76013997246a0d14b7443acbb393577d2a1e8;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 5.2 Signed-off-by: Sasha Levin --- diff --git a/queue-5.2/9p-pass-the-correct-prototype-to-read_cache_page.patch b/queue-5.2/9p-pass-the-correct-prototype-to-read_cache_page.patch new file mode 100644 index 00000000000..f0638fc15f7 --- /dev/null +++ b/queue-5.2/9p-pass-the-correct-prototype-to-read_cache_page.patch @@ -0,0 +1,51 @@ +From 6cdb2279ae37a21884b466fd6513bb3baa701f42 Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig +Date: Thu, 11 Jul 2019 20:55:26 -0700 +Subject: 9p: pass the correct prototype to read_cache_page + +[ Upstream commit f053cbd4366051d7eb6ba1b8d529d20f719c2963 ] + +Fix the callback 9p passes to read_cache_page to actually have the +proper type expected. Casting around function pointers can easily +hide typing bugs, and defeats control flow protection. + +Link: http://lkml.kernel.org/r/20190520055731.24538-5-hch@lst.de +Signed-off-by: Christoph Hellwig +Reviewed-by: Kees Cook +Cc: Sami Tolvanen +Cc: Nick Desaulniers +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/9p/vfs_addr.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/fs/9p/vfs_addr.c b/fs/9p/vfs_addr.c +index bc57ae9e2963..cce9ace651a2 100644 +--- a/fs/9p/vfs_addr.c ++++ b/fs/9p/vfs_addr.c +@@ -35,8 +35,9 @@ + * @page: structure to page + * + */ +-static int v9fs_fid_readpage(struct p9_fid *fid, struct page *page) ++static int v9fs_fid_readpage(void *data, struct page *page) + { ++ struct p9_fid *fid = data; + struct inode *inode = page->mapping->host; + struct bio_vec bvec = {.bv_page = page, .bv_len = PAGE_SIZE}; + struct iov_iter to; +@@ -107,7 +108,8 @@ static int v9fs_vfs_readpages(struct file *filp, struct address_space *mapping, + if (ret == 0) + return ret; + +- ret = read_cache_pages(mapping, pages, (void *)v9fs_vfs_readpage, filp); ++ ret = read_cache_pages(mapping, pages, v9fs_fid_readpage, ++ filp->private_data); + p9_debug(P9_DEBUG_VFS, " = %d\n", ret); + return ret; + } +-- +2.20.1 + diff --git a/queue-5.2/arm64-assembler-switch-esb-instruction-with-a-vanill.patch b/queue-5.2/arm64-assembler-switch-esb-instruction-with-a-vanill.patch new file mode 100644 index 00000000000..2e6633c0ef2 --- /dev/null +++ b/queue-5.2/arm64-assembler-switch-esb-instruction-with-a-vanill.patch @@ -0,0 +1,51 @@ +From 1eaf8fab3e5a140276c1691a9a19e6b27c6681a1 Mon Sep 17 00:00:00 2001 +From: James Morse +Date: Tue, 18 Jun 2019 16:17:33 +0100 +Subject: arm64: assembler: Switch ESB-instruction with a vanilla nop if + !ARM64_HAS_RAS + +[ Upstream commit 2b68a2a963a157f024c67c0697b16f5f792c8a35 ] + +The ESB-instruction is a nop on CPUs that don't implement the RAS +extensions. This lets us use it in places like the vectors without +having to use alternatives. + +If someone disables CONFIG_ARM64_RAS_EXTN, this instruction still has +its RAS extensions behaviour, but we no longer read DISR_EL1 as this +register does depend on alternatives. + +This could go wrong if we want to synchronize an SError from a KVM +guest. On a CPU that has the RAS extensions, but the KConfig option +was disabled, we consume the pending SError with no chance of ever +reading it. + +Hide the ESB-instruction behind the CONFIG_ARM64_RAS_EXTN option, +outputting a regular nop if the feature has been disabled. + +Reported-by: Julien Thierry +Signed-off-by: James Morse +Signed-off-by: Marc Zyngier +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/assembler.h | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/arch/arm64/include/asm/assembler.h b/arch/arm64/include/asm/assembler.h +index 570d195a184d..e3a15c751b13 100644 +--- a/arch/arm64/include/asm/assembler.h ++++ b/arch/arm64/include/asm/assembler.h +@@ -96,7 +96,11 @@ + * RAS Error Synchronization barrier + */ + .macro esb ++#ifdef CONFIG_ARM64_RAS_EXTN + hint #16 ++#else ++ nop ++#endif + .endm + + /* +-- +2.20.1 + diff --git a/queue-5.2/block-bio-integrity-fix-a-memory-leak-bug.patch b/queue-5.2/block-bio-integrity-fix-a-memory-leak-bug.patch new file mode 100644 index 00000000000..33374a344fc --- /dev/null +++ b/queue-5.2/block-bio-integrity-fix-a-memory-leak-bug.patch @@ -0,0 +1,50 @@ +From 47b9ef5ce313153a3285ea8424afc1cb2d1316b8 Mon Sep 17 00:00:00 2001 +From: Wenwen Wang +Date: Thu, 11 Jul 2019 14:22:02 -0500 +Subject: block/bio-integrity: fix a memory leak bug + +[ Upstream commit e7bf90e5afe3aa1d1282c1635a49e17a32c4ecec ] + +In bio_integrity_prep(), a kernel buffer is allocated through kmalloc() to +hold integrity metadata. Later on, the buffer will be attached to the bio +structure through bio_integrity_add_page(), which returns the number of +bytes of integrity metadata attached. Due to unexpected situations, +bio_integrity_add_page() may return 0. As a result, bio_integrity_prep() +needs to be terminated with 'false' returned to indicate this error. +However, the allocated kernel buffer is not freed on this execution path, +leading to a memory leak. + +To fix this issue, free the allocated buffer before returning from +bio_integrity_prep(). + +Reviewed-by: Ming Lei +Acked-by: Martin K. Petersen +Signed-off-by: Wenwen Wang +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/bio-integrity.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/block/bio-integrity.c b/block/bio-integrity.c +index 4db620849515..fb95dbb21dd8 100644 +--- a/block/bio-integrity.c ++++ b/block/bio-integrity.c +@@ -276,8 +276,12 @@ bool bio_integrity_prep(struct bio *bio) + ret = bio_integrity_add_page(bio, virt_to_page(buf), + bytes, offset); + +- if (ret == 0) +- return false; ++ if (ret == 0) { ++ printk(KERN_ERR "could not attach integrity payload\n"); ++ kfree(buf); ++ status = BLK_STS_RESOURCE; ++ goto err_end_io; ++ } + + if (ret < bytes) + break; +-- +2.20.1 + diff --git a/queue-5.2/block-init-flush-rq-ref-count-to-1.patch b/queue-5.2/block-init-flush-rq-ref-count-to-1.patch new file mode 100644 index 00000000000..8ff599e3cac --- /dev/null +++ b/queue-5.2/block-init-flush-rq-ref-count-to-1.patch @@ -0,0 +1,46 @@ +From cfea71abc4f8a177e9e8fb004373b82e5f2f10b2 Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Thu, 7 Mar 2019 21:37:18 +0000 +Subject: block: init flush rq ref count to 1 + +[ Upstream commit b554db147feea39617b533ab6bca247c91c6198a ] + +We discovered a problem in newer kernels where a disconnect of a NBD +device while the flush request was pending would result in a hang. This +is because the blk mq timeout handler does + + if (!refcount_inc_not_zero(&rq->ref)) + return true; + +to determine if it's ok to run the timeout handler for the request. +Flush_rq's don't have a ref count set, so we'd skip running the timeout +handler for this request and it would just sit there in limbo forever. + +Fix this by always setting the refcount of any request going through +blk_init_rq() to 1. I tested this with a nbd-server that dropped flush +requests to verify that it hung, and then tested with this patch to +verify I got the timeout as expected and the error handling kicked in. +Thanks, + +Signed-off-by: Josef Bacik +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/block/blk-core.c b/block/blk-core.c +index 8340f69670d8..5183fca0818a 100644 +--- a/block/blk-core.c ++++ b/block/blk-core.c +@@ -117,6 +117,7 @@ void blk_rq_init(struct request_queue *q, struct request *rq) + rq->internal_tag = -1; + rq->start_time_ns = ktime_get_ns(); + rq->part = NULL; ++ refcount_set(&rq->ref, 1); + } + EXPORT_SYMBOL(blk_rq_init); + +-- +2.20.1 + diff --git a/queue-5.2/cxgb4-reduce-kernel-stack-usage-in-cudbg_collect_mem.patch b/queue-5.2/cxgb4-reduce-kernel-stack-usage-in-cudbg_collect_mem.patch new file mode 100644 index 00000000000..9dfa2a1c822 --- /dev/null +++ b/queue-5.2/cxgb4-reduce-kernel-stack-usage-in-cudbg_collect_mem.patch @@ -0,0 +1,72 @@ +From 9976d8628e578a612d72affeb33802b71468287b Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Fri, 12 Jul 2019 11:06:33 +0200 +Subject: cxgb4: reduce kernel stack usage in cudbg_collect_mem_region() + +[ Upstream commit 752c2ea2d8e7c23b0f64e2e7d4337f3604d44c9f ] + +The cudbg_collect_mem_region() and cudbg_read_fw_mem() both use several +hundred kilobytes of kernel stack space. One gets inlined into the other, +which causes the stack usage to be combined beyond the warning limit +when building with clang: + +drivers/net/ethernet/chelsio/cxgb4/cudbg_lib.c:1057:12: error: stack frame size of 1244 bytes in function 'cudbg_collect_mem_region' [-Werror,-Wframe-larger-than=] + +Restructuring cudbg_collect_mem_region() lets clang do the same +optimization that gcc does and reuse the stack slots as it can +see that the large variables are never used together. + +A better fix might be to avoid using cudbg_meminfo on the stack +altogether, but that requires a larger rewrite. + +Fixes: a1c69520f785 ("cxgb4: collect MC memory dump") +Signed-off-by: Arnd Bergmann +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../net/ethernet/chelsio/cxgb4/cudbg_lib.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/chelsio/cxgb4/cudbg_lib.c b/drivers/net/ethernet/chelsio/cxgb4/cudbg_lib.c +index a76529a7662d..c2e92786608b 100644 +--- a/drivers/net/ethernet/chelsio/cxgb4/cudbg_lib.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/cudbg_lib.c +@@ -1054,14 +1054,12 @@ static void cudbg_t4_fwcache(struct cudbg_init *pdbg_init, + } + } + +-static int cudbg_collect_mem_region(struct cudbg_init *pdbg_init, +- struct cudbg_buffer *dbg_buff, +- struct cudbg_error *cudbg_err, +- u8 mem_type) ++static unsigned long cudbg_mem_region_size(struct cudbg_init *pdbg_init, ++ struct cudbg_error *cudbg_err, ++ u8 mem_type) + { + struct adapter *padap = pdbg_init->adap; + struct cudbg_meminfo mem_info; +- unsigned long size; + u8 mc_idx; + int rc; + +@@ -1075,7 +1073,16 @@ static int cudbg_collect_mem_region(struct cudbg_init *pdbg_init, + if (rc) + return rc; + +- size = mem_info.avail[mc_idx].limit - mem_info.avail[mc_idx].base; ++ return mem_info.avail[mc_idx].limit - mem_info.avail[mc_idx].base; ++} ++ ++static int cudbg_collect_mem_region(struct cudbg_init *pdbg_init, ++ struct cudbg_buffer *dbg_buff, ++ struct cudbg_error *cudbg_err, ++ u8 mem_type) ++{ ++ unsigned long size = cudbg_mem_region_size(pdbg_init, cudbg_err, mem_type); ++ + return cudbg_read_fw_mem(pdbg_init, dbg_buff, mem_type, size, + cudbg_err); + } +-- +2.20.1 + diff --git a/queue-5.2/dlm-check-if-workqueues-are-null-before-flushing-des.patch b/queue-5.2/dlm-check-if-workqueues-are-null-before-flushing-des.patch new file mode 100644 index 00000000000..97f8c7d1e96 --- /dev/null +++ b/queue-5.2/dlm-check-if-workqueues-are-null-before-flushing-des.patch @@ -0,0 +1,64 @@ +From bffed451d263e8d100e5614ea32a49e9c790964d Mon Sep 17 00:00:00 2001 +From: David Windsor +Date: Tue, 2 Apr 2019 08:37:10 -0400 +Subject: dlm: check if workqueues are NULL before flushing/destroying + +[ Upstream commit b355516f450703c9015316e429b66a93dfff0e6f ] + +If the DLM lowcomms stack is shut down before any DLM +traffic can be generated, flush_workqueue() and +destroy_workqueue() can be called on empty send and/or recv +workqueues. + +Insert guard conditionals to only call flush_workqueue() +and destroy_workqueue() on workqueues that are not NULL. + +Signed-off-by: David Windsor +Signed-off-by: David Teigland +Signed-off-by: Sasha Levin +--- + fs/dlm/lowcomms.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/fs/dlm/lowcomms.c b/fs/dlm/lowcomms.c +index 114ebfe30929..3951d39b9b75 100644 +--- a/fs/dlm/lowcomms.c ++++ b/fs/dlm/lowcomms.c +@@ -1628,8 +1628,10 @@ static void clean_writequeues(void) + + static void work_stop(void) + { +- destroy_workqueue(recv_workqueue); +- destroy_workqueue(send_workqueue); ++ if (recv_workqueue) ++ destroy_workqueue(recv_workqueue); ++ if (send_workqueue) ++ destroy_workqueue(send_workqueue); + } + + static int work_start(void) +@@ -1689,13 +1691,17 @@ static void work_flush(void) + struct hlist_node *n; + struct connection *con; + +- flush_workqueue(recv_workqueue); +- flush_workqueue(send_workqueue); ++ if (recv_workqueue) ++ flush_workqueue(recv_workqueue); ++ if (send_workqueue) ++ flush_workqueue(send_workqueue); + do { + ok = 1; + foreach_conn(stop_conn); +- flush_workqueue(recv_workqueue); +- flush_workqueue(send_workqueue); ++ if (recv_workqueue) ++ flush_workqueue(recv_workqueue); ++ if (send_workqueue) ++ flush_workqueue(send_workqueue); + for (i = 0; i < CONN_HASH_SIZE && ok; i++) { + hlist_for_each_entry_safe(con, n, + &connection_hash[i], list) { +-- +2.20.1 + diff --git a/queue-5.2/dma-remap-avoid-de-referencing-null-atomic_pool.patch b/queue-5.2/dma-remap-avoid-de-referencing-null-atomic_pool.patch new file mode 100644 index 00000000000..93aa6a8b975 --- /dev/null +++ b/queue-5.2/dma-remap-avoid-de-referencing-null-atomic_pool.patch @@ -0,0 +1,164 @@ +From 5e2f89871c7a366f8cefab052dc2349410026115 Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Mon, 10 Jun 2019 15:54:37 -0700 +Subject: dma-remap: Avoid de-referencing NULL atomic_pool + +[ Upstream commit 4b4b077cbd0a998aebaa72c199e06b8a4c8dcfee ] + +With architectures allowing the kernel to be placed almost arbitrarily +in memory (e.g.: ARM64), it is possible to have the kernel resides at +physical addresses above 4GB, resulting in neither the default CMA area, +nor the atomic pool from successfully allocating. This does not prevent +specific peripherals from working though, one example is XHCI, which +still operates correctly. + +Trouble comes when the XHCI driver gets suspended and resumed, since we +can now trigger the following NPD: + +[ 12.664170] usb usb1: root hub lost power or was reset +[ 12.669387] usb usb2: root hub lost power or was reset +[ 12.674662] Unable to handle kernel NULL pointer dereference at virtual address 00000008 +[ 12.682896] pgd = ffffffc1365a7000 +[ 12.686386] [00000008] *pgd=0000000136500003, *pud=0000000136500003, *pmd=0000000000000000 +[ 12.694897] Internal error: Oops: 96000006 [#1] SMP +[ 12.699843] Modules linked in: +[ 12.702980] CPU: 0 PID: 1499 Comm: pml Not tainted 4.9.135-1.13pre #51 +[ 12.709577] Hardware name: BCM97268DV (DT) +[ 12.713736] task: ffffffc136bb6540 task.stack: ffffffc1366cc000 +[ 12.719740] PC is at addr_in_gen_pool+0x4/0x48 +[ 12.724253] LR is at __dma_free+0x64/0xbc +[ 12.728325] pc : [] lr : [] pstate: 60000145 +[ 12.735825] sp : ffffffc1366cf990 +[ 12.739196] x29: ffffffc1366cf990 x28: ffffffc1366cc000 +[ 12.744608] x27: 0000000000000000 x26: ffffffc13a8568c8 +[ 12.750020] x25: 0000000000000000 x24: ffffff80098f9000 +[ 12.755433] x23: 000000013a5ff000 x22: ffffff8009c57000 +[ 12.760844] x21: ffffffc13a856810 x20: 0000000000000000 +[ 12.766255] x19: 0000000000001000 x18: 000000000000000a +[ 12.771667] x17: 0000007f917553e0 x16: 0000000000001002 +[ 12.777078] x15: 00000000000a36cb x14: ffffff80898feb77 +[ 12.782490] x13: ffffffffffffffff x12: 0000000000000030 +[ 12.787899] x11: 00000000fffffffe x10: ffffff80098feb7f +[ 12.793311] x9 : 0000000005f5e0ff x8 : 65776f702074736f +[ 12.798723] x7 : 6c2062756820746f x6 : ffffff80098febb1 +[ 12.804134] x5 : ffffff800809797c x4 : 0000000000000000 +[ 12.809545] x3 : 000000013a5ff000 x2 : 0000000000000fff +[ 12.814955] x1 : ffffff8009c57000 x0 : 0000000000000000 +[ 12.820363] +[ 12.821907] Process pml (pid: 1499, stack limit = 0xffffffc1366cc020) +[ 12.828421] Stack: (0xffffffc1366cf990 to 0xffffffc1366d0000) +[ 12.834240] f980: ffffffc1366cf9e0 ffffff80086004d0 +[ 12.842186] f9a0: ffffffc13ab08238 0000000000000010 ffffff80097c2218 ffffffc13a856810 +[ 12.850131] f9c0: ffffff8009c57000 000000013a5ff000 0000000000000008 000000013a5ff000 +[ 12.858076] f9e0: ffffffc1366cfa50 ffffff80085f9250 ffffffc13ab08238 0000000000000004 +[ 12.866021] fa00: ffffffc13ab08000 ffffff80097b6000 ffffffc13ab08130 0000000000000001 +[ 12.873966] fa20: 0000000000000008 ffffffc13a8568c8 0000000000000000 ffffffc1366cc000 +[ 12.881911] fa40: ffffffc13ab08130 0000000000000001 ffffffc1366cfa90 ffffff80085e3de8 +[ 12.889856] fa60: ffffffc13ab08238 0000000000000000 ffffffc136b75b00 0000000000000000 +[ 12.897801] fa80: 0000000000000010 ffffff80089ccb92 ffffffc1366cfac0 ffffff80084ad040 +[ 12.905746] faa0: ffffffc13a856810 0000000000000000 ffffff80084ad004 ffffff80084b91a8 +[ 12.913691] fac0: ffffffc1366cfae0 ffffff80084b91b4 ffffffc13a856810 ffffff80080db5cc +[ 12.921636] fae0: ffffffc1366cfb20 ffffff80084b96bc ffffffc13a856810 0000000000000010 +[ 12.929581] fb00: ffffffc13a856870 0000000000000000 ffffffc13a856810 ffffff800984d2b8 +[ 12.937526] fb20: ffffffc1366cfb50 ffffff80084baa70 ffffff8009932ad0 ffffff800984d260 +[ 12.945471] fb40: 0000000000000010 00000002eff0a065 ffffffc1366cfbb0 ffffff80084bafbc +[ 12.953415] fb60: 0000000000000010 0000000000000003 ffffff80098fe000 0000000000000000 +[ 12.961360] fb80: ffffff80097b6000 ffffff80097b6dc8 ffffff80098c12b8 ffffff80098c12f8 +[ 12.969306] fba0: ffffff8008842000 ffffff80097b6dc8 ffffffc1366cfbd0 ffffff80080e0d88 +[ 12.977251] fbc0: 00000000fffffffb ffffff80080e10bc ffffffc1366cfc60 ffffff80080e16a8 +[ 12.985196] fbe0: 0000000000000000 0000000000000003 ffffff80097b6000 ffffff80098fe9f0 +[ 12.993140] fc00: ffffff80097d4000 ffffff8008983802 0000000000000123 0000000000000040 +[ 13.001085] fc20: ffffff8008842000 ffffffc1366cc000 ffffff80089803c2 00000000ffffffff +[ 13.009029] fc40: 0000000000000000 0000000000000000 ffffffc1366cfc60 0000000000040987 +[ 13.016974] fc60: ffffffc1366cfcc0 ffffff80080dfd08 0000000000000003 0000000000000004 +[ 13.024919] fc80: 0000000000000003 ffffff80098fea08 ffffffc136577ec0 ffffff80089803c2 +[ 13.032864] fca0: 0000000000000123 0000000000000001 0000000500000002 0000000000040987 +[ 13.040809] fcc0: ffffffc1366cfd00 ffffff80083a89d4 0000000000000004 ffffffc136577ec0 +[ 13.048754] fce0: ffffffc136610cc0 ffffffffffffffea ffffffc1366cfeb0 ffffffc136610cd8 +[ 13.056700] fd00: ffffffc1366cfd10 ffffff800822a614 ffffffc1366cfd40 ffffff80082295d4 +[ 13.064645] fd20: 0000000000000004 ffffffc136577ec0 ffffffc136610cc0 0000000021670570 +[ 13.072590] fd40: ffffffc1366cfd80 ffffff80081b5d10 ffffff80097b6000 ffffffc13aae4200 +[ 13.080536] fd60: ffffffc1366cfeb0 0000000000000004 0000000021670570 0000000000000004 +[ 13.088481] fd80: ffffffc1366cfe30 ffffff80081b6b20 ffffffc13aae4200 0000000000000000 +[ 13.096427] fda0: 0000000000000004 0000000021670570 ffffffc1366cfeb0 ffffffc13a838200 +[ 13.104371] fdc0: 0000000000000000 000000000000000a ffffff80097b6000 0000000000040987 +[ 13.112316] fde0: ffffffc1366cfe20 ffffff80081b3af0 ffffffc13a838200 0000000000000000 +[ 13.120261] fe00: ffffffc1366cfe30 ffffff80081b6b0c ffffffc13aae4200 0000000000000000 +[ 13.128206] fe20: 0000000000000004 0000000000040987 ffffffc1366cfe70 ffffff80081b7dd8 +[ 13.136151] fe40: ffffff80097b6000 ffffffc13aae4200 ffffffc13aae4200 fffffffffffffff7 +[ 13.144096] fe60: 0000000021670570 ffffffc13a8c63c0 0000000000000000 ffffff8008083180 +[ 13.152042] fe80: ffffffffffffff1d 0000000021670570 ffffffffffffffff 0000007f917ad9b8 +[ 13.159986] fea0: 0000000020000000 0000000000000015 0000000000000000 0000000000040987 +[ 13.167930] fec0: 0000000000000001 0000000021670570 0000000000000004 0000000000000000 +[ 13.175874] fee0: 0000000000000888 0000440110000000 000000000000006d 0000000000000003 +[ 13.183819] ff00: 0000000000000040 ffffff80ffffffc8 0000000000000000 0000000000000020 +[ 13.191762] ff20: 0000000000000000 0000000000000000 0000000000000001 0000000000000000 +[ 13.199707] ff40: 0000000000000000 0000007f917553e0 0000000000000000 0000000000000004 +[ 13.207651] ff60: 0000000021670570 0000007f91835480 0000000000000004 0000007f91831638 +[ 13.215595] ff80: 0000000000000004 00000000004b0de0 00000000004b0000 0000000000000000 +[ 13.223539] ffa0: 0000000000000000 0000007fc92ac8c0 0000007f9175d178 0000007fc92ac8c0 +[ 13.231483] ffc0: 0000007f917ad9b8 0000000020000000 0000000000000001 0000000000000040 +[ 13.239427] ffe0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 +[ 13.247360] Call trace: +[ 13.249866] Exception stack(0xffffffc1366cf7a0 to 0xffffffc1366cf8d0) +[ 13.256386] f7a0: 0000000000001000 0000007fffffffff ffffffc1366cf990 ffffff80083c0df8 +[ 13.264331] f7c0: 0000000060000145 ffffff80089b5001 ffffffc13ab08130 0000000000000001 +[ 13.272275] f7e0: 0000000000000008 ffffffc13a8568c8 0000000000000000 0000000000000000 +[ 13.280220] f800: ffffffc1366cf960 ffffffc1366cf960 ffffffc1366cf930 00000000ffffffd8 +[ 13.288165] f820: ffffff8009931ac0 4554535953425553 4544006273753d4d 3831633d45434956 +[ 13.296110] f840: ffff003832313a39 ffffff800845926c ffffffc1366cf880 0000000000040987 +[ 13.304054] f860: 0000000000000000 ffffff8009c57000 0000000000000fff 000000013a5ff000 +[ 13.311999] f880: 0000000000000000 ffffff800809797c ffffff80098febb1 6c2062756820746f +[ 13.319944] f8a0: 65776f702074736f 0000000005f5e0ff ffffff80098feb7f 00000000fffffffe +[ 13.327884] f8c0: 0000000000000030 ffffffffffffffff +[ 13.332835] [] addr_in_gen_pool+0x4/0x48 +[ 13.338398] [] xhci_mem_cleanup+0xc8/0x51c +[ 13.344137] [] xhci_resume+0x308/0x65c +[ 13.349524] [] xhci_brcm_resume+0x84/0x8c +[ 13.355174] [] platform_pm_resume+0x3c/0x64 +[ 13.360997] [] dpm_run_callback+0x5c/0x15c +[ 13.366732] [] device_resume+0xc0/0x190 +[ 13.372205] [] dpm_resume+0x144/0x2cc +[ 13.377504] [] dpm_resume_end+0x20/0x34 +[ 13.382980] [] suspend_devices_and_enter+0x104/0x704 +[ 13.389585] [] pm_suspend+0x320/0x53c +[ 13.394881] [] state_store+0xbc/0xe0 +[ 13.400094] [] kobj_attr_store+0x14/0x24 +[ 13.405655] [] sysfs_kf_write+0x60/0x70 +[ 13.411128] [] kernfs_fop_write+0x130/0x194 +[ 13.416954] [] __vfs_write+0x60/0x150 +[ 13.422254] [] vfs_write+0xc8/0x164 +[ 13.427376] [] SyS_write+0x70/0xc8 +[ 13.432412] [] el0_svc_naked+0x34/0x38 +[ 13.437800] Code: 92800173 97f6fb9e 17fffff5 d1000442 (f8408c03) +[ 13.444033] ---[ end trace 2effe12f909ce205 ]--- + +The call path leading to this problem is xhci_mem_cleanup() -> +dma_free_coherent() -> dma_free_from_pool() -> addr_in_gen_pool. If the +atomic_pool is NULL, we can't possibly have the address in the atomic +pool anyway, so guard against that. + +Signed-off-by: Florian Fainelli +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + kernel/dma/remap.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/kernel/dma/remap.c b/kernel/dma/remap.c +index 7a723194ecbe..0207e3764d52 100644 +--- a/kernel/dma/remap.c ++++ b/kernel/dma/remap.c +@@ -158,6 +158,9 @@ int __init dma_atomic_pool_init(gfp_t gfp, pgprot_t prot) + + bool dma_in_atomic_pool(void *start, size_t size) + { ++ if (unlikely(!atomic_pool)) ++ return false; ++ + return addr_in_gen_pool(atomic_pool, (unsigned long)start, size); + } + +-- +2.20.1 + diff --git a/queue-5.2/drm-amd-display-always-allocate-initial-connector-st.patch b/queue-5.2/drm-amd-display-always-allocate-initial-connector-st.patch new file mode 100644 index 00000000000..e5c780914db --- /dev/null +++ b/queue-5.2/drm-amd-display-always-allocate-initial-connector-st.patch @@ -0,0 +1,59 @@ +From 8e31ec03e29a84dc4bb229ef883055591e1f87af Mon Sep 17 00:00:00 2001 +From: Nicholas Kazlauskas +Date: Tue, 4 Jun 2019 15:21:14 -0400 +Subject: drm/amd/display: Always allocate initial connector state state + +[ Upstream commit f04bee34d6e35df26cbb2d65e801adfd0d8fe20d ] + +[Why] +Unlike our regular connectors, MST connectors don't start off with +an initial connector state. This causes a NULL pointer dereference to +occur when attaching the bpc property since it tries to modify the +connector state. + +We need an initial connector state on the connector to avoid the crash. + +[How] +Use our reset helper to allocate an initial state and reset the values +to their defaults. We were already doing this before, just not for +MST connectors. + +Signed-off-by: Nicholas Kazlauskas +Reviewed-by: Leo Li +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +index 0e482349a5cb..dc3ac66a4450 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -4627,6 +4627,13 @@ void amdgpu_dm_connector_init_helper(struct amdgpu_display_manager *dm, + { + struct amdgpu_device *adev = dm->ddev->dev_private; + ++ /* ++ * Some of the properties below require access to state, like bpc. ++ * Allocate some default initial connector state with our reset helper. ++ */ ++ if (aconnector->base.funcs->reset) ++ aconnector->base.funcs->reset(&aconnector->base); ++ + aconnector->connector_id = link_index; + aconnector->dc_link = link; + aconnector->base.interlace_allowed = false; +@@ -4809,9 +4816,6 @@ static int amdgpu_dm_connector_init(struct amdgpu_display_manager *dm, + &aconnector->base, + &amdgpu_dm_connector_helper_funcs); + +- if (aconnector->base.funcs->reset) +- aconnector->base.funcs->reset(&aconnector->base); +- + amdgpu_dm_connector_init_helper( + dm, + aconnector, +-- +2.20.1 + diff --git a/queue-5.2/drm-amd-display-cs_tfm_1d-only-applied-post-eotf.patch b/queue-5.2/drm-amd-display-cs_tfm_1d-only-applied-post-eotf.patch new file mode 100644 index 00000000000..b1cf5b00c97 --- /dev/null +++ b/queue-5.2/drm-amd-display-cs_tfm_1d-only-applied-post-eotf.patch @@ -0,0 +1,42 @@ +From 602d6728b1716703f9b42a1227f5415feeebf45b Mon Sep 17 00:00:00 2001 +From: Krunoslav Kovac +Date: Thu, 16 May 2019 11:14:55 -0400 +Subject: drm/amd/display: CS_TFM_1D only applied post EOTF + +[ Upstream commit 6ad34adeaec5b56a5ba90e90099cabf1c1fe9dd2 ] + +[Why] +There's some unnecessary mem allocation for CS_TFM_ID. What's worse, it +depends on LUT size and since it's 4K for CS_TFM_1D, it is 16x bigger +than in regular case when it's actually needed. This leads to some +crashes in stress conditions. + +[How] +Skip ramp combining designed for RGB256 and DXGI gamma with CS_TFM_1D. + +Signed-off-by: Krunoslav Kovac +Reviewed-by: Aric Cyr +Acked-by: Leo Li +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/modules/color/color_gamma.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/modules/color/color_gamma.c b/drivers/gpu/drm/amd/display/modules/color/color_gamma.c +index a1055413bade..31f867bb5afe 100644 +--- a/drivers/gpu/drm/amd/display/modules/color/color_gamma.c ++++ b/drivers/gpu/drm/amd/display/modules/color/color_gamma.c +@@ -1564,7 +1564,8 @@ bool mod_color_calculate_regamma_params(struct dc_transfer_func *output_tf, + + output_tf->type = TF_TYPE_DISTRIBUTED_POINTS; + +- if (ramp && (mapUserRamp || ramp->type != GAMMA_RGB_256)) { ++ if (ramp && ramp->type != GAMMA_CS_TFM_1D && ++ (mapUserRamp || ramp->type != GAMMA_RGB_256)) { + rgb_user = kvcalloc(ramp->num_entries + _EXTRA_POINTS, + sizeof(*rgb_user), + GFP_KERNEL); +-- +2.20.1 + diff --git a/queue-5.2/drm-amd-display-disable-abm-before-destroy-abm-struc.patch b/queue-5.2/drm-amd-display-disable-abm-before-destroy-abm-struc.patch new file mode 100644 index 00000000000..0c0c505d850 --- /dev/null +++ b/queue-5.2/drm-amd-display-disable-abm-before-destroy-abm-struc.patch @@ -0,0 +1,40 @@ +From 6bad7fe2b4e1aa7c1674510f4cbafcdb2505ea5e Mon Sep 17 00:00:00 2001 +From: Paul Hsieh +Date: Fri, 3 May 2019 23:50:10 +0800 +Subject: drm/amd/display: Disable ABM before destroy ABM struct + +[ Upstream commit 1090d58d4815b1fcd95a80987391006c86398b4c ] + +[Why] +When disable driver, OS will set backlight optimization +then do stop device. But this flag will cause driver to +enable ABM when driver disabled. + +[How] +Send ABM disable command before destroy ABM construct + +Signed-off-by: Paul Hsieh +Reviewed-by: Anthony Koo +Acked-by: Bhawanpreet Lakha +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dce/dce_abm.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/amd/display/dc/dce/dce_abm.c b/drivers/gpu/drm/amd/display/dc/dce/dce_abm.c +index da96229db53a..2959c3c9390b 100644 +--- a/drivers/gpu/drm/amd/display/dc/dce/dce_abm.c ++++ b/drivers/gpu/drm/amd/display/dc/dce/dce_abm.c +@@ -473,6 +473,8 @@ void dce_abm_destroy(struct abm **abm) + { + struct dce_abm *abm_dce = TO_DCE_ABM(*abm); + ++ abm_dce->base.funcs->set_abm_immediate_disable(*abm); ++ + kfree(abm_dce); + *abm = NULL; + } +-- +2.20.1 + diff --git a/queue-5.2/drm-amd-display-disable-cursor-when-offscreen-in-neg.patch b/queue-5.2/drm-amd-display-disable-cursor-when-offscreen-in-neg.patch new file mode 100644 index 00000000000..5790c5a72ef --- /dev/null +++ b/queue-5.2/drm-amd-display-disable-cursor-when-offscreen-in-neg.patch @@ -0,0 +1,80 @@ +From 867a54c5c4ea5957dbc50e1c3b26077fb74f0092 Mon Sep 17 00:00:00 2001 +From: Nicholas Kazlauskas +Date: Thu, 18 Apr 2019 12:42:32 -0400 +Subject: drm/amd/display: Disable cursor when offscreen in negative direction + +[ Upstream commit e371e19c10a264bd72c2ff1d21e2167b994710d1 ] + +[Why] +When x or y is negative we set the x and y values to 0 and compensate +with a positive cursor hotspot in DM since DC expects positive cursor +values. + +When x or y is less than or equal to the maximum cursor width or height +the cursor hotspot is clamped so the hotspot doesn't exceed the +cursor size: + +if (x < 0) { + xorigin = min(-x, amdgpu_crtc->max_cursor_width - 1); + x = 0; +} + +if (y < 0) { + yorigin = min(-y, amdgpu_crtc->max_cursor_height - 1); + y = 0; +} + +This incorrectly forces the cursor to be at least 1 pixel on the screen +in either direction when x or y is sufficiently negative. + +[How] +Just disable the cursor when it goes far enough off the screen in one +of these directions. + +This fixes kms_cursor_crc@cursor-256x256-offscreen. + +Signed-off-by: Nicholas Kazlauskas +Reviewed-by: Sun peng Li +Acked-by: Bhawanpreet Lakha +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +index ab7c5c3004ee..fa268dd736f4 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -4952,12 +4952,12 @@ static int get_cursor_position(struct drm_plane *plane, struct drm_crtc *crtc, + int x, y; + int xorigin = 0, yorigin = 0; + +- if (!crtc || !plane->state->fb) { +- position->enable = false; +- position->x = 0; +- position->y = 0; ++ position->enable = false; ++ position->x = 0; ++ position->y = 0; ++ ++ if (!crtc || !plane->state->fb) + return 0; +- } + + if ((plane->state->crtc_w > amdgpu_crtc->max_cursor_width) || + (plane->state->crtc_h > amdgpu_crtc->max_cursor_height)) { +@@ -4971,6 +4971,10 @@ static int get_cursor_position(struct drm_plane *plane, struct drm_crtc *crtc, + x = plane->state->crtc_x; + y = plane->state->crtc_y; + ++ if (x <= -amdgpu_crtc->max_cursor_width || ++ y <= -amdgpu_crtc->max_cursor_height) ++ return 0; ++ + if (crtc->primary->state) { + /* avivo cursor are offset into the total surface */ + x += crtc->primary->state->src_x >> 16; +-- +2.20.1 + diff --git a/queue-5.2/drm-amd-display-fill-plane-attrs-only-for-valid-pxl-.patch b/queue-5.2/drm-amd-display-fill-plane-attrs-only-for-valid-pxl-.patch new file mode 100644 index 00000000000..274a28a2f17 --- /dev/null +++ b/queue-5.2/drm-amd-display-fill-plane-attrs-only-for-valid-pxl-.patch @@ -0,0 +1,40 @@ +From 7c2c726ef74608f785bdb6b4f7620b523ea95888 Mon Sep 17 00:00:00 2001 +From: Roman Li +Date: Thu, 25 Apr 2019 11:02:30 -0400 +Subject: drm/amd/display: Fill plane attrs only for valid pxl format + +[ Upstream commit 1894478ad1f8fd7366edc5cee49ee9caea0e3d52 ] + +[Why] +In fill_plane_buffer_attributes() we calculate chroma/luma +assuming that the surface_pixel_format is always valid. +If it's not the case, there's a risk of divide by zero error. + +[How] +Check if format valid before calculating pixel format attributes + +Signed-off-by: Roman Li +Reviewed-by: David Francis +Acked-by: Bhawanpreet Lakha +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +index fa268dd736f4..31530bfd002a 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -2592,7 +2592,7 @@ fill_plane_buffer_attributes(struct amdgpu_device *adev, + address->type = PLN_ADDR_TYPE_GRAPHICS; + address->grph.addr.low_part = lower_32_bits(afb->address); + address->grph.addr.high_part = upper_32_bits(afb->address); +- } else { ++ } else if (format < SURFACE_PIXEL_FORMAT_INVALID) { + uint64_t chroma_addr = afb->address + fb->offsets[1]; + + plane_size->video.luma_size.x = 0; +-- +2.20.1 + diff --git a/queue-5.2/drm-amd-display-fill-prescale_params-scale-for-rgb56.patch b/queue-5.2/drm-amd-display-fill-prescale_params-scale-for-rgb56.patch new file mode 100644 index 00000000000..c7e9ad911ff --- /dev/null +++ b/queue-5.2/drm-amd-display-fill-prescale_params-scale-for-rgb56.patch @@ -0,0 +1,43 @@ +From 219a5d022c8af78b48c926b6c2e38d9aa81f9500 Mon Sep 17 00:00:00 2001 +From: Nicholas Kazlauskas +Date: Tue, 16 Apr 2019 10:30:29 -0400 +Subject: drm/amd/display: Fill prescale_params->scale for RGB565 + +[ Upstream commit 1352c779cb74d427f4150cbe779a2f7886f70cae ] + +[Why] +An assertion is thrown when using SURFACE_PIXEL_FORMAT_GRPH_RGB565 +formats on DCE since the prescale_params->scale wasn't being filled. + +Found by a dmesg-fail when running the +igt@kms_plane@pixel-format-pipe-a-planes test on Baffin. + +[How] +Fill in the scale parameter. + +Signed-off-by: Nicholas Kazlauskas +Reviewed-by: Roman Li +Acked-by: Bhawanpreet Lakha +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dce110/dce110_hw_sequencer.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/amd/display/dc/dce110/dce110_hw_sequencer.c b/drivers/gpu/drm/amd/display/dc/dce110/dce110_hw_sequencer.c +index 7ac50ab1b762..7d7e93c87c28 100644 +--- a/drivers/gpu/drm/amd/display/dc/dce110/dce110_hw_sequencer.c ++++ b/drivers/gpu/drm/amd/display/dc/dce110/dce110_hw_sequencer.c +@@ -242,6 +242,9 @@ static void build_prescale_params(struct ipp_prescale_params *prescale_params, + prescale_params->mode = IPP_PRESCALE_MODE_FIXED_UNSIGNED; + + switch (plane_state->format) { ++ case SURFACE_PIXEL_FORMAT_GRPH_RGB565: ++ prescale_params->scale = 0x2082; ++ break; + case SURFACE_PIXEL_FORMAT_GRPH_ARGB8888: + case SURFACE_PIXEL_FORMAT_GRPH_ABGR8888: + prescale_params->scale = 0x2020; +-- +2.20.1 + diff --git a/queue-5.2/drm-amd-display-fix-compilation-error.patch b/queue-5.2/drm-amd-display-fix-compilation-error.patch new file mode 100644 index 00000000000..ae2956d50fa --- /dev/null +++ b/queue-5.2/drm-amd-display-fix-compilation-error.patch @@ -0,0 +1,41 @@ +From 467b5aa380e644bd6491ea9f9156ce51588548e7 Mon Sep 17 00:00:00 2001 +From: Hariprasad Kelam +Date: Thu, 13 Jun 2019 08:02:08 +0530 +Subject: drm/amd/display: fix compilation error +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 88099f53cc3717437f5fc9cf84205c5b65118377 ] + +this patch fixes below compilation error + +drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_hw_sequencer.c: In +function ‘dcn10_apply_ctx_for_surface’: +drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_hw_sequencer.c:2378:3: +error: implicit declaration of function ‘udelay’ +[-Werror=implicit-function-declaration] + udelay(underflow_check_delay_us); + +Signed-off-by: Hariprasad Kelam +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c +index 33d311cea28c..9e4d70a0055e 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c +@@ -23,6 +23,7 @@ + * + */ + ++#include + #include "dm_services.h" + #include "core_types.h" + #include "resource.h" +-- +2.20.1 + diff --git a/queue-5.2/drm-amd-display-fix-multi-display-seamless-boot-case.patch b/queue-5.2/drm-amd-display-fix-multi-display-seamless-boot-case.patch new file mode 100644 index 00000000000..9111572f9a7 --- /dev/null +++ b/queue-5.2/drm-amd-display-fix-multi-display-seamless-boot-case.patch @@ -0,0 +1,70 @@ +From 03285c953da5cb180c9f082f63f9712afd41465d Mon Sep 17 00:00:00 2001 +From: Anthony Koo +Date: Fri, 12 Apr 2019 21:23:45 -0400 +Subject: drm/amd/display: fix multi display seamless boot case + +[ Upstream commit 4cd75ff096f4ef49c343093b52a952f27aba7796 ] + +[Why] +There is a scenario that causes eDP to become blank if +there are multiple displays connected, and the external +display is set as the primary display such that the first +flip comes to the external display. + +In this scenario, we call our optimize function before +the eDP even has a chance to flip. + +[How] +There is a check that prevents bandwidth optimize from +occurring before first flip is complete on the seamless boot +display. +But actually it assumed the seamless boot display is the +first one to flip. But in this scenario it is not. +Modify the check to ensure the steam with the seamless +boot flag set is the one that has completed the first flip. + +Signed-off-by: Anthony Koo +Reviewed-by: Aric Cyr +Acked-by: Bhawanpreet Lakha +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/core/dc.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/core/dc.c b/drivers/gpu/drm/amd/display/dc/core/dc.c +index 18c775a950cc..ee6b646180b6 100644 +--- a/drivers/gpu/drm/amd/display/dc/core/dc.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc.c +@@ -1138,9 +1138,6 @@ static enum dc_status dc_commit_state_no_check(struct dc *dc, struct dc_state *c + const struct dc_link *link = context->streams[i]->link; + struct dc_stream_status *status; + +- if (context->streams[i]->apply_seamless_boot_optimization) +- context->streams[i]->apply_seamless_boot_optimization = false; +- + if (!context->streams[i]->mode_changed) + continue; + +@@ -1792,10 +1789,15 @@ static void commit_planes_for_stream(struct dc *dc, + if (dc->optimize_seamless_boot && surface_count > 0) { + /* Optimize seamless boot flag keeps clocks and watermarks high until + * first flip. After first flip, optimization is required to lower +- * bandwidth. ++ * bandwidth. Important to note that it is expected UEFI will ++ * only light up a single display on POST, therefore we only expect ++ * one stream with seamless boot flag set. + */ +- dc->optimize_seamless_boot = false; +- dc->optimized_required = true; ++ if (stream->apply_seamless_boot_optimization) { ++ stream->apply_seamless_boot_optimization = false; ++ dc->optimize_seamless_boot = false; ++ dc->optimized_required = true; ++ } + } + + if (update_type == UPDATE_TYPE_FULL && !dc->optimize_seamless_boot) { +-- +2.20.1 + diff --git a/queue-5.2/drm-amd-display-increase-backlight-gain-step-size.patch b/queue-5.2/drm-amd-display-increase-backlight-gain-step-size.patch new file mode 100644 index 00000000000..fe1514776ed --- /dev/null +++ b/queue-5.2/drm-amd-display-increase-backlight-gain-step-size.patch @@ -0,0 +1,55 @@ +From e0dda14d64ae1d1ec10082b1055d95869d11f9e6 Mon Sep 17 00:00:00 2001 +From: Eryk Brol +Date: Wed, 15 May 2019 15:12:41 -0400 +Subject: drm/amd/display: Increase Backlight Gain Step Size + +[ Upstream commit e25228b02e4833e5b0fdd262801a2ae6cc72b39d ] + +[Why] +Some backlight tests fail due to backlight settling +taking too long. This happens because the step +size used to change backlight levels is too small. + +[How] +1. Change the size of the backlight gain step size +2. Change how DMCU firmware gets the step size value + so that it is passed in by driver during DMCU initn + +Signed-off-by: Eryk Brol +Reviewed-by: Jun Lei +Acked-by: Leo Li +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dce/dce_dmcu.c | 3 +++ + drivers/gpu/drm/amd/display/dc/dce/dce_dmcu.h | 2 ++ + 2 files changed, 5 insertions(+) + +diff --git a/drivers/gpu/drm/amd/display/dc/dce/dce_dmcu.c b/drivers/gpu/drm/amd/display/dc/dce/dce_dmcu.c +index 818536eea00a..c6a607cd0e4b 100644 +--- a/drivers/gpu/drm/amd/display/dc/dce/dce_dmcu.c ++++ b/drivers/gpu/drm/amd/display/dc/dce/dce_dmcu.c +@@ -388,6 +388,9 @@ static bool dcn10_dmcu_init(struct dmcu *dmcu) + /* Set initialized ramping boundary value */ + REG_WRITE(MASTER_COMM_DATA_REG1, 0xFFFF); + ++ /* Set backlight ramping stepsize */ ++ REG_WRITE(MASTER_COMM_DATA_REG2, abm_gain_stepsize); ++ + /* Set command to initialize microcontroller */ + REG_UPDATE(MASTER_COMM_CMD_REG, MASTER_COMM_CMD_REG_BYTE0, + MCP_INIT_DMCU); +diff --git a/drivers/gpu/drm/amd/display/dc/dce/dce_dmcu.h b/drivers/gpu/drm/amd/display/dc/dce/dce_dmcu.h +index 60ce56f60ae3..5bd0df55aa5d 100644 +--- a/drivers/gpu/drm/amd/display/dc/dce/dce_dmcu.h ++++ b/drivers/gpu/drm/amd/display/dc/dce/dce_dmcu.h +@@ -263,4 +263,6 @@ struct dmcu *dcn10_dmcu_create( + + void dce_dmcu_destroy(struct dmcu **dmcu); + ++static const uint32_t abm_gain_stepsize = 0x0060; ++ + #endif /* _DCE_ABM_H_ */ +-- +2.20.1 + diff --git a/queue-5.2/drm-amd-display-reset-planes-for-color-management-ch.patch b/queue-5.2/drm-amd-display-reset-planes-for-color-management-ch.patch new file mode 100644 index 00000000000..788ffacd34c --- /dev/null +++ b/queue-5.2/drm-amd-display-reset-planes-for-color-management-ch.patch @@ -0,0 +1,44 @@ +From b370b2735e7d808530b755bcb14df5ffd3a9564f Mon Sep 17 00:00:00 2001 +From: Nicholas Kazlauskas +Date: Wed, 1 May 2019 10:26:09 -0400 +Subject: drm/amd/display: Reset planes for color management changes + +[ Upstream commit 7316c4ad299663a16ca9ce13e5e817b4ca760809 ] + +[Why] +For commits with allow_modeset=false and CRTC degamma changes the planes +aren't reset. This results in incorrect rendering. + +[How] +Reset the planes when color management has changed on the CRTC. +Technically this will include regamma changes as well, but it doesn't +really after legacy userspace since those commit with +allow_modeset=true. + +Signed-off-by: Nicholas Kazlauskas +Reviewed-by: Harry Wentland +Acked-by: Leo Li +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +index 31530bfd002a..0e482349a5cb 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -6331,6 +6331,10 @@ static bool should_reset_plane(struct drm_atomic_state *state, + if (!new_crtc_state) + return true; + ++ /* CRTC Degamma changes currently require us to recreate planes. */ ++ if (new_crtc_state->color_mgmt_changed) ++ return true; ++ + if (drm_atomic_crtc_needs_modeset(new_crtc_state)) + return true; + +-- +2.20.1 + diff --git a/queue-5.2/drm-amd-display-set-link-dongle_max_pix_clk-to-0-on-.patch b/queue-5.2/drm-amd-display-set-link-dongle_max_pix_clk-to-0-on-.patch new file mode 100644 index 00000000000..0a92a3390a5 --- /dev/null +++ b/queue-5.2/drm-amd-display-set-link-dongle_max_pix_clk-to-0-on-.patch @@ -0,0 +1,48 @@ +From fad64ad09b96de573669e3f4e9391ad998dbb4e2 Mon Sep 17 00:00:00 2001 +From: Samson Tam +Date: Tue, 28 May 2019 14:44:40 -0400 +Subject: drm/amd/display: set link->dongle_max_pix_clk to 0 on a disconnect + +[ Upstream commit 233d87a579b8adcc6da5823fa507ecb6675e7562 ] + +[Why] +Found issue in EDID Emulation where if we connect a display using + a passive HDMI-DP dongle, disconnect it and then try to emulate + a display using DP, we could not see 4K modes. This was because + on a disconnect, dongle_max_pix_clk was still set so when we + emulate using DP, in dc_link_validate_mode_timing(), it would + think we were still using a dongle and limit the modes we support. + +[How] +In dc_link_detect(), set dongle_max_pix_clk to 0 when we detect + a hotplug out ( if new_connection_type = dc_connection_none ). + +Signed-off-by: Samson Tam +Reviewed-by: Jun Lei +Acked-by: Bhawanpreet Lakha +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/core/dc_link.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_link.c b/drivers/gpu/drm/amd/display/dc/core/dc_link.c +index b37ecc3ede61..a3ff33ff6da1 100644 +--- a/drivers/gpu/drm/amd/display/dc/core/dc_link.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc_link.c +@@ -960,6 +960,12 @@ bool dc_link_detect(struct dc_link *link, enum dc_detect_reason reason) + + link->type = dc_connection_none; + sink_caps.signal = SIGNAL_TYPE_NONE; ++ /* When we unplug a passive DP-HDMI dongle connection, dongle_max_pix_clk ++ * is not cleared. If we emulate a DP signal on this connection, it thinks ++ * the dongle is still there and limits the number of modes we can emulate. ++ * Clear dongle_max_pix_clk on disconnect to fix this ++ */ ++ link->dongle_max_pix_clk = 0; + } + + LINK_INFO("link=%d, dc_sink_in=%p is now %s prev_sink=%p dpcd same=%d edid same=%d\n", +-- +2.20.1 + diff --git a/queue-5.2/drm-amd-display-update-link-rate-from-dpcd-10.patch b/queue-5.2/drm-amd-display-update-link-rate-from-dpcd-10.patch new file mode 100644 index 00000000000..cc3a1857b9e --- /dev/null +++ b/queue-5.2/drm-amd-display-update-link-rate-from-dpcd-10.patch @@ -0,0 +1,64 @@ +From 2c345ffab896b04d245be908997eccee64a93455 Mon Sep 17 00:00:00 2001 +From: Wesley Chalmers +Date: Thu, 16 May 2019 12:40:25 -0400 +Subject: drm/amd/display: Update link rate from DPCD 10 + +[ Upstream commit 53c81fc7875bc2dca358485dac3999e14ec91a00 ] + +[WHY] +Some panels return a link rate of 0 (unknown) in DPCD 0. In this case, +an appropriate mode cannot be set, and certain panels will show +corruption as they are forced to use a mode they do not support. + +[HOW] +Read DPCD 10 in the case where supported link rate from DPCD 0 is +unknown, and pass that value on to the reported link rate. +This re-introduces behaviour present in previous versions that appears +to have been accidentally removed. + +Signed-off-by: Wesley Chalmers +Reviewed-by: Anthony Koo +Acked-by: Bhawanpreet Lakha +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c b/drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c +index 1ee544a32ebb..253311864cdd 100644 +--- a/drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c +@@ -1624,8 +1624,7 @@ static bool decide_edp_link_settings(struct dc_link *link, struct dc_link_settin + uint32_t link_bw; + + if (link->dpcd_caps.dpcd_rev.raw < DPCD_REV_14 || +- link->dpcd_caps.edp_supported_link_rates_count == 0 || +- link->dc->config.optimize_edp_link_rate == false) { ++ link->dpcd_caps.edp_supported_link_rates_count == 0) { + *link_setting = link->verified_link_cap; + return true; + } +@@ -2597,7 +2596,8 @@ void detect_edp_sink_caps(struct dc_link *link) + memset(supported_link_rates, 0, sizeof(supported_link_rates)); + + if (link->dpcd_caps.dpcd_rev.raw >= DPCD_REV_14 && +- link->dc->config.optimize_edp_link_rate) { ++ (link->dc->config.optimize_edp_link_rate || ++ link->reported_link_cap.link_rate == LINK_RATE_UNKNOWN)) { + // Read DPCD 00010h - 0001Fh 16 bytes at one shot + core_link_read_dpcd(link, DP_SUPPORTED_LINK_RATES, + supported_link_rates, sizeof(supported_link_rates)); +@@ -2612,6 +2612,9 @@ void detect_edp_sink_caps(struct dc_link *link) + link_rate = linkRateInKHzToLinkRateMultiplier(link_rate_in_khz); + link->dpcd_caps.edp_supported_link_rates[link->dpcd_caps.edp_supported_link_rates_count] = link_rate; + link->dpcd_caps.edp_supported_link_rates_count++; ++ ++ if (link->reported_link_cap.link_rate < link_rate) ++ link->reported_link_cap.link_rate = link_rate; + } + } + } +-- +2.20.1 + diff --git a/queue-5.2/drm-amdgpu-reserve-shared-fence-for-eviction-fence.patch b/queue-5.2/drm-amdgpu-reserve-shared-fence-for-eviction-fence.patch new file mode 100644 index 00000000000..e19181ce055 --- /dev/null +++ b/queue-5.2/drm-amdgpu-reserve-shared-fence-for-eviction-fence.patch @@ -0,0 +1,47 @@ +From a4d3b2d563556551bc87f1dedb4bde58dfcc825a Mon Sep 17 00:00:00 2001 +From: Felix Kuehling +Date: Wed, 1 May 2019 17:43:10 -0400 +Subject: drm/amdgpu: Reserve shared fence for eviction fence +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit dd68722c427d5b33420dce0ed0c44b4881e0a416 ] + +Need to reserve space for the shared eviction fence when initializing +a KFD VM. + +Signed-off-by: Felix Kuehling +Acked-by: Christian König +Reviewed-by: Harish Kasiviswanathan +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c +index a6e5184d436c..4b192e0ce92f 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c +@@ -896,6 +896,9 @@ static int init_kfd_vm(struct amdgpu_vm *vm, void **process_info, + AMDGPU_FENCE_OWNER_KFD, false); + if (ret) + goto wait_pd_fail; ++ ret = reservation_object_reserve_shared(vm->root.base.bo->tbo.resv, 1); ++ if (ret) ++ goto reserve_shared_fail; + amdgpu_bo_fence(vm->root.base.bo, + &vm->process_info->eviction_fence->base, true); + amdgpu_bo_unreserve(vm->root.base.bo); +@@ -909,6 +912,7 @@ static int init_kfd_vm(struct amdgpu_vm *vm, void **process_info, + + return 0; + ++reserve_shared_fail: + wait_pd_fail: + validate_pd_fail: + amdgpu_bo_unreserve(vm->root.base.bo); +-- +2.20.1 + diff --git a/queue-5.2/drm-amdgpu-sriov-need-to-initialize-the-hdp_nonsurfa.patch b/queue-5.2/drm-amdgpu-sriov-need-to-initialize-the-hdp_nonsurfa.patch new file mode 100644 index 00000000000..78797bd1c4b --- /dev/null +++ b/queue-5.2/drm-amdgpu-sriov-need-to-initialize-the-hdp_nonsurfa.patch @@ -0,0 +1,42 @@ +From 0a3f682f66d1b1b86ddc18e42c64f35aaac5c8a5 Mon Sep 17 00:00:00 2001 +From: Tiecheng Zhou +Date: Tue, 14 May 2019 10:03:35 +0800 +Subject: drm/amdgpu/sriov: Need to initialize the HDP_NONSURFACE_BAStE +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit fe2b5323d2c3cedaa3bf943dc7a0d233c853c914 ] + +it requires to initialize HDP_NONSURFACE_BASE, so as to avoid +using the value left by a previous VM under sriov scenario. + +v2: it should not hurt baremetal, generalize it for both sriov +and baremetal + +Signed-off-by: Emily Deng +Signed-off-by: Tiecheng Zhou +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c b/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c +index 72837b8c7031..c2086eb00555 100644 +--- a/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c +@@ -1163,6 +1163,9 @@ static int gmc_v9_0_gart_enable(struct amdgpu_device *adev) + tmp = RREG32_SOC15(HDP, 0, mmHDP_HOST_PATH_CNTL); + WREG32_SOC15(HDP, 0, mmHDP_HOST_PATH_CNTL, tmp); + ++ WREG32_SOC15(HDP, 0, mmHDP_NONSURFACE_BASE, (adev->gmc.vram_start >> 8)); ++ WREG32_SOC15(HDP, 0, mmHDP_NONSURFACE_BASE_HI, (adev->gmc.vram_start >> 40)); ++ + /* After HDP is initialized, flush HDP.*/ + adev->nbio_funcs->hdp_flush(adev, NULL); + +-- +2.20.1 + diff --git a/queue-5.2/drm-amdkfd-fix-a-potential-memory-leak.patch b/queue-5.2/drm-amdkfd-fix-a-potential-memory-leak.patch new file mode 100644 index 00000000000..c4a5af770b8 --- /dev/null +++ b/queue-5.2/drm-amdkfd-fix-a-potential-memory-leak.patch @@ -0,0 +1,45 @@ +From 6df690f95491efb59d56d58328901c2ebfa2d872 Mon Sep 17 00:00:00 2001 +From: Oak Zeng +Date: Tue, 27 Nov 2018 22:08:25 -0600 +Subject: drm/amdkfd: Fix a potential memory leak + +[ Upstream commit e73390d181103a19e1111ec2f25559a0570e9fe0 ] + +Free mqd_mem_obj it GTT buffer allocation for MQD+control stack fails. + +Signed-off-by: Oak Zeng +Reviewed-by: Felix Kuehling +Signed-off-by: Felix Kuehling +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c +index 9dbba609450e..8fe74b821b32 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c +@@ -76,6 +76,7 @@ static int init_mqd(struct mqd_manager *mm, void **mqd, + struct v9_mqd *m; + struct kfd_dev *kfd = mm->dev; + ++ *mqd_mem_obj = NULL; + /* From V9, for CWSR, the control stack is located on the next page + * boundary after the mqd, we will use the gtt allocation function + * instead of sub-allocation function. +@@ -93,8 +94,10 @@ static int init_mqd(struct mqd_manager *mm, void **mqd, + } else + retval = kfd_gtt_sa_allocate(mm->dev, sizeof(struct v9_mqd), + mqd_mem_obj); +- if (retval != 0) ++ if (retval) { ++ kfree(*mqd_mem_obj); + return -ENOMEM; ++ } + + m = (struct v9_mqd *) (*mqd_mem_obj)->cpu_ptr; + addr = (*mqd_mem_obj)->gpu_addr; +-- +2.20.1 + diff --git a/queue-5.2/drm-amdkfd-fix-sdma-queue-map-issue.patch b/queue-5.2/drm-amdkfd-fix-sdma-queue-map-issue.patch new file mode 100644 index 00000000000..7d8f46c2965 --- /dev/null +++ b/queue-5.2/drm-amdkfd-fix-sdma-queue-map-issue.patch @@ -0,0 +1,64 @@ +From 9ae91cc67dbd13e98927fe5de1aa588cb49c275c Mon Sep 17 00:00:00 2001 +From: Oak Zeng +Date: Fri, 8 Feb 2019 15:44:35 -0600 +Subject: drm/amdkfd: Fix sdma queue map issue + +[ Upstream commit 065e4bdfa1f3ab2884c110394d8b7e7ebe3b988c ] + +Previous codes assumes there are two sdma engines. +This is not true e.g., Raven only has 1 SDMA engine. +Fix the issue by using sdma engine number info in +device_info. + +Signed-off-by: Oak Zeng +Reviewed-by: Felix Kuehling +Signed-off-by: Felix Kuehling +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../drm/amd/amdkfd/kfd_device_queue_manager.c | 21 +++++++++++-------- + 1 file changed, 12 insertions(+), 9 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c +index ae381450601c..afbaf6f5131e 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c +@@ -1268,12 +1268,17 @@ int amdkfd_fence_wait_timeout(unsigned int *fence_addr, + return 0; + } + +-static int unmap_sdma_queues(struct device_queue_manager *dqm, +- unsigned int sdma_engine) ++static int unmap_sdma_queues(struct device_queue_manager *dqm) + { +- return pm_send_unmap_queue(&dqm->packets, KFD_QUEUE_TYPE_SDMA, +- KFD_UNMAP_QUEUES_FILTER_DYNAMIC_QUEUES, 0, false, +- sdma_engine); ++ int i, retval = 0; ++ ++ for (i = 0; i < dqm->dev->device_info->num_sdma_engines; i++) { ++ retval = pm_send_unmap_queue(&dqm->packets, KFD_QUEUE_TYPE_SDMA, ++ KFD_UNMAP_QUEUES_FILTER_DYNAMIC_QUEUES, 0, false, i); ++ if (retval) ++ return retval; ++ } ++ return retval; + } + + /* dqm->lock mutex has to be locked before calling this function */ +@@ -1312,10 +1317,8 @@ static int unmap_queues_cpsch(struct device_queue_manager *dqm, + pr_debug("Before destroying queues, sdma queue count is : %u\n", + dqm->sdma_queue_count); + +- if (dqm->sdma_queue_count > 0) { +- unmap_sdma_queues(dqm, 0); +- unmap_sdma_queues(dqm, 1); +- } ++ if (dqm->sdma_queue_count > 0) ++ unmap_sdma_queues(dqm); + + retval = pm_send_unmap_queue(&dqm->packets, KFD_QUEUE_TYPE_COMPUTE, + filter, filter_param, false, 0); +-- +2.20.1 + diff --git a/queue-5.2/drm-bochs-fix-connector-leak-during-driver-unload.patch b/queue-5.2/drm-bochs-fix-connector-leak-during-driver-unload.patch new file mode 100644 index 00000000000..1bddaf9f736 --- /dev/null +++ b/queue-5.2/drm-bochs-fix-connector-leak-during-driver-unload.patch @@ -0,0 +1,46 @@ +From ed0856e62ddba21bad13b5b9cad3d16e3c171034 Mon Sep 17 00:00:00 2001 +From: Sam Bobroff +Date: Tue, 21 May 2019 15:28:39 +1000 +Subject: drm/bochs: Fix connector leak during driver unload + +[ Upstream commit 3c6b8625dde82600fd03ad1fcba223f1303ee535 ] + +When unloading the bochs-drm driver, a warning message is printed by +drm_mode_config_cleanup() because a reference is still held to one of +the drm_connector structs. + +Correct this by calling drm_atomic_helper_shutdown() in +bochs_pci_remove(). + +Fixes: 6579c39594ae ("drm/bochs: atomic: switch planes to atomic, wire up helpers.") +Signed-off-by: Sam Bobroff +Link: http://patchwork.freedesktop.org/patch/msgid/93b363ad62f4938d9ddf3e05b2a61e3f66b2dcd3.1558416473.git.sbobroff@linux.ibm.com +Signed-off-by: Gerd Hoffmann +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bochs/bochs_drv.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/bochs/bochs_drv.c b/drivers/gpu/drm/bochs/bochs_drv.c +index b86cc705138c..d8b945596b09 100644 +--- a/drivers/gpu/drm/bochs/bochs_drv.c ++++ b/drivers/gpu/drm/bochs/bochs_drv.c +@@ -7,6 +7,7 @@ + #include + #include + #include ++#include + + #include "bochs.h" + +@@ -171,6 +172,7 @@ static void bochs_pci_remove(struct pci_dev *pdev) + { + struct drm_device *dev = pci_get_drvdata(pdev); + ++ drm_atomic_helper_shutdown(dev); + drm_dev_unregister(dev); + bochs_unload(dev); + drm_dev_put(dev); +-- +2.20.1 + diff --git a/queue-5.2/drm-bridge-sii902x-pixel-clock-unit-is-10khz-instead.patch b/queue-5.2/drm-bridge-sii902x-pixel-clock-unit-is-10khz-instead.patch new file mode 100644 index 00000000000..1d0f73f1456 --- /dev/null +++ b/queue-5.2/drm-bridge-sii902x-pixel-clock-unit-is-10khz-instead.patch @@ -0,0 +1,42 @@ +From 88860fb9ff9b333327fe81bac335a1f275446c49 Mon Sep 17 00:00:00 2001 +From: Jyri Sarha +Date: Mon, 27 May 2019 16:47:54 +0300 +Subject: drm/bridge: sii902x: pixel clock unit is 10kHz instead of 1kHz + +[ Upstream commit 8dbfc5b65023b67397aca28e8adb25c819f6398c ] + +The pixel clock unit in the first two registers (0x00 and 0x01) of +sii9022 is 10kHz, not 1kHz as in struct drm_display_mode. Division by +10 fixes the issue. + +Signed-off-by: Jyri Sarha +Reviewed-by: Andrzej Hajda +Reviewed-by: Laurent Pinchart +Signed-off-by: Andrzej Hajda +Link: https://patchwork.freedesktop.org/patch/msgid/1a2a8eae0b9d6333e7a5841026bf7fd65c9ccd09.1558964241.git.jsarha@ti.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/sii902x.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/sii902x.c b/drivers/gpu/drm/bridge/sii902x.c +index 1211b5379df1..8e3c5e599eba 100644 +--- a/drivers/gpu/drm/bridge/sii902x.c ++++ b/drivers/gpu/drm/bridge/sii902x.c +@@ -229,10 +229,11 @@ static void sii902x_bridge_mode_set(struct drm_bridge *bridge, + struct regmap *regmap = sii902x->regmap; + u8 buf[HDMI_INFOFRAME_SIZE(AVI)]; + struct hdmi_avi_infoframe frame; ++ u16 pixel_clock_10kHz = adj->clock / 10; + int ret; + +- buf[0] = adj->clock; +- buf[1] = adj->clock >> 8; ++ buf[0] = pixel_clock_10kHz & 0xff; ++ buf[1] = pixel_clock_10kHz >> 8; + buf[2] = adj->vrefresh; + buf[3] = 0x00; + buf[4] = adj->hdisplay; +-- +2.20.1 + diff --git a/queue-5.2/drm-bridge-tc358767-read-display_props-in-get_modes.patch b/queue-5.2/drm-bridge-tc358767-read-display_props-in-get_modes.patch new file mode 100644 index 00000000000..b7df8965d24 --- /dev/null +++ b/queue-5.2/drm-bridge-tc358767-read-display_props-in-get_modes.patch @@ -0,0 +1,44 @@ +From c971c885db18d4aa9117d6143d03b88f0da71b04 Mon Sep 17 00:00:00 2001 +From: Tomi Valkeinen +Date: Tue, 28 May 2019 11:27:44 +0300 +Subject: drm/bridge: tc358767: read display_props in get_modes() + +[ Upstream commit 3231573065ad4f4ecc5c9147b24f29f846dc0c2f ] + +We need to know the link bandwidth to filter out modes we cannot +support, so we need to have read the display props before doing the +filtering. + +To ensure we have up to date display props, call tc_get_display_props() +in the beginning of tc_connector_get_modes(). + +Signed-off-by: Tomi Valkeinen +Reviewed-by: Andrzej Hajda +Signed-off-by: Andrzej Hajda +Link: https://patchwork.freedesktop.org/patch/msgid/20190528082747.3631-22-tomi.valkeinen@ti.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/tc358767.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/gpu/drm/bridge/tc358767.c b/drivers/gpu/drm/bridge/tc358767.c +index 4655bb1eb88f..f59a51e19dab 100644 +--- a/drivers/gpu/drm/bridge/tc358767.c ++++ b/drivers/gpu/drm/bridge/tc358767.c +@@ -1141,6 +1141,13 @@ static int tc_connector_get_modes(struct drm_connector *connector) + struct tc_data *tc = connector_to_tc(connector); + struct edid *edid; + unsigned int count; ++ int ret; ++ ++ ret = tc_get_display_props(tc); ++ if (ret < 0) { ++ dev_err(tc->dev, "failed to read display props: %d\n", ret); ++ return 0; ++ } + + if (tc->panel && tc->panel->funcs && tc->panel->funcs->get_modes) { + count = tc->panel->funcs->get_modes(tc->panel); +-- +2.20.1 + diff --git a/queue-5.2/drm-bridge-tfp410-fix-use-of-cancel_delayed_work_syn.patch b/queue-5.2/drm-bridge-tfp410-fix-use-of-cancel_delayed_work_syn.patch new file mode 100644 index 00000000000..2c5ed14c0fa --- /dev/null +++ b/queue-5.2/drm-bridge-tfp410-fix-use-of-cancel_delayed_work_syn.patch @@ -0,0 +1,41 @@ +From f741858ebb682d193b91f78ec5d84586bcd99b22 Mon Sep 17 00:00:00 2001 +From: Tomi Valkeinen +Date: Mon, 10 Jun 2019 16:57:39 +0300 +Subject: drm/bridge: tfp410: fix use of cancel_delayed_work_sync + +[ Upstream commit b1622cb3be4557fd086831ca7426eafe5f1acc2e ] + +We use delayed_work in HPD handling, and cancel any scheduled work in +tfp410_fini using cancel_delayed_work_sync(). However, we have only +initialized the delayed work if we actually have a HPD interrupt +configured in the DT, but in the tfp410_fini, we always cancel the work, +possibly causing a WARN(). + +Fix this by doing the cancel only if we actually had the delayed work +set up. + +Signed-off-by: Tomi Valkeinen +Signed-off-by: Andrzej Hajda +Link: https://patchwork.freedesktop.org/patch/msgid/20190610135739.6077-2-tomi.valkeinen@ti.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/ti-tfp410.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/bridge/ti-tfp410.c b/drivers/gpu/drm/bridge/ti-tfp410.c +index a879aac21246..3a8af9978ebd 100644 +--- a/drivers/gpu/drm/bridge/ti-tfp410.c ++++ b/drivers/gpu/drm/bridge/ti-tfp410.c +@@ -372,7 +372,8 @@ static int tfp410_fini(struct device *dev) + { + struct tfp410 *dvi = dev_get_drvdata(dev); + +- cancel_delayed_work_sync(&dvi->hpd_work); ++ if (dvi->hpd_irq >= 0) ++ cancel_delayed_work_sync(&dvi->hpd_work); + + drm_bridge_remove(&dvi->bridge); + +-- +2.20.1 + diff --git a/queue-5.2/drm-crc-debugfs-also-sprinkle-irqrestore-over-early-.patch b/queue-5.2/drm-crc-debugfs-also-sprinkle-irqrestore-over-early-.patch new file mode 100644 index 00000000000..c9414127c55 --- /dev/null +++ b/queue-5.2/drm-crc-debugfs-also-sprinkle-irqrestore-over-early-.patch @@ -0,0 +1,54 @@ +From 2756ab28745da9c6ad60bcf9d608c0afc2d450ed Mon Sep 17 00:00:00 2001 +From: Daniel Vetter +Date: Thu, 6 Jun 2019 23:15:44 +0200 +Subject: drm/crc-debugfs: Also sprinkle irqrestore over early exits +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit d99004d7201aa653658ff2390d6e516567c96ebc ] + +I. was. blind. + +Caught with vkms, which has some really slow crc computation function. + +Fixes: 1882018a70e0 ("drm/crc-debugfs: User irqsafe spinlock in drm_crtc_add_crc_entry") +Cc: Rodrigo Siqueira +Cc: Tomeu Vizoso +Cc: Emil Velikov +Cc: Benjamin Gaignard +Cc: Ville Syrjälä +Reviewed-by: Emil Velikov +Reviewed-by: Benjamin Gaignard +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20190606211544.5389-1-daniel.vetter@ffwll.ch +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_debugfs_crc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/drm_debugfs_crc.c b/drivers/gpu/drm/drm_debugfs_crc.c +index 1a6a5b78e30f..fde298d9f510 100644 +--- a/drivers/gpu/drm/drm_debugfs_crc.c ++++ b/drivers/gpu/drm/drm_debugfs_crc.c +@@ -395,7 +395,7 @@ int drm_crtc_add_crc_entry(struct drm_crtc *crtc, bool has_frame, + + /* Caller may not have noticed yet that userspace has stopped reading */ + if (!crc->entries) { +- spin_unlock(&crc->lock); ++ spin_unlock_irqrestore(&crc->lock, flags); + return -EINVAL; + } + +@@ -406,7 +406,7 @@ int drm_crtc_add_crc_entry(struct drm_crtc *crtc, bool has_frame, + bool was_overflow = crc->overflow; + + crc->overflow = true; +- spin_unlock(&crc->lock); ++ spin_unlock_irqrestore(&crc->lock, flags); + + if (!was_overflow) + DRM_ERROR("Overflow of CRC buffer, userspace reads too slow.\n"); +-- +2.20.1 + diff --git a/queue-5.2/drm-crc-debugfs-user-irqsafe-spinlock-in-drm_crtc_ad.patch b/queue-5.2/drm-crc-debugfs-user-irqsafe-spinlock-in-drm_crtc_ad.patch new file mode 100644 index 00000000000..8781ce75861 --- /dev/null +++ b/queue-5.2/drm-crc-debugfs-user-irqsafe-spinlock-in-drm_crtc_ad.patch @@ -0,0 +1,55 @@ +From 7795c36c07f893be8e33d24f4272a1dc1de26d77 Mon Sep 17 00:00:00 2001 +From: Daniel Vetter +Date: Wed, 5 Jun 2019 21:45:56 +0200 +Subject: drm/crc-debugfs: User irqsafe spinlock in drm_crtc_add_crc_entry +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 1882018a70e06376234133e69ede9dd743b4dbd9 ] + +We can be called from any context, we need to be prepared. + +Noticed this while hacking on vkms, which calls this function from a +normal worker. Which really upsets lockdep. + +Cc: Rodrigo Siqueira +Cc: Tomeu Vizoso +Cc: Emil Velikov +Cc: Benjamin Gaignard +Reviewed-by: Benjamin Gaignard +Reviewed-by: Ville Syrjälä +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20190605194556.16744-1-daniel.vetter@ffwll.ch +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_debugfs_crc.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/drm_debugfs_crc.c b/drivers/gpu/drm/drm_debugfs_crc.c +index 00e743153e94..1a6a5b78e30f 100644 +--- a/drivers/gpu/drm/drm_debugfs_crc.c ++++ b/drivers/gpu/drm/drm_debugfs_crc.c +@@ -389,8 +389,9 @@ int drm_crtc_add_crc_entry(struct drm_crtc *crtc, bool has_frame, + struct drm_crtc_crc *crc = &crtc->crc; + struct drm_crtc_crc_entry *entry; + int head, tail; ++ unsigned long flags; + +- spin_lock(&crc->lock); ++ spin_lock_irqsave(&crc->lock, flags); + + /* Caller may not have noticed yet that userspace has stopped reading */ + if (!crc->entries) { +@@ -421,7 +422,7 @@ int drm_crtc_add_crc_entry(struct drm_crtc *crtc, bool has_frame, + head = (head + 1) & (DRM_CRC_ENTRIES_NR - 1); + crc->head = head; + +- spin_unlock(&crc->lock); ++ spin_unlock_irqrestore(&crc->lock, flags); + + wake_up_interruptible(&crc->wq); + +-- +2.20.1 + diff --git a/queue-5.2/drm-edid-fix-a-missing-check-bug-in-drm_load_edid_fi.patch b/queue-5.2/drm-edid-fix-a-missing-check-bug-in-drm_load_edid_fi.patch new file mode 100644 index 00000000000..8ec592b880f --- /dev/null +++ b/queue-5.2/drm-edid-fix-a-missing-check-bug-in-drm_load_edid_fi.patch @@ -0,0 +1,40 @@ +From f498f460edb48abd41dbd7482d451b71b46d78cd Mon Sep 17 00:00:00 2001 +From: Gen Zhang +Date: Fri, 24 May 2019 10:32:22 +0800 +Subject: drm/edid: Fix a missing-check bug in drm_load_edid_firmware() + +[ Upstream commit 9f1f1a2dab38d4ce87a13565cf4dc1b73bef3a5f ] + +In drm_load_edid_firmware(), fwstr is allocated by kstrdup(). And fwstr +is dereferenced in the following codes. However, memory allocation +functions such as kstrdup() may fail and returns NULL. Dereferencing +this null pointer may cause the kernel go wrong. Thus we should check +this kstrdup() operation. +Further, if kstrdup() returns NULL, we should return ERR_PTR(-ENOMEM) to +the caller site. + +Signed-off-by: Gen Zhang +Reviewed-by: Jani Nikula +Signed-off-by: Jani Nikula +Link: https://patchwork.freedesktop.org/patch/msgid/20190524023222.GA5302@zhanggen-UX430UQ +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_edid_load.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/drm_edid_load.c b/drivers/gpu/drm/drm_edid_load.c +index 1e5593575d23..6192b7b20d84 100644 +--- a/drivers/gpu/drm/drm_edid_load.c ++++ b/drivers/gpu/drm/drm_edid_load.c +@@ -278,6 +278,8 @@ struct edid *drm_load_edid_firmware(struct drm_connector *connector) + * the last one found one as a fallback. + */ + fwstr = kstrdup(edid_firmware, GFP_KERNEL); ++ if (!fwstr) ++ return ERR_PTR(-ENOMEM); + edidstr = fwstr; + + while ((edidname = strsep(&edidstr, ","))) { +-- +2.20.1 + diff --git a/queue-5.2/drm-lima-handle-shared-irq-case-for-lima_pp_bcast_ir.patch b/queue-5.2/drm-lima-handle-shared-irq-case-for-lima_pp_bcast_ir.patch new file mode 100644 index 00000000000..e6e1044f4fe --- /dev/null +++ b/queue-5.2/drm-lima-handle-shared-irq-case-for-lima_pp_bcast_ir.patch @@ -0,0 +1,44 @@ +From 928025928bb7604ce517c34b811f9cd7fb458711 Mon Sep 17 00:00:00 2001 +From: Peter Griffin +Date: Fri, 19 Apr 2019 09:33:01 +0100 +Subject: drm/lima: handle shared irq case for lima_pp_bcast_irq_handler + +[ Upstream commit 409c53f07a81f8db122c461f3255c6f43558c881 ] + +On Hikey board all lima ip blocks are shared with one irq. +This patch avoids a NULL ptr deref crash on this platform +on startup. Tested with Weston and kmscube. + +Signed-off-by: Peter Griffin +Cc: Rob Herring +Cc: Daniel Vetter +Cc: Qiang Yu +Signed-off-by: Qiang Yu +Link: https://patchwork.freedesktop.org/patch/msgid/1555662781-22570-7-git-send-email-peter.griffin@linaro.org +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/lima/lima_pp.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/lima/lima_pp.c b/drivers/gpu/drm/lima/lima_pp.c +index d29721e177bf..8fef224b93c8 100644 +--- a/drivers/gpu/drm/lima/lima_pp.c ++++ b/drivers/gpu/drm/lima/lima_pp.c +@@ -64,7 +64,13 @@ static irqreturn_t lima_pp_bcast_irq_handler(int irq, void *data) + struct lima_ip *pp_bcast = data; + struct lima_device *dev = pp_bcast->dev; + struct lima_sched_pipe *pipe = dev->pipe + lima_pipe_pp; +- struct drm_lima_m450_pp_frame *frame = pipe->current_task->frame; ++ struct drm_lima_m450_pp_frame *frame; ++ ++ /* for shared irq case */ ++ if (!pipe->current_task) ++ return IRQ_NONE; ++ ++ frame = pipe->current_task->frame; + + for (i = 0; i < frame->num_pp; i++) { + struct lima_ip *ip = pipe->processor[i]; +-- +2.20.1 + diff --git a/queue-5.2/drm-msm-a6xx-avoid-freeing-gmu-resources-multiple-ti.patch b/queue-5.2/drm-msm-a6xx-avoid-freeing-gmu-resources-multiple-ti.patch new file mode 100644 index 00000000000..7a6db537f77 --- /dev/null +++ b/queue-5.2/drm-msm-a6xx-avoid-freeing-gmu-resources-multiple-ti.patch @@ -0,0 +1,113 @@ +From 26cf8a05daa39ab4456c5daf62397ffca319d1bb Mon Sep 17 00:00:00 2001 +From: Sean Paul +Date: Thu, 23 May 2019 13:16:40 -0400 +Subject: drm/msm/a6xx: Avoid freeing gmu resources multiple times + +[ Upstream commit 606ec90fc2266284f584a96ebf7f874589f56251 ] + +The driver checks for gmu->mmio as a sign that the device has been +initialized, however there are failures in probe below the mmio init. +If one of those is hit, mmio will be non-null but freed. + +In that case, a6xx_gmu_probe will return an error to a6xx_gpu_init which +will in turn call a6xx_gmu_remove which checks gmu->mmio and tries to free +resources for a second time. This causes a great boom. + +Fix this by adding an initialized member to gmu which is set on +successful probe and cleared on removal. + +Changes in v2: +- None + +Cc: Jordan Crouse +Reviewed-by: Jordan Crouse +Signed-off-by: Sean Paul +Link: https://patchwork.freedesktop.org/patch/msgid/20190523171653.138678-1-sean@poorly.run +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/adreno/a6xx_gmu.c | 14 +++++++++----- + drivers/gpu/drm/msm/adreno/a6xx_gmu.h | 1 + + 2 files changed, 10 insertions(+), 5 deletions(-) + +diff --git a/drivers/gpu/drm/msm/adreno/a6xx_gmu.c b/drivers/gpu/drm/msm/adreno/a6xx_gmu.c +index 418bb08bbed7..6910d0468e3c 100644 +--- a/drivers/gpu/drm/msm/adreno/a6xx_gmu.c ++++ b/drivers/gpu/drm/msm/adreno/a6xx_gmu.c +@@ -74,7 +74,7 @@ bool a6xx_gmu_sptprac_is_on(struct a6xx_gmu *gmu) + u32 val; + + /* This can be called from gpu state code so make sure GMU is valid */ +- if (IS_ERR_OR_NULL(gmu->mmio)) ++ if (!gmu->initialized) + return false; + + val = gmu_read(gmu, REG_A6XX_GMU_SPTPRAC_PWR_CLK_STATUS); +@@ -90,7 +90,7 @@ bool a6xx_gmu_gx_is_on(struct a6xx_gmu *gmu) + u32 val; + + /* This can be called from gpu state code so make sure GMU is valid */ +- if (IS_ERR_OR_NULL(gmu->mmio)) ++ if (!gmu->initialized) + return false; + + val = gmu_read(gmu, REG_A6XX_GMU_SPTPRAC_PWR_CLK_STATUS); +@@ -697,7 +697,7 @@ int a6xx_gmu_resume(struct a6xx_gpu *a6xx_gpu) + struct a6xx_gmu *gmu = &a6xx_gpu->gmu; + int status, ret; + +- if (WARN(!gmu->mmio, "The GMU is not set up yet\n")) ++ if (WARN(!gmu->initialized, "The GMU is not set up yet\n")) + return 0; + + gmu->hung = false; +@@ -767,7 +767,7 @@ bool a6xx_gmu_isidle(struct a6xx_gmu *gmu) + { + u32 reg; + +- if (!gmu->mmio) ++ if (!gmu->initialized) + return true; + + reg = gmu_read(gmu, REG_A6XX_GPU_GMU_AO_GPU_CX_BUSY_STATUS); +@@ -1229,7 +1229,7 @@ void a6xx_gmu_remove(struct a6xx_gpu *a6xx_gpu) + { + struct a6xx_gmu *gmu = &a6xx_gpu->gmu; + +- if (IS_ERR_OR_NULL(gmu->mmio)) ++ if (!gmu->initialized) + return; + + a6xx_gmu_stop(a6xx_gpu); +@@ -1247,6 +1247,8 @@ void a6xx_gmu_remove(struct a6xx_gpu *a6xx_gpu) + iommu_detach_device(gmu->domain, gmu->dev); + + iommu_domain_free(gmu->domain); ++ ++ gmu->initialized = false; + } + + int a6xx_gmu_probe(struct a6xx_gpu *a6xx_gpu, struct device_node *node) +@@ -1311,6 +1313,8 @@ int a6xx_gmu_probe(struct a6xx_gpu *a6xx_gpu, struct device_node *node) + /* Set up the HFI queues */ + a6xx_hfi_init(gmu); + ++ gmu->initialized = true; ++ + return 0; + err: + a6xx_gmu_memory_free(gmu, gmu->hfi); +diff --git a/drivers/gpu/drm/msm/adreno/a6xx_gmu.h b/drivers/gpu/drm/msm/adreno/a6xx_gmu.h +index bedd8e6a63aa..39a26dd63674 100644 +--- a/drivers/gpu/drm/msm/adreno/a6xx_gmu.h ++++ b/drivers/gpu/drm/msm/adreno/a6xx_gmu.h +@@ -75,6 +75,7 @@ struct a6xx_gmu { + + struct a6xx_hfi_queue queues[2]; + ++ bool initialized; + bool hung; + }; + +-- +2.20.1 + diff --git a/queue-5.2/drm-msm-a6xx-check-for-err-or-null-before-iounmap.patch b/queue-5.2/drm-msm-a6xx-check-for-err-or-null-before-iounmap.patch new file mode 100644 index 00000000000..a29b5307d8c --- /dev/null +++ b/queue-5.2/drm-msm-a6xx-check-for-err-or-null-before-iounmap.patch @@ -0,0 +1,42 @@ +From 0d3420ee0fa09dac24c180197db295238bac727d Mon Sep 17 00:00:00 2001 +From: Sean Paul +Date: Thu, 23 May 2019 13:16:42 -0400 +Subject: drm/msm/a6xx: Check for ERR or NULL before iounmap + +[ Upstream commit 5ca4a094ba7e1369363dcbcbde8baf06ddcdc2d1 ] + +pdcptr and seqptr aren't necessarily valid, check them before trying to +unmap them. + +Changes in v2: +- None + +Cc: Jordan Crouse +Reviewed-by: Jordan Crouse +Signed-off-by: Sean Paul +Link: https://patchwork.freedesktop.org/patch/msgid/20190523171653.138678-3-sean@poorly.run +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/adreno/a6xx_gmu.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/msm/adreno/a6xx_gmu.c b/drivers/gpu/drm/msm/adreno/a6xx_gmu.c +index 38e2cfa9cec7..418bb08bbed7 100644 +--- a/drivers/gpu/drm/msm/adreno/a6xx_gmu.c ++++ b/drivers/gpu/drm/msm/adreno/a6xx_gmu.c +@@ -504,8 +504,10 @@ static void a6xx_gmu_rpmh_init(struct a6xx_gmu *gmu) + wmb(); + + err: +- devm_iounmap(gmu->dev, pdcptr); +- devm_iounmap(gmu->dev, seqptr); ++ if (!IS_ERR_OR_NULL(pdcptr)) ++ devm_iounmap(gmu->dev, pdcptr); ++ if (!IS_ERR_OR_NULL(seqptr)) ++ devm_iounmap(gmu->dev, seqptr); + } + + /* +-- +2.20.1 + diff --git a/queue-5.2/drm-msm-adreno-ensure-that-the-zap-shader-region-is-.patch b/queue-5.2/drm-msm-adreno-ensure-that-the-zap-shader-region-is-.patch new file mode 100644 index 00000000000..56adfd87dae --- /dev/null +++ b/queue-5.2/drm-msm-adreno-ensure-that-the-zap-shader-region-is-.patch @@ -0,0 +1,48 @@ +From 27f9a8d6cf44c83c267d5d9a3c1214bb515a6c3a Mon Sep 17 00:00:00 2001 +From: Jordan Crouse +Date: Fri, 31 May 2019 16:09:38 -0600 +Subject: drm/msm/adreno: Ensure that the zap shader region is big enough + +[ Upstream commit 6672e11cad662ce6631e04c38f92a140a99c042c ] + +Before loading the zap shader we should ensure that the reserved memory +region is big enough to hold the loaded file. + +Signed-off-by: Jordan Crouse +Reviewed-by: Bjorn Andersson +Reviewed-by: Jeffrey Hugo +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/adreno/adreno_gpu.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/adreno/adreno_gpu.c b/drivers/gpu/drm/msm/adreno/adreno_gpu.c +index a9c0ac937b00..9acbbc0f3232 100644 +--- a/drivers/gpu/drm/msm/adreno/adreno_gpu.c ++++ b/drivers/gpu/drm/msm/adreno/adreno_gpu.c +@@ -56,7 +56,6 @@ static int zap_shader_load_mdt(struct msm_gpu *gpu, const char *fwname, + return ret; + + mem_phys = r.start; +- mem_size = resource_size(&r); + + /* Request the MDT file for the firmware */ + fw = adreno_request_fw(to_adreno_gpu(gpu), fwname); +@@ -72,6 +71,13 @@ static int zap_shader_load_mdt(struct msm_gpu *gpu, const char *fwname, + goto out; + } + ++ if (mem_size > resource_size(&r)) { ++ DRM_DEV_ERROR(dev, ++ "memory region is too small to load the MDT\n"); ++ ret = -E2BIG; ++ goto out; ++ } ++ + /* Allocate memory for the firmware image */ + mem_region = memremap(mem_phys, mem_size, MEMREMAP_WC); + if (!mem_region) { +-- +2.20.1 + diff --git a/queue-5.2/drm-msm-depopulate-platform-on-probe-failure.patch b/queue-5.2/drm-msm-depopulate-platform-on-probe-failure.patch new file mode 100644 index 00000000000..138f95c78d5 --- /dev/null +++ b/queue-5.2/drm-msm-depopulate-platform-on-probe-failure.patch @@ -0,0 +1,60 @@ +From c3f0a938277a4785765b0cbb43316c37310e0c0e Mon Sep 17 00:00:00 2001 +From: Sean Paul +Date: Mon, 17 Jun 2019 16:12:51 -0400 +Subject: drm/msm: Depopulate platform on probe failure + +[ Upstream commit 4368a1539c6b41ac3cddc06f5a5117952998804c ] + +add_display_components() calls of_platform_populate, and we depopluate +on pdev remove, but not when probe fails. So if we get a probe deferral +in one of the components, we won't depopulate the platform. This causes +the core to keep references to devices which should be destroyed, which +causes issues when those same devices try to re-initialize on the next +probe attempt. + +I think this is the reason we had issues with the gmu's device-managed +resources on deferral (worked around in commit 94e3a17f33a5). + +Reviewed-by: Rob Clark +Signed-off-by: Sean Paul +Link: https://patchwork.freedesktop.org/patch/msgid/20190617201301.133275-3-sean@poorly.run +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/msm_drv.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/msm/msm_drv.c b/drivers/gpu/drm/msm/msm_drv.c +index f38d7367bd3b..4a0fe8a25ad7 100644 +--- a/drivers/gpu/drm/msm/msm_drv.c ++++ b/drivers/gpu/drm/msm/msm_drv.c +@@ -1306,16 +1306,24 @@ static int msm_pdev_probe(struct platform_device *pdev) + + ret = add_gpu_components(&pdev->dev, &match); + if (ret) +- return ret; ++ goto fail; + + /* on all devices that I am aware of, iommu's which can map + * any address the cpu can see are used: + */ + ret = dma_set_mask_and_coherent(&pdev->dev, ~0); + if (ret) +- return ret; ++ goto fail; ++ ++ ret = component_master_add_with_match(&pdev->dev, &msm_drm_ops, match); ++ if (ret) ++ goto fail; + +- return component_master_add_with_match(&pdev->dev, &msm_drm_ops, match); ++ return 0; ++ ++fail: ++ of_platform_depopulate(&pdev->dev); ++ return ret; + } + + static int msm_pdev_remove(struct platform_device *pdev) +-- +2.20.1 + diff --git a/queue-5.2/drm-omap-don-t-check-dispc-timings-for-dsi.patch b/queue-5.2/drm-omap-don-t-check-dispc-timings-for-dsi.patch new file mode 100644 index 00000000000..766a3a1d989 --- /dev/null +++ b/queue-5.2/drm-omap-don-t-check-dispc-timings-for-dsi.patch @@ -0,0 +1,56 @@ +From 3083af7cbadb663083fe0bd9f51ffc942a3a1d5c Mon Sep 17 00:00:00 2001 +From: Sebastian Reichel +Date: Thu, 23 May 2019 22:07:54 +0200 +Subject: drm/omap: don't check dispc timings for DSI + +[ Upstream commit ad9df7d91b4a6e8f4b20c2bf539ac09b3b2ad6eb ] + +While most display types only forward their VM to the DISPC, this +is not true for DSI. DSI calculates the VM for DISPC based on its +own, but it's not identical. Actually the DSI VM is not even a valid +DISPC VM making this check fail. Let's restore the old behaviour +and avoid checking the DISPC VM for DSI here. + +Fixes: 7c27fa57ef31 ("drm/omap: Call dispc timings check operation directly") +Acked-by: Pavel Machek +Tested-by: Tony Lindgren +Tested-by: Pavel Machek +Signed-off-by: Sebastian Reichel +Signed-off-by: Tomi Valkeinen +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/omapdrm/omap_crtc.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/omapdrm/omap_crtc.c b/drivers/gpu/drm/omapdrm/omap_crtc.c +index 8712af79a49c..4c43dd282acc 100644 +--- a/drivers/gpu/drm/omapdrm/omap_crtc.c ++++ b/drivers/gpu/drm/omapdrm/omap_crtc.c +@@ -384,10 +384,20 @@ static enum drm_mode_status omap_crtc_mode_valid(struct drm_crtc *crtc, + int r; + + drm_display_mode_to_videomode(mode, &vm); +- r = priv->dispc_ops->mgr_check_timings(priv->dispc, omap_crtc->channel, +- &vm); +- if (r) +- return r; ++ ++ /* ++ * DSI might not call this, since the supplied mode is not a ++ * valid DISPC mode. DSI will calculate and configure the ++ * proper DISPC mode later. ++ */ ++ if (omap_crtc->pipe->output->next == NULL || ++ omap_crtc->pipe->output->next->type != OMAP_DISPLAY_TYPE_DSI) { ++ r = priv->dispc_ops->mgr_check_timings(priv->dispc, ++ omap_crtc->channel, ++ &vm); ++ if (r) ++ return r; ++ } + + /* Check for bandwidth limit */ + if (priv->max_bandwidth) { +-- +2.20.1 + diff --git a/queue-5.2/drm-panel-simple-fix-panel_simple_dsi_probe.patch b/queue-5.2/drm-panel-simple-fix-panel_simple_dsi_probe.patch new file mode 100644 index 00000000000..05ad68ad8a8 --- /dev/null +++ b/queue-5.2/drm-panel-simple-fix-panel_simple_dsi_probe.patch @@ -0,0 +1,41 @@ +From fcde15bec173b3245337d5bc5098ad61acdc49e8 Mon Sep 17 00:00:00 2001 +From: Peter Ujfalusi +Date: Tue, 26 Feb 2019 10:11:53 +0200 +Subject: drm/panel: simple: Fix panel_simple_dsi_probe + +[ Upstream commit 7ad9db66fafb0f0ad53fd2a66217105da5ddeffe ] + +In case mipi_dsi_attach() fails remove the registered panel to avoid added +panel without corresponding device. + +Signed-off-by: Peter Ujfalusi +Signed-off-by: Thierry Reding +Link: https://patchwork.freedesktop.org/patch/msgid/20190226081153.31334-1-peter.ujfalusi@ti.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panel/panel-simple.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c +index 569be4efd8d1..48e2fa7bbe48 100644 +--- a/drivers/gpu/drm/panel/panel-simple.c ++++ b/drivers/gpu/drm/panel/panel-simple.c +@@ -3098,7 +3098,14 @@ static int panel_simple_dsi_probe(struct mipi_dsi_device *dsi) + dsi->format = desc->format; + dsi->lanes = desc->lanes; + +- return mipi_dsi_attach(dsi); ++ err = mipi_dsi_attach(dsi); ++ if (err) { ++ struct panel_simple *panel = dev_get_drvdata(&dsi->dev); ++ ++ drm_panel_remove(&panel->base); ++ } ++ ++ return err; + } + + static int panel_simple_dsi_remove(struct mipi_dsi_device *dsi) +-- +2.20.1 + diff --git a/queue-5.2/drm-rockchip-properly-adjust-to-a-true-clock-in-adju.patch b/queue-5.2/drm-rockchip-properly-adjust-to-a-true-clock-in-adju.patch new file mode 100644 index 00000000000..91310b0e6d6 --- /dev/null +++ b/queue-5.2/drm-rockchip-properly-adjust-to-a-true-clock-in-adju.patch @@ -0,0 +1,46 @@ +From 2af77b8d61cb9e45eaacd020a0214a53b820c273 Mon Sep 17 00:00:00 2001 +From: Douglas Anderson +Date: Fri, 14 Jun 2019 15:47:29 -0700 +Subject: drm/rockchip: Properly adjust to a true clock in adjusted_mode + +[ Upstream commit 99b9683f2142b20bad78e61f7f829e8714e45685 ] + +When fixing up the clock in vop_crtc_mode_fixup() we're not doing it +quite correctly. Specifically if we've got the true clock 266666667 Hz, +we'll perform this calculation: + 266666667 / 1000 => 266666 + +Later when we try to set the clock we'll do clk_set_rate(266666 * +1000). The common clock framework won't actually pick the proper clock +in this case since it always wants clocks <= the specified one. + +Let's solve this by using DIV_ROUND_UP. + +Fixes: b59b8de31497 ("drm/rockchip: return a true clock rate to adjusted_mode") +Signed-off-by: Douglas Anderson +Signed-off-by: Sean Paul +Reviewed-by: Yakir Yang +Signed-off-by: Heiko Stuebner +Link: https://patchwork.freedesktop.org/patch/msgid/20190614224730.98622-1-dianders@chromium.org +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_vop.c b/drivers/gpu/drm/rockchip/rockchip_drm_vop.c +index 12ed5265a90b..09046135e720 100644 +--- a/drivers/gpu/drm/rockchip/rockchip_drm_vop.c ++++ b/drivers/gpu/drm/rockchip/rockchip_drm_vop.c +@@ -1011,7 +1011,8 @@ static bool vop_crtc_mode_fixup(struct drm_crtc *crtc, + struct vop *vop = to_vop(crtc); + + adjusted_mode->clock = +- clk_round_rate(vop->dclk, mode->clock * 1000) / 1000; ++ DIV_ROUND_UP(clk_round_rate(vop->dclk, mode->clock * 1000), ++ 1000); + + return true; + } +-- +2.20.1 + diff --git a/queue-5.2/drm-virtio-add-memory-barriers-for-capset-cache.patch b/queue-5.2/drm-virtio-add-memory-barriers-for-capset-cache.patch new file mode 100644 index 00000000000..a30efd7eefd --- /dev/null +++ b/queue-5.2/drm-virtio-add-memory-barriers-for-capset-cache.patch @@ -0,0 +1,50 @@ +From b8776768ca0de9cd381b85bdfc36a9b24ca01d71 Mon Sep 17 00:00:00 2001 +From: David Riley +Date: Mon, 10 Jun 2019 14:18:10 -0700 +Subject: drm/virtio: Add memory barriers for capset cache. + +[ Upstream commit 9ff3a5c88e1f1ab17a31402b96d45abe14aab9d7 ] + +After data is copied to the cache entry, atomic_set is used indicate +that the data is the entry is valid without appropriate memory barriers. +Similarly the read side was missing the corresponding memory barriers. + +Signed-off-by: David Riley +Link: http://patchwork.freedesktop.org/patch/msgid/20190610211810.253227-5-davidriley@chromium.org +Signed-off-by: Gerd Hoffmann +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/virtio/virtgpu_ioctl.c | 3 +++ + drivers/gpu/drm/virtio/virtgpu_vq.c | 2 ++ + 2 files changed, 5 insertions(+) + +diff --git a/drivers/gpu/drm/virtio/virtgpu_ioctl.c b/drivers/gpu/drm/virtio/virtgpu_ioctl.c +index 949a264985fc..19fbffd0f7a3 100644 +--- a/drivers/gpu/drm/virtio/virtgpu_ioctl.c ++++ b/drivers/gpu/drm/virtio/virtgpu_ioctl.c +@@ -542,6 +542,9 @@ static int virtio_gpu_get_caps_ioctl(struct drm_device *dev, + if (!ret) + return -EBUSY; + ++ /* is_valid check must proceed before copy of the cache entry. */ ++ smp_rmb(); ++ + ptr = cache_ent->caps_cache; + + copy_exit: +diff --git a/drivers/gpu/drm/virtio/virtgpu_vq.c b/drivers/gpu/drm/virtio/virtgpu_vq.c +index 5bb0f0a084e9..a7684f9c80db 100644 +--- a/drivers/gpu/drm/virtio/virtgpu_vq.c ++++ b/drivers/gpu/drm/virtio/virtgpu_vq.c +@@ -583,6 +583,8 @@ static void virtio_gpu_cmd_capset_cb(struct virtio_gpu_device *vgdev, + cache_ent->id == le32_to_cpu(cmd->capset_id)) { + memcpy(cache_ent->caps_cache, resp->capset_data, + cache_ent->size); ++ /* Copy must occur before is_valid is signalled. */ ++ smp_wmb(); + atomic_set(&cache_ent->is_valid, 1); + break; + } +-- +2.20.1 + diff --git a/queue-5.2/drm-virtio-set-seqno-for-dma-fence.patch b/queue-5.2/drm-virtio-set-seqno-for-dma-fence.patch new file mode 100644 index 00000000000..c906a581775 --- /dev/null +++ b/queue-5.2/drm-virtio-set-seqno-for-dma-fence.patch @@ -0,0 +1,109 @@ +From 72a7094c132afcd9f5b88bb899ce991e4101fe7b Mon Sep 17 00:00:00 2001 +From: Chia-I Wu +Date: Mon, 29 Apr 2019 15:08:23 -0700 +Subject: drm/virtio: set seqno for dma-fence + +[ Upstream commit efe2bf965522bf0796d413b47a2abbf81d471d6f ] + +This is motivated by having meaningful ftrace events, but it also +fixes use cases where dma_fence_is_later is called, such as in +sync_file_merge. + +In other drivers, fence creation and cmdbuf submission normally +happen atomically, + + mutex_lock(); + fence = dma_fence_create(..., ++timeline->seqno); + submit_cmdbuf(); + mutex_unlock(); + +and have no such issue. But in our driver, because most ioctls +queue commands into ctrlq, we do not want to grab a lock. Instead, +we set seqno to 0 when a fence is created, and update it when the +command is finally queued and the seqno is known. + +Signed-off-by: Chia-I Wu +Reviewed-by: Emil Velikov +Link: http://patchwork.freedesktop.org/patch/msgid/20190429220825.156644-1-olvaffe@gmail.com +Signed-off-by: Gerd Hoffmann +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/virtio/virtgpu_drv.h | 1 - + drivers/gpu/drm/virtio/virtgpu_fence.c | 17 ++++++++++------- + 2 files changed, 10 insertions(+), 8 deletions(-) + +diff --git a/drivers/gpu/drm/virtio/virtgpu_drv.h b/drivers/gpu/drm/virtio/virtgpu_drv.h +index b69ae10ca238..d724fb3de44e 100644 +--- a/drivers/gpu/drm/virtio/virtgpu_drv.h ++++ b/drivers/gpu/drm/virtio/virtgpu_drv.h +@@ -102,7 +102,6 @@ struct virtio_gpu_fence { + struct dma_fence f; + struct virtio_gpu_fence_driver *drv; + struct list_head node; +- uint64_t seq; + }; + #define to_virtio_fence(x) \ + container_of(x, struct virtio_gpu_fence, f) +diff --git a/drivers/gpu/drm/virtio/virtgpu_fence.c b/drivers/gpu/drm/virtio/virtgpu_fence.c +index 87d1966192f4..72b4f7561432 100644 +--- a/drivers/gpu/drm/virtio/virtgpu_fence.c ++++ b/drivers/gpu/drm/virtio/virtgpu_fence.c +@@ -40,16 +40,14 @@ bool virtio_fence_signaled(struct dma_fence *f) + { + struct virtio_gpu_fence *fence = to_virtio_fence(f); + +- if (atomic64_read(&fence->drv->last_seq) >= fence->seq) ++ if (atomic64_read(&fence->drv->last_seq) >= fence->f.seqno) + return true; + return false; + } + + static void virtio_fence_value_str(struct dma_fence *f, char *str, int size) + { +- struct virtio_gpu_fence *fence = to_virtio_fence(f); +- +- snprintf(str, size, "%llu", fence->seq); ++ snprintf(str, size, "%llu", f->seqno); + } + + static void virtio_timeline_value_str(struct dma_fence *f, char *str, int size) +@@ -76,6 +74,11 @@ struct virtio_gpu_fence *virtio_gpu_fence_alloc(struct virtio_gpu_device *vgdev) + return fence; + + fence->drv = drv; ++ ++ /* This only partially initializes the fence because the seqno is ++ * unknown yet. The fence must not be used outside of the driver ++ * until virtio_gpu_fence_emit is called. ++ */ + dma_fence_init(&fence->f, &virtio_fence_ops, &drv->lock, drv->context, 0); + + return fence; +@@ -89,13 +92,13 @@ int virtio_gpu_fence_emit(struct virtio_gpu_device *vgdev, + unsigned long irq_flags; + + spin_lock_irqsave(&drv->lock, irq_flags); +- fence->seq = ++drv->sync_seq; ++ fence->f.seqno = ++drv->sync_seq; + dma_fence_get(&fence->f); + list_add_tail(&fence->node, &drv->fences); + spin_unlock_irqrestore(&drv->lock, irq_flags); + + cmd_hdr->flags |= cpu_to_le32(VIRTIO_GPU_FLAG_FENCE); +- cmd_hdr->fence_id = cpu_to_le64(fence->seq); ++ cmd_hdr->fence_id = cpu_to_le64(fence->f.seqno); + return 0; + } + +@@ -109,7 +112,7 @@ void virtio_gpu_fence_event_process(struct virtio_gpu_device *vgdev, + spin_lock_irqsave(&drv->lock, irq_flags); + atomic64_set(&vgdev->fence_drv.last_seq, last_seq); + list_for_each_entry_safe(fence, tmp, &drv->fences, node) { +- if (last_seq < fence->seq) ++ if (last_seq < fence->f.seqno) + continue; + dma_fence_signal_locked(&fence->f); + list_del(&fence->node); +-- +2.20.1 + diff --git a/queue-5.2/drm-vkms-forward-timer-right-after-drm_crtc_handle_v.patch b/queue-5.2/drm-vkms-forward-timer-right-after-drm_crtc_handle_v.patch new file mode 100644 index 00000000000..2767aeee442 --- /dev/null +++ b/queue-5.2/drm-vkms-forward-timer-right-after-drm_crtc_handle_v.patch @@ -0,0 +1,115 @@ +From abccf11949c2fae52be53bc4eb7d68cdacc87fc6 Mon Sep 17 00:00:00 2001 +From: Daniel Vetter +Date: Thu, 6 Jun 2019 10:44:04 +0200 +Subject: drm/vkms: Forward timer right after drm_crtc_handle_vblank + +[ Upstream commit 7355965da22b8d9ebac8bce4b776399fb0bb9d32 ] + +In + +commit def35e7c592616bc09be328de8795e5e624a3cf8 +Author: Shayenne Moura +Date: Wed Jan 30 14:06:36 2019 -0200 + + drm/vkms: Bugfix extra vblank frame + +we fixed the vblank counter to give accurate results outside of +drm_crtc_handle_vblank, which fixed bugs around vblank timestamps +being off-by-one and causing the vblank counter to jump when it +shouldn't. + +The trouble is that this completely broke crc generation. Shayenne and +Rodrigo tracked this down to the vblank timestamp going backwards in +time somehow. Which then resulted in an underflow in drm_vblank.c +code, which resulted in all kinds of things breaking really badly. + +The reason for this is that once we've called drm_crtc_handle_vblank +and the hrtimer isn't forwarded yet, we're returning a vblank +timestamp in the past. This race is really hard to hit since it's +small, except when you enable crc generation: In that case there's a +call to drm_crtc_accurate_vblank right in-betwen, so we're guaranteed +to hit the bug. + +The fix is to roll the hrtimer forward _before_ we do the vblank +processing (which has a side-effect of incrementing the vblank +counter), and we always subtract one frame from the hrtimer - since +now it's always one frame in the future. + +To make sure we don't hit this again also add a WARN_ON checking for +whether our timestamp is somehow moving into the past, which is never +should. + +This also aligns more with how real hw works: +1. first all registers are updated with the new timestamp/vblank +counter values. +2. then an interrupt is generated +3. kernel interrupt handler eventually fires. + +So doing this aligns vkms closer with what drm_vblank.c expects. +Document this also in a comment. + +Cc: Shayenne Moura +Cc: Rodrigo Siqueira +Signed-off-by: Daniel Vetter +Tested-by: Rodrigo Siqueira +Reviewed-by: Rodrigo Siqueira +Signed-off-by: Rodrigo Siqueira +Link: https://patchwork.freedesktop.org/patch/msgid/20190606084404.12014-1-daniel.vetter@ffwll.ch +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vkms/vkms_crtc.c | 22 ++++++++++++++++------ + 1 file changed, 16 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/vkms/vkms_crtc.c b/drivers/gpu/drm/vkms/vkms_crtc.c +index bb66dbcd5e3f..e447b7588d06 100644 +--- a/drivers/gpu/drm/vkms/vkms_crtc.c ++++ b/drivers/gpu/drm/vkms/vkms_crtc.c +@@ -15,6 +15,10 @@ static enum hrtimer_restart vkms_vblank_simulate(struct hrtimer *timer) + + spin_lock(&output->lock); + ++ ret_overrun = hrtimer_forward_now(&output->vblank_hrtimer, ++ output->period_ns); ++ WARN_ON(ret_overrun != 1); ++ + ret = drm_crtc_handle_vblank(crtc); + if (!ret) + DRM_ERROR("vkms failure on handling vblank"); +@@ -35,10 +39,6 @@ static enum hrtimer_restart vkms_vblank_simulate(struct hrtimer *timer) + DRM_WARN("failed to queue vkms_crc_work_handle"); + } + +- ret_overrun = hrtimer_forward_now(&output->vblank_hrtimer, +- output->period_ns); +- WARN_ON(ret_overrun != 1); +- + spin_unlock(&output->lock); + + return HRTIMER_RESTART; +@@ -74,11 +74,21 @@ bool vkms_get_vblank_timestamp(struct drm_device *dev, unsigned int pipe, + { + struct vkms_device *vkmsdev = drm_device_to_vkms_device(dev); + struct vkms_output *output = &vkmsdev->output; ++ struct drm_vblank_crtc *vblank = &dev->vblank[pipe]; + + *vblank_time = output->vblank_hrtimer.node.expires; + +- if (!in_vblank_irq) +- *vblank_time -= output->period_ns; ++ if (WARN_ON(*vblank_time == vblank->time)) ++ return true; ++ ++ /* ++ * To prevent races we roll the hrtimer forward before we do any ++ * interrupt processing - this is how real hw works (the interrupt is ++ * only generated after all the vblank registers are updated) and what ++ * the vblank core expects. Therefore we need to always correct the ++ * timestampe by one frame. ++ */ ++ *vblank_time -= output->period_ns; + + return true; + } +-- +2.20.1 + diff --git a/queue-5.2/dt-bindings-backlight-lm3630a-correct-schema-validat.patch b/queue-5.2/dt-bindings-backlight-lm3630a-correct-schema-validat.patch new file mode 100644 index 00000000000..ccf69613188 --- /dev/null +++ b/queue-5.2/dt-bindings-backlight-lm3630a-correct-schema-validat.patch @@ -0,0 +1,89 @@ +From 142f337a7103cc355896eee533ee64ca6b5395ba Mon Sep 17 00:00:00 2001 +From: Brian Masney +Date: Mon, 20 May 2019 04:58:46 -0400 +Subject: dt-bindings: backlight: lm3630a: correct schema validation + +[ Upstream commit ef4db28c1f45cda6989bc8a8e45294894786d947 ] + +The '#address-cells' and '#size-cells' properties were not defined in +the lm3630a bindings and would cause the following error when +attempting to validate the examples against the schema: + +Documentation/devicetree/bindings/leds/backlight/lm3630a-backlight.example.dt.yaml: +'#address-cells', '#size-cells' do not match any of the regexes: +'^led@[01]$', 'pinctrl-[0-9]+' + +Correct this by adding those two properties. + +While we're here, move the ti,linear-mapping-mode property to the +led@[01] child nodes to correct the following validation error: + +Documentation/devicetree/bindings/leds/backlight/lm3630a-backlight.example.dt.yaml: +led@0: 'ti,linear-mapping-mode' does not match any of the regexes: +'pinctrl-[0-9]+' + +Fixes: 32fcb75c66a0 ("dt-bindings: backlight: Add lm3630a bindings") +Signed-off-by: Brian Masney +Reported-by: Rob Herring +Acked-by: Daniel Thompson +Acked-by: Dan Murphy +[robh: also drop maxItems from child reg] +Signed-off-by: Rob Herring +Signed-off-by: Sasha Levin +--- + .../leds/backlight/lm3630a-backlight.yaml | 21 ++++++++++++------- + 1 file changed, 14 insertions(+), 7 deletions(-) + +diff --git a/Documentation/devicetree/bindings/leds/backlight/lm3630a-backlight.yaml b/Documentation/devicetree/bindings/leds/backlight/lm3630a-backlight.yaml +index 4d61fe0a98a4..dc129d9a329e 100644 +--- a/Documentation/devicetree/bindings/leds/backlight/lm3630a-backlight.yaml ++++ b/Documentation/devicetree/bindings/leds/backlight/lm3630a-backlight.yaml +@@ -23,16 +23,17 @@ properties: + reg: + maxItems: 1 + +- ti,linear-mapping-mode: +- description: | +- Enable linear mapping mode. If disabled, then it will use exponential +- mapping mode in which the ramp up/down appears to have a more uniform +- transition to the human eye. +- type: boolean ++ '#address-cells': ++ const: 1 ++ ++ '#size-cells': ++ const: 0 + + required: + - compatible + - reg ++ - '#address-cells' ++ - '#size-cells' + + patternProperties: + "^led@[01]$": +@@ -48,7 +49,6 @@ patternProperties: + in this property. The two current sinks can be controlled + independently with both banks, or bank A can be configured to control + both sinks with the led-sources property. +- maxItems: 1 + minimum: 0 + maximum: 1 + +@@ -73,6 +73,13 @@ patternProperties: + minimum: 0 + maximum: 255 + ++ ti,linear-mapping-mode: ++ description: | ++ Enable linear mapping mode. If disabled, then it will use exponential ++ mapping mode in which the ramp up/down appears to have a more uniform ++ transition to the human eye. ++ type: boolean ++ + required: + - reg + +-- +2.20.1 + diff --git a/queue-5.2/f2fs-avoid-out-of-range-memory-access.patch b/queue-5.2/f2fs-avoid-out-of-range-memory-access.patch new file mode 100644 index 00000000000..1dc6fd9108f --- /dev/null +++ b/queue-5.2/f2fs-avoid-out-of-range-memory-access.patch @@ -0,0 +1,39 @@ +From ac07b9b8aab45b1ceef6f5a8addc767e7aa58a1f Mon Sep 17 00:00:00 2001 +From: Ocean Chen +Date: Mon, 8 Jul 2019 12:34:56 +0800 +Subject: f2fs: avoid out-of-range memory access + +[ Upstream commit 56f3ce675103e3fb9e631cfb4131fc768bc23e9a ] + +blkoff_off might over 512 due to fs corrupt or security +vulnerability. That should be checked before being using. + +Use ENTRIES_IN_SUM to protect invalid value in cur_data_blkoff. + +Signed-off-by: Ocean Chen +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/segment.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c +index 291f7106537c..ce15fbcd7cff 100644 +--- a/fs/f2fs/segment.c ++++ b/fs/f2fs/segment.c +@@ -3403,6 +3403,11 @@ static int read_compacted_summaries(struct f2fs_sb_info *sbi) + seg_i = CURSEG_I(sbi, i); + segno = le32_to_cpu(ckpt->cur_data_segno[i]); + blk_off = le16_to_cpu(ckpt->cur_data_blkoff[i]); ++ if (blk_off > ENTRIES_IN_SUM) { ++ f2fs_bug_on(sbi, 1); ++ f2fs_put_page(page, 1); ++ return -EFAULT; ++ } + seg_i->next_segno = segno; + reset_curseg(sbi, i, 0); + seg_i->alloc_type = ckpt->alloc_type[i]; +-- +2.20.1 + diff --git a/queue-5.2/f2fs-fix-accounting-for-unusable-blocks.patch b/queue-5.2/f2fs-fix-accounting-for-unusable-blocks.patch new file mode 100644 index 00000000000..59ad54516e2 --- /dev/null +++ b/queue-5.2/f2fs-fix-accounting-for-unusable-blocks.patch @@ -0,0 +1,62 @@ +From 7ac9cb6b639784736272b5e858bbfcc1f4e9a70c Mon Sep 17 00:00:00 2001 +From: Daniel Rosenberg +Date: Wed, 29 May 2019 17:49:05 -0700 +Subject: f2fs: Fix accounting for unusable blocks + +[ Upstream commit a4c3ecaaadac5693f555cfef1c9eecf4c39df818 ] + +Fixes possible underflows when dealing with unusable blocks. + +Signed-off-by: Daniel Rosenberg +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/f2fs.h | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h +index d1b64cb77326..9e6721e15b24 100644 +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -1767,8 +1767,12 @@ static inline int inc_valid_block_count(struct f2fs_sb_info *sbi, + + if (!__allow_reserved_blocks(sbi, inode, true)) + avail_user_block_count -= F2FS_OPTION(sbi).root_reserved_blocks; +- if (unlikely(is_sbi_flag_set(sbi, SBI_CP_DISABLED))) +- avail_user_block_count -= sbi->unusable_block_count; ++ if (unlikely(is_sbi_flag_set(sbi, SBI_CP_DISABLED))) { ++ if (avail_user_block_count > sbi->unusable_block_count) ++ avail_user_block_count -= sbi->unusable_block_count; ++ else ++ avail_user_block_count = 0; ++ } + if (unlikely(sbi->total_valid_block_count > avail_user_block_count)) { + diff = sbi->total_valid_block_count - avail_user_block_count; + if (diff > *count) +@@ -1968,7 +1972,7 @@ static inline int inc_valid_node_count(struct f2fs_sb_info *sbi, + struct inode *inode, bool is_inode) + { + block_t valid_block_count; +- unsigned int valid_node_count; ++ unsigned int valid_node_count, user_block_count; + int err; + + if (is_inode) { +@@ -1995,10 +1999,11 @@ static inline int inc_valid_node_count(struct f2fs_sb_info *sbi, + + if (!__allow_reserved_blocks(sbi, inode, false)) + valid_block_count += F2FS_OPTION(sbi).root_reserved_blocks; ++ user_block_count = sbi->user_block_count; + if (unlikely(is_sbi_flag_set(sbi, SBI_CP_DISABLED))) +- valid_block_count += sbi->unusable_block_count; ++ user_block_count -= sbi->unusable_block_count; + +- if (unlikely(valid_block_count > sbi->user_block_count)) { ++ if (unlikely(valid_block_count > user_block_count)) { + spin_unlock(&sbi->stat_lock); + goto enospc; + } +-- +2.20.1 + diff --git a/queue-5.2/f2fs-fix-is_idle-check-for-discard-type.patch b/queue-5.2/f2fs-fix-is_idle-check-for-discard-type.patch new file mode 100644 index 00000000000..6055514ffc0 --- /dev/null +++ b/queue-5.2/f2fs-fix-is_idle-check-for-discard-type.patch @@ -0,0 +1,59 @@ +From 841dc8bbcb42f941fd6aaddabb78f51743ebf604 Mon Sep 17 00:00:00 2001 +From: Sahitya Tummala +Date: Thu, 6 Jun 2019 15:08:13 +0530 +Subject: f2fs: fix is_idle() check for discard type + +[ Upstream commit 56659ce838456c6f2315ce8a4bd686ac4b23e9d1 ] + +The discard thread should issue upto dpolicy->max_requests at once +and wait for all those discard requests at once it reaches +dpolicy->max_requests. It should then sleep for dpolicy->min_interval +timeout before issuing the next batch of discard requests. But in the +current code of is_idle(), it checks for dcc_info->queued_discard and +aborts issuing the discard batch of max_requests. This +dcc_info->queued_discard will be true always once one discard command +is issued. + +It is thus resulting into this type of discard request pattern - + +- Issue discard request#1 +- is_idle() returns false, discard thread waits for request#1 and then + sleeps for min_interval 50ms. +- Issue discard request#2 +- is_idle() returns false, discard thread waits for request#2 and then + sleeps for min_interval 50ms. +- and so on for all other discard requests, assuming f2fs is idle w.r.t + other conditions. + +With this fix, the pattern will look like this - + +- Issue discard request#1 +- Issue discard request#2 + and so on upto max_requests of 8 +- Issue discard request#8 +- wait for min_interval 50ms. + +Signed-off-by: Sahitya Tummala +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/f2fs.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h +index 9e6721e15b24..cbdc2f88a98c 100644 +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -2204,7 +2204,7 @@ static inline bool is_idle(struct f2fs_sb_info *sbi, int type) + get_pages(sbi, F2FS_DIO_WRITE)) + return false; + +- if (SM_I(sbi) && SM_I(sbi)->dcc_info && ++ if (type != DISCARD_TIME && SM_I(sbi) && SM_I(sbi)->dcc_info && + atomic_read(&SM_I(sbi)->dcc_info->queued_discard)) + return false; + +-- +2.20.1 + diff --git a/queue-5.2/f2fs-fix-to-avoid-deadloop-if-data_flush-is-on.patch b/queue-5.2/f2fs-fix-to-avoid-deadloop-if-data_flush-is-on.patch new file mode 100644 index 00000000000..0dc72daf034 --- /dev/null +++ b/queue-5.2/f2fs-fix-to-avoid-deadloop-if-data_flush-is-on.patch @@ -0,0 +1,158 @@ +From 4837910cc6a4bc54474471c3e8041f2b1ed8ee1f Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Mon, 20 May 2019 17:36:59 +0800 +Subject: f2fs: fix to avoid deadloop if data_flush is on + +[ Upstream commit 040d2bb318d1aea4f28cc22504b44e446666c86e ] + +As Hagbard Celine reported: + +[ 615.697824] INFO: task kworker/u16:5:344 blocked for more than 120 seconds. +[ 615.697825] Not tainted 5.0.15-gentoo-f2fslog #4 +[ 615.697826] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" +disables this message. +[ 615.697827] kworker/u16:5 D 0 344 2 0x80000000 +[ 615.697831] Workqueue: writeback wb_workfn (flush-259:0) +[ 615.697832] Call Trace: +[ 615.697836] ? __schedule+0x2c5/0x8b0 +[ 615.697839] schedule+0x32/0x80 +[ 615.697841] schedule_preempt_disabled+0x14/0x20 +[ 615.697842] __mutex_lock.isra.8+0x2ba/0x4d0 +[ 615.697845] ? log_store+0xf5/0x260 +[ 615.697848] f2fs_write_data_pages+0x133/0x320 +[ 615.697851] ? trace_hardirqs_on+0x2c/0xe0 +[ 615.697854] do_writepages+0x41/0xd0 +[ 615.697857] __filemap_fdatawrite_range+0x81/0xb0 +[ 615.697859] f2fs_sync_dirty_inodes+0x1dd/0x200 +[ 615.697861] f2fs_balance_fs_bg+0x2a7/0x2c0 +[ 615.697863] ? up_read+0x5/0x20 +[ 615.697865] ? f2fs_do_write_data_page+0x2cb/0x940 +[ 615.697867] f2fs_balance_fs+0xe5/0x2c0 +[ 615.697869] __write_data_page+0x1c8/0x6e0 +[ 615.697873] f2fs_write_cache_pages+0x1e0/0x450 +[ 615.697878] f2fs_write_data_pages+0x14b/0x320 +[ 615.697880] ? trace_hardirqs_on+0x2c/0xe0 +[ 615.697883] do_writepages+0x41/0xd0 +[ 615.697885] __filemap_fdatawrite_range+0x81/0xb0 +[ 615.697887] f2fs_sync_dirty_inodes+0x1dd/0x200 +[ 615.697889] f2fs_balance_fs_bg+0x2a7/0x2c0 +[ 615.697891] f2fs_write_node_pages+0x51/0x220 +[ 615.697894] do_writepages+0x41/0xd0 +[ 615.697897] __writeback_single_inode+0x3d/0x3d0 +[ 615.697899] writeback_sb_inodes+0x1e8/0x410 +[ 615.697902] __writeback_inodes_wb+0x5d/0xb0 +[ 615.697904] wb_writeback+0x28f/0x340 +[ 615.697906] ? cpumask_next+0x16/0x20 +[ 615.697908] wb_workfn+0x33e/0x420 +[ 615.697911] process_one_work+0x1a1/0x3d0 +[ 615.697913] worker_thread+0x30/0x380 +[ 615.697915] ? process_one_work+0x3d0/0x3d0 +[ 615.697916] kthread+0x116/0x130 +[ 615.697918] ? kthread_create_worker_on_cpu+0x70/0x70 +[ 615.697921] ret_from_fork+0x3a/0x50 + +There is still deadloop in below condition: + +d A +- do_writepages + - f2fs_write_node_pages + - f2fs_balance_fs_bg + - f2fs_sync_dirty_inodes + - f2fs_write_cache_pages + - mutex_lock(&sbi->writepages) -- lock once + - __write_data_page + - f2fs_balance_fs_bg + - f2fs_sync_dirty_inodes + - f2fs_write_data_pages + - mutex_lock(&sbi->writepages) -- lock again + +Thread A Thread B +- do_writepages + - f2fs_write_node_pages + - f2fs_balance_fs_bg + - f2fs_sync_dirty_inodes + - .cp_task = current + - f2fs_sync_dirty_inodes + - .cp_task = current + - filemap_fdatawrite + - .cp_task = NULL + - filemap_fdatawrite + - f2fs_write_cache_pages + - enter f2fs_balance_fs_bg since .cp_task is NULL + - .cp_task = NULL + +Change as below to avoid this: +- add condition to avoid holding .writepages mutex lock in path +of data flush +- introduce mutex lock sbi.flush_lock to exclude concurrent data +flush in background. + +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/data.c | 3 +++ + fs/f2fs/f2fs.h | 1 + + fs/f2fs/segment.c | 4 ++++ + fs/f2fs/super.c | 1 + + 4 files changed, 9 insertions(+) + +diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c +index eda4181d2092..923923603a7d 100644 +--- a/fs/f2fs/data.c ++++ b/fs/f2fs/data.c +@@ -2262,6 +2262,9 @@ static inline bool __should_serialize_io(struct inode *inode, + return false; + if (IS_NOQUOTA(inode)) + return false; ++ /* to avoid deadlock in path of data flush */ ++ if (F2FS_I(inode)->cp_task) ++ return false; + if (wbc->sync_mode != WB_SYNC_ALL) + return true; + if (get_dirty_pages(inode) >= SM_I(F2FS_I_SB(inode))->min_seq_blocks) +diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h +index 06b89a9862ab..d1b64cb77326 100644 +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -1207,6 +1207,7 @@ struct f2fs_sb_info { + /* for inode management */ + struct list_head inode_list[NR_INODE_TYPE]; /* dirty inode list */ + spinlock_t inode_lock[NR_INODE_TYPE]; /* for dirty inode list lock */ ++ struct mutex flush_lock; /* for flush exclusion */ + + /* for extent tree cache */ + struct radix_tree_root extent_tree_root;/* cache extent cache entries */ +diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c +index 8dee063c833f..a96b9e964733 100644 +--- a/fs/f2fs/segment.c ++++ b/fs/f2fs/segment.c +@@ -546,9 +546,13 @@ void f2fs_balance_fs_bg(struct f2fs_sb_info *sbi) + if (test_opt(sbi, DATA_FLUSH)) { + struct blk_plug plug; + ++ mutex_lock(&sbi->flush_lock); ++ + blk_start_plug(&plug); + f2fs_sync_dirty_inodes(sbi, FILE_INODE); + blk_finish_plug(&plug); ++ ++ mutex_unlock(&sbi->flush_lock); + } + f2fs_sync_fs(sbi->sb, true); + stat_inc_bg_cp_count(sbi->stat_info); +diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c +index 856f9081c599..4b47ac994daf 100644 +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -3296,6 +3296,7 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent) + INIT_LIST_HEAD(&sbi->inode_list[i]); + spin_lock_init(&sbi->inode_lock[i]); + } ++ mutex_init(&sbi->flush_lock); + + f2fs_init_extent_cache_info(sbi); + +-- +2.20.1 + diff --git a/queue-5.2/f2fs-fix-to-avoid-long-latency-during-umount.patch b/queue-5.2/f2fs-fix-to-avoid-long-latency-during-umount.patch new file mode 100644 index 00000000000..ff2129b6b06 --- /dev/null +++ b/queue-5.2/f2fs-fix-to-avoid-long-latency-during-umount.patch @@ -0,0 +1,38 @@ +From 4f1568b4ee46818c666b5cfb0e9ff4086b65e6e0 Mon Sep 17 00:00:00 2001 +From: Heng Xiao +Date: Wed, 3 Jul 2019 10:29:57 +0800 +Subject: f2fs: fix to avoid long latency during umount + +[ Upstream commit 6e0cd4a9dd4df1a0afcb454f1e654b5c80685913 ] + +In umount, we give an constand time to handle pending discard, previously, +in __issue_discard_cmd() we missed to check timeout condition in loop, +result in delaying long time, fix it. + +Signed-off-by: Heng Xiao +[Chao Yu: add commit message] +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/segment.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c +index 8903b61457e7..291f7106537c 100644 +--- a/fs/f2fs/segment.c ++++ b/fs/f2fs/segment.c +@@ -1486,6 +1486,10 @@ static int __issue_discard_cmd(struct f2fs_sb_info *sbi, + list_for_each_entry_safe(dc, tmp, pend_list, list) { + f2fs_bug_on(sbi, dc->state != D_PREP); + ++ if (dpolicy->timeout != 0 && ++ f2fs_time_over(sbi, dpolicy->timeout)) ++ break; ++ + if (dpolicy->io_aware && i < dpolicy->io_aware_gran && + !is_idle(sbi, DISCARD_TIME)) { + io_interrupted = true; +-- +2.20.1 + diff --git a/queue-5.2/f2fs-fix-to-check-layout-on-last-valid-checkpoint-pa.patch b/queue-5.2/f2fs-fix-to-check-layout-on-last-valid-checkpoint-pa.patch new file mode 100644 index 00000000000..267b96cd684 --- /dev/null +++ b/queue-5.2/f2fs-fix-to-check-layout-on-last-valid-checkpoint-pa.patch @@ -0,0 +1,109 @@ +From 89827dee990dd36a4133d4375b403589cc8e612e Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Mon, 20 May 2019 10:09:22 +0800 +Subject: f2fs: fix to check layout on last valid checkpoint park + +[ Upstream commit 5dae2d39074dde941cc3150dcbb7840d88179743 ] + +As Ju Hyung reported: + +" +I was semi-forced today to use the new kernel and test f2fs. + +My Ubuntu initramfs got a bit wonky and I had to boot into live CD and +fix some stuffs. The live CD was using 4.15 kernel, and just mounting +the f2fs partition there corrupted f2fs and my 4.19(with 5.1-rc1-4.19 +f2fs-stable merged) refused to mount with "SIT is corrupted node" +message. + +I used the latest f2fs-tools sent by Chao including "fsck.f2fs: fix to +repair cp_loads blocks at correct position" + +It spit out 140M worth of output, but at least I didn't have to run it +twice. Everything returned "Ok" in the 2nd run. +The new log is at +http://arter97.com/f2fs/final + +After fixing the image, I used my 4.19 kernel with 5.2-rc1-4.19 +f2fs-stable merged and it mounted. + +But, I got this: +[ 1.047791] F2FS-fs (nvme0n1p3): layout of large_nat_bitmap is +deprecated, run fsck to repair, chksum_offset: 4092 +[ 1.081307] F2FS-fs (nvme0n1p3): Found nat_bits in checkpoint +[ 1.161520] F2FS-fs (nvme0n1p3): recover fsync data on readonly fs +[ 1.162418] F2FS-fs (nvme0n1p3): Mounted with checkpoint version = 761c7e00 + +But after doing a reboot, the message is gone: +[ 1.098423] F2FS-fs (nvme0n1p3): Found nat_bits in checkpoint +[ 1.177771] F2FS-fs (nvme0n1p3): recover fsync data on readonly fs +[ 1.178365] F2FS-fs (nvme0n1p3): Mounted with checkpoint version = 761c7eda + +I'm not exactly sure why the kernel detected that I'm still using the +old layout on the first boot. Maybe fsck didn't fix it properly, or +the check from the kernel is improper. +" + +Although we have rebuild the old deprecated checkpoint with new layout +during repair, we only repair last checkpoint park, the other old one is +remained. + +Once the image was mounted, we will 1) sanity check layout and 2) decide +which checkpoint park to use according to cp_ver. So that we will print +reported message unnecessarily at step 1), to avoid it, we simply move +layout check into f2fs_sanity_check_ckpt() after step 2). + +Reported-by: Park Ju Hyung +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/checkpoint.c | 11 ----------- + fs/f2fs/super.c | 9 +++++++++ + 2 files changed, 9 insertions(+), 11 deletions(-) + +diff --git a/fs/f2fs/checkpoint.c b/fs/f2fs/checkpoint.c +index ed70b68b2b38..d0539ddad6e2 100644 +--- a/fs/f2fs/checkpoint.c ++++ b/fs/f2fs/checkpoint.c +@@ -832,17 +832,6 @@ static int get_checkpoint_version(struct f2fs_sb_info *sbi, block_t cp_addr, + return -EINVAL; + } + +- if (__is_set_ckpt_flags(*cp_block, CP_LARGE_NAT_BITMAP_FLAG)) { +- if (crc_offset != CP_MIN_CHKSUM_OFFSET) { +- f2fs_put_page(*cp_page, 1); +- f2fs_msg(sbi->sb, KERN_WARNING, +- "layout of large_nat_bitmap is deprecated, " +- "run fsck to repair, chksum_offset: %zu", +- crc_offset); +- return -EINVAL; +- } +- } +- + crc = f2fs_checkpoint_chksum(sbi, *cp_block); + if (crc != cur_cp_crc(*cp_block)) { + f2fs_put_page(*cp_page, 1); +diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c +index 6b959bbb336a..856f9081c599 100644 +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -2718,6 +2718,15 @@ int f2fs_sanity_check_ckpt(struct f2fs_sb_info *sbi) + return 1; + } + ++ if (__is_set_ckpt_flags(ckpt, CP_LARGE_NAT_BITMAP_FLAG) && ++ le32_to_cpu(ckpt->checksum_offset) != CP_MIN_CHKSUM_OFFSET) { ++ f2fs_msg(sbi->sb, KERN_WARNING, ++ "layout of large_nat_bitmap is deprecated, " ++ "run fsck to repair, chksum_offset: %u", ++ le32_to_cpu(ckpt->checksum_offset)); ++ return 1; ++ } ++ + if (unlikely(f2fs_cp_error(sbi))) { + f2fs_msg(sbi->sb, KERN_ERR, "A bug case: need to run fsck"); + return 1; +-- +2.20.1 + diff --git a/queue-5.2/f2fs-lower-threshold-for-disable_cp_again.patch b/queue-5.2/f2fs-lower-threshold-for-disable_cp_again.patch new file mode 100644 index 00000000000..c9778f5925e --- /dev/null +++ b/queue-5.2/f2fs-lower-threshold-for-disable_cp_again.patch @@ -0,0 +1,75 @@ +From 84dbf067f9c6e2d080d381180fb24f930499485d Mon Sep 17 00:00:00 2001 +From: Daniel Rosenberg +Date: Wed, 29 May 2019 17:49:03 -0700 +Subject: f2fs: Lower threshold for disable_cp_again + +[ Upstream commit ae4ad7ea09d32ff1b6fb908ff12f8c1bd5241b29 ] + +The existing threshold for allowable holes at checkpoint=disable time is +too high. The OVP space contains reserved segments, which are always in +the form of free segments. These must be subtracted from the OVP value. + +The current threshold is meant to be the maximum value of holes of a +single type we can have and still guarantee that we can fill the disk +without failing to find space for a block of a given type. + +If the disk is full, ignoring current reserved, which only helps us, +the amount of unused blocks is equal to the OVP area. Of that, there +are reserved segments, which must be free segments, and the rest of the +ovp area, which can come from either free segments or holes. The maximum +possible amount of holes is OVP-reserved. + +Now, consider the disk when mounting with checkpoint=disable. +We must be able to fill all available free space with either data or +node blocks. When we start with checkpoint=disable, holes are locked to +their current type. Say we have H of one type of hole, and H+X of the +other. We can fill H of that space with arbitrary typed blocks via SSR. +For the remaining H+X blocks, we may not have any of a given block type +left at all. For instance, if we were to fill the disk entirely with +blocks of the type with fewer holes, the H+X blocks of the opposite type +would not be used. If H+X > OVP-reserved, there would be more holes than +could possibly exist, and we would have failed to find a suitable block +earlier on, leading to a crash in update_sit_entry. + +If H+X <= OVP-reserved, then the holes end up effectively masked by the OVP +region in this case. + +Signed-off-by: Daniel Rosenberg +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/segment.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c +index a96b9e964733..8903b61457e7 100644 +--- a/fs/f2fs/segment.c ++++ b/fs/f2fs/segment.c +@@ -876,7 +876,9 @@ void f2fs_dirty_to_prefree(struct f2fs_sb_info *sbi) + int f2fs_disable_cp_again(struct f2fs_sb_info *sbi) + { + struct dirty_seglist_info *dirty_i = DIRTY_I(sbi); +- block_t ovp = overprovision_segments(sbi) << sbi->log_blocks_per_seg; ++ int ovp_hole_segs = ++ (overprovision_segments(sbi) - reserved_segments(sbi)); ++ block_t ovp_holes = ovp_hole_segs << sbi->log_blocks_per_seg; + block_t holes[2] = {0, 0}; /* DATA and NODE */ + struct seg_entry *se; + unsigned int segno; +@@ -891,10 +893,10 @@ int f2fs_disable_cp_again(struct f2fs_sb_info *sbi) + } + mutex_unlock(&dirty_i->seglist_lock); + +- if (holes[DATA] > ovp || holes[NODE] > ovp) ++ if (holes[DATA] > ovp_holes || holes[NODE] > ovp_holes) + return -EAGAIN; + if (is_sbi_flag_set(sbi, SBI_CP_DISABLED_QUICK) && +- dirty_segments(sbi) > overprovision_segments(sbi)) ++ dirty_segments(sbi) > ovp_hole_segs) + return -EAGAIN; + return 0; + } +-- +2.20.1 + diff --git a/queue-5.2/fixdep-check-return-value-of-printf-and-putchar.patch b/queue-5.2/fixdep-check-return-value-of-printf-and-putchar.patch new file mode 100644 index 00000000000..414e36c5231 --- /dev/null +++ b/queue-5.2/fixdep-check-return-value-of-printf-and-putchar.patch @@ -0,0 +1,185 @@ +From ada94fcdd4ce92e6b1a0e0c9162af92fa4ca30cf Mon Sep 17 00:00:00 2001 +From: Masahiro Yamada +Date: Tue, 25 Jun 2019 15:54:19 +0900 +Subject: fixdep: check return value of printf() and putchar() + +[ Upstream commit 6f9ac9f4427ec0470ccffbf852cfaf326677cc21 ] + +When there is not enough space on your storage device, the build will +fail with 'No space left on device' error message. + +The reason is obvious from the message, so you will free up some disk +space, then you will resume the build. + +However, sometimes you may still see a mysterious error message: + + unterminated call to function 'wildcard': missing ')'. + +If you run out of the disk space, fixdep may end up with generating +incomplete .*.cmd files. + +For example, if the disk-full error occurs while fixdep is running +print_dep(), the .*.cmd might be truncated like this: + + $(wildcard include/config/ + +When you run 'make' next time, this broken .*.cmd will be included, +then Make will terminate parsing since it is a wrong syntax. + +Once this happens, you need to run 'make clean' or delete the broken +.*.cmd file manually. + +Even if you do not see any error message, the .*.cmd files after any +error could be potentially incomplete, and unreliable. You may miss +the re-compilation due to missing header dependency. + +If printf() cannot output the string for disk shortage or whatever +reason, it returns a negative value, but currently fixdep does not +check it at all. Consequently, fixdep *successfully* generates a +broken .*.cmd file. Make never notices that since fixdep exits with 0, +which means success. + +Given the intended usage of fixdep, it must respect the return value +of not only malloc(), but also printf() and putchar(). + +This seems a long-standing issue since the introduction of fixdep. + +In old days, Kbuild tried to provide an extra safety by letting fixdep +output to a temporary file and renaming it after everything is done: + + scripts/basic/fixdep $(depfile) $@ '$(make-cmd)' > $(dot-target).tmp;\ + rm -f $(depfile); \ + mv -f $(dot-target).tmp $(dot-target).cmd) + +It was no help to avoid the current issue; fixdep successfully created +a truncated tmp file, which would be renamed to a .*.cmd file. + +This problem should be fixed by propagating the error status to the +build system because: + +[1] Since commit 9c2af1c7377a ("kbuild: add .DELETE_ON_ERROR special + target"), Make will delete the target automatically on any failure + in the recipe. + +[2] Since commit 392885ee82d3 ("kbuild: let fixdep directly write to + .*.cmd files"), .*.cmd file is included only when the corresponding + target already exists. + +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/basic/fixdep.c | 51 +++++++++++++++++++++++++++++++++--------- + 1 file changed, 41 insertions(+), 10 deletions(-) + +diff --git a/scripts/basic/fixdep.c b/scripts/basic/fixdep.c +index facbd603adf6..9ba47b0a47b9 100644 +--- a/scripts/basic/fixdep.c ++++ b/scripts/basic/fixdep.c +@@ -99,6 +99,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -109,6 +110,36 @@ static void usage(void) + exit(1); + } + ++/* ++ * In the intended usage of this program, the stdout is redirected to .*.cmd ++ * files. The return value of printf() and putchar() must be checked to catch ++ * any error, e.g. "No space left on device". ++ */ ++static void xprintf(const char *format, ...) ++{ ++ va_list ap; ++ int ret; ++ ++ va_start(ap, format); ++ ret = vprintf(format, ap); ++ if (ret < 0) { ++ perror("fixdep"); ++ exit(1); ++ } ++ va_end(ap); ++} ++ ++static void xputchar(int c) ++{ ++ int ret; ++ ++ ret = putchar(c); ++ if (ret == EOF) { ++ perror("fixdep"); ++ exit(1); ++ } ++} ++ + /* + * Print out a dependency path from a symbol name + */ +@@ -116,7 +147,7 @@ static void print_dep(const char *m, int slen, const char *dir) + { + int c, prev_c = '/', i; + +- printf(" $(wildcard %s/", dir); ++ xprintf(" $(wildcard %s/", dir); + for (i = 0; i < slen; i++) { + c = m[i]; + if (c == '_') +@@ -124,10 +155,10 @@ static void print_dep(const char *m, int slen, const char *dir) + else + c = tolower(c); + if (c != '/' || prev_c != '/') +- putchar(c); ++ xputchar(c); + prev_c = c; + } +- printf(".h) \\\n"); ++ xprintf(".h) \\\n"); + } + + struct item { +@@ -324,13 +355,13 @@ static void parse_dep_file(char *m, const char *target) + */ + if (!saw_any_target) { + saw_any_target = 1; +- printf("source_%s := %s\n\n", +- target, m); +- printf("deps_%s := \\\n", target); ++ xprintf("source_%s := %s\n\n", ++ target, m); ++ xprintf("deps_%s := \\\n", target); + } + is_first_dep = 0; + } else { +- printf(" %s \\\n", m); ++ xprintf(" %s \\\n", m); + } + + buf = read_file(m); +@@ -353,8 +384,8 @@ static void parse_dep_file(char *m, const char *target) + exit(1); + } + +- printf("\n%s: $(deps_%s)\n\n", target, target); +- printf("$(deps_%s):\n", target); ++ xprintf("\n%s: $(deps_%s)\n\n", target, target); ++ xprintf("$(deps_%s):\n", target); + } + + int main(int argc, char *argv[]) +@@ -369,7 +400,7 @@ int main(int argc, char *argv[]) + target = argv[2]; + cmdline = argv[3]; + +- printf("cmd_%s := %s\n\n", target, cmdline); ++ xprintf("cmd_%s := %s\n\n", target, cmdline); + + buf = read_file(depfile); + parse_dep_file(buf, target); +-- +2.20.1 + diff --git a/queue-5.2/genksyms-teach-parser-about-128-bit-built-in-types.patch b/queue-5.2/genksyms-teach-parser-about-128-bit-built-in-types.patch new file mode 100644 index 00000000000..4461b66e99e --- /dev/null +++ b/queue-5.2/genksyms-teach-parser-about-128-bit-built-in-types.patch @@ -0,0 +1,67 @@ +From 222eba53c93af5feec41c0319b14245bd089435e Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Tue, 18 Jun 2019 14:10:48 +0100 +Subject: genksyms: Teach parser about 128-bit built-in types + +[ Upstream commit a222061b85234d8a44486a46bd4df7e2cda52385 ] + +__uint128_t crops up in a few files that export symbols to modules, so +teach genksyms about it and the other GCC built-in 128-bit integer types +so that we don't end up skipping the CRC generation for some symbols due +to the parser failing to spot them: + + | WARNING: EXPORT symbol "kernel_neon_begin" [vmlinux] version + | generation failed, symbol will not be versioned. + | ld: arch/arm64/kernel/fpsimd.o: relocation R_AARCH64_ABS32 against + | `__crc_kernel_neon_begin' can not be used when making a shared + | object + | ld: arch/arm64/kernel/fpsimd.o:(.data+0x0): dangerous relocation: + | unsupported relocation + +Reported-by: Arnd Bergmann +Signed-off-by: Will Deacon +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/genksyms/keywords.c | 4 ++++ + scripts/genksyms/parse.y | 2 ++ + 2 files changed, 6 insertions(+) + +diff --git a/scripts/genksyms/keywords.c b/scripts/genksyms/keywords.c +index e93336baaaed..c586d32dd2c3 100644 +--- a/scripts/genksyms/keywords.c ++++ b/scripts/genksyms/keywords.c +@@ -25,6 +25,10 @@ static struct resword { + { "__volatile__", VOLATILE_KEYW }, + { "__builtin_va_list", VA_LIST_KEYW }, + ++ { "__int128", BUILTIN_INT_KEYW }, ++ { "__int128_t", BUILTIN_INT_KEYW }, ++ { "__uint128_t", BUILTIN_INT_KEYW }, ++ + // According to rth, c99 defines "_Bool", __restrict", __restrict__", "restrict". KAO + { "_Bool", BOOL_KEYW }, + { "_restrict", RESTRICT_KEYW }, +diff --git a/scripts/genksyms/parse.y b/scripts/genksyms/parse.y +index 00a6d7e54971..1ebcf52cd0f9 100644 +--- a/scripts/genksyms/parse.y ++++ b/scripts/genksyms/parse.y +@@ -76,6 +76,7 @@ static void record_compound(struct string_list **keyw, + %token ATTRIBUTE_KEYW + %token AUTO_KEYW + %token BOOL_KEYW ++%token BUILTIN_INT_KEYW + %token CHAR_KEYW + %token CONST_KEYW + %token DOUBLE_KEYW +@@ -263,6 +264,7 @@ simple_type_specifier: + | VOID_KEYW + | BOOL_KEYW + | VA_LIST_KEYW ++ | BUILTIN_INT_KEYW + | TYPE { (*$1)->tag = SYM_TYPEDEF; $$ = $1; } + ; + +-- +2.20.1 + diff --git a/queue-5.2/gpu-host1x-increase-maximum-dma-segment-size.patch b/queue-5.2/gpu-host1x-increase-maximum-dma-segment-size.patch new file mode 100644 index 00000000000..141aa2827dd --- /dev/null +++ b/queue-5.2/gpu-host1x-increase-maximum-dma-segment-size.patch @@ -0,0 +1,56 @@ +From 7d35b2f623bfc530192a9b799bbc5d7848fb9194 Mon Sep 17 00:00:00 2001 +From: Thierry Reding +Date: Wed, 5 Jun 2019 10:46:05 +0200 +Subject: gpu: host1x: Increase maximum DMA segment size + +[ Upstream commit 1e390478cfb527e34c9ab89ba57212cb05c33c51 ] + +Recent versions of the DMA API debug code have started to warn about +violations of the maximum DMA segment size. This is because the segment +size defaults to 64 KiB, which can easily be exceeded in large buffer +allocations such as used in DRM/KMS for framebuffers. + +Technically the Tegra SMMU and ARM SMMU don't have a maximum segment +size (they map individual pages irrespective of whether they are +contiguous or not), so the choice of 4 MiB is a bit arbitrary here. The +maximum segment size is a 32-bit unsigned integer, though, so we can't +set it to the correct maximum size, which would be the size of the +aperture. + +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/gpu/host1x/bus.c | 3 +++ + include/linux/host1x.h | 2 ++ + 2 files changed, 5 insertions(+) + +diff --git a/drivers/gpu/host1x/bus.c b/drivers/gpu/host1x/bus.c +index 9797ccb0a073..6387302c1245 100644 +--- a/drivers/gpu/host1x/bus.c ++++ b/drivers/gpu/host1x/bus.c +@@ -414,6 +414,9 @@ static int host1x_device_add(struct host1x *host1x, + + of_dma_configure(&device->dev, host1x->dev->of_node, true); + ++ device->dev.dma_parms = &device->dma_parms; ++ dma_set_max_seg_size(&device->dev, SZ_4M); ++ + err = host1x_device_parse_dt(device, driver); + if (err < 0) { + kfree(device); +diff --git a/include/linux/host1x.h b/include/linux/host1x.h +index cfff30b9a62e..e6eea45e1154 100644 +--- a/include/linux/host1x.h ++++ b/include/linux/host1x.h +@@ -297,6 +297,8 @@ struct host1x_device { + struct list_head clients; + + bool registered; ++ ++ struct device_dma_parameters dma_parms; + }; + + static inline struct host1x_device *to_host1x_device(struct device *dev) +-- +2.20.1 + diff --git a/queue-5.2/i2c-nvidia-gpu-resume-ccgx-i2c-client.patch b/queue-5.2/i2c-nvidia-gpu-resume-ccgx-i2c-client.patch new file mode 100644 index 00000000000..869f54c1950 --- /dev/null +++ b/queue-5.2/i2c-nvidia-gpu-resume-ccgx-i2c-client.patch @@ -0,0 +1,76 @@ +From 763e4d6cf23513f6d3181d70779642faaf120186 Mon Sep 17 00:00:00 2001 +From: Ajay Gupta +Date: Fri, 7 Jun 2019 09:34:22 -0700 +Subject: i2c: nvidia-gpu: resume ccgx i2c client + +[ Upstream commit 9f2e244d0a39eb437f98324ac315e605e48636db ] + +Cypress USB Type-C CCGx controller firmware version 3.1.10 +(which is being used in many NVIDIA GPU cards) has known issue of +not triggering interrupt when a USB device is hot plugged to runtime +resume the controller. If any GPU card gets latest kernel with runtime +pm support but does not get latest fixed firmware then also it should +continue to work and therefore a workaround is required to check for +any connector change event + +The workaround is to request runtime resume of i2c client +which is UCSI Cypress CCGx driver. CCG driver will call the ISR +for any connector change event only if NVIDIA GPU has old +CCG firmware with the known issue. + +Signed-off-by: Ajay Gupta +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-nvidia-gpu.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-nvidia-gpu.c b/drivers/i2c/busses/i2c-nvidia-gpu.c +index 1c8f708f212b..ee2412b7459c 100644 +--- a/drivers/i2c/busses/i2c-nvidia-gpu.c ++++ b/drivers/i2c/busses/i2c-nvidia-gpu.c +@@ -51,6 +51,7 @@ struct gpu_i2c_dev { + void __iomem *regs; + struct i2c_adapter adapter; + struct i2c_board_info *gpu_ccgx_ucsi; ++ struct i2c_client *ccgx_client; + }; + + static void gpu_enable_i2c_bus(struct gpu_i2c_dev *i2cd) +@@ -261,8 +262,6 @@ static const struct property_entry ccgx_props[] = { + + static int gpu_populate_client(struct gpu_i2c_dev *i2cd, int irq) + { +- struct i2c_client *ccgx_client; +- + i2cd->gpu_ccgx_ucsi = devm_kzalloc(i2cd->dev, + sizeof(*i2cd->gpu_ccgx_ucsi), + GFP_KERNEL); +@@ -274,8 +273,8 @@ static int gpu_populate_client(struct gpu_i2c_dev *i2cd, int irq) + i2cd->gpu_ccgx_ucsi->addr = 0x8; + i2cd->gpu_ccgx_ucsi->irq = irq; + i2cd->gpu_ccgx_ucsi->properties = ccgx_props; +- ccgx_client = i2c_new_device(&i2cd->adapter, i2cd->gpu_ccgx_ucsi); +- if (!ccgx_client) ++ i2cd->ccgx_client = i2c_new_device(&i2cd->adapter, i2cd->gpu_ccgx_ucsi); ++ if (!i2cd->ccgx_client) + return -ENODEV; + + return 0; +@@ -354,6 +353,13 @@ static __maybe_unused int gpu_i2c_resume(struct device *dev) + struct gpu_i2c_dev *i2cd = dev_get_drvdata(dev); + + gpu_enable_i2c_bus(i2cd); ++ /* ++ * Runtime resume ccgx client so that it can see for any ++ * connector change event. Old ccg firmware has known ++ * issue of not triggering interrupt when a device is ++ * connected to runtime resume the controller. ++ */ ++ pm_request_resume(&i2cd->ccgx_client->dev); + return 0; + } + +-- +2.20.1 + diff --git a/queue-5.2/i2c-stm32f7-fix-the-get_irq-error-cases.patch b/queue-5.2/i2c-stm32f7-fix-the-get_irq-error-cases.patch new file mode 100644 index 00000000000..18bda10a88d --- /dev/null +++ b/queue-5.2/i2c-stm32f7-fix-the-get_irq-error-cases.patch @@ -0,0 +1,86 @@ +From ece5fefcec5f931abbc78f41b2e83e1fc1de1d05 Mon Sep 17 00:00:00 2001 +From: Fabrice Gasnier +Date: Mon, 17 Jun 2019 09:53:01 +0200 +Subject: i2c: stm32f7: fix the get_irq error cases + +[ Upstream commit 79b4499524ed659fb76323efc30f3dc03967c88f ] + +During probe, return the "get_irq" error value instead of -EINVAL which +allows the driver to be deferred probed if needed. +Fix also the case where of_irq_get() returns a negative value. +Note : +On failure of_irq_get() returns 0 or a negative value while +platform_get_irq() returns a negative value. + +Fixes: aeb068c57214 ("i2c: i2c-stm32f7: add driver") +Reviewed-by: Pierre-Yves MORDRET +Signed-off-by: Fabien Dessenne +Signed-off-by: Fabrice Gasnier +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-stm32f7.c | 26 ++++++++++++++------------ + 1 file changed, 14 insertions(+), 12 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-stm32f7.c b/drivers/i2c/busses/i2c-stm32f7.c +index 48337bef5b87..3d90c0bb049e 100644 +--- a/drivers/i2c/busses/i2c-stm32f7.c ++++ b/drivers/i2c/busses/i2c-stm32f7.c +@@ -25,7 +25,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -1816,15 +1815,14 @@ static struct i2c_algorithm stm32f7_i2c_algo = { + + static int stm32f7_i2c_probe(struct platform_device *pdev) + { +- struct device_node *np = pdev->dev.of_node; + struct stm32f7_i2c_dev *i2c_dev; + const struct stm32f7_i2c_setup *setup; + struct resource *res; +- u32 irq_error, irq_event, clk_rate, rise_time, fall_time; ++ u32 clk_rate, rise_time, fall_time; + struct i2c_adapter *adap; + struct reset_control *rst; + dma_addr_t phy_addr; +- int ret; ++ int irq_error, irq_event, ret; + + i2c_dev = devm_kzalloc(&pdev->dev, sizeof(*i2c_dev), GFP_KERNEL); + if (!i2c_dev) +@@ -1836,16 +1834,20 @@ static int stm32f7_i2c_probe(struct platform_device *pdev) + return PTR_ERR(i2c_dev->base); + phy_addr = (dma_addr_t)res->start; + +- irq_event = irq_of_parse_and_map(np, 0); +- if (!irq_event) { +- dev_err(&pdev->dev, "IRQ event missing or invalid\n"); +- return -EINVAL; ++ irq_event = platform_get_irq(pdev, 0); ++ if (irq_event <= 0) { ++ if (irq_event != -EPROBE_DEFER) ++ dev_err(&pdev->dev, "Failed to get IRQ event: %d\n", ++ irq_event); ++ return irq_event ? : -ENOENT; + } + +- irq_error = irq_of_parse_and_map(np, 1); +- if (!irq_error) { +- dev_err(&pdev->dev, "IRQ error missing or invalid\n"); +- return -EINVAL; ++ irq_error = platform_get_irq(pdev, 1); ++ if (irq_error <= 0) { ++ if (irq_error != -EPROBE_DEFER) ++ dev_err(&pdev->dev, "Failed to get IRQ error: %d\n", ++ irq_error); ++ return irq_error ? : -ENOENT; + } + + i2c_dev->clk = devm_clk_get(&pdev->dev, NULL); +-- +2.20.1 + diff --git a/queue-5.2/ib-ipoib-add-child-to-parent-list-only-if-device-ini.patch b/queue-5.2/ib-ipoib-add-child-to-parent-list-only-if-device-ini.patch new file mode 100644 index 00000000000..381a2e2a790 --- /dev/null +++ b/queue-5.2/ib-ipoib-add-child-to-parent-list-only-if-device-ini.patch @@ -0,0 +1,95 @@ +From 9eba68a69d04b362a085ee4580749c827997016d Mon Sep 17 00:00:00 2001 +From: Valentine Fatiev +Date: Sun, 30 Jun 2019 16:48:41 +0300 +Subject: IB/ipoib: Add child to parent list only if device initialized + +[ Upstream commit 91b01061fef9c57d2f5b712a6322ef51061f4efd ] + +Despite failure in ipoib_dev_init() we continue with initialization flow +and creation of child device. It causes to the situation where this child +device is added too early to parent device list. + +Change the logic, so in case of failure we properly return error from +ipoib_dev_init() and add child only in success path. + +Fixes: eaeb39842508 ("IB/ipoib: Move init code to ndo_init") +Signed-off-by: Valentine Fatiev +Reviewed-by: Feras Daoud +Signed-off-by: Leon Romanovsky +Reviewed-by: Jason Gunthorpe +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/ipoib/ipoib_main.c | 34 +++++++++++++---------- + 1 file changed, 20 insertions(+), 14 deletions(-) + +diff --git a/drivers/infiniband/ulp/ipoib/ipoib_main.c b/drivers/infiniband/ulp/ipoib/ipoib_main.c +index 04ea7db08e87..ac0583ff280d 100644 +--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c ++++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c +@@ -1893,12 +1893,6 @@ static void ipoib_child_init(struct net_device *ndev) + struct ipoib_dev_priv *priv = ipoib_priv(ndev); + struct ipoib_dev_priv *ppriv = ipoib_priv(priv->parent); + +- dev_hold(priv->parent); +- +- down_write(&ppriv->vlan_rwsem); +- list_add_tail(&priv->list, &ppriv->child_intfs); +- up_write(&ppriv->vlan_rwsem); +- + priv->max_ib_mtu = ppriv->max_ib_mtu; + set_bit(IPOIB_FLAG_SUBINTERFACE, &priv->flags); + memcpy(priv->dev->dev_addr, ppriv->dev->dev_addr, INFINIBAND_ALEN); +@@ -1941,6 +1935,17 @@ static int ipoib_ndo_init(struct net_device *ndev) + if (rc) { + pr_warn("%s: failed to initialize device: %s port %d (ret = %d)\n", + priv->ca->name, priv->dev->name, priv->port, rc); ++ return rc; ++ } ++ ++ if (priv->parent) { ++ struct ipoib_dev_priv *ppriv = ipoib_priv(priv->parent); ++ ++ dev_hold(priv->parent); ++ ++ down_write(&ppriv->vlan_rwsem); ++ list_add_tail(&priv->list, &ppriv->child_intfs); ++ up_write(&ppriv->vlan_rwsem); + } + + return 0; +@@ -1958,6 +1963,14 @@ static void ipoib_ndo_uninit(struct net_device *dev) + */ + WARN_ON(!list_empty(&priv->child_intfs)); + ++ if (priv->parent) { ++ struct ipoib_dev_priv *ppriv = ipoib_priv(priv->parent); ++ ++ down_write(&ppriv->vlan_rwsem); ++ list_del(&priv->list); ++ up_write(&ppriv->vlan_rwsem); ++ } ++ + ipoib_neigh_hash_uninit(dev); + + ipoib_ib_dev_cleanup(dev); +@@ -1969,15 +1982,8 @@ static void ipoib_ndo_uninit(struct net_device *dev) + priv->wq = NULL; + } + +- if (priv->parent) { +- struct ipoib_dev_priv *ppriv = ipoib_priv(priv->parent); +- +- down_write(&ppriv->vlan_rwsem); +- list_del(&priv->list); +- up_write(&ppriv->vlan_rwsem); +- ++ if (priv->parent) + dev_put(priv->parent); +- } + } + + static int ipoib_set_vf_link_state(struct net_device *dev, int vf, int link_state) +-- +2.20.1 + diff --git a/queue-5.2/ib-mlx5-fixed-reporting-counters-on-2nd-port-for-dua.patch b/queue-5.2/ib-mlx5-fixed-reporting-counters-on-2nd-port-for-dua.patch new file mode 100644 index 00000000000..db2e13af51f --- /dev/null +++ b/queue-5.2/ib-mlx5-fixed-reporting-counters-on-2nd-port-for-dua.patch @@ -0,0 +1,178 @@ +From 267bc265244b9f261adc65a9beac9a65df587603 Mon Sep 17 00:00:00 2001 +From: Parav Pandit +Date: Sun, 30 Jun 2019 10:52:52 +0300 +Subject: IB/mlx5: Fixed reporting counters on 2nd port for Dual port RoCE + +[ Upstream commit 2f40cf30c8644360d37287861d5288f00eab35e5 ] + +Currently during dual port IB device registration in below code flow, + +ib_register_device() + ib_device_register_sysfs() + ib_setup_port_attrs() + add_port() + get_counter_table() + get_perf_mad() + process_mad() + mlx5_ib_process_mad() + +mlx5_ib_process_mad() fails on 2nd port when both the ports are not fully +setup at the device level (because 2nd port is unaffiliated). + +As a result, get_perf_mad() registers different PMA counter group for 1st +and 2nd port, namely pma_counter_ext and pma_counter. However both ports +have the same capability and counter offsets. + +Due to this when counters are read by the user via sysfs in below code +flow, counters are queried from wrong location from the device mainly from +PPCNT instead of VPORT counters. + +show_pma_counter() + get_perf_mad() + process_mad() + mlx5_ib_process_mad() + process_pma_cmd() + +This shows all zero counters for 2nd port. + +To overcome this, process_pma_cmd() is invoked, and when unaffiliated port +is not yet setup during device registration phase, make the query on the +first port. while at it, only process_pma_cmd() needs to work on the +native port number and underlying mdev, so shift the get, put calls to +where its needed inside process_pma_cmd(). + +Fixes: 212f2a87b74f ("IB/mlx5: Route MADs for dual port RoCE") +Signed-off-by: Parav Pandit +Reviewed-by: Daniel Jurgens +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/mad.c | 60 +++++++++++++++++++------------- + 1 file changed, 36 insertions(+), 24 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx5/mad.c b/drivers/infiniband/hw/mlx5/mad.c +index 6c529e6f3a01..348c1df69cdc 100644 +--- a/drivers/infiniband/hw/mlx5/mad.c ++++ b/drivers/infiniband/hw/mlx5/mad.c +@@ -200,19 +200,33 @@ static void pma_cnt_assign(struct ib_pma_portcounters *pma_cnt, + vl_15_dropped); + } + +-static int process_pma_cmd(struct mlx5_core_dev *mdev, u8 port_num, ++static int process_pma_cmd(struct mlx5_ib_dev *dev, u8 port_num, + const struct ib_mad *in_mad, struct ib_mad *out_mad) + { +- int err; ++ struct mlx5_core_dev *mdev; ++ bool native_port = true; ++ u8 mdev_port_num; + void *out_cnt; ++ int err; + ++ mdev = mlx5_ib_get_native_port_mdev(dev, port_num, &mdev_port_num); ++ if (!mdev) { ++ /* Fail to get the native port, likely due to 2nd port is still ++ * unaffiliated. In such case default to 1st port and attached ++ * PF device. ++ */ ++ native_port = false; ++ mdev = dev->mdev; ++ mdev_port_num = 1; ++ } + /* Declaring support of extended counters */ + if (in_mad->mad_hdr.attr_id == IB_PMA_CLASS_PORT_INFO) { + struct ib_class_port_info cpi = {}; + + cpi.capability_mask = IB_PMA_CLASS_CAP_EXT_WIDTH; + memcpy((out_mad->data + 40), &cpi, sizeof(cpi)); +- return IB_MAD_RESULT_SUCCESS | IB_MAD_RESULT_REPLY; ++ err = IB_MAD_RESULT_SUCCESS | IB_MAD_RESULT_REPLY; ++ goto done; + } + + if (in_mad->mad_hdr.attr_id == IB_PMA_PORT_COUNTERS_EXT) { +@@ -221,11 +235,13 @@ static int process_pma_cmd(struct mlx5_core_dev *mdev, u8 port_num, + int sz = MLX5_ST_SZ_BYTES(query_vport_counter_out); + + out_cnt = kvzalloc(sz, GFP_KERNEL); +- if (!out_cnt) +- return IB_MAD_RESULT_FAILURE; ++ if (!out_cnt) { ++ err = IB_MAD_RESULT_FAILURE; ++ goto done; ++ } + + err = mlx5_core_query_vport_counter(mdev, 0, 0, +- port_num, out_cnt, sz); ++ mdev_port_num, out_cnt, sz); + if (!err) + pma_cnt_ext_assign(pma_cnt_ext, out_cnt); + } else { +@@ -234,20 +250,23 @@ static int process_pma_cmd(struct mlx5_core_dev *mdev, u8 port_num, + int sz = MLX5_ST_SZ_BYTES(ppcnt_reg); + + out_cnt = kvzalloc(sz, GFP_KERNEL); +- if (!out_cnt) +- return IB_MAD_RESULT_FAILURE; ++ if (!out_cnt) { ++ err = IB_MAD_RESULT_FAILURE; ++ goto done; ++ } + +- err = mlx5_core_query_ib_ppcnt(mdev, port_num, ++ err = mlx5_core_query_ib_ppcnt(mdev, mdev_port_num, + out_cnt, sz); + if (!err) + pma_cnt_assign(pma_cnt, out_cnt); +- } +- ++ } + kvfree(out_cnt); +- if (err) +- return IB_MAD_RESULT_FAILURE; +- +- return IB_MAD_RESULT_SUCCESS | IB_MAD_RESULT_REPLY; ++ err = err ? IB_MAD_RESULT_FAILURE : ++ IB_MAD_RESULT_SUCCESS | IB_MAD_RESULT_REPLY; ++done: ++ if (native_port) ++ mlx5_ib_put_native_port_mdev(dev, port_num); ++ return err; + } + + int mlx5_ib_process_mad(struct ib_device *ibdev, int mad_flags, u8 port_num, +@@ -259,8 +278,6 @@ int mlx5_ib_process_mad(struct ib_device *ibdev, int mad_flags, u8 port_num, + struct mlx5_ib_dev *dev = to_mdev(ibdev); + const struct ib_mad *in_mad = (const struct ib_mad *)in; + struct ib_mad *out_mad = (struct ib_mad *)out; +- struct mlx5_core_dev *mdev; +- u8 mdev_port_num; + int ret; + + if (WARN_ON_ONCE(in_mad_size != sizeof(*in_mad) || +@@ -269,19 +286,14 @@ int mlx5_ib_process_mad(struct ib_device *ibdev, int mad_flags, u8 port_num, + + memset(out_mad->data, 0, sizeof(out_mad->data)); + +- mdev = mlx5_ib_get_native_port_mdev(dev, port_num, &mdev_port_num); +- if (!mdev) +- return IB_MAD_RESULT_FAILURE; +- +- if (MLX5_CAP_GEN(mdev, vport_counters) && ++ if (MLX5_CAP_GEN(dev->mdev, vport_counters) && + in_mad->mad_hdr.mgmt_class == IB_MGMT_CLASS_PERF_MGMT && + in_mad->mad_hdr.method == IB_MGMT_METHOD_GET) { +- ret = process_pma_cmd(mdev, mdev_port_num, in_mad, out_mad); ++ ret = process_pma_cmd(dev, port_num, in_mad, out_mad); + } else { + ret = process_mad(ibdev, mad_flags, port_num, in_wc, in_grh, + in_mad, out_mad); + } +- mlx5_ib_put_native_port_mdev(dev, port_num); + return ret; + } + +-- +2.20.1 + diff --git a/queue-5.2/iio-adc-stm32-dfsdm-manage-the-get_irq-error-case.patch b/queue-5.2/iio-adc-stm32-dfsdm-manage-the-get_irq-error-case.patch new file mode 100644 index 00000000000..1c117346002 --- /dev/null +++ b/queue-5.2/iio-adc-stm32-dfsdm-manage-the-get_irq-error-case.patch @@ -0,0 +1,37 @@ +From 33dd582e06cbcbcfc29c6b768f58647f683b0b73 Mon Sep 17 00:00:00 2001 +From: Fabien Dessenne +Date: Wed, 24 Apr 2019 14:51:25 +0200 +Subject: iio: adc: stm32-dfsdm: manage the get_irq error case + +[ Upstream commit 3e53ef91f826957dec013c47707ffc1bb42b42d7 ] + +During probe, check the "get_irq" error value. + +Signed-off-by: Fabien Dessenne +Acked-by: Fabrice Gasnier +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/stm32-dfsdm-adc.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/iio/adc/stm32-dfsdm-adc.c b/drivers/iio/adc/stm32-dfsdm-adc.c +index 19adc2b23472..588907cc3b6b 100644 +--- a/drivers/iio/adc/stm32-dfsdm-adc.c ++++ b/drivers/iio/adc/stm32-dfsdm-adc.c +@@ -1456,6 +1456,12 @@ static int stm32_dfsdm_adc_probe(struct platform_device *pdev) + * So IRQ associated to filter instance 0 is dedicated to the Filter 0. + */ + irq = platform_get_irq(pdev, 0); ++ if (irq < 0) { ++ if (irq != -EPROBE_DEFER) ++ dev_err(dev, "Failed to get IRQ: %d\n", irq); ++ return irq; ++ } ++ + ret = devm_request_irq(dev, irq, stm32_dfsdm_irq, + 0, pdev->name, adc); + if (ret < 0) { +-- +2.20.1 + diff --git a/queue-5.2/iio-adc-stm32-dfsdm-missing-error-case-during-probe.patch b/queue-5.2/iio-adc-stm32-dfsdm-missing-error-case-during-probe.patch new file mode 100644 index 00000000000..99112ed1e76 --- /dev/null +++ b/queue-5.2/iio-adc-stm32-dfsdm-missing-error-case-during-probe.patch @@ -0,0 +1,47 @@ +From bccc3df340f031fa9fb7c66ae41a85c36918321c Mon Sep 17 00:00:00 2001 +From: Fabien Dessenne +Date: Wed, 24 Apr 2019 14:51:26 +0200 +Subject: iio: adc: stm32-dfsdm: missing error case during probe + +[ Upstream commit d2fc0156963cae8f1eec8e2dd645fbbf1e1c1c8e ] + +During probe, check the devm_ioremap_resource() error value. +Also return the devm_clk_get() error value instead of -EINVAL. + +Signed-off-by: Fabien Dessenne +Acked-by: Fabrice Gasnier +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/stm32-dfsdm-core.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/iio/adc/stm32-dfsdm-core.c b/drivers/iio/adc/stm32-dfsdm-core.c +index 0a4d3746d21c..26e2011c5868 100644 +--- a/drivers/iio/adc/stm32-dfsdm-core.c ++++ b/drivers/iio/adc/stm32-dfsdm-core.c +@@ -233,6 +233,8 @@ static int stm32_dfsdm_parse_of(struct platform_device *pdev, + } + priv->dfsdm.phys_base = res->start; + priv->dfsdm.base = devm_ioremap_resource(&pdev->dev, res); ++ if (IS_ERR(priv->dfsdm.base)) ++ return PTR_ERR(priv->dfsdm.base); + + /* + * "dfsdm" clock is mandatory for DFSDM peripheral clocking. +@@ -242,8 +244,10 @@ static int stm32_dfsdm_parse_of(struct platform_device *pdev, + */ + priv->clk = devm_clk_get(&pdev->dev, "dfsdm"); + if (IS_ERR(priv->clk)) { +- dev_err(&pdev->dev, "No stm32_dfsdm_clk clock found\n"); +- return -EINVAL; ++ ret = PTR_ERR(priv->clk); ++ if (ret != -EPROBE_DEFER) ++ dev_err(&pdev->dev, "Failed to get clock (%d)\n", ret); ++ return ret; + } + + priv->aclk = devm_clk_get(&pdev->dev, "audio"); +-- +2.20.1 + diff --git a/queue-5.2/iio-adxl372-fix-iio_triggered_buffer_-pre-post-enabl.patch b/queue-5.2/iio-adxl372-fix-iio_triggered_buffer_-pre-post-enabl.patch new file mode 100644 index 00000000000..06f9141c829 --- /dev/null +++ b/queue-5.2/iio-adxl372-fix-iio_triggered_buffer_-pre-post-enabl.patch @@ -0,0 +1,91 @@ +From 9cdbfaffca4f18b37746bd044852299e91df9998 Mon Sep 17 00:00:00 2001 +From: Alexandru Ardelean +Date: Wed, 29 May 2019 16:01:08 +0300 +Subject: iio: adxl372: fix iio_triggered_buffer_{pre,post}enable positions + +[ Upstream commit 0e4f0b42f42d88507b48282c8915f502551534e4 ] + +The iio_triggered_buffer_{predisable,postenable} functions attach/detach +the poll functions. + +For the predisable hook, the disable code should occur before detaching +the poll func, and for the postenable hook, the poll func should be +attached before the enable code. + +Signed-off-by: Alexandru Ardelean +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/accel/adxl372.c | 27 ++++++++++++++++----------- + 1 file changed, 16 insertions(+), 11 deletions(-) + +diff --git a/drivers/iio/accel/adxl372.c b/drivers/iio/accel/adxl372.c +index 3b84cb243a87..055227cb3d43 100644 +--- a/drivers/iio/accel/adxl372.c ++++ b/drivers/iio/accel/adxl372.c +@@ -782,10 +782,14 @@ static int adxl372_buffer_postenable(struct iio_dev *indio_dev) + unsigned int mask; + int i, ret; + +- ret = adxl372_set_interrupts(st, ADXL372_INT1_MAP_FIFO_FULL_MSK, 0); ++ ret = iio_triggered_buffer_postenable(indio_dev); + if (ret < 0) + return ret; + ++ ret = adxl372_set_interrupts(st, ADXL372_INT1_MAP_FIFO_FULL_MSK, 0); ++ if (ret < 0) ++ goto err; ++ + mask = *indio_dev->active_scan_mask; + + for (i = 0; i < ARRAY_SIZE(adxl372_axis_lookup_table); i++) { +@@ -793,8 +797,10 @@ static int adxl372_buffer_postenable(struct iio_dev *indio_dev) + break; + } + +- if (i == ARRAY_SIZE(adxl372_axis_lookup_table)) +- return -EINVAL; ++ if (i == ARRAY_SIZE(adxl372_axis_lookup_table)) { ++ ret = -EINVAL; ++ goto err; ++ } + + st->fifo_format = adxl372_axis_lookup_table[i].fifo_format; + st->fifo_set_size = bitmap_weight(indio_dev->active_scan_mask, +@@ -814,26 +820,25 @@ static int adxl372_buffer_postenable(struct iio_dev *indio_dev) + if (ret < 0) { + st->fifo_mode = ADXL372_FIFO_BYPASSED; + adxl372_set_interrupts(st, 0, 0); +- return ret; ++ goto err; + } + +- return iio_triggered_buffer_postenable(indio_dev); ++ return 0; ++ ++err: ++ iio_triggered_buffer_predisable(indio_dev); ++ return ret; + } + + static int adxl372_buffer_predisable(struct iio_dev *indio_dev) + { + struct adxl372_state *st = iio_priv(indio_dev); +- int ret; +- +- ret = iio_triggered_buffer_predisable(indio_dev); +- if (ret < 0) +- return ret; + + adxl372_set_interrupts(st, 0, 0); + st->fifo_mode = ADXL372_FIFO_BYPASSED; + adxl372_configure_fifo(st); + +- return 0; ++ return iio_triggered_buffer_predisable(indio_dev); + } + + static const struct iio_buffer_setup_ops adxl372_buffer_ops = { +-- +2.20.1 + diff --git a/queue-5.2/iio-iio-utils-fix-possible-incorrect-mask-calculatio.patch b/queue-5.2/iio-iio-utils-fix-possible-incorrect-mask-calculatio.patch new file mode 100644 index 00000000000..bd770874151 --- /dev/null +++ b/queue-5.2/iio-iio-utils-fix-possible-incorrect-mask-calculatio.patch @@ -0,0 +1,53 @@ +From dec82adc7b6144e9a44e85f79cc3557d3b750762 Mon Sep 17 00:00:00 2001 +From: Bastien Nocera +Date: Thu, 27 Jun 2019 09:20:45 +0200 +Subject: iio: iio-utils: Fix possible incorrect mask calculation + +[ Upstream commit 208a68c8393d6041a90862992222f3d7943d44d6 ] + +On some machines, iio-sensor-proxy was returning all 0's for IIO sensor +values. It turns out that the bits_used for this sensor is 32, which makes +the mask calculation: + +*mask = (1 << 32) - 1; + +If the compiler interprets the 1 literals as 32-bit ints, it generates +undefined behavior depending on compiler version and optimization level. +On my system, it optimizes out the shift, so the mask value becomes + +*mask = (1) - 1; + +With a mask value of 0, iio-sensor-proxy will always return 0 for every axis. + +Avoid incorrect 0 values caused by compiler optimization. + +See original fix by Brett Dutro in +iio-sensor-proxy: +https://github.com/hadess/iio-sensor-proxy/commit/9615ceac7c134d838660e209726cd86aa2064fd3 + +Signed-off-by: Bastien Nocera +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + tools/iio/iio_utils.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/iio/iio_utils.c b/tools/iio/iio_utils.c +index a22b6e8fad46..7399eb7f1378 100644 +--- a/tools/iio/iio_utils.c ++++ b/tools/iio/iio_utils.c +@@ -156,9 +156,9 @@ int iioutils_get_type(unsigned *is_signed, unsigned *bytes, unsigned *bits_used, + *be = (endianchar == 'b'); + *bytes = padint / 8; + if (*bits_used == 64) +- *mask = ~0; ++ *mask = ~(0ULL); + else +- *mask = (1ULL << *bits_used) - 1; ++ *mask = (1ULL << *bits_used) - 1ULL; + + *is_signed = (signchar == 's'); + if (fclose(sysfsfp)) { +-- +2.20.1 + diff --git a/queue-5.2/io_uring-fix-io_sq_thread_stop-running-in-front-of-i.patch b/queue-5.2/io_uring-fix-io_sq_thread_stop-running-in-front-of-i.patch new file mode 100644 index 00000000000..9bf65a5a2c8 --- /dev/null +++ b/queue-5.2/io_uring-fix-io_sq_thread_stop-running-in-front-of-i.patch @@ -0,0 +1,121 @@ +From 5d2a5d4c52e18c7b54f9e915cd7bbf50754c75fb Mon Sep 17 00:00:00 2001 +From: Jackie Liu +Date: Mon, 8 Jul 2019 13:41:12 +0800 +Subject: io_uring: fix io_sq_thread_stop running in front of io_sq_thread + +[ Upstream commit a4c0b3decb33fb4a2b5ecc6234a50680f0b21e7d ] + +INFO: task syz-executor.5:8634 blocked for more than 143 seconds. + Not tainted 5.2.0-rc5+ #3 +"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. +syz-executor.5 D25632 8634 8224 0x00004004 +Call Trace: + context_switch kernel/sched/core.c:2818 [inline] + __schedule+0x658/0x9e0 kernel/sched/core.c:3445 + schedule+0x131/0x1d0 kernel/sched/core.c:3509 + schedule_timeout+0x9a/0x2b0 kernel/time/timer.c:1783 + do_wait_for_common+0x35e/0x5a0 kernel/sched/completion.c:83 + __wait_for_common kernel/sched/completion.c:104 [inline] + wait_for_common kernel/sched/completion.c:115 [inline] + wait_for_completion+0x47/0x60 kernel/sched/completion.c:136 + kthread_stop+0xb4/0x150 kernel/kthread.c:559 + io_sq_thread_stop fs/io_uring.c:2252 [inline] + io_finish_async fs/io_uring.c:2259 [inline] + io_ring_ctx_free fs/io_uring.c:2770 [inline] + io_ring_ctx_wait_and_kill+0x268/0x880 fs/io_uring.c:2834 + io_uring_release+0x5d/0x70 fs/io_uring.c:2842 + __fput+0x2e4/0x740 fs/file_table.c:280 + ____fput+0x15/0x20 fs/file_table.c:313 + task_work_run+0x17e/0x1b0 kernel/task_work.c:113 + tracehook_notify_resume include/linux/tracehook.h:185 [inline] + exit_to_usermode_loop arch/x86/entry/common.c:168 [inline] + prepare_exit_to_usermode+0x402/0x4f0 arch/x86/entry/common.c:199 + syscall_return_slowpath+0x110/0x440 arch/x86/entry/common.c:279 + do_syscall_64+0x126/0x140 arch/x86/entry/common.c:304 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x412fb1 +Code: 80 3b 7c 0f 84 c7 02 00 00 c7 85 d0 00 00 00 00 00 00 00 48 8b 05 cf +a6 24 00 49 8b 14 24 41 b9 cb 2a 44 00 48 89 ee 48 89 df <48> 85 c0 4c 0f +45 c8 45 31 c0 31 c9 e8 0e 5b 00 00 85 c0 41 89 c7 +RSP: 002b:00007ffe7ee6a180 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 +RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000412fb1 +RDX: 0000001b2d920000 RSI: 0000000000000000 RDI: 0000000000000003 +RBP: 0000000000000001 R08: 00000000f3a3e1f8 R09: 00000000f3a3e1fc +R10: 00007ffe7ee6a260 R11: 0000000000000293 R12: 000000000075c9a0 +R13: 000000000075c9a0 R14: 0000000000024c00 R15: 000000000075bf2c + +============================================= + +There is an wrong logic, when kthread_park running +in front of io_sq_thread. + +CPU#0 CPU#1 + +io_sq_thread_stop: int kthread(void *_create): + +kthread_park() + __kthread_parkme(self); <<< Wrong +kthread_stop() + << wait for self->exited + << clear_bit KTHREAD_SHOULD_PARK + + ret = threadfn(data); + | + |- io_sq_thread + |- kthread_should_park() << false + |- schedule() <<< nobody wake up + +stuck CPU#0 stuck CPU#1 + +So, use a new variable sqo_thread_started to ensure that io_sq_thread +run first, then io_sq_thread_stop. + +Reported-by: syzbot+94324416c485d422fe15@syzkaller.appspotmail.com +Suggested-by: Jens Axboe +Signed-off-by: Jackie Liu +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + fs/io_uring.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/fs/io_uring.c b/fs/io_uring.c +index 4ef62a45045d..fef2cd44b2ac 100644 +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -231,6 +231,7 @@ struct io_ring_ctx { + struct task_struct *sqo_thread; /* if using sq thread polling */ + struct mm_struct *sqo_mm; + wait_queue_head_t sqo_wait; ++ struct completion sqo_thread_started; + + struct { + /* CQ ring */ +@@ -403,6 +404,7 @@ static struct io_ring_ctx *io_ring_ctx_alloc(struct io_uring_params *p) + ctx->flags = p->flags; + init_waitqueue_head(&ctx->cq_wait); + init_completion(&ctx->ctx_done); ++ init_completion(&ctx->sqo_thread_started); + mutex_init(&ctx->uring_lock); + init_waitqueue_head(&ctx->wait); + for (i = 0; i < ARRAY_SIZE(ctx->pending_async); i++) { +@@ -2009,6 +2011,8 @@ static int io_sq_thread(void *data) + unsigned inflight; + unsigned long timeout; + ++ complete(&ctx->sqo_thread_started); ++ + old_fs = get_fs(); + set_fs(USER_DS); + +@@ -2243,6 +2247,7 @@ static int io_sqe_files_unregister(struct io_ring_ctx *ctx) + static void io_sq_thread_stop(struct io_ring_ctx *ctx) + { + if (ctx->sqo_thread) { ++ wait_for_completion(&ctx->sqo_thread_started); + /* + * The park is a bit of a work-around, without it we get + * warning spews on shutdown with SQPOLL set and affinity +-- +2.20.1 + diff --git a/queue-5.2/ipmi_si-fix-unexpected-driver-unregister-warning.patch b/queue-5.2/ipmi_si-fix-unexpected-driver-unregister-warning.patch new file mode 100644 index 00000000000..82d09f3d9b9 --- /dev/null +++ b/queue-5.2/ipmi_si-fix-unexpected-driver-unregister-warning.patch @@ -0,0 +1,58 @@ +From 7cdd0498faba4f319ec425635c401693c4d1c4c9 Mon Sep 17 00:00:00 2001 +From: Kefeng Wang +Date: Fri, 17 May 2019 18:12:44 +0800 +Subject: ipmi_si: fix unexpected driver unregister warning + +[ Upstream commit 2f66353963043e1d8dfacfbdf509acc5d3be7698 ] + +If ipmi_si_platform_init()->platform_driver_register() fails, +platform_driver_unregister() called unconditionally will trigger +following warning, + +ipmi_platform: Unable to register driver: -12 +------------[ cut here ]------------ +Unexpected driver unregister! +WARNING: CPU: 1 PID: 7210 at drivers/base/driver.c:193 driver_unregister+0x60/0x70 drivers/base/driver.c:193 + +Fix it by adding platform_registered variable, only unregister platform +driver when it is already successfully registered. + +Reported-by: Hulk Robot +Signed-off-by: Kefeng Wang +Message-Id: <20190517101245.4341-1-wangkefeng.wang@huawei.com> + +Signed-off-by: Corey Minyard +Signed-off-by: Sasha Levin +--- + drivers/char/ipmi/ipmi_si_platform.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/char/ipmi/ipmi_si_platform.c b/drivers/char/ipmi/ipmi_si_platform.c +index f2a91c4d8cab..0cd849675d99 100644 +--- a/drivers/char/ipmi/ipmi_si_platform.c ++++ b/drivers/char/ipmi/ipmi_si_platform.c +@@ -19,6 +19,7 @@ + #include "ipmi_si.h" + #include "ipmi_dmi.h" + ++static bool platform_registered; + static bool si_tryplatform = true; + #ifdef CONFIG_ACPI + static bool si_tryacpi = true; +@@ -469,9 +470,12 @@ void ipmi_si_platform_init(void) + int rv = platform_driver_register(&ipmi_platform_driver); + if (rv) + pr_err("Unable to register driver: %d\n", rv); ++ else ++ platform_registered = true; + } + + void ipmi_si_platform_shutdown(void) + { +- platform_driver_unregister(&ipmi_platform_driver); ++ if (platform_registered) ++ platform_driver_unregister(&ipmi_platform_driver); + } +-- +2.20.1 + diff --git a/queue-5.2/ipmi_ssif-fix-unexpected-driver-unregister-warning.patch b/queue-5.2/ipmi_ssif-fix-unexpected-driver-unregister-warning.patch new file mode 100644 index 00000000000..44125a7e002 --- /dev/null +++ b/queue-5.2/ipmi_ssif-fix-unexpected-driver-unregister-warning.patch @@ -0,0 +1,62 @@ +From 9b2fff535f3cc10d9952b4fbeb0c62c28ff9c287 Mon Sep 17 00:00:00 2001 +From: Kefeng Wang +Date: Fri, 24 May 2019 22:37:24 +0800 +Subject: ipmi_ssif: fix unexpected driver unregister warning + +[ Upstream commit 2cd0e54489e65b8e22124a8b053aff40815487f7 ] + +If platform_driver_register() fails from init_ipmi_ssif(), +platform_driver_unregister() called unconditionally will +trigger following warning, + +ipmi_ssif: Unable to register driver: -12 +------------[ cut here ]------------ +Unexpected driver unregister! +WARNING: CPU: 1 PID: 6305 at drivers/base/driver.c:193 driver_unregister+0x60/0x70 drivers/base/driver.c:193 + +Fix it by adding platform_registered variable, only unregister platform +driver when it is already successfully registered. + +Reported-by: Hulk Robot +Signed-off-by: Kefeng Wang +Message-Id: <20190524143724.43218-1-wangkefeng.wang@huawei.com> + +Signed-off-by: Corey Minyard +Signed-off-by: Sasha Levin +--- + drivers/char/ipmi/ipmi_ssif.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/char/ipmi/ipmi_ssif.c b/drivers/char/ipmi/ipmi_ssif.c +index cf8156d6bc07..305fa5054274 100644 +--- a/drivers/char/ipmi/ipmi_ssif.c ++++ b/drivers/char/ipmi/ipmi_ssif.c +@@ -303,6 +303,7 @@ struct ssif_info { + ((unsigned int) atomic_read(&(ssif)->stats[SSIF_STAT_ ## stat])) + + static bool initialized; ++static bool platform_registered; + + static void return_hosed_msg(struct ssif_info *ssif_info, + struct ipmi_smi_msg *msg); +@@ -2088,6 +2089,8 @@ static int init_ipmi_ssif(void) + rv = platform_driver_register(&ipmi_driver); + if (rv) + pr_err("Unable to register driver: %d\n", rv); ++ else ++ platform_registered = true; + } + + ssif_i2c_driver.address_list = ssif_address_list(); +@@ -2111,7 +2114,7 @@ static void cleanup_ipmi_ssif(void) + + kfree(ssif_i2c_driver.address_list); + +- if (ssif_trydmi) ++ if (ssif_trydmi && platform_registered) + platform_driver_unregister(&ipmi_driver); + + free_ssif_clients(); +-- +2.20.1 + diff --git a/queue-5.2/kallsyms-exclude-kasan-local-symbols-on-s390.patch b/queue-5.2/kallsyms-exclude-kasan-local-symbols-on-s390.patch new file mode 100644 index 00000000000..594a46baaf5 --- /dev/null +++ b/queue-5.2/kallsyms-exclude-kasan-local-symbols-on-s390.patch @@ -0,0 +1,68 @@ +From 2636d70e4f5f7c91a712a971dfc70ebc28b54e61 Mon Sep 17 00:00:00 2001 +From: Vasily Gorbik +Date: Fri, 28 Jun 2019 19:22:47 +0200 +Subject: kallsyms: exclude kasan local symbols on s390 + +[ Upstream commit 33177f01ca3fe550146bb9001bec2fd806b2f40c ] + +gcc asan instrumentation emits the following sequence to store frame pc +when the kernel is built with CONFIG_RELOCATABLE: +debug/vsprintf.s: + .section .data.rel.ro.local,"aw" + .align 8 +.LC3: + .quad .LASANPC4826@GOTOFF +.text + .align 8 + .type number, @function +number: +.LASANPC4826: + +and in case reloc is issued for LASANPC label it also gets into .symtab +with the same address as actual function symbol: +$ nm -n vmlinux | grep 0000000001397150 +0000000001397150 t .LASANPC4826 +0000000001397150 t number + +In the end kernel backtraces are almost unreadable: +[ 143.748476] Call Trace: +[ 143.748484] ([<000000002da3e62c>] .LASANPC2671+0x114/0x190) +[ 143.748492] [<000000002eca1a58>] .LASANPC2612+0x110/0x160 +[ 143.748502] [<000000002de9d830>] print_address_description+0x80/0x3b0 +[ 143.748511] [<000000002de9dd64>] __kasan_report+0x15c/0x1c8 +[ 143.748521] [<000000002ecb56d4>] strrchr+0x34/0x60 +[ 143.748534] [<000003ff800a9a40>] kasan_strings+0xb0/0x148 [test_kasan] +[ 143.748547] [<000003ff800a9bba>] kmalloc_tests_init+0xe2/0x528 [test_kasan] +[ 143.748555] [<000000002da2117c>] .LASANPC4069+0x354/0x748 +[ 143.748563] [<000000002dbfbb16>] do_init_module+0x136/0x3b0 +[ 143.748571] [<000000002dbff3f4>] .LASANPC3191+0x2164/0x25d0 +[ 143.748580] [<000000002dbffc4c>] .LASANPC3196+0x184/0x1b8 +[ 143.748587] [<000000002ecdf2ec>] system_call+0xd8/0x2d8 + +Since LASANPC labels are not even unique and get into .symtab only due +to relocs filter them out in kallsyms. + +Signed-off-by: Vasily Gorbik +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/kallsyms.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/scripts/kallsyms.c b/scripts/kallsyms.c +index e17837f1d3f2..ae6504d07fd6 100644 +--- a/scripts/kallsyms.c ++++ b/scripts/kallsyms.c +@@ -150,6 +150,9 @@ static int read_symbol(FILE *in, struct sym_entry *s) + /* exclude debugging symbols */ + else if (stype == 'N' || stype == 'n') + return -1; ++ /* exclude s390 kasan local symbols */ ++ else if (!strncmp(sym, ".LASANPC", 8)) ++ return -1; + + /* include the type field in the symbol name, so that it gets + * compressed together */ +-- +2.20.1 + diff --git a/queue-5.2/kbuild-add-werror-unknown-warning-option-to-clang_fl.patch b/queue-5.2/kbuild-add-werror-unknown-warning-option-to-clang_fl.patch new file mode 100644 index 00000000000..308aec8ce81 --- /dev/null +++ b/queue-5.2/kbuild-add-werror-unknown-warning-option-to-clang_fl.patch @@ -0,0 +1,63 @@ +From 7d720e69c9185722fca55ef17a9446bacf412f4b Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Tue, 11 Jun 2019 11:43:31 -0700 +Subject: kbuild: Add -Werror=unknown-warning-option to CLANG_FLAGS + +[ Upstream commit 589834b3a0097a4908f4112eac0ca2feb486fa32 ] + +In commit ebcc5928c5d9 ("arm64: Silence gcc warnings about arch ABI +drift"), the arm64 Makefile added -Wno-psabi to KBUILD_CFLAGS, which is +a GCC only option so clang rightfully complains: + +warning: unknown warning option '-Wno-psabi' [-Wunknown-warning-option] + +https://clang.llvm.org/docs/DiagnosticsReference.html#wunknown-warning-option + +However, by default, this is merely a warning so the build happily goes +on with a slew of these warnings in the process. + +Commit c3f0d0bc5b01 ("kbuild, LLVMLinux: Add -Werror to cc-option to +support clang") worked around this behavior in cc-option by adding +-Werror so that unknown flags cause an error. However, this all happens +silently and when an unknown flag is added to the build unconditionally +like -Wno-psabi, cc-option will always fail because there is always an +unknown flag in the list of flags. This manifested as link time failures +in the arm64 libstub because -fno-stack-protector didn't get added to +KBUILD_CFLAGS. + +To avoid these weird cryptic failures in the future, make clang behave +like gcc and immediately error when it encounters an unknown flag by +adding -Werror=unknown-warning-option to CLANG_FLAGS. This can be added +unconditionally for clang because it is supported by at least 3.0.0, +according to godbolt [1] and 4.0.0, according to its documentation [2], +which is far earlier than we typically support. + +[1]: https://godbolt.org/z/7F7rm3 +[2]: https://releases.llvm.org/4.0.0/tools/clang/docs/DiagnosticsReference.html#wunknown-warning-option + +Link: https://github.com/ClangBuiltLinux/linux/issues/511 +Link: https://github.com/ClangBuiltLinux/linux/issues/517 +Suggested-by: Peter Smith +Signed-off-by: Nathan Chancellor +Tested-by: Nick Desaulniers +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + Makefile | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/Makefile b/Makefile +index 68ee97784c4d..fa0f48c43ab2 100644 +--- a/Makefile ++++ b/Makefile +@@ -528,6 +528,7 @@ ifneq ($(GCC_TOOLCHAIN),) + CLANG_FLAGS += --gcc-toolchain=$(GCC_TOOLCHAIN) + endif + CLANG_FLAGS += -no-integrated-as ++CLANG_FLAGS += -Werror=unknown-warning-option + KBUILD_CFLAGS += $(CLANG_FLAGS) + KBUILD_AFLAGS += $(CLANG_FLAGS) + export CLANG_FLAGS +-- +2.20.1 + diff --git a/queue-5.2/kvm-nvmx-intercept-vmwrites-to-guest_-cs-ss-_ar_byte.patch b/queue-5.2/kvm-nvmx-intercept-vmwrites-to-guest_-cs-ss-_ar_byte.patch new file mode 100644 index 00000000000..064093a7f08 --- /dev/null +++ b/queue-5.2/kvm-nvmx-intercept-vmwrites-to-guest_-cs-ss-_ar_byte.patch @@ -0,0 +1,106 @@ +From 2a2c914b5dfcbbdffbe813c7519ae3a97a174ddc Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Tue, 7 May 2019 08:36:24 -0700 +Subject: KVM: nVMX: Intercept VMWRITEs to GUEST_{CS,SS}_AR_BYTES + +[ Upstream commit b643780562af5378ef7fe731c65b8f93e49c59c6 ] + +VMMs frequently read the guest's CS and SS AR bytes to detect 64-bit +mode and CPL respectively, but effectively never write said fields once +the VM is initialized. Intercepting VMWRITEs for the two fields saves +~55 cycles in copy_shadow_to_vmcs12(). + +Because some Intel CPUs, e.g. Haswell, drop the reserved bits of the +guest access rights fields on VMWRITE, exposing the fields to L1 for +VMREAD but not VMWRITE leads to inconsistent behavior between L1 and L2. +On hardware that drops the bits, L1 will see the stripped down value due +to reading the value from hardware, while L2 will see the full original +value as stored by KVM. To avoid such an inconsistency, emulate the +behavior on all CPUS, but only for intercepted VMWRITEs so as to avoid +introducing pointless latency into copy_shadow_to_vmcs12(), e.g. if the +emulation were added to vmcs12_write_any(). + +Since the AR_BYTES emulation is done only for intercepted VMWRITE, if a +future patch (re)exposed AR_BYTES for both VMWRITE and VMREAD, then KVM +would end up with incosistent behavior on pre-Haswell hardware, e.g. KVM +would drop the reserved bits on intercepted VMWRITE, but direct VMWRITE +to the shadow VMCS would not drop the bits. Add a WARN in the shadow +field initialization to detect any attempt to expose an AR_BYTES field +without updating vmcs12_write_any(). + +Note, emulation of the AR_BYTES reserved bit behavior is based on a +patch[1] from Jim Mattson that applied the emulation to all writes to +vmcs12 so that live migration across different generations of hardware +would not introduce divergent behavior. But given that live migration +of nested state has already been enabled, that ship has sailed (not to +mention that no sane VMM will be affected by this behavior). + +[1] https://patchwork.kernel.org/patch/10483321/ + +Cc: Jim Mattson +Cc: Liran Alon +Signed-off-by: Sean Christopherson +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/vmx/nested.c | 15 +++++++++++++++ + arch/x86/kvm/vmx/vmcs_shadow_fields.h | 4 ++-- + 2 files changed, 17 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c +index 543d7d82479b..ac98b1328124 100644 +--- a/arch/x86/kvm/vmx/nested.c ++++ b/arch/x86/kvm/vmx/nested.c +@@ -91,6 +91,10 @@ static void init_vmcs_shadow_fields(void) + pr_err("Missing field from shadow_read_write_field %x\n", + field + 1); + ++ WARN_ONCE(field >= GUEST_ES_AR_BYTES && ++ field <= GUEST_TR_AR_BYTES, ++ "Update vmcs12_write_any() to expose AR_BYTES RW"); ++ + /* + * PML and the preemption timer can be emulated, but the + * processor cannot vmwrite to fields that don't exist +@@ -4500,6 +4504,17 @@ static int handle_vmwrite(struct kvm_vcpu *vcpu) + vmcs12 = get_shadow_vmcs12(vcpu); + } + ++ /* ++ * Some Intel CPUs intentionally drop the reserved bits of the AR byte ++ * fields on VMWRITE. Emulate this behavior to ensure consistent KVM ++ * behavior regardless of the underlying hardware, e.g. if an AR_BYTE ++ * field is intercepted for VMWRITE but not VMREAD (in L1), then VMREAD ++ * from L1 will return a different value than VMREAD from L2 (L1 sees ++ * the stripped down value, L2 sees the full value as stored by KVM). ++ */ ++ if (field >= GUEST_ES_AR_BYTES && field <= GUEST_TR_AR_BYTES) ++ field_value &= 0x1f0ff; ++ + if (vmcs12_write_any(vmcs12, field, field_value) < 0) + return nested_vmx_failValid(vcpu, + VMXERR_UNSUPPORTED_VMCS_COMPONENT); +diff --git a/arch/x86/kvm/vmx/vmcs_shadow_fields.h b/arch/x86/kvm/vmx/vmcs_shadow_fields.h +index 132432f375c2..97dd5295be31 100644 +--- a/arch/x86/kvm/vmx/vmcs_shadow_fields.h ++++ b/arch/x86/kvm/vmx/vmcs_shadow_fields.h +@@ -40,14 +40,14 @@ SHADOW_FIELD_RO(VM_EXIT_INSTRUCTION_LEN) + SHADOW_FIELD_RO(IDT_VECTORING_INFO_FIELD) + SHADOW_FIELD_RO(IDT_VECTORING_ERROR_CODE) + SHADOW_FIELD_RO(VM_EXIT_INTR_ERROR_CODE) ++SHADOW_FIELD_RO(GUEST_CS_AR_BYTES) ++SHADOW_FIELD_RO(GUEST_SS_AR_BYTES) + SHADOW_FIELD_RW(CPU_BASED_VM_EXEC_CONTROL) + SHADOW_FIELD_RW(EXCEPTION_BITMAP) + SHADOW_FIELD_RW(VM_ENTRY_EXCEPTION_ERROR_CODE) + SHADOW_FIELD_RW(VM_ENTRY_INTR_INFO_FIELD) + SHADOW_FIELD_RW(VM_ENTRY_INSTRUCTION_LEN) + SHADOW_FIELD_RW(TPR_THRESHOLD) +-SHADOW_FIELD_RW(GUEST_CS_AR_BYTES) +-SHADOW_FIELD_RW(GUEST_SS_AR_BYTES) + SHADOW_FIELD_RW(GUEST_INTERRUPTIBILITY_INFO) + SHADOW_FIELD_RW(VMX_PREEMPTION_TIMER_VALUE) + +-- +2.20.1 + diff --git a/queue-5.2/kvm-nvmx-stash-l1-s-cr3-in-vmcs01.guest_cr3-on-neste.patch b/queue-5.2/kvm-nvmx-stash-l1-s-cr3-in-vmcs01.guest_cr3-on-neste.patch new file mode 100644 index 00000000000..9d68995d4f2 --- /dev/null +++ b/queue-5.2/kvm-nvmx-stash-l1-s-cr3-in-vmcs01.guest_cr3-on-neste.patch @@ -0,0 +1,162 @@ +From 95048466b90c01bcd25befe638a5d533547a1ab3 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Fri, 7 Jun 2019 11:55:34 -0700 +Subject: KVM: nVMX: Stash L1's CR3 in vmcs01.GUEST_CR3 on nested entry w/o EPT + +[ Upstream commit f087a02941feacf7d6f097522bc67c602fda18e6 ] + +KVM does not have 100% coverage of VMX consistency checks, i.e. some +checks that cause VM-Fail may only be detected by hardware during a +nested VM-Entry. In such a case, KVM must restore L1's state to the +pre-VM-Enter state as L2's state has already been loaded into KVM's +software model. + +L1's CR3 and PDPTRs in particular are loaded from vmcs01.GUEST_*. But +when EPT is disabled, the associated fields hold KVM's shadow values, +not L1's "real" values. Fortunately, when EPT is disabled the PDPTRs +come from memory, i.e. are not cached in the VMCS. Which leaves CR3 +as the sole anomaly. + +A previously applied workaround to handle CR3 was to force nested early +checks if EPT is disabled: + + commit 2b27924bb1d48 ("KVM: nVMX: always use early vmcs check when EPT + is disabled") + +Forcing nested early checks is undesirable as doing so adds hundreds of +cycles to every nested VM-Entry. Rather than take this performance hit, +handle CR3 by overwriting vmcs01.GUEST_CR3 with L1's CR3 during nested +VM-Entry when EPT is disabled *and* nested early checks are disabled. +By stuffing vmcs01.GUEST_CR3, nested_vmx_restore_host_state() will +naturally restore the correct vcpu->arch.cr3 from vmcs01.GUEST_CR3. + +These shenanigans work because nested_vmx_restore_host_state() does a +full kvm_mmu_reset_context(), i.e. unloads the current MMU, which +guarantees vmcs01.GUEST_CR3 will be rewritten with a new shadow CR3 +prior to re-entering L1. + +vcpu->arch.root_mmu.root_hpa is set to INVALID_PAGE via: + + nested_vmx_restore_host_state() -> + kvm_mmu_reset_context() -> + kvm_mmu_unload() -> + kvm_mmu_free_roots() + +kvm_mmu_unload() has WARN_ON(root_hpa != INVALID_PAGE), i.e. we can bank +on 'root_hpa == INVALID_PAGE' unless the implementation of +kvm_mmu_reset_context() is changed. + +On the way into L1, VMCS.GUEST_CR3 is guaranteed to be written (on a +successful entry) via: + + vcpu_enter_guest() -> + kvm_mmu_reload() -> + kvm_mmu_load() -> + kvm_mmu_load_cr3() -> + vmx_set_cr3() + +Stuff vmcs01.GUEST_CR3 if and only if nested early checks are disabled +as a "late" VM-Fail should never happen win that case (KVM WARNs), and +the conditional write avoids the need to restore the correct GUEST_CR3 +when nested_vmx_check_vmentry_hw() fails. + +Signed-off-by: Sean Christopherson +Message-Id: <20190607185534.24368-1-sean.j.christopherson@intel.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/include/uapi/asm/vmx.h | 1 - + arch/x86/kvm/vmx/nested.c | 44 +++++++++++++++++---------------- + 2 files changed, 23 insertions(+), 22 deletions(-) + +diff --git a/arch/x86/include/uapi/asm/vmx.h b/arch/x86/include/uapi/asm/vmx.h +index d213ec5c3766..f0b0c90dd398 100644 +--- a/arch/x86/include/uapi/asm/vmx.h ++++ b/arch/x86/include/uapi/asm/vmx.h +@@ -146,7 +146,6 @@ + + #define VMX_ABORT_SAVE_GUEST_MSR_FAIL 1 + #define VMX_ABORT_LOAD_HOST_PDPTE_FAIL 2 +-#define VMX_ABORT_VMCS_CORRUPTED 3 + #define VMX_ABORT_LOAD_HOST_MSR_FAIL 4 + + #endif /* _UAPIVMX_H */ +diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c +index c1d118f4dc72..ef6575ab60ed 100644 +--- a/arch/x86/kvm/vmx/nested.c ++++ b/arch/x86/kvm/vmx/nested.c +@@ -2973,6 +2973,25 @@ int nested_vmx_enter_non_root_mode(struct kvm_vcpu *vcpu, bool from_vmentry) + !(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_BNDCFGS)) + vmx->nested.vmcs01_guest_bndcfgs = vmcs_read64(GUEST_BNDCFGS); + ++ /* ++ * Overwrite vmcs01.GUEST_CR3 with L1's CR3 if EPT is disabled *and* ++ * nested early checks are disabled. In the event of a "late" VM-Fail, ++ * i.e. a VM-Fail detected by hardware but not KVM, KVM must unwind its ++ * software model to the pre-VMEntry host state. When EPT is disabled, ++ * GUEST_CR3 holds KVM's shadow CR3, not L1's "real" CR3, which causes ++ * nested_vmx_restore_host_state() to corrupt vcpu->arch.cr3. Stuffing ++ * vmcs01.GUEST_CR3 results in the unwind naturally setting arch.cr3 to ++ * the correct value. Smashing vmcs01.GUEST_CR3 is safe because nested ++ * VM-Exits, and the unwind, reset KVM's MMU, i.e. vmcs01.GUEST_CR3 is ++ * guaranteed to be overwritten with a shadow CR3 prior to re-entering ++ * L1. Don't stuff vmcs01.GUEST_CR3 when using nested early checks as ++ * KVM modifies vcpu->arch.cr3 if and only if the early hardware checks ++ * pass, and early VM-Fails do not reset KVM's MMU, i.e. the VM-Fail ++ * path would need to manually save/restore vmcs01.GUEST_CR3. ++ */ ++ if (!enable_ept && !nested_early_check) ++ vmcs_writel(GUEST_CR3, vcpu->arch.cr3); ++ + vmx_switch_vmcs(vcpu, &vmx->nested.vmcs02); + + prepare_vmcs02_early(vmx, vmcs12); +@@ -3784,18 +3803,8 @@ static void nested_vmx_restore_host_state(struct kvm_vcpu *vcpu) + vmx_set_cr4(vcpu, vmcs_readl(CR4_READ_SHADOW)); + + nested_ept_uninit_mmu_context(vcpu); +- +- /* +- * This is only valid if EPT is in use, otherwise the vmcs01 GUEST_CR3 +- * points to shadow pages! Fortunately we only get here after a WARN_ON +- * if EPT is disabled, so a VMabort is perfectly fine. +- */ +- if (enable_ept) { +- vcpu->arch.cr3 = vmcs_readl(GUEST_CR3); +- __set_bit(VCPU_EXREG_CR3, (ulong *)&vcpu->arch.regs_avail); +- } else { +- nested_vmx_abort(vcpu, VMX_ABORT_VMCS_CORRUPTED); +- } ++ vcpu->arch.cr3 = vmcs_readl(GUEST_CR3); ++ __set_bit(VCPU_EXREG_CR3, (ulong *)&vcpu->arch.regs_avail); + + /* + * Use ept_save_pdptrs(vcpu) to load the MMU's cached PDPTRs +@@ -3803,7 +3812,8 @@ static void nested_vmx_restore_host_state(struct kvm_vcpu *vcpu) + * VMFail, like everything else we just need to ensure our + * software model is up-to-date. + */ +- ept_save_pdptrs(vcpu); ++ if (enable_ept) ++ ept_save_pdptrs(vcpu); + + kvm_mmu_reset_context(vcpu); + +@@ -5772,14 +5782,6 @@ __init int nested_vmx_hardware_setup(int (*exit_handlers[])(struct kvm_vcpu *)) + { + int i; + +- /* +- * Without EPT it is not possible to restore L1's CR3 and PDPTR on +- * VMfail, because they are not available in vmcs01. Just always +- * use hardware checks. +- */ +- if (!enable_ept) +- nested_early_check = 1; +- + if (!cpu_has_vmx_shadow_vmcs()) + enable_shadow_vmcs = 0; + if (enable_shadow_vmcs) { +-- +2.20.1 + diff --git a/queue-5.2/kvm-vmx-fix-limit-checking-in-get_vmx_mem_address.patch b/queue-5.2/kvm-vmx-fix-limit-checking-in-get_vmx_mem_address.patch new file mode 100644 index 00000000000..b724f2cce52 --- /dev/null +++ b/queue-5.2/kvm-vmx-fix-limit-checking-in-get_vmx_mem_address.patch @@ -0,0 +1,58 @@ +From d555f594121db03e4f18cb274923c12a732fde0f Mon Sep 17 00:00:00 2001 +From: Eugene Korenevsky +Date: Thu, 6 Jun 2019 00:17:39 +0300 +Subject: kvm: vmx: fix limit checking in get_vmx_mem_address() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit c1a9acbc5295e278d788e9f7510f543bc9864fa2 ] + +Intel SDM vol. 3, 5.3: +The processor causes a +general-protection exception (or, if the segment is SS, a stack-fault +exception) any time an attempt is made to access the following addresses +in a segment: +- A byte at an offset greater than the effective limit +- A word at an offset greater than the (effective-limit – 1) +- A doubleword at an offset greater than the (effective-limit – 3) +- A quadword at an offset greater than the (effective-limit – 7) + +Therefore, the generic limit checking error condition must be + +exn = (off > limit + 1 - access_len) = (off + access_len - 1 > limit) + +but not + +exn = (off + access_len > limit) + +as for now. + +Also avoid integer overflow of `off` at 32-bit KVM by casting it to u64. + +Note: access length is currently sizeof(u64) which is incorrect. This +will be fixed in the subsequent patch. + +Signed-off-by: Eugene Korenevsky +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/vmx/nested.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c +index b101127e13b6..543d7d82479b 100644 +--- a/arch/x86/kvm/vmx/nested.c ++++ b/arch/x86/kvm/vmx/nested.c +@@ -4120,7 +4120,7 @@ int get_vmx_mem_address(struct kvm_vcpu *vcpu, unsigned long exit_qualification, + */ + if (!(s.base == 0 && s.limit == 0xffffffff && + ((s.type & 8) || !(s.type & 4)))) +- exn = exn || (off + sizeof(u64) > s.limit); ++ exn = exn || ((u64)off + sizeof(u64) - 1 > s.limit); + } + if (exn) { + kvm_queue_exception_e(vcpu, +-- +2.20.1 + diff --git a/queue-5.2/kvm-vmx-segment-limit-check-use-access-length.patch b/queue-5.2/kvm-vmx-segment-limit-check-use-access-length.patch new file mode 100644 index 00000000000..eb63958667c --- /dev/null +++ b/queue-5.2/kvm-vmx-segment-limit-check-use-access-length.patch @@ -0,0 +1,159 @@ +From 57ad384f8f6884d886c66c5245f655b37565b00d Mon Sep 17 00:00:00 2001 +From: Eugene Korenevsky +Date: Thu, 6 Jun 2019 00:19:16 +0300 +Subject: kvm: vmx: segment limit check: use access length + +[ Upstream commit fdb28619a8f033c13f5d9b9e8b5536bb6e68a2c3 ] + +There is an imperfection in get_vmx_mem_address(): access length is ignored +when checking the limit. To fix this, pass access length as a function argument. +The access length is usually obvious since it is used by callers after +get_vmx_mem_address() call, but for vmread/vmwrite it depends on the +state of 64-bit mode. + +Signed-off-by: Eugene Korenevsky +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/vmx/nested.c | 28 ++++++++++++++++------------ + arch/x86/kvm/vmx/nested.h | 2 +- + arch/x86/kvm/vmx/vmx.c | 3 ++- + 3 files changed, 19 insertions(+), 14 deletions(-) + +diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c +index ac98b1328124..c1d118f4dc72 100644 +--- a/arch/x86/kvm/vmx/nested.c ++++ b/arch/x86/kvm/vmx/nested.c +@@ -4017,7 +4017,7 @@ void nested_vmx_vmexit(struct kvm_vcpu *vcpu, u32 exit_reason, + * #UD or #GP. + */ + int get_vmx_mem_address(struct kvm_vcpu *vcpu, unsigned long exit_qualification, +- u32 vmx_instruction_info, bool wr, gva_t *ret) ++ u32 vmx_instruction_info, bool wr, int len, gva_t *ret) + { + gva_t off; + bool exn; +@@ -4124,7 +4124,7 @@ int get_vmx_mem_address(struct kvm_vcpu *vcpu, unsigned long exit_qualification, + */ + if (!(s.base == 0 && s.limit == 0xffffffff && + ((s.type & 8) || !(s.type & 4)))) +- exn = exn || ((u64)off + sizeof(u64) - 1 > s.limit); ++ exn = exn || ((u64)off + len - 1 > s.limit); + } + if (exn) { + kvm_queue_exception_e(vcpu, +@@ -4143,7 +4143,8 @@ static int nested_vmx_get_vmptr(struct kvm_vcpu *vcpu, gpa_t *vmpointer) + struct x86_exception e; + + if (get_vmx_mem_address(vcpu, vmcs_readl(EXIT_QUALIFICATION), +- vmcs_read32(VMX_INSTRUCTION_INFO), false, &gva)) ++ vmcs_read32(VMX_INSTRUCTION_INFO), false, ++ sizeof(*vmpointer), &gva)) + return 1; + + if (kvm_read_guest_virt(vcpu, gva, vmpointer, sizeof(*vmpointer), &e)) { +@@ -4394,6 +4395,7 @@ static int handle_vmread(struct kvm_vcpu *vcpu) + u64 field_value; + unsigned long exit_qualification = vmcs_readl(EXIT_QUALIFICATION); + u32 vmx_instruction_info = vmcs_read32(VMX_INSTRUCTION_INFO); ++ int len; + gva_t gva = 0; + struct vmcs12 *vmcs12; + +@@ -4431,12 +4433,12 @@ static int handle_vmread(struct kvm_vcpu *vcpu) + kvm_register_writel(vcpu, (((vmx_instruction_info) >> 3) & 0xf), + field_value); + } else { ++ len = is_64_bit_mode(vcpu) ? 8 : 4; + if (get_vmx_mem_address(vcpu, exit_qualification, +- vmx_instruction_info, true, &gva)) ++ vmx_instruction_info, true, len, &gva)) + return 1; + /* _system ok, nested_vmx_check_permission has verified cpl=0 */ +- kvm_write_guest_virt_system(vcpu, gva, &field_value, +- (is_long_mode(vcpu) ? 8 : 4), NULL); ++ kvm_write_guest_virt_system(vcpu, gva, &field_value, len, NULL); + } + + return nested_vmx_succeed(vcpu); +@@ -4446,6 +4448,7 @@ static int handle_vmread(struct kvm_vcpu *vcpu) + static int handle_vmwrite(struct kvm_vcpu *vcpu) + { + unsigned long field; ++ int len; + gva_t gva; + struct vcpu_vmx *vmx = to_vmx(vcpu); + unsigned long exit_qualification = vmcs_readl(EXIT_QUALIFICATION); +@@ -4471,11 +4474,11 @@ static int handle_vmwrite(struct kvm_vcpu *vcpu) + field_value = kvm_register_readl(vcpu, + (((vmx_instruction_info) >> 3) & 0xf)); + else { ++ len = is_64_bit_mode(vcpu) ? 8 : 4; + if (get_vmx_mem_address(vcpu, exit_qualification, +- vmx_instruction_info, false, &gva)) ++ vmx_instruction_info, false, len, &gva)) + return 1; +- if (kvm_read_guest_virt(vcpu, gva, &field_value, +- (is_64_bit_mode(vcpu) ? 8 : 4), &e)) { ++ if (kvm_read_guest_virt(vcpu, gva, &field_value, len, &e)) { + kvm_inject_page_fault(vcpu, &e); + return 1; + } +@@ -4634,7 +4637,8 @@ static int handle_vmptrst(struct kvm_vcpu *vcpu) + if (unlikely(to_vmx(vcpu)->nested.hv_evmcs)) + return 1; + +- if (get_vmx_mem_address(vcpu, exit_qual, instr_info, true, &gva)) ++ if (get_vmx_mem_address(vcpu, exit_qual, instr_info, ++ true, sizeof(gpa_t), &gva)) + return 1; + /* *_system ok, nested_vmx_check_permission has verified cpl=0 */ + if (kvm_write_guest_virt_system(vcpu, gva, (void *)¤t_vmptr, +@@ -4680,7 +4684,7 @@ static int handle_invept(struct kvm_vcpu *vcpu) + * operand is read even if it isn't needed (e.g., for type==global) + */ + if (get_vmx_mem_address(vcpu, vmcs_readl(EXIT_QUALIFICATION), +- vmx_instruction_info, false, &gva)) ++ vmx_instruction_info, false, sizeof(operand), &gva)) + return 1; + if (kvm_read_guest_virt(vcpu, gva, &operand, sizeof(operand), &e)) { + kvm_inject_page_fault(vcpu, &e); +@@ -4742,7 +4746,7 @@ static int handle_invvpid(struct kvm_vcpu *vcpu) + * operand is read even if it isn't needed (e.g., for type==global) + */ + if (get_vmx_mem_address(vcpu, vmcs_readl(EXIT_QUALIFICATION), +- vmx_instruction_info, false, &gva)) ++ vmx_instruction_info, false, sizeof(operand), &gva)) + return 1; + if (kvm_read_guest_virt(vcpu, gva, &operand, sizeof(operand), &e)) { + kvm_inject_page_fault(vcpu, &e); +diff --git a/arch/x86/kvm/vmx/nested.h b/arch/x86/kvm/vmx/nested.h +index e847ff1019a2..29d205bb4e4f 100644 +--- a/arch/x86/kvm/vmx/nested.h ++++ b/arch/x86/kvm/vmx/nested.h +@@ -21,7 +21,7 @@ void nested_sync_from_vmcs12(struct kvm_vcpu *vcpu); + int vmx_set_vmx_msr(struct kvm_vcpu *vcpu, u32 msr_index, u64 data); + int vmx_get_vmx_msr(struct nested_vmx_msrs *msrs, u32 msr_index, u64 *pdata); + int get_vmx_mem_address(struct kvm_vcpu *vcpu, unsigned long exit_qualification, +- u32 vmx_instruction_info, bool wr, gva_t *ret); ++ u32 vmx_instruction_info, bool wr, int len, gva_t *ret); + + static inline struct vmcs12 *get_vmcs12(struct kvm_vcpu *vcpu) + { +diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c +index 306ed28569c0..924c2a79e4a9 100644 +--- a/arch/x86/kvm/vmx/vmx.c ++++ b/arch/x86/kvm/vmx/vmx.c +@@ -5349,7 +5349,8 @@ static int handle_invpcid(struct kvm_vcpu *vcpu) + * is read even if it isn't needed (e.g., for type==all) + */ + if (get_vmx_mem_address(vcpu, vmcs_readl(EXIT_QUALIFICATION), +- vmx_instruction_info, false, &gva)) ++ vmx_instruction_info, false, ++ sizeof(operand), &gva)) + return 1; + + if (kvm_read_guest_virt(vcpu, gva, &operand, sizeof(operand), &e)) { +-- +2.20.1 + diff --git a/queue-5.2/locking-lockdep-fix-lock-used-or-unused-stats-error.patch b/queue-5.2/locking-lockdep-fix-lock-used-or-unused-stats-error.patch new file mode 100644 index 00000000000..08b06aa7a2d --- /dev/null +++ b/queue-5.2/locking-lockdep-fix-lock-used-or-unused-stats-error.patch @@ -0,0 +1,77 @@ +From ee3b9902cd43fa03c62f961afcf32303e93eb7e0 Mon Sep 17 00:00:00 2001 +From: Yuyang Du +Date: Tue, 9 Jul 2019 18:15:22 +0800 +Subject: locking/lockdep: Fix lock used or unused stats error + +[ Upstream commit 68d41d8c94a31dfb8233ab90b9baf41a2ed2da68 ] + +The stats variable nr_unused_locks is incremented every time a new lock +class is register and decremented when the lock is first used in +__lock_acquire(). And after all, it is shown and checked in lockdep_stats. + +However, under configurations that either CONFIG_TRACE_IRQFLAGS or +CONFIG_PROVE_LOCKING is not defined: + +The commit: + + 091806515124b20 ("locking/lockdep: Consolidate lock usage bit initialization") + +missed marking the LOCK_USED flag at IRQ usage initialization because +as mark_usage() is not called. And the commit: + + 886532aee3cd42d ("locking/lockdep: Move mark_lock() inside CONFIG_TRACE_IRQFLAGS && CONFIG_PROVE_LOCKING") + +further made mark_lock() not defined such that the LOCK_USED cannot be +marked at all when the lock is first acquired. + +As a result, we fix this by not showing and checking the stats under such +configurations for lockdep_stats. + +Reported-by: Qian Cai +Signed-off-by: Yuyang Du +Signed-off-by: Peter Zijlstra (Intel) +Cc: Andrew Morton +Cc: Linus Torvalds +Cc: Paul E. McKenney +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: Will Deacon +Cc: arnd@arndb.de +Cc: frederic@kernel.org +Link: https://lkml.kernel.org/r/20190709101522.9117-1-duyuyang@gmail.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + kernel/locking/lockdep_proc.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/kernel/locking/lockdep_proc.c b/kernel/locking/lockdep_proc.c +index 9c49ec645d8b..65b6a1600c8f 100644 +--- a/kernel/locking/lockdep_proc.c ++++ b/kernel/locking/lockdep_proc.c +@@ -210,6 +210,7 @@ static int lockdep_stats_show(struct seq_file *m, void *v) + nr_hardirq_read_safe = 0, nr_hardirq_read_unsafe = 0, + sum_forward_deps = 0; + ++#ifdef CONFIG_PROVE_LOCKING + list_for_each_entry(class, &all_lock_classes, lock_entry) { + + if (class->usage_mask == 0) +@@ -241,12 +242,12 @@ static int lockdep_stats_show(struct seq_file *m, void *v) + if (class->usage_mask & LOCKF_ENABLED_HARDIRQ_READ) + nr_hardirq_read_unsafe++; + +-#ifdef CONFIG_PROVE_LOCKING + sum_forward_deps += lockdep_count_forward_deps(class); +-#endif + } + #ifdef CONFIG_DEBUG_LOCKDEP + DEBUG_LOCKS_WARN_ON(debug_atomic_read(nr_unused_locks) != nr_unused); ++#endif ++ + #endif + seq_printf(m, " lock-classes: %11lu [max: %lu]\n", + nr_lock_classes, MAX_LOCKDEP_KEYS); +-- +2.20.1 + diff --git a/queue-5.2/locking-lockdep-hide-unused-class-variable.patch b/queue-5.2/locking-lockdep-hide-unused-class-variable.patch new file mode 100644 index 00000000000..7287dd218c6 --- /dev/null +++ b/queue-5.2/locking-lockdep-hide-unused-class-variable.patch @@ -0,0 +1,58 @@ +From b290bf8d2ba227e07ed7e9109ed06c08a074440e Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Mon, 15 Jul 2019 11:27:49 +0200 +Subject: locking/lockdep: Hide unused 'class' variable + +[ Upstream commit 68037aa78208f34bda4e5cd76c357f718b838cbb ] + +The usage is now hidden in an #ifdef, so we need to move +the variable itself in there as well to avoid this warning: + + kernel/locking/lockdep_proc.c:203:21: error: unused variable 'class' [-Werror,-Wunused-variable] + +Signed-off-by: Arnd Bergmann +Signed-off-by: Peter Zijlstra (Intel) +Cc: Andrew Morton +Cc: Bart Van Assche +Cc: Linus Torvalds +Cc: Paul E. McKenney +Cc: Peter Zijlstra +Cc: Qian Cai +Cc: Thomas Gleixner +Cc: Waiman Long +Cc: Will Deacon +Cc: Will Deacon +Cc: Yuyang Du +Cc: frederic@kernel.org +Fixes: 68d41d8c94a3 ("locking/lockdep: Fix lock used or unused stats error") +Link: https://lkml.kernel.org/r/20190715092809.736834-1-arnd@arndb.de +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + kernel/locking/lockdep_proc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/kernel/locking/lockdep_proc.c b/kernel/locking/lockdep_proc.c +index 65b6a1600c8f..bda006f8a88b 100644 +--- a/kernel/locking/lockdep_proc.c ++++ b/kernel/locking/lockdep_proc.c +@@ -200,7 +200,6 @@ static void lockdep_stats_debug_show(struct seq_file *m) + + static int lockdep_stats_show(struct seq_file *m, void *v) + { +- struct lock_class *class; + unsigned long nr_unused = 0, nr_uncategorized = 0, + nr_irq_safe = 0, nr_irq_unsafe = 0, + nr_softirq_safe = 0, nr_softirq_unsafe = 0, +@@ -211,6 +210,8 @@ static int lockdep_stats_show(struct seq_file *m, void *v) + sum_forward_deps = 0; + + #ifdef CONFIG_PROVE_LOCKING ++ struct lock_class *class; ++ + list_for_each_entry(class, &all_lock_classes, lock_entry) { + + if (class->usage_mask == 0) +-- +2.20.1 + diff --git a/queue-5.2/mailbox-handle-failed-named-mailbox-channel-request.patch b/queue-5.2/mailbox-handle-failed-named-mailbox-channel-request.patch new file mode 100644 index 00000000000..8e8ce8d614c --- /dev/null +++ b/queue-5.2/mailbox-handle-failed-named-mailbox-channel-request.patch @@ -0,0 +1,44 @@ +From 38f71c4df70add60402e45b1a9270d9a66ff4e31 Mon Sep 17 00:00:00 2001 +From: morten petersen +Date: Mon, 8 Jul 2019 11:41:54 +0000 +Subject: mailbox: handle failed named mailbox channel request + +[ Upstream commit 25777e5784a7b417967460d4fcf9660d05a0c320 ] + +Previously, if mbox_request_channel_byname was used with a name +which did not exist in the "mbox-names" property of a mailbox +client, the mailbox corresponding to the last entry in the +"mbox-names" list would be incorrectly selected. +With this patch, -EINVAL is returned if the named mailbox is +not found. + +Signed-off-by: Morten Borup Petersen +Signed-off-by: Jassi Brar +Signed-off-by: Sasha Levin +--- + drivers/mailbox/mailbox.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/mailbox/mailbox.c b/drivers/mailbox/mailbox.c +index f4b1950d35f3..0b821a5b2db8 100644 +--- a/drivers/mailbox/mailbox.c ++++ b/drivers/mailbox/mailbox.c +@@ -418,11 +418,13 @@ struct mbox_chan *mbox_request_channel_byname(struct mbox_client *cl, + + of_property_for_each_string(np, "mbox-names", prop, mbox_name) { + if (!strncmp(name, mbox_name, strlen(name))) +- break; ++ return mbox_request_channel(cl, index); + index++; + } + +- return mbox_request_channel(cl, index); ++ dev_err(cl->dev, "%s() could not locate channel named \"%s\"\n", ++ __func__, name); ++ return ERR_PTR(-EINVAL); + } + EXPORT_SYMBOL_GPL(mbox_request_channel_byname); + +-- +2.20.1 + diff --git a/queue-5.2/memcg-fsnotify-no-oom-kill-for-remote-memcg-charging.patch b/queue-5.2/memcg-fsnotify-no-oom-kill-for-remote-memcg-charging.patch new file mode 100644 index 00000000000..975ad0aac1d --- /dev/null +++ b/queue-5.2/memcg-fsnotify-no-oom-kill-for-remote-memcg-charging.patch @@ -0,0 +1,77 @@ +From 0812b48b5be3972bf1bbb0e1060ca388ad392b45 Mon Sep 17 00:00:00 2001 +From: Shakeel Butt +Date: Thu, 11 Jul 2019 20:55:52 -0700 +Subject: memcg, fsnotify: no oom-kill for remote memcg charging + +[ Upstream commit ec165450968b26298bd1c373de37b0ab6d826b33 ] + +Commit d46eb14b735b ("fs: fsnotify: account fsnotify metadata to +kmemcg") added remote memcg charging for fanotify and inotify event +objects. The aim was to charge the memory to the listener who is +interested in the events but without triggering the OOM killer. +Otherwise there would be security concerns for the listener. + +At the time, oom-kill trigger was not in the charging path. A parallel +work added the oom-kill back to charging path i.e. commit 29ef680ae7c2 +("memcg, oom: move out_of_memory back to the charge path"). So to not +trigger oom-killer in the remote memcg, explicitly add +__GFP_RETRY_MAYFAIL to the fanotigy and inotify event allocations. + +Link: http://lkml.kernel.org/r/20190514212259.156585-2-shakeelb@google.com +Signed-off-by: Shakeel Butt +Reviewed-by: Roman Gushchin +Acked-by: Jan Kara +Cc: Johannes Weiner +Cc: Vladimir Davydov +Cc: Michal Hocko +Cc: Amir Goldstein +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/notify/fanotify/fanotify.c | 5 ++++- + fs/notify/inotify/inotify_fsnotify.c | 8 ++++++-- + 2 files changed, 10 insertions(+), 3 deletions(-) + +diff --git a/fs/notify/fanotify/fanotify.c b/fs/notify/fanotify/fanotify.c +index b428c295d13f..5778d1347b35 100644 +--- a/fs/notify/fanotify/fanotify.c ++++ b/fs/notify/fanotify/fanotify.c +@@ -288,10 +288,13 @@ struct fanotify_event *fanotify_alloc_event(struct fsnotify_group *group, + /* + * For queues with unlimited length lost events are not expected and + * can possibly have security implications. Avoid losing events when +- * memory is short. ++ * memory is short. For the limited size queues, avoid OOM killer in the ++ * target monitoring memcg as it may have security repercussion. + */ + if (group->max_events == UINT_MAX) + gfp |= __GFP_NOFAIL; ++ else ++ gfp |= __GFP_RETRY_MAYFAIL; + + /* Whoever is interested in the event, pays for the allocation. */ + memalloc_use_memcg(group->memcg); +diff --git a/fs/notify/inotify/inotify_fsnotify.c b/fs/notify/inotify/inotify_fsnotify.c +index 2fda08b2b885..d510223d302c 100644 +--- a/fs/notify/inotify/inotify_fsnotify.c ++++ b/fs/notify/inotify/inotify_fsnotify.c +@@ -90,9 +90,13 @@ int inotify_handle_event(struct fsnotify_group *group, + i_mark = container_of(inode_mark, struct inotify_inode_mark, + fsn_mark); + +- /* Whoever is interested in the event, pays for the allocation. */ ++ /* ++ * Whoever is interested in the event, pays for the allocation. Do not ++ * trigger OOM killer in the target monitoring memcg as it may have ++ * security repercussion. ++ */ + memalloc_use_memcg(group->memcg); +- event = kmalloc(alloc_len, GFP_KERNEL_ACCOUNT); ++ event = kmalloc(alloc_len, GFP_KERNEL_ACCOUNT | __GFP_RETRY_MAYFAIL); + memalloc_unuse_memcg(); + + if (unlikely(!event)) { +-- +2.20.1 + diff --git a/queue-5.2/memstick-fix-error-cleanup-path-of-memstick_init.patch b/queue-5.2/memstick-fix-error-cleanup-path-of-memstick_init.patch new file mode 100644 index 00000000000..cdf65b6b721 --- /dev/null +++ b/queue-5.2/memstick-fix-error-cleanup-path-of-memstick_init.patch @@ -0,0 +1,75 @@ +From d8dc62f9beb0ff176be78ab6e0e6855fad79ef35 Mon Sep 17 00:00:00 2001 +From: Wang Hai +Date: Wed, 15 May 2019 22:37:25 +0800 +Subject: memstick: Fix error cleanup path of memstick_init + +[ Upstream commit 65f1a0d39c289bb6fc85635528cd36c4b07f560e ] + +If bus_register fails. On its error handling path, it has cleaned up +what it has done. There is no need to call bus_unregister again. +Otherwise, if bus_unregister is called, issues such as null-ptr-deref +will arise. + +Syzkaller report this: + +kobject_add_internal failed for memstick (error: -12 parent: bus) +BUG: KASAN: null-ptr-deref in sysfs_remove_file_ns+0x1b/0x40 fs/sysfs/file.c:467 +Read of size 8 at addr 0000000000000078 by task syz-executor.0/4460 + +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0xa9/0x10e lib/dump_stack.c:113 + __kasan_report+0x171/0x18d mm/kasan/report.c:321 + kasan_report+0xe/0x20 mm/kasan/common.c:614 + sysfs_remove_file_ns+0x1b/0x40 fs/sysfs/file.c:467 + sysfs_remove_file include/linux/sysfs.h:519 [inline] + bus_remove_file+0x6c/0x90 drivers/base/bus.c:145 + remove_probe_files drivers/base/bus.c:599 [inline] + bus_unregister+0x6e/0x100 drivers/base/bus.c:916 ? 0xffffffffc1590000 + memstick_init+0x7a/0x1000 [memstick] + do_one_initcall+0xb9/0x3b5 init/main.c:914 + do_init_module+0xe0/0x330 kernel/module.c:3468 + load_module+0x38eb/0x4270 kernel/module.c:3819 + __do_sys_finit_module+0x162/0x190 kernel/module.c:3909 + do_syscall_64+0x72/0x2a0 arch/x86/entry/common.c:298 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Fixes: baf8532a147d ("memstick: initial commit for Sony MemoryStick support") +Reported-by: Hulk Robot +Signed-off-by: Wang Hai +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/memstick/core/memstick.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/drivers/memstick/core/memstick.c b/drivers/memstick/core/memstick.c +index 6cfb293396f2..693ee73eb291 100644 +--- a/drivers/memstick/core/memstick.c ++++ b/drivers/memstick/core/memstick.c +@@ -625,13 +625,18 @@ static int __init memstick_init(void) + return -ENOMEM; + + rc = bus_register(&memstick_bus_type); +- if (!rc) +- rc = class_register(&memstick_host_class); ++ if (rc) ++ goto error_destroy_workqueue; + +- if (!rc) +- return 0; ++ rc = class_register(&memstick_host_class); ++ if (rc) ++ goto error_bus_unregister; ++ ++ return 0; + ++error_bus_unregister: + bus_unregister(&memstick_bus_type); ++error_destroy_workqueue: + destroy_workqueue(workqueue); + + return rc; +-- +2.20.1 + diff --git a/queue-5.2/mfd-arizona-fix-undefined-behavior.patch b/queue-5.2/mfd-arizona-fix-undefined-behavior.patch new file mode 100644 index 00000000000..c31300af884 --- /dev/null +++ b/queue-5.2/mfd-arizona-fix-undefined-behavior.patch @@ -0,0 +1,52 @@ +From 5dd27814c2a22731bfb61e7ed5590a06665bf924 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Mon, 20 May 2019 10:06:25 +0100 +Subject: mfd: arizona: Fix undefined behavior + +[ Upstream commit 5da6cbcd2f395981aa9bfc571ace99f1c786c985 ] + +When the driver is used with a subdevice that is disabled in the +kernel configuration, clang gets a little confused about the +control flow and fails to notice that n_subdevs is only +uninitialized when subdevs is NULL, and we check for that, +leading to a false-positive warning: + +drivers/mfd/arizona-core.c:1423:19: error: variable 'n_subdevs' is uninitialized when used here + [-Werror,-Wuninitialized] + subdevs, n_subdevs, NULL, 0, NULL); + ^~~~~~~~~ +drivers/mfd/arizona-core.c:999:15: note: initialize the variable 'n_subdevs' to silence this warning + int n_subdevs, ret, i; + ^ + = 0 + +Ideally, we would rearrange the code to avoid all those early +initializations and have an explicit exit in each disabled case, +but it's much easier to chicken out and add one more initialization +here to shut up the warning. + +Signed-off-by: Arnd Bergmann +Reviewed-by: Nathan Chancellor +Signed-off-by: Charles Keepax +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/arizona-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mfd/arizona-core.c b/drivers/mfd/arizona-core.c +index 2bdc7b02157a..4a31907a4525 100644 +--- a/drivers/mfd/arizona-core.c ++++ b/drivers/mfd/arizona-core.c +@@ -993,7 +993,7 @@ int arizona_dev_init(struct arizona *arizona) + unsigned int reg, val; + int (*apply_patch)(struct arizona *) = NULL; + const struct mfd_cell *subdevs = NULL; +- int n_subdevs, ret, i; ++ int n_subdevs = 0, ret, i; + + dev_set_drvdata(arizona->dev, arizona); + mutex_init(&arizona->clk_lock); +-- +2.20.1 + diff --git a/queue-5.2/mfd-core-set-fwnode-for-created-devices.patch b/queue-5.2/mfd-core-set-fwnode-for-created-devices.patch new file mode 100644 index 00000000000..65c256bd409 --- /dev/null +++ b/queue-5.2/mfd-core-set-fwnode-for-created-devices.patch @@ -0,0 +1,34 @@ +From 4bcfa45296163749b7009bb319b0bb94fca3fdac Mon Sep 17 00:00:00 2001 +From: Robert Hancock +Date: Tue, 4 Jun 2019 16:35:43 -0600 +Subject: mfd: core: Set fwnode for created devices + +[ Upstream commit c176c6d7e932662668bcaec2d763657096589d85 ] + +The logic for setting the of_node on devices created by mfd did not set +the fwnode pointer to match, which caused fwnode-based APIs to +malfunction on these devices since the fwnode pointer was null. Fix +this. + +Signed-off-by: Robert Hancock +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/mfd-core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/mfd/mfd-core.c b/drivers/mfd/mfd-core.c +index dbf684c4ebfb..23276a80e3b4 100644 +--- a/drivers/mfd/mfd-core.c ++++ b/drivers/mfd/mfd-core.c +@@ -175,6 +175,7 @@ static int mfd_add_device(struct device *parent, int id, + for_each_child_of_node(parent->of_node, np) { + if (of_device_is_compatible(np, cell->of_compatible)) { + pdev->dev.of_node = np; ++ pdev->dev.fwnode = &np->fwnode; + break; + } + } +-- +2.20.1 + diff --git a/queue-5.2/mfd-cros_ec-register-cros_ec_lid_angle-driver-when-p.patch b/queue-5.2/mfd-cros_ec-register-cros_ec_lid_angle-driver-when-p.patch new file mode 100644 index 00000000000..29624b46b07 --- /dev/null +++ b/queue-5.2/mfd-cros_ec-register-cros_ec_lid_angle-driver-when-p.patch @@ -0,0 +1,56 @@ +From d587b1aff2109b949778156abf207266531ead99 Mon Sep 17 00:00:00 2001 +From: Gwendal Grignou +Date: Fri, 17 May 2019 16:38:55 -0700 +Subject: mfd: cros_ec: Register cros_ec_lid_angle driver when presented + +[ Upstream commit 1bb407f17c5316888c3c446e26cb2bb78943f236 ] + +Register driver when EC indicates has precise lid angle calculation code +running. +Fix incorrect extra resource allocation in cros_ec_sensors_register(). + +Signed-off-by: Gwendal Grignou +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/cros_ec_dev.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/drivers/mfd/cros_ec_dev.c b/drivers/mfd/cros_ec_dev.c +index a5391f96eafd..607383b67cf1 100644 +--- a/drivers/mfd/cros_ec_dev.c ++++ b/drivers/mfd/cros_ec_dev.c +@@ -285,13 +285,15 @@ static void cros_ec_sensors_register(struct cros_ec_dev *ec) + + resp = (struct ec_response_motion_sense *)msg->data; + sensor_num = resp->dump.sensor_count; +- /* Allocate 1 extra sensors in FIFO are needed */ +- sensor_cells = kcalloc(sensor_num + 1, sizeof(struct mfd_cell), ++ /* ++ * Allocate 2 extra sensors if lid angle sensor and/or FIFO are needed. ++ */ ++ sensor_cells = kcalloc(sensor_num + 2, sizeof(struct mfd_cell), + GFP_KERNEL); + if (sensor_cells == NULL) + goto error; + +- sensor_platforms = kcalloc(sensor_num + 1, ++ sensor_platforms = kcalloc(sensor_num, + sizeof(struct cros_ec_sensor_platform), + GFP_KERNEL); + if (sensor_platforms == NULL) +@@ -351,6 +353,11 @@ static void cros_ec_sensors_register(struct cros_ec_dev *ec) + sensor_cells[id].name = "cros-ec-ring"; + id++; + } ++ if (cros_ec_check_features(ec, ++ EC_FEATURE_REFINED_TABLET_MODE_HYSTERESIS)) { ++ sensor_cells[id].name = "cros-ec-lid-angle"; ++ id++; ++ } + + ret = mfd_add_devices(ec->dev, 0, sensor_cells, id, + NULL, 0, NULL); +-- +2.20.1 + diff --git a/queue-5.2/mfd-hi655x-pmic-fix-missing-return-value-check-for-d.patch b/queue-5.2/mfd-hi655x-pmic-fix-missing-return-value-check-for-d.patch new file mode 100644 index 00000000000..e42806dc04b --- /dev/null +++ b/queue-5.2/mfd-hi655x-pmic-fix-missing-return-value-check-for-d.patch @@ -0,0 +1,34 @@ +From 0d08dc055240e3bd65dd33e88de49897e3440d69 Mon Sep 17 00:00:00 2001 +From: Axel Lin +Date: Wed, 26 Jun 2019 21:30:07 +0800 +Subject: mfd: hi655x-pmic: Fix missing return value check for + devm_regmap_init_mmio_clk + +[ Upstream commit 7efd105c27fd2323789b41b64763a0e33ed79c08 ] + +Since devm_regmap_init_mmio_clk can fail, add return value checking. + +Signed-off-by: Axel Lin +Acked-by: Chen Feng +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/hi655x-pmic.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/mfd/hi655x-pmic.c b/drivers/mfd/hi655x-pmic.c +index f1c51ce309fa..7e3959aaa285 100644 +--- a/drivers/mfd/hi655x-pmic.c ++++ b/drivers/mfd/hi655x-pmic.c +@@ -109,6 +109,8 @@ static int hi655x_pmic_probe(struct platform_device *pdev) + + pmic->regmap = devm_regmap_init_mmio_clk(dev, NULL, base, + &hi655x_regmap_config); ++ if (IS_ERR(pmic->regmap)) ++ return PTR_ERR(pmic->regmap); + + regmap_read(pmic->regmap, HI655X_BUS_ADDR(HI655X_VER_REG), &pmic->ver); + if ((pmic->ver < PMU_VER_START) || (pmic->ver > PMU_VER_END)) { +-- +2.20.1 + diff --git a/queue-5.2/mfd-madera-add-missing-of-table-registration.patch b/queue-5.2/mfd-madera-add-missing-of-table-registration.patch new file mode 100644 index 00000000000..7aa23d3da4e --- /dev/null +++ b/queue-5.2/mfd-madera-add-missing-of-table-registration.patch @@ -0,0 +1,49 @@ +From 24c2a13b211e8ecc77c7a356c046d8635b1159ed Mon Sep 17 00:00:00 2001 +From: Daniel Gomez +Date: Sat, 11 May 2019 12:03:58 +0200 +Subject: mfd: madera: Add missing of table registration + +[ Upstream commit 5aa3709c0a5c026735b0ddd4ec80810a23d65f5b ] + +MODULE_DEVICE_TABLE(of, ) should be called to complete DT +OF mathing mechanism and register it. + +Before this patch: +modinfo ./drivers/mfd/madera.ko | grep alias + +After this patch: +modinfo ./drivers/mfd/madera.ko | grep alias +alias: of:N*T*Ccirrus,wm1840C* +alias: of:N*T*Ccirrus,wm1840 +alias: of:N*T*Ccirrus,cs47l91C* +alias: of:N*T*Ccirrus,cs47l91 +alias: of:N*T*Ccirrus,cs47l90C* +alias: of:N*T*Ccirrus,cs47l90 +alias: of:N*T*Ccirrus,cs47l85C* +alias: of:N*T*Ccirrus,cs47l85 +alias: of:N*T*Ccirrus,cs47l35C* +alias: of:N*T*Ccirrus,cs47l35 + +Reported-by: Javier Martinez Canillas +Signed-off-by: Daniel Gomez +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/madera-core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/mfd/madera-core.c b/drivers/mfd/madera-core.c +index 2a77988d0462..826b971ccb86 100644 +--- a/drivers/mfd/madera-core.c ++++ b/drivers/mfd/madera-core.c +@@ -286,6 +286,7 @@ const struct of_device_id madera_of_match[] = { + { .compatible = "cirrus,wm1840", .data = (void *)WM1840 }, + {} + }; ++MODULE_DEVICE_TABLE(of, madera_of_match); + EXPORT_SYMBOL_GPL(madera_of_match); + + static int madera_get_reset_gpio(struct madera *madera) +-- +2.20.1 + diff --git a/queue-5.2/mm-gup.c-mark-undo_dev_pagemap-as-__maybe_unused.patch b/queue-5.2/mm-gup.c-mark-undo_dev_pagemap-as-__maybe_unused.patch new file mode 100644 index 00000000000..a030008f739 --- /dev/null +++ b/queue-5.2/mm-gup.c-mark-undo_dev_pagemap-as-__maybe_unused.patch @@ -0,0 +1,44 @@ +From cfc9e7cd001f8ea97055c11902970f564b1b339f Mon Sep 17 00:00:00 2001 +From: Guenter Roeck +Date: Thu, 11 Jul 2019 20:57:46 -0700 +Subject: mm/gup.c: mark undo_dev_pagemap as __maybe_unused + +[ Upstream commit 790c73690c2bbecb3f6f8becbdb11ddc9bcff8cc ] + +Several mips builds generate the following build warning. + + mm/gup.c:1788:13: warning: 'undo_dev_pagemap' defined but not used + +The function is declared unconditionally but only called from behind +various ifdefs. Mark it __maybe_unused. + +Link: http://lkml.kernel.org/r/1562072523-22311-1-git-send-email-linux@roeck-us.net +Signed-off-by: Guenter Roeck +Reviewed-by: Andrew Morton +Cc: Stephen Rothwell +Cc: Robin Murphy +Cc: Kirill A. Shutemov +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/gup.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/mm/gup.c b/mm/gup.c +index ddde097cf9e4..22855ff0b448 100644 +--- a/mm/gup.c ++++ b/mm/gup.c +@@ -1696,7 +1696,8 @@ static inline pte_t gup_get_pte(pte_t *ptep) + } + #endif + +-static void undo_dev_pagemap(int *nr, int nr_start, struct page **pages) ++static void __maybe_unused undo_dev_pagemap(int *nr, int nr_start, ++ struct page **pages) + { + while ((*nr) - nr_start) { + struct page *page = pages[--(*nr)]; +-- +2.20.1 + diff --git a/queue-5.2/mm-gup.c-remove-some-bug_ons-from-get_gate_page.patch b/queue-5.2/mm-gup.c-remove-some-bug_ons-from-get_gate_page.patch new file mode 100644 index 00000000000..409c66ef92a --- /dev/null +++ b/queue-5.2/mm-gup.c-remove-some-bug_ons-from-get_gate_page.patch @@ -0,0 +1,53 @@ +From f9c169a6ab843421d2d5013daa9de188648a583e Mon Sep 17 00:00:00 2001 +From: Andy Lutomirski +Date: Thu, 11 Jul 2019 20:57:43 -0700 +Subject: mm/gup.c: remove some BUG_ONs from get_gate_page() + +[ Upstream commit b5d1c39f34d1c9bca0c4b9ae2e339fbbe264a9c7 ] + +If we end up without a PGD or PUD entry backing the gate area, don't BUG +-- just fail gracefully. + +It's not entirely implausible that this could happen some day on x86. It +doesn't right now even with an execute-only emulated vsyscall page because +the fixmap shares the PUD, but the core mm code shouldn't rely on that +particular detail to avoid OOPSing. + +Link: http://lkml.kernel.org/r/a1d9f4efb75b9d464e59fd6af00104b21c58f6f7.1561610798.git.luto@kernel.org +Signed-off-by: Andy Lutomirski +Reviewed-by: Kees Cook +Reviewed-by: Andrew Morton +Cc: Florian Weimer +Cc: Jann Horn +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/gup.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/mm/gup.c b/mm/gup.c +index 22855ff0b448..d2c14fc4b5d4 100644 +--- a/mm/gup.c ++++ b/mm/gup.c +@@ -585,11 +585,14 @@ static int get_gate_page(struct mm_struct *mm, unsigned long address, + pgd = pgd_offset_k(address); + else + pgd = pgd_offset_gate(mm, address); +- BUG_ON(pgd_none(*pgd)); ++ if (pgd_none(*pgd)) ++ return -EFAULT; + p4d = p4d_offset(pgd, address); +- BUG_ON(p4d_none(*p4d)); ++ if (p4d_none(*p4d)) ++ return -EFAULT; + pud = pud_offset(p4d, address); +- BUG_ON(pud_none(*pud)); ++ if (pud_none(*pud)) ++ return -EFAULT; + pmd = pmd_offset(pud, address); + if (!pmd_present(*pmd)) + return -EFAULT; +-- +2.20.1 + diff --git a/queue-5.2/mm-hmm-fix-use-after-free-with-struct-hmm-in-the-mmu.patch b/queue-5.2/mm-hmm-fix-use-after-free-with-struct-hmm-in-the-mmu.patch new file mode 100644 index 00000000000..4faa2406fe1 --- /dev/null +++ b/queue-5.2/mm-hmm-fix-use-after-free-with-struct-hmm-in-the-mmu.patch @@ -0,0 +1,131 @@ +From d4d4811a68fbf8ba691e180da33bc243b70306c4 Mon Sep 17 00:00:00 2001 +From: Jason Gunthorpe +Date: Wed, 22 May 2019 16:52:52 -0300 +Subject: mm/hmm: fix use after free with struct hmm in the mmu notifiers + +[ Upstream commit 6d7c3cde93c1d9ac0b37f78ec3f2ff052159a242 ] + +mmu_notifier_unregister_no_release() is not a fence and the mmu_notifier +system will continue to reference hmm->mn until the srcu grace period +expires. + +Resulting in use after free races like this: + + CPU0 CPU1 + __mmu_notifier_invalidate_range_start() + srcu_read_lock + hlist_for_each () + // mn == hmm->mn +hmm_mirror_unregister() + hmm_put() + hmm_free() + mmu_notifier_unregister_no_release() + hlist_del_init_rcu(hmm-mn->list) + mn->ops->invalidate_range_start(mn, range); + mm_get_hmm() + mm->hmm = NULL; + kfree(hmm) + mutex_lock(&hmm->lock); + +Use SRCU to kfree the hmm memory so that the notifiers can rely on hmm +existing. Get the now-safe hmm struct through container_of and directly +check kref_get_unless_zero to lock it against free. + +Signed-off-by: Jason Gunthorpe +Reviewed-by: Ira Weiny +Reviewed-by: John Hubbard +Reviewed-by: Ralph Campbell +Reviewed-by: Christoph Hellwig +Tested-by: Philip Yang +Signed-off-by: Sasha Levin +--- + include/linux/hmm.h | 1 + + mm/hmm.c | 23 +++++++++++++++++------ + 2 files changed, 18 insertions(+), 6 deletions(-) + +diff --git a/include/linux/hmm.h b/include/linux/hmm.h +index 044a36d7c3f8..89508dc0795f 100644 +--- a/include/linux/hmm.h ++++ b/include/linux/hmm.h +@@ -93,6 +93,7 @@ struct hmm { + struct mmu_notifier mmu_notifier; + struct rw_semaphore mirrors_sem; + wait_queue_head_t wq; ++ struct rcu_head rcu; + long notifiers; + bool dead; + }; +diff --git a/mm/hmm.c b/mm/hmm.c +index f702a3895d05..4c405dfbd2b3 100644 +--- a/mm/hmm.c ++++ b/mm/hmm.c +@@ -104,6 +104,11 @@ static struct hmm *hmm_get_or_create(struct mm_struct *mm) + return NULL; + } + ++static void hmm_free_rcu(struct rcu_head *rcu) ++{ ++ kfree(container_of(rcu, struct hmm, rcu)); ++} ++ + static void hmm_free(struct kref *kref) + { + struct hmm *hmm = container_of(kref, struct hmm, kref); +@@ -116,7 +121,7 @@ static void hmm_free(struct kref *kref) + mm->hmm = NULL; + spin_unlock(&mm->page_table_lock); + +- kfree(hmm); ++ mmu_notifier_call_srcu(&hmm->rcu, hmm_free_rcu); + } + + static inline void hmm_put(struct hmm *hmm) +@@ -144,10 +149,14 @@ void hmm_mm_destroy(struct mm_struct *mm) + + static void hmm_release(struct mmu_notifier *mn, struct mm_struct *mm) + { +- struct hmm *hmm = mm_get_hmm(mm); ++ struct hmm *hmm = container_of(mn, struct hmm, mmu_notifier); + struct hmm_mirror *mirror; + struct hmm_range *range; + ++ /* Bail out if hmm is in the process of being freed */ ++ if (!kref_get_unless_zero(&hmm->kref)) ++ return; ++ + /* Report this HMM as dying. */ + hmm->dead = true; + +@@ -185,13 +194,14 @@ static void hmm_release(struct mmu_notifier *mn, struct mm_struct *mm) + static int hmm_invalidate_range_start(struct mmu_notifier *mn, + const struct mmu_notifier_range *nrange) + { +- struct hmm *hmm = mm_get_hmm(nrange->mm); ++ struct hmm *hmm = container_of(mn, struct hmm, mmu_notifier); + struct hmm_mirror *mirror; + struct hmm_update update; + struct hmm_range *range; + int ret = 0; + +- VM_BUG_ON(!hmm); ++ if (!kref_get_unless_zero(&hmm->kref)) ++ return 0; + + update.start = nrange->start; + update.end = nrange->end; +@@ -239,9 +249,10 @@ static int hmm_invalidate_range_start(struct mmu_notifier *mn, + static void hmm_invalidate_range_end(struct mmu_notifier *mn, + const struct mmu_notifier_range *nrange) + { +- struct hmm *hmm = mm_get_hmm(nrange->mm); ++ struct hmm *hmm = container_of(mn, struct hmm, mmu_notifier); + +- VM_BUG_ON(!hmm); ++ if (!kref_get_unless_zero(&hmm->kref)) ++ return; + + mutex_lock(&hmm->lock); + hmm->notifiers--; +-- +2.20.1 + diff --git a/queue-5.2/mm-kmemleak.c-fix-check-for-softirq-context.patch b/queue-5.2/mm-kmemleak.c-fix-check-for-softirq-context.patch new file mode 100644 index 00000000000..e07f2d20017 --- /dev/null +++ b/queue-5.2/mm-kmemleak.c-fix-check-for-softirq-context.patch @@ -0,0 +1,96 @@ +From ad38237eac140a1b44d21ed3d056236859bf8142 Mon Sep 17 00:00:00 2001 +From: Dmitry Vyukov +Date: Thu, 11 Jul 2019 20:53:39 -0700 +Subject: mm/kmemleak.c: fix check for softirq context + +[ Upstream commit 6ef9056952532c3b746de46aa10d45b4d7797bd8 ] + +in_softirq() is a wrong predicate to check if we are in a softirq +context. It also returns true if we have BH disabled, so objects are +falsely stamped with "softirq" comm. The correct predicate is +in_serving_softirq(). + +If user does cat from /sys/kernel/debug/kmemleak previously they would +see this, which is clearly wrong, this is system call context (see the +comm): + +unreferenced object 0xffff88805bd661c0 (size 64): + comm "softirq", pid 0, jiffies 4294942959 (age 12.400s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ................ + backtrace: + [<0000000007dcb30c>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline] + [<0000000007dcb30c>] slab_post_alloc_hook mm/slab.h:439 [inline] + [<0000000007dcb30c>] slab_alloc mm/slab.c:3326 [inline] + [<0000000007dcb30c>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553 + [<00000000969722b7>] kmalloc include/linux/slab.h:547 [inline] + [<00000000969722b7>] kzalloc include/linux/slab.h:742 [inline] + [<00000000969722b7>] ip_mc_add1_src net/ipv4/igmp.c:1961 [inline] + [<00000000969722b7>] ip_mc_add_src+0x36b/0x400 net/ipv4/igmp.c:2085 + [<00000000a4134b5f>] ip_mc_msfilter+0x22d/0x310 net/ipv4/igmp.c:2475 + [<00000000d20248ad>] do_ip_setsockopt.isra.0+0x19fe/0x1c00 net/ipv4/ip_sockglue.c:957 + [<000000003d367be7>] ip_setsockopt+0x3b/0xb0 net/ipv4/ip_sockglue.c:1246 + [<000000003c7c76af>] udp_setsockopt+0x4e/0x90 net/ipv4/udp.c:2616 + [<000000000c1aeb23>] sock_common_setsockopt+0x3e/0x50 net/core/sock.c:3130 + [<000000000157b92b>] __sys_setsockopt+0x9e/0x120 net/socket.c:2078 + [<00000000a9f3d058>] __do_sys_setsockopt net/socket.c:2089 [inline] + [<00000000a9f3d058>] __se_sys_setsockopt net/socket.c:2086 [inline] + [<00000000a9f3d058>] __x64_sys_setsockopt+0x26/0x30 net/socket.c:2086 + [<000000001b8da885>] do_syscall_64+0x7c/0x1a0 arch/x86/entry/common.c:301 + [<00000000ba770c62>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +now they will see this: + +unreferenced object 0xffff88805413c800 (size 64): + comm "syz-executor.4", pid 8960, jiffies 4294994003 (age 14.350s) + hex dump (first 32 bytes): + 00 7a 8a 57 80 88 ff ff e0 00 00 01 00 00 00 00 .z.W............ + 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ................ + backtrace: + [<00000000c5d3be64>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline] + [<00000000c5d3be64>] slab_post_alloc_hook mm/slab.h:439 [inline] + [<00000000c5d3be64>] slab_alloc mm/slab.c:3326 [inline] + [<00000000c5d3be64>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553 + [<0000000023865be2>] kmalloc include/linux/slab.h:547 [inline] + [<0000000023865be2>] kzalloc include/linux/slab.h:742 [inline] + [<0000000023865be2>] ip_mc_add1_src net/ipv4/igmp.c:1961 [inline] + [<0000000023865be2>] ip_mc_add_src+0x36b/0x400 net/ipv4/igmp.c:2085 + [<000000003029a9d4>] ip_mc_msfilter+0x22d/0x310 net/ipv4/igmp.c:2475 + [<00000000ccd0a87c>] do_ip_setsockopt.isra.0+0x19fe/0x1c00 net/ipv4/ip_sockglue.c:957 + [<00000000a85a3785>] ip_setsockopt+0x3b/0xb0 net/ipv4/ip_sockglue.c:1246 + [<00000000ec13c18d>] udp_setsockopt+0x4e/0x90 net/ipv4/udp.c:2616 + [<0000000052d748e3>] sock_common_setsockopt+0x3e/0x50 net/core/sock.c:3130 + [<00000000512f1014>] __sys_setsockopt+0x9e/0x120 net/socket.c:2078 + [<00000000181758bc>] __do_sys_setsockopt net/socket.c:2089 [inline] + [<00000000181758bc>] __se_sys_setsockopt net/socket.c:2086 [inline] + [<00000000181758bc>] __x64_sys_setsockopt+0x26/0x30 net/socket.c:2086 + [<00000000d4b73623>] do_syscall_64+0x7c/0x1a0 arch/x86/entry/common.c:301 + [<00000000c1098bec>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Link: http://lkml.kernel.org/r/20190517171507.96046-1-dvyukov@gmail.com +Signed-off-by: Dmitry Vyukov +Acked-by: Catalin Marinas +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/kmemleak.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/mm/kmemleak.c b/mm/kmemleak.c +index 9dd581d11565..3e147ea83182 100644 +--- a/mm/kmemleak.c ++++ b/mm/kmemleak.c +@@ -575,7 +575,7 @@ static struct kmemleak_object *create_object(unsigned long ptr, size_t size, + if (in_irq()) { + object->pid = 0; + strncpy(object->comm, "hardirq", sizeof(object->comm)); +- } else if (in_softirq()) { ++ } else if (in_serving_softirq()) { + object->pid = 0; + strncpy(object->comm, "softirq", sizeof(object->comm)); + } else { +-- +2.20.1 + diff --git a/queue-5.2/mm-mincore.c-fix-race-between-swapoff-and-mincore.patch b/queue-5.2/mm-mincore.c-fix-race-between-swapoff-and-mincore.patch new file mode 100644 index 00000000000..fcd3c56cb1e --- /dev/null +++ b/queue-5.2/mm-mincore.c-fix-race-between-swapoff-and-mincore.patch @@ -0,0 +1,90 @@ +From a41b1f25bc2965de657aa627cf864da54bf2e486 Mon Sep 17 00:00:00 2001 +From: Huang Ying +Date: Thu, 11 Jul 2019 20:55:44 -0700 +Subject: mm/mincore.c: fix race between swapoff and mincore +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit aeb309b81c6bada783c3695528a3e10748e97285 ] + +Via commit 4b3ef9daa4fc ("mm/swap: split swap cache into 64MB trunks"), +after swapoff, the address_space associated with the swap device will be +freed. So swap_address_space() users which touch the address_space need +some kind of mechanism to prevent the address_space from being freed +during accessing. + +When mincore processes an unmapped range for swapped shmem pages, it +doesn't hold the lock to prevent swap device from being swapped off. So +the following race is possible: + +CPU1 CPU2 +do_mincore() swapoff() + walk_page_range() + mincore_unmapped_range() + __mincore_unmapped_range + mincore_page + as = swap_address_space() + ... exit_swap_address_space() + ... kvfree(spaces) + find_get_page(as) + +The address space may be accessed after being freed. + +To fix the race, get_swap_device()/put_swap_device() is used to enclose +find_get_page() to check whether the swap entry is valid and prevent the +swap device from being swapoff during accessing. + +Link: http://lkml.kernel.org/r/20190611020510.28251-1-ying.huang@intel.com +Fixes: 4b3ef9daa4fc ("mm/swap: split swap cache into 64MB trunks") +Signed-off-by: "Huang, Ying" +Reviewed-by: Andrew Morton +Acked-by: Michal Hocko +Cc: Hugh Dickins +Cc: Paul E. McKenney +Cc: Minchan Kim +Cc: Johannes Weiner +Cc: Tim Chen +Cc: Mel Gorman +Cc: Jérôme Glisse +Cc: Andrea Arcangeli +Cc: Yang Shi +Cc: David Rientjes +Cc: Rik van Riel +Cc: Jan Kara +Cc: Dave Jiang +Cc: Daniel Jordan +Cc: Andrea Parri +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/mincore.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/mm/mincore.c b/mm/mincore.c +index c3f058bd0faf..4fe91d497436 100644 +--- a/mm/mincore.c ++++ b/mm/mincore.c +@@ -68,8 +68,16 @@ static unsigned char mincore_page(struct address_space *mapping, pgoff_t pgoff) + */ + if (xa_is_value(page)) { + swp_entry_t swp = radix_to_swp_entry(page); +- page = find_get_page(swap_address_space(swp), +- swp_offset(swp)); ++ struct swap_info_struct *si; ++ ++ /* Prevent swap device to being swapoff under us */ ++ si = get_swap_device(swp); ++ if (si) { ++ page = find_get_page(swap_address_space(swp), ++ swp_offset(swp)); ++ put_swap_device(si); ++ } else ++ page = NULL; + } + } else + page = find_get_page(mapping, pgoff); +-- +2.20.1 + diff --git a/queue-5.2/mm-mmu_notifier-use-hlist_add_head_rcu.patch b/queue-5.2/mm-mmu_notifier-use-hlist_add_head_rcu.patch new file mode 100644 index 00000000000..827a1dbaba5 --- /dev/null +++ b/queue-5.2/mm-mmu_notifier-use-hlist_add_head_rcu.patch @@ -0,0 +1,69 @@ +From f911714a5ab54c8ed7d7ac4267fdea5df54e23ab Mon Sep 17 00:00:00 2001 +From: Jean-Philippe Brucker +Date: Thu, 11 Jul 2019 20:58:50 -0700 +Subject: mm/mmu_notifier: use hlist_add_head_rcu() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 543bdb2d825fe2400d6e951f1786d92139a16931 ] + +Make mmu_notifier_register() safer by issuing a memory barrier before +registering a new notifier. This fixes a theoretical bug on weakly +ordered CPUs. For example, take this simplified use of notifiers by a +driver: + + my_struct->mn.ops = &my_ops; /* (1) */ + mmu_notifier_register(&my_struct->mn, mm) + ... + hlist_add_head(&mn->hlist, &mm->mmu_notifiers); /* (2) */ + ... + +Once mmu_notifier_register() releases the mm locks, another thread can +invalidate a range: + + mmu_notifier_invalidate_range() + ... + hlist_for_each_entry_rcu(mn, &mm->mmu_notifiers, hlist) { + if (mn->ops->invalidate_range) + +The read side relies on the data dependency between mn and ops to ensure +that the pointer is properly initialized. But the write side doesn't have +any dependency between (1) and (2), so they could be reordered and the +readers could dereference an invalid mn->ops. mmu_notifier_register() +does take all the mm locks before adding to the hlist, but those have +acquire semantics which isn't sufficient. + +By calling hlist_add_head_rcu() instead of hlist_add_head() we update the +hlist using a store-release, ensuring that readers see prior +initialization of my_struct. This situation is better illustated by +litmus test MP+onceassign+derefonce. + +Link: http://lkml.kernel.org/r/20190502133532.24981-1-jean-philippe.brucker@arm.com +Fixes: cddb8a5c14aa ("mmu-notifiers: core") +Signed-off-by: Jean-Philippe Brucker +Cc: Jérôme Glisse +Cc: Michal Hocko +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/mmu_notifier.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/mm/mmu_notifier.c b/mm/mmu_notifier.c +index 513b9607409d..b5670620aea0 100644 +--- a/mm/mmu_notifier.c ++++ b/mm/mmu_notifier.c +@@ -274,7 +274,7 @@ static int do_mmu_notifier_register(struct mmu_notifier *mn, + * thanks to mm_take_all_locks(). + */ + spin_lock(&mm->mmu_notifier_mm->lock); +- hlist_add_head(&mn->hlist, &mm->mmu_notifier_mm->list); ++ hlist_add_head_rcu(&mn->hlist, &mm->mmu_notifier_mm->list); + spin_unlock(&mm->mmu_notifier_mm->lock); + + mm_drop_all_locks(mm); +-- +2.20.1 + diff --git a/queue-5.2/mm-swap-fix-race-between-swapoff-and-some-swap-opera.patch b/queue-5.2/mm-swap-fix-race-between-swapoff-and-some-swap-opera.patch new file mode 100644 index 00000000000..d18dfdeb59c --- /dev/null +++ b/queue-5.2/mm-swap-fix-race-between-swapoff-and-some-swap-opera.patch @@ -0,0 +1,481 @@ +From 29d1dfe61f6a0206339566d79f52f5a42cdf1de6 Mon Sep 17 00:00:00 2001 +From: Huang Ying +Date: Thu, 11 Jul 2019 20:55:33 -0700 +Subject: mm, swap: fix race between swapoff and some swap operations +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit eb085574a7526c4375965c5fbf7e5b0c19cdd336 ] + +When swapin is performed, after getting the swap entry information from +the page table, system will swap in the swap entry, without any lock held +to prevent the swap device from being swapoff. This may cause the race +like below, + +CPU 1 CPU 2 +----- ----- + do_swap_page + swapin_readahead + __read_swap_cache_async +swapoff swapcache_prepare + p->swap_map = NULL __swap_duplicate + p->swap_map[?] /* !!! NULL pointer access */ + +Because swapoff is usually done when system shutdown only, the race may +not hit many people in practice. But it is still a race need to be fixed. + +To fix the race, get_swap_device() is added to check whether the specified +swap entry is valid in its swap device. If so, it will keep the swap +entry valid via preventing the swap device from being swapoff, until +put_swap_device() is called. + +Because swapoff() is very rare code path, to make the normal path runs as +fast as possible, rcu_read_lock/unlock() and synchronize_rcu() instead of +reference count is used to implement get/put_swap_device(). >From +get_swap_device() to put_swap_device(), RCU reader side is locked, so +synchronize_rcu() in swapoff() will wait until put_swap_device() is +called. + +In addition to swap_map, cluster_info, etc. data structure in the struct +swap_info_struct, the swap cache radix tree will be freed after swapoff, +so this patch fixes the race between swap cache looking up and swapoff +too. + +Races between some other swap cache usages and swapoff are fixed too via +calling synchronize_rcu() between clearing PageSwapCache() and freeing +swap cache data structure. + +Another possible method to fix this is to use preempt_off() + +stop_machine() to prevent the swap device from being swapoff when its data +structure is being accessed. The overhead in hot-path of both methods is +similar. The advantages of RCU based method are, + +1. stop_machine() may disturb the normal execution code path on other + CPUs. + +2. File cache uses RCU to protect its radix tree. If the similar + mechanism is used for swap cache too, it is easier to share code + between them. + +3. RCU is used to protect swap cache in total_swapcache_pages() and + exit_swap_address_space() already. The two mechanisms can be + merged to simplify the logic. + +Link: http://lkml.kernel.org/r/20190522015423.14418-1-ying.huang@intel.com +Fixes: 235b62176712 ("mm/swap: add cluster lock") +Signed-off-by: "Huang, Ying" +Reviewed-by: Andrea Parri +Not-nacked-by: Hugh Dickins +Cc: Andrea Arcangeli +Cc: Paul E. McKenney +Cc: Daniel Jordan +Cc: Michal Hocko +Cc: Minchan Kim +Cc: Johannes Weiner +Cc: Tim Chen +Cc: Mel Gorman +Cc: Jérôme Glisse +Cc: Yang Shi +Cc: David Rientjes +Cc: Rik van Riel +Cc: Jan Kara +Cc: Dave Jiang +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/linux/swap.h | 13 +++- + mm/memory.c | 2 +- + mm/swap_state.c | 16 ++++- + mm/swapfile.c | 154 ++++++++++++++++++++++++++++++++++--------- + 4 files changed, 146 insertions(+), 39 deletions(-) + +diff --git a/include/linux/swap.h b/include/linux/swap.h +index 4bfb5c4ac108..6358a6185634 100644 +--- a/include/linux/swap.h ++++ b/include/linux/swap.h +@@ -175,8 +175,9 @@ enum { + SWP_PAGE_DISCARD = (1 << 10), /* freed swap page-cluster discards */ + SWP_STABLE_WRITES = (1 << 11), /* no overwrite PG_writeback pages */ + SWP_SYNCHRONOUS_IO = (1 << 12), /* synchronous IO is efficient */ ++ SWP_VALID = (1 << 13), /* swap is valid to be operated on? */ + /* add others here before... */ +- SWP_SCANNING = (1 << 13), /* refcount in scan_swap_map */ ++ SWP_SCANNING = (1 << 14), /* refcount in scan_swap_map */ + }; + + #define SWAP_CLUSTER_MAX 32UL +@@ -460,7 +461,7 @@ extern unsigned int count_swap_pages(int, int); + extern sector_t map_swap_page(struct page *, struct block_device **); + extern sector_t swapdev_block(int, pgoff_t); + extern int page_swapcount(struct page *); +-extern int __swap_count(struct swap_info_struct *si, swp_entry_t entry); ++extern int __swap_count(swp_entry_t entry); + extern int __swp_swapcount(swp_entry_t entry); + extern int swp_swapcount(swp_entry_t entry); + extern struct swap_info_struct *page_swap_info(struct page *); +@@ -470,6 +471,12 @@ extern int try_to_free_swap(struct page *); + struct backing_dev_info; + extern int init_swap_address_space(unsigned int type, unsigned long nr_pages); + extern void exit_swap_address_space(unsigned int type); ++extern struct swap_info_struct *get_swap_device(swp_entry_t entry); ++ ++static inline void put_swap_device(struct swap_info_struct *si) ++{ ++ rcu_read_unlock(); ++} + + #else /* CONFIG_SWAP */ + +@@ -576,7 +583,7 @@ static inline int page_swapcount(struct page *page) + return 0; + } + +-static inline int __swap_count(struct swap_info_struct *si, swp_entry_t entry) ++static inline int __swap_count(swp_entry_t entry) + { + return 0; + } +diff --git a/mm/memory.c b/mm/memory.c +index 9a4401d21e94..b0efc69b2634 100644 +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -2807,7 +2807,7 @@ vm_fault_t do_swap_page(struct vm_fault *vmf) + struct swap_info_struct *si = swp_swap_info(entry); + + if (si->flags & SWP_SYNCHRONOUS_IO && +- __swap_count(si, entry) == 1) { ++ __swap_count(entry) == 1) { + /* skip swapcache */ + page = alloc_page_vma(GFP_HIGHUSER_MOVABLE, vma, + vmf->address); +diff --git a/mm/swap_state.c b/mm/swap_state.c +index 85245fdec8d9..61453f1faf72 100644 +--- a/mm/swap_state.c ++++ b/mm/swap_state.c +@@ -310,8 +310,13 @@ struct page *lookup_swap_cache(swp_entry_t entry, struct vm_area_struct *vma, + unsigned long addr) + { + struct page *page; ++ struct swap_info_struct *si; + ++ si = get_swap_device(entry); ++ if (!si) ++ return NULL; + page = find_get_page(swap_address_space(entry), swp_offset(entry)); ++ put_swap_device(si); + + INC_CACHE_INFO(find_total); + if (page) { +@@ -354,8 +359,8 @@ struct page *__read_swap_cache_async(swp_entry_t entry, gfp_t gfp_mask, + struct vm_area_struct *vma, unsigned long addr, + bool *new_page_allocated) + { +- struct page *found_page, *new_page = NULL; +- struct address_space *swapper_space = swap_address_space(entry); ++ struct page *found_page = NULL, *new_page = NULL; ++ struct swap_info_struct *si; + int err; + *new_page_allocated = false; + +@@ -365,7 +370,12 @@ struct page *__read_swap_cache_async(swp_entry_t entry, gfp_t gfp_mask, + * called after lookup_swap_cache() failed, re-calling + * that would confuse statistics. + */ +- found_page = find_get_page(swapper_space, swp_offset(entry)); ++ si = get_swap_device(entry); ++ if (!si) ++ break; ++ found_page = find_get_page(swap_address_space(entry), ++ swp_offset(entry)); ++ put_swap_device(si); + if (found_page) + break; + +diff --git a/mm/swapfile.c b/mm/swapfile.c +index 596ac98051c5..dbab16ddefa6 100644 +--- a/mm/swapfile.c ++++ b/mm/swapfile.c +@@ -1079,12 +1079,11 @@ swp_entry_t get_swap_page_of_type(int type) + static struct swap_info_struct *__swap_info_get(swp_entry_t entry) + { + struct swap_info_struct *p; +- unsigned long offset, type; ++ unsigned long offset; + + if (!entry.val) + goto out; +- type = swp_type(entry); +- p = swap_type_to_swap_info(type); ++ p = swp_swap_info(entry); + if (!p) + goto bad_nofile; + if (!(p->flags & SWP_USED)) +@@ -1187,6 +1186,69 @@ static unsigned char __swap_entry_free_locked(struct swap_info_struct *p, + return usage; + } + ++/* ++ * Check whether swap entry is valid in the swap device. If so, ++ * return pointer to swap_info_struct, and keep the swap entry valid ++ * via preventing the swap device from being swapoff, until ++ * put_swap_device() is called. Otherwise return NULL. ++ * ++ * The entirety of the RCU read critical section must come before the ++ * return from or after the call to synchronize_rcu() in ++ * enable_swap_info() or swapoff(). So if "si->flags & SWP_VALID" is ++ * true, the si->map, si->cluster_info, etc. must be valid in the ++ * critical section. ++ * ++ * Notice that swapoff or swapoff+swapon can still happen before the ++ * rcu_read_lock() in get_swap_device() or after the rcu_read_unlock() ++ * in put_swap_device() if there isn't any other way to prevent ++ * swapoff, such as page lock, page table lock, etc. The caller must ++ * be prepared for that. For example, the following situation is ++ * possible. ++ * ++ * CPU1 CPU2 ++ * do_swap_page() ++ * ... swapoff+swapon ++ * __read_swap_cache_async() ++ * swapcache_prepare() ++ * __swap_duplicate() ++ * // check swap_map ++ * // verify PTE not changed ++ * ++ * In __swap_duplicate(), the swap_map need to be checked before ++ * changing partly because the specified swap entry may be for another ++ * swap device which has been swapoff. And in do_swap_page(), after ++ * the page is read from the swap device, the PTE is verified not ++ * changed with the page table locked to check whether the swap device ++ * has been swapoff or swapoff+swapon. ++ */ ++struct swap_info_struct *get_swap_device(swp_entry_t entry) ++{ ++ struct swap_info_struct *si; ++ unsigned long offset; ++ ++ if (!entry.val) ++ goto out; ++ si = swp_swap_info(entry); ++ if (!si) ++ goto bad_nofile; ++ ++ rcu_read_lock(); ++ if (!(si->flags & SWP_VALID)) ++ goto unlock_out; ++ offset = swp_offset(entry); ++ if (offset >= si->max) ++ goto unlock_out; ++ ++ return si; ++bad_nofile: ++ pr_err("%s: %s%08lx\n", __func__, Bad_file, entry.val); ++out: ++ return NULL; ++unlock_out: ++ rcu_read_unlock(); ++ return NULL; ++} ++ + static unsigned char __swap_entry_free(struct swap_info_struct *p, + swp_entry_t entry, unsigned char usage) + { +@@ -1358,11 +1420,18 @@ int page_swapcount(struct page *page) + return count; + } + +-int __swap_count(struct swap_info_struct *si, swp_entry_t entry) ++int __swap_count(swp_entry_t entry) + { ++ struct swap_info_struct *si; + pgoff_t offset = swp_offset(entry); ++ int count = 0; + +- return swap_count(si->swap_map[offset]); ++ si = get_swap_device(entry); ++ if (si) { ++ count = swap_count(si->swap_map[offset]); ++ put_swap_device(si); ++ } ++ return count; + } + + static int swap_swapcount(struct swap_info_struct *si, swp_entry_t entry) +@@ -1387,9 +1456,11 @@ int __swp_swapcount(swp_entry_t entry) + int count = 0; + struct swap_info_struct *si; + +- si = __swap_info_get(entry); +- if (si) ++ si = get_swap_device(entry); ++ if (si) { + count = swap_swapcount(si, entry); ++ put_swap_device(si); ++ } + return count; + } + +@@ -2335,9 +2406,9 @@ static int swap_node(struct swap_info_struct *p) + return bdev ? bdev->bd_disk->node_id : NUMA_NO_NODE; + } + +-static void _enable_swap_info(struct swap_info_struct *p, int prio, +- unsigned char *swap_map, +- struct swap_cluster_info *cluster_info) ++static void setup_swap_info(struct swap_info_struct *p, int prio, ++ unsigned char *swap_map, ++ struct swap_cluster_info *cluster_info) + { + int i; + +@@ -2362,7 +2433,11 @@ static void _enable_swap_info(struct swap_info_struct *p, int prio, + } + p->swap_map = swap_map; + p->cluster_info = cluster_info; +- p->flags |= SWP_WRITEOK; ++} ++ ++static void _enable_swap_info(struct swap_info_struct *p) ++{ ++ p->flags |= SWP_WRITEOK | SWP_VALID; + atomic_long_add(p->pages, &nr_swap_pages); + total_swap_pages += p->pages; + +@@ -2389,7 +2464,17 @@ static void enable_swap_info(struct swap_info_struct *p, int prio, + frontswap_init(p->type, frontswap_map); + spin_lock(&swap_lock); + spin_lock(&p->lock); +- _enable_swap_info(p, prio, swap_map, cluster_info); ++ setup_swap_info(p, prio, swap_map, cluster_info); ++ spin_unlock(&p->lock); ++ spin_unlock(&swap_lock); ++ /* ++ * Guarantee swap_map, cluster_info, etc. fields are valid ++ * between get/put_swap_device() if SWP_VALID bit is set ++ */ ++ synchronize_rcu(); ++ spin_lock(&swap_lock); ++ spin_lock(&p->lock); ++ _enable_swap_info(p); + spin_unlock(&p->lock); + spin_unlock(&swap_lock); + } +@@ -2398,7 +2483,8 @@ static void reinsert_swap_info(struct swap_info_struct *p) + { + spin_lock(&swap_lock); + spin_lock(&p->lock); +- _enable_swap_info(p, p->prio, p->swap_map, p->cluster_info); ++ setup_swap_info(p, p->prio, p->swap_map, p->cluster_info); ++ _enable_swap_info(p); + spin_unlock(&p->lock); + spin_unlock(&swap_lock); + } +@@ -2501,6 +2587,17 @@ SYSCALL_DEFINE1(swapoff, const char __user *, specialfile) + + reenable_swap_slots_cache_unlock(); + ++ spin_lock(&swap_lock); ++ spin_lock(&p->lock); ++ p->flags &= ~SWP_VALID; /* mark swap device as invalid */ ++ spin_unlock(&p->lock); ++ spin_unlock(&swap_lock); ++ /* ++ * wait for swap operations protected by get/put_swap_device() ++ * to complete ++ */ ++ synchronize_rcu(); ++ + flush_work(&p->discard_work); + + destroy_swap_extents(p); +@@ -3265,17 +3362,11 @@ static int __swap_duplicate(swp_entry_t entry, unsigned char usage) + unsigned char has_cache; + int err = -EINVAL; + +- if (non_swap_entry(entry)) +- goto out; +- +- p = swp_swap_info(entry); ++ p = get_swap_device(entry); + if (!p) +- goto bad_file; +- +- offset = swp_offset(entry); +- if (unlikely(offset >= p->max)) + goto out; + ++ offset = swp_offset(entry); + ci = lock_cluster_or_swap_info(p, offset); + + count = p->swap_map[offset]; +@@ -3321,11 +3412,9 @@ static int __swap_duplicate(swp_entry_t entry, unsigned char usage) + unlock_out: + unlock_cluster_or_swap_info(p, ci); + out: ++ if (p) ++ put_swap_device(p); + return err; +- +-bad_file: +- pr_err("swap_dup: %s%08lx\n", Bad_file, entry.val); +- goto out; + } + + /* +@@ -3417,6 +3506,7 @@ int add_swap_count_continuation(swp_entry_t entry, gfp_t gfp_mask) + struct page *list_page; + pgoff_t offset; + unsigned char count; ++ int ret = 0; + + /* + * When debugging, it's easier to use __GFP_ZERO here; but it's better +@@ -3424,15 +3514,15 @@ int add_swap_count_continuation(swp_entry_t entry, gfp_t gfp_mask) + */ + page = alloc_page(gfp_mask | __GFP_HIGHMEM); + +- si = swap_info_get(entry); ++ si = get_swap_device(entry); + if (!si) { + /* + * An acceptable race has occurred since the failing +- * __swap_duplicate(): the swap entry has been freed, +- * perhaps even the whole swap_map cleared for swapoff. ++ * __swap_duplicate(): the swap device may be swapoff + */ + goto outer; + } ++ spin_lock(&si->lock); + + offset = swp_offset(entry); + +@@ -3450,9 +3540,8 @@ int add_swap_count_continuation(swp_entry_t entry, gfp_t gfp_mask) + } + + if (!page) { +- unlock_cluster(ci); +- spin_unlock(&si->lock); +- return -ENOMEM; ++ ret = -ENOMEM; ++ goto out; + } + + /* +@@ -3504,10 +3593,11 @@ int add_swap_count_continuation(swp_entry_t entry, gfp_t gfp_mask) + out: + unlock_cluster(ci); + spin_unlock(&si->lock); ++ put_swap_device(si); + outer: + if (page) + __free_page(page); +- return 0; ++ return ret; + } + + /* +-- +2.20.1 + diff --git a/queue-5.2/mm-swap-fix-release_pages-when-releasing-devmap-page.patch b/queue-5.2/mm-swap-fix-release_pages-when-releasing-devmap-page.patch new file mode 100644 index 00000000000..7bb3d4773e8 --- /dev/null +++ b/queue-5.2/mm-swap-fix-release_pages-when-releasing-devmap-page.patch @@ -0,0 +1,77 @@ +From a39b9a3a1b12fb12ef5bbe17029a88729bcdfa90 Mon Sep 17 00:00:00 2001 +From: Ira Weiny +Date: Wed, 5 Jun 2019 14:49:22 -0700 +Subject: mm/swap: fix release_pages() when releasing devmap pages +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit c5d6c45e90c49150670346967971e14576afd7f1 ] + +release_pages() is an optimized version of a loop around put_page(). +Unfortunately for devmap pages the logic is not entirely correct in +release_pages(). This is because device pages can be more than type +MEMORY_DEVICE_PUBLIC. There are in fact 4 types, private, public, FS DAX, +and PCI P2PDMA. Some of these have specific needs to "put" the page while +others do not. + +This logic to handle any special needs is contained in +put_devmap_managed_page(). Therefore all devmap pages should be processed +by this function where we can contain the correct logic for a page put. + +Handle all device type pages within release_pages() by calling +put_devmap_managed_page() on all devmap pages. If +put_devmap_managed_page() returns true the page has been put and we +continue with the next page. A false return of put_devmap_managed_page() +means the page did not require special processing and should fall to +"normal" processing. + +This was found via code inspection while determining if release_pages() +and the new put_user_pages() could be interchangeable.[1] + +[1] https://lkml.kernel.org/r/20190523172852.GA27175@iweiny-DESK2.sc.intel.com + +Link: https://lkml.kernel.org/r/20190605214922.17684-1-ira.weiny@intel.com +Cc: Jérôme Glisse +Cc: Michal Hocko +Reviewed-by: Dan Williams +Reviewed-by: John Hubbard +Signed-off-by: Ira Weiny +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + mm/swap.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/mm/swap.c b/mm/swap.c +index 7ede3eddc12a..607c48229a1d 100644 +--- a/mm/swap.c ++++ b/mm/swap.c +@@ -740,15 +740,20 @@ void release_pages(struct page **pages, int nr) + if (is_huge_zero_page(page)) + continue; + +- /* Device public page can not be huge page */ +- if (is_device_public_page(page)) { ++ if (is_zone_device_page(page)) { + if (locked_pgdat) { + spin_unlock_irqrestore(&locked_pgdat->lru_lock, + flags); + locked_pgdat = NULL; + } +- put_devmap_managed_page(page); +- continue; ++ /* ++ * ZONE_DEVICE pages that return 'false' from ++ * put_devmap_managed_page() do not require special ++ * processing, and instead, expect a call to ++ * put_page_testzero(). ++ */ ++ if (put_devmap_managed_page(page)) ++ continue; + } + + page = compound_head(page); +-- +2.20.1 + diff --git a/queue-5.2/mm-use-down_read_killable-for-locking-mmap_sem-in-ac.patch b/queue-5.2/mm-use-down_read_killable-for-locking-mmap_sem-in-ac.patch new file mode 100644 index 00000000000..12c32b24db7 --- /dev/null +++ b/queue-5.2/mm-use-down_read_killable-for-locking-mmap_sem-in-ac.patch @@ -0,0 +1,72 @@ +From 0e0c4a988895edd9ae918c189db7271911c02185 Mon Sep 17 00:00:00 2001 +From: Konstantin Khlebnikov +Date: Thu, 11 Jul 2019 21:00:07 -0700 +Subject: mm: use down_read_killable for locking mmap_sem in access_remote_vm +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 1e426fe28261b03f297992e89da3320b42816f4e ] + +This function is used by ptrace and proc files like /proc/pid/cmdline and +/proc/pid/environ. + +Access_remote_vm never returns error codes, all errors are ignored and +only size of successfully read data is returned. So, if current task was +killed we'll simply return 0 (bytes read). + +Mmap_sem could be locked for a long time or forever if something goes +wrong. Using a killable lock permits cleanup of stuck tasks and +simplifies investigation. + +Link: http://lkml.kernel.org/r/156007494202.3335.16782303099589302087.stgit@buzz +Signed-off-by: Konstantin Khlebnikov +Reviewed-by: Michal Koutný +Acked-by: Oleg Nesterov +Acked-by: Michal Hocko +Cc: Alexey Dobriyan +Cc: Matthew Wilcox +Cc: Cyrill Gorcunov +Cc: Kirill Tkhai +Cc: Al Viro +Cc: Roman Gushchin +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/memory.c | 4 +++- + mm/nommu.c | 3 ++- + 2 files changed, 5 insertions(+), 2 deletions(-) + +diff --git a/mm/memory.c b/mm/memory.c +index ddf20bd0c317..9a4401d21e94 100644 +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -4349,7 +4349,9 @@ int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm, + void *old_buf = buf; + int write = gup_flags & FOLL_WRITE; + +- down_read(&mm->mmap_sem); ++ if (down_read_killable(&mm->mmap_sem)) ++ return 0; ++ + /* ignore errors, just check how much was successfully transferred */ + while (len) { + int bytes, ret, offset; +diff --git a/mm/nommu.c b/mm/nommu.c +index d8c02fbe03b5..b2823519f8cd 100644 +--- a/mm/nommu.c ++++ b/mm/nommu.c +@@ -1792,7 +1792,8 @@ int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm, + struct vm_area_struct *vma; + int write = gup_flags & FOLL_WRITE; + +- down_read(&mm->mmap_sem); ++ if (down_read_killable(&mm->mmap_sem)) ++ return 0; + + /* the access must start within one of the target process's mappings */ + vma = find_vma(mm, addr); +-- +2.20.1 + diff --git a/queue-5.2/mmc-sdhci-sdhci-pci-o2micro-check-if-controller-supp.patch b/queue-5.2/mmc-sdhci-sdhci-pci-o2micro-check-if-controller-supp.patch new file mode 100644 index 00000000000..0a433283eff --- /dev/null +++ b/queue-5.2/mmc-sdhci-sdhci-pci-o2micro-check-if-controller-supp.patch @@ -0,0 +1,52 @@ +From 0ade336b8a64266592461457e5659032d646a81c Mon Sep 17 00:00:00 2001 +From: Raul E Rangel +Date: Mon, 17 Jun 2019 14:10:13 -0600 +Subject: mmc: sdhci: sdhci-pci-o2micro: Check if controller supports 8-bit + width + +[ Upstream commit de23f0b757766d9fae59df97da6e8bdc5b231351 ] + +The O2 controller supports 8-bit EMMC access. + +JESD84-B51 section A.6.3.a defines the bus testing procedure that +`mmc_select_bus_width()` implements. This is used to determine the actual +bus width of the eMMC. + +Signed-off-by: Raul E Rangel +Acked-by: Adrian Hunter +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/sdhci-pci-o2micro.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/sdhci-pci-o2micro.c b/drivers/mmc/host/sdhci-pci-o2micro.c +index dd21315922c8..9dc4548271b4 100644 +--- a/drivers/mmc/host/sdhci-pci-o2micro.c ++++ b/drivers/mmc/host/sdhci-pci-o2micro.c +@@ -395,11 +395,21 @@ int sdhci_pci_o2_probe_slot(struct sdhci_pci_slot *slot) + { + struct sdhci_pci_chip *chip; + struct sdhci_host *host; +- u32 reg; ++ u32 reg, caps; + int ret; + + chip = slot->chip; + host = slot->host; ++ ++ caps = sdhci_readl(host, SDHCI_CAPABILITIES); ++ ++ /* ++ * mmc_select_bus_width() will test the bus to determine the actual bus ++ * width. ++ */ ++ if (caps & SDHCI_CAN_DO_8BIT) ++ host->mmc->caps |= MMC_CAP_8_BIT_DATA; ++ + switch (chip->pdev->device) { + case PCI_DEVICE_ID_O2_SDS0: + case PCI_DEVICE_ID_O2_SEABIRD0: +-- +2.20.1 + diff --git a/queue-5.2/net-ipv4-fib_trie-avoid-cryptic-ternary-expressions.patch b/queue-5.2/net-ipv4-fib_trie-avoid-cryptic-ternary-expressions.patch new file mode 100644 index 00000000000..66490158f7e --- /dev/null +++ b/queue-5.2/net-ipv4-fib_trie-avoid-cryptic-ternary-expressions.patch @@ -0,0 +1,48 @@ +From 9c2fa1ab4055d3c560c09a01f270e66adafe54fa Mon Sep 17 00:00:00 2001 +From: Nathan Huckleberry +Date: Mon, 17 Jun 2019 10:28:29 -0700 +Subject: net/ipv4: fib_trie: Avoid cryptic ternary expressions + +[ Upstream commit 25cec756891e8733433efea63b2254ddc93aa5cc ] + +empty_child_inc/dec() use the ternary operator for conditional +operations. The conditions involve the post/pre in/decrement +operator and the operation is only performed when the condition +is *not* true. This is hard to parse for humans, use a regular +'if' construct instead and perform the in/decrement separately. + +This also fixes two warnings that are emitted about the value +of the ternary expression being unused, when building the kernel +with clang + "kbuild: Remove unnecessary -Wno-unused-value" +(https://lore.kernel.org/patchwork/patch/1089869/): + +CC net/ipv4/fib_trie.o +net/ipv4/fib_trie.c:351:2: error: expression result unused [-Werror,-Wunused-value] + ++tn_info(n)->empty_children ? : ++tn_info(n)->full_children; + +Fixes: 95f60ea3e99a ("fib_trie: Add collapse() and should_collapse() to resize") +Signed-off-by: Matthias Kaehlcke +Reviewed-by: Douglas Anderson +Reviewed-by: Nick Desaulniers +Acked-by: Alexander Duyck +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + scripts/Makefile.extrawarn | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/scripts/Makefile.extrawarn b/scripts/Makefile.extrawarn +index 3ab8d1a303cd..b293246e48fe 100644 +--- a/scripts/Makefile.extrawarn ++++ b/scripts/Makefile.extrawarn +@@ -68,7 +68,6 @@ else + + ifdef CONFIG_CC_IS_CLANG + KBUILD_CFLAGS += -Wno-initializer-overrides +-KBUILD_CFLAGS += -Wno-unused-value + KBUILD_CFLAGS += -Wno-format + KBUILD_CFLAGS += -Wno-sign-compare + KBUILD_CFLAGS += -Wno-format-zero-length +-- +2.20.1 + diff --git a/queue-5.2/nvme-fix-null-deref-for-fabrics-options.patch b/queue-5.2/nvme-fix-null-deref-for-fabrics-options.patch new file mode 100644 index 00000000000..99d333f723d --- /dev/null +++ b/queue-5.2/nvme-fix-null-deref-for-fabrics-options.patch @@ -0,0 +1,86 @@ +From 5658a1e2d038350fc1f4165ff8cbc295567e8b0b Mon Sep 17 00:00:00 2001 +From: Minwoo Im +Date: Fri, 12 Jul 2019 02:04:47 +0900 +Subject: nvme: fix NULL deref for fabrics options + +[ Upstream commit 7d30c81b80ea9b0812d27030a46a5bf4c4e328f5 ] + +git://git.infradead.org/nvme.git nvme-5.3 branch now causes the +following NULL deref oops. Check the ctrl->opts first before the deref. + +[ 16.337581] BUG: kernel NULL pointer dereference, address: 0000000000000056 +[ 16.338551] #PF: supervisor read access in kernel mode +[ 16.338551] #PF: error_code(0x0000) - not-present page +[ 16.338551] PGD 0 P4D 0 +[ 16.338551] Oops: 0000 [#1] SMP PTI +[ 16.338551] CPU: 2 PID: 1035 Comm: kworker/u16:5 Not tainted 5.2.0-rc6+ #1 +[ 16.338551] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.2-0-gf9626ccb91-prebuilt.qemu-project.org 04/01/2014 +[ 16.338551] Workqueue: nvme-wq nvme_scan_work [nvme_core] +[ 16.338551] RIP: 0010:nvme_validate_ns+0xc9/0x7e0 [nvme_core] +[ 16.338551] Code: c0 49 89 c5 0f 84 00 07 00 00 48 8b 7b 58 e8 be 48 39 c1 48 3d 00 f0 ff ff 49 89 45 18 0f 87 a4 06 00 00 48 8b 93 70 0a 00 00 <80> 7a 56 00 74 0c 48 8b 40 68 83 48 3c 08 49 8b 45 18 48 89 c6 bf +[ 16.338551] RSP: 0018:ffffc900024c7d10 EFLAGS: 00010283 +[ 16.338551] RAX: ffff888135a30720 RBX: ffff88813a4fd1f8 RCX: 0000000000000007 +[ 16.338551] RDX: 0000000000000000 RSI: ffffffff8256dd38 RDI: ffff888135a30720 +[ 16.338551] RBP: 0000000000000001 R08: 0000000000000007 R09: ffff88813aa6a840 +[ 16.338551] R10: 0000000000000001 R11: 000000000002d060 R12: ffff88813a4fd1f8 +[ 16.338551] R13: ffff88813a77f800 R14: ffff88813aa35180 R15: 0000000000000001 +[ 16.338551] FS: 0000000000000000(0000) GS:ffff88813ba80000(0000) knlGS:0000000000000000 +[ 16.338551] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 16.338551] CR2: 0000000000000056 CR3: 000000000240a002 CR4: 0000000000360ee0 +[ 16.338551] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 16.338551] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 16.338551] Call Trace: +[ 16.338551] nvme_scan_work+0x2c0/0x340 [nvme_core] +[ 16.338551] ? __switch_to_asm+0x40/0x70 +[ 16.338551] ? _raw_spin_unlock_irqrestore+0x18/0x30 +[ 16.338551] ? try_to_wake_up+0x408/0x450 +[ 16.338551] process_one_work+0x20b/0x3e0 +[ 16.338551] worker_thread+0x1f9/0x3d0 +[ 16.338551] ? cancel_delayed_work+0xa0/0xa0 +[ 16.338551] kthread+0x117/0x120 +[ 16.338551] ? kthread_stop+0xf0/0xf0 +[ 16.338551] ret_from_fork+0x3a/0x50 +[ 16.338551] Modules linked in: nvme nvme_core +[ 16.338551] CR2: 0000000000000056 +[ 16.338551] ---[ end trace b9bf761a93e62d84 ]--- +[ 16.338551] RIP: 0010:nvme_validate_ns+0xc9/0x7e0 [nvme_core] +[ 16.338551] Code: c0 49 89 c5 0f 84 00 07 00 00 48 8b 7b 58 e8 be 48 39 c1 48 3d 00 f0 ff ff 49 89 45 18 0f 87 a4 06 00 00 48 8b 93 70 0a 00 00 <80> 7a 56 00 74 0c 48 8b 40 68 83 48 3c 08 49 8b 45 18 48 89 c6 bf +[ 16.338551] RSP: 0018:ffffc900024c7d10 EFLAGS: 00010283 +[ 16.338551] RAX: ffff888135a30720 RBX: ffff88813a4fd1f8 RCX: 0000000000000007 +[ 16.338551] RDX: 0000000000000000 RSI: ffffffff8256dd38 RDI: ffff888135a30720 +[ 16.338551] RBP: 0000000000000001 R08: 0000000000000007 R09: ffff88813aa6a840 +[ 16.338551] R10: 0000000000000001 R11: 000000000002d060 R12: ffff88813a4fd1f8 +[ 16.338551] R13: ffff88813a77f800 R14: ffff88813aa35180 R15: 0000000000000001 +[ 16.338551] FS: 0000000000000000(0000) GS:ffff88813ba80000(0000) knlGS:0000000000000000 +[ 16.338551] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 16.338551] CR2: 0000000000000056 CR3: 000000000240a002 CR4: 0000000000360ee0 +[ 16.338551] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 16.338551] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + +Fixes: 958f2a0f8121 ("nvme-tcp: set the STABLE_WRITES flag when data digests are enabled") +Cc: Christoph Hellwig +Cc: Keith Busch +Reviewed-by: Sagi Grimberg +Signed-off-by: Minwoo Im +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index 215bef904b7b..4a1d2ab4d161 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -3257,7 +3257,7 @@ static int nvme_alloc_ns(struct nvme_ctrl *ctrl, unsigned nsid) + goto out_free_ns; + } + +- if (ctrl->opts->data_digest) ++ if (ctrl->opts && ctrl->opts->data_digest) + ns->queue->backing_dev_info->capabilities + |= BDI_CAP_STABLE_WRITES; + +-- +2.20.1 + diff --git a/queue-5.2/nvme-pci-check-for-null-return-from-pci_alloc_p2pmem.patch b/queue-5.2/nvme-pci-check-for-null-return-from-pci_alloc_p2pmem.patch new file mode 100644 index 00000000000..bf211edc73f --- /dev/null +++ b/queue-5.2/nvme-pci-check-for-null-return-from-pci_alloc_p2pmem.patch @@ -0,0 +1,54 @@ +From 24306310a5fbb9ebdffbd806b02b4385e3f4b3c9 Mon Sep 17 00:00:00 2001 +From: Alan Mikhak +Date: Mon, 8 Jul 2019 10:05:11 -0700 +Subject: nvme-pci: check for NULL return from pci_alloc_p2pmem() + +[ Upstream commit bfac8e9f55cf62a000b643a0081488badbe92d96 ] + +Modify nvme_alloc_sq_cmds() to call pci_free_p2pmem() to free the memory +it allocated using pci_alloc_p2pmem() in case pci_p2pmem_virt_to_bus() +returns null. + +Makes sure not to call pci_free_p2pmem() if pci_alloc_p2pmem() returned +NULL, which can happen if CONFIG_PCI_P2PDMA is not configured. + +The current implementation is not expected to leak since +pci_p2pmem_virt_to_bus() is expected to fail only if pci_alloc_p2pmem() +returns null. However, checking the return value of pci_alloc_p2pmem() +is more explicit. + +Signed-off-by: Alan Mikhak +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index f5bc1c30cef5..245b6e2151c1 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -1456,11 +1456,15 @@ static int nvme_alloc_sq_cmds(struct nvme_dev *dev, struct nvme_queue *nvmeq, + + if (qid && dev->cmb_use_sqes && (dev->cmbsz & NVME_CMBSZ_SQS)) { + nvmeq->sq_cmds = pci_alloc_p2pmem(pdev, SQ_SIZE(depth)); +- nvmeq->sq_dma_addr = pci_p2pmem_virt_to_bus(pdev, +- nvmeq->sq_cmds); +- if (nvmeq->sq_dma_addr) { +- set_bit(NVMEQ_SQ_CMB, &nvmeq->flags); +- return 0; ++ if (nvmeq->sq_cmds) { ++ nvmeq->sq_dma_addr = pci_p2pmem_virt_to_bus(pdev, ++ nvmeq->sq_cmds); ++ if (nvmeq->sq_dma_addr) { ++ set_bit(NVMEQ_SQ_CMB, &nvmeq->flags); ++ return 0; ++ } ++ ++ pci_free_p2pmem(pdev, nvmeq->sq_cmds, SQ_SIZE(depth)); + } + } + +-- +2.20.1 + diff --git a/queue-5.2/nvme-pci-limit-max_hw_sectors-based-on-the-dma-max-m.patch b/queue-5.2/nvme-pci-limit-max_hw_sectors-based-on-the-dma-max-m.patch new file mode 100644 index 00000000000..ff10de98db5 --- /dev/null +++ b/queue-5.2/nvme-pci-limit-max_hw_sectors-based-on-the-dma-max-m.patch @@ -0,0 +1,39 @@ +From 9616fbae71c5c4a9f15438674a053be9e7f59388 Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig +Date: Wed, 3 Jul 2019 09:54:44 -0700 +Subject: nvme-pci: limit max_hw_sectors based on the DMA max mapping size + +[ Upstream commit 7637de311bd2124b298a072852448b940d8a34b9 ] + +When running a NVMe device that is attached to a addressing +challenged PCIe root port that requires bounce buffering, our +request sizes can easily overflow the swiotlb bounce buffer +size. Limit the maximum I/O size to the limit exposed by +the DMA mapping subsystem. + +Signed-off-by: Christoph Hellwig +Reported-by: Atish Patra +Tested-by: Atish Patra +Reviewed-by: Sagi Grimberg +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index 245b6e2151c1..7fbcd72c438f 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -2521,7 +2521,8 @@ static void nvme_reset_work(struct work_struct *work) + * Limit the max command size to prevent iod->sg allocations going + * over a single page. + */ +- dev->ctrl.max_hw_sectors = NVME_MAX_KB_SZ << 1; ++ dev->ctrl.max_hw_sectors = min_t(u32, ++ NVME_MAX_KB_SZ << 1, dma_max_mapping_size(dev->dev) >> 9); + dev->ctrl.max_segments = NVME_MAX_SEGS; + + /* +-- +2.20.1 + diff --git a/queue-5.2/nvme-tcp-don-t-use-sendpage-for-slab-pages.patch b/queue-5.2/nvme-tcp-don-t-use-sendpage-for-slab-pages.patch new file mode 100644 index 00000000000..bb5772136bf --- /dev/null +++ b/queue-5.2/nvme-tcp-don-t-use-sendpage-for-slab-pages.patch @@ -0,0 +1,43 @@ +From fbd9282ae72aab4c5afe06f11b690881450bc0d6 Mon Sep 17 00:00:00 2001 +From: Mikhail Skorzhinskii +Date: Mon, 8 Jul 2019 12:31:29 +0200 +Subject: nvme-tcp: don't use sendpage for SLAB pages + +[ Upstream commit 37c15219599f7a4baa73f6e3432afc69ba7cc530 ] + +According to commit a10674bf2406 ("tcp: detecting the misuse of +.sendpage for Slab objects") and previous discussion, tcp_sendpage +should not be used for pages that is managed by SLAB, as SLAB is not +taking page reference counters into consideration. + +Signed-off-by: Mikhail Skorzhinskii +Reviewed-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/tcp.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c +index 08a2501b9357..606b13d35d16 100644 +--- a/drivers/nvme/host/tcp.c ++++ b/drivers/nvme/host/tcp.c +@@ -860,7 +860,14 @@ static int nvme_tcp_try_send_data(struct nvme_tcp_request *req) + else + flags |= MSG_MORE; + +- ret = kernel_sendpage(queue->sock, page, offset, len, flags); ++ /* can't zcopy slab pages */ ++ if (unlikely(PageSlab(page))) { ++ ret = sock_no_sendpage(queue->sock, page, offset, len, ++ flags); ++ } else { ++ ret = kernel_sendpage(queue->sock, page, offset, len, ++ flags); ++ } + if (ret <= 0) + return ret; + +-- +2.20.1 + diff --git a/queue-5.2/nvme-tcp-set-the-stable_writes-flag-when-data-digest.patch b/queue-5.2/nvme-tcp-set-the-stable_writes-flag-when-data-digest.patch new file mode 100644 index 00000000000..99de322150d --- /dev/null +++ b/queue-5.2/nvme-tcp-set-the-stable_writes-flag-when-data-digest.patch @@ -0,0 +1,55 @@ +From 4ac9c3f54edc2438043f4518329a71b2d226e97a Mon Sep 17 00:00:00 2001 +From: Mikhail Skorzhinskii +Date: Thu, 4 Jul 2019 09:59:18 +0200 +Subject: nvme-tcp: set the STABLE_WRITES flag when data digests are enabled + +[ Upstream commit 958f2a0f8121ae36a5cbff383ab94fadf1fba5eb ] + +There was a few false alarms sighted on target side about wrong data +digest while performing high throughput load to XFS filesystem shared +through NVMoF TCP. + +This flag tells the rest of the kernel to ensure that the data buffer +does not change while the write is in flight. It incurs a performance +penalty, so only enable it when it is actually needed, i.e. when we are +calculating data digests. + +Although even with this change in place, ext2 users can steel experience +false positives, as ext2 is not respecting this flag. This may be apply +to vfat as well. + +Signed-off-by: Mikhail Skorzhinskii +Signed-off-by: Mike Playle +Reviewed-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index 22c68e3b71d5..215bef904b7b 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -11,6 +11,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -3256,6 +3257,10 @@ static int nvme_alloc_ns(struct nvme_ctrl *ctrl, unsigned nsid) + goto out_free_ns; + } + ++ if (ctrl->opts->data_digest) ++ ns->queue->backing_dev_info->capabilities ++ |= BDI_CAP_STABLE_WRITES; ++ + blk_queue_flag_set(QUEUE_FLAG_NONROT, ns->queue); + if (ctrl->ops->flags & NVME_F_PCI_P2PDMA) + blk_queue_flag_set(QUEUE_FLAG_PCI_P2PDMA, ns->queue); +-- +2.20.1 + diff --git a/queue-5.2/pci-dwc-pci-dra7xx-fix-compilation-when-config_gpiol.patch b/queue-5.2/pci-dwc-pci-dra7xx-fix-compilation-when-config_gpiol.patch new file mode 100644 index 00000000000..ff61a29556f --- /dev/null +++ b/queue-5.2/pci-dwc-pci-dra7xx-fix-compilation-when-config_gpiol.patch @@ -0,0 +1,54 @@ +From 3d6481bbd6b6f0b7c656b688ccaa4d5538b14ddf Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Fri, 14 Jun 2019 23:40:44 +0800 +Subject: PCI: dwc: pci-dra7xx: Fix compilation when !CONFIG_GPIOLIB +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 381ed79c8655a40268ee7391f716edd90c5c3a97 ] + +If CONFIG_GPIOLIB is not selected the compilation results in the +following build errors: + +drivers/pci/controller/dwc/pci-dra7xx.c: + In function dra7xx_pcie_probe: +drivers/pci/controller/dwc/pci-dra7xx.c:777:10: + error: implicit declaration of function devm_gpiod_get_optional; + did you mean devm_regulator_get_optional? [-Werror=implicit-function-declaration] + + reset = devm_gpiod_get_optional(dev, NULL, GPIOD_OUT_HIGH); + +drivers/pci/controller/dwc/pci-dra7xx.c:778:45: error: ‘GPIOD_OUT_HIGH’ +undeclared (first use in this function); did you mean ‘GPIOF_INIT_HIGH’? + reset = devm_gpiod_get_optional(dev, NULL, GPIOD_OUT_HIGH); + ^~~~~~~~~~~~~~ + GPIOF_INIT_HIGH + +Fix them by including the appropriate header file. + +Reported-by: Hulk Robot +Signed-off-by: YueHaibing +[lorenzo.pieralisi@arm.com: commit log] +Signed-off-by: Lorenzo Pieralisi +Acked-by: Kishon Vijay Abraham I +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/dwc/pci-dra7xx.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pci/controller/dwc/pci-dra7xx.c b/drivers/pci/controller/dwc/pci-dra7xx.c +index 419451efd58c..4234ddb4722f 100644 +--- a/drivers/pci/controller/dwc/pci-dra7xx.c ++++ b/drivers/pci/controller/dwc/pci-dra7xx.c +@@ -26,6 +26,7 @@ + #include + #include + #include ++#include + + #include "../../pci.h" + #include "pcie-designware.h" +-- +2.20.1 + diff --git a/queue-5.2/pci-endpoint-allocate-enough-space-for-fixed-size-ba.patch b/queue-5.2/pci-endpoint-allocate-enough-space-for-fixed-size-ba.patch new file mode 100644 index 00000000000..51517c25152 --- /dev/null +++ b/queue-5.2/pci-endpoint-allocate-enough-space-for-fixed-size-ba.patch @@ -0,0 +1,47 @@ +From e761509523df59ce350914706678acbd6206ddb5 Mon Sep 17 00:00:00 2001 +From: Alan Mikhak +Date: Thu, 23 May 2019 14:47:59 -0700 +Subject: PCI: endpoint: Allocate enough space for fixed size BAR + +[ Upstream commit f16fb16ed16c7f561e9c41c9ae4107c7f6aa553c ] + +PCI endpoint test function code should honor the .bar_fixed_size parameter +from underlying endpoint controller drivers or results may be unexpected. + +In pci_epf_test_alloc_space(), check if BAR being used for test +register space is a fixed size BAR. If so, allocate the required fixed +size. + +Signed-off-by: Alan Mikhak +Signed-off-by: Lorenzo Pieralisi +Acked-by: Kishon Vijay Abraham I +Signed-off-by: Sasha Levin +--- + drivers/pci/endpoint/functions/pci-epf-test.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/pci/endpoint/functions/pci-epf-test.c b/drivers/pci/endpoint/functions/pci-epf-test.c +index 27806987e93b..7d41e6684b87 100644 +--- a/drivers/pci/endpoint/functions/pci-epf-test.c ++++ b/drivers/pci/endpoint/functions/pci-epf-test.c +@@ -434,10 +434,16 @@ static int pci_epf_test_alloc_space(struct pci_epf *epf) + int bar; + enum pci_barno test_reg_bar = epf_test->test_reg_bar; + const struct pci_epc_features *epc_features; ++ size_t test_reg_size; + + epc_features = epf_test->epc_features; + +- base = pci_epf_alloc_space(epf, sizeof(struct pci_epf_test_reg), ++ if (epc_features->bar_fixed_size[test_reg_bar]) ++ test_reg_size = bar_size[test_reg_bar]; ++ else ++ test_reg_size = sizeof(struct pci_epf_test_reg); ++ ++ base = pci_epf_alloc_space(epf, test_reg_size, + test_reg_bar, epc_features->align); + if (!base) { + dev_err(dev, "Failed to allocated register space\n"); +-- +2.20.1 + diff --git a/queue-5.2/pci-mobiveil-fix-pci-base-address-in-mem-io-outbound.patch b/queue-5.2/pci-mobiveil-fix-pci-base-address-in-mem-io-outbound.patch new file mode 100644 index 00000000000..6e9e6d2019d --- /dev/null +++ b/queue-5.2/pci-mobiveil-fix-pci-base-address-in-mem-io-outbound.patch @@ -0,0 +1,43 @@ +From 83b08327486e3bfa5332c6754f581bdceb5a382f Mon Sep 17 00:00:00 2001 +From: Hou Zhiqiang +Date: Fri, 5 Jul 2019 17:56:31 +0800 +Subject: PCI: mobiveil: Fix PCI base address in MEM/IO outbound windows + +[ Upstream commit f99536e9d2f55996038158a6559d4254a7cc1693 ] + +The outbound memory windows PCI base addresses should be taken +from the 'ranges' property of DT node to setup MEM/IO outbound +windows decoding correctly instead of being hardcoded to zero. + +Update the code to retrieve the PCI base address for each range +and use it to program the outbound windows address decoders + +Fixes: 9af6bcb11e12 ("PCI: mobiveil: Add Mobiveil PCIe Host Bridge IP driver") +Signed-off-by: Hou Zhiqiang +Signed-off-by: Lorenzo Pieralisi +Reviewed-by: Minghuan Lian +Reviewed-by: Subrahmanya Lingappa +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/pcie-mobiveil.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/pci/controller/pcie-mobiveil.c b/drivers/pci/controller/pcie-mobiveil.c +index 77052a0712d0..03d697b63e2a 100644 +--- a/drivers/pci/controller/pcie-mobiveil.c ++++ b/drivers/pci/controller/pcie-mobiveil.c +@@ -552,8 +552,9 @@ static int mobiveil_host_init(struct mobiveil_pcie *pcie) + if (type) { + /* configure outbound translation window */ + program_ob_windows(pcie, pcie->ob_wins_configured, +- win->res->start, 0, type, +- resource_size(win->res)); ++ win->res->start, ++ win->res->start - win->offset, ++ type, resource_size(win->res)); + } + } + +-- +2.20.1 + diff --git a/queue-5.2/pci-mobiveil-fix-the-class-code-field.patch b/queue-5.2/pci-mobiveil-fix-the-class-code-field.patch new file mode 100644 index 00000000000..76f0f4498e7 --- /dev/null +++ b/queue-5.2/pci-mobiveil-fix-the-class-code-field.patch @@ -0,0 +1,53 @@ +From be77b3df5f517287a7feb01b5520d67d0310b77b Mon Sep 17 00:00:00 2001 +From: Hou Zhiqiang +Date: Fri, 5 Jul 2019 17:56:35 +0800 +Subject: PCI: mobiveil: Fix the Class Code field + +[ Upstream commit 0122af0a08243f344a438f924e5c2486486555b3 ] + +Fix up the Class Code field in PCI configuration space and set it to +PCI_CLASS_BRIDGE_PCI. + +Move the Class Code fixup to function mobiveil_host_init() where +it belongs. + +Fixes: 9af6bcb11e12 ("PCI: mobiveil: Add Mobiveil PCIe Host Bridge IP driver") +Signed-off-by: Hou Zhiqiang +Signed-off-by: Lorenzo Pieralisi +Reviewed-by: Minghuan Lian +Reviewed-by: Subrahmanya Lingappa +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/pcie-mobiveil.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/pci/controller/pcie-mobiveil.c b/drivers/pci/controller/pcie-mobiveil.c +index 03d697b63e2a..88e9b70081fc 100644 +--- a/drivers/pci/controller/pcie-mobiveil.c ++++ b/drivers/pci/controller/pcie-mobiveil.c +@@ -558,6 +558,12 @@ static int mobiveil_host_init(struct mobiveil_pcie *pcie) + } + } + ++ /* fixup for PCIe class register */ ++ value = csr_readl(pcie, PAB_INTP_AXI_PIO_CLASS); ++ value &= 0xff; ++ value |= (PCI_CLASS_BRIDGE_PCI << 16); ++ csr_writel(pcie, value, PAB_INTP_AXI_PIO_CLASS); ++ + /* setup MSI hardware registers */ + mobiveil_pcie_enable_msi(pcie); + +@@ -798,9 +804,6 @@ static int mobiveil_pcie_probe(struct platform_device *pdev) + goto error; + } + +- /* fixup for PCIe class register */ +- csr_writel(pcie, 0x060402ab, PAB_INTP_AXI_PIO_CLASS); +- + /* initialize the IRQ domains */ + ret = mobiveil_pcie_init_irq_domain(pcie); + if (ret) { +-- +2.20.1 + diff --git a/queue-5.2/pci-mobiveil-initialize-primary-secondary-subordinat.patch b/queue-5.2/pci-mobiveil-initialize-primary-secondary-subordinat.patch new file mode 100644 index 00000000000..ded4442463b --- /dev/null +++ b/queue-5.2/pci-mobiveil-initialize-primary-secondary-subordinat.patch @@ -0,0 +1,42 @@ +From e0b1c5891248ea69e23c1552effcfa498085121a Mon Sep 17 00:00:00 2001 +From: Hou Zhiqiang +Date: Fri, 5 Jul 2019 17:56:38 +0800 +Subject: PCI: mobiveil: Initialize Primary/Secondary/Subordinate bus numbers + +[ Upstream commit 6f3ab451aa5c2cbff33197d82fe8489cbd55ad91 ] + +The reset value of Primary, Secondary and Subordinate bus numbers is +zero which is a broken setup. + +Program a sensible default value for Primary/Secondary/Subordinate +bus numbers. + +Signed-off-by: Hou Zhiqiang +Signed-off-by: Lorenzo Pieralisi +Reviewed-by: Minghuan Lian +Reviewed-by: Subrahmanya Lingappa +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/pcie-mobiveil.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/pci/controller/pcie-mobiveil.c b/drivers/pci/controller/pcie-mobiveil.c +index 88e9b70081fc..e4a1964e1b43 100644 +--- a/drivers/pci/controller/pcie-mobiveil.c ++++ b/drivers/pci/controller/pcie-mobiveil.c +@@ -501,6 +501,12 @@ static int mobiveil_host_init(struct mobiveil_pcie *pcie) + return err; + } + ++ /* setup bus numbers */ ++ value = csr_readl(pcie, PCI_PRIMARY_BUS); ++ value &= 0xff000000; ++ value |= 0x00ff0100; ++ csr_writel(pcie, value, PCI_PRIMARY_BUS); ++ + /* + * program Bus Master Enable Bit in Command Register in PAB Config + * Space +-- +2.20.1 + diff --git a/queue-5.2/pci-mobiveil-use-the-1st-inbound-window-for-mem-inbo.patch b/queue-5.2/pci-mobiveil-use-the-1st-inbound-window-for-mem-inbo.patch new file mode 100644 index 00000000000..0bb04c686c2 --- /dev/null +++ b/queue-5.2/pci-mobiveil-use-the-1st-inbound-window-for-mem-inbo.patch @@ -0,0 +1,46 @@ +From 457e46bb50d4de40e04fadd9caf78f202ea6a25a Mon Sep 17 00:00:00 2001 +From: Hou Zhiqiang +Date: Fri, 5 Jul 2019 17:56:34 +0800 +Subject: PCI: mobiveil: Use the 1st inbound window for MEM inbound + transactions + +[ Upstream commit f7fee1b42fe4f8171a4b1cad05c61907c33c53f6 ] + +The inbound and outbound windows have completely separate control +registers sets in the host controller MMIO space. Windows control +register are accessed through an MMIO base address and an offset +that depends on the window index. + +Since inbound and outbound windows control registers are completely +separate there is no real need to use different window indexes in the +inbound/outbound windows initialization routines to prevent clashing. + +To fix this inconsistency, change the MEM inbound window index to 0, +mirroring the outbound window set-up. + +Signed-off-by: Hou Zhiqiang +[lorenzo.pieralisi@arm.com: update commit log] +Signed-off-by: Lorenzo Pieralisi +Reviewed-by: Minghuan Lian +Reviewed-by: Subrahmanya Lingappa +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/pcie-mobiveil.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pci/controller/pcie-mobiveil.c b/drivers/pci/controller/pcie-mobiveil.c +index e4a1964e1b43..387a20f3c240 100644 +--- a/drivers/pci/controller/pcie-mobiveil.c ++++ b/drivers/pci/controller/pcie-mobiveil.c +@@ -546,7 +546,7 @@ static int mobiveil_host_init(struct mobiveil_pcie *pcie) + resource_size(pcie->ob_io_res)); + + /* memory inbound translation window */ +- program_ib_windows(pcie, WIN_NUM_1, 0, MEM_WINDOW_TYPE, IB_WIN_SIZE); ++ program_ib_windows(pcie, WIN_NUM_0, 0, MEM_WINDOW_TYPE, IB_WIN_SIZE); + + /* Get the I/O and memory ranges from DT */ + resource_list_for_each_entry_safe(win, tmp, &pcie->resources) { +-- +2.20.1 + diff --git a/queue-5.2/pci-return-error-if-cannot-probe-vf.patch b/queue-5.2/pci-return-error-if-cannot-probe-vf.patch new file mode 100644 index 00000000000..37e5f9b245b --- /dev/null +++ b/queue-5.2/pci-return-error-if-cannot-probe-vf.patch @@ -0,0 +1,63 @@ +From cba60a315970d41449128ca19a32c4d28e7737dc Mon Sep 17 00:00:00 2001 +From: Alex Williamson +Date: Wed, 1 May 2019 11:00:16 -0600 +Subject: PCI: Return error if cannot probe VF + +[ Upstream commit 76002d8b48c4b08c9bd414517dd295e132ad910b ] + +Commit 0e7df22401a3 ("PCI: Add sysfs sriov_drivers_autoprobe to control +VF driver binding") allows the user to specify that drivers for VFs of +a PF should not be probed, but it actually causes pci_device_probe() to +return success back to the driver core in this case. Therefore by all +sysfs appearances the device is bound to a driver, the driver link from +the device exists as does the device link back from the driver, yet the +driver's probe function is never called on the device. We also fail to +do any sort of cleanup when we're prohibited from probing the device, +the IRQ setup remains in place and we even hold a device reference. + +Instead, abort with errno before any setup or references are taken when +pci_device_can_probe() prevents us from trying to probe the device. + +Link: https://lore.kernel.org/lkml/155672991496.20698.4279330795743262888.stgit@gimli.home +Fixes: 0e7df22401a3 ("PCI: Add sysfs sriov_drivers_autoprobe to control VF driver binding") +Signed-off-by: Alex Williamson +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + drivers/pci/pci-driver.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/drivers/pci/pci-driver.c b/drivers/pci/pci-driver.c +index ca3793002e2f..74c3df250d9c 100644 +--- a/drivers/pci/pci-driver.c ++++ b/drivers/pci/pci-driver.c +@@ -414,6 +414,9 @@ static int pci_device_probe(struct device *dev) + struct pci_dev *pci_dev = to_pci_dev(dev); + struct pci_driver *drv = to_pci_driver(dev->driver); + ++ if (!pci_device_can_probe(pci_dev)) ++ return -ENODEV; ++ + pci_assign_irq(pci_dev); + + error = pcibios_alloc_irq(pci_dev); +@@ -421,12 +424,10 @@ static int pci_device_probe(struct device *dev) + return error; + + pci_dev_get(pci_dev); +- if (pci_device_can_probe(pci_dev)) { +- error = __pci_device_probe(drv, pci_dev); +- if (error) { +- pcibios_free_irq(pci_dev); +- pci_dev_put(pci_dev); +- } ++ error = __pci_device_probe(drv, pci_dev); ++ if (error) { ++ pcibios_free_irq(pci_dev); ++ pci_dev_put(pci_dev); + } + + return error; +-- +2.20.1 + diff --git a/queue-5.2/pci-sysfs-ignore-lockdep-for-remove-attribute.patch b/queue-5.2/pci-sysfs-ignore-lockdep-for-remove-attribute.patch new file mode 100644 index 00000000000..dac898df2a9 --- /dev/null +++ b/queue-5.2/pci-sysfs-ignore-lockdep-for-remove-attribute.patch @@ -0,0 +1,61 @@ +From b3d8af3d085be584c741b2f610976b08da5676ef Mon Sep 17 00:00:00 2001 +From: Marek Vasut +Date: Mon, 27 May 2019 00:51:51 +0200 +Subject: PCI: sysfs: Ignore lockdep for remove attribute + +[ Upstream commit dc6b698a86fe40a50525433eb8e92a267847f6f9 ] + +With CONFIG_PROVE_LOCKING=y, using sysfs to remove a bridge with a device +below it causes a lockdep warning, e.g., + + # echo 1 > /sys/class/pci_bus/0000:00/device/0000:00:00.0/remove + ============================================ + WARNING: possible recursive locking detected + ... + pci_bus 0000:01: busn_res: [bus 01] is released + +The remove recursively removes the subtree below the bridge. Each call +uses a different lock so there's no deadlock, but the locks were all +created with the same lockdep key so the lockdep checker can't tell them +apart. + +Mark the "remove" sysfs attribute with __ATTR_IGNORE_LOCKDEP() as it is +safe to ignore the lockdep check between different "remove" kernfs +instances. + +There's discussion about a similar issue in USB at [1], which resulted in +356c05d58af0 ("sysfs: get rid of some lockdep false positives") and +e9b526fe7048 ("i2c: suppress lockdep warning on delete_device"), which do +basically the same thing for USB "remove" and i2c "delete_device" files. + +[1] https://lore.kernel.org/r/Pine.LNX.4.44L0.1204251436140.1206-100000@iolanthe.rowland.org +Link: https://lore.kernel.org/r/20190526225151.3865-1-marek.vasut@gmail.com +Signed-off-by: Marek Vasut +[bhelgaas: trim commit log, details at above links] +Signed-off-by: Bjorn Helgaas +Cc: Geert Uytterhoeven +Cc: Phil Edworthy +Cc: Simon Horman +Cc: Tejun Heo +Cc: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/pci/pci-sysfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c +index 6d27475e39b2..4e83c347de5d 100644 +--- a/drivers/pci/pci-sysfs.c ++++ b/drivers/pci/pci-sysfs.c +@@ -477,7 +477,7 @@ static ssize_t remove_store(struct device *dev, struct device_attribute *attr, + pci_stop_and_remove_bus_device_locked(to_pci_dev(dev)); + return count; + } +-static struct device_attribute dev_remove_attr = __ATTR(remove, ++static struct device_attribute dev_remove_attr = __ATTR_IGNORE_LOCKDEP(remove, + (S_IWUSR|S_IWGRP), + NULL, remove_store); + +-- +2.20.1 + diff --git a/queue-5.2/pci-xilinx-nwl-fix-multi-msi-data-programming.patch b/queue-5.2/pci-xilinx-nwl-fix-multi-msi-data-programming.patch new file mode 100644 index 00000000000..9fcd5c2cb88 --- /dev/null +++ b/queue-5.2/pci-xilinx-nwl-fix-multi-msi-data-programming.patch @@ -0,0 +1,97 @@ +From 304a24570fabaf01c5934255fa1d973094f35fbb Mon Sep 17 00:00:00 2001 +From: Bharat Kumar Gogada +Date: Wed, 12 Jun 2019 15:47:59 +0530 +Subject: PCI: xilinx-nwl: Fix Multi MSI data programming + +[ Upstream commit 181fa434d0514e40ebf6e9721f2b72700287b6e2 ] + +According to the PCI Local Bus specification Revision 3.0, +section 6.8.1.3 (Message Control for MSI), endpoints that +are Multiple Message Capable as defined by bits [3:1] in +the Message Control for MSI can request a number of vectors +that is power of two aligned. + +As specified in section 6.8.1.6 "Message data for MSI", the Multiple +Message Enable field (bits [6:4] of the Message Control register) +defines the number of low order message data bits the function is +permitted to modify to generate its system software allocated +vectors. + +The MSI controller in the Xilinx NWL PCIe controller supports a number +of MSI vectors specified through a bitmap and the hwirq number for an +MSI, that is the value written in the MSI data TLP is determined by +the bitmap allocation. + +For instance, in a situation where two endpoints sitting on +the PCI bus request the following MSI configuration, with +the current PCI Xilinx bitmap allocation code (that does not +align MSI vector allocation on a power of two boundary): + +Endpoint #1: Requesting 1 MSI vector - allocated bitmap bits 0 +Endpoint #2: Requesting 2 MSI vectors - allocated bitmap bits [1,2] + +The bitmap value(s) corresponds to the hwirq number that is programmed +into the Message Data for MSI field in the endpoint MSI capability +and is detected by the root complex to fire the corresponding +MSI irqs. The value written in Message Data for MSI field corresponds +to the first bit allocated in the bitmap for Multi MSI vectors. + +The current Xilinx NWL MSI allocation code allows a bitmap allocation +that is not a power of two boundaries, so endpoint #2, is allowed to +toggle Message Data bit[0] to differentiate between its two vectors +(meaning that the MSI data will be respectively 0x0 and 0x1 for the two +vectors allocated to endpoint #2). + +This clearly aliases with the Endpoint #1 vector allocation, resulting +in a broken Multi MSI implementation. + +Update the code to allocate MSI bitmap ranges with a power of two +alignment, fixing the bug. + +Fixes: ab597d35ef11 ("PCI: xilinx-nwl: Add support for Xilinx NWL PCIe Host Controller") +Suggested-by: Marc Zyngier +Signed-off-by: Bharat Kumar Gogada +[lorenzo.pieralisi@arm.com: updated commit log] +Signed-off-by: Lorenzo Pieralisi +Acked-by: Marc Zyngier +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/pcie-xilinx-nwl.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/drivers/pci/controller/pcie-xilinx-nwl.c b/drivers/pci/controller/pcie-xilinx-nwl.c +index 3b031f00a94a..45c0f344ccd1 100644 +--- a/drivers/pci/controller/pcie-xilinx-nwl.c ++++ b/drivers/pci/controller/pcie-xilinx-nwl.c +@@ -482,15 +482,13 @@ static int nwl_irq_domain_alloc(struct irq_domain *domain, unsigned int virq, + int i; + + mutex_lock(&msi->lock); +- bit = bitmap_find_next_zero_area(msi->bitmap, INT_PCI_MSI_NR, 0, +- nr_irqs, 0); +- if (bit >= INT_PCI_MSI_NR) { ++ bit = bitmap_find_free_region(msi->bitmap, INT_PCI_MSI_NR, ++ get_count_order(nr_irqs)); ++ if (bit < 0) { + mutex_unlock(&msi->lock); + return -ENOSPC; + } + +- bitmap_set(msi->bitmap, bit, nr_irqs); +- + for (i = 0; i < nr_irqs; i++) { + irq_domain_set_info(domain, virq + i, bit + i, &nwl_irq_chip, + domain->host_data, handle_simple_irq, +@@ -508,7 +506,8 @@ static void nwl_irq_domain_free(struct irq_domain *domain, unsigned int virq, + struct nwl_msi *msi = &pcie->msi; + + mutex_lock(&msi->lock); +- bitmap_clear(msi->bitmap, data->hwirq, nr_irqs); ++ bitmap_release_region(msi->bitmap, data->hwirq, ++ get_count_order(nr_irqs)); + mutex_unlock(&msi->lock); + } + +-- +2.20.1 + diff --git a/queue-5.2/perf-annotate-fix-dereferencing-freed-memory-found-b.patch b/queue-5.2/perf-annotate-fix-dereferencing-freed-memory-found-b.patch new file mode 100644 index 00000000000..57818595802 --- /dev/null +++ b/queue-5.2/perf-annotate-fix-dereferencing-freed-memory-found-b.patch @@ -0,0 +1,103 @@ +From a7e35e84daf48330de0ef611da3644ffe0b5da26 Mon Sep 17 00:00:00 2001 +From: Leo Yan +Date: Tue, 2 Jul 2019 18:34:13 +0800 +Subject: perf annotate: Fix dereferencing freed memory found by the smatch + tool + +[ Upstream commit 600c787dbf6521d8d07ee717ab7606d5070103ea ] + +Based on the following report from Smatch, fix the potential +dereferencing freed memory check. + + tools/perf/util/annotate.c:1125 + disasm_line__parse() error: dereferencing freed memory 'namep' + + tools/perf/util/annotate.c + 1100 static int disasm_line__parse(char *line, const char **namep, char **rawp) + 1101 { + 1102 char tmp, *name = ltrim(line); + + [...] + + 1114 *namep = strdup(name); + 1115 + 1116 if (*namep == NULL) + 1117 goto out_free_name; + + [...] + + 1124 out_free_name: + 1125 free((void *)namep); + ^^^^^ + 1126 *namep = NULL; + ^^^^^^ + 1127 return -1; + 1128 } + +If strdup() fails to allocate memory space for *namep, we don't need to +free memory with pointer 'namep', which is resident in data structure +disasm_line::ins::name; and *namep is NULL pointer for this failure, so +it's pointless to assign NULL to *namep again. + +Committer note: + +Freeing namep, which is the address of the first entry of the 'struct +ins' that is the first member of struct disasm_line would in fact free +that disasm_line instance, if it was allocated via malloc/calloc, which, +later, would a dereference of freed memory. + +Signed-off-by: Leo Yan +Acked-by: Jiri Olsa +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Alexey Budankov +Cc: Alexios Zavras +Cc: Andi Kleen +Cc: Changbin Du +Cc: David S. Miller +Cc: Davidlohr Bueso +Cc: Eric Saint-Etienne +Cc: Jin Yao +Cc: Konstantin Khlebnikov +Cc: Mathieu Poirier +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Rasmus Villemoes +Cc: Song Liu +Cc: Suzuki Poulouse +Cc: Thomas Gleixner +Cc: Thomas Richter +Cc: linux-arm-kernel@lists.infradead.org +Link: http://lkml.kernel.org/r/20190702103420.27540-5-leo.yan@linaro.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/annotate.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/tools/perf/util/annotate.c b/tools/perf/util/annotate.c +index c8ce13419d9b..b8dfcfe08bb1 100644 +--- a/tools/perf/util/annotate.c ++++ b/tools/perf/util/annotate.c +@@ -1113,16 +1113,14 @@ static int disasm_line__parse(char *line, const char **namep, char **rawp) + *namep = strdup(name); + + if (*namep == NULL) +- goto out_free_name; ++ goto out; + + (*rawp)[0] = tmp; + *rawp = ltrim(*rawp); + + return 0; + +-out_free_name: +- free((void *)namep); +- *namep = NULL; ++out: + return -1; + } + +-- +2.20.1 + diff --git a/queue-5.2/perf-hists-browser-fix-potential-null-pointer-derefe.patch b/queue-5.2/perf-hists-browser-fix-potential-null-pointer-derefe.patch new file mode 100644 index 00000000000..9048e0febf1 --- /dev/null +++ b/queue-5.2/perf-hists-browser-fix-potential-null-pointer-derefe.patch @@ -0,0 +1,92 @@ +From ebba89200ed7326803a5c2985d31e228eee38599 Mon Sep 17 00:00:00 2001 +From: Leo Yan +Date: Mon, 8 Jul 2019 22:39:34 +0800 +Subject: perf hists browser: Fix potential NULL pointer dereference found by + the smatch tool + +[ Upstream commit ceb75476db1617a88cc29b09839acacb69aa076e ] + +Based on the following report from Smatch, fix the potential +NULL pointer dereference check. + + tools/perf/ui/browsers/hists.c:641 + hist_browser__run() error: we previously assumed 'hbt' could be + null (see line 625) + + tools/perf/ui/browsers/hists.c:3088 + perf_evsel__hists_browse() error: we previously assumed + 'browser->he_selection' could be null (see line 2902) + + tools/perf/ui/browsers/hists.c:3272 + perf_evsel_menu__run() error: we previously assumed 'hbt' could be + null (see line 3260) + +This patch firstly validating the pointers before access them, so can +fix potential NULL pointer dereference. + +Signed-off-by: Leo Yan +Acked-by: Jiri Olsa +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Andi Kleen +Cc: Mathieu Poirier +Cc: Namhyung Kim +Cc: Suzuki Poulouse +Cc: linux-arm-kernel@lists.infradead.org +Link: http://lkml.kernel.org/r/20190708143937.7722-2-leo.yan@linaro.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/ui/browsers/hists.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/tools/perf/ui/browsers/hists.c b/tools/perf/ui/browsers/hists.c +index 3421ecbdd3f0..c1dd9b54dc6e 100644 +--- a/tools/perf/ui/browsers/hists.c ++++ b/tools/perf/ui/browsers/hists.c +@@ -638,7 +638,11 @@ int hist_browser__run(struct hist_browser *browser, const char *help, + switch (key) { + case K_TIMER: { + u64 nr_entries; +- hbt->timer(hbt->arg); ++ ++ WARN_ON_ONCE(!hbt); ++ ++ if (hbt) ++ hbt->timer(hbt->arg); + + if (hist_browser__has_filter(browser) || + symbol_conf.report_hierarchy) +@@ -2819,7 +2823,7 @@ static int perf_evsel__hists_browse(struct perf_evsel *evsel, int nr_events, + { + struct hists *hists = evsel__hists(evsel); + struct hist_browser *browser = perf_evsel_browser__new(evsel, hbt, env, annotation_opts); +- struct branch_info *bi; ++ struct branch_info *bi = NULL; + #define MAX_OPTIONS 16 + char *options[MAX_OPTIONS]; + struct popup_action actions[MAX_OPTIONS]; +@@ -3085,7 +3089,9 @@ static int perf_evsel__hists_browse(struct perf_evsel *evsel, int nr_events, + goto skip_annotation; + + if (sort__mode == SORT_MODE__BRANCH) { +- bi = browser->he_selection->branch_info; ++ ++ if (browser->he_selection) ++ bi = browser->he_selection->branch_info; + + if (bi == NULL) + goto skip_annotation; +@@ -3269,7 +3275,8 @@ static int perf_evsel_menu__run(struct perf_evsel_menu *menu, + + switch (key) { + case K_TIMER: +- hbt->timer(hbt->arg); ++ if (hbt) ++ hbt->timer(hbt->arg); + + if (!menu->lost_events_warned && + menu->lost_events && +-- +2.20.1 + diff --git a/queue-5.2/perf-intel-bts-fix-potential-null-pointer-dereferenc.patch b/queue-5.2/perf-intel-bts-fix-potential-null-pointer-dereferenc.patch new file mode 100644 index 00000000000..f09d003bc12 --- /dev/null +++ b/queue-5.2/perf-intel-bts-fix-potential-null-pointer-dereferenc.patch @@ -0,0 +1,75 @@ +From b38dac13c461b91b245434e0b2c1ba3d74dabdc9 Mon Sep 17 00:00:00 2001 +From: Leo Yan +Date: Mon, 8 Jul 2019 22:39:35 +0800 +Subject: perf intel-bts: Fix potential NULL pointer dereference found by the + smatch tool + +[ Upstream commit 1d481458816d9424c8a05833ce0ebe72194a350e ] + +Based on the following report from Smatch, fix the potential NULL +pointer dereference check. + + tools/perf/util/intel-bts.c:898 + intel_bts_process_auxtrace_info() error: we previously assumed + 'session->itrace_synth_opts' could be null (see line 894) + + tools/perf/util/intel-bts.c:899 + intel_bts_process_auxtrace_info() warn: variable dereferenced before + check 'session->itrace_synth_opts' (see line 898) + + tools/perf/util/intel-bts.c + 894 if (session->itrace_synth_opts && session->itrace_synth_opts->set) { + 895 bts->synth_opts = *session->itrace_synth_opts; + 896 } else { + 897 itrace_synth_opts__set_default(&bts->synth_opts, + 898 session->itrace_synth_opts->default_no_sample); + ^^^^^^^^^^^^^^^^^^^^^^^^^^ + 899 if (session->itrace_synth_opts) + ^^^^^^^^^^^^^^^^^^^^^^^^^^ + 900 bts->synth_opts.thread_stack = + 901 session->itrace_synth_opts->thread_stack; + 902 } + +'session->itrace_synth_opts' is impossible to be a NULL pointer in +intel_bts_process_auxtrace_info(), thus this patch removes the NULL test +for 'session->itrace_synth_opts'. + +Signed-off-by: Leo Yan +Acked-by: Adrian Hunter +Cc: Alexander Shishkin +Cc: Andi Kleen +Cc: Jiri Olsa +Cc: Mathieu Poirier +Cc: Namhyung Kim +Cc: Suzuki Poulouse +Cc: linux-arm-kernel@lists.infradead.org +Link: http://lkml.kernel.org/r/20190708143937.7722-3-leo.yan@linaro.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/intel-bts.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/tools/perf/util/intel-bts.c b/tools/perf/util/intel-bts.c +index e32dbffebb2f..625ad3639a7e 100644 +--- a/tools/perf/util/intel-bts.c ++++ b/tools/perf/util/intel-bts.c +@@ -891,13 +891,12 @@ int intel_bts_process_auxtrace_info(union perf_event *event, + if (dump_trace) + return 0; + +- if (session->itrace_synth_opts && session->itrace_synth_opts->set) { ++ if (session->itrace_synth_opts->set) { + bts->synth_opts = *session->itrace_synth_opts; + } else { + itrace_synth_opts__set_default(&bts->synth_opts, + session->itrace_synth_opts->default_no_sample); +- if (session->itrace_synth_opts) +- bts->synth_opts.thread_stack = ++ bts->synth_opts.thread_stack = + session->itrace_synth_opts->thread_stack; + } + +-- +2.20.1 + diff --git a/queue-5.2/perf-map-fix-potential-null-pointer-dereference-foun.patch b/queue-5.2/perf-map-fix-potential-null-pointer-dereference-foun.patch new file mode 100644 index 00000000000..2f9a07c3c24 --- /dev/null +++ b/queue-5.2/perf-map-fix-potential-null-pointer-dereference-foun.patch @@ -0,0 +1,87 @@ +From 02d39f22492cd0a33696017dd7e5abb92c1198c8 Mon Sep 17 00:00:00 2001 +From: Leo Yan +Date: Tue, 2 Jul 2019 18:34:16 +0800 +Subject: perf map: Fix potential NULL pointer dereference found by smatch tool + +[ Upstream commit 363bbaef63ffebcc745239fe80a953ebb5ac9ec9 ] + +Based on the following report from Smatch, fix the potential NULL +pointer dereference check. + + tools/perf/util/map.c:479 + map__fprintf_srccode() error: we previously assumed 'state' could be + null (see line 466) + + tools/perf/util/map.c + 465 /* Avoid redundant printing */ + 466 if (state && + 467 state->srcfile && + 468 !strcmp(state->srcfile, srcfile) && + 469 state->line == line) { + 470 free(srcfile); + 471 return 0; + 472 } + 473 + 474 srccode = find_sourceline(srcfile, line, &len); + 475 if (!srccode) + 476 goto out_free_line; + 477 + 478 ret = fprintf(fp, "|%-8d %.*s", line, len, srccode); + 479 state->srcfile = srcfile; + ^^^^^^^ + 480 state->line = line; + ^^^^^^^ + +This patch validates 'state' pointer before access its elements. + +Signed-off-by: Leo Yan +Acked-by: Jiri Olsa +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Alexey Budankov +Cc: Alexios Zavras +Cc: Andi Kleen +Cc: Changbin Du +Cc: David S. Miller +Cc: Davidlohr Bueso +Cc: Eric Saint-Etienne +Cc: Jin Yao +Cc: Konstantin Khlebnikov +Cc: Mathieu Poirier +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Rasmus Villemoes +Cc: Song Liu +Cc: Suzuki Poulouse +Cc: Thomas Gleixner +Cc: Thomas Richter +Cc: linux-arm-kernel@lists.infradead.org +Fixes: dd2e18e9ac20 ("perf tools: Support 'srccode' output") +Link: http://lkml.kernel.org/r/20190702103420.27540-8-leo.yan@linaro.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/map.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/tools/perf/util/map.c b/tools/perf/util/map.c +index ee71efb9db62..9c81ee092784 100644 +--- a/tools/perf/util/map.c ++++ b/tools/perf/util/map.c +@@ -470,8 +470,11 @@ int map__fprintf_srccode(struct map *map, u64 addr, + goto out_free_line; + + ret = fprintf(fp, "|%-8d %.*s", line, len, srccode); +- state->srcfile = srcfile; +- state->line = line; ++ ++ if (state) { ++ state->srcfile = srcfile; ++ state->line = line; ++ } + return ret; + + out_free_line: +-- +2.20.1 + diff --git a/queue-5.2/perf-session-fix-potential-null-pointer-dereference-.patch b/queue-5.2/perf-session-fix-potential-null-pointer-dereference-.patch new file mode 100644 index 00000000000..e34c5617ff7 --- /dev/null +++ b/queue-5.2/perf-session-fix-potential-null-pointer-dereference-.patch @@ -0,0 +1,80 @@ +From 4a3d8630cb942fceae1d71c80534107da26d3598 Mon Sep 17 00:00:00 2001 +From: Leo Yan +Date: Tue, 2 Jul 2019 18:34:17 +0800 +Subject: perf session: Fix potential NULL pointer dereference found by the + smatch tool + +[ Upstream commit f3c8d90757724982e5f07cd77d315eb64ca145ac ] + +Based on the following report from Smatch, fix the potential +NULL pointer dereference check. + + tools/perf/util/session.c:1252 + dump_read() error: we previously assumed 'evsel' could be null + (see line 1249) + + tools/perf/util/session.c + 1240 static void dump_read(struct perf_evsel *evsel, union perf_event *event) + 1241 { + 1242 struct read_event *read_event = &event->read; + 1243 u64 read_format; + 1244 + 1245 if (!dump_trace) + 1246 return; + 1247 + 1248 printf(": %d %d %s %" PRIu64 "\n", event->read.pid, event->read.tid, + 1249 evsel ? perf_evsel__name(evsel) : "FAIL", + 1250 event->read.value); + 1251 + 1252 read_format = evsel->attr.read_format; + ^^^^^^^ + +'evsel' could be NULL pointer, for this case this patch directly bails +out without dumping read_event. + +Signed-off-by: Leo Yan +Acked-by: Jiri Olsa +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Alexey Budankov +Cc: Alexios Zavras +Cc: Andi Kleen +Cc: Changbin Du +Cc: David S. Miller +Cc: Davidlohr Bueso +Cc: Eric Saint-Etienne +Cc: Jin Yao +Cc: Konstantin Khlebnikov +Cc: Mathieu Poirier +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Rasmus Villemoes +Cc: Song Liu +Cc: Suzuki Poulouse +Cc: Thomas Gleixner +Cc: Thomas Richter +Cc: linux-arm-kernel@lists.infradead.org +Link: http://lkml.kernel.org/r/20190702103420.27540-9-leo.yan@linaro.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/session.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/tools/perf/util/session.c b/tools/perf/util/session.c +index 54cf163347f7..2e61dd6a3574 100644 +--- a/tools/perf/util/session.c ++++ b/tools/perf/util/session.c +@@ -1249,6 +1249,9 @@ static void dump_read(struct perf_evsel *evsel, union perf_event *event) + evsel ? perf_evsel__name(evsel) : "FAIL", + event->read.value); + ++ if (!evsel) ++ return; ++ + read_format = evsel->attr.read_format; + + if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) +-- +2.20.1 + diff --git a/queue-5.2/perf-stat-fix-use-after-freed-pointer-detected-by-th.patch b/queue-5.2/perf-stat-fix-use-after-freed-pointer-detected-by-th.patch new file mode 100644 index 00000000000..2afdc456550 --- /dev/null +++ b/queue-5.2/perf-stat-fix-use-after-freed-pointer-detected-by-th.patch @@ -0,0 +1,63 @@ +From 4c2ca4a253508285dc65137993e483e0b27f1016 Mon Sep 17 00:00:00 2001 +From: Leo Yan +Date: Tue, 2 Jul 2019 18:34:11 +0800 +Subject: perf stat: Fix use-after-freed pointer detected by the smatch tool + +[ Upstream commit c74b05030edb3b52f4208d8415b8c933bc509a29 ] + +Based on the following report from Smatch, fix the use-after-freed +pointer. + + tools/perf/builtin-stat.c:1353 + add_default_attributes() warn: passing freed memory 'str'. + +The pointer 'str' has been freed but later it is still passed into the +function parse_events_print_error(). This patch fixes this +use-after-freed issue. + +Signed-off-by: Leo Yan +Acked-by: Jiri Olsa +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Alexey Budankov +Cc: Alexios Zavras +Cc: Andi Kleen +Cc: Changbin Du +Cc: Davidlohr Bueso +Cc: David S. Miller +Cc: Eric Saint-Etienne +Cc: Jin Yao +Cc: Konstantin Khlebnikov +Cc: linux-arm-kernel@lists.infradead.org +Cc: Mathieu Poirier +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Rasmus Villemoes +Cc: Song Liu +Cc: Suzuki Poulouse +Cc: Thomas Gleixner +Cc: Thomas Richter +Link: http://lkml.kernel.org/r/20190702103420.27540-3-leo.yan@linaro.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-stat.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/builtin-stat.c b/tools/perf/builtin-stat.c +index 1ae66f09dc7d..e28002d90573 100644 +--- a/tools/perf/builtin-stat.c ++++ b/tools/perf/builtin-stat.c +@@ -1276,8 +1276,8 @@ static int add_default_attributes(void) + fprintf(stderr, + "Cannot set up top down events %s: %d\n", + str, err); +- free(str); + parse_events_print_error(&errinfo, str); ++ free(str); + return -1; + } + } else { +-- +2.20.1 + diff --git a/queue-5.2/perf-test-mmap-thread-lookup-initialize-variable-to-.patch b/queue-5.2/perf-test-mmap-thread-lookup-initialize-variable-to-.patch new file mode 100644 index 00000000000..0f8709fdf2a --- /dev/null +++ b/queue-5.2/perf-test-mmap-thread-lookup-initialize-variable-to-.patch @@ -0,0 +1,54 @@ +From 598dc7333d5b3b9d05ef91a791a9f53d9763d83a Mon Sep 17 00:00:00 2001 +From: Numfor Mbiziwo-Tiapo +Date: Tue, 2 Jul 2019 10:37:15 -0700 +Subject: perf test mmap-thread-lookup: Initialize variable to suppress memory + sanitizer warning + +[ Upstream commit 4e4cf62b37da5ff45c904a3acf242ab29ed5881d ] + +Running the 'perf test' command after building perf with a memory +sanitizer causes a warning that says: + + WARNING: MemorySanitizer: use-of-uninitialized-value... in mmap-thread-lookup.c + +Initializing the go variable to 0 silences this harmless warning. + +Committer warning: + +This was harmless, just a simple test writing whatever was at that +sizeof(int) memory area just to signal another thread blocked reading +that file created with pipe(). Initialize it tho so that we don't get +this warning. + +Signed-off-by: Numfor Mbiziwo-Tiapo +Cc: Alexander Shishkin +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Mark Drayton +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Song Liu +Cc: Stephane Eranian +Link: http://lkml.kernel.org/r/20190702173716.181223-1-nums@google.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/tests/mmap-thread-lookup.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/tests/mmap-thread-lookup.c b/tools/perf/tests/mmap-thread-lookup.c +index ba87e6e8d18c..0a4301a5155c 100644 +--- a/tools/perf/tests/mmap-thread-lookup.c ++++ b/tools/perf/tests/mmap-thread-lookup.c +@@ -53,7 +53,7 @@ static void *thread_fn(void *arg) + { + struct thread_data *td = arg; + ssize_t ret; +- int go; ++ int go = 0; + + if (thread_init(td)) + return NULL; +-- +2.20.1 + diff --git a/queue-5.2/perf-top-fix-potential-null-pointer-dereference-dete.patch b/queue-5.2/perf-top-fix-potential-null-pointer-dereference-dete.patch new file mode 100644 index 00000000000..5480f7dcdb3 --- /dev/null +++ b/queue-5.2/perf-top-fix-potential-null-pointer-dereference-dete.patch @@ -0,0 +1,106 @@ +From c537f6bf73421b0c684a4b188487bf751fe5025f Mon Sep 17 00:00:00 2001 +From: Leo Yan +Date: Tue, 2 Jul 2019 18:34:12 +0800 +Subject: perf top: Fix potential NULL pointer dereference detected by the + smatch tool + +[ Upstream commit 111442cfc8abdeaa7ec1407f07ef7b3e5f76654e ] + +Based on the following report from Smatch, fix the potential NULL +pointer dereference check. + + tools/perf/builtin-top.c:109 + perf_top__parse_source() warn: variable dereferenced before check 'he' + (see line 103) + + tools/perf/builtin-top.c:233 + perf_top__show_details() warn: variable dereferenced before check 'he' + (see line 228) + + tools/perf/builtin-top.c + 101 static int perf_top__parse_source(struct perf_top *top, struct hist_entry *he) + 102 { + 103 struct perf_evsel *evsel = hists_to_evsel(he->hists); + ^^^^ + 104 struct symbol *sym; + 105 struct annotation *notes; + 106 struct map *map; + 107 int err = -1; + 108 + 109 if (!he || !he->ms.sym) + 110 return -1; + +This patch moves the values assignment after validating pointer 'he'. + +Signed-off-by: Leo Yan +Acked-by: Jiri Olsa +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Alexey Budankov +Cc: Alexios Zavras +Cc: Andi Kleen +Cc: Changbin Du +Cc: David S. Miller +Cc: Davidlohr Bueso +Cc: Eric Saint-Etienne +Cc: Jin Yao +Cc: Konstantin Khlebnikov +Cc: Mathieu Poirier +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Rasmus Villemoes +Cc: Song Liu +Cc: Suzuki Poulouse +Cc: Thomas Gleixner +Cc: Thomas Richter +Cc: linux-arm-kernel@lists.infradead.org +Link: http://lkml.kernel.org/r/20190702103420.27540-4-leo.yan@linaro.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-top.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/tools/perf/builtin-top.c b/tools/perf/builtin-top.c +index 466621cd1017..8a9ff4b11df0 100644 +--- a/tools/perf/builtin-top.c ++++ b/tools/perf/builtin-top.c +@@ -100,7 +100,7 @@ static void perf_top__resize(struct perf_top *top) + + static int perf_top__parse_source(struct perf_top *top, struct hist_entry *he) + { +- struct perf_evsel *evsel = hists_to_evsel(he->hists); ++ struct perf_evsel *evsel; + struct symbol *sym; + struct annotation *notes; + struct map *map; +@@ -109,6 +109,8 @@ static int perf_top__parse_source(struct perf_top *top, struct hist_entry *he) + if (!he || !he->ms.sym) + return -1; + ++ evsel = hists_to_evsel(he->hists); ++ + sym = he->ms.sym; + map = he->ms.map; + +@@ -225,7 +227,7 @@ static void perf_top__record_precise_ip(struct perf_top *top, + static void perf_top__show_details(struct perf_top *top) + { + struct hist_entry *he = top->sym_filter_entry; +- struct perf_evsel *evsel = hists_to_evsel(he->hists); ++ struct perf_evsel *evsel; + struct annotation *notes; + struct symbol *symbol; + int more; +@@ -233,6 +235,8 @@ static void perf_top__show_details(struct perf_top *top) + if (!he) + return; + ++ evsel = hists_to_evsel(he->hists); ++ + symbol = he->ms.sym; + notes = symbol__annotation(symbol); + +-- +2.20.1 + diff --git a/queue-5.2/perf-trace-fix-potential-null-pointer-dereference-fo.patch b/queue-5.2/perf-trace-fix-potential-null-pointer-dereference-fo.patch new file mode 100644 index 00000000000..32c0b6cd44d --- /dev/null +++ b/queue-5.2/perf-trace-fix-potential-null-pointer-dereference-fo.patch @@ -0,0 +1,80 @@ +From 4131b2aed970e8b40d5055c011e4e241c87b41a1 Mon Sep 17 00:00:00 2001 +From: Leo Yan +Date: Tue, 2 Jul 2019 18:34:14 +0800 +Subject: perf trace: Fix potential NULL pointer dereference found by the + smatch tool + +[ Upstream commit 7a6d49dc8cad8fa1f3d63994102af8f9ae9c859f ] + +Based on the following report from Smatch, fix the potential NULL +pointer dereference check. + + tools/perf/builtin-trace.c:1044 + thread_trace__new() error: we previously assumed 'ttrace' could be + null (see line 1041). + + tools/perf/builtin-trace.c + 1037 static struct thread_trace *thread_trace__new(void) + 1038 { + 1039 struct thread_trace *ttrace = zalloc(sizeof(struct thread_trace)); + 1040 + 1041 if (ttrace) + 1042 ttrace->files.max = -1; + 1043 + 1044 ttrace->syscall_stats = intlist__new(NULL); + ^^^^^^^^ + 1045 + 1046 return ttrace; + 1047 } + +Signed-off-by: Leo Yan +Acked-by: Jiri Olsa +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Alexey Budankov +Cc: Alexios Zavras +Cc: Andi Kleen +Cc: Changbin Du +Cc: David S. Miller +Cc: Davidlohr Bueso +Cc: Eric Saint-Etienne +Cc: Jin Yao +Cc: Konstantin Khlebnikov +Cc: Mathieu Poirier +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Rasmus Villemoes +Cc: Song Liu +Cc: Suzuki Poulouse +Cc: Thomas Gleixner +Cc: Thomas Richter +Cc: linux-arm-kernel@lists.infradead.org +Link: http://lkml.kernel.org/r/20190702103420.27540-6-leo.yan@linaro.org +[ Just made it look like other tools/perf constructors, same end result ] +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-trace.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/tools/perf/builtin-trace.c b/tools/perf/builtin-trace.c +index 52fadc858ef0..909e68545bb8 100644 +--- a/tools/perf/builtin-trace.c ++++ b/tools/perf/builtin-trace.c +@@ -997,10 +997,10 @@ static struct thread_trace *thread_trace__new(void) + { + struct thread_trace *ttrace = zalloc(sizeof(struct thread_trace)); + +- if (ttrace) ++ if (ttrace) { + ttrace->files.max = -1; +- +- ttrace->syscall_stats = intlist__new(NULL); ++ ttrace->syscall_stats = intlist__new(NULL); ++ } + + return ttrace; + } +-- +2.20.1 + diff --git a/queue-5.2/phy-meson-g12a-usb3-pcie-disable-locking-for-cr_regm.patch b/queue-5.2/phy-meson-g12a-usb3-pcie-disable-locking-for-cr_regm.patch new file mode 100644 index 00000000000..81f1c702619 --- /dev/null +++ b/queue-5.2/phy-meson-g12a-usb3-pcie-disable-locking-for-cr_regm.patch @@ -0,0 +1,71 @@ +From 549252e69f10ce5c85d69feeb3e0e77b74b20e43 Mon Sep 17 00:00:00 2001 +From: Neil Armstrong +Date: Wed, 5 Jun 2019 11:02:15 +0200 +Subject: phy: meson-g12a-usb3-pcie: disable locking for cr_regmap + +[ Upstream commit 5fc2aa3ec9efad97dd7c316f3c8e4c6268bbed9b ] + +Locking is not needed for the phy_g12a_usb3_pcie_cr_bus_read/write() and +currently it causes the following BUG because of the usage of the +regmap_read_poll_timeout() running in spinlock_irq, configured by regmap fast_io. + +Simply disable locking in the cr_regmap config since it's only used from the +PHY init callback function. + +BUG: sleeping function called from invalid context at drivers/phy/amlogic/phy-meson-g12a-usb3-pcie.c:85 +in_atomic(): 1, irqs_disabled(): 128, pid: 60, name: kworker/3:1 +[snip] +Workqueue: events deferred_probe_work_func +Call trace: + dump_backtrace+0x0/0x190 + show_stack+0x14/0x20 + dump_stack+0x90/0xb4 + ___might_sleep+0xec/0x110 + __might_sleep+0x50/0x88 + phy_g12a_usb3_pcie_cr_bus_addr.isra.0+0x80/0x1a8 + phy_g12a_usb3_pcie_cr_bus_read+0x34/0x1d8 + _regmap_read+0x60/0xe0 + _regmap_update_bits+0xc4/0x110 + regmap_update_bits_base+0x60/0x90 + phy_g12a_usb3_pcie_init+0xdc/0x210 + phy_init+0x74/0xd0 + dwc3_meson_g12a_probe+0x2cc/0x4d0 + platform_drv_probe+0x50/0xa0 + really_probe+0x20c/0x3b8 + driver_probe_device+0x68/0x150 + __device_attach_driver+0xa8/0x170 + bus_for_each_drv+0x64/0xc8 + __device_attach+0xd8/0x158 + device_initial_probe+0x10/0x18 + bus_probe_device+0x90/0x98 + deferred_probe_work_func+0x94/0xe8 + process_one_work+0x1e0/0x338 + worker_thread+0x230/0x458 + kthread+0x134/0x138 + ret_from_fork+0x10/0x1c + +Fixes: 36077e16c050 ("phy: amlogic: Add Amlogic G12A USB3 + PCIE Combo PHY Driver") +Signed-off-by: Neil Armstrong +Tested-by: Kevin Hilman +Signed-off-by: Kishon Vijay Abraham I +Signed-off-by: Sasha Levin +--- + drivers/phy/amlogic/phy-meson-g12a-usb3-pcie.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/phy/amlogic/phy-meson-g12a-usb3-pcie.c b/drivers/phy/amlogic/phy-meson-g12a-usb3-pcie.c +index 6233a7979a93..ac322d643c7a 100644 +--- a/drivers/phy/amlogic/phy-meson-g12a-usb3-pcie.c ++++ b/drivers/phy/amlogic/phy-meson-g12a-usb3-pcie.c +@@ -188,7 +188,7 @@ static const struct regmap_config phy_g12a_usb3_pcie_cr_regmap_conf = { + .reg_read = phy_g12a_usb3_pcie_cr_bus_read, + .reg_write = phy_g12a_usb3_pcie_cr_bus_write, + .max_register = 0xffff, +- .fast_io = true, ++ .disable_locking = true, + }; + + static int phy_g12a_usb3_init(struct phy *phy) +-- +2.20.1 + diff --git a/queue-5.2/phy-renesas-rcar-gen2-fix-memory-leak-at-error-paths.patch b/queue-5.2/phy-renesas-rcar-gen2-fix-memory-leak-at-error-paths.patch new file mode 100644 index 00000000000..4d479165d3d --- /dev/null +++ b/queue-5.2/phy-renesas-rcar-gen2-fix-memory-leak-at-error-paths.patch @@ -0,0 +1,44 @@ +From bcca1af6773a1402fb504d094022165dbaa87801 Mon Sep 17 00:00:00 2001 +From: Yoshihiro Shimoda +Date: Tue, 28 May 2019 14:04:02 +0900 +Subject: phy: renesas: rcar-gen2: Fix memory leak at error paths + +[ Upstream commit d4a36e82924d3305a17ac987a510f3902df5a4b2 ] + +This patch fixes memory leak at error paths of the probe function. +In for_each_child_of_node, if the loop returns, the driver should +call of_put_node() before returns. + +Reported-by: Julia Lawall +Fixes: 1233f59f745b237 ("phy: Renesas R-Car Gen2 PHY driver") +Signed-off-by: Yoshihiro Shimoda +Reviewed-by: Geert Uytterhoeven +Signed-off-by: Kishon Vijay Abraham I +Signed-off-by: Sasha Levin +--- + drivers/phy/renesas/phy-rcar-gen2.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/phy/renesas/phy-rcar-gen2.c b/drivers/phy/renesas/phy-rcar-gen2.c +index 8dc5710d9c98..2926e4937301 100644 +--- a/drivers/phy/renesas/phy-rcar-gen2.c ++++ b/drivers/phy/renesas/phy-rcar-gen2.c +@@ -391,6 +391,7 @@ static int rcar_gen2_phy_probe(struct platform_device *pdev) + error = of_property_read_u32(np, "reg", &channel_num); + if (error || channel_num > 2) { + dev_err(dev, "Invalid \"reg\" property\n"); ++ of_node_put(np); + return error; + } + channel->select_mask = select_mask[channel_num]; +@@ -406,6 +407,7 @@ static int rcar_gen2_phy_probe(struct platform_device *pdev) + data->gen2_phy_ops); + if (IS_ERR(phy->phy)) { + dev_err(dev, "Failed to create PHY\n"); ++ of_node_put(np); + return PTR_ERR(phy->phy); + } + phy_set_drvdata(phy->phy, phy); +-- +2.20.1 + diff --git a/queue-5.2/phy-renesas-rcar-gen3-usb2-fix-imbalance-powered-fla.patch b/queue-5.2/phy-renesas-rcar-gen3-usb2-fix-imbalance-powered-fla.patch new file mode 100644 index 00000000000..e67181aaf7f --- /dev/null +++ b/queue-5.2/phy-renesas-rcar-gen3-usb2-fix-imbalance-powered-fla.patch @@ -0,0 +1,164 @@ +From 0db0dd2fb6fc297bdff97d58b96920e5ca347360 Mon Sep 17 00:00:00 2001 +From: Yoshihiro Shimoda +Date: Mon, 10 Jun 2019 15:23:55 +0900 +Subject: phy: renesas: rcar-gen3-usb2: fix imbalance powered flag + +[ Upstream commit 5c9dc6379f539c68a0fdd39e39a9d359545649e9 ] + +The powered flag should be set for any other phys anyway. Also +the flag should be locked by the channel. Otherwise, after we have +revised the device tree for the usb phy, the following warning +happened during a second system suspend. And if the driver doesn't +lock the flag, an imbalance is possible when enabling the regulator +during system resume. So, this patch fixes the issues. + +< The warning > +[ 56.026531] unbalanced disables for USB20_VBUS0 +[ 56.031108] WARNING: CPU: 3 PID: 513 at drivers/regulator/core.c:2593 _regula +tor_disable+0xe0/0x1c0 +[ 56.040146] Modules linked in: rcar_du_drm rcar_lvds drm_kms_helper drm drm_p +anel_orientation_quirks vsp1 videobuf2_vmalloc videobuf2_dma_contig videobuf2_me +mops videobuf2_v4l2 videobuf2_common videodev snd_soc_rcar renesas_usbhs snd_soc +_audio_graph_card media snd_soc_simple_card_utils crct10dif_ce renesas_usb3 snd_ +soc_ak4613 rcar_fcp pwm_rcar usb_dmac phy_rcar_gen3_usb3 pwm_bl ipv6 +[ 56.074047] CPU: 3 PID: 513 Comm: kworker/u16:19 Not tainted 5.2.0-rc3-00001- +g5f20a19 #6 +[ 56.082129] Hardware name: Renesas Salvator-X board based on r8a7795 ES2.0+ ( +DT) +[ 56.089524] Workqueue: events_unbound async_run_entry_fn +[ 56.094832] pstate: 40000005 (nZcv daif -PAN -UAO) +[ 56.099617] pc : _regulator_disable+0xe0/0x1c0 +[ 56.104054] lr : _regulator_disable+0xe0/0x1c0 +[ 56.108489] sp : ffff0000121c3ae0 +[ 56.111796] x29: ffff0000121c3ae0 x28: 0000000000000000 +[ 56.117102] x27: 0000000000000000 x26: ffff000010fe0e60 +[ 56.122407] x25: 0000000000000002 x24: 0000000000000001 +[ 56.127712] x23: 0000000000000002 x22: ffff8006f99d4000 +[ 56.133017] x21: ffff8006f99cc000 x20: ffff8006f9846800 +[ 56.138322] x19: ffff8006f9846800 x18: ffffffffffffffff +[ 56.143626] x17: 0000000000000000 x16: 0000000000000000 +[ 56.148931] x15: ffff0000112f96c8 x14: ffff0000921c37f7 +[ 56.154235] x13: ffff0000121c3805 x12: ffff000011312000 +[ 56.159540] x11: 0000000005f5e0ff x10: ffff0000112f9f20 +[ 56.164844] x9 : ffff0000112d3018 x8 : 00000000000001ad +[ 56.170149] x7 : 00000000ffffffcc x6 : ffff8006ff768180 +[ 56.175453] x5 : ffff8006ff768180 x4 : 0000000000000000 +[ 56.180758] x3 : ffff8006ff76ef10 x2 : ffff8006ff768180 +[ 56.186062] x1 : 3d2eccbaead8fb00 x0 : 0000000000000000 +[ 56.191367] Call trace: +[ 56.193808] _regulator_disable+0xe0/0x1c0 +[ 56.197899] regulator_disable+0x40/0x78 +[ 56.201820] rcar_gen3_phy_usb2_power_off+0x3c/0x50 +[ 56.206692] phy_power_off+0x48/0xd8 +[ 56.210263] usb_phy_roothub_power_off+0x30/0x50 +[ 56.214873] usb_phy_roothub_suspend+0x1c/0x50 +[ 56.219311] hcd_bus_suspend+0x13c/0x168 +[ 56.223226] generic_suspend+0x4c/0x58 +[ 56.226969] usb_suspend_both+0x1ac/0x238 +[ 56.230972] usb_suspend+0xcc/0x170 +[ 56.234455] usb_dev_suspend+0x10/0x18 +[ 56.238199] dpm_run_callback.isra.6+0x20/0x68 +[ 56.242635] __device_suspend+0x110/0x308 +[ 56.246637] async_suspend+0x24/0xa8 +[ 56.250205] async_run_entry_fn+0x40/0xf8 +[ 56.254210] process_one_work+0x1e0/0x320 +[ 56.258211] worker_thread+0x40/0x450 +[ 56.261867] kthread+0x124/0x128 +[ 56.265094] ret_from_fork+0x10/0x18 +[ 56.268661] ---[ end trace 86d7ec5de5c517af ]--- +[ 56.273290] phy phy-ee080200.usb-phy.10: phy poweroff failed --> -5 + +Reported-by: Geert Uytterhoeven +Fixes: 549b6b55b005 ("phy: renesas: rcar-gen3-usb2: enable/disable independent irqs") +Signed-off-by: Yoshihiro Shimoda +Reviewed-by: Geert Uytterhoeven +Tested-by: Geert Uytterhoeven +Reviewed-by: Simon Horman +Signed-off-by: Kishon Vijay Abraham I +Signed-off-by: Sasha Levin +--- + drivers/phy/renesas/phy-rcar-gen3-usb2.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +diff --git a/drivers/phy/renesas/phy-rcar-gen3-usb2.c b/drivers/phy/renesas/phy-rcar-gen3-usb2.c +index 1322185a00a2..8ffba67568ec 100644 +--- a/drivers/phy/renesas/phy-rcar-gen3-usb2.c ++++ b/drivers/phy/renesas/phy-rcar-gen3-usb2.c +@@ -13,6 +13,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -106,6 +107,7 @@ struct rcar_gen3_chan { + struct rcar_gen3_phy rphys[NUM_OF_PHYS]; + struct regulator *vbus; + struct work_struct work; ++ struct mutex lock; /* protects rphys[...].powered */ + enum usb_dr_mode dr_mode; + bool extcon_host; + bool is_otg_channel; +@@ -437,15 +439,16 @@ static int rcar_gen3_phy_usb2_power_on(struct phy *p) + struct rcar_gen3_chan *channel = rphy->ch; + void __iomem *usb2_base = channel->base; + u32 val; +- int ret; ++ int ret = 0; + ++ mutex_lock(&channel->lock); + if (!rcar_gen3_are_all_rphys_power_off(channel)) +- return 0; ++ goto out; + + if (channel->vbus) { + ret = regulator_enable(channel->vbus); + if (ret) +- return ret; ++ goto out; + } + + val = readl(usb2_base + USB2_USBCTR); +@@ -454,7 +457,10 @@ static int rcar_gen3_phy_usb2_power_on(struct phy *p) + val &= ~USB2_USBCTR_PLL_RST; + writel(val, usb2_base + USB2_USBCTR); + ++out: ++ /* The powered flag should be set for any other phys anyway */ + rphy->powered = true; ++ mutex_unlock(&channel->lock); + + return 0; + } +@@ -465,14 +471,18 @@ static int rcar_gen3_phy_usb2_power_off(struct phy *p) + struct rcar_gen3_chan *channel = rphy->ch; + int ret = 0; + ++ mutex_lock(&channel->lock); + rphy->powered = false; + + if (!rcar_gen3_are_all_rphys_power_off(channel)) +- return 0; ++ goto out; + + if (channel->vbus) + ret = regulator_disable(channel->vbus); + ++out: ++ mutex_unlock(&channel->lock); ++ + return ret; + } + +@@ -639,6 +649,7 @@ static int rcar_gen3_phy_usb2_probe(struct platform_device *pdev) + if (!phy_usb2_ops) + return -EINVAL; + ++ mutex_init(&channel->lock); + for (i = 0; i < NUM_OF_PHYS; i++) { + channel->rphys[i].phy = devm_phy_create(dev, NULL, + phy_usb2_ops); +-- +2.20.1 + diff --git a/queue-5.2/pinctrl-rockchip-fix-leaked-of_node-references.patch b/queue-5.2/pinctrl-rockchip-fix-leaked-of_node-references.patch new file mode 100644 index 00000000000..53be1751833 --- /dev/null +++ b/queue-5.2/pinctrl-rockchip-fix-leaked-of_node-references.patch @@ -0,0 +1,42 @@ +From 3ef59a0dcf6be6df8a21acd8508922b04d64fbea Mon Sep 17 00:00:00 2001 +From: Wen Yang +Date: Mon, 15 Apr 2019 14:24:02 +0800 +Subject: pinctrl: rockchip: fix leaked of_node references + +[ Upstream commit 3c89c70634bb0b6f48512de873e7a45c7e1fbaa5 ] + +The call to of_parse_phandle returns a node pointer with refcount +incremented thus it must be explicitly decremented after the last +usage. + +Detected by coccinelle with the following warnings: +./drivers/pinctrl/pinctrl-rockchip.c:3221:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 3196, but without a corresponding object release within this function. +./drivers/pinctrl/pinctrl-rockchip.c:3223:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 3196, but without a corresponding object release within this function. + +Signed-off-by: Wen Yang +Cc: Linus Walleij +Cc: Heiko Stuebner +Cc: linux-gpio@vger.kernel.org +Cc: linux-rockchip@lists.infradead.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-rockchip.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pinctrl/pinctrl-rockchip.c b/drivers/pinctrl/pinctrl-rockchip.c +index 807a3263d849..62a622159006 100644 +--- a/drivers/pinctrl/pinctrl-rockchip.c ++++ b/drivers/pinctrl/pinctrl-rockchip.c +@@ -3204,6 +3204,7 @@ static int rockchip_get_bank_data(struct rockchip_pin_bank *bank, + base, + &rockchip_regmap_config); + } ++ of_node_put(node); + } + + bank->irq = irq_of_parse_and_map(bank->of_node, 0); +-- +2.20.1 + diff --git a/queue-5.2/platform-x86-asus-wmi-increase-input-buffer-size-of-.patch b/queue-5.2/platform-x86-asus-wmi-increase-input-buffer-size-of-.patch new file mode 100644 index 00000000000..7c9b8460ebd --- /dev/null +++ b/queue-5.2/platform-x86-asus-wmi-increase-input-buffer-size-of-.patch @@ -0,0 +1,89 @@ +From 500cebc1e655078b76e7d3e90d0d1082a1a0b355 Mon Sep 17 00:00:00 2001 +From: Yurii Pavlovskyi +Date: Tue, 14 May 2019 20:54:50 +0200 +Subject: platform/x86: asus-wmi: Increase input buffer size of WMI methods + +[ Upstream commit 98e865a522983f2afde075648ec9d15ea4bb9194 ] + +The asus-nb-wmi driver is matched by WMI alias but fails to load on TUF +Gaming series laptops producing multiple ACPI errors in the kernel log. + +The input buffer for WMI method invocation size is 2 dwords, whereas +3 are expected by this model. + +FX505GM: +.. +Method (WMNB, 3, Serialized) +{ + P8XH (Zero, 0x11) + CreateDWordField (Arg2, Zero, IIA0) + CreateDWordField (Arg2, 0x04, IIA1) + CreateDWordField (Arg2, 0x08, IIA2) + Local0 = (Arg1 & 0xFFFFFFFF) + ... + +Compare with older K54C: +... +Method (WMNB, 3, NotSerialized) +{ + CreateDWordField (Arg2, 0x00, IIA0) + CreateDWordField (Arg2, 0x04, IIA1) + Local0 = (Arg1 & 0xFFFFFFFF) + ... + +Increase buffer size to 3 dwords. No negative consequences of this change +are expected, as the input buffer size is not verified. The original +function is replaced by a wrapper for a new method passing value 0 for the +last parameter. The new function will be used to control RGB keyboard +backlight. + +Signed-off-by: Yurii Pavlovskyi +Reviewed-by: Daniel Drake +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/asus-wmi.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c +index 9b18a184e0aa..abfa99d18fea 100644 +--- a/drivers/platform/x86/asus-wmi.c ++++ b/drivers/platform/x86/asus-wmi.c +@@ -85,6 +85,7 @@ static bool ashs_present(void) + struct bios_args { + u32 arg0; + u32 arg1; ++ u32 arg2; /* At least TUF Gaming series uses 3 dword input buffer. */ + } __packed; + + /* +@@ -211,11 +212,13 @@ static void asus_wmi_input_exit(struct asus_wmi *asus) + asus->inputdev = NULL; + } + +-int asus_wmi_evaluate_method(u32 method_id, u32 arg0, u32 arg1, u32 *retval) ++static int asus_wmi_evaluate_method3(u32 method_id, ++ u32 arg0, u32 arg1, u32 arg2, u32 *retval) + { + struct bios_args args = { + .arg0 = arg0, + .arg1 = arg1, ++ .arg2 = arg2, + }; + struct acpi_buffer input = { (acpi_size) sizeof(args), &args }; + struct acpi_buffer output = { ACPI_ALLOCATE_BUFFER, NULL }; +@@ -247,6 +250,11 @@ int asus_wmi_evaluate_method(u32 method_id, u32 arg0, u32 arg1, u32 *retval) + + return 0; + } ++ ++int asus_wmi_evaluate_method(u32 method_id, u32 arg0, u32 arg1, u32 *retval) ++{ ++ return asus_wmi_evaluate_method3(method_id, arg0, arg1, 0, retval); ++} + EXPORT_SYMBOL_GPL(asus_wmi_evaluate_method); + + static int asus_wmi_evaluate_method_agfn(const struct acpi_buffer args) +-- +2.20.1 + diff --git a/queue-5.2/platform-x86-fix-pcengines_apu2-kconfig-warning.patch b/queue-5.2/platform-x86-fix-pcengines_apu2-kconfig-warning.patch new file mode 100644 index 00000000000..f4cc5b206bf --- /dev/null +++ b/queue-5.2/platform-x86-fix-pcengines_apu2-kconfig-warning.patch @@ -0,0 +1,46 @@ +From 8be4f61a5b989c6c72516da0258ed248134b35ff Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Thu, 4 Jul 2019 14:27:25 +0800 +Subject: platform/x86: Fix PCENGINES_APU2 Kconfig warning + +[ Upstream commit 7d67c8ac25fbc66ee254aa3e33329d1c9bc152ce ] + +Fix Kconfig warning for PCENGINES_APU2 symbol: + +WARNING: unmet direct dependencies detected for GPIO_AMD_FCH + Depends on [n]: GPIOLIB [=n] && HAS_IOMEM [=y] + Selected by [y]: + - PCENGINES_APU2 [=y] && X86 [=y] && X86_PLATFORM_DEVICES [=y] && INPUT [=y] && INPUT_KEYBOARD [=y] && LEDS_CLASS [=y] + +WARNING: unmet direct dependencies detected for KEYBOARD_GPIO_POLLED + Depends on [n]: !UML && INPUT [=y] && INPUT_KEYBOARD [=y] && GPIOLIB [=n] + Selected by [y]: + - PCENGINES_APU2 [=y] && X86 [=y] && X86_PLATFORM_DEVICES [=y] && INPUT [=y] && INPUT_KEYBOARD [=y] && LEDS_CLASS [=y] + +Add GPIOLIB dependency to fix it. + +Reported-by: Hulk Robot +Fixes: f8eb0235f659 ("x86: pcengines apuv2 gpio/leds/keys platform driver") +Signed-off-by: YueHaibing +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/Kconfig b/drivers/platform/x86/Kconfig +index 5d5cc6111081..7c2fd1d72e18 100644 +--- a/drivers/platform/x86/Kconfig ++++ b/drivers/platform/x86/Kconfig +@@ -1317,7 +1317,7 @@ config HUAWEI_WMI + + config PCENGINES_APU2 + tristate "PC Engines APUv2/3 front button and LEDs driver" +- depends on INPUT && INPUT_KEYBOARD ++ depends on INPUT && INPUT_KEYBOARD && GPIOLIB + depends on LEDS_CLASS + select GPIO_AMD_FCH + select KEYBOARD_GPIO_POLLED +-- +2.20.1 + diff --git a/queue-5.2/powerpc-4xx-uic-clear-pending-interrupt-after-irq-ty.patch b/queue-5.2/powerpc-4xx-uic-clear-pending-interrupt-after-irq-ty.patch new file mode 100644 index 00000000000..c40d91edcc4 --- /dev/null +++ b/queue-5.2/powerpc-4xx-uic-clear-pending-interrupt-after-irq-ty.patch @@ -0,0 +1,38 @@ +From 2eb3326820d73f773db66ce4c8999c777084dd90 Mon Sep 17 00:00:00 2001 +From: Christian Lamparter +Date: Sat, 15 Jun 2019 17:23:13 +0200 +Subject: powerpc/4xx/uic: clear pending interrupt after irq type/pol change + +[ Upstream commit 3ab3a0689e74e6aa5b41360bc18861040ddef5b1 ] + +When testing out gpio-keys with a button, a spurious +interrupt (and therefore a key press or release event) +gets triggered as soon as the driver enables the irq +line for the first time. + +This patch clears any potential bogus generated interrupt +that was caused by the switching of the associated irq's +type and polarity. + +Signed-off-by: Christian Lamparter +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/4xx/uic.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/powerpc/platforms/4xx/uic.c b/arch/powerpc/platforms/4xx/uic.c +index 31f12ad37a98..36fb66ce54cf 100644 +--- a/arch/powerpc/platforms/4xx/uic.c ++++ b/arch/powerpc/platforms/4xx/uic.c +@@ -154,6 +154,7 @@ static int uic_set_irq_type(struct irq_data *d, unsigned int flow_type) + + mtdcr(uic->dcrbase + UIC_PR, pr); + mtdcr(uic->dcrbase + UIC_TR, tr); ++ mtdcr(uic->dcrbase + UIC_SR, ~mask); + + raw_spin_unlock_irqrestore(&uic->lock, flags); + +-- +2.20.1 + diff --git a/queue-5.2/powerpc-boot-add-get-put-_unaligned_be32-to-xz_confi.patch b/queue-5.2/powerpc-boot-add-get-put-_unaligned_be32-to-xz_confi.patch new file mode 100644 index 00000000000..2dbd09cac25 --- /dev/null +++ b/queue-5.2/powerpc-boot-add-get-put-_unaligned_be32-to-xz_confi.patch @@ -0,0 +1,102 @@ +From 66a12b5714bbb2bc40e447042ea199b839f9e3e3 Mon Sep 17 00:00:00 2001 +From: Masahiro Yamada +Date: Fri, 5 Jul 2019 19:01:43 +0900 +Subject: powerpc/boot: add {get, put}_unaligned_be32 to xz_config.h + +[ Upstream commit 9e005b761e7ad153dcf40a6cba1d681fe0830ac6 ] + +The next commit will make the way of passing CONFIG options more robust. +Unfortunately, it would uncover another hidden issue; without this +commit, skiroot_defconfig would be broken like this: + +| WRAP arch/powerpc/boot/zImage.pseries +| arch/powerpc/boot/wrapper.a(decompress.o): In function `bcj_powerpc.isra.10': +| decompress.c:(.text+0x720): undefined reference to `get_unaligned_be32' +| decompress.c:(.text+0x7a8): undefined reference to `put_unaligned_be32' +| make[1]: *** [arch/powerpc/boot/Makefile;383: arch/powerpc/boot/zImage.pseries] Error 1 +| make: *** [arch/powerpc/Makefile;295: zImage] Error 2 + +skiroot_defconfig is the only defconfig that enables CONFIG_KERNEL_XZ +for ppc, which has never been correctly built before. + +I figured out the root cause in lib/decompress_unxz.c: + +| #ifdef CONFIG_PPC +| # define XZ_DEC_POWERPC +| #endif + +CONFIG_PPC is undefined here in the ppc bootwrapper because autoconf.h +is not included except by arch/powerpc/boot/serial.c + +XZ_DEC_POWERPC is not defined, therefore, bcj_powerpc() is not compiled +for the bootwrapper. + +With the next commit passing CONFIG_PPC correctly, we would realize that +{get,put}_unaligned_be32 was missing. + +Unlike the other decompressors, the ppc bootwrapper duplicates all the +necessary helpers in arch/powerpc/boot/. + +The other architectures define __KERNEL__ and pull in helpers for +building the decompressors. + +If ppc bootwrapper had defined __KERNEL__, lib/xz/xz_private.h would +have included : + +| #ifdef __KERNEL__ +| # include +| # include +| # include + +However, doing so would cause tons of definition conflicts since the +bootwrapper has duplicated everything. + +I just added copies of {get,put}_unaligned_be32, following the +bootwrapper coding convention. + +Signed-off-by: Masahiro Yamada +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20190705100144.28785-1-yamada.masahiro@socionext.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/boot/xz_config.h | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + +diff --git a/arch/powerpc/boot/xz_config.h b/arch/powerpc/boot/xz_config.h +index e22e5b3770dd..ebfadd39e192 100644 +--- a/arch/powerpc/boot/xz_config.h ++++ b/arch/powerpc/boot/xz_config.h +@@ -20,10 +20,30 @@ static inline uint32_t swab32p(void *p) + + #ifdef __LITTLE_ENDIAN__ + #define get_le32(p) (*((uint32_t *) (p))) ++#define cpu_to_be32(x) swab32(x) ++static inline u32 be32_to_cpup(const u32 *p) ++{ ++ return swab32p((u32 *)p); ++} + #else + #define get_le32(p) swab32p(p) ++#define cpu_to_be32(x) (x) ++static inline u32 be32_to_cpup(const u32 *p) ++{ ++ return *p; ++} + #endif + ++static inline uint32_t get_unaligned_be32(const void *p) ++{ ++ return be32_to_cpup(p); ++} ++ ++static inline void put_unaligned_be32(u32 val, void *p) ++{ ++ *((u32 *)p) = cpu_to_be32(val); ++} ++ + #define memeq(a, b, size) (memcmp(a, b, size) == 0) + #define memzero(buf, size) memset(buf, 0, size) + +-- +2.20.1 + diff --git a/queue-5.2/powerpc-cacheflush-fix-variable-set-but-not-used.patch b/queue-5.2/powerpc-cacheflush-fix-variable-set-but-not-used.patch new file mode 100644 index 00000000000..5845f6619c3 --- /dev/null +++ b/queue-5.2/powerpc-cacheflush-fix-variable-set-but-not-used.patch @@ -0,0 +1,45 @@ +From 44597163f47254cd7b9f15f4e55b5620f804bb2f Mon Sep 17 00:00:00 2001 +From: Qian Cai +Date: Thu, 6 Jun 2019 09:58:13 -0400 +Subject: powerpc/cacheflush: fix variable set but not used + +[ Upstream commit 04db3ede40ae4fc23a5c4237254c4a53bbe4c1f2 ] + +The powerpc's flush_cache_vmap() is defined as a macro and never use +both of its arguments, so it will generate a compilation warning, + +lib/ioremap.c: In function 'ioremap_page_range': +lib/ioremap.c:203:16: warning: variable 'start' set but not used +[-Wunused-but-set-variable] + +Fix it by making it an inline function. + +Signed-off-by: Qian Cai +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/cacheflush.h | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/include/asm/cacheflush.h b/arch/powerpc/include/asm/cacheflush.h +index 74d60cfe8ce5..fd318f7c3eed 100644 +--- a/arch/powerpc/include/asm/cacheflush.h ++++ b/arch/powerpc/include/asm/cacheflush.h +@@ -29,9 +29,12 @@ + * not expect this type of fault. flush_cache_vmap is not exactly the right + * place to put this, but it seems to work well enough. + */ +-#define flush_cache_vmap(start, end) do { asm volatile("ptesync" ::: "memory"); } while (0) ++static inline void flush_cache_vmap(unsigned long start, unsigned long end) ++{ ++ asm volatile("ptesync" ::: "memory"); ++} + #else +-#define flush_cache_vmap(start, end) do { } while (0) ++static inline void flush_cache_vmap(unsigned long start, unsigned long end) { } + #endif + + #define ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE 1 +-- +2.20.1 + diff --git a/queue-5.2/powerpc-eeh-handle-hugepages-in-ioremap-space.patch b/queue-5.2/powerpc-eeh-handle-hugepages-in-ioremap-space.patch new file mode 100644 index 00000000000..cce38ffe2ad --- /dev/null +++ b/queue-5.2/powerpc-eeh-handle-hugepages-in-ioremap-space.patch @@ -0,0 +1,68 @@ +From b75fe3e55c7be1ac920d0bad67cf62e3e8fb82b3 Mon Sep 17 00:00:00 2001 +From: Oliver O'Halloran +Date: Thu, 11 Jul 2019 01:05:17 +1000 +Subject: powerpc/eeh: Handle hugepages in ioremap space + +[ Upstream commit 33439620680be5225c1b8806579a291e0d761ca0 ] + +In commit 4a7b06c157a2 ("powerpc/eeh: Handle hugepages in ioremap +space") support for using hugepages in the vmalloc and ioremap areas was +enabled for radix. Unfortunately this broke EEH MMIO error checking. + +Detection works by inserting a hook which checks the results of the +ioreadXX() set of functions. When a read returns a 0xFFs response we +need to check for an error which we do by mapping the (virtual) MMIO +address back to a physical address, then mapping physical address to a +PCI device via an interval tree. + +When translating virt -> phys we currently assume the ioremap space is +only populated by PAGE_SIZE mappings. If a hugepage mapping is found we +emit a WARN_ON(), but otherwise handles the check as though a normal +page was found. In pathalogical cases such as copying a buffer +containing a lot of 0xFFs from BAR memory this can result in the system +not booting because it's too busy printing WARN_ON()s. + +There's no real reason to assume huge pages can't be present and we're +prefectly capable of handling them, so do that. + +Fixes: 4a7b06c157a2 ("powerpc/eeh: Handle hugepages in ioremap space") +Reported-by: Sachin Sant +Signed-off-by: Oliver O'Halloran +Tested-by: Sachin Sant +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20190710150517.27114-1-oohall@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/eeh.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/arch/powerpc/kernel/eeh.c b/arch/powerpc/kernel/eeh.c +index f192d57db47d..c0e4b73191f3 100644 +--- a/arch/powerpc/kernel/eeh.c ++++ b/arch/powerpc/kernel/eeh.c +@@ -354,10 +354,19 @@ static inline unsigned long eeh_token_to_phys(unsigned long token) + ptep = find_init_mm_pte(token, &hugepage_shift); + if (!ptep) + return token; +- WARN_ON(hugepage_shift); +- pa = pte_pfn(*ptep) << PAGE_SHIFT; + +- return pa | (token & (PAGE_SIZE-1)); ++ pa = pte_pfn(*ptep); ++ ++ /* On radix we can do hugepage mappings for io, so handle that */ ++ if (hugepage_shift) { ++ pa <<= hugepage_shift; ++ pa |= token & ((1ul << hugepage_shift) - 1); ++ } else { ++ pa <<= PAGE_SHIFT; ++ pa |= token & (PAGE_SIZE - 1); ++ } ++ ++ return pa; + } + + /* +-- +2.20.1 + diff --git a/queue-5.2/powerpc-irq-don-t-warn-continuously-in-arch_local_ir.patch b/queue-5.2/powerpc-irq-don-t-warn-continuously-in-arch_local_ir.patch new file mode 100644 index 00000000000..20b58298745 --- /dev/null +++ b/queue-5.2/powerpc-irq-don-t-warn-continuously-in-arch_local_ir.patch @@ -0,0 +1,58 @@ +From aa12ea380ba43df92217bfa88b3718d9bf3b6221 Mon Sep 17 00:00:00 2001 +From: Michael Ellerman +Date: Mon, 8 Jul 2019 16:02:19 +1000 +Subject: powerpc/irq: Don't WARN continuously in arch_local_irq_restore() + +[ Upstream commit 0fc12c022ad25532b66bf6f6c818ee1c1d63e702 ] + +When CONFIG_PPC_IRQ_SOFT_MASK_DEBUG is enabled (uncommon), we have a +series of WARN_ON's in arch_local_irq_restore(). + +These are "should never happen" conditions, but if they do happen they +can flood the console and render the system unusable. So switch them +to WARN_ON_ONCE(). + +Fixes: e2b36d591720 ("powerpc/64: Don't trace code that runs with the soft irq mask unreconciled") +Fixes: 9b81c0211c24 ("powerpc/64s: make PACA_IRQ_HARD_DIS track MSR[EE] closely") +Fixes: 7c0482e3d055 ("powerpc/irq: Fix another case of lazy IRQ state getting out of sync") +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20190708061046.7075-1-mpe@ellerman.id.au +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/irq.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/powerpc/kernel/irq.c b/arch/powerpc/kernel/irq.c +index bc68c53af67c..5645bc9cbc09 100644 +--- a/arch/powerpc/kernel/irq.c ++++ b/arch/powerpc/kernel/irq.c +@@ -255,7 +255,7 @@ notrace void arch_local_irq_restore(unsigned long mask) + irq_happened = get_irq_happened(); + if (!irq_happened) { + #ifdef CONFIG_PPC_IRQ_SOFT_MASK_DEBUG +- WARN_ON(!(mfmsr() & MSR_EE)); ++ WARN_ON_ONCE(!(mfmsr() & MSR_EE)); + #endif + return; + } +@@ -268,7 +268,7 @@ notrace void arch_local_irq_restore(unsigned long mask) + */ + if (!(irq_happened & PACA_IRQ_HARD_DIS)) { + #ifdef CONFIG_PPC_IRQ_SOFT_MASK_DEBUG +- WARN_ON(!(mfmsr() & MSR_EE)); ++ WARN_ON_ONCE(!(mfmsr() & MSR_EE)); + #endif + __hard_irq_disable(); + #ifdef CONFIG_PPC_IRQ_SOFT_MASK_DEBUG +@@ -279,7 +279,7 @@ notrace void arch_local_irq_restore(unsigned long mask) + * warn if we are wrong. Only do that when IRQ tracing + * is enabled as mfmsr() can be costly. + */ +- if (WARN_ON(mfmsr() & MSR_EE)) ++ if (WARN_ON_ONCE(mfmsr() & MSR_EE)) + __hard_irq_disable(); + #endif + } +-- +2.20.1 + diff --git a/queue-5.2/powerpc-mm-handle-page-table-allocation-failures.patch b/queue-5.2/powerpc-mm-handle-page-table-allocation-failures.patch new file mode 100644 index 00000000000..ba7edb7998f --- /dev/null +++ b/queue-5.2/powerpc-mm-handle-page-table-allocation-failures.patch @@ -0,0 +1,60 @@ +From afaea3d2e1ca1762ccb152a91b359727c52e2d54 Mon Sep 17 00:00:00 2001 +From: "Aneesh Kumar K.V" +Date: Tue, 28 May 2019 11:06:24 +0530 +Subject: powerpc/mm: Handle page table allocation failures + +[ Upstream commit 2230ebf6e6dd0b7751e2921b40f6cfe34f09bb16 ] + +This fixes kernel crash that arises due to not handling page table allocation +failures while allocating hugetlb page table. + +Fixes: e2b3d202d1db ("powerpc: Switch 16GB and 16MB explicit hugepages to a different page table format") +Signed-off-by: Aneesh Kumar K.V +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +--- + arch/powerpc/mm/hugetlbpage.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/arch/powerpc/mm/hugetlbpage.c b/arch/powerpc/mm/hugetlbpage.c +index b5d92dc32844..1de0f43a68e5 100644 +--- a/arch/powerpc/mm/hugetlbpage.c ++++ b/arch/powerpc/mm/hugetlbpage.c +@@ -130,6 +130,8 @@ pte_t *huge_pte_alloc(struct mm_struct *mm, unsigned long addr, unsigned long sz + } else { + pdshift = PUD_SHIFT; + pu = pud_alloc(mm, pg, addr); ++ if (!pu) ++ return NULL; + if (pshift == PUD_SHIFT) + return (pte_t *)pu; + else if (pshift > PMD_SHIFT) { +@@ -138,6 +140,8 @@ pte_t *huge_pte_alloc(struct mm_struct *mm, unsigned long addr, unsigned long sz + } else { + pdshift = PMD_SHIFT; + pm = pmd_alloc(mm, pu, addr); ++ if (!pm) ++ return NULL; + if (pshift == PMD_SHIFT) + /* 16MB hugepage */ + return (pte_t *)pm; +@@ -154,12 +158,16 @@ pte_t *huge_pte_alloc(struct mm_struct *mm, unsigned long addr, unsigned long sz + } else { + pdshift = PUD_SHIFT; + pu = pud_alloc(mm, pg, addr); ++ if (!pu) ++ return NULL; + if (pshift >= PUD_SHIFT) { + ptl = pud_lockptr(mm, pu); + hpdp = (hugepd_t *)pu; + } else { + pdshift = PMD_SHIFT; + pm = pmd_alloc(mm, pu, addr); ++ if (!pm) ++ return NULL; + ptl = pmd_lockptr(mm, pm); + hpdp = (hugepd_t *)pm; + } +-- +2.20.1 + diff --git a/queue-5.2/powerpc-mm-mark-more-tlb-functions-as-__always_inlin.patch b/queue-5.2/powerpc-mm-mark-more-tlb-functions-as-__always_inlin.patch new file mode 100644 index 00000000000..aaf6120fd8a --- /dev/null +++ b/queue-5.2/powerpc-mm-mark-more-tlb-functions-as-__always_inlin.patch @@ -0,0 +1,155 @@ +From 0ce7f8adb55fc4df44f2d4350a1c356e4cdc768c Mon Sep 17 00:00:00 2001 +From: Masahiro Yamada +Date: Tue, 21 May 2019 22:13:24 +0900 +Subject: powerpc/mm: mark more tlb functions as __always_inline + +[ Upstream commit 6d3ca7e73642ce17398f4cd5df1780da4a1ccdaf ] + +With CONFIG_OPTIMIZE_INLINING enabled, Laura Abbott reported error +with gcc 9.1.1: + + arch/powerpc/mm/book3s64/radix_tlb.c: In function '_tlbiel_pid': + arch/powerpc/mm/book3s64/radix_tlb.c:104:2: warning: asm operand 3 probably doesn't match constraints + 104 | asm volatile(PPC_TLBIEL(%0, %4, %3, %2, %1) + | ^~~ + arch/powerpc/mm/book3s64/radix_tlb.c:104:2: error: impossible constraint in 'asm' + +Fixing _tlbiel_pid() is enough to address the warning above, but I +inlined more functions to fix all potential issues. + +To meet the "i" (immediate) constraint for the asm operands, functions +propagating "ric" must be always inlined. + +Fixes: 9012d011660e ("compiler: allow all arches to enable CONFIG_OPTIMIZE_INLINING") +Reported-by: Laura Abbott +Signed-off-by: Masahiro Yamada +Reviewed-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +--- + arch/powerpc/mm/book3s64/hash_native.c | 2 +- + arch/powerpc/mm/book3s64/radix_tlb.c | 32 +++++++++++++------------- + 2 files changed, 17 insertions(+), 17 deletions(-) + +diff --git a/arch/powerpc/mm/book3s64/hash_native.c b/arch/powerpc/mm/book3s64/hash_native.c +index 30d62ffe3310..1322c59cb5dd 100644 +--- a/arch/powerpc/mm/book3s64/hash_native.c ++++ b/arch/powerpc/mm/book3s64/hash_native.c +@@ -56,7 +56,7 @@ static inline void tlbiel_hash_set_isa206(unsigned int set, unsigned int is) + * tlbiel instruction for hash, set invalidation + * i.e., r=1 and is=01 or is=10 or is=11 + */ +-static inline void tlbiel_hash_set_isa300(unsigned int set, unsigned int is, ++static __always_inline void tlbiel_hash_set_isa300(unsigned int set, unsigned int is, + unsigned int pid, + unsigned int ric, unsigned int prs) + { +diff --git a/arch/powerpc/mm/book3s64/radix_tlb.c b/arch/powerpc/mm/book3s64/radix_tlb.c +index bb9835681315..d0cd5271a57c 100644 +--- a/arch/powerpc/mm/book3s64/radix_tlb.c ++++ b/arch/powerpc/mm/book3s64/radix_tlb.c +@@ -25,7 +25,7 @@ + * tlbiel instruction for radix, set invalidation + * i.e., r=1 and is=01 or is=10 or is=11 + */ +-static inline void tlbiel_radix_set_isa300(unsigned int set, unsigned int is, ++static __always_inline void tlbiel_radix_set_isa300(unsigned int set, unsigned int is, + unsigned int pid, + unsigned int ric, unsigned int prs) + { +@@ -146,8 +146,8 @@ static __always_inline void __tlbie_lpid(unsigned long lpid, unsigned long ric) + trace_tlbie(lpid, 0, rb, rs, ric, prs, r); + } + +-static inline void __tlbiel_lpid_guest(unsigned long lpid, int set, +- unsigned long ric) ++static __always_inline void __tlbiel_lpid_guest(unsigned long lpid, int set, ++ unsigned long ric) + { + unsigned long rb,rs,prs,r; + +@@ -163,8 +163,8 @@ static inline void __tlbiel_lpid_guest(unsigned long lpid, int set, + } + + +-static inline void __tlbiel_va(unsigned long va, unsigned long pid, +- unsigned long ap, unsigned long ric) ++static __always_inline void __tlbiel_va(unsigned long va, unsigned long pid, ++ unsigned long ap, unsigned long ric) + { + unsigned long rb,rs,prs,r; + +@@ -179,8 +179,8 @@ static inline void __tlbiel_va(unsigned long va, unsigned long pid, + trace_tlbie(0, 1, rb, rs, ric, prs, r); + } + +-static inline void __tlbie_va(unsigned long va, unsigned long pid, +- unsigned long ap, unsigned long ric) ++static __always_inline void __tlbie_va(unsigned long va, unsigned long pid, ++ unsigned long ap, unsigned long ric) + { + unsigned long rb,rs,prs,r; + +@@ -195,8 +195,8 @@ static inline void __tlbie_va(unsigned long va, unsigned long pid, + trace_tlbie(0, 0, rb, rs, ric, prs, r); + } + +-static inline void __tlbie_lpid_va(unsigned long va, unsigned long lpid, +- unsigned long ap, unsigned long ric) ++static __always_inline void __tlbie_lpid_va(unsigned long va, unsigned long lpid, ++ unsigned long ap, unsigned long ric) + { + unsigned long rb,rs,prs,r; + +@@ -235,7 +235,7 @@ static inline void fixup_tlbie_lpid(unsigned long lpid) + /* + * We use 128 set in radix mode and 256 set in hpt mode. + */ +-static inline void _tlbiel_pid(unsigned long pid, unsigned long ric) ++static __always_inline void _tlbiel_pid(unsigned long pid, unsigned long ric) + { + int set; + +@@ -337,7 +337,7 @@ static inline void _tlbie_lpid(unsigned long lpid, unsigned long ric) + asm volatile("eieio; tlbsync; ptesync": : :"memory"); + } + +-static inline void _tlbiel_lpid_guest(unsigned long lpid, unsigned long ric) ++static __always_inline void _tlbiel_lpid_guest(unsigned long lpid, unsigned long ric) + { + int set; + +@@ -377,8 +377,8 @@ static inline void __tlbiel_va_range(unsigned long start, unsigned long end, + __tlbiel_va(addr, pid, ap, RIC_FLUSH_TLB); + } + +-static inline void _tlbiel_va(unsigned long va, unsigned long pid, +- unsigned long psize, unsigned long ric) ++static __always_inline void _tlbiel_va(unsigned long va, unsigned long pid, ++ unsigned long psize, unsigned long ric) + { + unsigned long ap = mmu_get_ap(psize); + +@@ -409,8 +409,8 @@ static inline void __tlbie_va_range(unsigned long start, unsigned long end, + __tlbie_va(addr, pid, ap, RIC_FLUSH_TLB); + } + +-static inline void _tlbie_va(unsigned long va, unsigned long pid, +- unsigned long psize, unsigned long ric) ++static __always_inline void _tlbie_va(unsigned long va, unsigned long pid, ++ unsigned long psize, unsigned long ric) + { + unsigned long ap = mmu_get_ap(psize); + +@@ -420,7 +420,7 @@ static inline void _tlbie_va(unsigned long va, unsigned long pid, + asm volatile("eieio; tlbsync; ptesync": : :"memory"); + } + +-static inline void _tlbie_lpid_va(unsigned long va, unsigned long lpid, ++static __always_inline void _tlbie_lpid_va(unsigned long va, unsigned long lpid, + unsigned long psize, unsigned long ric) + { + unsigned long ap = mmu_get_ap(psize); +-- +2.20.1 + diff --git a/queue-5.2/powerpc-pci-of-fix-of-flags-parsing-for-64bit-bars.patch b/queue-5.2/powerpc-pci-of-fix-of-flags-parsing-for-64bit-bars.patch new file mode 100644 index 00000000000..39dad85f824 --- /dev/null +++ b/queue-5.2/powerpc-pci-of-fix-of-flags-parsing-for-64bit-bars.patch @@ -0,0 +1,65 @@ +From 93603e1cd87b0069783a875eac58bb3de22ba22f Mon Sep 17 00:00:00 2001 +From: Alexey Kardashevskiy +Date: Wed, 5 Jun 2019 13:38:14 +1000 +Subject: powerpc/pci/of: Fix OF flags parsing for 64bit BARs + +[ Upstream commit df5be5be8735ef2ae80d5ae1f2453cd81a035c4b ] + +When the firmware does PCI BAR resource allocation, it passes the assigned +addresses and flags (prefetch/64bit/...) via the "reg" property of +a PCI device device tree node so the kernel does not need to do +resource allocation. + +The flags are stored in resource::flags - the lower byte stores +PCI_BASE_ADDRESS_SPACE/etc bits and the other bytes are IORESOURCE_IO/etc. +Some flags from PCI_BASE_ADDRESS_xxx and IORESOURCE_xxx are duplicated, +such as PCI_BASE_ADDRESS_MEM_PREFETCH/PCI_BASE_ADDRESS_MEM_TYPE_64/etc. +When parsing the "reg" property, we copy the prefetch flag but we skip +on PCI_BASE_ADDRESS_MEM_TYPE_64 which leaves the flags out of sync. + +The missing IORESOURCE_MEM_64 flag comes into play under 2 conditions: +1. we remove PCI_PROBE_ONLY for pseries (by hacking pSeries_setup_arch() +or by passing "/chosen/linux,pci-probe-only"); +2. we request resource alignment (by passing pci=resource_alignment= +via the kernel cmd line to request PAGE_SIZE alignment or defining +ppc_md.pcibios_default_alignment which returns anything but 0). Note that +the alignment requests are ignored if PCI_PROBE_ONLY is enabled. + +With 1) and 2), the generic PCI code in the kernel unconditionally +decides to: +- reassign the BARs in pci_specified_resource_alignment() (works fine) +- write new BARs to the device - this fails for 64bit BARs as the generic +code looks at IORESOURCE_MEM_64 (not set) and writes only lower 32bits +of the BAR and leaves the upper 32bit unmodified which breaks BAR mapping +in the hypervisor. + +This fixes the issue by copying the flag. This is useful if we want to +enforce certain BAR alignment per platform as handling subpage sized BARs +is proven to cause problems with hotplug (SLOF already aligns BARs to 64k). + +Signed-off-by: Alexey Kardashevskiy +Reviewed-by: Sam Bobroff +Reviewed-by: Oliver O'Halloran +Reviewed-by: Shawn Anastasio +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/pci_of_scan.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/powerpc/kernel/pci_of_scan.c b/arch/powerpc/kernel/pci_of_scan.c +index 24522aa37665..c63c53b37e8e 100644 +--- a/arch/powerpc/kernel/pci_of_scan.c ++++ b/arch/powerpc/kernel/pci_of_scan.c +@@ -42,6 +42,8 @@ unsigned int pci_parse_of_flags(u32 addr0, int bridge) + if (addr0 & 0x02000000) { + flags = IORESOURCE_MEM | PCI_BASE_ADDRESS_SPACE_MEMORY; + flags |= (addr0 >> 22) & PCI_BASE_ADDRESS_MEM_TYPE_64; ++ if (flags & PCI_BASE_ADDRESS_MEM_TYPE_64) ++ flags |= IORESOURCE_MEM_64; + flags |= (addr0 >> 28) & PCI_BASE_ADDRESS_MEM_TYPE_1M; + if (addr0 & 0x40000000) + flags |= IORESOURCE_PREFETCH +-- +2.20.1 + diff --git a/queue-5.2/powerpc-pseries-mobility-prevent-cpu-hotplug-during-.patch b/queue-5.2/powerpc-pseries-mobility-prevent-cpu-hotplug-during-.patch new file mode 100644 index 00000000000..1977e39319b --- /dev/null +++ b/queue-5.2/powerpc-pseries-mobility-prevent-cpu-hotplug-during-.patch @@ -0,0 +1,57 @@ +From 99e9af4521ee6be5b7507e8cc4e8d6f372d5a90d Mon Sep 17 00:00:00 2001 +From: Nathan Lynch +Date: Tue, 11 Jun 2019 23:45:05 -0500 +Subject: powerpc/pseries/mobility: prevent cpu hotplug during DT update + +[ Upstream commit e59a175faa8df9d674247946f2a5a9c29c835725 ] + +CPU online/offline code paths are sensitive to parts of the device +tree (various cpu node properties, cache nodes) that can be changed as +a result of a migration. + +Prevent CPU hotplug while the device tree potentially is inconsistent. + +Fixes: 410bccf97881 ("powerpc/pseries: Partition migration in the kernel") +Signed-off-by: Nathan Lynch +Reviewed-by: Gautham R. Shenoy +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/pseries/mobility.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/arch/powerpc/platforms/pseries/mobility.c b/arch/powerpc/platforms/pseries/mobility.c +index 0c48c8964783..50e7aee3c7f3 100644 +--- a/arch/powerpc/platforms/pseries/mobility.c ++++ b/arch/powerpc/platforms/pseries/mobility.c +@@ -6,6 +6,7 @@ + * Copyright (C) 2010 IBM Corporation + */ + ++#include + #include + #include + #include +@@ -335,11 +336,19 @@ void post_mobility_fixup(void) + if (rc) + printk(KERN_ERR "Post-mobility activate-fw failed: %d\n", rc); + ++ /* ++ * We don't want CPUs to go online/offline while the device ++ * tree is being updated. ++ */ ++ cpus_read_lock(); ++ + rc = pseries_devicetree_update(MIGRATION_SCOPE); + if (rc) + printk(KERN_ERR "Post-mobility device tree update " + "failed: %d\n", rc); + ++ cpus_read_unlock(); ++ + /* Possibly switch to a new RFI flush type */ + pseries_setup_rfi_flush(); + +-- +2.20.1 + diff --git a/queue-5.2/powerpc-rtas-retry-when-cpu-offline-races-with-suspe.patch b/queue-5.2/powerpc-rtas-retry-when-cpu-offline-races-with-suspe.patch new file mode 100644 index 00000000000..f105e9b467c --- /dev/null +++ b/queue-5.2/powerpc-rtas-retry-when-cpu-offline-races-with-suspe.patch @@ -0,0 +1,55 @@ +From 4a150fcdaafa62638d17c07ee699b90495b3c6bd Mon Sep 17 00:00:00 2001 +From: Nathan Lynch +Date: Fri, 21 Jun 2019 01:05:18 -0500 +Subject: powerpc/rtas: retry when cpu offline races with suspend/migration + +[ Upstream commit 9fb603050ffd94f8127df99c699cca2f575eb6a0 ] + +The protocol for suspending or migrating an LPAR requires all present +processor threads to enter H_JOIN. So if we have threads offline, we +have to temporarily bring them up. This can race with administrator +actions such as SMT state changes. As of dfd718a2ed1f ("powerpc/rtas: +Fix a potential race between CPU-Offline & Migration"), +rtas_ibm_suspend_me() accounts for this, but errors out with -EBUSY +for what almost certainly is a transient condition in any reasonable +scenario. + +Callers of rtas_ibm_suspend_me() already retry when -EAGAIN is +returned, and it is typical during a migration for that to happen +repeatedly for several minutes polling the H_VASI_STATE hcall result +before proceeding to the next stage. + +So return -EAGAIN instead of -EBUSY when this race is +encountered. Additionally: logging this event is still appropriate but +use pr_info instead of pr_err; and remove use of unlikely() while here +as this is not a hot path at all. + +Fixes: dfd718a2ed1f ("powerpc/rtas: Fix a potential race between CPU-Offline & Migration") +Signed-off-by: Nathan Lynch +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/rtas.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/arch/powerpc/kernel/rtas.c b/arch/powerpc/kernel/rtas.c +index b824f4c69622..fff2eb22427d 100644 +--- a/arch/powerpc/kernel/rtas.c ++++ b/arch/powerpc/kernel/rtas.c +@@ -980,10 +980,9 @@ int rtas_ibm_suspend_me(u64 handle) + cpu_hotplug_disable(); + + /* Check if we raced with a CPU-Offline Operation */ +- if (unlikely(!cpumask_equal(cpu_present_mask, cpu_online_mask))) { +- pr_err("%s: Raced against a concurrent CPU-Offline\n", +- __func__); +- atomic_set(&data.error, -EBUSY); ++ if (!cpumask_equal(cpu_present_mask, cpu_online_mask)) { ++ pr_info("%s: Raced against a concurrent CPU-Offline\n", __func__); ++ atomic_set(&data.error, -EAGAIN); + goto out_hotplug_enable; + } + +-- +2.20.1 + diff --git a/queue-5.2/powerpc-silence-a-wcast-function-type-warning-in-daw.patch b/queue-5.2/powerpc-silence-a-wcast-function-type-warning-in-daw.patch new file mode 100644 index 00000000000..fd2283eb4cb --- /dev/null +++ b/queue-5.2/powerpc-silence-a-wcast-function-type-warning-in-daw.patch @@ -0,0 +1,59 @@ +From 6048b5bafcee5efa06a4266718d9667529e626a9 Mon Sep 17 00:00:00 2001 +From: Mathieu Malaterre +Date: Tue, 4 Jun 2019 13:00:36 +1000 +Subject: powerpc: silence a -Wcast-function-type warning in + dawr_write_file_bool + +[ Upstream commit 548c54acba5bd1388d50727a9a126a42d0cd4ad0 ] + +In commit c1fe190c0672 ("powerpc: Add force enable of DAWR on P9 +option") the following piece of code was added: + + smp_call_function((smp_call_func_t)set_dawr, &null_brk, 0); + +Since GCC 8 this triggers the following warning about incompatible +function types: + + arch/powerpc/kernel/hw_breakpoint.c:408:21: error: cast between incompatible function types from 'int (*)(struct arch_hw_breakpoint *)' to 'void (*)(void *)' [-Werror=cast-function-type] + +Since the warning is there for a reason, and should not be hidden behind +a cast, provide an intermediate callback function to avoid the warning. + +Fixes: c1fe190c0672 ("powerpc: Add force enable of DAWR on P9 option") +Suggested-by: Christoph Hellwig +Signed-off-by: Mathieu Malaterre +Signed-off-by: Michael Neuling +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/hw_breakpoint.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/kernel/hw_breakpoint.c b/arch/powerpc/kernel/hw_breakpoint.c +index a293a53b4365..50262597c222 100644 +--- a/arch/powerpc/kernel/hw_breakpoint.c ++++ b/arch/powerpc/kernel/hw_breakpoint.c +@@ -370,6 +370,11 @@ void hw_breakpoint_pmu_read(struct perf_event *bp) + bool dawr_force_enable; + EXPORT_SYMBOL_GPL(dawr_force_enable); + ++static void set_dawr_cb(void *info) ++{ ++ set_dawr(info); ++} ++ + static ssize_t dawr_write_file_bool(struct file *file, + const char __user *user_buf, + size_t count, loff_t *ppos) +@@ -389,7 +394,7 @@ static ssize_t dawr_write_file_bool(struct file *file, + + /* If we are clearing, make sure all CPUs have the DAWR cleared */ + if (!dawr_force_enable) +- smp_call_function((smp_call_func_t)set_dawr, &null_brk, 0); ++ smp_call_function(set_dawr_cb, &null_brk, 0); + + return rc; + } +-- +2.20.1 + diff --git a/queue-5.2/powerpc-xmon-fix-disabling-tracing-while-in-xmon.patch b/queue-5.2/powerpc-xmon-fix-disabling-tracing-while-in-xmon.patch new file mode 100644 index 00000000000..68fef768154 --- /dev/null +++ b/queue-5.2/powerpc-xmon-fix-disabling-tracing-while-in-xmon.patch @@ -0,0 +1,46 @@ +From 8fa902844f23f61fd884c8e4f35cea6842fa69c4 Mon Sep 17 00:00:00 2001 +From: "Naveen N. Rao" +Date: Thu, 27 Jun 2019 15:29:40 +0530 +Subject: powerpc/xmon: Fix disabling tracing while in xmon + +[ Upstream commit aaf06665f7ea3ee9f9754e16c1a507a89f1de5b1 ] + +Commit ed49f7fd6438d ("powerpc/xmon: Disable tracing when entering +xmon") added code to disable recording trace entries while in xmon. The +commit introduced a variable 'tracing_enabled' to record if tracing was +enabled on xmon entry, and used this to conditionally enable tracing +during exit from xmon. + +However, we are not checking the value of 'fromipi' variable in +xmon_core() when setting 'tracing_enabled'. Due to this, when secondary +cpus enter xmon, they will see tracing as being disabled already and +tracing won't be re-enabled on exit. Fix the same. + +Fixes: ed49f7fd6438d ("powerpc/xmon: Disable tracing when entering xmon") +Signed-off-by: Naveen N. Rao +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +--- + arch/powerpc/xmon/xmon.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/xmon/xmon.c b/arch/powerpc/xmon/xmon.c +index d0620d762a5a..4a721fd62406 100644 +--- a/arch/powerpc/xmon/xmon.c ++++ b/arch/powerpc/xmon/xmon.c +@@ -465,8 +465,10 @@ static int xmon_core(struct pt_regs *regs, int fromipi) + local_irq_save(flags); + hard_irq_disable(); + +- tracing_enabled = tracing_is_on(); +- tracing_off(); ++ if (!fromipi) { ++ tracing_enabled = tracing_is_on(); ++ tracing_off(); ++ } + + bp = in_breakpoint_table(regs->nip, &offset); + if (bp != NULL) { +-- +2.20.1 + diff --git a/queue-5.2/proc-use-down_read_killable-mmap_sem-for-proc-pid-cl.patch b/queue-5.2/proc-use-down_read_killable-mmap_sem-for-proc-pid-cl.patch new file mode 100644 index 00000000000..0b78d629b37 --- /dev/null +++ b/queue-5.2/proc-use-down_read_killable-mmap_sem-for-proc-pid-cl.patch @@ -0,0 +1,52 @@ +From 097b555dfd159d6b6045f9425433fec94480f58c Mon Sep 17 00:00:00 2001 +From: Konstantin Khlebnikov +Date: Thu, 11 Jul 2019 21:00:00 -0700 +Subject: proc: use down_read_killable mmap_sem for /proc/pid/clear_refs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit c46038017fbdcac627b670c9d4176f1d0c2f5fa3 ] + +Do not remain stuck forever if something goes wrong. Using a killable +lock permits cleanup of stuck tasks and simplifies investigation. + +Replace the only unkillable mmap_sem lock in clear_refs_write(). + +Link: http://lkml.kernel.org/r/156007493826.3335.5424884725467456239.stgit@buzz +Signed-off-by: Konstantin Khlebnikov +Reviewed-by: Roman Gushchin +Reviewed-by: Cyrill Gorcunov +Reviewed-by: Kirill Tkhai +Acked-by: Michal Hocko +Cc: Alexey Dobriyan +Cc: Al Viro +Cc: Matthew Wilcox +Cc: Michal Koutný +Cc: Oleg Nesterov +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/proc/task_mmu.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c +index 1d9c63cd8a3c..abcd9513efff 100644 +--- a/fs/proc/task_mmu.c ++++ b/fs/proc/task_mmu.c +@@ -1136,7 +1136,10 @@ static ssize_t clear_refs_write(struct file *file, const char __user *buf, + goto out_mm; + } + +- down_read(&mm->mmap_sem); ++ if (down_read_killable(&mm->mmap_sem)) { ++ count = -EINTR; ++ goto out_mm; ++ } + tlb_gather_mmu(&tlb, mm, 0, -1); + if (type == CLEAR_REFS_SOFT_DIRTY) { + for (vma = mm->mmap; vma; vma = vma->vm_next) { +-- +2.20.1 + diff --git a/queue-5.2/proc-use-down_read_killable-mmap_sem-for-proc-pid-ma.patch b/queue-5.2/proc-use-down_read_killable-mmap_sem-for-proc-pid-ma.patch new file mode 100644 index 00000000000..144061edb48 --- /dev/null +++ b/queue-5.2/proc-use-down_read_killable-mmap_sem-for-proc-pid-ma.patch @@ -0,0 +1,106 @@ +From 96c70885e2aa799b563d65a3bfa52d080852fad0 Mon Sep 17 00:00:00 2001 +From: Konstantin Khlebnikov +Date: Thu, 11 Jul 2019 21:00:03 -0700 +Subject: proc: use down_read_killable mmap_sem for /proc/pid/map_files +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit cd9e2bb8271c971d9f37c722be2616c7f8ba0664 ] + +Do not remain stuck forever if something goes wrong. Using a killable +lock permits cleanup of stuck tasks and simplifies investigation. + +It seems ->d_revalidate() could return any error (except ECHILD) to abort +validation and pass error as result of lookup sequence. + +[akpm@linux-foundation.org: fix proc_map_files_lookup() return value, per Andrei] +Link: http://lkml.kernel.org/r/156007493995.3335.9595044802115356911.stgit@buzz +Signed-off-by: Konstantin Khlebnikov +Reviewed-by: Roman Gushchin +Reviewed-by: Cyrill Gorcunov +Reviewed-by: Kirill Tkhai +Acked-by: Michal Hocko +Cc: Alexey Dobriyan +Cc: Al Viro +Cc: Matthew Wilcox +Cc: Michal Koutný +Cc: Oleg Nesterov +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/proc/base.c | 28 ++++++++++++++++++++++------ + 1 file changed, 22 insertions(+), 6 deletions(-) + +diff --git a/fs/proc/base.c b/fs/proc/base.c +index 255f6754c70d..03517154fe0f 100644 +--- a/fs/proc/base.c ++++ b/fs/proc/base.c +@@ -1962,9 +1962,12 @@ static int map_files_d_revalidate(struct dentry *dentry, unsigned int flags) + goto out; + + if (!dname_to_vma_addr(dentry, &vm_start, &vm_end)) { +- down_read(&mm->mmap_sem); +- exact_vma_exists = !!find_exact_vma(mm, vm_start, vm_end); +- up_read(&mm->mmap_sem); ++ status = down_read_killable(&mm->mmap_sem); ++ if (!status) { ++ exact_vma_exists = !!find_exact_vma(mm, vm_start, ++ vm_end); ++ up_read(&mm->mmap_sem); ++ } + } + + mmput(mm); +@@ -2010,8 +2013,11 @@ static int map_files_get_link(struct dentry *dentry, struct path *path) + if (rc) + goto out_mmput; + ++ rc = down_read_killable(&mm->mmap_sem); ++ if (rc) ++ goto out_mmput; ++ + rc = -ENOENT; +- down_read(&mm->mmap_sem); + vma = find_exact_vma(mm, vm_start, vm_end); + if (vma && vma->vm_file) { + *path = vma->vm_file->f_path; +@@ -2107,7 +2113,11 @@ static struct dentry *proc_map_files_lookup(struct inode *dir, + if (!mm) + goto out_put_task; + +- down_read(&mm->mmap_sem); ++ result = ERR_PTR(-EINTR); ++ if (down_read_killable(&mm->mmap_sem)) ++ goto out_put_mm; ++ ++ result = ERR_PTR(-ENOENT); + vma = find_exact_vma(mm, vm_start, vm_end); + if (!vma) + goto out_no_vma; +@@ -2118,6 +2128,7 @@ static struct dentry *proc_map_files_lookup(struct inode *dir, + + out_no_vma: + up_read(&mm->mmap_sem); ++out_put_mm: + mmput(mm); + out_put_task: + put_task_struct(task); +@@ -2160,7 +2171,12 @@ proc_map_files_readdir(struct file *file, struct dir_context *ctx) + mm = get_task_mm(task); + if (!mm) + goto out_put_task; +- down_read(&mm->mmap_sem); ++ ++ ret = down_read_killable(&mm->mmap_sem); ++ if (ret) { ++ mmput(mm); ++ goto out_put_task; ++ } + + nr_files = 0; + +-- +2.20.1 + diff --git a/queue-5.2/proc-use-down_read_killable-mmap_sem-for-proc-pid-ma.patch-17560 b/queue-5.2/proc-use-down_read_killable-mmap_sem-for-proc-pid-ma.patch-17560 new file mode 100644 index 00000000000..e79b6219964 --- /dev/null +++ b/queue-5.2/proc-use-down_read_killable-mmap_sem-for-proc-pid-ma.patch-17560 @@ -0,0 +1,71 @@ +From 5cab4273ee34bf2b3a6140feef4cc02f022bbd94 Mon Sep 17 00:00:00 2001 +From: Konstantin Khlebnikov +Date: Thu, 11 Jul 2019 20:59:50 -0700 +Subject: proc: use down_read_killable mmap_sem for /proc/pid/maps +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 8a713e7df3352b8d9392476e9cf29e4e185dac32 ] + +Do not remain stuck forever if something goes wrong. Using a killable +lock permits cleanup of stuck tasks and simplifies investigation. + +This function is also used for /proc/pid/smaps. + +Link: http://lkml.kernel.org/r/156007493160.3335.14447544314127417266.stgit@buzz +Signed-off-by: Konstantin Khlebnikov +Reviewed-by: Roman Gushchin +Reviewed-by: Cyrill Gorcunov +Reviewed-by: Kirill Tkhai +Acked-by: Michal Hocko +Cc: Alexey Dobriyan +Cc: Al Viro +Cc: Matthew Wilcox +Cc: Michal Koutný +Cc: Oleg Nesterov +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/proc/task_mmu.c | 6 +++++- + fs/proc/task_nommu.c | 6 +++++- + 2 files changed, 10 insertions(+), 2 deletions(-) + +diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c +index abcd9513efff..7f84d1477b5b 100644 +--- a/fs/proc/task_mmu.c ++++ b/fs/proc/task_mmu.c +@@ -166,7 +166,11 @@ static void *m_start(struct seq_file *m, loff_t *ppos) + if (!mm || !mmget_not_zero(mm)) + return NULL; + +- down_read(&mm->mmap_sem); ++ if (down_read_killable(&mm->mmap_sem)) { ++ mmput(mm); ++ return ERR_PTR(-EINTR); ++ } ++ + hold_task_mempolicy(priv); + priv->tail_vma = get_gate_vma(mm); + +diff --git a/fs/proc/task_nommu.c b/fs/proc/task_nommu.c +index 36bf0f2e102e..7907e6419e57 100644 +--- a/fs/proc/task_nommu.c ++++ b/fs/proc/task_nommu.c +@@ -211,7 +211,11 @@ static void *m_start(struct seq_file *m, loff_t *pos) + if (!mm || !mmget_not_zero(mm)) + return NULL; + +- down_read(&mm->mmap_sem); ++ if (down_read_killable(&mm->mmap_sem)) { ++ mmput(mm); ++ return ERR_PTR(-EINTR); ++ } ++ + /* start from the Nth VMA */ + for (p = rb_first(&mm->mm_rb); p; p = rb_next(p)) + if (n-- == 0) +-- +2.20.1 + diff --git a/queue-5.2/proc-use-down_read_killable-mmap_sem-for-proc-pid-pa.patch b/queue-5.2/proc-use-down_read_killable-mmap_sem-for-proc-pid-pa.patch new file mode 100644 index 00000000000..4ad30d38faa --- /dev/null +++ b/queue-5.2/proc-use-down_read_killable-mmap_sem-for-proc-pid-pa.patch @@ -0,0 +1,49 @@ +From a1875e816a8c8e4d253790f3972aa0b3ffa3d29f Mon Sep 17 00:00:00 2001 +From: Konstantin Khlebnikov +Date: Thu, 11 Jul 2019 20:59:56 -0700 +Subject: proc: use down_read_killable mmap_sem for /proc/pid/pagemap +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit ad80b932c57d85fd6377f97f359b025baf179a87 ] + +Do not remain stuck forever if something goes wrong. Using a killable +lock permits cleanup of stuck tasks and simplifies investigation. + +Link: http://lkml.kernel.org/r/156007493638.3335.4872164955523928492.stgit@buzz +Signed-off-by: Konstantin Khlebnikov +Reviewed-by: Roman Gushchin +Reviewed-by: Cyrill Gorcunov +Reviewed-by: Kirill Tkhai +Acked-by: Michal Hocko +Cc: Alexey Dobriyan +Cc: Al Viro +Cc: Matthew Wilcox +Cc: Michal Koutný +Cc: Oleg Nesterov +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/proc/task_mmu.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c +index 4d9a8e72d91f..1d9c63cd8a3c 100644 +--- a/fs/proc/task_mmu.c ++++ b/fs/proc/task_mmu.c +@@ -1543,7 +1543,9 @@ static ssize_t pagemap_read(struct file *file, char __user *buf, + /* overflow ? */ + if (end < start_vaddr || end > end_vaddr) + end = end_vaddr; +- down_read(&mm->mmap_sem); ++ ret = down_read_killable(&mm->mmap_sem); ++ if (ret) ++ goto out_free; + ret = walk_page_range(start_vaddr, end, &pagemap_walk); + up_read(&mm->mmap_sem); + start_vaddr = end; +-- +2.20.1 + diff --git a/queue-5.2/proc-use-down_read_killable-mmap_sem-for-proc-pid-sm.patch b/queue-5.2/proc-use-down_read_killable-mmap_sem-for-proc-pid-sm.patch new file mode 100644 index 00000000000..200c5c617a8 --- /dev/null +++ b/queue-5.2/proc-use-down_read_killable-mmap_sem-for-proc-pid-sm.patch @@ -0,0 +1,61 @@ +From e057a65fafe7da2dbfd9200671718706891f826e Mon Sep 17 00:00:00 2001 +From: Konstantin Khlebnikov +Date: Thu, 11 Jul 2019 20:59:53 -0700 +Subject: proc: use down_read_killable mmap_sem for /proc/pid/smaps_rollup +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit a26a97815548574213fd37f29b4b78ccc6d9ed20 ] + +Do not remain stuck forever if something goes wrong. Using a killable +lock permits cleanup of stuck tasks and simplifies investigation. + +Link: http://lkml.kernel.org/r/156007493429.3335.14666825072272692455.stgit@buzz +Signed-off-by: Konstantin Khlebnikov +Reviewed-by: Roman Gushchin +Reviewed-by: Cyrill Gorcunov +Reviewed-by: Kirill Tkhai +Acked-by: Michal Hocko +Cc: Alexey Dobriyan +Cc: Al Viro +Cc: Matthew Wilcox +Cc: Michal Koutný +Cc: Oleg Nesterov +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/proc/task_mmu.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c +index 01d4eb0e6bd1..4d9a8e72d91f 100644 +--- a/fs/proc/task_mmu.c ++++ b/fs/proc/task_mmu.c +@@ -828,7 +828,10 @@ static int show_smaps_rollup(struct seq_file *m, void *v) + + memset(&mss, 0, sizeof(mss)); + +- down_read(&mm->mmap_sem); ++ ret = down_read_killable(&mm->mmap_sem); ++ if (ret) ++ goto out_put_mm; ++ + hold_task_mempolicy(priv); + + for (vma = priv->mm->mmap; vma; vma = vma->vm_next) { +@@ -845,8 +848,9 @@ static int show_smaps_rollup(struct seq_file *m, void *v) + + release_task_mempolicy(priv); + up_read(&mm->mmap_sem); +- mmput(mm); + ++out_put_mm: ++ mmput(mm); + out_put_task: + put_task_struct(priv->task); + priv->task = NULL; +-- +2.20.1 + diff --git a/queue-5.2/rdma-core-fix-race-when-resolving-ip-address.patch b/queue-5.2/rdma-core-fix-race-when-resolving-ip-address.patch new file mode 100644 index 00000000000..c1dbffb238b --- /dev/null +++ b/queue-5.2/rdma-core-fix-race-when-resolving-ip-address.patch @@ -0,0 +1,64 @@ +From c135acdefcee0df594f121b0796dcd4d06e65310 Mon Sep 17 00:00:00 2001 +From: Dag Moxnes +Date: Tue, 9 Jul 2019 13:50:26 +0200 +Subject: RDMA/core: Fix race when resolving IP address +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit d8d9ec7dc5abbb3f11d866e983c4984f5c2de9d6 ] + +Use the neighbour lock when copying the MAC address from the neighbour +data struct in dst_fetch_ha. + +When not using the lock, it is possible for the function to race with +neigh_update(), causing it to copy an torn MAC address: + +rdma_resolve_addr() + rdma_resolve_ip() + addr_resolve() + addr_resolve_neigh() + fetch_ha() + dst_fetch_ha() + memcpy(dev_addr->dst_dev_addr, n->ha, MAX_ADDR_LEN) + +and + +net_ioctl() + arp_ioctl() + arp_rec_delete() + arp_invalidate() + neigh_update() + __neigh_update() + memcpy(&neigh->ha, lladdr, dev->addr_len) + +It is possible to provoke this error by calling rdma_resolve_addr() in a +tight loop, while deleting the corresponding ARP entry in another tight +loop. + +Fixes: 51d45974515c ("infiniband: addr: Consolidate code to fetch neighbour hardware address from dst.") +Signed-off-by: Dag Moxnes +Signed-off-by: HÃ¥kon Bugge +Reviewed-by: Jason Gunthorpe +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/addr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/core/addr.c b/drivers/infiniband/core/addr.c +index 2f7d14159841..9b76a8fcdd24 100644 +--- a/drivers/infiniband/core/addr.c ++++ b/drivers/infiniband/core/addr.c +@@ -337,7 +337,7 @@ static int dst_fetch_ha(const struct dst_entry *dst, + neigh_event_send(n, NULL); + ret = -ENODATA; + } else { +- memcpy(dev_addr->dst_dev_addr, n->ha, MAX_ADDR_LEN); ++ neigh_ha_snapshot(dev_addr->dst_dev_addr, n, dst->dev); + } + + neigh_release(n); +-- +2.20.1 + diff --git a/queue-5.2/rdma-i40iw-set-queue-pair-state-when-being-queried.patch b/queue-5.2/rdma-i40iw-set-queue-pair-state-when-being-queried.patch new file mode 100644 index 00000000000..0bea6f7dcb7 --- /dev/null +++ b/queue-5.2/rdma-i40iw-set-queue-pair-state-when-being-queried.patch @@ -0,0 +1,36 @@ +From 1a5085965241f0a738c2bc96ba2d0b59e4541f64 Mon Sep 17 00:00:00 2001 +From: "Liu, Changcheng" +Date: Fri, 28 Jun 2019 14:16:13 +0800 +Subject: RDMA/i40iw: Set queue pair state when being queried + +[ Upstream commit 2e67e775845373905d2c2aecb9062c2c4352a535 ] + +The API for ib_query_qp requires the driver to set qp_state and +cur_qp_state on return, add the missing sets. + +Fixes: d37498417947 ("i40iw: add files for iwarp interface") +Signed-off-by: Changcheng Liu +Acked-by: Shiraz Saleem +Reviewed-by: Jason Gunthorpe +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/i40iw/i40iw_verbs.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/infiniband/hw/i40iw/i40iw_verbs.c b/drivers/infiniband/hw/i40iw/i40iw_verbs.c +index 5689d742bafb..4c88d6f72574 100644 +--- a/drivers/infiniband/hw/i40iw/i40iw_verbs.c ++++ b/drivers/infiniband/hw/i40iw/i40iw_verbs.c +@@ -772,6 +772,8 @@ static int i40iw_query_qp(struct ib_qp *ibqp, + struct i40iw_qp *iwqp = to_iwqp(ibqp); + struct i40iw_sc_qp *qp = &iwqp->sc_qp; + ++ attr->qp_state = iwqp->ibqp_state; ++ attr->cur_qp_state = attr->qp_state; + attr->qp_access_flags = 0; + attr->cap.max_send_wr = qp->qp_uk.sq_size; + attr->cap.max_recv_wr = qp->qp_uk.rq_size; +-- +2.20.1 + diff --git a/queue-5.2/rdma-rxe-fill-in-wc-byte_len-with-ib_wc_recv_rdma_wi.patch b/queue-5.2/rdma-rxe-fill-in-wc-byte_len-with-ib_wc_recv_rdma_wi.patch new file mode 100644 index 00000000000..5a8d22a290a --- /dev/null +++ b/queue-5.2/rdma-rxe-fill-in-wc-byte_len-with-ib_wc_recv_rdma_wi.patch @@ -0,0 +1,61 @@ +From fedf8292e7a84a5b3a486ca1681c5ab561b52624 Mon Sep 17 00:00:00 2001 +From: Konstantin Taranov +Date: Thu, 27 Jun 2019 16:06:43 +0200 +Subject: RDMA/rxe: Fill in wc byte_len with IB_WC_RECV_RDMA_WITH_IMM + +[ Upstream commit bdce1290493caa3f8119f24b5dacc3fb7ca27389 ] + +Calculate the correct byte_len on the receiving side when a work +completion is generated with IB_WC_RECV_RDMA_WITH_IMM opcode. + +According to the IBA byte_len must indicate the number of written bytes, +whereas it was always equal to zero for the IB_WC_RECV_RDMA_WITH_IMM +opcode, even though data was transferred. + +Fixes: 8700e3e7c485 ("Soft RoCE driver") +Signed-off-by: Konstantin Taranov +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/rxe/rxe_resp.c | 5 ++++- + drivers/infiniband/sw/rxe/rxe_verbs.h | 1 + + 2 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/sw/rxe/rxe_resp.c b/drivers/infiniband/sw/rxe/rxe_resp.c +index aca9f60f9b21..1cbfbd98eb22 100644 +--- a/drivers/infiniband/sw/rxe/rxe_resp.c ++++ b/drivers/infiniband/sw/rxe/rxe_resp.c +@@ -431,6 +431,7 @@ static enum resp_states check_rkey(struct rxe_qp *qp, + qp->resp.va = reth_va(pkt); + qp->resp.rkey = reth_rkey(pkt); + qp->resp.resid = reth_len(pkt); ++ qp->resp.length = reth_len(pkt); + } + access = (pkt->mask & RXE_READ_MASK) ? IB_ACCESS_REMOTE_READ + : IB_ACCESS_REMOTE_WRITE; +@@ -856,7 +857,9 @@ static enum resp_states do_complete(struct rxe_qp *qp, + pkt->mask & RXE_WRITE_MASK) ? + IB_WC_RECV_RDMA_WITH_IMM : IB_WC_RECV; + wc->vendor_err = 0; +- wc->byte_len = wqe->dma.length - wqe->dma.resid; ++ wc->byte_len = (pkt->mask & RXE_IMMDT_MASK && ++ pkt->mask & RXE_WRITE_MASK) ? ++ qp->resp.length : wqe->dma.length - wqe->dma.resid; + + /* fields after byte_len are different between kernel and user + * space +diff --git a/drivers/infiniband/sw/rxe/rxe_verbs.h b/drivers/infiniband/sw/rxe/rxe_verbs.h +index e8be7f44e3be..28bfb3ece104 100644 +--- a/drivers/infiniband/sw/rxe/rxe_verbs.h ++++ b/drivers/infiniband/sw/rxe/rxe_verbs.h +@@ -213,6 +213,7 @@ struct rxe_resp_info { + struct rxe_mem *mr; + u32 resid; + u32 rkey; ++ u32 length; + u64 atomic_orig; + + /* SRQ only */ +-- +2.20.1 + diff --git a/queue-5.2/rds-accept-peer-connection-reject-messages-due-to-in.patch b/queue-5.2/rds-accept-peer-connection-reject-messages-due-to-in.patch new file mode 100644 index 00000000000..8c5dadfeba0 --- /dev/null +++ b/queue-5.2/rds-accept-peer-connection-reject-messages-due-to-in.patch @@ -0,0 +1,125 @@ +From ec53f0a9991fdd04fef370bfc7b12100a8c5fac6 Mon Sep 17 00:00:00 2001 +From: Gerd Rausch +Date: Thu, 27 Jun 2019 09:21:44 -0700 +Subject: rds: Accept peer connection reject messages due to incompatible + version + +[ Upstream commit 8c6166cfc9cd48e93d9176561e50b63cef4330d5 ] + +Prior to +commit d021fabf525ff ("rds: rdma: add consumer reject") + +function "rds_rdma_cm_event_handler_cmn" would always honor a rejected +connection attempt by issuing a "rds_conn_drop". + +The commit mentioned above added a "break", eliminating +the "fallthrough" case and made the "rds_conn_drop" rather conditional: + +Now it only happens if a "consumer defined" reject (i.e. "rdma_reject") +carries an integer-value of "1" inside "private_data": + + if (!conn) + break; + err = (int *)rdma_consumer_reject_data(cm_id, event, &len); + if (!err || (err && ((*err) == RDS_RDMA_REJ_INCOMPAT))) { + pr_warn("RDS/RDMA: conn <%pI6c, %pI6c> rejected, dropping connection\n", + &conn->c_laddr, &conn->c_faddr); + conn->c_proposed_version = RDS_PROTOCOL_COMPAT_VERSION; + rds_conn_drop(conn); + } + rdsdebug("Connection rejected: %s\n", + rdma_reject_msg(cm_id, event->status)); + break; + /* FALLTHROUGH */ +A number of issues are worth mentioning here: + #1) Previous versions of the RDS code simply rejected a connection + by calling "rdma_reject(cm_id, NULL, 0);" + So the value of the payload in "private_data" will not be "1", + but "0". + + #2) Now the code has become dependent on host byte order and sizing. + If one peer is big-endian, the other is little-endian, + or there's a difference in sizeof(int) (e.g. ILP64 vs LP64), + the *err check does not work as intended. + + #3) There is no check for "len" to see if the data behind *err is even valid. + Luckily, it appears that the "rdma_reject(cm_id, NULL, 0)" will always + carry 148 bytes of zeroized payload. + But that should probably not be relied upon here. + + #4) With the added "break;", + we might as well drop the misleading "/* FALLTHROUGH */" comment. + +This commit does _not_ address issue #2, as the sender would have to +agree on a byte order as well. + +Here is the sequence of messages in this observed error-scenario: + Host-A is pre-QoS changes (excluding the commit mentioned above) + Host-B is post-QoS changes (including the commit mentioned above) + + #1 Host-B + issues a connection request via function "rds_conn_path_transition" + connection state transitions to "RDS_CONN_CONNECTING" + + #2 Host-A + rejects the incompatible connection request (from #1) + It does so by calling "rdma_reject(cm_id, NULL, 0);" + + #3 Host-B + receives an "RDMA_CM_EVENT_REJECTED" event (from #2) + But since the code is changed in the way described above, + it won't drop the connection here, simply because "*err == 0". + + #4 Host-A + issues a connection request + + #5 Host-B + receives an "RDMA_CM_EVENT_CONNECT_REQUEST" event + and ends up calling "rds_ib_cm_handle_connect". + But since the state is already in "RDS_CONN_CONNECTING" + (as of #1) it will end up issuing a "rdma_reject" without + dropping the connection: + if (rds_conn_state(conn) == RDS_CONN_CONNECTING) { + /* Wait and see - our connect may still be succeeding */ + rds_ib_stats_inc(s_ib_connect_raced); + } + goto out; + + #6 Host-A + receives an "RDMA_CM_EVENT_REJECTED" event (from #5), + drops the connection and tries again (goto #4) until it gives up. + +Tested-by: Zhu Yanjun +Signed-off-by: Gerd Rausch +Signed-off-by: Santosh Shilimkar +Signed-off-by: Sasha Levin +--- + net/rds/rdma_transport.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/net/rds/rdma_transport.c b/net/rds/rdma_transport.c +index 46bce8389066..9db455d02255 100644 +--- a/net/rds/rdma_transport.c ++++ b/net/rds/rdma_transport.c +@@ -112,7 +112,9 @@ static int rds_rdma_cm_event_handler_cmn(struct rdma_cm_id *cm_id, + if (!conn) + break; + err = (int *)rdma_consumer_reject_data(cm_id, event, &len); +- if (!err || (err && ((*err) == RDS_RDMA_REJ_INCOMPAT))) { ++ if (!err || ++ (err && len >= sizeof(*err) && ++ ((*err) <= RDS_RDMA_REJ_INCOMPAT))) { + pr_warn("RDS/RDMA: conn <%pI6c, %pI6c> rejected, dropping connection\n", + &conn->c_laddr, &conn->c_faddr); + conn->c_proposed_version = RDS_PROTOCOL_COMPAT_VERSION; +@@ -122,7 +124,6 @@ static int rds_rdma_cm_event_handler_cmn(struct rdma_cm_id *cm_id, + rdsdebug("Connection rejected: %s\n", + rdma_reject_msg(cm_id, event->status)); + break; +- /* FALLTHROUGH */ + case RDMA_CM_EVENT_ADDR_ERROR: + case RDMA_CM_EVENT_ROUTE_ERROR: + case RDMA_CM_EVENT_CONNECT_ERROR: +-- +2.20.1 + diff --git a/queue-5.2/recordmcount-fix-spurious-mcount-entries-on-powerpc.patch b/queue-5.2/recordmcount-fix-spurious-mcount-entries-on-powerpc.patch new file mode 100644 index 00000000000..2bfae6859db --- /dev/null +++ b/queue-5.2/recordmcount-fix-spurious-mcount-entries-on-powerpc.patch @@ -0,0 +1,94 @@ +From a050b87ef03d11b0d2addcf232839214a22aa1e1 Mon Sep 17 00:00:00 2001 +From: "Naveen N. Rao" +Date: Thu, 27 Jun 2019 00:08:01 +0530 +Subject: recordmcount: Fix spurious mcount entries on powerpc + +[ Upstream commit 80e5302e4bc85a6b685b7668c36c6487b5f90e9a ] + +An impending change to enable HAVE_C_RECORDMCOUNT on powerpc leads to +warnings such as the following: + + # modprobe kprobe_example + ftrace-powerpc: Not expected bl: opcode is 3c4c0001 + WARNING: CPU: 0 PID: 227 at kernel/trace/ftrace.c:2001 ftrace_bug+0x90/0x318 + Modules linked in: + CPU: 0 PID: 227 Comm: modprobe Not tainted 5.2.0-rc6-00678-g1c329100b942 #2 + NIP: c000000000264318 LR: c00000000025d694 CTR: c000000000f5cd30 + REGS: c000000001f2b7b0 TRAP: 0700 Not tainted (5.2.0-rc6-00678-g1c329100b942) + MSR: 900000010282b033 CR: 28228222 XER: 00000000 + CFAR: c0000000002642fc IRQMASK: 0 + + NIP [c000000000264318] ftrace_bug+0x90/0x318 + LR [c00000000025d694] ftrace_process_locs+0x4f4/0x5e0 + Call Trace: + [c000000001f2ba40] [0000000000000004] 0x4 (unreliable) + [c000000001f2bad0] [c00000000025d694] ftrace_process_locs+0x4f4/0x5e0 + [c000000001f2bb90] [c00000000020ff10] load_module+0x25b0/0x30c0 + [c000000001f2bd00] [c000000000210cb0] sys_finit_module+0xc0/0x130 + [c000000001f2be20] [c00000000000bda4] system_call+0x5c/0x70 + Instruction dump: + 419e0018 2f83ffff 419e00bc 2f83ffea 409e00cc 4800001c 0fe00000 3c62ff96 + 39000001 39400000 386386d0 480000c4 <0fe00000> 3ce20003 39000001 3c62ff96 + ---[ end trace 4c438d5cebf78381 ]--- + ftrace failed to modify + [] 0xc0080000012a0008 + actual: 01:00:4c:3c + Initializing ftrace call sites + ftrace record flags: 2000000 + (0) + expected tramp: c00000000006af4c + +Looking at the relocation records in __mcount_loc shows a few spurious +entries: + + RELOCATION RECORDS FOR [__mcount_loc]: + OFFSET TYPE VALUE + 0000000000000000 R_PPC64_ADDR64 .text.unlikely+0x0000000000000008 + 0000000000000008 R_PPC64_ADDR64 .text.unlikely+0x0000000000000014 + 0000000000000010 R_PPC64_ADDR64 .text.unlikely+0x0000000000000060 + 0000000000000018 R_PPC64_ADDR64 .text.unlikely+0x00000000000000b4 + 0000000000000020 R_PPC64_ADDR64 .init.text+0x0000000000000008 + 0000000000000028 R_PPC64_ADDR64 .init.text+0x0000000000000014 + +The first entry in each section is incorrect. Looking at the +relocation records, the spurious entries correspond to the +R_PPC64_ENTRY records: + + RELOCATION RECORDS FOR [.text.unlikely]: + OFFSET TYPE VALUE + 0000000000000000 R_PPC64_REL64 .TOC.-0x0000000000000008 + 0000000000000008 R_PPC64_ENTRY *ABS* + 0000000000000014 R_PPC64_REL24 _mcount + + +The problem is that we are not validating the return value from +get_mcountsym() in sift_rel_mcount(). With this entry, mcountsym is 0, +but Elf_r_sym(relp) also ends up being 0. Fix this by ensuring +mcountsym is valid before processing the entry. + +Signed-off-by: Naveen N. Rao +Acked-by: Steven Rostedt (VMware) +Tested-by: Satheesh Rajendran +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +--- + scripts/recordmcount.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/scripts/recordmcount.h b/scripts/recordmcount.h +index 13c5e6c8829c..47fca2c69a73 100644 +--- a/scripts/recordmcount.h ++++ b/scripts/recordmcount.h +@@ -325,7 +325,8 @@ static uint_t *sift_rel_mcount(uint_t *mlocp, + if (!mcountsym) + mcountsym = get_mcountsym(sym0, relp, str0); + +- if (mcountsym == Elf_r_sym(relp) && !is_fake_mcount(relp)) { ++ if (mcountsym && mcountsym == Elf_r_sym(relp) && ++ !is_fake_mcount(relp)) { + uint_t const addend = + _w(_w(relp->r_offset) - recval + mcount_adjust); + mrelp->r_offset = _w(offbase +-- +2.20.1 + diff --git a/queue-5.2/rseq-selftests-fix-thumb-mode-build-failure-on-arm32.patch b/queue-5.2/rseq-selftests-fix-thumb-mode-build-failure-on-arm32.patch new file mode 100644 index 00000000000..131cc004f25 --- /dev/null +++ b/queue-5.2/rseq-selftests-fix-thumb-mode-build-failure-on-arm32.patch @@ -0,0 +1,161 @@ +From 7af5f6c4ee99835cfeebec4887b3472f2747f511 Mon Sep 17 00:00:00 2001 +From: Mathieu Desnoyers +Date: Sun, 30 Jun 2019 09:56:13 -0400 +Subject: rseq/selftests: Fix Thumb mode build failure on arm32 + +[ Upstream commit ee8a84c60bcc1f1615bd9cb3edfe501e26cdc85b ] + +Using ".arm .inst" for the arm signature introduces build issues for +programs compiled in Thumb mode because the assembler stays in the +arm mode for the rest of the inline assembly. Revert to using a ".word" +to express the signature as data instead. + +The choice of signature is a valid trap instruction on arm32 little +endian, where both code and data are little endian. + +ARMv6+ big endian (BE8) generates mixed endianness code vs data: +little-endian code and big-endian data. The data value of the signature +needs to have its byte order reversed to generate the trap instruction. + +Prior to ARMv6, -mbig-endian generates big-endian code and data +(which match), so the endianness of the data representation of the +signature should not be reversed. However, the choice between BE32 +and BE8 is done by the linker, so we cannot know whether code and +data endianness will be mixed before the linker is invoked. So rather +than try to play tricks with the linker, the rseq signature is simply +data (not a trap instruction) prior to ARMv6 on big endian. This is +why the signature is expressed as data (.word) rather than as +instruction (.inst) in assembler. + +Because a ".word" is used to emit the signature, it will be interpreted +as a literal pool by a disassembler, not as an actual instruction. +Considering that the signature is not meant to be executed except in +scenarios where the program execution is completely bogus, this should +not be an issue. + +Signed-off-by: Mathieu Desnoyers +Acked-by: Will Deacon +CC: Peter Zijlstra +CC: Thomas Gleixner +CC: Joel Fernandes +CC: Catalin Marinas +CC: Dave Watson +CC: Will Deacon +CC: Shuah Khan +CC: Andi Kleen +CC: linux-kselftest@vger.kernel.org +CC: "H . Peter Anvin" +CC: Chris Lameter +CC: Russell King +CC: Michael Kerrisk +CC: "Paul E . McKenney" +CC: Paul Turner +CC: Boqun Feng +CC: Josh Triplett +CC: Steven Rostedt +CC: Ben Maurer +CC: linux-api@vger.kernel.org +CC: Andy Lutomirski +CC: Andrew Morton +CC: Linus Torvalds +CC: Carlos O'Donell +CC: Florian Weimer +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/rseq/rseq-arm.h | 61 +++++++++++++------------ + 1 file changed, 33 insertions(+), 28 deletions(-) + +diff --git a/tools/testing/selftests/rseq/rseq-arm.h b/tools/testing/selftests/rseq/rseq-arm.h +index 84f28f147fb6..5943c816c07c 100644 +--- a/tools/testing/selftests/rseq/rseq-arm.h ++++ b/tools/testing/selftests/rseq/rseq-arm.h +@@ -6,6 +6,8 @@ + */ + + /* ++ * - ARM little endian ++ * + * RSEQ_SIG uses the udf A32 instruction with an uncommon immediate operand + * value 0x5de3. This traps if user-space reaches this instruction by mistake, + * and the uncommon operand ensures the kernel does not move the instruction +@@ -22,36 +24,40 @@ + * def3 udf #243 ; 0xf3 + * e7f5 b.n <7f5> + * +- * pre-ARMv6 big endian code: +- * e7f5 b.n <7f5> +- * def3 udf #243 ; 0xf3 ++ * - ARMv6+ big endian (BE8): + * + * ARMv6+ -mbig-endian generates mixed endianness code vs data: little-endian +- * code and big-endian data. Ensure the RSEQ_SIG data signature matches code +- * endianness. Prior to ARMv6, -mbig-endian generates big-endian code and data +- * (which match), so there is no need to reverse the endianness of the data +- * representation of the signature. However, the choice between BE32 and BE8 +- * is done by the linker, so we cannot know whether code and data endianness +- * will be mixed before the linker is invoked. ++ * code and big-endian data. The data value of the signature needs to have its ++ * byte order reversed to generate the trap instruction: ++ * ++ * Data: 0xf3def5e7 ++ * ++ * Translates to this A32 instruction pattern: ++ * ++ * e7f5def3 udf #24035 ; 0x5de3 ++ * ++ * Translates to this T16 instruction pattern: ++ * ++ * def3 udf #243 ; 0xf3 ++ * e7f5 b.n <7f5> ++ * ++ * - Prior to ARMv6 big endian (BE32): ++ * ++ * Prior to ARMv6, -mbig-endian generates big-endian code and data ++ * (which match), so the endianness of the data representation of the ++ * signature should not be reversed. However, the choice between BE32 ++ * and BE8 is done by the linker, so we cannot know whether code and ++ * data endianness will be mixed before the linker is invoked. So rather ++ * than try to play tricks with the linker, the rseq signature is simply ++ * data (not a trap instruction) prior to ARMv6 on big endian. This is ++ * why the signature is expressed as data (.word) rather than as ++ * instruction (.inst) in assembler. + */ + +-#define RSEQ_SIG_CODE 0xe7f5def3 +- +-#ifndef __ASSEMBLER__ +- +-#define RSEQ_SIG_DATA \ +- ({ \ +- int sig; \ +- asm volatile ("b 2f\n\t" \ +- "1: .inst " __rseq_str(RSEQ_SIG_CODE) "\n\t" \ +- "2:\n\t" \ +- "ldr %[sig], 1b\n\t" \ +- : [sig] "=r" (sig)); \ +- sig; \ +- }) +- +-#define RSEQ_SIG RSEQ_SIG_DATA +- ++#ifdef __ARMEB__ ++#define RSEQ_SIG 0xf3def5e7 /* udf #24035 ; 0x5de3 (ARMv6+) */ ++#else ++#define RSEQ_SIG 0xe7f5def3 /* udf #24035 ; 0x5de3 */ + #endif + + #define rseq_smp_mb() __asm__ __volatile__ ("dmb" ::: "memory", "cc") +@@ -125,8 +131,7 @@ do { \ + __rseq_str(table_label) ":\n\t" \ + ".word " __rseq_str(version) ", " __rseq_str(flags) "\n\t" \ + ".word " __rseq_str(start_ip) ", 0x0, " __rseq_str(post_commit_offset) ", 0x0, " __rseq_str(abort_ip) ", 0x0\n\t" \ +- ".arm\n\t" \ +- ".inst " __rseq_str(RSEQ_SIG_CODE) "\n\t" \ ++ ".word " __rseq_str(RSEQ_SIG) "\n\t" \ + __rseq_str(label) ":\n\t" \ + teardown \ + "b %l[" __rseq_str(abort_label) "]\n\t" +-- +2.20.1 + diff --git a/queue-5.2/serial-8250-fix-tx-interrupt-handling-condition.patch b/queue-5.2/serial-8250-fix-tx-interrupt-handling-condition.patch new file mode 100644 index 00000000000..f2c7746e1a2 --- /dev/null +++ b/queue-5.2/serial-8250-fix-tx-interrupt-handling-condition.patch @@ -0,0 +1,46 @@ +From 8175fe28d7847408e0b5de1272f31f5487e9c750 Mon Sep 17 00:00:00 2001 +From: Rautkoski Kimmo EXT +Date: Fri, 24 May 2019 09:19:22 +0000 +Subject: serial: 8250: Fix TX interrupt handling condition + +[ Upstream commit db1b5bc047b3cadaedab3826bba82c3d9e023c4b ] + +Interrupt handler checked THRE bit (transmitter holding register +empty) in LSR to detect if TX fifo is empty. +In case when there is only receive interrupts the TX handling +got called because THRE bit in LSR is set when there is no +transmission (FIFO empty). TX handling caused TX stop, which in +RS-485 half-duplex mode actually resets receiver FIFO. This is not +desired during reception because of possible data loss. + +The fix is to check if THRI is set in IER in addition of the TX +fifo status. THRI in IER is set when TX is started and cleared +when TX is stopped. +This ensures that TX handling is only called when there is really +transmission on going and an interrupt for THRE and not when there +are only RX interrupts. + +Signed-off-by: Kimmo Rautkoski +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/8250/8250_port.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/8250/8250_port.c b/drivers/tty/serial/8250/8250_port.c +index 682300713be4..eb2e2d141c01 100644 +--- a/drivers/tty/serial/8250/8250_port.c ++++ b/drivers/tty/serial/8250/8250_port.c +@@ -1874,7 +1874,8 @@ int serial8250_handle_irq(struct uart_port *port, unsigned int iir) + status = serial8250_rx_chars(up, status); + } + serial8250_modem_status(up); +- if ((!up->dma || up->dma->tx_err) && (status & UART_LSR_THRE)) ++ if ((!up->dma || up->dma->tx_err) && (status & UART_LSR_THRE) && ++ (up->ier & UART_IER_THRI)) + serial8250_tx_chars(up); + + uart_unlock_and_check_sysrq(port, flags); +-- +2.20.1 + diff --git a/queue-5.2/serial-imx-fix-locking-in-set_termios.patch b/queue-5.2/serial-imx-fix-locking-in-set_termios.patch new file mode 100644 index 00000000000..9e5d1d47c78 --- /dev/null +++ b/queue-5.2/serial-imx-fix-locking-in-set_termios.patch @@ -0,0 +1,87 @@ +From e2ce27301fda023324d456e526ce62752b2ad777 Mon Sep 17 00:00:00 2001 +From: Sergey Organov +Date: Tue, 11 Jun 2019 15:05:24 +0300 +Subject: serial: imx: fix locking in set_termios() + +[ Upstream commit 4e828c3e09201512be5ee162393f334321f7cf01 ] + +imx_uart_set_termios() called imx_uart_rts_active(), or +imx_uart_rts_inactive() before taking port->port.lock. + +As a consequence, sport->port.mctrl that these functions modify +could have been changed without holding port->port.lock. + +Moved locking of port->port.lock above the calls to fix the issue. + +Signed-off-by: Sergey Organov +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/imx.c | 23 +++++++++++++---------- + 1 file changed, 13 insertions(+), 10 deletions(-) + +diff --git a/drivers/tty/serial/imx.c b/drivers/tty/serial/imx.c +index 8b752e895053..10db3e54ac9e 100644 +--- a/drivers/tty/serial/imx.c ++++ b/drivers/tty/serial/imx.c +@@ -383,6 +383,7 @@ static void imx_uart_ucrs_restore(struct imx_port *sport, + } + #endif + ++/* called with port.lock taken and irqs caller dependent */ + static void imx_uart_rts_active(struct imx_port *sport, u32 *ucr2) + { + *ucr2 &= ~(UCR2_CTSC | UCR2_CTS); +@@ -391,6 +392,7 @@ static void imx_uart_rts_active(struct imx_port *sport, u32 *ucr2) + mctrl_gpio_set(sport->gpios, sport->port.mctrl); + } + ++/* called with port.lock taken and irqs caller dependent */ + static void imx_uart_rts_inactive(struct imx_port *sport, u32 *ucr2) + { + *ucr2 &= ~UCR2_CTSC; +@@ -400,6 +402,7 @@ static void imx_uart_rts_inactive(struct imx_port *sport, u32 *ucr2) + mctrl_gpio_set(sport->gpios, sport->port.mctrl); + } + ++/* called with port.lock taken and irqs caller dependent */ + static void imx_uart_rts_auto(struct imx_port *sport, u32 *ucr2) + { + *ucr2 |= UCR2_CTSC; +@@ -1549,6 +1552,16 @@ imx_uart_set_termios(struct uart_port *port, struct ktermios *termios, + old_csize = CS8; + } + ++ del_timer_sync(&sport->timer); ++ ++ /* ++ * Ask the core to calculate the divisor for us. ++ */ ++ baud = uart_get_baud_rate(port, termios, old, 50, port->uartclk / 16); ++ quot = uart_get_divisor(port, baud); ++ ++ spin_lock_irqsave(&sport->port.lock, flags); ++ + if ((termios->c_cflag & CSIZE) == CS8) + ucr2 = UCR2_WS | UCR2_SRST | UCR2_IRTS; + else +@@ -1592,16 +1605,6 @@ imx_uart_set_termios(struct uart_port *port, struct ktermios *termios, + ucr2 |= UCR2_PROE; + } + +- del_timer_sync(&sport->timer); +- +- /* +- * Ask the core to calculate the divisor for us. +- */ +- baud = uart_get_baud_rate(port, termios, old, 50, port->uartclk / 16); +- quot = uart_get_divisor(port, baud); +- +- spin_lock_irqsave(&sport->port.lock, flags); +- + sport->port.read_status_mask = 0; + if (termios->c_iflag & INPCK) + sport->port.read_status_mask |= (URXD_FRMERR | URXD_PRERR); +-- +2.20.1 + diff --git a/queue-5.2/serial-mctrl_gpio-check-if-gpio-property-exisits-bef.patch b/queue-5.2/serial-mctrl_gpio-check-if-gpio-property-exisits-bef.patch new file mode 100644 index 00000000000..d1d42716bac --- /dev/null +++ b/queue-5.2/serial-mctrl_gpio-check-if-gpio-property-exisits-bef.patch @@ -0,0 +1,111 @@ +From e7ecbf1f9c55286a9619224f6ff17a4c99ce5f2f Mon Sep 17 00:00:00 2001 +From: Stefan Roese +Date: Thu, 20 Jun 2019 08:24:19 +0200 +Subject: serial: mctrl_gpio: Check if GPIO property exisits before requesting + it + +[ Upstream commit d99482673f950817b30caf3fcdfb31179b050ce1 ] + +This patch adds a check for the GPIOs property existence, before the +GPIO is requested. This fixes an issue seen when the 8250 mctrl_gpio +support is added (2nd patch in this patch series) on x86 platforms using +ACPI. + +Here Mika's comments from 2016-08-09: + +" +I noticed that with v4.8-rc1 serial console of some of our Broxton +systems does not work properly anymore. I'm able to see output but input +does not work. + +I bisected it down to commit 4ef03d328769eddbfeca1f1c958fdb181a69c341 +("tty/serial/8250: use mctrl_gpio helpers"). + +The reason why it fails is that in ACPI we do not have names for GPIOs +(except when _DSD is used) so we use the "idx" to index into _CRS GPIO +resources. Now mctrl_gpio_init_noauto() goes through a list of GPIOs +calling devm_gpiod_get_index_optional() passing "idx" of 0 for each. The +UART device in Broxton has following (simplified) ACPI description: + + Device (URT4) + { + ... + Name (_CRS, ResourceTemplate () { + GpioIo (Exclusive, PullDefault, 0x0000, 0x0000, IoRestrictionOutputOnly, + "\\_SB.GPO0", 0x00, ResourceConsumer) + { + 0x003A + } + GpioIo (Exclusive, PullDefault, 0x0000, 0x0000, IoRestrictionOutputOnly, + "\\_SB.GPO0", 0x00, ResourceConsumer) + { + 0x003D + } + }) + +In this case it finds the first GPIO (0x003A which happens to be RX pin +for that UART), turns it into GPIO which then breaks input for the UART +device. This also breaks systems with bluetooth connected to UART (those +typically have some GPIOs in their _CRS). + +Any ideas how to fix this? + +We cannot just drop the _CRS index lookup fallback because that would +break many existing machines out there so maybe we can limit this to +only DT enabled machines. Or alternatively probe if the property first +exists before trying to acquire the GPIOs (using +device_property_present()). +" + +This patch implements the fix suggested by Mika in his statement above. + +Signed-off-by: Stefan Roese +Reviewed-by: Mika Westerberg +Reviewed-by: Andy Shevchenko +Tested-by: Yegor Yefremov +Cc: Mika Westerberg +Cc: Andy Shevchenko +Cc: Yegor Yefremov +Cc: Greg Kroah-Hartman +Cc: Giulio Benetti +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/serial_mctrl_gpio.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/drivers/tty/serial/serial_mctrl_gpio.c b/drivers/tty/serial/serial_mctrl_gpio.c +index 39ed56214cd3..2b400189be91 100644 +--- a/drivers/tty/serial/serial_mctrl_gpio.c ++++ b/drivers/tty/serial/serial_mctrl_gpio.c +@@ -12,6 +12,7 @@ + #include + #include + #include ++#include + + #include "serial_mctrl_gpio.h" + +@@ -116,6 +117,19 @@ struct mctrl_gpios *mctrl_gpio_init_noauto(struct device *dev, unsigned int idx) + + for (i = 0; i < UART_GPIO_MAX; i++) { + enum gpiod_flags flags; ++ char *gpio_str; ++ bool present; ++ ++ /* Check if GPIO property exists and continue if not */ ++ gpio_str = kasprintf(GFP_KERNEL, "%s-gpios", ++ mctrl_gpios_desc[i].name); ++ if (!gpio_str) ++ continue; ++ ++ present = device_property_present(dev, gpio_str); ++ kfree(gpio_str); ++ if (!present) ++ continue; + + if (mctrl_gpios_desc[i].dir_out) + flags = GPIOD_OUT_LOW; +-- +2.20.1 + diff --git a/queue-5.2/serial-sh-sci-fix-tx-dma-buffer-flushing-and-workque.patch b/queue-5.2/serial-sh-sci-fix-tx-dma-buffer-flushing-and-workque.patch new file mode 100644 index 00000000000..16a5ff7fcc7 --- /dev/null +++ b/queue-5.2/serial-sh-sci-fix-tx-dma-buffer-flushing-and-workque.patch @@ -0,0 +1,114 @@ +From b26eee2c58bf0e74e6941a0d3f35063307a63323 Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Mon, 24 Jun 2019 14:35:39 +0200 +Subject: serial: sh-sci: Fix TX DMA buffer flushing and workqueue races + +[ Upstream commit 8493eab02608b0e82f67b892aa72882e510c31d0 ] + +When uart_flush_buffer() is called, the .flush_buffer() callback zeroes +the tx_dma_len field. This may race with the work queue function +handling transmit DMA requests: + + 1. If the buffer is flushed before the first DMA API call, + dmaengine_prep_slave_single() may be called with a zero length, + causing the DMA request to never complete, leading to messages + like: + + rcar-dmac e7300000.dma-controller: Channel Address Error happen + + and, with debug enabled: + + sh-sci e6e88000.serial: sci_dma_tx_work_fn: ffff800639b55000: 0...0, cookie 126 + + and DMA timeouts. + + 2. If the buffer is flushed after the first DMA API call, but before + the second, dma_sync_single_for_device() may be called with a zero + length, causing the transmit data not to be flushed to RAM, and + leading to stale data being output. + +Fix this by: + 1. Letting sci_dma_tx_work_fn() return immediately if the transmit + buffer is empty, + 2. Extending the critical section to cover all DMA preparational work, + so tx_dma_len stays consistent for all of it, + 3. Using local copies of circ_buf.head and circ_buf.tail, to make sure + they match the actual operation above. + +Reported-by: Eugeniu Rosca +Suggested-by: Yoshihiro Shimoda +Signed-off-by: Geert Uytterhoeven +Reviewed-by: Eugeniu Rosca +Tested-by: Eugeniu Rosca +Link: https://lore.kernel.org/r/20190624123540.20629-2-geert+renesas@glider.be +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/sh-sci.c | 22 +++++++++++++++------- + 1 file changed, 15 insertions(+), 7 deletions(-) + +diff --git a/drivers/tty/serial/sh-sci.c b/drivers/tty/serial/sh-sci.c +index 1d25c4e2d0d2..d18c680aa64b 100644 +--- a/drivers/tty/serial/sh-sci.c ++++ b/drivers/tty/serial/sh-sci.c +@@ -1398,6 +1398,7 @@ static void sci_dma_tx_work_fn(struct work_struct *work) + struct circ_buf *xmit = &port->state->xmit; + unsigned long flags; + dma_addr_t buf; ++ int head, tail; + + /* + * DMA is idle now. +@@ -1407,16 +1408,23 @@ static void sci_dma_tx_work_fn(struct work_struct *work) + * consistent xmit buffer state. + */ + spin_lock_irq(&port->lock); +- buf = s->tx_dma_addr + (xmit->tail & (UART_XMIT_SIZE - 1)); ++ head = xmit->head; ++ tail = xmit->tail; ++ buf = s->tx_dma_addr + (tail & (UART_XMIT_SIZE - 1)); + s->tx_dma_len = min_t(unsigned int, +- CIRC_CNT(xmit->head, xmit->tail, UART_XMIT_SIZE), +- CIRC_CNT_TO_END(xmit->head, xmit->tail, UART_XMIT_SIZE)); +- spin_unlock_irq(&port->lock); ++ CIRC_CNT(head, tail, UART_XMIT_SIZE), ++ CIRC_CNT_TO_END(head, tail, UART_XMIT_SIZE)); ++ if (!s->tx_dma_len) { ++ /* Transmit buffer has been flushed */ ++ spin_unlock_irq(&port->lock); ++ return; ++ } + + desc = dmaengine_prep_slave_single(chan, buf, s->tx_dma_len, + DMA_MEM_TO_DEV, + DMA_PREP_INTERRUPT | DMA_CTRL_ACK); + if (!desc) { ++ spin_unlock_irq(&port->lock); + dev_warn(port->dev, "Failed preparing Tx DMA descriptor\n"); + goto switch_to_pio; + } +@@ -1424,18 +1432,18 @@ static void sci_dma_tx_work_fn(struct work_struct *work) + dma_sync_single_for_device(chan->device->dev, buf, s->tx_dma_len, + DMA_TO_DEVICE); + +- spin_lock_irq(&port->lock); + desc->callback = sci_dma_tx_complete; + desc->callback_param = s; +- spin_unlock_irq(&port->lock); + s->cookie_tx = dmaengine_submit(desc); + if (dma_submit_error(s->cookie_tx)) { ++ spin_unlock_irq(&port->lock); + dev_warn(port->dev, "Failed submitting Tx DMA descriptor\n"); + goto switch_to_pio; + } + ++ spin_unlock_irq(&port->lock); + dev_dbg(port->dev, "%s: %p: %d...%d, cookie %d\n", +- __func__, xmit->buf, xmit->tail, xmit->head, s->cookie_tx); ++ __func__, xmit->buf, tail, head, s->cookie_tx); + + dma_async_issue_pending(chan); + return; +-- +2.20.1 + diff --git a/queue-5.2/serial-sh-sci-terminate-tx-dma-during-buffer-flushin.patch b/queue-5.2/serial-sh-sci-terminate-tx-dma-during-buffer-flushin.patch new file mode 100644 index 00000000000..a2e407da344 --- /dev/null +++ b/queue-5.2/serial-sh-sci-terminate-tx-dma-during-buffer-flushin.patch @@ -0,0 +1,54 @@ +From 0351c807f34dfa52bd735b796f94bf81513b104f Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Mon, 24 Jun 2019 14:35:40 +0200 +Subject: serial: sh-sci: Terminate TX DMA during buffer flushing + +[ Upstream commit 775b7ffd7d6d5db320d99b0a485c51e04dfcf9f1 ] + +While the .flush_buffer() callback clears sci_port.tx_dma_len since +commit 1cf4a7efdc71cab8 ("serial: sh-sci: Fix race condition causing +garbage during shutdown"), it does not terminate a transmit DMA +operation that may be in progress. + +Fix this by terminating any pending DMA operations, and resetting the +corresponding cookie. + +Signed-off-by: Geert Uytterhoeven +Reviewed-by: Eugeniu Rosca +Tested-by: Eugeniu Rosca + +Link: https://lore.kernel.org/r/20190624123540.20629-3-geert+renesas@glider.be +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/sh-sci.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/drivers/tty/serial/sh-sci.c b/drivers/tty/serial/sh-sci.c +index abc705716aa0..1d25c4e2d0d2 100644 +--- a/drivers/tty/serial/sh-sci.c ++++ b/drivers/tty/serial/sh-sci.c +@@ -1648,11 +1648,18 @@ static void sci_free_dma(struct uart_port *port) + + static void sci_flush_buffer(struct uart_port *port) + { ++ struct sci_port *s = to_sci_port(port); ++ + /* + * In uart_flush_buffer(), the xmit circular buffer has just been +- * cleared, so we have to reset tx_dma_len accordingly. ++ * cleared, so we have to reset tx_dma_len accordingly, and stop any ++ * pending transfers + */ +- to_sci_port(port)->tx_dma_len = 0; ++ s->tx_dma_len = 0; ++ if (s->chan_tx) { ++ dmaengine_terminate_async(s->chan_tx); ++ s->cookie_tx = -EINVAL; ++ } + } + #else /* !CONFIG_SERIAL_SH_SCI_DMA */ + static inline void sci_request_dma(struct uart_port *port) +-- +2.20.1 + diff --git a/queue-5.2/serial-uartps-use-the-same-dynamic-major-number-for-.patch b/queue-5.2/serial-uartps-use-the-same-dynamic-major-number-for-.patch new file mode 100644 index 00000000000..8f9f0482a53 --- /dev/null +++ b/queue-5.2/serial-uartps-use-the-same-dynamic-major-number-for-.patch @@ -0,0 +1,63 @@ +From 9bf2739d698f836552c56f97634068d457731527 Mon Sep 17 00:00:00 2001 +From: Shubhrajyoti Datta +Date: Wed, 12 Jun 2019 13:14:38 +0200 +Subject: serial: uartps: Use the same dynamic major number for all ports + +[ Upstream commit ab262666018de6f4e206b021386b93ed0c164316 ] + +Let kernel to find out major number dynamically for the first device and +then reuse it for other instances. +This fixes the issue that each uart is registered with a +different major number. + +After the patch: +crw------- 1 root root 253, 0 Jun 10 08:31 /dev/ttyPS0 +crw--w---- 1 root root 253, 1 Jan 1 1970 /dev/ttyPS1 + +Fixes: 024ca329bfb9 ("serial: uartps: Register own uart console and driver structures") +Signed-off-by: Shubhrajyoti Datta +Signed-off-by: Michal Simek +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/xilinx_uartps.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/tty/serial/xilinx_uartps.c b/drivers/tty/serial/xilinx_uartps.c +index 605354fd60b1..9dcc4d855ddd 100644 +--- a/drivers/tty/serial/xilinx_uartps.c ++++ b/drivers/tty/serial/xilinx_uartps.c +@@ -29,12 +29,12 @@ + + #define CDNS_UART_TTY_NAME "ttyPS" + #define CDNS_UART_NAME "xuartps" +-#define CDNS_UART_MAJOR 0 /* use dynamic node allocation */ + #define CDNS_UART_FIFO_SIZE 64 /* FIFO size */ + #define CDNS_UART_REGISTER_SPACE 0x1000 + + /* Rx Trigger level */ + static int rx_trigger_level = 56; ++static int uartps_major; + module_param(rx_trigger_level, uint, S_IRUGO); + MODULE_PARM_DESC(rx_trigger_level, "Rx trigger level, 1-63 bytes"); + +@@ -1517,7 +1517,7 @@ static int cdns_uart_probe(struct platform_device *pdev) + cdns_uart_uart_driver->owner = THIS_MODULE; + cdns_uart_uart_driver->driver_name = driver_name; + cdns_uart_uart_driver->dev_name = CDNS_UART_TTY_NAME; +- cdns_uart_uart_driver->major = CDNS_UART_MAJOR; ++ cdns_uart_uart_driver->major = uartps_major; + cdns_uart_uart_driver->minor = cdns_uart_data->id; + cdns_uart_uart_driver->nr = 1; + +@@ -1546,6 +1546,7 @@ static int cdns_uart_probe(struct platform_device *pdev) + goto err_out_id; + } + ++ uartps_major = cdns_uart_uart_driver->tty_driver->major; + cdns_uart_data->cdns_uart_driver = cdns_uart_uart_driver; + + /* +-- +2.20.1 + diff --git a/queue-5.2/series b/queue-5.2/series index bfb9ef4b727..6738de9397c 100644 --- a/queue-5.2/series +++ b/queue-5.2/series @@ -1,3 +1,166 @@ regulator-88pm800-fix-warning-same-module-names.patch media-drivers-media-coda-fix-warning-same-module-names.patch btrfs-shut-up-bogus-wmaybe-uninitialized-warning.patch +drm-lima-handle-shared-irq-case-for-lima_pp_bcast_ir.patch +drm-panel-simple-fix-panel_simple_dsi_probe.patch +iio-adc-stm32-dfsdm-manage-the-get_irq-error-case.patch +iio-adc-stm32-dfsdm-missing-error-case-during-probe.patch +drm-virtio-set-seqno-for-dma-fence.patch +staging-kpc2000-added-missing-clean-up-to-probe_core.patch +ipmi_si-fix-unexpected-driver-unregister-warning.patch +staging-vt6656-use-meaningful-error-code-during-buff.patch +drm-bochs-fix-connector-leak-during-driver-unload.patch +usb-core-hub-disable-hub-initiated-u1-u2.patch +tty-max310x-fix-invalid-baudrate-divisors-calculator.patch +pinctrl-rockchip-fix-leaked-of_node-references.patch +tty-serial-cpm_uart-fix-init-when-smc-is-relocated.patch +f2fs-fix-to-check-layout-on-last-valid-checkpoint-pa.patch +drm-msm-a6xx-check-for-err-or-null-before-iounmap.patch +ipmi_ssif-fix-unexpected-driver-unregister-warning.patch +drm-amd-display-fill-prescale_params-scale-for-rgb56.patch +drm-amd-display-fix-multi-display-seamless-boot-case.patch +drm-msm-a6xx-avoid-freeing-gmu-resources-multiple-ti.patch +drm-amd-display-disable-cursor-when-offscreen-in-neg.patch +drm-amd-display-fill-plane-attrs-only-for-valid-pxl-.patch +drm-amdgpu-reserve-shared-fence-for-eviction-fence.patch +f2fs-fix-to-avoid-deadloop-if-data_flush-is-on.patch +drm-amdgpu-sriov-need-to-initialize-the-hdp_nonsurfa.patch +drm-amd-display-disable-abm-before-destroy-abm-struc.patch +drm-amdkfd-fix-a-potential-memory-leak.patch +drm-amdkfd-fix-sdma-queue-map-issue.patch +drm-edid-fix-a-missing-check-bug-in-drm_load_edid_fi.patch +tools-pci-fix-broken-pcitest-compilation.patch +pci-return-error-if-cannot-probe-vf.patch +staging-kpc2000-report-error-status-to-spi-core.patch +drm-bridge-tc358767-read-display_props-in-get_modes.patch +drm-bridge-sii902x-pixel-clock-unit-is-10khz-instead.patch +drm-amd-display-reset-planes-for-color-management-ch.patch +drm-amd-display-cs_tfm_1d-only-applied-post-eotf.patch +drm-amd-display-increase-backlight-gain-step-size.patch +f2fs-fix-accounting-for-unusable-blocks.patch +f2fs-lower-threshold-for-disable_cp_again.patch +gpu-host1x-increase-maximum-dma-segment-size.patch +drm-crc-debugfs-user-irqsafe-spinlock-in-drm_crtc_ad.patch +drm-crc-debugfs-also-sprinkle-irqrestore-over-early-.patch +drm-vkms-forward-timer-right-after-drm_crtc_handle_v.patch +i2c-nvidia-gpu-resume-ccgx-i2c-client.patch +mm-hmm-fix-use-after-free-with-struct-hmm-in-the-mmu.patch +drm-omap-don-t-check-dispc-timings-for-dsi.patch +memstick-fix-error-cleanup-path-of-memstick_init.patch +tty-serial-digicolor-fix-digicolor-usart-already-reg.patch +tty-serial-msm_serial-avoid-system-lockup-condition.patch +serial-8250-fix-tx-interrupt-handling-condition.patch +pci-endpoint-allocate-enough-space-for-fixed-size-ba.patch +drm-amd-display-always-allocate-initial-connector-st.patch +drm-amd-display-update-link-rate-from-dpcd-10.patch +drm-virtio-add-memory-barriers-for-capset-cache.patch +drm-amd-display-set-link-dongle_max_pix_clk-to-0-on-.patch +phy-renesas-rcar-gen2-fix-memory-leak-at-error-paths.patch +drm-amd-display-fix-compilation-error.patch +sunhv-fix-device-naming-inconsistency-between-sunhv_.patch +drm-bridge-tfp410-fix-use-of-cancel_delayed_work_syn.patch +powerpc-pseries-mobility-prevent-cpu-hotplug-during-.patch +dma-remap-avoid-de-referencing-null-atomic_pool.patch +drm-rockchip-properly-adjust-to-a-true-clock-in-adju.patch +platform-x86-asus-wmi-increase-input-buffer-size-of-.patch +iio-adxl372-fix-iio_triggered_buffer_-pre-post-enabl.patch +serial-imx-fix-locking-in-set_termios.patch +serial-uartps-use-the-same-dynamic-major-number-for-.patch +tty-serial_core-set-port-active-bit-in-uart_port_act.patch +usb-gadget-zero-ffs_io_data.patch +usb-dwc3-fix-core-validation-in-probe-move-after-clo.patch +kvm-vmx-fix-limit-checking-in-get_vmx_mem_address.patch +mmc-sdhci-sdhci-pci-o2micro-check-if-controller-supp.patch +kvm-nvmx-intercept-vmwrites-to-guest_-cs-ss-_ar_byte.patch +kvm-vmx-segment-limit-check-use-access-length.patch +drm-msm-adreno-ensure-that-the-zap-shader-region-is-.patch +powerpc-pci-of-fix-of-flags-parsing-for-64bit-bars.patch +drm-msm-depopulate-platform-on-probe-failure.patch +serial-mctrl_gpio-check-if-gpio-property-exisits-bef.patch +phy-renesas-rcar-gen3-usb2-fix-imbalance-powered-fla.patch +pci-sysfs-ignore-lockdep-for-remove-attribute.patch +i2c-stm32f7-fix-the-get_irq-error-cases.patch +net-ipv4-fib_trie-avoid-cryptic-ternary-expressions.patch +kbuild-add-werror-unknown-warning-option-to-clang_fl.patch +genksyms-teach-parser-about-128-bit-built-in-types.patch +phy-meson-g12a-usb3-pcie-disable-locking-for-cr_regm.patch +pci-xilinx-nwl-fix-multi-msi-data-programming.patch +iio-iio-utils-fix-possible-incorrect-mask-calculatio.patch +dt-bindings-backlight-lm3630a-correct-schema-validat.patch +powerpc-cacheflush-fix-variable-set-but-not-used.patch +powerpc-xmon-fix-disabling-tracing-while-in-xmon.patch +powerpc-rtas-retry-when-cpu-offline-races-with-suspe.patch +fixdep-check-return-value-of-printf-and-putchar.patch +recordmcount-fix-spurious-mcount-entries-on-powerpc.patch +mfd-cros_ec-register-cros_ec_lid_angle-driver-when-p.patch +mfd-madera-add-missing-of-table-registration.patch +mfd-core-set-fwnode-for-created-devices.patch +mfd-arizona-fix-undefined-behavior.patch +mfd-hi655x-pmic-fix-missing-return-value-check-for-d.patch +mm-swap-fix-release_pages-when-releasing-devmap-page.patch +um-silence-lockdep-complaint-about-mmap_sem.patch +f2fs-fix-is_idle-check-for-discard-type.patch +powerpc-silence-a-wcast-function-type-warning-in-daw.patch +powerpc-4xx-uic-clear-pending-interrupt-after-irq-ty.patch +powerpc-mm-mark-more-tlb-functions-as-__always_inlin.patch +rdma-i40iw-set-queue-pair-state-when-being-queried.patch +serial-sh-sci-terminate-tx-dma-during-buffer-flushin.patch +serial-sh-sci-fix-tx-dma-buffer-flushing-and-workque.patch +ib-mlx5-fixed-reporting-counters-on-2nd-port-for-dua.patch +powerpc-mm-handle-page-table-allocation-failures.patch +ib-ipoib-add-child-to-parent-list-only-if-device-ini.patch +arm64-assembler-switch-esb-instruction-with-a-vanill.patch +kvm-nvmx-stash-l1-s-cr3-in-vmcs01.guest_cr3-on-neste.patch +pci-mobiveil-fix-pci-base-address-in-mem-io-outbound.patch +pci-mobiveil-fix-the-class-code-field.patch +kallsyms-exclude-kasan-local-symbols-on-s390.patch +pci-mobiveil-initialize-primary-secondary-subordinat.patch +pci-mobiveil-use-the-1st-inbound-window-for-mem-inbo.patch +perf-test-mmap-thread-lookup-initialize-variable-to-.patch +perf-stat-fix-use-after-freed-pointer-detected-by-th.patch +rseq-selftests-fix-thumb-mode-build-failure-on-arm32.patch +perf-top-fix-potential-null-pointer-dereference-dete.patch +perf-trace-fix-potential-null-pointer-dereference-fo.patch +perf-session-fix-potential-null-pointer-dereference-.patch +perf-map-fix-potential-null-pointer-dereference-foun.patch +perf-annotate-fix-dereferencing-freed-memory-found-b.patch +perf-hists-browser-fix-potential-null-pointer-derefe.patch +rdma-rxe-fill-in-wc-byte_len-with-ib_wc_recv_rdma_wi.patch +pci-dwc-pci-dra7xx-fix-compilation-when-config_gpiol.patch +perf-intel-bts-fix-potential-null-pointer-dereferenc.patch +rdma-core-fix-race-when-resolving-ip-address.patch +nvme-pci-check-for-null-return-from-pci_alloc_p2pmem.patch +nvme-pci-limit-max_hw_sectors-based-on-the-dma-max-m.patch +nvme-tcp-don-t-use-sendpage-for-slab-pages.patch +io_uring-fix-io_sq_thread_stop-running-in-front-of-i.patch +nvme-tcp-set-the-stable_writes-flag-when-data-digest.patch +powerpc-irq-don-t-warn-continuously-in-arch_local_ir.patch +powerpc-boot-add-get-put-_unaligned_be32-to-xz_confi.patch +block-init-flush-rq-ref-count-to-1.patch +rds-accept-peer-connection-reject-messages-due-to-in.patch +f2fs-fix-to-avoid-long-latency-during-umount.patch +f2fs-avoid-out-of-range-memory-access.patch +mailbox-handle-failed-named-mailbox-channel-request.patch +dlm-check-if-workqueues-are-null-before-flushing-des.patch +powerpc-eeh-handle-hugepages-in-ioremap-space.patch +platform-x86-fix-pcengines_apu2-kconfig-warning.patch +block-bio-integrity-fix-a-memory-leak-bug.patch +nvme-fix-null-deref-for-fabrics-options.patch +sh-prevent-warnings-when-using-iounmap.patch +mm-kmemleak.c-fix-check-for-softirq-context.patch +9p-pass-the-correct-prototype-to-read_cache_page.patch +mm-mincore.c-fix-race-between-swapoff-and-mincore.patch +mm-gup.c-mark-undo_dev_pagemap-as-__maybe_unused.patch +mm-gup.c-remove-some-bug_ons-from-get_gate_page.patch +memcg-fsnotify-no-oom-kill-for-remote-memcg-charging.patch +mm-mmu_notifier-use-hlist_add_head_rcu.patch +proc-use-down_read_killable-mmap_sem-for-proc-pid-sm.patch +proc-use-down_read_killable-mmap_sem-for-proc-pid-pa.patch +proc-use-down_read_killable-mmap_sem-for-proc-pid-cl.patch +proc-use-down_read_killable-mmap_sem-for-proc-pid-ma.patch +cxgb4-reduce-kernel-stack-usage-in-cudbg_collect_mem.patch +proc-use-down_read_killable-mmap_sem-for-proc-pid-ma.patch-17560 +locking-lockdep-fix-lock-used-or-unused-stats-error.patch +mm-use-down_read_killable-for-locking-mmap_sem-in-ac.patch +mm-swap-fix-race-between-swapoff-and-some-swap-opera.patch +locking-lockdep-hide-unused-class-variable.patch diff --git a/queue-5.2/sh-prevent-warnings-when-using-iounmap.patch b/queue-5.2/sh-prevent-warnings-when-using-iounmap.patch new file mode 100644 index 00000000000..9ab1e427469 --- /dev/null +++ b/queue-5.2/sh-prevent-warnings-when-using-iounmap.patch @@ -0,0 +1,62 @@ +From f0f26f20472303389b826b6a38b0b100f3e69b93 Mon Sep 17 00:00:00 2001 +From: Sam Ravnborg +Date: Thu, 11 Jul 2019 20:52:52 -0700 +Subject: sh: prevent warnings when using iounmap + +[ Upstream commit 733f0025f0fb43e382b84db0930ae502099b7e62 ] + +When building drm/exynos for sh, as part of an allmodconfig build, the +following warning triggered: + + exynos7_drm_decon.c: In function `decon_remove': + exynos7_drm_decon.c:769:24: warning: unused variable `ctx' + struct decon_context *ctx = dev_get_drvdata(&pdev->dev); + +The ctx variable is only used as argument to iounmap(). + +In sh - allmodconfig CONFIG_MMU is not defined +so it ended up in: + +\#define __iounmap(addr) do { } while (0) +\#define iounmap __iounmap + +Fix the warning by introducing a static inline function for iounmap. + +This is similar to several other architectures. + +Link: http://lkml.kernel.org/r/20190622114208.24427-1-sam@ravnborg.org +Signed-off-by: Sam Ravnborg +Reviewed-by: Geert Uytterhoeven +Cc: Yoshinori Sato +Cc: Rich Felker +Cc: Will Deacon +Cc: Mark Brown +Cc: Inki Dae +Cc: Krzysztof Kozlowski +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + arch/sh/include/asm/io.h | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/arch/sh/include/asm/io.h b/arch/sh/include/asm/io.h +index c28e37a344ad..ac0561960c52 100644 +--- a/arch/sh/include/asm/io.h ++++ b/arch/sh/include/asm/io.h +@@ -369,7 +369,11 @@ static inline int iounmap_fixed(void __iomem *addr) { return -EINVAL; } + + #define ioremap_nocache ioremap + #define ioremap_uc ioremap +-#define iounmap __iounmap ++ ++static inline void iounmap(void __iomem *addr) ++{ ++ __iounmap(addr); ++} + + /* + * Convert a physical pointer to a virtual kernel pointer for /dev/mem +-- +2.20.1 + diff --git a/queue-5.2/staging-kpc2000-added-missing-clean-up-to-probe_core.patch b/queue-5.2/staging-kpc2000-added-missing-clean-up-to-probe_core.patch new file mode 100644 index 00000000000..b8be9a65f33 --- /dev/null +++ b/queue-5.2/staging-kpc2000-added-missing-clean-up-to-probe_core.patch @@ -0,0 +1,58 @@ +From 446e59b94d3184b030a0aadc538944874fd730f0 Mon Sep 17 00:00:00 2001 +From: Jeremy Sowden +Date: Wed, 15 May 2019 12:14:36 +0100 +Subject: staging: kpc2000: added missing clean-up to probe_core_uio. + +[ Upstream commit abb611d2c21c0a4fa8eab35dc936c80d9a07acd8 ] + +On error, probe_core_uio just returned an error without freeing +resources which had previously been allocated. Added the missing +clean-up code. + +Updated TODO. + +Signed-off-by: Jeremy Sowden +Reviewed-by: Dan Carpenter +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/kpc2000/TODO | 1 - + drivers/staging/kpc2000/kpc2000/cell_probe.c | 3 +++ + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/staging/kpc2000/TODO b/drivers/staging/kpc2000/TODO +index 8c7af29fefae..ed951acc829a 100644 +--- a/drivers/staging/kpc2000/TODO ++++ b/drivers/staging/kpc2000/TODO +@@ -1,7 +1,6 @@ + - the kpc_spi driver doesn't seem to let multiple transactions (to different instances of the core) happen in parallel... + - The kpc_i2c driver is a hot mess, it should probably be cleaned up a ton. It functions against current hardware though. + - pcard->card_num in kp2000_pcie_probe() is a global variable and needs atomic / locking / something better. +-- probe_core_uio() probably needs error handling + - the loop in kp2000_probe_cores() that uses probe_core_uio() also probably needs error handling + - would be nice if the AIO fileops in kpc_dma could be made to work + - probably want to add a CONFIG_ option to control compilation of the AIO functions +diff --git a/drivers/staging/kpc2000/kpc2000/cell_probe.c b/drivers/staging/kpc2000/kpc2000/cell_probe.c +index e0dba91e7fa8..d6b57f550876 100644 +--- a/drivers/staging/kpc2000/kpc2000/cell_probe.c ++++ b/drivers/staging/kpc2000/kpc2000/cell_probe.c +@@ -295,6 +295,7 @@ int probe_core_uio(unsigned int core_num, struct kp2000_device *pcard, char *na + kudev->dev = device_create(kpc_uio_class, &pcard->pdev->dev, MKDEV(0,0), kudev, "%s.%d.%d.%d", kudev->uioinfo.name, pcard->card_num, cte.type, kudev->core_num); + if (IS_ERR(kudev->dev)) { + dev_err(&pcard->pdev->dev, "probe_core_uio device_create failed!\n"); ++ kfree(kudev); + return -ENODEV; + } + dev_set_drvdata(kudev->dev, kudev); +@@ -302,6 +303,8 @@ int probe_core_uio(unsigned int core_num, struct kp2000_device *pcard, char *na + rv = uio_register_device(kudev->dev, &kudev->uioinfo); + if (rv){ + dev_err(&pcard->pdev->dev, "probe_core_uio failed uio_register_device: %d\n", rv); ++ put_device(kudev->dev); ++ kfree(kudev); + return rv; + } + +-- +2.20.1 + diff --git a/queue-5.2/staging-kpc2000-report-error-status-to-spi-core.patch b/queue-5.2/staging-kpc2000-report-error-status-to-spi-core.patch new file mode 100644 index 00000000000..e24b2c4ab87 --- /dev/null +++ b/queue-5.2/staging-kpc2000-report-error-status-to-spi-core.patch @@ -0,0 +1,55 @@ +From 6cd4139535f1a76514db83c2873e0f72543dc8bf Mon Sep 17 00:00:00 2001 +From: Mao Wenan +Date: Tue, 28 May 2019 16:02:13 +0800 +Subject: staging: kpc2000: report error status to spi core + +[ Upstream commit 9164f336311863d3e9f80840f4a1cce2aee293bd ] + +There is an error condition that's not reported to +the spi core in kp_spi_transfer_one_message(). +It should restore status value to m->status, and +return it in error path. + +Signed-off-by: Mao Wenan +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/kpc2000/kpc_spi/spi_driver.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/staging/kpc2000/kpc_spi/spi_driver.c b/drivers/staging/kpc2000/kpc_spi/spi_driver.c +index 86df16547a92..2f535022dc03 100644 +--- a/drivers/staging/kpc2000/kpc_spi/spi_driver.c ++++ b/drivers/staging/kpc2000/kpc_spi/spi_driver.c +@@ -333,7 +333,7 @@ kp_spi_transfer_one_message(struct spi_master *master, struct spi_message *m) + list_for_each_entry(transfer, &m->transfers, transfer_list) { + if (transfer->tx_buf == NULL && transfer->rx_buf == NULL && transfer->len) { + status = -EINVAL; +- break; ++ goto error; + } + + /* transfer */ +@@ -371,7 +371,7 @@ kp_spi_transfer_one_message(struct spi_master *master, struct spi_message *m) + + if (count != transfer->len) { + status = -EIO; +- break; ++ goto error; + } + } + +@@ -389,6 +389,10 @@ kp_spi_transfer_one_message(struct spi_master *master, struct spi_message *m) + /* done work */ + spi_finalize_current_message(master); + return 0; ++ ++ error: ++ m->status = status; ++ return status; + } + + static void +-- +2.20.1 + diff --git a/queue-5.2/staging-vt6656-use-meaningful-error-code-during-buff.patch b/queue-5.2/staging-vt6656-use-meaningful-error-code-during-buff.patch new file mode 100644 index 00000000000..a27ab3363cc --- /dev/null +++ b/queue-5.2/staging-vt6656-use-meaningful-error-code-during-buff.patch @@ -0,0 +1,126 @@ +From 7376090f491311466205e6b6f6649395ba965717 Mon Sep 17 00:00:00 2001 +From: Quentin Deslandes +Date: Mon, 20 May 2019 16:39:04 +0000 +Subject: staging: vt6656: use meaningful error code during buffer allocation + +[ Upstream commit d8c2869300ab5f7a19bf6f5a04fe473c5c9887e3 ] + +Check on called function's returned value for error and return 0 on +success or a negative errno value on error instead of a boolean value. + +Signed-off-by: Quentin Deslandes +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/vt6656/main_usb.c | 42 ++++++++++++++++++++----------- + 1 file changed, 28 insertions(+), 14 deletions(-) + +diff --git a/drivers/staging/vt6656/main_usb.c b/drivers/staging/vt6656/main_usb.c +index ccafcc2c87ac..70433f756d8e 100644 +--- a/drivers/staging/vt6656/main_usb.c ++++ b/drivers/staging/vt6656/main_usb.c +@@ -402,16 +402,19 @@ static void vnt_free_int_bufs(struct vnt_private *priv) + kfree(priv->int_buf.data_buf); + } + +-static bool vnt_alloc_bufs(struct vnt_private *priv) ++static int vnt_alloc_bufs(struct vnt_private *priv) + { ++ int ret = 0; + struct vnt_usb_send_context *tx_context; + struct vnt_rcb *rcb; + int ii; + + for (ii = 0; ii < priv->num_tx_context; ii++) { + tx_context = kmalloc(sizeof(*tx_context), GFP_KERNEL); +- if (!tx_context) ++ if (!tx_context) { ++ ret = -ENOMEM; + goto free_tx; ++ } + + priv->tx_context[ii] = tx_context; + tx_context->priv = priv; +@@ -419,16 +422,20 @@ static bool vnt_alloc_bufs(struct vnt_private *priv) + + /* allocate URBs */ + tx_context->urb = usb_alloc_urb(0, GFP_KERNEL); +- if (!tx_context->urb) ++ if (!tx_context->urb) { ++ ret = -ENOMEM; + goto free_tx; ++ } + + tx_context->in_use = false; + } + + for (ii = 0; ii < priv->num_rcb; ii++) { + priv->rcb[ii] = kzalloc(sizeof(*priv->rcb[ii]), GFP_KERNEL); +- if (!priv->rcb[ii]) ++ if (!priv->rcb[ii]) { ++ ret = -ENOMEM; + goto free_rx_tx; ++ } + + rcb = priv->rcb[ii]; + +@@ -436,39 +443,46 @@ static bool vnt_alloc_bufs(struct vnt_private *priv) + + /* allocate URBs */ + rcb->urb = usb_alloc_urb(0, GFP_KERNEL); +- if (!rcb->urb) ++ if (!rcb->urb) { ++ ret = -ENOMEM; + goto free_rx_tx; ++ } + + rcb->skb = dev_alloc_skb(priv->rx_buf_sz); +- if (!rcb->skb) ++ if (!rcb->skb) { ++ ret = -ENOMEM; + goto free_rx_tx; ++ } + + rcb->in_use = false; + + /* submit rx urb */ +- if (vnt_submit_rx_urb(priv, rcb)) ++ ret = vnt_submit_rx_urb(priv, rcb); ++ if (ret) + goto free_rx_tx; + } + + priv->interrupt_urb = usb_alloc_urb(0, GFP_KERNEL); +- if (!priv->interrupt_urb) ++ if (!priv->interrupt_urb) { ++ ret = -ENOMEM; + goto free_rx_tx; ++ } + + priv->int_buf.data_buf = kmalloc(MAX_INTERRUPT_SIZE, GFP_KERNEL); + if (!priv->int_buf.data_buf) { +- usb_free_urb(priv->interrupt_urb); +- goto free_rx_tx; ++ ret = -ENOMEM; ++ goto free_rx_tx_urb; + } + +- return true; ++ return 0; + ++free_rx_tx_urb: ++ usb_free_urb(priv->interrupt_urb); + free_rx_tx: + vnt_free_rx_bufs(priv); +- + free_tx: + vnt_free_tx_bufs(priv); +- +- return false; ++ return ret; + } + + static void vnt_tx_80211(struct ieee80211_hw *hw, +-- +2.20.1 + diff --git a/queue-5.2/sunhv-fix-device-naming-inconsistency-between-sunhv_.patch b/queue-5.2/sunhv-fix-device-naming-inconsistency-between-sunhv_.patch new file mode 100644 index 00000000000..26995b088d1 --- /dev/null +++ b/queue-5.2/sunhv-fix-device-naming-inconsistency-between-sunhv_.patch @@ -0,0 +1,65 @@ +From fa7e03f963fd2b2c50e9bac803d9f061a404bfad Mon Sep 17 00:00:00 2001 +From: John Paul Adrian Glaubitz +Date: Tue, 11 Jun 2019 17:38:37 +0200 +Subject: sunhv: Fix device naming inconsistency between sunhv_console and + sunhv_reg + +[ Upstream commit 07a6d63eb1b54b5fb38092780fe618dfe1d96e23 ] + +In d5a2aa24, the name in struct console sunhv_console was changed from "ttyS" +to "ttyHV" while the name in struct uart_ops sunhv_pops remained unchanged. + +This results in the hypervisor console device to be listed as "ttyHV0" under +/proc/consoles while the device node is still named "ttyS0": + +root@osaka:~# cat /proc/consoles +ttyHV0 -W- (EC p ) 4:64 +tty0 -WU (E ) 4:1 +root@osaka:~# readlink /sys/dev/char/4:64 +../../devices/root/f02836f0/f0285690/tty/ttyS0 +root@osaka:~# + +This means that any userland code which tries to determine the name of the +device file of the hypervisor console device can not rely on the information +provided by /proc/consoles. In particular, booting current versions of debian- +installer inside a SPARC LDOM will fail with the installer unable to determine +the console device. + +After renaming the device in struct uart_ops sunhv_pops to "ttyHV" as well, +the inconsistency is fixed and it is possible again to determine the name +of the device file of the hypervisor console device by reading the contents +of /proc/console: + +root@osaka:~# cat /proc/consoles +ttyHV0 -W- (EC p ) 4:64 +tty0 -WU (E ) 4:1 +root@osaka:~# readlink /sys/dev/char/4:64 +../../devices/root/f02836f0/f0285690/tty/ttyHV0 +root@osaka:~# + +With this change, debian-installer works correctly when installing inside +a SPARC LDOM. + +Signed-off-by: John Paul Adrian Glaubitz +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/sunhv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/sunhv.c b/drivers/tty/serial/sunhv.c +index 63e34d868de8..f8503f8fc44e 100644 +--- a/drivers/tty/serial/sunhv.c ++++ b/drivers/tty/serial/sunhv.c +@@ -397,7 +397,7 @@ static const struct uart_ops sunhv_pops = { + static struct uart_driver sunhv_reg = { + .owner = THIS_MODULE, + .driver_name = "sunhv", +- .dev_name = "ttyS", ++ .dev_name = "ttyHV", + .major = TTY_MAJOR, + }; + +-- +2.20.1 + diff --git a/queue-5.2/tools-pci-fix-broken-pcitest-compilation.patch b/queue-5.2/tools-pci-fix-broken-pcitest-compilation.patch new file mode 100644 index 00000000000..986ac05e141 --- /dev/null +++ b/queue-5.2/tools-pci-fix-broken-pcitest-compilation.patch @@ -0,0 +1,55 @@ +From 9133a8a37d20360f15fa263aa2933ee9985f9829 Mon Sep 17 00:00:00 2001 +From: Alan Mikhak +Date: Thu, 23 May 2019 14:18:00 -0700 +Subject: tools: PCI: Fix broken pcitest compilation + +[ Upstream commit 8a5e0af240e07dd3d4897eb8ff52aab757da7fab ] + +pcitest is currently broken due to the following compiler error +and related warning. Fix by changing the run_test() function +signature to return an integer result. + +pcitest.c: In function run_test: +pcitest.c:143:9: warning: return with a value, in function +returning void + return (ret < 0) ? ret : 1 - ret; /* return 0 if test succeeded */ + +pcitest.c: In function main: +pcitest.c:232:9: error: void value not ignored as it ought to be + return run_test(test); + +Fixes: fef31ecaaf2c ("tools: PCI: Fix compilation warnings") +Signed-off-by: Alan Mikhak +Signed-off-by: Lorenzo Pieralisi +Reviewed-by: Paul Walmsley +Signed-off-by: Sasha Levin +--- + tools/pci/pcitest.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/tools/pci/pcitest.c b/tools/pci/pcitest.c +index cb7a47dfd8b6..49ddfa6f5a8c 100644 +--- a/tools/pci/pcitest.c ++++ b/tools/pci/pcitest.c +@@ -36,15 +36,15 @@ struct pci_test { + unsigned long size; + }; + +-static void run_test(struct pci_test *test) ++static int run_test(struct pci_test *test) + { +- long ret; ++ int ret = -EINVAL; + int fd; + + fd = open(test->device, O_RDWR); + if (fd < 0) { + perror("can't open PCI Endpoint Test device"); +- return; ++ return -ENODEV; + } + + if (test->barnum >= 0 && test->barnum <= 5) { +-- +2.20.1 + diff --git a/queue-5.2/tty-max310x-fix-invalid-baudrate-divisors-calculator.patch b/queue-5.2/tty-max310x-fix-invalid-baudrate-divisors-calculator.patch new file mode 100644 index 00000000000..3e928f5247b --- /dev/null +++ b/queue-5.2/tty-max310x-fix-invalid-baudrate-divisors-calculator.patch @@ -0,0 +1,112 @@ +From 2afa6ae2593ff89e7d02b1bc2823c35cfbf8b5ba Mon Sep 17 00:00:00 2001 +From: Serge Semin +Date: Tue, 14 May 2019 13:14:12 +0300 +Subject: tty: max310x: Fix invalid baudrate divisors calculator + +[ Upstream commit 35240ba26a932b279a513f66fa4cabfd7af55221 ] + +Current calculator doesn't do it' job quite correct. First of all the +max310x baud-rates generator supports the divisor being less than 16. +In this case the x2/x4 modes can be used to double or quadruple +the reference frequency. But the current baud-rate setter function +just filters all these modes out by the first condition and setups +these modes only if there is a clocks-baud division remainder. The former +doesn't seem right at all, since enabling the x2/x4 modes causes the line +noise tolerance reduction and should be only used as a last resort to +enable a requested too high baud-rate. + +Finally the fraction is supposed to be calculated from D = Fref/(c*baud) +formulae, but not from D % 16, which causes the precision loss. So to speak +the current baud-rate calculator code works well only if the baud perfectly +fits to the uart reference input frequency. + +Lets fix the calculator by implementing the algo fully compliant with +the fractional baud-rate generator described in the datasheet: +D = Fref / (c*baud), where c={16,8,4} is the x1/x2/x4 rate mode +respectively, Fref - reference input frequency. The divisor fraction is +calculated from the same formulae, but making sure it is found with a +resolution of 0.0625 (four bits). + +Signed-off-by: Serge Semin +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/max310x.c | 51 ++++++++++++++++++++++-------------- + 1 file changed, 31 insertions(+), 20 deletions(-) + +diff --git a/drivers/tty/serial/max310x.c b/drivers/tty/serial/max310x.c +index e5aebbf5f302..c3afd128b8fc 100644 +--- a/drivers/tty/serial/max310x.c ++++ b/drivers/tty/serial/max310x.c +@@ -496,37 +496,48 @@ static bool max310x_reg_precious(struct device *dev, unsigned int reg) + + static int max310x_set_baud(struct uart_port *port, int baud) + { +- unsigned int mode = 0, clk = port->uartclk, div = clk / baud; ++ unsigned int mode = 0, div = 0, frac = 0, c = 0, F = 0; + +- /* Check for minimal value for divider */ +- if (div < 16) +- div = 16; +- +- if (clk % baud && (div / 16) < 0x8000) { ++ /* ++ * Calculate the integer divisor first. Select a proper mode ++ * in case if the requested baud is too high for the pre-defined ++ * clocks frequency. ++ */ ++ div = port->uartclk / baud; ++ if (div < 8) { ++ /* Mode x4 */ ++ c = 4; ++ mode = MAX310X_BRGCFG_4XMODE_BIT; ++ } else if (div < 16) { + /* Mode x2 */ ++ c = 8; + mode = MAX310X_BRGCFG_2XMODE_BIT; +- clk = port->uartclk * 2; +- div = clk / baud; +- +- if (clk % baud && (div / 16) < 0x8000) { +- /* Mode x4 */ +- mode = MAX310X_BRGCFG_4XMODE_BIT; +- clk = port->uartclk * 4; +- div = clk / baud; +- } ++ } else { ++ c = 16; + } + +- max310x_port_write(port, MAX310X_BRGDIVMSB_REG, (div / 16) >> 8); +- max310x_port_write(port, MAX310X_BRGDIVLSB_REG, div / 16); +- max310x_port_write(port, MAX310X_BRGCFG_REG, (div % 16) | mode); ++ /* Calculate the divisor in accordance with the fraction coefficient */ ++ div /= c; ++ F = c*baud; ++ ++ /* Calculate the baud rate fraction */ ++ if (div > 0) ++ frac = (16*(port->uartclk % F)) / F; ++ else ++ div = 1; ++ ++ max310x_port_write(port, MAX310X_BRGDIVMSB_REG, div >> 8); ++ max310x_port_write(port, MAX310X_BRGDIVLSB_REG, div); ++ max310x_port_write(port, MAX310X_BRGCFG_REG, frac | mode); + +- return DIV_ROUND_CLOSEST(clk, div); ++ /* Return the actual baud rate we just programmed */ ++ return (16*port->uartclk) / (c*(16*div + frac)); + } + + static int max310x_update_best_err(unsigned long f, long *besterr) + { + /* Use baudrate 115200 for calculate error */ +- long err = f % (115200 * 16); ++ long err = f % (460800 * 16); + + if ((*besterr < 0) || (*besterr > err)) { + *besterr = err; +-- +2.20.1 + diff --git a/queue-5.2/tty-serial-cpm_uart-fix-init-when-smc-is-relocated.patch b/queue-5.2/tty-serial-cpm_uart-fix-init-when-smc-is-relocated.patch new file mode 100644 index 00000000000..9cb39531fb0 --- /dev/null +++ b/queue-5.2/tty-serial-cpm_uart-fix-init-when-smc-is-relocated.patch @@ -0,0 +1,76 @@ +From c452a4b26ad99091699e54f9335bcaa2480868c8 Mon Sep 17 00:00:00 2001 +From: Christophe Leroy +Date: Wed, 22 May 2019 12:17:11 +0000 +Subject: tty: serial: cpm_uart - fix init when SMC is relocated + +[ Upstream commit 06aaa3d066db87e8478522d910285141d44b1e58 ] + +SMC relocation can also be activated earlier by the bootloader, +so the driver's behaviour cannot rely on selected kernel config. + +When the SMC is relocated, CPM_CR_INIT_TRX cannot be used. + +But the only thing CPM_CR_INIT_TRX does is to clear the +rstate and tstate registers, so this can be done manually, +even when SMC is not relocated. + +Signed-off-by: Christophe Leroy +Fixes: 9ab921201444 ("cpm_uart: fix non-console port startup bug") +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/cpm_uart/cpm_uart_core.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/drivers/tty/serial/cpm_uart/cpm_uart_core.c b/drivers/tty/serial/cpm_uart/cpm_uart_core.c +index b929c7ae3a27..7bab9a3eda92 100644 +--- a/drivers/tty/serial/cpm_uart/cpm_uart_core.c ++++ b/drivers/tty/serial/cpm_uart/cpm_uart_core.c +@@ -407,7 +407,16 @@ static int cpm_uart_startup(struct uart_port *port) + clrbits16(&pinfo->sccp->scc_sccm, UART_SCCM_RX); + } + cpm_uart_initbd(pinfo); +- cpm_line_cr_cmd(pinfo, CPM_CR_INIT_TRX); ++ if (IS_SMC(pinfo)) { ++ out_be32(&pinfo->smcup->smc_rstate, 0); ++ out_be32(&pinfo->smcup->smc_tstate, 0); ++ out_be16(&pinfo->smcup->smc_rbptr, ++ in_be16(&pinfo->smcup->smc_rbase)); ++ out_be16(&pinfo->smcup->smc_tbptr, ++ in_be16(&pinfo->smcup->smc_tbase)); ++ } else { ++ cpm_line_cr_cmd(pinfo, CPM_CR_INIT_TRX); ++ } + } + /* Install interrupt handler. */ + retval = request_irq(port->irq, cpm_uart_int, 0, "cpm_uart", port); +@@ -861,16 +870,14 @@ static void cpm_uart_init_smc(struct uart_cpm_port *pinfo) + (u8 __iomem *)pinfo->tx_bd_base - DPRAM_BASE); + + /* +- * In case SMC1 is being relocated... ++ * In case SMC is being relocated... + */ +-#if defined (CONFIG_I2C_SPI_SMC1_UCODE_PATCH) + out_be16(&up->smc_rbptr, in_be16(&pinfo->smcup->smc_rbase)); + out_be16(&up->smc_tbptr, in_be16(&pinfo->smcup->smc_tbase)); + out_be32(&up->smc_rstate, 0); + out_be32(&up->smc_tstate, 0); + out_be16(&up->smc_brkcr, 1); /* number of break chars */ + out_be16(&up->smc_brkec, 0); +-#endif + + /* Set up the uart parameters in the + * parameter ram. +@@ -884,8 +891,6 @@ static void cpm_uart_init_smc(struct uart_cpm_port *pinfo) + out_be16(&up->smc_brkec, 0); + out_be16(&up->smc_brkcr, 1); + +- cpm_line_cr_cmd(pinfo, CPM_CR_INIT_TRX); +- + /* Set UART mode, 8 bit, no parity, one stop. + * Enable receive and transmit. + */ +-- +2.20.1 + diff --git a/queue-5.2/tty-serial-digicolor-fix-digicolor-usart-already-reg.patch b/queue-5.2/tty-serial-digicolor-fix-digicolor-usart-already-reg.patch new file mode 100644 index 00000000000..7f6188473fa --- /dev/null +++ b/queue-5.2/tty-serial-digicolor-fix-digicolor-usart-already-reg.patch @@ -0,0 +1,44 @@ +From 4eee0fcfb88a0e160bc5b10b0583bcf2958458e2 Mon Sep 17 00:00:00 2001 +From: Kefeng Wang +Date: Fri, 31 May 2019 21:37:33 +0800 +Subject: tty/serial: digicolor: Fix digicolor-usart already registered warning + +[ Upstream commit c7ad9ba0611c53cfe194223db02e3bca015f0674 ] + +When modprobe/rmmod/modprobe module, if platform_driver_register() fails, +the kernel complained, + + proc_dir_entry 'driver/digicolor-usart' already registered + WARNING: CPU: 1 PID: 5636 at fs/proc/generic.c:360 proc_register+0x19d/0x270 + +Fix this by adding uart_unregister_driver() when platform_driver_register() fails. + +Reported-by: Hulk Robot +Signed-off-by: Kefeng Wang +Acked-by: Baruch Siach +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/digicolor-usart.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/digicolor-usart.c b/drivers/tty/serial/digicolor-usart.c +index f460cca139e2..13ac36e2da4f 100644 +--- a/drivers/tty/serial/digicolor-usart.c ++++ b/drivers/tty/serial/digicolor-usart.c +@@ -541,7 +541,11 @@ static int __init digicolor_uart_init(void) + if (ret) + return ret; + +- return platform_driver_register(&digicolor_uart_platform); ++ ret = platform_driver_register(&digicolor_uart_platform); ++ if (ret) ++ uart_unregister_driver(&digicolor_uart); ++ ++ return ret; + } + module_init(digicolor_uart_init); + +-- +2.20.1 + diff --git a/queue-5.2/tty-serial-msm_serial-avoid-system-lockup-condition.patch b/queue-5.2/tty-serial-msm_serial-avoid-system-lockup-condition.patch new file mode 100644 index 00000000000..c311e41e9e7 --- /dev/null +++ b/queue-5.2/tty-serial-msm_serial-avoid-system-lockup-condition.patch @@ -0,0 +1,43 @@ +From 1f8b46035400afb9c687ef0f169f783ea08ecd39 Mon Sep 17 00:00:00 2001 +From: Jorge Ramirez-Ortiz +Date: Mon, 10 Jun 2019 19:23:08 +0200 +Subject: tty: serial: msm_serial: avoid system lockup condition + +[ Upstream commit ba3684f99f1b25d2a30b6956d02d339d7acb9799 ] + +The function msm_wait_for_xmitr can be taken with interrupts +disabled. In order to avoid a potential system lockup - demonstrated +under stress testing conditions on SoC QCS404/5 - make sure we wait +for a bounded amount of time. + +Tested on SoC QCS404. + +Signed-off-by: Jorge Ramirez-Ortiz +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/msm_serial.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/tty/serial/msm_serial.c b/drivers/tty/serial/msm_serial.c +index 23833ad952ba..3657a24913fc 100644 +--- a/drivers/tty/serial/msm_serial.c ++++ b/drivers/tty/serial/msm_serial.c +@@ -383,10 +383,14 @@ static void msm_request_rx_dma(struct msm_port *msm_port, resource_size_t base) + + static inline void msm_wait_for_xmitr(struct uart_port *port) + { ++ unsigned int timeout = 500000; ++ + while (!(msm_read(port, UART_SR) & UART_SR_TX_EMPTY)) { + if (msm_read(port, UART_ISR) & UART_ISR_TX_READY) + break; + udelay(1); ++ if (!timeout--) ++ break; + } + msm_write(port, UART_CR_CMD_RESET_TX_READY, UART_CR); + } +-- +2.20.1 + diff --git a/queue-5.2/tty-serial_core-set-port-active-bit-in-uart_port_act.patch b/queue-5.2/tty-serial_core-set-port-active-bit-in-uart_port_act.patch new file mode 100644 index 00000000000..8710401b104 --- /dev/null +++ b/queue-5.2/tty-serial_core-set-port-active-bit-in-uart_port_act.patch @@ -0,0 +1,71 @@ +From 1981d87fafa0c68618cbfbf3b18cda327b5fc740 Mon Sep 17 00:00:00 2001 +From: Serge Semin +Date: Wed, 8 May 2019 13:44:41 +0300 +Subject: tty: serial_core: Set port active bit in uart_port_activate + +[ Upstream commit 13b18d35909707571af9539f7731389fbf0feb31 ] + +A bug was introduced by commit b3b576461864 ("tty: serial_core: convert +uart_open to use tty_port_open"). It caused a constant warning printed +into the system log regarding the tty and port counter mismatch: + +[ 21.644197] ttyS ttySx: tty_port_close_start: tty->count = 1 port count = 2 + +in case if session hangup was detected so the warning is printed starting +from the second open-close iteration. + +Particularly the problem was discovered in situation when there is a +serial tty device without hardware back-end being setup. It is considered +by the tty-serial subsystems as a hardware problem with session hang up. +In this case uart_startup() will return a positive value with TTY_IO_ERROR +flag set in corresponding tty_struct instance. The same value will get +passed to be returned from the activate() callback and then being returned +from tty_port_open(). But since in this case tty_port_block_til_ready() +isn't called the TTY_PORT_ACTIVE flag isn't set (while the method had been +called before tty_port_open conversion was introduced and the rest of the +subsystem code expected the bit being set in this case), which prevents the +uart_hangup() method to perform any cleanups including the tty port +counter setting to zero. So the next attempt to open/close the tty device +will discover the counters mismatch. + +In order to fix the problem we need to manually set the TTY_PORT_ACTIVE +flag in case if uart_startup() returned a positive value. In this case +the hang up procedure will perform a full set of cleanup actions including +the port ref-counter resetting. + +Fixes: b3b576461864 "tty: serial_core: convert uart_open to use tty_port_open" +Signed-off-by: Serge Semin +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/serial_core.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c +index 83f4dd0bfd74..4223cb496764 100644 +--- a/drivers/tty/serial/serial_core.c ++++ b/drivers/tty/serial/serial_core.c +@@ -1777,6 +1777,7 @@ static int uart_port_activate(struct tty_port *port, struct tty_struct *tty) + { + struct uart_state *state = container_of(port, struct uart_state, port); + struct uart_port *uport; ++ int ret; + + uport = uart_port_check(state); + if (!uport || uport->flags & UPF_DEAD) +@@ -1787,7 +1788,11 @@ static int uart_port_activate(struct tty_port *port, struct tty_struct *tty) + /* + * Start up the serial port. + */ +- return uart_startup(tty, state, 0); ++ ret = uart_startup(tty, state, 0); ++ if (ret > 0) ++ tty_port_set_active(port, 1); ++ ++ return ret; + } + + static const char *uart_type(struct uart_port *port) +-- +2.20.1 + diff --git a/queue-5.2/um-silence-lockdep-complaint-about-mmap_sem.patch b/queue-5.2/um-silence-lockdep-complaint-about-mmap_sem.patch new file mode 100644 index 00000000000..28688cb1ecb --- /dev/null +++ b/queue-5.2/um-silence-lockdep-complaint-about-mmap_sem.patch @@ -0,0 +1,111 @@ +From 4737aed2a2dfdbf421079a01bfcb7851b95f36a8 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Fri, 24 May 2019 21:54:14 +0200 +Subject: um: Silence lockdep complaint about mmap_sem + +[ Upstream commit 80bf6ceaf9310b3f61934c69b382d4912deee049 ] + +When we get into activate_mm(), lockdep complains that we're doing +something strange: + + WARNING: possible circular locking dependency detected + 5.1.0-10252-gb00152307319-dirty #121 Not tainted + ------------------------------------------------------ + inside.sh/366 is trying to acquire lock: + (____ptrval____) (&(&p->alloc_lock)->rlock){+.+.}, at: flush_old_exec+0x703/0x8d7 + + but task is already holding lock: + (____ptrval____) (&mm->mmap_sem){++++}, at: flush_old_exec+0x6c5/0x8d7 + + which lock already depends on the new lock. + + the existing dependency chain (in reverse order) is: + + -> #1 (&mm->mmap_sem){++++}: + [...] + __lock_acquire+0x12ab/0x139f + lock_acquire+0x155/0x18e + down_write+0x3f/0x98 + flush_old_exec+0x748/0x8d7 + load_elf_binary+0x2ca/0xddb + [...] + + -> #0 (&(&p->alloc_lock)->rlock){+.+.}: + [...] + __lock_acquire+0x12ab/0x139f + lock_acquire+0x155/0x18e + _raw_spin_lock+0x30/0x83 + flush_old_exec+0x703/0x8d7 + load_elf_binary+0x2ca/0xddb + [...] + + other info that might help us debug this: + + Possible unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(&mm->mmap_sem); + lock(&(&p->alloc_lock)->rlock); + lock(&mm->mmap_sem); + lock(&(&p->alloc_lock)->rlock); + + *** DEADLOCK *** + + 2 locks held by inside.sh/366: + #0: (____ptrval____) (&sig->cred_guard_mutex){+.+.}, at: __do_execve_file+0x12d/0x869 + #1: (____ptrval____) (&mm->mmap_sem){++++}, at: flush_old_exec+0x6c5/0x8d7 + + stack backtrace: + CPU: 0 PID: 366 Comm: inside.sh Not tainted 5.1.0-10252-gb00152307319-dirty #121 + Stack: + [...] + Call Trace: + [<600420de>] show_stack+0x13b/0x155 + [<6048906b>] dump_stack+0x2a/0x2c + [<6009ae64>] print_circular_bug+0x332/0x343 + [<6009c5c6>] check_prev_add+0x669/0xdad + [<600a06b4>] __lock_acquire+0x12ab/0x139f + [<6009f3d0>] lock_acquire+0x155/0x18e + [<604a07e0>] _raw_spin_lock+0x30/0x83 + [<60151e6a>] flush_old_exec+0x703/0x8d7 + [<601a8eb8>] load_elf_binary+0x2ca/0xddb + [...] + +I think it's because in exec_mmap() we have + + down_read(&old_mm->mmap_sem); +... + task_lock(tsk); +... + activate_mm(active_mm, mm); + (which does down_write(&mm->mmap_sem)) + +I'm not really sure why lockdep throws in the whole knowledge +about the task lock, but it seems that old_mm and mm shouldn't +ever be the same (and it doesn't deadlock) so tell lockdep that +they're different. + +Signed-off-by: Johannes Berg +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + arch/um/include/asm/mmu_context.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/um/include/asm/mmu_context.h b/arch/um/include/asm/mmu_context.h +index 9f4b4bb78120..00cefd33afdd 100644 +--- a/arch/um/include/asm/mmu_context.h ++++ b/arch/um/include/asm/mmu_context.h +@@ -52,7 +52,7 @@ static inline void activate_mm(struct mm_struct *old, struct mm_struct *new) + * when the new ->mm is used for the first time. + */ + __switch_mm(&new->context.id); +- down_write(&new->mmap_sem); ++ down_write_nested(&new->mmap_sem, 1); + uml_setup_stubs(new); + up_write(&new->mmap_sem); + } +-- +2.20.1 + diff --git a/queue-5.2/usb-core-hub-disable-hub-initiated-u1-u2.patch b/queue-5.2/usb-core-hub-disable-hub-initiated-u1-u2.patch new file mode 100644 index 00000000000..85902a3edcd --- /dev/null +++ b/queue-5.2/usb-core-hub-disable-hub-initiated-u1-u2.patch @@ -0,0 +1,81 @@ +From 003f464a89bf9762f3b24f60411e513fcdb25c71 Mon Sep 17 00:00:00 2001 +From: Thinh Nguyen +Date: Tue, 14 May 2019 14:38:38 -0700 +Subject: usb: core: hub: Disable hub-initiated U1/U2 + +[ Upstream commit 561759292774707b71ee61aecc07724905bb7ef1 ] + +If the device rejects the control transfer to enable device-initiated +U1/U2 entry, then the device will not initiate U1/U2 transition. To +improve the performance, the downstream port should not initate +transition to U1/U2 to avoid the delay from the device link command +response (no packet can be transmitted while waiting for a response from +the device). If the device has some quirks and does not implement U1/U2, +it may reject all the link state change requests, and the downstream +port may resend and flood the bus with more requests. This will affect +the device performance even further. This patch disables the +hub-initated U1/U2 if the device-initiated U1/U2 entry fails. + +Reference: USB 3.2 spec 7.2.4.2.3 + +Signed-off-by: Thinh Nguyen +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/core/hub.c | 28 ++++++++++++++++------------ + 1 file changed, 16 insertions(+), 12 deletions(-) + +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c +index 2c8e60c7dbd8..2844366dc173 100644 +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -4002,6 +4002,9 @@ static int usb_set_lpm_timeout(struct usb_device *udev, + * control transfers to set the hub timeout or enable device-initiated U1/U2 + * will be successful. + * ++ * If the control transfer to enable device-initiated U1/U2 entry fails, then ++ * hub-initiated U1/U2 will be disabled. ++ * + * If we cannot set the parent hub U1/U2 timeout, we attempt to let the xHCI + * driver know about it. If that call fails, it should be harmless, and just + * take up more slightly more bus bandwidth for unnecessary U1/U2 exit latency. +@@ -4056,23 +4059,24 @@ static void usb_enable_link_state(struct usb_hcd *hcd, struct usb_device *udev, + * host know that this link state won't be enabled. + */ + hcd->driver->disable_usb3_lpm_timeout(hcd, udev, state); +- } else { +- /* Only a configured device will accept the Set Feature +- * U1/U2_ENABLE +- */ +- if (udev->actconfig) +- usb_set_device_initiated_lpm(udev, state, true); ++ return; ++ } + +- /* As soon as usb_set_lpm_timeout(timeout) returns 0, the +- * hub-initiated LPM is enabled. Thus, LPM is enabled no +- * matter the result of usb_set_device_initiated_lpm(). +- * The only difference is whether device is able to initiate +- * LPM. +- */ ++ /* Only a configured device will accept the Set Feature ++ * U1/U2_ENABLE ++ */ ++ if (udev->actconfig && ++ usb_set_device_initiated_lpm(udev, state, true) == 0) { + if (state == USB3_LPM_U1) + udev->usb3_lpm_u1_enabled = 1; + else if (state == USB3_LPM_U2) + udev->usb3_lpm_u2_enabled = 1; ++ } else { ++ /* Don't request U1/U2 entry if the device ++ * cannot transition to U1/U2. ++ */ ++ usb_set_lpm_timeout(udev, state, 0); ++ hcd->driver->disable_usb3_lpm_timeout(hcd, udev, state); + } + } + +-- +2.20.1 + diff --git a/queue-5.2/usb-dwc3-fix-core-validation-in-probe-move-after-clo.patch b/queue-5.2/usb-dwc3-fix-core-validation-in-probe-move-after-clo.patch new file mode 100644 index 00000000000..73659175198 --- /dev/null +++ b/queue-5.2/usb-dwc3-fix-core-validation-in-probe-move-after-clo.patch @@ -0,0 +1,71 @@ +From 7859e50c2b4848eecbbce6eeb96e2a9015105805 Mon Sep 17 00:00:00 2001 +From: Enric Balletbo i Serra +Date: Thu, 13 Jun 2019 17:01:07 +0200 +Subject: usb: dwc3: Fix core validation in probe, move after clocks are + enabled + +[ Upstream commit dc1b5d9aed1794b5a1c6b0da46e372cc09974cbc ] + +The required clocks needs to be enabled before the first register +access. After commit fe8abf332b8f ("usb: dwc3: support clocks and resets +for DWC3 core"), this happens when the dwc3_core_is_valid function is +called, but the mentioned commit adds that call in the wrong place, +before the clocks are enabled. So, move that call after the +clk_bulk_enable() to ensure the clocks are enabled and the reset +deasserted. + +I detected this while, as experiment, I tried to move the clocks and resets +from the glue layer to the DWC3 core on a Samsung Chromebook Plus. + +That was not detected before because, in most cases, the glue layer +initializes SoC-specific things and then populates the child "snps,dwc3" +with those clocks already enabled. + +Fixes: b873e2d0ea1ef ("usb: dwc3: Do core validation early on probe") +Signed-off-by: Enric Balletbo i Serra +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/core.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c +index 4aff1d8dbc4f..6e9e172010fc 100644 +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -1423,11 +1423,6 @@ static int dwc3_probe(struct platform_device *pdev) + dwc->regs = regs; + dwc->regs_size = resource_size(&dwc_res); + +- if (!dwc3_core_is_valid(dwc)) { +- dev_err(dwc->dev, "this is not a DesignWare USB3 DRD Core\n"); +- return -ENODEV; +- } +- + dwc3_get_properties(dwc); + + dwc->reset = devm_reset_control_get_optional_shared(dev, NULL); +@@ -1460,6 +1455,12 @@ static int dwc3_probe(struct platform_device *pdev) + if (ret) + goto unprepare_clks; + ++ if (!dwc3_core_is_valid(dwc)) { ++ dev_err(dwc->dev, "this is not a DesignWare USB3 DRD Core\n"); ++ ret = -ENODEV; ++ goto disable_clks; ++ } ++ + platform_set_drvdata(pdev, dwc); + dwc3_cache_hwparams(dwc); + +@@ -1525,6 +1526,7 @@ static int dwc3_probe(struct platform_device *pdev) + pm_runtime_put_sync(&pdev->dev); + pm_runtime_disable(&pdev->dev); + ++disable_clks: + clk_bulk_disable(dwc->num_clks, dwc->clks); + unprepare_clks: + clk_bulk_unprepare(dwc->num_clks, dwc->clks); +-- +2.20.1 + diff --git a/queue-5.2/usb-gadget-zero-ffs_io_data.patch b/queue-5.2/usb-gadget-zero-ffs_io_data.patch new file mode 100644 index 00000000000..9cbab3a0927 --- /dev/null +++ b/queue-5.2/usb-gadget-zero-ffs_io_data.patch @@ -0,0 +1,57 @@ +From 005b79d66ba9e188a571cdd1712fadc5071bf556 Mon Sep 17 00:00:00 2001 +From: Andrzej Pietrasiewicz +Date: Mon, 3 Jun 2019 19:05:28 +0200 +Subject: usb: gadget: Zero ffs_io_data + +[ Upstream commit 508595515f4bcfe36246e4a565cf280937aeaade ] + +In some cases the "Allocate & copy" block in ffs_epfile_io() is not +executed. Consequently, in such a case ffs_alloc_buffer() is never called +and struct ffs_io_data is not initialized properly. This in turn leads to +problems when ffs_free_buffer() is called at the end of ffs_epfile_io(). + +This patch uses kzalloc() instead of kmalloc() in the aio case and memset() +in non-aio case to properly initialize struct ffs_io_data. + +Signed-off-by: Andrzej Pietrasiewicz +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/f_fs.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c +index c7ed90084d1a..213ff03c8a9f 100644 +--- a/drivers/usb/gadget/function/f_fs.c ++++ b/drivers/usb/gadget/function/f_fs.c +@@ -1183,11 +1183,12 @@ static ssize_t ffs_epfile_write_iter(struct kiocb *kiocb, struct iov_iter *from) + ENTER(); + + if (!is_sync_kiocb(kiocb)) { +- p = kmalloc(sizeof(io_data), GFP_KERNEL); ++ p = kzalloc(sizeof(io_data), GFP_KERNEL); + if (unlikely(!p)) + return -ENOMEM; + p->aio = true; + } else { ++ memset(p, 0, sizeof(*p)); + p->aio = false; + } + +@@ -1219,11 +1220,12 @@ static ssize_t ffs_epfile_read_iter(struct kiocb *kiocb, struct iov_iter *to) + ENTER(); + + if (!is_sync_kiocb(kiocb)) { +- p = kmalloc(sizeof(io_data), GFP_KERNEL); ++ p = kzalloc(sizeof(io_data), GFP_KERNEL); + if (unlikely(!p)) + return -ENOMEM; + p->aio = true; + } else { ++ memset(p, 0, sizeof(*p)); + p->aio = false; + } + +-- +2.20.1 +