From: Sasha Levin Date: Wed, 14 Aug 2019 02:33:31 +0000 (-0400) Subject: fixes for 4.14 X-Git-Tag: v5.2.9~13 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f3a7586fb6671e4a8d43c820ec946c3728e83b7e;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/acpi-iort-fix-off-by-one-check-in-iort_dev_find_its_.patch b/queue-4.14/acpi-iort-fix-off-by-one-check-in-iort_dev_find_its_.patch new file mode 100644 index 00000000000..0c0810517d5 --- /dev/null +++ b/queue-4.14/acpi-iort-fix-off-by-one-check-in-iort_dev_find_its_.patch @@ -0,0 +1,48 @@ +From e7252cd8dbf39dfcd335e253b44992761a08a37d Mon Sep 17 00:00:00 2001 +From: Lorenzo Pieralisi +Date: Mon, 22 Jul 2019 17:25:48 +0100 +Subject: ACPI/IORT: Fix off-by-one check in iort_dev_find_its_id() + +[ Upstream commit 5a46d3f71d5e5a9f82eabc682f996f1281705ac7 ] + +Static analysis identified that index comparison against ITS entries in +iort_dev_find_its_id() is off by one. + +Update the comparison condition and clarify the resulting error +message. + +Fixes: 4bf2efd26d76 ("ACPI: Add new IORT functions to support MSI domain handling") +Link: https://lore.kernel.org/linux-arm-kernel/20190613065410.GB16334@mwanda/ +Reviewed-by: Hanjun Guo +Reported-by: Dan Carpenter +Signed-off-by: Lorenzo Pieralisi +Cc: Dan Carpenter +Cc: Will Deacon +Cc: Hanjun Guo +Cc: Sudeep Holla +Cc: Catalin Marinas +Cc: Robin Murphy +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/acpi/arm64/iort.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/acpi/arm64/iort.c b/drivers/acpi/arm64/iort.c +index ca414910710ea..b0a7afd4e7d35 100644 +--- a/drivers/acpi/arm64/iort.c ++++ b/drivers/acpi/arm64/iort.c +@@ -506,8 +506,8 @@ static int iort_dev_find_its_id(struct device *dev, u32 req_id, + + /* Move to ITS specific data */ + its = (struct acpi_iort_its_group *)node->node_data; +- if (idx > its->its_count) { +- dev_err(dev, "requested ITS ID index [%d] is greater than available [%d]\n", ++ if (idx >= its->its_count) { ++ dev_err(dev, "requested ITS ID index [%d] overruns ITS entries [%d]\n", + idx, its->its_count); + return -ENXIO; + } +-- +2.20.1 + diff --git a/queue-4.14/alsa-compress-be-more-restrictive-about-when-a-drain.patch b/queue-4.14/alsa-compress-be-more-restrictive-about-when-a-drain.patch new file mode 100644 index 00000000000..f38d80c6a2d --- /dev/null +++ b/queue-4.14/alsa-compress-be-more-restrictive-about-when-a-drain.patch @@ -0,0 +1,49 @@ +From 065dcb8770186ead2575e121d081e9a14ecab49a Mon Sep 17 00:00:00 2001 +From: Charles Keepax +Date: Mon, 22 Jul 2019 10:24:36 +0100 +Subject: ALSA: compress: Be more restrictive about when a drain is allowed + +[ Upstream commit 3b8179944cb0dd53e5223996966746cdc8a60657 ] + +Draining makes little sense in the situation of hardware overrun, as the +hardware will have consumed all its available samples. Additionally, +draining whilst the stream is paused would presumably get stuck as no +data is being consumed on the DSP side. + +Signed-off-by: Charles Keepax +Acked-by: Vinod Koul +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/compress_offload.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c +index b4f1536b17cb5..2e2d184684911 100644 +--- a/sound/core/compress_offload.c ++++ b/sound/core/compress_offload.c +@@ -812,7 +812,10 @@ static int snd_compr_drain(struct snd_compr_stream *stream) + case SNDRV_PCM_STATE_OPEN: + case SNDRV_PCM_STATE_SETUP: + case SNDRV_PCM_STATE_PREPARED: ++ case SNDRV_PCM_STATE_PAUSED: + return -EPERM; ++ case SNDRV_PCM_STATE_XRUN: ++ return -EPIPE; + default: + break; + } +@@ -861,7 +864,10 @@ static int snd_compr_partial_drain(struct snd_compr_stream *stream) + case SNDRV_PCM_STATE_OPEN: + case SNDRV_PCM_STATE_SETUP: + case SNDRV_PCM_STATE_PREPARED: ++ case SNDRV_PCM_STATE_PAUSED: + return -EPERM; ++ case SNDRV_PCM_STATE_XRUN: ++ return -EPIPE; + default: + break; + } +-- +2.20.1 + diff --git a/queue-4.14/alsa-compress-don-t-allow-paritial-drain-operations-.patch b/queue-4.14/alsa-compress-don-t-allow-paritial-drain-operations-.patch new file mode 100644 index 00000000000..66202167260 --- /dev/null +++ b/queue-4.14/alsa-compress-don-t-allow-paritial-drain-operations-.patch @@ -0,0 +1,49 @@ +From 2d84d910d41f351cc75e13d604184bc78c71e0a5 Mon Sep 17 00:00:00 2001 +From: Charles Keepax +Date: Mon, 22 Jul 2019 10:24:35 +0100 +Subject: ALSA: compress: Don't allow paritial drain operations on capture + streams + +[ Upstream commit a70ab8a8645083f3700814e757f2940a88b7ef88 ] + +Partial drain and next track are intended for gapless playback and +don't really have an obvious interpretation for a capture stream, so +makes sense to not allow those operations on capture streams. + +Signed-off-by: Charles Keepax +Acked-by: Vinod Koul +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/compress_offload.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c +index 1538fbc7562b8..b4f1536b17cb5 100644 +--- a/sound/core/compress_offload.c ++++ b/sound/core/compress_offload.c +@@ -835,6 +835,10 @@ static int snd_compr_next_track(struct snd_compr_stream *stream) + if (stream->runtime->state != SNDRV_PCM_STATE_RUNNING) + return -EPERM; + ++ /* next track doesn't have any meaning for capture streams */ ++ if (stream->direction == SND_COMPRESS_CAPTURE) ++ return -EPERM; ++ + /* you can signal next track if this is intended to be a gapless stream + * and current track metadata is set + */ +@@ -862,6 +866,10 @@ static int snd_compr_partial_drain(struct snd_compr_stream *stream) + break; + } + ++ /* partial drain doesn't have any meaning for capture streams */ ++ if (stream->direction == SND_COMPRESS_CAPTURE) ++ return -EPERM; ++ + /* stream can be drained only when next track has been signalled */ + if (stream->next_track == false) + return -EPERM; +-- +2.20.1 + diff --git a/queue-4.14/alsa-compress-fix-regression-on-compressed-capture-s.patch b/queue-4.14/alsa-compress-fix-regression-on-compressed-capture-s.patch new file mode 100644 index 00000000000..95315766bb9 --- /dev/null +++ b/queue-4.14/alsa-compress-fix-regression-on-compressed-capture-s.patch @@ -0,0 +1,82 @@ +From c010c4d80d1c6689f4c01202ccf1ca731937e8a5 Mon Sep 17 00:00:00 2001 +From: Charles Keepax +Date: Mon, 22 Jul 2019 10:24:33 +0100 +Subject: ALSA: compress: Fix regression on compressed capture streams + +[ Upstream commit 4475f8c4ab7b248991a60d9c02808dbb813d6be8 ] + +A previous fix to the stop handling on compressed capture streams causes +some knock on issues. The previous fix updated snd_compr_drain_notify to +set the state back to PREPARED for capture streams. This causes some +issues however as the handling for snd_compr_poll differs between the +two states and some user-space applications were relying on the poll +failing after the stream had been stopped. + +To correct this regression whilst still fixing the original problem the +patch was addressing, update the capture handling to skip the PREPARED +state rather than skipping the SETUP state as it has done until now. + +Fixes: 4f2ab5e1d13d ("ALSA: compress: Fix stop handling on compressed capture streams") +Signed-off-by: Charles Keepax +Acked-by: Vinod Koul +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + include/sound/compress_driver.h | 5 +---- + sound/core/compress_offload.c | 16 +++++++++++----- + 2 files changed, 12 insertions(+), 9 deletions(-) + +diff --git a/include/sound/compress_driver.h b/include/sound/compress_driver.h +index 392bac18398ba..33a07c3badf01 100644 +--- a/include/sound/compress_driver.h ++++ b/include/sound/compress_driver.h +@@ -186,10 +186,7 @@ static inline void snd_compr_drain_notify(struct snd_compr_stream *stream) + if (snd_BUG_ON(!stream)) + return; + +- if (stream->direction == SND_COMPRESS_PLAYBACK) +- stream->runtime->state = SNDRV_PCM_STATE_SETUP; +- else +- stream->runtime->state = SNDRV_PCM_STATE_PREPARED; ++ stream->runtime->state = SNDRV_PCM_STATE_SETUP; + + wake_up(&stream->runtime->sleep); + } +diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c +index 555df64d46ffc..cf1317546b0ff 100644 +--- a/sound/core/compress_offload.c ++++ b/sound/core/compress_offload.c +@@ -575,10 +575,7 @@ snd_compr_set_params(struct snd_compr_stream *stream, unsigned long arg) + stream->metadata_set = false; + stream->next_track = false; + +- if (stream->direction == SND_COMPRESS_PLAYBACK) +- stream->runtime->state = SNDRV_PCM_STATE_SETUP; +- else +- stream->runtime->state = SNDRV_PCM_STATE_PREPARED; ++ stream->runtime->state = SNDRV_PCM_STATE_SETUP; + } else { + return -EPERM; + } +@@ -694,8 +691,17 @@ static int snd_compr_start(struct snd_compr_stream *stream) + { + int retval; + +- if (stream->runtime->state != SNDRV_PCM_STATE_PREPARED) ++ switch (stream->runtime->state) { ++ case SNDRV_PCM_STATE_SETUP: ++ if (stream->direction != SND_COMPRESS_CAPTURE) ++ return -EPERM; ++ break; ++ case SNDRV_PCM_STATE_PREPARED: ++ break; ++ default: + return -EPERM; ++ } ++ + retval = stream->ops->trigger(stream, SNDRV_PCM_TRIGGER_START); + if (!retval) + stream->runtime->state = SNDRV_PCM_STATE_RUNNING; +-- +2.20.1 + diff --git a/queue-4.14/alsa-compress-prevent-bypasses-of-set_params.patch b/queue-4.14/alsa-compress-prevent-bypasses-of-set_params.patch new file mode 100644 index 00000000000..f8aa8696c6c --- /dev/null +++ b/queue-4.14/alsa-compress-prevent-bypasses-of-set_params.patch @@ -0,0 +1,83 @@ +From 2065e6aa03a1619956e6c8e59289e66d0049cf7d Mon Sep 17 00:00:00 2001 +From: Charles Keepax +Date: Mon, 22 Jul 2019 10:24:34 +0100 +Subject: ALSA: compress: Prevent bypasses of set_params + +[ Upstream commit 26c3f1542f5064310ad26794c09321780d00c57d ] + +Currently, whilst in SNDRV_PCM_STATE_OPEN it is possible to call +snd_compr_stop, snd_compr_drain and snd_compr_partial_drain, which +allow a transition to SNDRV_PCM_STATE_SETUP. The stream should +only be able to move to the setup state once it has received a +SNDRV_COMPRESS_SET_PARAMS ioctl. Fix this issue by not allowing +those ioctls whilst in the open state. + +Signed-off-by: Charles Keepax +Acked-by: Vinod Koul +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/compress_offload.c | 30 ++++++++++++++++++++++++------ + 1 file changed, 24 insertions(+), 6 deletions(-) + +diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c +index cf1317546b0ff..1538fbc7562b8 100644 +--- a/sound/core/compress_offload.c ++++ b/sound/core/compress_offload.c +@@ -712,9 +712,15 @@ static int snd_compr_stop(struct snd_compr_stream *stream) + { + int retval; + +- if (stream->runtime->state == SNDRV_PCM_STATE_PREPARED || +- stream->runtime->state == SNDRV_PCM_STATE_SETUP) ++ switch (stream->runtime->state) { ++ case SNDRV_PCM_STATE_OPEN: ++ case SNDRV_PCM_STATE_SETUP: ++ case SNDRV_PCM_STATE_PREPARED: + return -EPERM; ++ default: ++ break; ++ } ++ + retval = stream->ops->trigger(stream, SNDRV_PCM_TRIGGER_STOP); + if (!retval) { + snd_compr_drain_notify(stream); +@@ -802,9 +808,14 @@ static int snd_compr_drain(struct snd_compr_stream *stream) + { + int retval; + +- if (stream->runtime->state == SNDRV_PCM_STATE_PREPARED || +- stream->runtime->state == SNDRV_PCM_STATE_SETUP) ++ switch (stream->runtime->state) { ++ case SNDRV_PCM_STATE_OPEN: ++ case SNDRV_PCM_STATE_SETUP: ++ case SNDRV_PCM_STATE_PREPARED: + return -EPERM; ++ default: ++ break; ++ } + + retval = stream->ops->trigger(stream, SND_COMPR_TRIGGER_DRAIN); + if (retval) { +@@ -841,9 +852,16 @@ static int snd_compr_next_track(struct snd_compr_stream *stream) + static int snd_compr_partial_drain(struct snd_compr_stream *stream) + { + int retval; +- if (stream->runtime->state == SNDRV_PCM_STATE_PREPARED || +- stream->runtime->state == SNDRV_PCM_STATE_SETUP) ++ ++ switch (stream->runtime->state) { ++ case SNDRV_PCM_STATE_OPEN: ++ case SNDRV_PCM_STATE_SETUP: ++ case SNDRV_PCM_STATE_PREPARED: + return -EPERM; ++ default: ++ break; ++ } ++ + /* stream can be drained only when next track has been signalled */ + if (stream->next_track == false) + return -EPERM; +-- +2.20.1 + diff --git a/queue-4.14/arm-davinci-fix-sleep.s-build-error-on-armv4.patch b/queue-4.14/arm-davinci-fix-sleep.s-build-error-on-armv4.patch new file mode 100644 index 00000000000..f6a4ae852d9 --- /dev/null +++ b/queue-4.14/arm-davinci-fix-sleep.s-build-error-on-armv4.patch @@ -0,0 +1,40 @@ +From 4d54ebda5b38e3fcec4e79a4adf6955f9a629f97 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Mon, 22 Jul 2019 16:51:50 +0200 +Subject: ARM: davinci: fix sleep.S build error on ARMv4 + +[ Upstream commit d64b212ea960db4276a1d8372bd98cb861dfcbb0 ] + +When building a multiplatform kernel that includes armv4 support, +the default target CPU does not support the blx instruction, +which leads to a build failure: + +arch/arm/mach-davinci/sleep.S: Assembler messages: +arch/arm/mach-davinci/sleep.S:56: Error: selected processor does not support `blx ip' in ARM mode + +Add a .arch statement in the sources to make this file build. + +Link: https://lore.kernel.org/r/20190722145211.1154785-1-arnd@arndb.de +Acked-by: Sekhar Nori +Signed-off-by: Arnd Bergmann +Signed-off-by: Olof Johansson +Signed-off-by: Sasha Levin +--- + arch/arm/mach-davinci/sleep.S | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm/mach-davinci/sleep.S b/arch/arm/mach-davinci/sleep.S +index cd350dee4df37..efcd400b2abb3 100644 +--- a/arch/arm/mach-davinci/sleep.S ++++ b/arch/arm/mach-davinci/sleep.S +@@ -37,6 +37,7 @@ + #define DEEPSLEEP_SLEEPENABLE_BIT BIT(31) + + .text ++ .arch armv5te + /* + * Move DaVinci into deep sleep state + * +-- +2.20.1 + diff --git a/queue-4.14/cpufreq-pasemi-fix-use-after-free-in-pas_cpufreq_cpu.patch b/queue-4.14/cpufreq-pasemi-fix-use-after-free-in-pas_cpufreq_cpu.patch new file mode 100644 index 00000000000..2c06534702e --- /dev/null +++ b/queue-4.14/cpufreq-pasemi-fix-use-after-free-in-pas_cpufreq_cpu.patch @@ -0,0 +1,73 @@ +From 991065fd1d6fcbe6e8949ac0808111ca58f28f8e Mon Sep 17 00:00:00 2001 +From: Wen Yang +Date: Wed, 17 Jul 2019 11:55:04 +0800 +Subject: cpufreq/pasemi: fix use-after-free in pas_cpufreq_cpu_init() + +[ Upstream commit e0a12445d1cb186d875410d093a00d215bec6a89 ] + +The cpu variable is still being used in the of_get_property() call +after the of_node_put() call, which may result in use-after-free. + +Fixes: a9acc26b75f6 ("cpufreq/pasemi: fix possible object reference leak") +Signed-off-by: Wen Yang +Acked-by: Viresh Kumar +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/pasemi-cpufreq.c | 23 +++++++++-------------- + 1 file changed, 9 insertions(+), 14 deletions(-) + +diff --git a/drivers/cpufreq/pasemi-cpufreq.c b/drivers/cpufreq/pasemi-cpufreq.c +index 8456492124f0c..d1bdd8f622476 100644 +--- a/drivers/cpufreq/pasemi-cpufreq.c ++++ b/drivers/cpufreq/pasemi-cpufreq.c +@@ -145,10 +145,18 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy *policy) + int err = -ENODEV; + + cpu = of_get_cpu_node(policy->cpu, NULL); ++ if (!cpu) ++ goto out; + ++ max_freqp = of_get_property(cpu, "clock-frequency", NULL); + of_node_put(cpu); +- if (!cpu) ++ if (!max_freqp) { ++ err = -EINVAL; + goto out; ++ } ++ ++ /* we need the freq in kHz */ ++ max_freq = *max_freqp / 1000; + + dn = of_find_compatible_node(NULL, NULL, "1682m-sdc"); + if (!dn) +@@ -185,16 +193,6 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy *policy) + } + + pr_debug("init cpufreq on CPU %d\n", policy->cpu); +- +- max_freqp = of_get_property(cpu, "clock-frequency", NULL); +- if (!max_freqp) { +- err = -EINVAL; +- goto out_unmap_sdcpwr; +- } +- +- /* we need the freq in kHz */ +- max_freq = *max_freqp / 1000; +- + pr_debug("max clock-frequency is at %u kHz\n", max_freq); + pr_debug("initializing frequency table\n"); + +@@ -212,9 +210,6 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy *policy) + + return cpufreq_generic_init(policy, pas_freqs, get_gizmo_latency()); + +-out_unmap_sdcpwr: +- iounmap(sdcpwr_mapbase); +- + out_unmap_sdcasr: + iounmap(sdcasr_mapbase); + out: +-- +2.20.1 + diff --git a/queue-4.14/drbd-dynamically-allocate-shash-descriptor.patch b/queue-4.14/drbd-dynamically-allocate-shash-descriptor.patch new file mode 100644 index 00000000000..8bcc7b80379 --- /dev/null +++ b/queue-4.14/drbd-dynamically-allocate-shash-descriptor.patch @@ -0,0 +1,69 @@ +From 0d2669a69810c9cf62d5bde4f57d4f8ebb31615c Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Mon, 22 Jul 2019 14:26:34 +0200 +Subject: drbd: dynamically allocate shash descriptor + +[ Upstream commit 77ce56e2bfaa64127ae5e23ef136c0168b818777 ] + +Building with clang and KASAN, we get a warning about an overly large +stack frame on 32-bit architectures: + +drivers/block/drbd/drbd_receiver.c:921:31: error: stack frame size of 1280 bytes in function 'conn_connect' + [-Werror,-Wframe-larger-than=] + +We already allocate other data dynamically in this function, so +just do the same for the shash descriptor, which makes up most of +this memory. + +Link: https://lore.kernel.org/lkml/20190617132440.2721536-1-arnd@arndb.de/ +Reviewed-by: Kees Cook +Reviewed-by: Roland Kammerer +Signed-off-by: Arnd Bergmann +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/drbd/drbd_receiver.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/drivers/block/drbd/drbd_receiver.c b/drivers/block/drbd/drbd_receiver.c +index 1aad373da50e2..8fbdfaacc2226 100644 +--- a/drivers/block/drbd/drbd_receiver.c ++++ b/drivers/block/drbd/drbd_receiver.c +@@ -5237,7 +5237,7 @@ static int drbd_do_auth(struct drbd_connection *connection) + unsigned int key_len; + char secret[SHARED_SECRET_MAX]; /* 64 byte */ + unsigned int resp_size; +- SHASH_DESC_ON_STACK(desc, connection->cram_hmac_tfm); ++ struct shash_desc *desc; + struct packet_info pi; + struct net_conf *nc; + int err, rv; +@@ -5250,6 +5250,13 @@ static int drbd_do_auth(struct drbd_connection *connection) + memcpy(secret, nc->shared_secret, key_len); + rcu_read_unlock(); + ++ desc = kmalloc(sizeof(struct shash_desc) + ++ crypto_shash_descsize(connection->cram_hmac_tfm), ++ GFP_KERNEL); ++ if (!desc) { ++ rv = -1; ++ goto fail; ++ } + desc->tfm = connection->cram_hmac_tfm; + desc->flags = 0; + +@@ -5392,7 +5399,10 @@ static int drbd_do_auth(struct drbd_connection *connection) + kfree(peers_ch); + kfree(response); + kfree(right_response); +- shash_desc_zero(desc); ++ if (desc) { ++ shash_desc_zero(desc); ++ kfree(desc); ++ } + + return rv; + } +-- +2.20.1 + diff --git a/queue-4.14/drm-silence-variable-conn-set-but-not-used.patch b/queue-4.14/drm-silence-variable-conn-set-but-not-used.patch new file mode 100644 index 00000000000..c266865da6b --- /dev/null +++ b/queue-4.14/drm-silence-variable-conn-set-but-not-used.patch @@ -0,0 +1,41 @@ +From 66b3e17ff0e5f33f9822d5338d4558aa00465fc6 Mon Sep 17 00:00:00 2001 +From: Qian Cai +Date: Mon, 22 Jul 2019 15:14:46 -0400 +Subject: drm: silence variable 'conn' set but not used + +[ Upstream commit bbb6fc43f131f77fcb7ae8081f6d7c51396a2120 ] + +The "struct drm_connector" iteration cursor from +"for_each_new_connector_in_state" is never used in atomic_remove_fb() +which generates a compilation warning, + +drivers/gpu/drm/drm_framebuffer.c: In function 'atomic_remove_fb': +drivers/gpu/drm/drm_framebuffer.c:838:24: warning: variable 'conn' set +but not used [-Wunused-but-set-variable] + +Silence it by marking "conn" __maybe_unused. + +Signed-off-by: Qian Cai +Signed-off-by: Sean Paul +Link: https://patchwork.freedesktop.org/patch/msgid/1563822886-13570-1-git-send-email-cai@lca.pw +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_framebuffer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/drm_framebuffer.c b/drivers/gpu/drm/drm_framebuffer.c +index c21e10c780ac5..af40189cdb60c 100644 +--- a/drivers/gpu/drm/drm_framebuffer.c ++++ b/drivers/gpu/drm/drm_framebuffer.c +@@ -773,7 +773,7 @@ static int atomic_remove_fb(struct drm_framebuffer *fb) + struct drm_device *dev = fb->dev; + struct drm_atomic_state *state; + struct drm_plane *plane; +- struct drm_connector *conn; ++ struct drm_connector *conn __maybe_unused; + struct drm_connector_state *conn_state; + int i, ret = 0; + unsigned plane_mask; +-- +2.20.1 + diff --git a/queue-4.14/hwmon-nct6775-fix-register-address-and-added-missed-.patch b/queue-4.14/hwmon-nct6775-fix-register-address-and-added-missed-.patch new file mode 100644 index 00000000000..d42e48bd473 --- /dev/null +++ b/queue-4.14/hwmon-nct6775-fix-register-address-and-added-missed-.patch @@ -0,0 +1,43 @@ +From 8bc9f2dccf20329b64674b86df303d9eff72b040 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Bj=C3=B6rn=20Gerhart?= +Date: Mon, 15 Jul 2019 18:33:55 +0200 +Subject: hwmon: (nct6775) Fix register address and added missed tolerance for + nct6106 + +[ Upstream commit f3d43e2e45fd9d44ba52d20debd12cd4ee9c89bf ] + +Fixed address of third NCT6106_REG_WEIGHT_DUTY_STEP, and +added missed NCT6106_REG_TOLERANCE_H. + +Fixes: 6c009501ff200 ("hwmon: (nct6775) Add support for NCT6102D/6106D") +Signed-off-by: Bjoern Gerhart +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/nct6775.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/hwmon/nct6775.c b/drivers/hwmon/nct6775.c +index ca9941fa741b7..7e14143ed1191 100644 +--- a/drivers/hwmon/nct6775.c ++++ b/drivers/hwmon/nct6775.c +@@ -769,7 +769,7 @@ static const u16 NCT6106_REG_TARGET[] = { 0x111, 0x121, 0x131 }; + static const u16 NCT6106_REG_WEIGHT_TEMP_SEL[] = { 0x168, 0x178, 0x188 }; + static const u16 NCT6106_REG_WEIGHT_TEMP_STEP[] = { 0x169, 0x179, 0x189 }; + static const u16 NCT6106_REG_WEIGHT_TEMP_STEP_TOL[] = { 0x16a, 0x17a, 0x18a }; +-static const u16 NCT6106_REG_WEIGHT_DUTY_STEP[] = { 0x16b, 0x17b, 0x17c }; ++static const u16 NCT6106_REG_WEIGHT_DUTY_STEP[] = { 0x16b, 0x17b, 0x18b }; + static const u16 NCT6106_REG_WEIGHT_TEMP_BASE[] = { 0x16c, 0x17c, 0x18c }; + static const u16 NCT6106_REG_WEIGHT_DUTY_BASE[] = { 0x16d, 0x17d, 0x18d }; + +@@ -3592,6 +3592,7 @@ static int nct6775_probe(struct platform_device *pdev) + data->REG_FAN_TIME[0] = NCT6106_REG_FAN_STOP_TIME; + data->REG_FAN_TIME[1] = NCT6106_REG_FAN_STEP_UP_TIME; + data->REG_FAN_TIME[2] = NCT6106_REG_FAN_STEP_DOWN_TIME; ++ data->REG_TOLERANCE_H = NCT6106_REG_TOLERANCE_H; + data->REG_PWM[0] = NCT6106_REG_PWM; + data->REG_PWM[1] = NCT6106_REG_FAN_START_OUTPUT; + data->REG_PWM[2] = NCT6106_REG_FAN_STOP_OUTPUT; +-- +2.20.1 + diff --git a/queue-4.14/iscsi_ibft-make-iscsi_ibft-dependson-acpi-instead-of.patch b/queue-4.14/iscsi_ibft-make-iscsi_ibft-dependson-acpi-instead-of.patch new file mode 100644 index 00000000000..e3d5a232403 --- /dev/null +++ b/queue-4.14/iscsi_ibft-make-iscsi_ibft-dependson-acpi-instead-of.patch @@ -0,0 +1,70 @@ +From 1372129d91147a1bbdffc063067d9653a427b9f8 Mon Sep 17 00:00:00 2001 +From: Thomas Tai +Date: Thu, 18 Jul 2019 18:37:34 +0000 +Subject: iscsi_ibft: make ISCSI_IBFT dependson ACPI instead of ISCSI_IBFT_FIND + +[ Upstream commit 94bccc34071094c165c79b515d21b63c78f7e968 ] + +iscsi_ibft can use ACPI to find the iBFT entry during bootup, +currently, ISCSI_IBFT depends on ISCSI_IBFT_FIND which is +a X86 legacy way to find the iBFT by searching through the +low memory. This patch changes the dependency so that other +arch like ARM64 can use ISCSI_IBFT as long as the arch supports +ACPI. + +ibft_init() needs to use the global variable ibft_addr declared +in iscsi_ibft_find.c. A #ifndef CONFIG_ISCSI_IBFT_FIND is needed +to declare the variable if CONFIG_ISCSI_IBFT_FIND is not selected. +Moving ibft_addr into the iscsi_ibft.c does not work because if +ISCSI_IBFT is selected as a module, the arch/x86/kernel/setup.c won't +be able to find the variable at compile time. + +Signed-off-by: Thomas Tai +Signed-off-by: Konrad Rzeszutek Wilk +Signed-off-by: Sasha Levin +--- + drivers/firmware/Kconfig | 5 +++-- + drivers/firmware/iscsi_ibft.c | 4 ++++ + 2 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/firmware/Kconfig b/drivers/firmware/Kconfig +index 6e4ed5a9c6fdc..42c4ff75281be 100644 +--- a/drivers/firmware/Kconfig ++++ b/drivers/firmware/Kconfig +@@ -156,7 +156,7 @@ config DMI_SCAN_MACHINE_NON_EFI_FALLBACK + + config ISCSI_IBFT_FIND + bool "iSCSI Boot Firmware Table Attributes" +- depends on X86 && ACPI ++ depends on X86 && ISCSI_IBFT + default n + help + This option enables the kernel to find the region of memory +@@ -167,7 +167,8 @@ config ISCSI_IBFT_FIND + config ISCSI_IBFT + tristate "iSCSI Boot Firmware Table Attributes module" + select ISCSI_BOOT_SYSFS +- depends on ISCSI_IBFT_FIND && SCSI && SCSI_LOWLEVEL ++ select ISCSI_IBFT_FIND if X86 ++ depends on ACPI && SCSI && SCSI_LOWLEVEL + default n + help + This option enables support for detection and exposing of iSCSI +diff --git a/drivers/firmware/iscsi_ibft.c b/drivers/firmware/iscsi_ibft.c +index 132b9bae4b6aa..220bbc91cebdb 100644 +--- a/drivers/firmware/iscsi_ibft.c ++++ b/drivers/firmware/iscsi_ibft.c +@@ -93,6 +93,10 @@ MODULE_DESCRIPTION("sysfs interface to BIOS iBFT information"); + MODULE_LICENSE("GPL"); + MODULE_VERSION(IBFT_ISCSI_VERSION); + ++#ifndef CONFIG_ISCSI_IBFT_FIND ++struct acpi_table_ibft *ibft_addr; ++#endif ++ + struct ibft_hdr { + u8 id; + u8 version; +-- +2.20.1 + diff --git a/queue-4.14/mac80211-don-t-warn-about-cw-params-when-not-using-t.patch b/queue-4.14/mac80211-don-t-warn-about-cw-params-when-not-using-t.patch new file mode 100644 index 00000000000..795328e55df --- /dev/null +++ b/queue-4.14/mac80211-don-t-warn-about-cw-params-when-not-using-t.patch @@ -0,0 +1,52 @@ +From 3506377fdbf70770c1e85993dba8308115736ffd Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Wed, 17 Jul 2019 18:57:12 -0700 +Subject: mac80211: don't warn about CW params when not using them + +[ Upstream commit d2b3fe42bc629c2d4002f652b3abdfb2e72991c7 ] + +ieee80211_set_wmm_default() normally sets up the initial CW min/max for +each queue, except that it skips doing this if the driver doesn't +support ->conf_tx. We still end up calling drv_conf_tx() in some cases +(e.g., ieee80211_reconfig()), which also still won't do anything +useful...except it complains here about the invalid CW parameters. + +Let's just skip the WARN if we weren't going to do anything useful with +the parameters. + +Signed-off-by: Brian Norris +Link: https://lore.kernel.org/r/20190718015712.197499-1-briannorris@chromium.org +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/driver-ops.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/net/mac80211/driver-ops.c b/net/mac80211/driver-ops.c +index bb886e7db47f1..f783d1377d9a8 100644 +--- a/net/mac80211/driver-ops.c ++++ b/net/mac80211/driver-ops.c +@@ -169,11 +169,16 @@ int drv_conf_tx(struct ieee80211_local *local, + if (!check_sdata_in_driver(sdata)) + return -EIO; + +- if (WARN_ONCE(params->cw_min == 0 || +- params->cw_min > params->cw_max, +- "%s: invalid CW_min/CW_max: %d/%d\n", +- sdata->name, params->cw_min, params->cw_max)) ++ if (params->cw_min == 0 || params->cw_min > params->cw_max) { ++ /* ++ * If we can't configure hardware anyway, don't warn. We may ++ * never have initialized the CW parameters. ++ */ ++ WARN_ONCE(local->ops->conf_tx, ++ "%s: invalid CW_min/CW_max: %d/%d\n", ++ sdata->name, params->cw_min, params->cw_max); + return -EINVAL; ++ } + + trace_drv_conf_tx(local, sdata, ac, params); + if (local->ops->conf_tx) +-- +2.20.1 + diff --git a/queue-4.14/netfilter-fix-rpfilter-dropping-vrf-packets-by-mista.patch b/queue-4.14/netfilter-fix-rpfilter-dropping-vrf-packets-by-mista.patch new file mode 100644 index 00000000000..33d69a2afdf --- /dev/null +++ b/queue-4.14/netfilter-fix-rpfilter-dropping-vrf-packets-by-mista.patch @@ -0,0 +1,64 @@ +From e84cfa5285e9c5621124413bd8ac301eb3caeef3 Mon Sep 17 00:00:00 2001 +From: Miaohe Lin +Date: Tue, 2 Jul 2019 03:59:36 +0000 +Subject: netfilter: Fix rpfilter dropping vrf packets by mistake + +[ Upstream commit b575b24b8eee37f10484e951b62ce2a31c579775 ] + +When firewalld is enabled with ipv4/ipv6 rpfilter, vrf +ipv4/ipv6 packets will be dropped. Vrf device will pass +through netfilter hook twice. One with enslaved device +and another one with l3 master device. So in device may +dismatch witch out device because out device is always +enslaved device.So failed with the check of the rpfilter +and drop the packets by mistake. + +Signed-off-by: Miaohe Lin +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/ipv4/netfilter/ipt_rpfilter.c | 1 + + net/ipv6/netfilter/ip6t_rpfilter.c | 8 ++++++-- + 2 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/net/ipv4/netfilter/ipt_rpfilter.c b/net/ipv4/netfilter/ipt_rpfilter.c +index 37fb9552e8589..341d1bd637af2 100644 +--- a/net/ipv4/netfilter/ipt_rpfilter.c ++++ b/net/ipv4/netfilter/ipt_rpfilter.c +@@ -96,6 +96,7 @@ static bool rpfilter_mt(const struct sk_buff *skb, struct xt_action_param *par) + flow.flowi4_mark = info->flags & XT_RPFILTER_VALID_MARK ? skb->mark : 0; + flow.flowi4_tos = RT_TOS(iph->tos); + flow.flowi4_scope = RT_SCOPE_UNIVERSE; ++ flow.flowi4_oif = l3mdev_master_ifindex_rcu(xt_in(par)); + + return rpfilter_lookup_reverse(xt_net(par), &flow, xt_in(par), info->flags) ^ invert; + } +diff --git a/net/ipv6/netfilter/ip6t_rpfilter.c b/net/ipv6/netfilter/ip6t_rpfilter.c +index 40eb16bd97860..d535768bea0fd 100644 +--- a/net/ipv6/netfilter/ip6t_rpfilter.c ++++ b/net/ipv6/netfilter/ip6t_rpfilter.c +@@ -58,7 +58,9 @@ static bool rpfilter_lookup_reverse6(struct net *net, const struct sk_buff *skb, + if (rpfilter_addr_linklocal(&iph->saddr)) { + lookup_flags |= RT6_LOOKUP_F_IFACE; + fl6.flowi6_oif = dev->ifindex; +- } else if ((flags & XT_RPFILTER_LOOSE) == 0) ++ /* Set flowi6_oif for vrf devices to lookup route in l3mdev domain. */ ++ } else if (netif_is_l3_master(dev) || netif_is_l3_slave(dev) || ++ (flags & XT_RPFILTER_LOOSE) == 0) + fl6.flowi6_oif = dev->ifindex; + + rt = (void *) ip6_route_lookup(net, &fl6, lookup_flags); +@@ -73,7 +75,9 @@ static bool rpfilter_lookup_reverse6(struct net *net, const struct sk_buff *skb, + goto out; + } + +- if (rt->rt6i_idev->dev == dev || (flags & XT_RPFILTER_LOOSE)) ++ if (rt->rt6i_idev->dev == dev || ++ l3mdev_master_ifindex_rcu(rt->rt6i_idev->dev) == dev->ifindex || ++ (flags & XT_RPFILTER_LOOSE)) + ret = true; + out: + ip6_rt_put(rt); +-- +2.20.1 + diff --git a/queue-4.14/netfilter-nfnetlink-avoid-deadlock-due-to-synchronou.patch b/queue-4.14/netfilter-nfnetlink-avoid-deadlock-due-to-synchronou.patch new file mode 100644 index 00000000000..cad870114b7 --- /dev/null +++ b/queue-4.14/netfilter-nfnetlink-avoid-deadlock-due-to-synchronou.patch @@ -0,0 +1,75 @@ +From 3ef6970d22f10f4c0e5f2961563c01284e641be1 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Tue, 2 Jul 2019 21:41:40 +0200 +Subject: netfilter: nfnetlink: avoid deadlock due to synchronous + request_module + +[ Upstream commit 1b0890cd60829bd51455dc5ad689ed58c4408227 ] + +Thomas and Juliana report a deadlock when running: + +(rmmod nf_conntrack_netlink/xfrm_user) + + conntrack -e NEW -E & + modprobe -v xfrm_user + +They provided following analysis: + +conntrack -e NEW -E + netlink_bind() + netlink_lock_table() -> increases "nl_table_users" + nfnetlink_bind() + # does not unlock the table as it's locked by netlink_bind() + __request_module() + call_usermodehelper_exec() + +This triggers "modprobe nf_conntrack_netlink" from kernel, netlink_bind() +won't return until modprobe process is done. + +"modprobe xfrm_user": + xfrm_user_init() + register_pernet_subsys() + -> grab pernet_ops_rwsem + .. + netlink_table_grab() + calls schedule() as "nl_table_users" is non-zero + +so modprobe is blocked because netlink_bind() increased +nl_table_users while also holding pernet_ops_rwsem. + +"modprobe nf_conntrack_netlink" runs and inits nf_conntrack_netlink: + ctnetlink_init() + register_pernet_subsys() + -> blocks on "pernet_ops_rwsem" thanks to xfrm_user module + +both modprobe processes wait on one another -- neither can make +progress. + +Switch netlink_bind() to "nowait" modprobe -- this releases the netlink +table lock, which then allows both modprobe instances to complete. + +Reported-by: Thomas Jarosch +Reported-by: Juliana Rodrigueiro +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nfnetlink.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c +index 733d3e4a30d85..2cee032af46d2 100644 +--- a/net/netfilter/nfnetlink.c ++++ b/net/netfilter/nfnetlink.c +@@ -530,7 +530,7 @@ static int nfnetlink_bind(struct net *net, int group) + ss = nfnetlink_get_subsys(type << 8); + rcu_read_unlock(); + if (!ss) +- request_module("nfnetlink-subsys-%d", type); ++ request_module_nowait("nfnetlink-subsys-%d", type); + return 0; + } + #endif +-- +2.20.1 + diff --git a/queue-4.14/netfilter-nft_hash-fix-symhash-with-modulus-one.patch b/queue-4.14/netfilter-nft_hash-fix-symhash-with-modulus-one.patch new file mode 100644 index 00000000000..1550b0aa58e --- /dev/null +++ b/queue-4.14/netfilter-nft_hash-fix-symhash-with-modulus-one.patch @@ -0,0 +1,39 @@ +From 1df23976c114a84fb405ea45a39391e418c43939 Mon Sep 17 00:00:00 2001 +From: Laura Garcia Liebana +Date: Mon, 15 Jul 2019 13:23:37 +0200 +Subject: netfilter: nft_hash: fix symhash with modulus one + +[ Upstream commit 28b1d6ef53e3303b90ca8924bb78f31fa527cafb ] + +The rule below doesn't work as the kernel raises -ERANGE. + +nft add rule netdev nftlb lb01 ip daddr set \ + symhash mod 1 map { 0 : 192.168.0.10 } fwd to "eth0" + +This patch allows to use the symhash modulus with one +element, in the same way that the other types of hashes and +algorithms that uses the modulus parameter. + +Signed-off-by: Laura Garcia Liebana +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_hash.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/nft_hash.c b/net/netfilter/nft_hash.c +index 24f2f7567ddb7..010a565b40001 100644 +--- a/net/netfilter/nft_hash.c ++++ b/net/netfilter/nft_hash.c +@@ -131,7 +131,7 @@ static int nft_symhash_init(const struct nft_ctx *ctx, + priv->dreg = nft_parse_register(tb[NFTA_HASH_DREG]); + + priv->modulus = ntohl(nla_get_be32(tb[NFTA_HASH_MODULUS])); +- if (priv->modulus <= 1) ++ if (priv->modulus < 1) + return -ERANGE; + + if (priv->offset + priv->modulus - 1 < priv->offset) +-- +2.20.1 + diff --git a/queue-4.14/perf-core-fix-creating-kernel-counters-for-pmus-that.patch b/queue-4.14/perf-core-fix-creating-kernel-counters-for-pmus-that.patch new file mode 100644 index 00000000000..497e58a25d1 --- /dev/null +++ b/queue-4.14/perf-core-fix-creating-kernel-counters-for-pmus-that.patch @@ -0,0 +1,61 @@ +From 0198246ed3f6efeff30005e32577733769817c8b Mon Sep 17 00:00:00 2001 +From: Leonard Crestez +Date: Wed, 24 Jul 2019 15:53:24 +0300 +Subject: perf/core: Fix creating kernel counters for PMUs that override + event->cpu + +[ Upstream commit 4ce54af8b33d3e21ca935fc1b89b58cbba956051 ] + +Some hardware PMU drivers will override perf_event.cpu inside their +event_init callback. This causes a lockdep splat when initialized through +the kernel API: + + WARNING: CPU: 0 PID: 250 at kernel/events/core.c:2917 ctx_sched_out+0x78/0x208 + pc : ctx_sched_out+0x78/0x208 + Call trace: + ctx_sched_out+0x78/0x208 + __perf_install_in_context+0x160/0x248 + remote_function+0x58/0x68 + generic_exec_single+0x100/0x180 + smp_call_function_single+0x174/0x1b8 + perf_install_in_context+0x178/0x188 + perf_event_create_kernel_counter+0x118/0x160 + +Fix this by calling perf_install_in_context with event->cpu, just like +perf_event_open + +Signed-off-by: Leonard Crestez +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Mark Rutland +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Frank Li +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: Will Deacon +Link: https://lkml.kernel.org/r/c4ebe0503623066896d7046def4d6b1e06e0eb2e.1563972056.git.leonard.crestez@nxp.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + kernel/events/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index 3d4eb6f840eba..ea4f3f7a0c6f3 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -10474,7 +10474,7 @@ perf_event_create_kernel_counter(struct perf_event_attr *attr, int cpu, + goto err_unlock; + } + +- perf_install_in_context(ctx, event, cpu); ++ perf_install_in_context(ctx, event, event->cpu); + perf_unpin_context(ctx); + mutex_unlock(&ctx->mutex); + +-- +2.20.1 + diff --git a/queue-4.14/perf-probe-avoid-calling-freeing-routine-multiple-ti.patch b/queue-4.14/perf-probe-avoid-calling-freeing-routine-multiple-ti.patch new file mode 100644 index 00000000000..0fd5d36cfce --- /dev/null +++ b/queue-4.14/perf-probe-avoid-calling-freeing-routine-multiple-ti.patch @@ -0,0 +1,50 @@ +From 956582edfa97677ebf180aa15ae68fed23bc5907 Mon Sep 17 00:00:00 2001 +From: Arnaldo Carvalho de Melo +Date: Thu, 18 Jul 2019 11:28:37 -0300 +Subject: perf probe: Avoid calling freeing routine multiple times for same + pointer + +[ Upstream commit d95daf5accf4a72005daa13fbb1d1bd8709f2861 ] + +When perf_add_probe_events() we call cleanup_perf_probe_events() for the +pev pointer it receives, then, as part of handling this failure the main +'perf probe' goes on and calls cleanup_params() and that will again call +cleanup_perf_probe_events()for the same pointer, so just set nevents to +zero when handling the failure of perf_add_probe_events() to avoid the +double free. + +Cc: Adrian Hunter +Cc: Jiri Olsa +Cc: Masami Hiramatsu +Cc: Namhyung Kim +Link: https://lkml.kernel.org/n/tip-x8qgma4g813z96dvtw9w219q@git.kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-probe.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/tools/perf/builtin-probe.c b/tools/perf/builtin-probe.c +index c0065923a525f..e1ac51aaedcff 100644 +--- a/tools/perf/builtin-probe.c ++++ b/tools/perf/builtin-probe.c +@@ -712,6 +712,16 @@ __cmd_probe(int argc, const char **argv) + + ret = perf_add_probe_events(params.events, params.nevents); + if (ret < 0) { ++ ++ /* ++ * When perf_add_probe_events() fails it calls ++ * cleanup_perf_probe_events(pevs, npevs), i.e. ++ * cleanup_perf_probe_events(params.events, params.nevents), which ++ * will call clear_perf_probe_event(), so set nevents to zero ++ * to avoid cleanup_params() to call clear_perf_probe_event() again ++ * on the same pevs. ++ */ ++ params.nevents = 0; + pr_err_with_code(" Error: Failed to add events.", ret); + return ret; + } +-- +2.20.1 + diff --git a/queue-4.14/perf-tools-fix-proper-buffer-size-for-feature-proces.patch b/queue-4.14/perf-tools-fix-proper-buffer-size-for-feature-proces.patch new file mode 100644 index 00000000000..6d1f2d63016 --- /dev/null +++ b/queue-4.14/perf-tools-fix-proper-buffer-size-for-feature-proces.patch @@ -0,0 +1,50 @@ +From a7659353ba65c2a14f7bd4f120448c0f359d67fd Mon Sep 17 00:00:00 2001 +From: Jiri Olsa +Date: Mon, 15 Jul 2019 16:04:26 +0200 +Subject: perf tools: Fix proper buffer size for feature processing + +[ Upstream commit 79b2fe5e756163897175a8f57d66b26cd9befd59 ] + +After Song Liu's segfault fix for pipe mode, Arnaldo reported following +error: + + # perf record -o - | perf script + 0x514 [0x1ac]: failed to process type: 80 + +It's caused by wrong buffer size setup in feature processing, which +makes cpu topology feature fail, because it's using buffer size to +recognize its header version. + +Reported-by: Arnaldo Carvalho de Melo +Signed-off-by: Jiri Olsa +Tested-by: Arnaldo Carvalho de Melo +Cc: Alexander Shishkin +Cc: David Carrillo-Cisneros +Cc: Kan Liang +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Song Liu +Fixes: e9def1b2e74e ("perf tools: Add feature header record to pipe-mode") +Link: http://lkml.kernel.org/r/20190715140426.32509-1-jolsa@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/header.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c +index 26437143c9406..c892a28e7b048 100644 +--- a/tools/perf/util/header.c ++++ b/tools/perf/util/header.c +@@ -3081,7 +3081,7 @@ int perf_event__process_feature(struct perf_tool *tool, + return 0; + + ff.buf = (void *)fe->data; +- ff.size = event->header.size - sizeof(event->header); ++ ff.size = event->header.size - sizeof(*fe); + ff.ph = &session->header; + + if (feat_ops[feat].process(&ff, NULL)) +-- +2.20.1 + diff --git a/queue-4.14/s390-qdio-add-sanity-checks-to-the-fast-requeue-path.patch b/queue-4.14/s390-qdio-add-sanity-checks-to-the-fast-requeue-path.patch new file mode 100644 index 00000000000..83b950c7ed5 --- /dev/null +++ b/queue-4.14/s390-qdio-add-sanity-checks-to-the-fast-requeue-path.patch @@ -0,0 +1,50 @@ +From a553c7399e415a1cc52d89606d58ee1621494fa2 Mon Sep 17 00:00:00 2001 +From: Julian Wiedmann +Date: Thu, 11 Jul 2019 18:17:36 +0200 +Subject: s390/qdio: add sanity checks to the fast-requeue path + +[ Upstream commit a6ec414a4dd529eeac5c3ea51c661daba3397108 ] + +If the device driver were to send out a full queue's worth of SBALs, +current code would end up discovering the last of those SBALs as PRIMED +and erroneously skip the SIGA-w. This immediately stalls the queue. + +Add a check to not attempt fast-requeue in this case. While at it also +make sure that the state of the previous SBAL was successfully extracted +before inspecting it. + +Signed-off-by: Julian Wiedmann +Reviewed-by: Jens Remus +Signed-off-by: Heiko Carstens +Signed-off-by: Sasha Levin +--- + drivers/s390/cio/qdio_main.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/s390/cio/qdio_main.c b/drivers/s390/cio/qdio_main.c +index ab8dd81fbc2b1..1a40c73961b83 100644 +--- a/drivers/s390/cio/qdio_main.c ++++ b/drivers/s390/cio/qdio_main.c +@@ -1577,13 +1577,13 @@ static int handle_outbound(struct qdio_q *q, unsigned int callflags, + rc = qdio_kick_outbound_q(q, phys_aob); + } else if (need_siga_sync(q)) { + rc = qdio_siga_sync_q(q); ++ } else if (count < QDIO_MAX_BUFFERS_PER_Q && ++ get_buf_state(q, prev_buf(bufnr), &state, 0) > 0 && ++ state == SLSB_CU_OUTPUT_PRIMED) { ++ /* The previous buffer is not processed yet, tack on. */ ++ qperf_inc(q, fast_requeue); + } else { +- /* try to fast requeue buffers */ +- get_buf_state(q, prev_buf(bufnr), &state, 0); +- if (state != SLSB_CU_OUTPUT_PRIMED) +- rc = qdio_kick_outbound_q(q, 0); +- else +- qperf_inc(q, fast_requeue); ++ rc = qdio_kick_outbound_q(q, 0); + } + + /* in case of SIGA errors we must process the error immediately */ +-- +2.20.1 + diff --git a/queue-4.14/scripts-sphinx-pre-install-fix-script-for-rhel-cento.patch b/queue-4.14/scripts-sphinx-pre-install-fix-script-for-rhel-cento.patch new file mode 100644 index 00000000000..7fdd3882639 --- /dev/null +++ b/queue-4.14/scripts-sphinx-pre-install-fix-script-for-rhel-cento.patch @@ -0,0 +1,34 @@ +From c9ccd5f026a688f0806bb653026db8168dd14b1d Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab +Date: Sat, 13 Jul 2019 08:50:24 -0300 +Subject: scripts/sphinx-pre-install: fix script for RHEL/CentOS + +[ Upstream commit b308467c916aa7acc5069802ab76a9f657434701 ] + +There's a missing parenthesis at the script, with causes it to +fail to detect non-Fedora releases (e. g. RHEL/CentOS). + +Tested with Centos 7.6.1810. + +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + scripts/sphinx-pre-install | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/scripts/sphinx-pre-install b/scripts/sphinx-pre-install +index 067459760a7b0..3524dbc313163 100755 +--- a/scripts/sphinx-pre-install ++++ b/scripts/sphinx-pre-install +@@ -301,7 +301,7 @@ sub give_redhat_hints() + # + # Checks valid for RHEL/CentOS version 7.x. + # +- if (! $system_release =~ /Fedora/) { ++ if (!($system_release =~ /Fedora/)) { + $map{"virtualenv"} = "python-virtualenv"; + } + +-- +2.20.1 + diff --git a/queue-4.14/scsi-ibmvfc-fix-warn_on-during-event-pool-release.patch b/queue-4.14/scsi-ibmvfc-fix-warn_on-during-event-pool-release.patch new file mode 100644 index 00000000000..15c595b2364 --- /dev/null +++ b/queue-4.14/scsi-ibmvfc-fix-warn_on-during-event-pool-release.patch @@ -0,0 +1,73 @@ +From 53d7bb2df83cd3e7cbe2d9de959dccb2606b04bb Mon Sep 17 00:00:00 2001 +From: Tyrel Datwyler +Date: Wed, 17 Jul 2019 14:48:27 -0500 +Subject: scsi: ibmvfc: fix WARN_ON during event pool release + +[ Upstream commit 5578257ca0e21056821e6481bd534ba267b84e58 ] + +While removing an ibmvfc client adapter a WARN_ON like the following +WARN_ON is seen in the kernel log: + +WARNING: CPU: 6 PID: 5421 at ./include/linux/dma-mapping.h:541 +ibmvfc_free_event_pool+0x12c/0x1f0 [ibmvfc] +CPU: 6 PID: 5421 Comm: rmmod Tainted: G E 4.17.0-rc1-next-20180419-autotest #1 +NIP: d00000000290328c LR: d00000000290325c CTR: c00000000036ee20 +REGS: c000000288d1b7e0 TRAP: 0700 Tainted: G E (4.17.0-rc1-next-20180419-autotest) +MSR: 800000010282b033 CR: 44008828 XER: 20000000 +CFAR: c00000000036e408 SOFTE: 1 +GPR00: d00000000290325c c000000288d1ba60 d000000002917900 c000000289d75448 +GPR04: 0000000000000071 c0000000ff870000 0000000018040000 0000000000000001 +GPR08: 0000000000000000 c00000000156e838 0000000000000001 d00000000290c640 +GPR12: c00000000036ee20 c00000001ec4dc00 0000000000000000 0000000000000000 +GPR16: 0000000000000000 0000000000000000 00000100276901e0 0000000010020598 +GPR20: 0000000010020550 0000000010020538 0000000010020578 00000000100205b0 +GPR24: 0000000000000000 0000000000000000 0000000010020590 5deadbeef0000100 +GPR28: 5deadbeef0000200 d000000002910b00 0000000000000071 c0000002822f87d8 +NIP [d00000000290328c] ibmvfc_free_event_pool+0x12c/0x1f0 [ibmvfc] +LR [d00000000290325c] ibmvfc_free_event_pool+0xfc/0x1f0 [ibmvfc] +Call Trace: +[c000000288d1ba60] [d00000000290325c] ibmvfc_free_event_pool+0xfc/0x1f0 [ibmvfc] (unreliable) +[c000000288d1baf0] [d000000002909390] ibmvfc_abort_task_set+0x7b0/0x8b0 [ibmvfc] +[c000000288d1bb70] [c0000000000d8c68] vio_bus_remove+0x68/0x100 +[c000000288d1bbb0] [c0000000007da7c4] device_release_driver_internal+0x1f4/0x2d0 +[c000000288d1bc00] [c0000000007da95c] driver_detach+0x7c/0x100 +[c000000288d1bc40] [c0000000007d8af4] bus_remove_driver+0x84/0x140 +[c000000288d1bcb0] [c0000000007db6ac] driver_unregister+0x4c/0xa0 +[c000000288d1bd20] [c0000000000d6e7c] vio_unregister_driver+0x2c/0x50 +[c000000288d1bd50] [d00000000290ba0c] cleanup_module+0x24/0x15e0 [ibmvfc] +[c000000288d1bd70] [c0000000001dadb0] sys_delete_module+0x220/0x2d0 +[c000000288d1be30] [c00000000000b284] system_call+0x58/0x6c +Instruction dump: +e8410018 e87f0068 809f0078 e8bf0080 e8df0088 2fa30000 419e008c e9230200 +2fa90000 419e0080 894d098a 794a07e0 <0b0a0000> e9290008 2fa90000 419e0028 + +This is tripped as a result of irqs being disabled during the call to +dma_free_coherent() by ibmvfc_free_event_pool(). At this point in the code path +we have quiesced the adapter and its overly paranoid anyways to be holding the +host lock. + +Reported-by: Abdul Haleem +Signed-off-by: Tyrel Datwyler +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ibmvscsi/ibmvfc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/ibmvscsi/ibmvfc.c b/drivers/scsi/ibmvscsi/ibmvfc.c +index a06b24a61622c..34612add3829f 100644 +--- a/drivers/scsi/ibmvscsi/ibmvfc.c ++++ b/drivers/scsi/ibmvscsi/ibmvfc.c +@@ -4876,8 +4876,8 @@ static int ibmvfc_remove(struct vio_dev *vdev) + + spin_lock_irqsave(vhost->host->host_lock, flags); + ibmvfc_purge_requests(vhost, DID_ERROR); +- ibmvfc_free_event_pool(vhost); + spin_unlock_irqrestore(vhost->host->host_lock, flags); ++ ibmvfc_free_event_pool(vhost); + + ibmvfc_free_mem(vhost); + spin_lock(&ibmvfc_driver_lock); +-- +2.20.1 + diff --git a/queue-4.14/scsi-megaraid_sas-fix-panic-on-loading-firmware-cras.patch b/queue-4.14/scsi-megaraid_sas-fix-panic-on-loading-firmware-cras.patch new file mode 100644 index 00000000000..61a3a7bcd1e --- /dev/null +++ b/queue-4.14/scsi-megaraid_sas-fix-panic-on-loading-firmware-cras.patch @@ -0,0 +1,43 @@ +From 4e8a7b6587f733d654f34f838663f39d3a585662 Mon Sep 17 00:00:00 2001 +From: Junxiao Bi +Date: Mon, 22 Jul 2019 09:15:24 -0700 +Subject: scsi: megaraid_sas: fix panic on loading firmware crashdump + +[ Upstream commit 3b5f307ef3cb5022bfe3c8ca5b8f2114d5bf6c29 ] + +While loading fw crashdump in function fw_crash_buffer_show(), left bytes +in one dma chunk was not checked, if copying size over it, overflow access +will cause kernel panic. + +Signed-off-by: Junxiao Bi +Acked-by: Sumit Saxena +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/megaraid/megaraid_sas_base.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c +index 73acd3e9ded75..8595d83229b77 100644 +--- a/drivers/scsi/megaraid/megaraid_sas_base.c ++++ b/drivers/scsi/megaraid/megaraid_sas_base.c +@@ -2976,6 +2976,7 @@ megasas_fw_crash_buffer_show(struct device *cdev, + u32 size; + unsigned long buff_addr; + unsigned long dmachunk = CRASH_DMA_BUF_SIZE; ++ unsigned long chunk_left_bytes; + unsigned long src_addr; + unsigned long flags; + u32 buff_offset; +@@ -3001,6 +3002,8 @@ megasas_fw_crash_buffer_show(struct device *cdev, + } + + size = (instance->fw_crash_buffer_size * dmachunk) - buff_offset; ++ chunk_left_bytes = dmachunk - (buff_offset % dmachunk); ++ size = (size > chunk_left_bytes) ? chunk_left_bytes : size; + size = (size >= PAGE_SIZE) ? (PAGE_SIZE - 1) : size; + + src_addr = (unsigned long)instance->crash_buf[buff_offset / dmachunk] + +-- +2.20.1 + diff --git a/queue-4.14/scsi-scsi_dh_alua-always-use-a-2-second-delay-before.patch b/queue-4.14/scsi-scsi_dh_alua-always-use-a-2-second-delay-before.patch new file mode 100644 index 00000000000..4a90a7b5aa7 --- /dev/null +++ b/queue-4.14/scsi-scsi_dh_alua-always-use-a-2-second-delay-before.patch @@ -0,0 +1,61 @@ +From aba40631eca508858cf4b2c983eec0493029e724 Mon Sep 17 00:00:00 2001 +From: Hannes Reinecke +Date: Fri, 12 Jul 2019 08:53:47 +0200 +Subject: scsi: scsi_dh_alua: always use a 2 second delay before retrying RTPG + +[ Upstream commit 20122994e38aef0ae50555884d287adde6641c94 ] + +Retrying immediately after we've received a 'transitioning' sense code is +pretty much pointless, we should always use a delay before retrying. So +ensure the default delay is applied before retrying. + +Signed-off-by: Hannes Reinecke +Tested-by: Zhangguanghui +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/device_handler/scsi_dh_alua.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/device_handler/scsi_dh_alua.c b/drivers/scsi/device_handler/scsi_dh_alua.c +index 09c6a16fab93f..41f5f64101630 100644 +--- a/drivers/scsi/device_handler/scsi_dh_alua.c ++++ b/drivers/scsi/device_handler/scsi_dh_alua.c +@@ -53,6 +53,7 @@ + #define ALUA_FAILOVER_TIMEOUT 60 + #define ALUA_FAILOVER_RETRIES 5 + #define ALUA_RTPG_DELAY_MSECS 5 ++#define ALUA_RTPG_RETRY_DELAY 2 + + /* device handler flags */ + #define ALUA_OPTIMIZE_STPG 0x01 +@@ -677,7 +678,7 @@ static int alua_rtpg(struct scsi_device *sdev, struct alua_port_group *pg) + case SCSI_ACCESS_STATE_TRANSITIONING: + if (time_before(jiffies, pg->expiry)) { + /* State transition, retry */ +- pg->interval = 2; ++ pg->interval = ALUA_RTPG_RETRY_DELAY; + err = SCSI_DH_RETRY; + } else { + struct alua_dh_data *h; +@@ -802,6 +803,8 @@ static void alua_rtpg_work(struct work_struct *work) + spin_lock_irqsave(&pg->lock, flags); + pg->flags &= ~ALUA_PG_RUNNING; + pg->flags |= ALUA_PG_RUN_RTPG; ++ if (!pg->interval) ++ pg->interval = ALUA_RTPG_RETRY_DELAY; + spin_unlock_irqrestore(&pg->lock, flags); + queue_delayed_work(kaluad_wq, &pg->rtpg_work, + pg->interval * HZ); +@@ -813,6 +816,8 @@ static void alua_rtpg_work(struct work_struct *work) + spin_lock_irqsave(&pg->lock, flags); + if (err == SCSI_DH_RETRY || pg->flags & ALUA_PG_RUN_RTPG) { + pg->flags &= ~ALUA_PG_RUNNING; ++ if (!pg->interval && !(pg->flags & ALUA_PG_RUN_RTPG)) ++ pg->interval = ALUA_RTPG_RETRY_DELAY; + pg->flags |= ALUA_PG_RUN_RTPG; + spin_unlock_irqrestore(&pg->lock, flags); + queue_delayed_work(kaluad_wq, &pg->rtpg_work, +-- +2.20.1 + diff --git a/queue-4.14/series b/queue-4.14/series index 11521277fe0..ce95e48012d 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -22,3 +22,29 @@ usb-host-xhci-rcar-fix-timeout-in-xhci_suspend.patch usb-yurex-fix-use-after-free-in-yurex_delete.patch can-rcar_canfd-fix-possible-irq-storm-on-high-load.patch can-peak_usb-fix-potential-double-kfree_skb.patch +netfilter-nfnetlink-avoid-deadlock-due-to-synchronou.patch +vfio-ccw-set-pa_nr-to-0-if-memory-allocation-fails-f.patch +netfilter-fix-rpfilter-dropping-vrf-packets-by-mista.patch +netfilter-nft_hash-fix-symhash-with-modulus-one.patch +scripts-sphinx-pre-install-fix-script-for-rhel-cento.patch +iscsi_ibft-make-iscsi_ibft-dependson-acpi-instead-of.patch +mac80211-don-t-warn-about-cw-params-when-not-using-t.patch +hwmon-nct6775-fix-register-address-and-added-missed-.patch +drm-silence-variable-conn-set-but-not-used.patch +cpufreq-pasemi-fix-use-after-free-in-pas_cpufreq_cpu.patch +s390-qdio-add-sanity-checks-to-the-fast-requeue-path.patch +alsa-compress-fix-regression-on-compressed-capture-s.patch +alsa-compress-prevent-bypasses-of-set_params.patch +alsa-compress-don-t-allow-paritial-drain-operations-.patch +alsa-compress-be-more-restrictive-about-when-a-drain.patch +perf-tools-fix-proper-buffer-size-for-feature-proces.patch +perf-probe-avoid-calling-freeing-routine-multiple-ti.patch +drbd-dynamically-allocate-shash-descriptor.patch +acpi-iort-fix-off-by-one-check-in-iort_dev_find_its_.patch +arm-davinci-fix-sleep.s-build-error-on-armv4.patch +scsi-megaraid_sas-fix-panic-on-loading-firmware-cras.patch +scsi-ibmvfc-fix-warn_on-during-event-pool-release.patch +scsi-scsi_dh_alua-always-use-a-2-second-delay-before.patch +test_firmware-fix-a-memory-leak-bug.patch +tty-ldsem-locking-rwsem-add-missing-acquire-to-read_.patch +perf-core-fix-creating-kernel-counters-for-pmus-that.patch diff --git a/queue-4.14/test_firmware-fix-a-memory-leak-bug.patch b/queue-4.14/test_firmware-fix-a-memory-leak-bug.patch new file mode 100644 index 00000000000..c7170385fb2 --- /dev/null +++ b/queue-4.14/test_firmware-fix-a-memory-leak-bug.patch @@ -0,0 +1,46 @@ +From bd99f85135b8267dd8a8df8671bb5ac6ae1e228d Mon Sep 17 00:00:00 2001 +From: Wenwen Wang +Date: Sun, 14 Jul 2019 01:11:35 -0500 +Subject: test_firmware: fix a memory leak bug + +[ Upstream commit d4fddac5a51c378c5d3e68658816c37132611e1f ] + +In test_firmware_init(), the buffer pointed to by the global pointer +'test_fw_config' is allocated through kzalloc(). Then, the buffer is +initialized in __test_firmware_config_init(). In the case that the +initialization fails, the following execution in test_firmware_init() needs +to be terminated with an error code returned to indicate this failure. +However, the allocated buffer is not freed on this execution path, leading +to a memory leak bug. + +To fix the above issue, free the allocated buffer before returning from +test_firmware_init(). + +Signed-off-by: Wenwen Wang +Link: https://lore.kernel.org/r/1563084696-6865-1-git-send-email-wang6495@umn.edu +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + lib/test_firmware.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/lib/test_firmware.c b/lib/test_firmware.c +index f978aebe60c5b..2e5e18bbfd28e 100644 +--- a/lib/test_firmware.c ++++ b/lib/test_firmware.c +@@ -895,8 +895,11 @@ static int __init test_firmware_init(void) + return -ENOMEM; + + rc = __test_firmware_config_init(); +- if (rc) ++ if (rc) { ++ kfree(test_fw_config); ++ pr_err("could not init firmware test config: %d\n", rc); + return rc; ++ } + + rc = misc_register(&test_fw_misc_device); + if (rc) { +-- +2.20.1 + diff --git a/queue-4.14/tty-ldsem-locking-rwsem-add-missing-acquire-to-read_.patch b/queue-4.14/tty-ldsem-locking-rwsem-add-missing-acquire-to-read_.patch new file mode 100644 index 00000000000..ffbf3dccd7c --- /dev/null +++ b/queue-4.14/tty-ldsem-locking-rwsem-add-missing-acquire-to-read_.patch @@ -0,0 +1,75 @@ +From 2fa54267b282ea162f636592519ce666dd1ef9a3 Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Thu, 18 Jul 2019 15:03:15 +0200 +Subject: tty/ldsem, locking/rwsem: Add missing ACQUIRE to read_failed sleep + loop + +[ Upstream commit 952041a8639a7a3a73a2b6573cb8aa8518bc39f8 ] + +While reviewing rwsem down_slowpath, Will noticed ldsem had a copy of +a bug we just found for rwsem. + + X = 0; + + CPU0 CPU1 + + rwsem_down_read() + for (;;) { + set_current_state(TASK_UNINTERRUPTIBLE); + + X = 1; + rwsem_up_write(); + rwsem_mark_wake() + atomic_long_add(adjustment, &sem->count); + smp_store_release(&waiter->task, NULL); + + if (!waiter.task) + break; + + ... + } + + r = X; + +Allows 'r == 0'. + +Reported-by: Will Deacon +Signed-off-by: Peter Zijlstra (Intel) +Acked-by: Will Deacon +Cc: Linus Torvalds +Cc: Peter Hurley +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Fixes: 4898e640caf0 ("tty: Add timed, writer-prioritized rw semaphore") +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + drivers/tty/tty_ldsem.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/tty/tty_ldsem.c b/drivers/tty/tty_ldsem.c +index 5c2cec298816b..c6ce34161281a 100644 +--- a/drivers/tty/tty_ldsem.c ++++ b/drivers/tty/tty_ldsem.c +@@ -139,8 +139,7 @@ static void __ldsem_wake_readers(struct ld_semaphore *sem) + + list_for_each_entry_safe(waiter, next, &sem->read_wait, list) { + tsk = waiter->task; +- smp_mb(); +- waiter->task = NULL; ++ smp_store_release(&waiter->task, NULL); + wake_up_process(tsk); + put_task_struct(tsk); + } +@@ -235,7 +234,7 @@ down_read_failed(struct ld_semaphore *sem, long count, long timeout) + for (;;) { + set_current_state(TASK_UNINTERRUPTIBLE); + +- if (!waiter.task) ++ if (!smp_load_acquire(&waiter.task)) + break; + if (!timeout) + break; +-- +2.20.1 + diff --git a/queue-4.14/vfio-ccw-set-pa_nr-to-0-if-memory-allocation-fails-f.patch b/queue-4.14/vfio-ccw-set-pa_nr-to-0-if-memory-allocation-fails-f.patch new file mode 100644 index 00000000000..c31c1223120 --- /dev/null +++ b/queue-4.14/vfio-ccw-set-pa_nr-to-0-if-memory-allocation-fails-f.patch @@ -0,0 +1,39 @@ +From 6c9df4ac5b88ca1fd244f46db3fa571c372ce921 Mon Sep 17 00:00:00 2001 +From: Farhan Ali +Date: Thu, 11 Jul 2019 10:28:53 -0400 +Subject: vfio-ccw: Set pa_nr to 0 if memory allocation fails for pa_iova_pfn + +[ Upstream commit c1ab69268d124ebdbb3864580808188ccd3ea355 ] + +So we don't call try to call vfio_unpin_pages() incorrectly. + +Fixes: 0a19e61e6d4c ("vfio: ccw: introduce channel program interfaces") +Signed-off-by: Farhan Ali +Reviewed-by: Eric Farman +Reviewed-by: Cornelia Huck +Message-Id: <33a89467ad6369196ae6edf820cbcb1e2d8d050c.1562854091.git.alifm@linux.ibm.com> +Signed-off-by: Cornelia Huck +Signed-off-by: Sasha Levin +--- + drivers/s390/cio/vfio_ccw_cp.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/s390/cio/vfio_ccw_cp.c b/drivers/s390/cio/vfio_ccw_cp.c +index 1419eaea03d84..5a9e457caef33 100644 +--- a/drivers/s390/cio/vfio_ccw_cp.c ++++ b/drivers/s390/cio/vfio_ccw_cp.c +@@ -119,8 +119,10 @@ static int pfn_array_alloc_pin(struct pfn_array *pa, struct device *mdev, + sizeof(*pa->pa_iova_pfn) + + sizeof(*pa->pa_pfn), + GFP_KERNEL); +- if (unlikely(!pa->pa_iova_pfn)) ++ if (unlikely(!pa->pa_iova_pfn)) { ++ pa->pa_nr = 0; + return -ENOMEM; ++ } + pa->pa_pfn = pa->pa_iova_pfn + pa->pa_nr; + + ret = pfn_array_pin(pa, mdev); +-- +2.20.1 +