From: Greg Kroah-Hartman Date: Wed, 13 Feb 2019 14:08:13 +0000 (+0100) Subject: 4.20-stable patches X-Git-Tag: v4.9.157~16 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fdce43862b891ce7d88a6d536ec2f4f33e4c88be;p=thirdparty%2Fkernel%2Fstable-queue.git 4.20-stable patches added patches: arm-dts-da850-fix-interrupt-numbers-for-clocksource.patch arm-iop32x-n2100-fix-pci-irq-mapping.patch arm-tango-improve-arch_multiplatform-compatibility.patch drm-amd-powerplay-fix-missing-break-in-switch.patch drm-i915-always-return-something-on-ddi-clock-selection.patch drm-modes-prevent-division-by-zero-htotal.patch drm-rockchip-rgb-update-spdx-license-identifier.patch drm-vmwgfx-fix-an-uninitialized-fence-handle-value.patch drm-vmwgfx-fix-setting-of-dma-masks.patch drm-vmwgfx-return-error-code-from-vmw_execbuf_copy_fence_user.patch firmware-arm_scmi-provide-the-mandatory-device-release-callback.patch mac80211-ensure-that-mgmt-tx-skbs-have-tailroom-for-encryption.patch mic-vop-fix-use-after-free-on-remove.patch mips-cm-reprime-error-cause.patch mips-loongson64-remove-unreachable-fix-loongson_poweroff.patch mips-octeon-don-t-set-octeon_dma_bar_type-if-pci-is-disabled.patch mips-use-lower-case-for-addresses-in-nexys4ddr.dts.patch mips-vdso-include-ccflags-vdso-in-o32-n32-.lds-builds.patch mips-vdso-use-same-m-float-cflag-as-the-kernel-proper.patch pinctrl-cherryview-fix-strago-dmi-workaround.patch pinctrl-sunxi-correct-number-of-irq-banks-on-h6-main-pin-controller.patch powerpc-papr_scm-use-the-correct-bind-address.patch powerpc-radix-fix-kernel-crash-with-mremap.patch svcrdma-remove-max_sge-check-at-connect-time.patch tracing-uprobes-fix-output-for-multiple-string-arguments.patch tracing-uprobes-fix-typo-in-pr_fmt-string.patch --- diff --git a/queue-4.20/arm-dts-da850-fix-interrupt-numbers-for-clocksource.patch b/queue-4.20/arm-dts-da850-fix-interrupt-numbers-for-clocksource.patch new file mode 100644 index 00000000000..be546e02f05 --- /dev/null +++ b/queue-4.20/arm-dts-da850-fix-interrupt-numbers-for-clocksource.patch @@ -0,0 +1,37 @@ +From e3966a766865da7ced1dece663697861dd5cf103 Mon Sep 17 00:00:00 2001 +From: Bartosz Golaszewski +Date: Fri, 11 Jan 2019 18:21:18 +0100 +Subject: ARM: dts: da850: fix interrupt numbers for clocksource + +From: Bartosz Golaszewski + +commit e3966a766865da7ced1dece663697861dd5cf103 upstream. + +The timer interrupts specified in commit 3652e2741f42 ("ARM: dts: +da850: Add clocks") are wrong but since the current timer code +hard-codes them, the bug was never spotted. + +This patch must go into stable since, once we introduce a proper +clocksource driver, devices with buggy device tree will stop booting. + +Fixes: 3652e2741f42 ("ARM: dts: da850: Add clocks") +Cc: stable@vger.kernel.org +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sekhar Nori +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/da850.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/da850.dtsi ++++ b/arch/arm/boot/dts/da850.dtsi +@@ -476,7 +476,7 @@ + clocksource: timer@20000 { + compatible = "ti,da830-timer"; + reg = <0x20000 0x1000>; +- interrupts = <12>, <13>; ++ interrupts = <21>, <22>; + interrupt-names = "tint12", "tint34"; + clocks = <&pll0_auxclk>; + }; diff --git a/queue-4.20/arm-iop32x-n2100-fix-pci-irq-mapping.patch b/queue-4.20/arm-iop32x-n2100-fix-pci-irq-mapping.patch new file mode 100644 index 00000000000..3bd6c4a3282 --- /dev/null +++ b/queue-4.20/arm-iop32x-n2100-fix-pci-irq-mapping.patch @@ -0,0 +1,33 @@ +From db4090920ba2d61a5827a23e441447926a02ffee Mon Sep 17 00:00:00 2001 +From: Russell King +Date: Fri, 25 Jan 2019 20:10:15 +0000 +Subject: ARM: iop32x/n2100: fix PCI IRQ mapping + +From: Russell King + +commit db4090920ba2d61a5827a23e441447926a02ffee upstream. + +Booting 4.20 on a TheCUS N2100 results in a kernel oops while probing +PCI, due to n2100_pci_map_irq() having been discarded during boot. + +Signed-off-by: Russell King +Cc: stable@vger.kernel.org # 2.6.18+ +Signed-off-by: Arnd Bergmann +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mach-iop32x/n2100.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/arch/arm/mach-iop32x/n2100.c ++++ b/arch/arm/mach-iop32x/n2100.c +@@ -75,8 +75,7 @@ void __init n2100_map_io(void) + /* + * N2100 PCI. + */ +-static int __init +-n2100_pci_map_irq(const struct pci_dev *dev, u8 slot, u8 pin) ++static int n2100_pci_map_irq(const struct pci_dev *dev, u8 slot, u8 pin) + { + int irq; + diff --git a/queue-4.20/arm-tango-improve-arch_multiplatform-compatibility.patch b/queue-4.20/arm-tango-improve-arch_multiplatform-compatibility.patch new file mode 100644 index 00000000000..8dd5d266680 --- /dev/null +++ b/queue-4.20/arm-tango-improve-arch_multiplatform-compatibility.patch @@ -0,0 +1,74 @@ +From d0f9f16788e15d9eb40f68b047732d49658c5a3a Mon Sep 17 00:00:00 2001 +From: Marc Gonzalez +Date: Wed, 16 Jan 2019 16:49:58 +0100 +Subject: ARM: tango: Improve ARCH_MULTIPLATFORM compatibility + +From: Marc Gonzalez + +commit d0f9f16788e15d9eb40f68b047732d49658c5a3a upstream. + +Calling platform-specific code unconditionally blows up when running +an ARCH_MULTIPLATFORM kernel on a different platform. Don't do it. + +Reported-by: Paolo Pisati +Signed-off-by: Marc Gonzalez +Acked-by: Pavel Machek +Cc: stable@vger.kernel.org # v4.8+ +Fixes: a30eceb7a59d ("ARM: tango: add Suspend-to-RAM support") +Signed-off-by: Arnd Bergmann +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mach-tango/pm.c | 6 ++---- + arch/arm/mach-tango/pm.h | 7 +++++++ + arch/arm/mach-tango/setup.c | 2 ++ + 3 files changed, 11 insertions(+), 4 deletions(-) + +--- a/arch/arm/mach-tango/pm.c ++++ b/arch/arm/mach-tango/pm.c +@@ -3,6 +3,7 @@ + #include + #include + #include "smc.h" ++#include "pm.h" + + static int tango_pm_powerdown(unsigned long arg) + { +@@ -24,10 +25,7 @@ static const struct platform_suspend_ops + .valid = suspend_valid_only_mem, + }; + +-static int __init tango_pm_init(void) ++void __init tango_pm_init(void) + { + suspend_set_ops(&tango_pm_ops); +- return 0; + } +- +-late_initcall(tango_pm_init); +--- /dev/null ++++ b/arch/arm/mach-tango/pm.h +@@ -0,0 +1,7 @@ ++/* SPDX-License-Identifier: GPL-2.0 */ ++ ++#ifdef CONFIG_SUSPEND ++void __init tango_pm_init(void); ++#else ++#define tango_pm_init NULL ++#endif +--- a/arch/arm/mach-tango/setup.c ++++ b/arch/arm/mach-tango/setup.c +@@ -2,6 +2,7 @@ + #include + #include + #include "smc.h" ++#include "pm.h" + + static void tango_l2c_write(unsigned long val, unsigned int reg) + { +@@ -15,4 +16,5 @@ DT_MACHINE_START(TANGO_DT, "Sigma Tango + .dt_compat = tango_dt_compat, + .l2c_aux_mask = ~0, + .l2c_write_sec = tango_l2c_write, ++ .init_late = tango_pm_init, + MACHINE_END diff --git a/queue-4.20/drm-amd-powerplay-fix-missing-break-in-switch.patch b/queue-4.20/drm-amd-powerplay-fix-missing-break-in-switch.patch new file mode 100644 index 00000000000..cdd280394e7 --- /dev/null +++ b/queue-4.20/drm-amd-powerplay-fix-missing-break-in-switch.patch @@ -0,0 +1,39 @@ +From 2f10d823739680d2477ce34437e8a08a53117f40 Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Fri, 25 Jan 2019 15:55:33 -0600 +Subject: drm/amd/powerplay: Fix missing break in switch + +From: Gustavo A. R. Silva + +commit 2f10d823739680d2477ce34437e8a08a53117f40 upstream. + +Add missing break statement in order to prevent the code from falling +through to the default case. + +The resoning for this is that pclk_vol_table is an automatic variable. +So, it makes no sense to update it just before falling through to the +default case and return -EINVAL. + +This bug was found thanks to the ongoing efforts to enabling +-Wimplicit-fallthrough. + +Fixes: cd70f3d6e3fa ("drm/amd/powerplay: PP/DAL interface changes for dynamic clock switch") +Cc: stable@vger.kernel.org +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/powerplay/hwmgr/smu10_hwmgr.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/amd/powerplay/hwmgr/smu10_hwmgr.c ++++ b/drivers/gpu/drm/amd/powerplay/hwmgr/smu10_hwmgr.c +@@ -1005,6 +1005,7 @@ static int smu10_get_clock_by_type_with_ + break; + case amd_pp_dpp_clock: + pclk_vol_table = pinfo->vdd_dep_on_dppclk; ++ break; + default: + return -EINVAL; + } diff --git a/queue-4.20/drm-i915-always-return-something-on-ddi-clock-selection.patch b/queue-4.20/drm-i915-always-return-something-on-ddi-clock-selection.patch new file mode 100644 index 00000000000..fcc8a8026f9 --- /dev/null +++ b/queue-4.20/drm-i915-always-return-something-on-ddi-clock-selection.patch @@ -0,0 +1,39 @@ +From 2a121030d4ee3f84f60c6f415f9c44bffbcde81d Mon Sep 17 00:00:00 2001 +From: Lucas De Marchi +Date: Fri, 25 Jan 2019 14:24:42 -0800 +Subject: drm/i915: always return something on DDI clock selection + +From: Lucas De Marchi + +commit 2a121030d4ee3f84f60c6f415f9c44bffbcde81d upstream. + +Even if we don't have the correct clock and get a warning, we should not +skip the return. + +v2: improve commit message (from Joonas) + +Fixes: 1fa11ee2d9d0 ("drm/i915/icl: start adding the TBT pll") +Cc: Paulo Zanoni +Cc: # v4.19+ +Signed-off-by: Lucas De Marchi +Reviewed-by: Mika Kahola +Link: https://patchwork.freedesktop.org/patch/msgid/20190125222444.19926-3-lucas.demarchi@intel.com +(cherry picked from commit 7a61a6dec3dfb9f2e8c39a337580a3c3036c5cdf) +Signed-off-by: Jani Nikula +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/intel_ddi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/i915/intel_ddi.c ++++ b/drivers/gpu/drm/i915/intel_ddi.c +@@ -1085,7 +1085,7 @@ static uint32_t icl_pll_to_ddi_pll_sel(s + return DDI_CLK_SEL_TBT_810; + default: + MISSING_CASE(clock); +- break; ++ return DDI_CLK_SEL_NONE; + } + case DPLL_ID_ICL_MGPLL1: + case DPLL_ID_ICL_MGPLL2: diff --git a/queue-4.20/drm-modes-prevent-division-by-zero-htotal.patch b/queue-4.20/drm-modes-prevent-division-by-zero-htotal.patch new file mode 100644 index 00000000000..53f5de4cf9a --- /dev/null +++ b/queue-4.20/drm-modes-prevent-division-by-zero-htotal.patch @@ -0,0 +1,102 @@ +From a2fcd5c84f7a7825e028381b10182439067aa90d Mon Sep 17 00:00:00 2001 +From: Tina Zhang +Date: Wed, 23 Jan 2019 15:28:59 +0800 +Subject: drm/modes: Prevent division by zero htotal + +From: Tina Zhang + +commit a2fcd5c84f7a7825e028381b10182439067aa90d upstream. + +This patch prevents division by zero htotal. + +In a follow-up mail Tina writes: + +> > How did you manage to get here with htotal == 0? This needs backtraces (or if +> > this is just about static checkers, a mention of that). +> > -Daniel +> +> In GVT-g, we are trying to enable a virtual display w/o setting timings for a pipe +> (a.k.a htotal=0), then we met the following kernel panic: +> +> [ 32.832048] divide error: 0000 [#1] SMP PTI +> [ 32.833614] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.18.0-rc4-sriov+ #33 +> [ 32.834438] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.10.1-0-g8891697-dirty-20180511_165818-tinazhang-linux-1 04/01/2014 +> [ 32.835901] RIP: 0010:drm_mode_hsync+0x1e/0x40 +> [ 32.836004] Code: 31 c0 c3 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 8b 87 d8 00 00 00 85 c0 75 22 8b 4f 68 85 c9 78 1b 69 47 58 e8 03 00 00 99 f9 b9 d3 4d 62 10 05 f4 01 00 00 f7 e1 89 d0 c1 e8 06 f3 c3 66 +> [ 32.836004] RSP: 0000:ffffc900000ebb90 EFLAGS: 00010206 +> [ 32.836004] RAX: 0000000000000000 RBX: ffff88001c67c8a0 RCX: 0000000000000000 +> [ 32.836004] RDX: 0000000000000000 RSI: ffff88001c67c000 RDI: ffff88001c67c8a0 +> [ 32.836004] RBP: ffff88001c7d03a0 R08: ffff88001c67c8a0 R09: ffff88001c7d0330 +> [ 32.836004] R10: ffffffff822c3a98 R11: 0000000000000001 R12: ffff88001c67c000 +> [ 32.836004] R13: ffff88001c7d0370 R14: ffffffff8207eb78 R15: ffff88001c67c800 +> [ 32.836004] FS: 0000000000000000(0000) GS:ffff88001da00000(0000) knlGS:0000000000000000 +> [ 32.836004] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +> [ 32.836004] CR2: 0000000000000000 CR3: 000000000220a000 CR4: 00000000000006f0 +> [ 32.836004] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +> [ 32.836004] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +> [ 32.836004] Call Trace: +> [ 32.836004] intel_mode_from_pipe_config+0x72/0x90 +> [ 32.836004] intel_modeset_setup_hw_state+0x569/0xf90 +> [ 32.836004] intel_modeset_init+0x905/0x1db0 +> [ 32.836004] i915_driver_load+0xb8c/0x1120 +> [ 32.836004] i915_pci_probe+0x4d/0xb0 +> [ 32.836004] local_pci_probe+0x44/0xa0 +> [ 32.836004] ? pci_assign_irq+0x27/0x130 +> [ 32.836004] pci_device_probe+0x102/0x1c0 +> [ 32.836004] driver_probe_device+0x2b8/0x480 +> [ 32.836004] __driver_attach+0x109/0x110 +> [ 32.836004] ? driver_probe_device+0x480/0x480 +> [ 32.836004] bus_for_each_dev+0x67/0xc0 +> [ 32.836004] ? klist_add_tail+0x3b/0x70 +> [ 32.836004] bus_add_driver+0x1e8/0x260 +> [ 32.836004] driver_register+0x5b/0xe0 +> [ 32.836004] ? mipi_dsi_bus_init+0x11/0x11 +> [ 32.836004] do_one_initcall+0x4d/0x1eb +> [ 32.836004] kernel_init_freeable+0x197/0x237 +> [ 32.836004] ? rest_init+0xd0/0xd0 +> [ 32.836004] kernel_init+0xa/0x110 +> [ 32.836004] ret_from_fork+0x35/0x40 +> [ 32.836004] Modules linked in: +> [ 32.859183] ---[ end trace 525608b0ed0e8665 ]--- +> [ 32.859722] RIP: 0010:drm_mode_hsync+0x1e/0x40 +> [ 32.860287] Code: 31 c0 c3 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 8b 87 d8 00 00 00 85 c0 75 22 8b 4f 68 85 c9 78 1b 69 47 58 e8 03 00 00 99 f9 b9 d3 4d 62 10 05 f4 01 00 00 f7 e1 89 d0 c1 e8 06 f3 c3 66 +> [ 32.862680] RSP: 0000:ffffc900000ebb90 EFLAGS: 00010206 +> [ 32.863309] RAX: 0000000000000000 RBX: ffff88001c67c8a0 RCX: 0000000000000000 +> [ 32.864182] RDX: 0000000000000000 RSI: ffff88001c67c000 RDI: ffff88001c67c8a0 +> [ 32.865206] RBP: ffff88001c7d03a0 R08: ffff88001c67c8a0 R09: ffff88001c7d0330 +> [ 32.866359] R10: ffffffff822c3a98 R11: 0000000000000001 R12: ffff88001c67c000 +> [ 32.867213] R13: ffff88001c7d0370 R14: ffffffff8207eb78 R15: ffff88001c67c800 +> [ 32.868075] FS: 0000000000000000(0000) GS:ffff88001da00000(0000) knlGS:0000000000000000 +> [ 32.868983] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +> [ 32.869659] CR2: 0000000000000000 CR3: 000000000220a000 CR4: 00000000000006f0 +> [ 32.870599] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +> [ 32.871598] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +> [ 32.872549] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b +> +> Since drm_mode_hsync() has the logic to check mode->htotal, I just extend it to cover the case htotal==0. + +Signed-off-by: Tina Zhang +Cc: Adam Jackson +Cc: Dave Airlie +Cc: Daniel Vetter +[danvet: Add additional explanations + cc: stable.] +Cc: stable@vger.kernel.org +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/1548228539-3061-1-git-send-email-tina.zhang@intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/drm_modes.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/drm_modes.c ++++ b/drivers/gpu/drm/drm_modes.c +@@ -758,7 +758,7 @@ int drm_mode_hsync(const struct drm_disp + if (mode->hsync) + return mode->hsync; + +- if (mode->htotal < 0) ++ if (mode->htotal <= 0) + return 0; + + calc_val = (mode->clock * 1000) / mode->htotal; /* hsync in Hz */ diff --git a/queue-4.20/drm-rockchip-rgb-update-spdx-license-identifier.patch b/queue-4.20/drm-rockchip-rgb-update-spdx-license-identifier.patch new file mode 100644 index 00000000000..e98947b645c --- /dev/null +++ b/queue-4.20/drm-rockchip-rgb-update-spdx-license-identifier.patch @@ -0,0 +1,69 @@ +From 053ff09f1a8f2151339f9fda457c5250929d1c49 Mon Sep 17 00:00:00 2001 +From: Sandy Huang +Date: Wed, 23 Jan 2019 18:14:39 +0800 +Subject: drm/rockchip: rgb: update SPDX license identifier + +From: Sandy Huang + +commit 053ff09f1a8f2151339f9fda457c5250929d1c49 upstream. + +Update SPDX License Identifier from GPL-2.0+ to GPL-2.0 +and drop some GPL text. +This fixes a mismatch between the existing SPDX headers and GPL +boilerplate text. + +Fixes: 1f0f01515172 ("Add support for Rockchip Soc RGB output interface") +Cc: stable@vger.kernel.org +Reported-by: Thomas Gleixner +Signed-off-by: Sandy Huang +Signed-off-by: Heiko Stuebner +Link: https://patchwork.freedesktop.org/patch/msgid/1548238479-171491-1-git-send-email-hjc@rock-chips.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/rockchip/rockchip_rgb.c | 11 +---------- + drivers/gpu/drm/rockchip/rockchip_rgb.h | 11 +---------- + 2 files changed, 2 insertions(+), 20 deletions(-) + +--- a/drivers/gpu/drm/rockchip/rockchip_rgb.c ++++ b/drivers/gpu/drm/rockchip/rockchip_rgb.c +@@ -1,17 +1,8 @@ +-//SPDX-License-Identifier: GPL-2.0+ ++// SPDX-License-Identifier: GPL-2.0 + /* + * Copyright (C) Fuzhou Rockchip Electronics Co.Ltd + * Author: + * Sandy Huang +- * +- * This software is licensed under the terms of the GNU General Public +- * License version 2, as published by the Free Software Foundation, and +- * may be copied, distributed, and modified under those terms. +- * +- * This program is distributed in the hope that it will be useful, +- * but WITHOUT ANY WARRANTY; without even the implied warranty of +- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +- * GNU General Public License for more details. + */ + + #include +--- a/drivers/gpu/drm/rockchip/rockchip_rgb.h ++++ b/drivers/gpu/drm/rockchip/rockchip_rgb.h +@@ -1,17 +1,8 @@ +-//SPDX-License-Identifier: GPL-2.0+ ++/* SPDX-License-Identifier: GPL-2.0 */ + /* + * Copyright (C) Fuzhou Rockchip Electronics Co.Ltd + * Author: + * Sandy Huang +- * +- * This software is licensed under the terms of the GNU General Public +- * License version 2, as published by the Free Software Foundation, and +- * may be copied, distributed, and modified under those terms. +- * +- * This program is distributed in the hope that it will be useful, +- * but WITHOUT ANY WARRANTY; without even the implied warranty of +- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +- * GNU General Public License for more details. + */ + + #ifdef CONFIG_ROCKCHIP_RGB diff --git a/queue-4.20/drm-vmwgfx-fix-an-uninitialized-fence-handle-value.patch b/queue-4.20/drm-vmwgfx-fix-an-uninitialized-fence-handle-value.patch new file mode 100644 index 00000000000..f8494dc4e86 --- /dev/null +++ b/queue-4.20/drm-vmwgfx-fix-an-uninitialized-fence-handle-value.patch @@ -0,0 +1,38 @@ +From 51fdbeb4ca1a8415c98f87cb877956ae83e71627 Mon Sep 17 00:00:00 2001 +From: Thomas Hellstrom +Date: Thu, 31 Jan 2019 10:52:21 +0100 +Subject: drm/vmwgfx: Fix an uninitialized fence handle value + +From: Thomas Hellstrom + +commit 51fdbeb4ca1a8415c98f87cb877956ae83e71627 upstream. + +if vmw_execbuf_fence_commands() fails, The handle value will be +uninitialized and a bogus fence handle might be copied to user-space. + +Cc: +Fixes: 2724b2d54cda: ("drm/vmwgfx: Use new validation interface for the modesetting code v2") +Reported-by: Dan Carpenter +Signed-off-by: Thomas Hellstrom +Reviewed-by: Brian Paul #v1 +Reviewed-by: Sinclair Yeh #v1 +Reviewed-by: Deepak Rawat +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c +@@ -2592,8 +2592,8 @@ void vmw_kms_helper_validation_finish(st + user_fence_rep) + { + struct vmw_fence_obj *fence = NULL; +- uint32_t handle; +- int ret; ++ uint32_t handle = 0; ++ int ret = 0; + + if (file_priv || user_fence_rep || vmw_validation_has_bos(ctx) || + out_fence) diff --git a/queue-4.20/drm-vmwgfx-fix-setting-of-dma-masks.patch b/queue-4.20/drm-vmwgfx-fix-setting-of-dma-masks.patch new file mode 100644 index 00000000000..312142d89ed --- /dev/null +++ b/queue-4.20/drm-vmwgfx-fix-setting-of-dma-masks.patch @@ -0,0 +1,44 @@ +From 4cbfa1e6c09e98450aab3240e5119b0ab2c9795b Mon Sep 17 00:00:00 2001 +From: Thomas Hellstrom +Date: Mon, 28 Jan 2019 10:31:33 +0100 +Subject: drm/vmwgfx: Fix setting of dma masks + +From: Thomas Hellstrom + +commit 4cbfa1e6c09e98450aab3240e5119b0ab2c9795b upstream. + +Previously we set only the dma mask and not the coherent mask. Fix that. +Also, for clarity, make sure both are initially set to 64 bits. + +Cc: +Fixes: 0d00c488f3de: ("drm/vmwgfx: Fix the driver for large dma addresses") +Signed-off-by: Thomas Hellstrom +Reviewed-by: Deepak Rawat +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/vmwgfx/vmwgfx_drv.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c +@@ -629,13 +629,16 @@ out_fixup: + static int vmw_dma_masks(struct vmw_private *dev_priv) + { + struct drm_device *dev = dev_priv->dev; ++ int ret = 0; + +- if (intel_iommu_enabled && ++ ret = dma_set_mask_and_coherent(dev->dev, DMA_BIT_MASK(64)); ++ if (dev_priv->map_mode != vmw_dma_phys && + (sizeof(unsigned long) == 4 || vmw_restrict_dma_mask)) { + DRM_INFO("Restricting DMA addresses to 44 bits.\n"); +- return dma_set_mask(dev->dev, DMA_BIT_MASK(44)); ++ return dma_set_mask_and_coherent(dev->dev, DMA_BIT_MASK(44)); + } +- return 0; ++ ++ return ret; + } + #else + static int vmw_dma_masks(struct vmw_private *dev_priv) diff --git a/queue-4.20/drm-vmwgfx-return-error-code-from-vmw_execbuf_copy_fence_user.patch b/queue-4.20/drm-vmwgfx-return-error-code-from-vmw_execbuf_copy_fence_user.patch new file mode 100644 index 00000000000..ec7ec8c4f01 --- /dev/null +++ b/queue-4.20/drm-vmwgfx-return-error-code-from-vmw_execbuf_copy_fence_user.patch @@ -0,0 +1,38 @@ +From 728354c005c36eaf44b6e5552372b67e60d17f56 Mon Sep 17 00:00:00 2001 +From: Thomas Hellstrom +Date: Thu, 31 Jan 2019 10:55:37 +0100 +Subject: drm/vmwgfx: Return error code from vmw_execbuf_copy_fence_user + +From: Thomas Hellstrom + +commit 728354c005c36eaf44b6e5552372b67e60d17f56 upstream. + +The function was unconditionally returning 0, and a caller would have to +rely on the returned fence pointer being NULL to detect errors. However, +the function vmw_execbuf_copy_fence_user() would expect a non-zero error +code in that case and would BUG otherwise. + +So make sure we return a proper non-zero error code if the fence pointer +returned is NULL. + +Cc: +Fixes: ae2a104058e2: ("vmwgfx: Implement fence objects") +Signed-off-by: Thomas Hellstrom +Reviewed-by: Deepak Rawat +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c +@@ -3570,7 +3570,7 @@ int vmw_execbuf_fence_commands(struct dr + *p_fence = NULL; + } + +- return 0; ++ return ret; + } + + /** diff --git a/queue-4.20/firmware-arm_scmi-provide-the-mandatory-device-release-callback.patch b/queue-4.20/firmware-arm_scmi-provide-the-mandatory-device-release-callback.patch new file mode 100644 index 00000000000..411d1e6d37c --- /dev/null +++ b/queue-4.20/firmware-arm_scmi-provide-the-mandatory-device-release-callback.patch @@ -0,0 +1,92 @@ +From 46edb8d1322c1763dd04e179992f8e9996085047 Mon Sep 17 00:00:00 2001 +From: Sudeep Holla +Date: Tue, 22 Jan 2019 11:35:25 +0000 +Subject: firmware: arm_scmi: provide the mandatory device release callback + +From: Sudeep Holla + +commit 46edb8d1322c1763dd04e179992f8e9996085047 upstream. + +The device/driver model clearly mandates that bus driver that discover +and allocate the device must set the release callback. This callback +will be used to free the device after all references have gone away. + +scmi bus driver is missing the obvious callback which will result in +the following warning if the device is unregistered: + +Device 'scmi_dev.1' does not have a release() function, it is broken and +must be fixed. See Documentation/kobject.txt. +WARNING at drivers/base/core.c:922 device_release+0x8c/0xa0 +Hardware name: ARM LTD Juno Development Platform BIOS EDK II Jan 21 2019 +Workqueue: events deferred_probe_work_func +pstate: 60000005 (nZCv daif -PAN -UAO) +pc : device_release+0x8c/0xa0 +lr : device_release+0x8c/0xa0 +Call trace: + device_release+0x8c/0xa0 + kobject_put+0x8c/0x208 + device_unregister+0x30/0x78 + scmi_device_destroy+0x28/0x50 + scmi_probe+0x354/0x5b0 + platform_drv_probe+0x58/0xa8 + really_probe+0x2c4/0x3e8 + driver_probe_device+0x12c/0x148 + __device_attach_driver+0xac/0x150 + bus_for_each_drv+0x78/0xd8 + __device_attach+0xe0/0x168 + device_initial_probe+0x24/0x30 + bus_probe_device+0xa0/0xa8 + deferred_probe_work_func+0x8c/0xe0 + process_one_work+0x1f0/0x478 + worker_thread+0x22c/0x450 + kthread+0x134/0x138 + ret_from_fork+0x10/0x1c +---[ end trace 420bdb7f6af50937 ]--- + +Fix the issue by providing scmi_device_release callback. We have +everything required for device release already in scmi_device_destroy, +so we just need to move freeing of the device to scmi_device_release. + +Fixes: 933c504424a2 ("firmware: arm_scmi: add scmi protocol bus to enumerate protocol devices") +Signed-off-by: Sudeep Holla +Cc: stable@vger.kernel.org # 4.17+ +Signed-off-by: Arnd Bergmann +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/firmware/arm_scmi/bus.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/drivers/firmware/arm_scmi/bus.c ++++ b/drivers/firmware/arm_scmi/bus.c +@@ -119,6 +119,11 @@ void scmi_driver_unregister(struct scmi_ + } + EXPORT_SYMBOL_GPL(scmi_driver_unregister); + ++static void scmi_device_release(struct device *dev) ++{ ++ kfree(to_scmi_dev(dev)); ++} ++ + struct scmi_device * + scmi_device_create(struct device_node *np, struct device *parent, int protocol) + { +@@ -138,6 +143,7 @@ scmi_device_create(struct device_node *n + scmi_dev->dev.parent = parent; + scmi_dev->dev.of_node = np; + scmi_dev->dev.bus = &scmi_bus_type; ++ scmi_dev->dev.release = scmi_device_release; + dev_set_name(&scmi_dev->dev, "scmi_dev.%d", id); + + retval = device_register(&scmi_dev->dev); +@@ -156,9 +162,8 @@ free_mem: + void scmi_device_destroy(struct scmi_device *scmi_dev) + { + scmi_handle_put(scmi_dev->handle); +- device_unregister(&scmi_dev->dev); + ida_simple_remove(&scmi_bus_id, scmi_dev->id); +- kfree(scmi_dev); ++ device_unregister(&scmi_dev->dev); + } + + void scmi_set_handle(struct scmi_device *scmi_dev) diff --git a/queue-4.20/mac80211-ensure-that-mgmt-tx-skbs-have-tailroom-for-encryption.patch b/queue-4.20/mac80211-ensure-that-mgmt-tx-skbs-have-tailroom-for-encryption.patch new file mode 100644 index 00000000000..6a0638833e0 --- /dev/null +++ b/queue-4.20/mac80211-ensure-that-mgmt-tx-skbs-have-tailroom-for-encryption.patch @@ -0,0 +1,57 @@ +From 9d0f50b80222dc273e67e4e14410fcfa4130a90c Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Tue, 29 Jan 2019 11:10:57 +0100 +Subject: mac80211: ensure that mgmt tx skbs have tailroom for encryption + +From: Felix Fietkau + +commit 9d0f50b80222dc273e67e4e14410fcfa4130a90c upstream. + +Some drivers use IEEE80211_KEY_FLAG_SW_MGMT_TX to indicate that management +frames need to be software encrypted. Since normal data packets are still +encrypted by the hardware, crypto_tx_tailroom_needed_cnt gets decremented +after key upload to hw. This can lead to passing skbs to ccmp_encrypt_skb, +which don't have the necessary tailroom for software encryption. + +Change the code to add tailroom for encrypted management packets, even if +crypto_tx_tailroom_needed_cnt is 0. + +Cc: stable@vger.kernel.org +Signed-off-by: Felix Fietkau +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/tx.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -1938,9 +1938,16 @@ static int ieee80211_skb_resize(struct i + int head_need, bool may_encrypt) + { + struct ieee80211_local *local = sdata->local; ++ struct ieee80211_hdr *hdr; ++ bool enc_tailroom; + int tail_need = 0; + +- if (may_encrypt && sdata->crypto_tx_tailroom_needed_cnt) { ++ hdr = (struct ieee80211_hdr *) skb->data; ++ enc_tailroom = may_encrypt && ++ (sdata->crypto_tx_tailroom_needed_cnt || ++ ieee80211_is_mgmt(hdr->frame_control)); ++ ++ if (enc_tailroom) { + tail_need = IEEE80211_ENCRYPT_TAILROOM; + tail_need -= skb_tailroom(skb); + tail_need = max_t(int, tail_need, 0); +@@ -1948,8 +1955,7 @@ static int ieee80211_skb_resize(struct i + + if (skb_cloned(skb) && + (!ieee80211_hw_check(&local->hw, SUPPORTS_CLONED_SKBS) || +- !skb_clone_writable(skb, ETH_HLEN) || +- (may_encrypt && sdata->crypto_tx_tailroom_needed_cnt))) ++ !skb_clone_writable(skb, ETH_HLEN) || enc_tailroom)) + I802_DEBUG_INC(local->tx_expand_skb_head_cloned); + else if (head_need || tail_need) + I802_DEBUG_INC(local->tx_expand_skb_head); diff --git a/queue-4.20/mic-vop-fix-use-after-free-on-remove.patch b/queue-4.20/mic-vop-fix-use-after-free-on-remove.patch new file mode 100644 index 00000000000..782744d95c5 --- /dev/null +++ b/queue-4.20/mic-vop-fix-use-after-free-on-remove.patch @@ -0,0 +1,117 @@ +From 70ed7148dadb812f2f7c9927e98ef3cf4869dfa9 Mon Sep 17 00:00:00 2001 +From: Vincent Whitchurch +Date: Fri, 1 Feb 2019 10:03:12 +0100 +Subject: mic: vop: Fix use-after-free on remove + +From: Vincent Whitchurch + +commit 70ed7148dadb812f2f7c9927e98ef3cf4869dfa9 upstream. + +KASAN detects a use-after-free when vop devices are removed. + +This problem was introduced by commit 0063e8bbd2b62d136 ("virtio_vop: +don't kfree device on register failure"). That patch moved the freeing +of the struct _vop_vdev to the release function, but failed to ensure +that vop holds a reference to the device when it doesn't want it to go +away. A kfree() was replaced with a put_device() in the unregistration +path, but the last reference to the device is already dropped in +unregister_virtio_device() so the struct is freed before vop is done +with it. + +Fix it by holding a reference until cleanup is done. This is similar to +the fix in virtio_pci in commit 2989be09a8a9d6 ("virtio_pci: fix use +after free on release"). + + ================================================================== + BUG: KASAN: use-after-free in vop_scan_devices+0xc6c/0xe50 [vop] + Read of size 8 at addr ffff88800da18580 by task kworker/0:1/12 + + CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.0.0-rc4+ #53 + Workqueue: events vop_hotplug_devices [vop] + Call Trace: + dump_stack+0x74/0xbb + print_address_description+0x5d/0x2b0 + ? vop_scan_devices+0xc6c/0xe50 [vop] + kasan_report+0x152/0x1aa + ? vop_scan_devices+0xc6c/0xe50 [vop] + ? vop_scan_devices+0xc6c/0xe50 [vop] + vop_scan_devices+0xc6c/0xe50 [vop] + ? vop_loopback_free_irq+0x160/0x160 [vop_loopback] + process_one_work+0x7c0/0x14b0 + ? pwq_dec_nr_in_flight+0x2d0/0x2d0 + ? do_raw_spin_lock+0x120/0x280 + worker_thread+0x8f/0xbf0 + ? __kthread_parkme+0x78/0xf0 + ? process_one_work+0x14b0/0x14b0 + kthread+0x2ae/0x3a0 + ? kthread_park+0x120/0x120 + ret_from_fork+0x3a/0x50 + + Allocated by task 12: + kmem_cache_alloc_trace+0x13a/0x2a0 + vop_scan_devices+0x473/0xe50 [vop] + process_one_work+0x7c0/0x14b0 + worker_thread+0x8f/0xbf0 + kthread+0x2ae/0x3a0 + ret_from_fork+0x3a/0x50 + + Freed by task 12: + kfree+0x104/0x310 + device_release+0x73/0x1d0 + kobject_put+0x14f/0x420 + unregister_virtio_device+0x32/0x50 + vop_scan_devices+0x19d/0xe50 [vop] + process_one_work+0x7c0/0x14b0 + worker_thread+0x8f/0xbf0 + kthread+0x2ae/0x3a0 + ret_from_fork+0x3a/0x50 + + The buggy address belongs to the object at ffff88800da18008 + which belongs to the cache kmalloc-2k of size 2048 + The buggy address is located 1400 bytes inside of + 2048-byte region [ffff88800da18008, ffff88800da18808) + The buggy address belongs to the page: + page:ffffea0000368600 count:1 mapcount:0 mapping:ffff88801440dbc0 index:0x0 compound_mapcount: 0 + flags: 0x4000000000010200(slab|head) + raw: 4000000000010200 ffffea0000378608 ffffea000037a008 ffff88801440dbc0 + raw: 0000000000000000 00000000000d000d 00000001ffffffff 0000000000000000 + page dumped because: kasan: bad access detected + + Memory state around the buggy address: + ffff88800da18480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff88800da18500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + >ffff88800da18580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff88800da18600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff88800da18680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ================================================================== + +Fixes: 0063e8bbd2b62d136 ("virtio_vop: don't kfree device on register failure") +Signed-off-by: Vincent Whitchurch +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/mic/vop/vop_main.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/misc/mic/vop/vop_main.c ++++ b/drivers/misc/mic/vop/vop_main.c +@@ -568,6 +568,8 @@ static int _vop_remove_device(struct mic + int ret = -1; + + if (ioread8(&dc->config_change) == MIC_VIRTIO_PARAM_DEV_REMOVE) { ++ struct device *dev = get_device(&vdev->vdev.dev); ++ + dev_dbg(&vpdev->dev, + "%s %d config_change %d type %d vdev %p\n", + __func__, __LINE__, +@@ -579,7 +581,7 @@ static int _vop_remove_device(struct mic + iowrite8(-1, &dc->h2c_vdev_db); + if (status & VIRTIO_CONFIG_S_DRIVER_OK) + wait_for_completion(&vdev->reset_done); +- put_device(&vdev->vdev.dev); ++ put_device(dev); + iowrite8(1, &dc->guest_ack); + dev_dbg(&vpdev->dev, "%s %d guest_ack %d\n", + __func__, __LINE__, ioread8(&dc->guest_ack)); diff --git a/queue-4.20/mips-cm-reprime-error-cause.patch b/queue-4.20/mips-cm-reprime-error-cause.patch new file mode 100644 index 00000000000..45790772532 --- /dev/null +++ b/queue-4.20/mips-cm-reprime-error-cause.patch @@ -0,0 +1,42 @@ +From 05dc6001af0630e200ad5ea08707187fe5537e6d Mon Sep 17 00:00:00 2001 +From: Vladimir Kondratiev +Date: Wed, 6 Feb 2019 13:46:17 +0200 +Subject: mips: cm: reprime error cause + +From: Vladimir Kondratiev + +commit 05dc6001af0630e200ad5ea08707187fe5537e6d upstream. + +Accordingly to the documentation +---cut--- +The GCR_ERROR_CAUSE.ERR_TYPE field and the GCR_ERROR_MULT.ERR_TYPE +fields can be cleared by either a reset or by writing the current +value of GCR_ERROR_CAUSE.ERR_TYPE to the +GCR_ERROR_CAUSE.ERR_TYPE register. +---cut--- +Do exactly this. Original value of cm_error may be safely written back; +it clears error cause and keeps other bits untouched. + +Fixes: 3885c2b463f6 ("MIPS: CM: Add support for reporting CM cache errors") +Signed-off-by: Vladimir Kondratiev +Signed-off-by: Paul Burton +Cc: Ralf Baechle +Cc: James Hogan +Cc: linux-mips@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Cc: stable@vger.kernel.org # v4.3+ +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/mips-cm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/kernel/mips-cm.c ++++ b/arch/mips/kernel/mips-cm.c +@@ -457,5 +457,5 @@ void mips_cm_error_report(void) + } + + /* reprime cause register */ +- write_gcr_error_cause(0); ++ write_gcr_error_cause(cm_error); + } diff --git a/queue-4.20/mips-loongson64-remove-unreachable-fix-loongson_poweroff.patch b/queue-4.20/mips-loongson64-remove-unreachable-fix-loongson_poweroff.patch new file mode 100644 index 00000000000..9c0da289f6c --- /dev/null +++ b/queue-4.20/mips-loongson64-remove-unreachable-fix-loongson_poweroff.patch @@ -0,0 +1,60 @@ +From 8a96669d77897ff3613157bf43f875739205d66d Mon Sep 17 00:00:00 2001 +From: Yifeng Li +Date: Wed, 6 Feb 2019 15:07:21 +0800 +Subject: mips: loongson64: remove unreachable(), fix loongson_poweroff(). + +From: Yifeng Li + +commit 8a96669d77897ff3613157bf43f875739205d66d upstream. + +On my Yeeloong 8089, I noticed the machine fails to shutdown +properly, and often, the function mach_prepare_reboot() is +unexpectedly executed, thus the machine reboots instead. A +wait loop is needed to ensure the system is in a well-defined +state before going down. + +In commit 997e93d4df16 ("MIPS: Hang more efficiently on +halt/powerdown/restart"), a general superset of the wait loop for all +platforms is already provided, so we don't need to implement our own. + +This commit simply removes the unreachable() compiler marco after +mach_prepare_reboot(), thus allowing the execution of machine_hang(). +My test shows that the machine is now able to shutdown successfully. + +Please note that there are two different bugs preventing the machine +from shutting down, another work-in-progress commit is needed to +fix a lockup in cpufreq / i8259 driver, please read Reference, this +commit does not fix that bug. + +Reference: https://lkml.org/lkml/2019/2/5/908 +Signed-off-by: Yifeng Li +Signed-off-by: Paul Burton +Cc: linux-mips@vger.kernel.org +Cc: Huacai Chen +Cc: Ralf Baechle +Cc: James Hogan +Cc: linux-kernel@vger.kernel.org +Cc: Aaro Koskinen +Cc: stable@vger.kernel.org # v4.17+ +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/loongson64/common/reset.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/arch/mips/loongson64/common/reset.c ++++ b/arch/mips/loongson64/common/reset.c +@@ -59,7 +59,12 @@ static void loongson_poweroff(void) + { + #ifndef CONFIG_LEFI_FIRMWARE_INTERFACE + mach_prepare_shutdown(); +- unreachable(); ++ ++ /* ++ * It needs a wait loop here, but mips/kernel/reset.c already calls ++ * a generic delay loop, machine_hang(), so simply return. ++ */ ++ return; + #else + void (*fw_poweroff)(void) = (void *)loongson_sysconf.poweroff_addr; + diff --git a/queue-4.20/mips-octeon-don-t-set-octeon_dma_bar_type-if-pci-is-disabled.patch b/queue-4.20/mips-octeon-don-t-set-octeon_dma_bar_type-if-pci-is-disabled.patch new file mode 100644 index 00000000000..d09717aebec --- /dev/null +++ b/queue-4.20/mips-octeon-don-t-set-octeon_dma_bar_type-if-pci-is-disabled.patch @@ -0,0 +1,49 @@ +From dcf300a69ac307053dfb35c2e33972e754a98bce Mon Sep 17 00:00:00 2001 +From: Aaro Koskinen +Date: Sun, 27 Jan 2019 23:28:33 +0200 +Subject: MIPS: OCTEON: don't set octeon_dma_bar_type if PCI is disabled + +From: Aaro Koskinen + +commit dcf300a69ac307053dfb35c2e33972e754a98bce upstream. + +Don't set octeon_dma_bar_type if PCI is disabled. This avoids creation +of the MSI irqchip later on, and saves a bit of memory. + +Signed-off-by: Aaro Koskinen +Signed-off-by: Paul Burton +Fixes: a214720cbf50 ("Disable MSI also when pcie-octeon.pcie_disable on") +Cc: stable@vger.kernel.org # v3.3+ +Cc: linux-mips@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/pci/pci-octeon.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/arch/mips/pci/pci-octeon.c ++++ b/arch/mips/pci/pci-octeon.c +@@ -568,6 +568,11 @@ static int __init octeon_pci_setup(void) + if (octeon_has_feature(OCTEON_FEATURE_PCIE)) + return 0; + ++ if (!octeon_is_pci_host()) { ++ pr_notice("Not in host mode, PCI Controller not initialized\n"); ++ return 0; ++ } ++ + /* Point pcibios_map_irq() to the PCI version of it */ + octeon_pcibios_map_irq = octeon_pci_pcibios_map_irq; + +@@ -579,11 +584,6 @@ static int __init octeon_pci_setup(void) + else + octeon_dma_bar_type = OCTEON_DMA_BAR_TYPE_BIG; + +- if (!octeon_is_pci_host()) { +- pr_notice("Not in host mode, PCI Controller not initialized\n"); +- return 0; +- } +- + /* PCI I/O and PCI MEM values */ + set_io_port_base(OCTEON_PCI_IOSPACE_BASE); + ioport_resource.start = 0; diff --git a/queue-4.20/mips-use-lower-case-for-addresses-in-nexys4ddr.dts.patch b/queue-4.20/mips-use-lower-case-for-addresses-in-nexys4ddr.dts.patch new file mode 100644 index 00000000000..e6445caf6d3 --- /dev/null +++ b/queue-4.20/mips-use-lower-case-for-addresses-in-nexys4ddr.dts.patch @@ -0,0 +1,59 @@ +From 047f2d941b8b24cadd6a4a09e606b7f41188ba3e Mon Sep 17 00:00:00 2001 +From: Paul Burton +Date: Mon, 4 Feb 2019 19:53:53 +0000 +Subject: MIPS: Use lower case for addresses in nexys4ddr.dts + +From: Paul Burton + +commit 047f2d941b8b24cadd6a4a09e606b7f41188ba3e upstream. + +DTC introduced an i2c_bus_reg check in v1.4.7, used since Linux v4.20, +which complains about upper case addresses used in the unit name. + +nexys4ddr.dts names an I2C device node "ad7420@4B", leading to: + + arch/mips/boot/dts/xilfpga/nexys4ddr.dts:109.16-112.8: Warning + (i2c_bus_reg): /i2c@10A00000/ad7420@4B: I2C bus unit address format + error, expected "4b" + +Fix this by switching to lower case addresses throughout the file, as is +*mostly* the case in the file already & fairly standard throughout the +tree. + +Signed-off-by: Paul Burton +Cc: stable@vger.kernel.org # v4.20+ +Cc: linux-mips@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/boot/dts/xilfpga/nexys4ddr.dts | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/mips/boot/dts/xilfpga/nexys4ddr.dts ++++ b/arch/mips/boot/dts/xilfpga/nexys4ddr.dts +@@ -90,11 +90,11 @@ + interrupts = <0>; + }; + +- axi_i2c: i2c@10A00000 { ++ axi_i2c: i2c@10a00000 { + compatible = "xlnx,xps-iic-2.00.a"; + interrupt-parent = <&axi_intc>; + interrupts = <4>; +- reg = < 0x10A00000 0x10000 >; ++ reg = < 0x10a00000 0x10000 >; + clocks = <&ext>; + xlnx,clk-freq = <0x5f5e100>; + xlnx,family = "Artix7"; +@@ -106,9 +106,9 @@ + #address-cells = <1>; + #size-cells = <0>; + +- ad7420@4B { ++ ad7420@4b { + compatible = "adi,adt7420"; +- reg = <0x4B>; ++ reg = <0x4b>; + }; + } ; + }; diff --git a/queue-4.20/mips-vdso-include-ccflags-vdso-in-o32-n32-.lds-builds.patch b/queue-4.20/mips-vdso-include-ccflags-vdso-in-o32-n32-.lds-builds.patch new file mode 100644 index 00000000000..0ddf4af6535 --- /dev/null +++ b/queue-4.20/mips-vdso-include-ccflags-vdso-in-o32-n32-.lds-builds.patch @@ -0,0 +1,62 @@ +From 67fc5dc8a541e8f458d7f08bf88ff55933bf9f9d Mon Sep 17 00:00:00 2001 +From: Paul Burton +Date: Mon, 28 Jan 2019 23:16:22 +0000 +Subject: MIPS: VDSO: Include $(ccflags-vdso) in o32,n32 .lds builds + +From: Paul Burton + +commit 67fc5dc8a541e8f458d7f08bf88ff55933bf9f9d upstream. + +When generating vdso-o32.lds & vdso-n32.lds for use with programs +running as compat ABIs under 64b kernels, we previously haven't included +the compiler flags that are supposedly common to all ABIs - ie. those in +the ccflags-vdso variable. + +This is problematic in cases where we need to provide the -m%-float flag +in order to ensure that we don't attempt to use a floating point ABI +that's incompatible with the target CPU & ABI. For example a toolchain +using current gcc trunk configured --with-fp-32=xx fails to build a +64r6el_defconfig kernel with the following error: + + cc1: error: '-march=mips1' requires '-mfp32' + make[2]: *** [arch/mips/vdso/Makefile:135: arch/mips/vdso/vdso-o32.lds] Error 1 + +Include $(ccflags-vdso) for the compat VDSO .lds builds, just as it is +included for the native VDSO .lds & when compiling objects for the +compat VDSOs. This ensures we consistently provide the -msoft-float flag +amongst others, avoiding the problem by ensuring we're agnostic to the +toolchain defaults. + +Signed-off-by: Paul Burton +Fixes: ebb5e78cc634 ("MIPS: Initial implementation of a VDSO") +Cc: linux-mips@vger.kernel.org +Cc: Kevin Hilman +Cc: Guenter Roeck +Cc: Maciej W . Rozycki +Cc: stable@vger.kernel.org # v4.4+ +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/vdso/Makefile | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/mips/vdso/Makefile ++++ b/arch/mips/vdso/Makefile +@@ -129,7 +129,7 @@ $(obj)/%-o32.o: $(src)/%.c FORCE + $(call cmd,force_checksrc) + $(call if_changed_rule,cc_o_c) + +-$(obj)/vdso-o32.lds: KBUILD_CPPFLAGS := -mabi=32 ++$(obj)/vdso-o32.lds: KBUILD_CPPFLAGS := $(ccflags-vdso) -mabi=32 + $(obj)/vdso-o32.lds: $(src)/vdso.lds.S FORCE + $(call if_changed_dep,cpp_lds_S) + +@@ -169,7 +169,7 @@ $(obj)/%-n32.o: $(src)/%.c FORCE + $(call cmd,force_checksrc) + $(call if_changed_rule,cc_o_c) + +-$(obj)/vdso-n32.lds: KBUILD_CPPFLAGS := -mabi=n32 ++$(obj)/vdso-n32.lds: KBUILD_CPPFLAGS := $(ccflags-vdso) -mabi=n32 + $(obj)/vdso-n32.lds: $(src)/vdso.lds.S FORCE + $(call if_changed_dep,cpp_lds_S) + diff --git a/queue-4.20/mips-vdso-use-same-m-float-cflag-as-the-kernel-proper.patch b/queue-4.20/mips-vdso-use-same-m-float-cflag-as-the-kernel-proper.patch new file mode 100644 index 00000000000..b6263d8e9cd --- /dev/null +++ b/queue-4.20/mips-vdso-use-same-m-float-cflag-as-the-kernel-proper.patch @@ -0,0 +1,62 @@ +From 0648e50e548d881d025b9419a1a168753c8e2bf7 Mon Sep 17 00:00:00 2001 +From: Paul Burton +Date: Mon, 28 Jan 2019 22:21:17 +0000 +Subject: MIPS: VDSO: Use same -m%-float cflag as the kernel proper + +From: Paul Burton + +commit 0648e50e548d881d025b9419a1a168753c8e2bf7 upstream. + +The MIPS VDSO build currently doesn't provide the -msoft-float flag to +the compiler as the kernel proper does. This results in an attempt to +use the compiler's default floating point configuration, which can be +problematic in cases where this is incompatible with the target CPU's +-march= flag. For example decstation_defconfig fails to build using +toolchains in which gcc was configured --with-fp-32=xx with the +following error: + + LDS arch/mips/vdso/vdso.lds + cc1: error: '-march=r3000' requires '-mfp32' + make[2]: *** [scripts/Makefile.build:379: arch/mips/vdso/vdso.lds] Error 1 + +The kernel proper avoids this error because we build with the +-msoft-float compiler flag, rather than using the compiler's default. +Pass this flag through to the VDSO build so that it too becomes agnostic +to the toolchain's floating point configuration. + +Note that this is filtered out from KBUILD_CFLAGS rather than simply +always using -msoft-float such that if we switch the kernel to use +-mno-float in the future the VDSO will automatically inherit the change. + +The VDSO doesn't actually include any floating point code, and its +.MIPS.abiflags section is already manually generated to specify that +it's compatible with any floating point ABI. As such this change should +have no effect on the resulting VDSO, apart from fixing the build +failure for affected toolchains. + +Signed-off-by: Paul Burton +Reported-by: Kevin Hilman +Reported-by: Guenter Roeck +Tested-by: Kevin Hilman +References: https://lore.kernel.org/linux-mips/1477843551-21813-1-git-send-email-linux@roeck-us.net/ +References: https://kernelci.org/build/id/5c4e4ae059b5142a249ad004/logs/ +Fixes: ebb5e78cc634 ("MIPS: Initial implementation of a VDSO") +Cc: Maciej W. Rozycki +Cc: linux-mips@vger.kernel.org +Cc: stable@vger.kernel.org # v4.4+ +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/vdso/Makefile | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/mips/vdso/Makefile ++++ b/arch/mips/vdso/Makefile +@@ -8,6 +8,7 @@ ccflags-vdso := \ + $(filter -E%,$(KBUILD_CFLAGS)) \ + $(filter -mmicromips,$(KBUILD_CFLAGS)) \ + $(filter -march=%,$(KBUILD_CFLAGS)) \ ++ $(filter -m%-float,$(KBUILD_CFLAGS)) \ + -D__VDSO__ + + ifdef CONFIG_CC_IS_CLANG diff --git a/queue-4.20/pinctrl-cherryview-fix-strago-dmi-workaround.patch b/queue-4.20/pinctrl-cherryview-fix-strago-dmi-workaround.patch new file mode 100644 index 00000000000..057bb4964d1 --- /dev/null +++ b/queue-4.20/pinctrl-cherryview-fix-strago-dmi-workaround.patch @@ -0,0 +1,65 @@ +From e3f72b749da2bf63bed7409e416f160418d475b6 Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Mon, 14 Jan 2019 19:38:36 -0800 +Subject: pinctrl: cherryview: fix Strago DMI workaround + +From: Dmitry Torokhov + +commit e3f72b749da2bf63bed7409e416f160418d475b6 upstream. + +Well, hopefully 3rd time is a charm. We tried making that check +DMI_BIOS_VERSION and DMI_BOARD_VERSION, but the real one is +DMI_PRODUCT_VERSION. + +Fixes: 86c5dd6860a6 ("pinctrl: cherryview: limit Strago DMI workarounds to version 1.0") +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=197953 +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1631930 +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Reviewed-by: Andy Shevchenko +Acked-by: Mika Westerberg +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pinctrl/intel/pinctrl-cherryview.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/pinctrl/intel/pinctrl-cherryview.c ++++ b/drivers/pinctrl/intel/pinctrl-cherryview.c +@@ -1507,7 +1507,7 @@ static const struct dmi_system_id chv_no + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "GOOGLE"), + DMI_MATCH(DMI_PRODUCT_FAMILY, "Intel_Strago"), +- DMI_MATCH(DMI_BOARD_VERSION, "1.0"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "1.0"), + }, + }, + { +@@ -1515,7 +1515,7 @@ static const struct dmi_system_id chv_no + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "HP"), + DMI_MATCH(DMI_PRODUCT_NAME, "Setzer"), +- DMI_MATCH(DMI_BOARD_VERSION, "1.0"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "1.0"), + }, + }, + { +@@ -1523,7 +1523,7 @@ static const struct dmi_system_id chv_no + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "GOOGLE"), + DMI_MATCH(DMI_PRODUCT_NAME, "Cyan"), +- DMI_MATCH(DMI_BOARD_VERSION, "1.0"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "1.0"), + }, + }, + { +@@ -1531,7 +1531,7 @@ static const struct dmi_system_id chv_no + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "GOOGLE"), + DMI_MATCH(DMI_PRODUCT_NAME, "Celes"), +- DMI_MATCH(DMI_BOARD_VERSION, "1.0"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "1.0"), + }, + }, + {} diff --git a/queue-4.20/pinctrl-sunxi-correct-number-of-irq-banks-on-h6-main-pin-controller.patch b/queue-4.20/pinctrl-sunxi-correct-number-of-irq-banks-on-h6-main-pin-controller.patch new file mode 100644 index 00000000000..3becca5542d --- /dev/null +++ b/queue-4.20/pinctrl-sunxi-correct-number-of-irq-banks-on-h6-main-pin-controller.patch @@ -0,0 +1,119 @@ +From 10098709b4ee6f6f19f25ba81d9c6f83518c584c Mon Sep 17 00:00:00 2001 +From: Chen-Yu Tsai +Date: Tue, 15 Jan 2019 10:45:43 +0800 +Subject: pinctrl: sunxi: Correct number of IRQ banks on H6 main pin controller + +From: Chen-Yu Tsai + +commit 10098709b4ee6f6f19f25ba81d9c6f83518c584c upstream. + +The H6 main pin controller has four banks of interrupt-triggering pins. +The driver as originally submitted only specified three, but had pin +descriptions referencing a fourth bank. This results in a out-of-bounds +access into .irq_array of struct sunxi_pinctrl. This however did not +result in a crash until v4.20, with commit a66d972465d1 ("devres: Align +data[] to ARCH_KMALLOC_MINALIGN"), which changed the alignment of memory +region returned by devm_kcalloc(). The increase likely moved the +out-of-bounds access into the next, unmapped page. + +With KASAN on, the bug is quite clear: + + BUG: KASAN: slab-out-of-bounds in sunxi_pinctrl_init_with_variant+0x49c/0x12b8 + Write of size 4 at addr ffff80002c680280 by task swapper/0/1 + + CPU: 2 PID: 1 Comm: swapper/0 Not tainted 5.0.0-rc1-00016-gc480a5e6a077 #3 + Hardware name: OrangePi Lite2 (DT) + Call trace: + dump_backtrace+0x0/0x220 + show_stack+0x14/0x20 + dump_stack+0xac/0xd4 + print_address_description+0x60/0x25c + kasan_report+0x14c/0x1ac + __asan_store4+0x80/0xa0 + sunxi_pinctrl_init_with_variant+0x49c/0x12b8 + h6_pinctrl_probe+0x18/0x20 + platform_drv_probe+0x6c/0xc8 + really_probe+0x244/0x4b0 + driver_probe_device.part.4+0x11c/0x164 + __driver_attach+0x120/0x190 + bus_for_each_dev+0xe8/0x158 + driver_attach+0x30/0x40 + bus_add_driver+0x308/0x318 + driver_register+0xbc/0x1d0 + __platform_driver_register+0x7c/0x88 + h6_pinctrl_driver_init+0x18/0x20 + do_one_initcall+0xd4/0x208 + kernel_init_freeable+0x230/0x2c8 + kernel_init+0x10/0x108 + ret_from_fork+0x10/0x1c + + Allocated by task 1: + kasan_kmalloc.part.0+0x4c/0x100 + kasan_kmalloc+0xc4/0xe8 + kasan_slab_alloc+0x14/0x20 + __kmalloc_track_caller+0x130/0x238 + devm_kmalloc+0x34/0xd0 + sunxi_pinctrl_init_with_variant+0x1d8/0x12b8 + h6_pinctrl_probe+0x18/0x20 + platform_drv_probe+0x6c/0xc8 + really_probe+0x244/0x4b0 + driver_probe_device.part.4+0x11c/0x164 + __driver_attach+0x120/0x190 + bus_for_each_dev+0xe8/0x158 + driver_attach+0x30/0x40 + bus_add_driver+0x308/0x318 + driver_register+0xbc/0x1d0 + __platform_driver_register+0x7c/0x88 + h6_pinctrl_driver_init+0x18/0x20 + do_one_initcall+0xd4/0x208 + kernel_init_freeable+0x230/0x2c8 + kernel_init+0x10/0x108 + ret_from_fork+0x10/0x1c + + Freed by task 0: + (stack is not available) + + The buggy address belongs to the object at ffff80002c680080 + which belongs to the cache kmalloc-512 of size 512 + The buggy address is located 0 bytes to the right of + 512-byte region [ffff80002c680080, ffff80002c680280) + The buggy address belongs to the page: + page:ffff7e0000b1a000 count:1 mapcount:0 mapping:ffff80002e00c780 index:0xffff80002c683c80 compound_mapcount: 0 + flags: 0x10200(slab|head) + raw: 0000000000010200 ffff80002e003a10 ffff80002e003a10 ffff80002e00c780 + raw: ffff80002c683c80 0000000000100001 00000001ffffffff 0000000000000000 + page dumped because: kasan: bad access detected + + Memory state around the buggy address: + ffff80002c680180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + ffff80002c680200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + >ffff80002c680280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ^ + ffff80002c680300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff80002c680380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + +Correct the number of IRQ banks so there are no more mismatches. + +Fixes: c8a830904991 ("pinctrl: sunxi: add support for the Allwinner H6 main pin controller") +Cc: +Signed-off-by: Chen-Yu Tsai +Tested-by: Neil Armstrong +Acked-by: Maxime Ripard +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pinctrl/sunxi/pinctrl-sun50i-h6.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/pinctrl/sunxi/pinctrl-sun50i-h6.c ++++ b/drivers/pinctrl/sunxi/pinctrl-sun50i-h6.c +@@ -588,7 +588,7 @@ static const unsigned int h6_irq_bank_ma + static const struct sunxi_pinctrl_desc h6_pinctrl_data = { + .pins = h6_pins, + .npins = ARRAY_SIZE(h6_pins), +- .irq_banks = 3, ++ .irq_banks = 4, + .irq_bank_map = h6_irq_bank_map, + .irq_read_needs_mux = true, + }; diff --git a/queue-4.20/powerpc-papr_scm-use-the-correct-bind-address.patch b/queue-4.20/powerpc-papr_scm-use-the-correct-bind-address.patch new file mode 100644 index 00000000000..4534afd0537 --- /dev/null +++ b/queue-4.20/powerpc-papr_scm-use-the-correct-bind-address.patch @@ -0,0 +1,62 @@ +From 5a3840a470c41ec0b85cd36ca80370330656b163 Mon Sep 17 00:00:00 2001 +From: Oliver O'Halloran +Date: Thu, 31 Jan 2019 12:53:47 +1100 +Subject: powerpc/papr_scm: Use the correct bind address + +From: Oliver O'Halloran + +commit 5a3840a470c41ec0b85cd36ca80370330656b163 upstream. + +When binding an SCM volume to a physical address the hypervisor has the +option to return early with a continue token with the expectation that +the guest will resume the bind operation until it completes. A quirk of +this interface is that the bind address will only be returned by the +first bind h-call and the subsequent calls will return +0xFFFF_FFFF_FFFF_FFFF for the bind address. + +We currently do not save the address returned by the first h-call. As a +result we will use the junk address as the base of the bound region if +the hypervisor decides to split the bind across multiple h-calls. This +bug was found when testing with very large SCM volumes where the bind +process would take more time than they hypervisor's internal h-call time +limit would allow. This patch fixes the issue by saving the bind address +from the first call. + +Cc: stable@vger.kernel.org +Fixes: b5beae5e224f ("powerpc/pseries: Add driver for PAPR SCM regions") +Signed-off-by: Oliver O'Halloran +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/platforms/pseries/papr_scm.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/arch/powerpc/platforms/pseries/papr_scm.c ++++ b/arch/powerpc/platforms/pseries/papr_scm.c +@@ -43,6 +43,7 @@ static int drc_pmem_bind(struct papr_scm + { + unsigned long ret[PLPAR_HCALL_BUFSIZE]; + uint64_t rc, token; ++ uint64_t saved = 0; + + /* + * When the hypervisor cannot map all the requested memory in a single +@@ -56,6 +57,8 @@ static int drc_pmem_bind(struct papr_scm + rc = plpar_hcall(H_SCM_BIND_MEM, ret, p->drc_index, 0, + p->blocks, BIND_ANY_ADDR, token); + token = ret[0]; ++ if (!saved) ++ saved = ret[1]; + cond_resched(); + } while (rc == H_BUSY); + +@@ -64,7 +67,7 @@ static int drc_pmem_bind(struct papr_scm + return -ENXIO; + } + +- p->bound_addr = ret[1]; ++ p->bound_addr = saved; + + dev_dbg(&p->pdev->dev, "bound drc %x to %pR\n", p->drc_index, &p->res); + diff --git a/queue-4.20/powerpc-radix-fix-kernel-crash-with-mremap.patch b/queue-4.20/powerpc-radix-fix-kernel-crash-with-mremap.patch new file mode 100644 index 00000000000..cf15efb685a --- /dev/null +++ b/queue-4.20/powerpc-radix-fix-kernel-crash-with-mremap.patch @@ -0,0 +1,96 @@ +From 579b9239c1f38665b21e8d0e6ee83ecc96dbd6bb Mon Sep 17 00:00:00 2001 +From: "Aneesh Kumar K.V" +Date: Wed, 23 Jan 2019 11:51:38 +0530 +Subject: powerpc/radix: Fix kernel crash with mremap() + +From: Aneesh Kumar K.V + +commit 579b9239c1f38665b21e8d0e6ee83ecc96dbd6bb upstream. + +With support for split pmd lock, we use pmd page pmd_huge_pte pointer +to store the deposited page table. In those config when we move page +tables we need to make sure we move the deposited page table to the +correct pmd page. Otherwise this can result in crash when we withdraw +of deposited page table because we can find the pmd_huge_pte NULL. + +eg: + + __split_huge_pmd+0x1070/0x1940 + __split_huge_pmd+0xe34/0x1940 (unreliable) + vma_adjust_trans_huge+0x110/0x1c0 + __vma_adjust+0x2b4/0x9b0 + __split_vma+0x1b8/0x280 + __do_munmap+0x13c/0x550 + sys_mremap+0x220/0x7e0 + system_call+0x5c/0x70 + +Fixes: 675d995297d4 ("powerpc/book3s64: Enable split pmd ptlock.") +Cc: stable@vger.kernel.org # v4.18+ +Signed-off-by: Aneesh Kumar K.V +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/include/asm/book3s/64/pgtable.h | 22 +++++++--------------- + arch/powerpc/mm/pgtable-book3s64.c | 22 ++++++++++++++++++++++ + 2 files changed, 29 insertions(+), 15 deletions(-) + +--- a/arch/powerpc/include/asm/book3s/64/pgtable.h ++++ b/arch/powerpc/include/asm/book3s/64/pgtable.h +@@ -1258,21 +1258,13 @@ extern pmd_t pmdp_invalidate(struct vm_a + + #define pmd_move_must_withdraw pmd_move_must_withdraw + struct spinlock; +-static inline int pmd_move_must_withdraw(struct spinlock *new_pmd_ptl, +- struct spinlock *old_pmd_ptl, +- struct vm_area_struct *vma) +-{ +- if (radix_enabled()) +- return false; +- /* +- * Archs like ppc64 use pgtable to store per pmd +- * specific information. So when we switch the pmd, +- * we should also withdraw and deposit the pgtable +- */ +- return true; +-} +- +- ++extern int pmd_move_must_withdraw(struct spinlock *new_pmd_ptl, ++ struct spinlock *old_pmd_ptl, ++ struct vm_area_struct *vma); ++/* ++ * Hash translation mode use the deposited table to store hash pte ++ * slot information. ++ */ + #define arch_needs_pgtable_deposit arch_needs_pgtable_deposit + static inline bool arch_needs_pgtable_deposit(void) + { +--- a/arch/powerpc/mm/pgtable-book3s64.c ++++ b/arch/powerpc/mm/pgtable-book3s64.c +@@ -482,3 +482,25 @@ void arch_report_meminfo(struct seq_file + atomic_long_read(&direct_pages_count[MMU_PAGE_1G]) << 20); + } + #endif /* CONFIG_PROC_FS */ ++ ++/* ++ * For hash translation mode, we use the deposited table to store hash slot ++ * information and they are stored at PTRS_PER_PMD offset from related pmd ++ * location. Hence a pmd move requires deposit and withdraw. ++ * ++ * For radix translation with split pmd ptl, we store the deposited table in the ++ * pmd page. Hence if we have different pmd page we need to withdraw during pmd ++ * move. ++ * ++ * With hash we use deposited table always irrespective of anon or not. ++ * With radix we use deposited table only for anonymous mapping. ++ */ ++int pmd_move_must_withdraw(struct spinlock *new_pmd_ptl, ++ struct spinlock *old_pmd_ptl, ++ struct vm_area_struct *vma) ++{ ++ if (radix_enabled()) ++ return (new_pmd_ptl != old_pmd_ptl) && vma_is_anonymous(vma); ++ ++ return true; ++} diff --git a/queue-4.20/series b/queue-4.20/series index 87b75004d6e..c2a9173fd4b 100644 --- a/queue-4.20/series +++ b/queue-4.20/series @@ -15,3 +15,29 @@ cfg80211-call-disconnect_wk-when-ap-stops.patch mei-me-add-ice-lake-point-device-id.patch samples-mei-use-dev-mei0-instead-of-dev-mei.patch debugfs-fix-debugfs_rename-parameter-checking.patch +svcrdma-remove-max_sge-check-at-connect-time.patch +pinctrl-sunxi-correct-number-of-irq-banks-on-h6-main-pin-controller.patch +pinctrl-cherryview-fix-strago-dmi-workaround.patch +tracing-uprobes-fix-output-for-multiple-string-arguments.patch +tracing-uprobes-fix-typo-in-pr_fmt-string.patch +mips-cm-reprime-error-cause.patch +mips-use-lower-case-for-addresses-in-nexys4ddr.dts.patch +mips-octeon-don-t-set-octeon_dma_bar_type-if-pci-is-disabled.patch +mips-vdso-use-same-m-float-cflag-as-the-kernel-proper.patch +mips-loongson64-remove-unreachable-fix-loongson_poweroff.patch +mips-vdso-include-ccflags-vdso-in-o32-n32-.lds-builds.patch +arm-iop32x-n2100-fix-pci-irq-mapping.patch +arm-tango-improve-arch_multiplatform-compatibility.patch +arm-dts-da850-fix-interrupt-numbers-for-clocksource.patch +firmware-arm_scmi-provide-the-mandatory-device-release-callback.patch +powerpc-papr_scm-use-the-correct-bind-address.patch +powerpc-radix-fix-kernel-crash-with-mremap.patch +mic-vop-fix-use-after-free-on-remove.patch +mac80211-ensure-that-mgmt-tx-skbs-have-tailroom-for-encryption.patch +drm-modes-prevent-division-by-zero-htotal.patch +drm-rockchip-rgb-update-spdx-license-identifier.patch +drm-amd-powerplay-fix-missing-break-in-switch.patch +drm-i915-always-return-something-on-ddi-clock-selection.patch +drm-vmwgfx-fix-setting-of-dma-masks.patch +drm-vmwgfx-fix-an-uninitialized-fence-handle-value.patch +drm-vmwgfx-return-error-code-from-vmw_execbuf_copy_fence_user.patch diff --git a/queue-4.20/svcrdma-remove-max_sge-check-at-connect-time.patch b/queue-4.20/svcrdma-remove-max_sge-check-at-connect-time.patch new file mode 100644 index 00000000000..68808b82229 --- /dev/null +++ b/queue-4.20/svcrdma-remove-max_sge-check-at-connect-time.patch @@ -0,0 +1,199 @@ +From e248aa7be86e8179f20ac0931774ecd746f3f5bf Mon Sep 17 00:00:00 2001 +From: Chuck Lever +Date: Fri, 25 Jan 2019 16:54:54 -0500 +Subject: svcrdma: Remove max_sge check at connect time + +From: Chuck Lever + +commit e248aa7be86e8179f20ac0931774ecd746f3f5bf upstream. + +Two and a half years ago, the client was changed to use gathered +Send for larger inline messages, in commit 655fec6987b ("xprtrdma: +Use gathered Send for large inline messages"). Several fixes were +required because there are a few in-kernel device drivers whose +max_sge is 3, and these were broken by the change. + +Apparently my memory is going, because some time later, I submitted +commit 25fd86eca11c ("svcrdma: Don't overrun the SGE array in +svc_rdma_send_ctxt"), and after that, commit f3c1fd0ee294 ("svcrdma: +Reduce max_send_sges"). These too incorrectly assumed in-kernel +device drivers would have more than a few Send SGEs available. + +The fix for the server side is not the same. This is because the +fundamental problem on the server is that, whether or not the client +has provisioned a chunk for the RPC reply, the server must squeeze +even the most complex RPC replies into a single RDMA Send. Failing +in the send path because of Send SGE exhaustion should never be an +option. + +Therefore, instead of failing when the send path runs out of SGEs, +switch to using a bounce buffer mechanism to handle RPC replies that +are too complex for the device to send directly. That allows us to +remove the max_sge check to enable drivers with small max_sge to +work again. + +Reported-by: Don Dutile +Fixes: 25fd86eca11c ("svcrdma: Don't overrun the SGE array in ...") +Cc: stable@vger.kernel.org +Signed-off-by: Chuck Lever +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + net/sunrpc/xprtrdma/svc_rdma_sendto.c | 105 +++++++++++++++++++++++++++++-- + net/sunrpc/xprtrdma/svc_rdma_transport.c | 9 -- + 2 files changed, 102 insertions(+), 12 deletions(-) + +--- a/net/sunrpc/xprtrdma/svc_rdma_sendto.c ++++ b/net/sunrpc/xprtrdma/svc_rdma_sendto.c +@@ -563,6 +563,99 @@ void svc_rdma_sync_reply_hdr(struct svcx + DMA_TO_DEVICE); + } + ++/* If the xdr_buf has more elements than the device can ++ * transmit in a single RDMA Send, then the reply will ++ * have to be copied into a bounce buffer. ++ */ ++static bool svc_rdma_pull_up_needed(struct svcxprt_rdma *rdma, ++ struct xdr_buf *xdr, ++ __be32 *wr_lst) ++{ ++ int elements; ++ ++ /* xdr->head */ ++ elements = 1; ++ ++ /* xdr->pages */ ++ if (!wr_lst) { ++ unsigned int remaining; ++ unsigned long pageoff; ++ ++ pageoff = xdr->page_base & ~PAGE_MASK; ++ remaining = xdr->page_len; ++ while (remaining) { ++ ++elements; ++ remaining -= min_t(u32, PAGE_SIZE - pageoff, ++ remaining); ++ pageoff = 0; ++ } ++ } ++ ++ /* xdr->tail */ ++ if (xdr->tail[0].iov_len) ++ ++elements; ++ ++ /* assume 1 SGE is needed for the transport header */ ++ return elements >= rdma->sc_max_send_sges; ++} ++ ++/* The device is not capable of sending the reply directly. ++ * Assemble the elements of @xdr into the transport header ++ * buffer. ++ */ ++static int svc_rdma_pull_up_reply_msg(struct svcxprt_rdma *rdma, ++ struct svc_rdma_send_ctxt *ctxt, ++ struct xdr_buf *xdr, __be32 *wr_lst) ++{ ++ unsigned char *dst, *tailbase; ++ unsigned int taillen; ++ ++ dst = ctxt->sc_xprt_buf; ++ dst += ctxt->sc_sges[0].length; ++ ++ memcpy(dst, xdr->head[0].iov_base, xdr->head[0].iov_len); ++ dst += xdr->head[0].iov_len; ++ ++ tailbase = xdr->tail[0].iov_base; ++ taillen = xdr->tail[0].iov_len; ++ if (wr_lst) { ++ u32 xdrpad; ++ ++ xdrpad = xdr_padsize(xdr->page_len); ++ if (taillen && xdrpad) { ++ tailbase += xdrpad; ++ taillen -= xdrpad; ++ } ++ } else { ++ unsigned int len, remaining; ++ unsigned long pageoff; ++ struct page **ppages; ++ ++ ppages = xdr->pages + (xdr->page_base >> PAGE_SHIFT); ++ pageoff = xdr->page_base & ~PAGE_MASK; ++ remaining = xdr->page_len; ++ while (remaining) { ++ len = min_t(u32, PAGE_SIZE - pageoff, remaining); ++ ++ memcpy(dst, page_address(*ppages), len); ++ remaining -= len; ++ dst += len; ++ pageoff = 0; ++ } ++ } ++ ++ if (taillen) ++ memcpy(dst, tailbase, taillen); ++ ++ ctxt->sc_sges[0].length += xdr->len; ++ ib_dma_sync_single_for_device(rdma->sc_pd->device, ++ ctxt->sc_sges[0].addr, ++ ctxt->sc_sges[0].length, ++ DMA_TO_DEVICE); ++ ++ return 0; ++} ++ + /* svc_rdma_map_reply_msg - Map the buffer holding RPC message + * @rdma: controlling transport + * @ctxt: send_ctxt for the Send WR +@@ -585,8 +678,10 @@ int svc_rdma_map_reply_msg(struct svcxpr + u32 xdr_pad; + int ret; + +- if (++ctxt->sc_cur_sge_no >= rdma->sc_max_send_sges) +- return -EIO; ++ if (svc_rdma_pull_up_needed(rdma, xdr, wr_lst)) ++ return svc_rdma_pull_up_reply_msg(rdma, ctxt, xdr, wr_lst); ++ ++ ++ctxt->sc_cur_sge_no; + ret = svc_rdma_dma_map_buf(rdma, ctxt, + xdr->head[0].iov_base, + xdr->head[0].iov_len); +@@ -617,8 +712,7 @@ int svc_rdma_map_reply_msg(struct svcxpr + while (remaining) { + len = min_t(u32, PAGE_SIZE - page_off, remaining); + +- if (++ctxt->sc_cur_sge_no >= rdma->sc_max_send_sges) +- return -EIO; ++ ++ctxt->sc_cur_sge_no; + ret = svc_rdma_dma_map_page(rdma, ctxt, *ppages++, + page_off, len); + if (ret < 0) +@@ -632,8 +726,7 @@ int svc_rdma_map_reply_msg(struct svcxpr + len = xdr->tail[0].iov_len; + tail: + if (len) { +- if (++ctxt->sc_cur_sge_no >= rdma->sc_max_send_sges) +- return -EIO; ++ ++ctxt->sc_cur_sge_no; + ret = svc_rdma_dma_map_buf(rdma, ctxt, base, len); + if (ret < 0) + return ret; +--- a/net/sunrpc/xprtrdma/svc_rdma_transport.c ++++ b/net/sunrpc/xprtrdma/svc_rdma_transport.c +@@ -478,12 +478,9 @@ static struct svc_xprt *svc_rdma_accept( + /* Transport header, head iovec, tail iovec */ + newxprt->sc_max_send_sges = 3; + /* Add one SGE per page list entry */ +- newxprt->sc_max_send_sges += svcrdma_max_req_size / PAGE_SIZE; +- if (newxprt->sc_max_send_sges > dev->attrs.max_send_sge) { +- pr_err("svcrdma: too few Send SGEs available (%d needed)\n", +- newxprt->sc_max_send_sges); +- goto errout; +- } ++ newxprt->sc_max_send_sges += (svcrdma_max_req_size / PAGE_SIZE) + 1; ++ if (newxprt->sc_max_send_sges > dev->attrs.max_send_sge) ++ newxprt->sc_max_send_sges = dev->attrs.max_send_sge; + newxprt->sc_max_req_size = svcrdma_max_req_size; + newxprt->sc_max_requests = svcrdma_max_requests; + newxprt->sc_max_bc_requests = svcrdma_max_bc_requests; diff --git a/queue-4.20/tracing-uprobes-fix-output-for-multiple-string-arguments.patch b/queue-4.20/tracing-uprobes-fix-output-for-multiple-string-arguments.patch new file mode 100644 index 00000000000..bfa47c05105 --- /dev/null +++ b/queue-4.20/tracing-uprobes-fix-output-for-multiple-string-arguments.patch @@ -0,0 +1,76 @@ +From 0722069a5374b904ec1a67f91249f90e1cfae259 Mon Sep 17 00:00:00 2001 +From: Andreas Ziegler +Date: Wed, 16 Jan 2019 15:16:29 +0100 +Subject: tracing/uprobes: Fix output for multiple string arguments + +From: Andreas Ziegler + +commit 0722069a5374b904ec1a67f91249f90e1cfae259 upstream. + +When printing multiple uprobe arguments as strings the output for the +earlier arguments would also include all later string arguments. + +This is best explained in an example: + +Consider adding a uprobe to a function receiving two strings as +parameters which is at offset 0xa0 in strlib.so and we want to print +both parameters when the uprobe is hit (on x86_64): + +$ echo 'p:func /lib/strlib.so:0xa0 +0(%di):string +0(%si):string' > \ + /sys/kernel/debug/tracing/uprobe_events + +When the function is called as func("foo", "bar") and we hit the probe, +the trace file shows a line like the following: + + [...] func: (0x7f7e683706a0) arg1="foobar" arg2="bar" + +Note the extra "bar" printed as part of arg1. This behaviour stacks up +for additional string arguments. + +The strings are stored in a dynamically growing part of the uprobe +buffer by fetch_store_string() after copying them from userspace via +strncpy_from_user(). The return value of strncpy_from_user() is then +directly used as the required size for the string. However, this does +not take the terminating null byte into account as the documentation +for strncpy_from_user() cleary states that it "[...] returns the +length of the string (not including the trailing NUL)" even though the +null byte will be copied to the destination. + +Therefore, subsequent calls to fetch_store_string() will overwrite +the terminating null byte of the most recently fetched string with +the first character of the current string, leading to the +"accumulation" of strings in earlier arguments in the output. + +Fix this by incrementing the return value of strncpy_from_user() by +one if we did not hit the maximum buffer size. + +Link: http://lkml.kernel.org/r/20190116141629.5752-1-andreas.ziegler@fau.de + +Cc: Ingo Molnar +Cc: stable@vger.kernel.org +Fixes: 5baaa59ef09e ("tracing/probes: Implement 'memory' fetch method for uprobes") +Acked-by: Masami Hiramatsu +Signed-off-by: Andreas Ziegler +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace_uprobe.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/kernel/trace/trace_uprobe.c ++++ b/kernel/trace/trace_uprobe.c +@@ -127,6 +127,13 @@ fetch_store_string(unsigned long addr, v + if (ret >= 0) { + if (ret == maxlen) + dst[ret - 1] = '\0'; ++ else ++ /* ++ * Include the terminating null byte. In this case it ++ * was copied by strncpy_from_user but not accounted ++ * for in ret. ++ */ ++ ret++; + *(u32 *)dest = make_data_loc(ret, (void *)dst - base); + } + diff --git a/queue-4.20/tracing-uprobes-fix-typo-in-pr_fmt-string.patch b/queue-4.20/tracing-uprobes-fix-typo-in-pr_fmt-string.patch new file mode 100644 index 00000000000..98c40265160 --- /dev/null +++ b/queue-4.20/tracing-uprobes-fix-typo-in-pr_fmt-string.patch @@ -0,0 +1,38 @@ +From ea6eb5e7d15e1838de335609994b4546e2abcaaf Mon Sep 17 00:00:00 2001 +From: Andreas Ziegler +Date: Thu, 17 Jan 2019 14:30:23 +0100 +Subject: tracing: uprobes: Fix typo in pr_fmt string + +From: Andreas Ziegler + +commit ea6eb5e7d15e1838de335609994b4546e2abcaaf upstream. + +The subsystem-specific message prefix for uprobes was also +"trace_kprobe: " instead of "trace_uprobe: " as described in +the original commit message. + +Link: http://lkml.kernel.org/r/20190117133023.19292-1-andreas.ziegler@fau.de + +Cc: Ingo Molnar +Cc: stable@vger.kernel.org +Acked-by: Masami Hiramatsu +Fixes: 7257634135c24 ("tracing/probe: Show subsystem name in messages") +Signed-off-by: Andreas Ziegler +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace_uprobe.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/trace/trace_uprobe.c ++++ b/kernel/trace/trace_uprobe.c +@@ -5,7 +5,7 @@ + * Copyright (C) IBM Corporation, 2010-2012 + * Author: Srikar Dronamraju + */ +-#define pr_fmt(fmt) "trace_kprobe: " fmt ++#define pr_fmt(fmt) "trace_uprobe: " fmt + + #include + #include