From 5800ebb76d52ffa47236fa44887eb56a9e8f8aff Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Tue, 31 Dec 2019 21:27:31 -0500 Subject: [PATCH] fixes for 5.4 Signed-off-by: Sasha Levin --- ...igned-len-comparison-with-less-than-.patch | 59 +++ ...re-v2-remove-brahma-b53-from-hardeni.patch | 45 ++ ...try-to-shrink-1-node-in-bch_mca_scan.patch | 52 ++ ...vice-capabilities-during-opening-act.patch | 69 +++ ...use-after-free-bug-in-cifs_reconnect.patch | 234 +++++++++ ...fileinfo_put-logic-into-a-work-queue.patch | 493 ++++++++++++++++++ ...gpio-propagate-rate-change-to-parent.patch | 49 ++ ...lk-fix-memory-leak-in-clk_unregister.patch | 60 +++ ...lk-pxa-fix-one-of-the-pxa-rtc-clocks.patch | 39 ++ ...w-constant-ratio-freq-tables-for-rcg.patch | 64 +++ .../clk-qcom-smd-add-missing-pnoc-clock.patch | 54 ++ ...ers-asm9260-add-a-check-for-of_clk_g.patch | 38 ++ ...ers-timer-of-use-unique-device-name-.patch | 47 ++ ...schedule-point-in-debug_dma_dump_map.patch | 45 ++ ...-for-overflows-on-32-bit-dma-address.patch | 70 +++ ...ng-add-vmap-checks-to-dma_map_single.patch | 43 ++ ...handling-of-dma-ranges-for-reserved-.patch | 116 +++++ ...-qdma-handle-invalid-qdma-queue0-irq.patch | 40 ++ ..._dma-clear-desc_pendingcount-in-xili.patch | 42 ++ ...-fix-crash-handler-reset-of-hyper-v-.patch | 46 ++ ...-amdgpu-call-find_vma-under-mmap_sem.patch | 125 +++++ ...rove-validation-build-error-handling.patch | 86 +++ ...dtc-use-pkg-config-to-locate-libyaml.patch | 53 ++ ...extends-beyond-eof-should-be-marked-.patch | 61 +++ ...ct-i-o-read-lock-pattern-for-iocb_no.patch | 47 ++ ...limit-when-softlimit-is-larger-than-.patch | 92 ++++ ...k-in-f2fs_gc-context-during-atomic-f.patch | 130 +++++ ...ate-dir-s-i_pino-during-cross_rename.patch | 94 ++++ ...-fix-to-update-time-in-lazytime-mode.patch | 104 ++++ ...overflows-of-sysctl-fs.quota.-and-re.patch | 148 ++++++ ...lynxpoint-setup-correct-irq-handlers.patch | 44 ++ ...-t-overwrite-default-irq_set_type-ca.patch | 56 ++ .../gpio-mpc8xxx-fix-qoriq-gpio-reading.patch | 37 ++ ...t-the-second-irq-when-there-is-more-.patch | 63 +++ ...p-va-block-list-update-in-reset-flow.patch | 113 ++++ ...x-no-irq-after-reset-on-raydium-3118.patch | 54 ++ ...windows-precision-touchpad-detection.patch | 68 +++ ...pp-silence-intermittent-get_battery_.patch | 46 ++ ...uirk-for-hp-msu1465-pixart-oem-mouse.patch | 63 +++ ...at-the-rmi_started-bit-is-set-before.patch | 47 ++ ...-reorder-remove-probe-error-handling.patch | 72 +++ ...el_mxt_ts-disable-irq-across-suspend.patch | 54 ++ ...ndle-errors-from-input_mt_init_slots.patch | 40 ++ ...1232-do-not-reset-the-chip-too-early.patch | 78 +++ ...cate_scq_urings-should-return-a-sane.patch | 51 ++ ...-value-of-iomap_dio_bio_actor-on-32b.patch | 61 +++ ...3-don-t-display-an-error-when-irq-li.patch | 64 +++ ...rockchip-free-domain-on-.domain_free.patch | 64 +++ ...smmu-fix-page-tables-in-4-gib-memory.patch | 79 +++ ...error-out-if-irq-domain-creation-fai.patch | 59 +++ ...038-l1-enable-parent-irq-if-necessar.patch | 38 ++ ...tics-for-the-number-of-logged-blocks.patch | 61 +++ ...l-sysctl-make-drop_caches-write-only.patch | 53 ++ ...add-a-check-for-devm_regmap_init_i2c.patch | 41 ++ ...andle-failure-to-probe-the-regulator.patch | 52 ++ ...dev-fix-handling-on-interface-rename.patch | 60 +++ ...t32_max-and-uint32_max-in-libfdt_env.patch | 84 +++ ...btt-fix-variable-rc-set-but-not-used.patch | 50 ++ ...ear-the-right-interrupts-at-shutdown.patch | 51 ++ ...ox-imx-fix-tx-doorbell-shutdown-path.patch | 79 +++ ...our-device-tree-s-request-to-disable.patch | 49 ++ ...-error-handling-when-setting-up-moun.patch | 92 ++++ ...-fix-passing-zero-to-ptr_err-warning.patch | 48 ++ ...memory-leak-in-attach_node_and_child.patch | 47 ++ ...ate-and-correctly-byte-swap-drc-prop.patch | 116 +++++ ...ctly-match-ibm-my-drc-index-to-drc-n.patch | 51 ++ ...-rely-on-firmware-feature-to-imply-d.patch | 48 ++ ...x-up-pointer-to-first-drc-info-entry.patch | 43 ++ ...rf-diff-use-llabs-with-64-bit-values.patch | 49 ++ ...erf_reg_name-return-unknown-instead-.patch | 86 +++ ...-script-fix-brstackinsn-for-auxtrace.patch | 66 +++ ...el_pmc_core-add-comet-lake-cml-platf.patch | 73 +++ ...el_pmc_core-fix-the-soc-naming-incon.patch | 94 ++++ ...q-wmi-switch-to-using-polled-mode-of.patch | 173 ++++++ ...m-update-oops-message-to-print-the-c.patch | 69 +++ ...-hash-add-cond_resched-to-avoid-soft.patch | 77 +++ ...d-mabi-flags-when-building-with-clan.patch | 97 ++++ ...erentiate-duplicate-detection-messag.patch | 58 +++ ...se-__fix_to_virt-instead-of-fix_to_v.patch | 71 +++ ...-fix-an-off-by-one-check-in-papr_scm.patch | 60 +++ ...cmm-implement-release-function-for-s.patch | 52 ++ ...don-t-fail-hash-page-table-insert-fo.patch | 67 +++ ...mark-accumulate_stolen_time-as-notra.patch | 52 ++ ...-book3s64-report-l1tf-status-in-sysf.patch | 45 ++ ...-fix-wrong-message-when-rfi-flush-is.patch | 95 ++++ ...tools-don-t-quote-objdump-in-scripts.patch | 67 +++ ...f-check-for-sdbt-and-sdb-consistency.patch | 107 ++++ ...emption-when-switching-to-nodat-stac.patch | 61 +++ ...wind-filter-out-unreliable-bogus-r14.patch | 47 ++ ...le-new-reply-code-filtered_by_hyperv.patch | 51 ++ ...syms-fix-definitely-lost-memory-leak.patch | 48 ++ ...sun3_scsi-set-sg_tablesize-to-1-inst.patch | 163 ++++++ ...csiostor-don-t-enable-irqs-too-early.patch | 100 ++++ ...lete-the-debugfs-folder-of-hisi_sas-.patch | 54 ++ ...place-in_softirq-check-in-hisi_sas_t.patch | 85 +++ ...on-t-send-data-to-unbound-connection.patch | 96 ++++ ...verity-lpfc_cmpl_els_rsp-null-pointe.patch | 67 +++ ...scovery-failures-when-target-device-.patch | 60 +++ ...plicate-unreg_rpi-error-in-port-offl.patch | 54 ++ ...fix-hardlockup-in-lpfc_abort_handler.patch | 58 +++ ...ist-corruption-in-lpfc_sli_get_iocbq.patch | 117 +++++ ...ocking-on-mailbox-command-completion.patch | 68 +++ ...i3-hba-in-loop-mode-not-discovering-.patch | 45 ++ ...inlock_irq-issues-in-lpfc_els_flush_.patch | 91 ++++ ...expected-error-messages-during-rscn-.patch | 91 ++++ ...ix-clear-pending-bit-in-ioctl-status.patch | 45 ++ ...ect-nvme-encap-cmnds-to-unsupported-.patch | 69 +++ ...add-disconnect_mask-module-parameter.patch | 54 ++ ...pm80xx-fix-for-sata-device-discovery.patch | 41 ++ .../scsi-scsi_debug-num_tgts-must-be-0.patch | 40 ++ ...ompare-full-chap_a-algorithm-strings.patch | 53 ++ ...-release-spc-2-reservations-when-clo.patch | 128 +++++ ...i-wait-for-all-commands-to-finish-be.patch | 144 +++++ ...-handling-of-transfer-length-0-for-r.patch | 55 ++ ...x-error-handing-during-hibern8-enter.patch | 86 +++ ...ential-bug-which-ends-in-system-hang.patch | 82 +++ ...i-ufs-fix-up-auto-hibern8-enablement.patch | 116 +++++ ...imit-dma-transfers-to-65536-bytes-ex.patch | 70 +++ ...-powerpc-fixup-clobbers-for-tm-tests.patch | 101 ++++ ...c-skip-tm-signal-sigreturn-nt-if-tm-.patch | 56 ++ ...-vm-add-fragment-config_test_vmalloc.patch | 40 ++ queue-5.4/series | 128 +++++ ...intel-speed-select-ignore-missing-co.patch | 77 +++ ...intel-speed-select-remove-warning-fo.patch | 56 ++ .../um-virtio-keep-reading-on-eagain.patch | 94 ++++ ...ire-cap_sys_ptrace-for-uffd_feature_.patch | 86 +++ ...-race-between-the-release-of-watchdo.patch | 289 ++++++++++ .../watchdog-imx7ulp-fix-reboot-hang.patch | 73 +++ ...t-deferral-of-watchdogd-wakeup-on-rt.patch | 92 ++++ 129 files changed, 9810 insertions(+) create mode 100644 queue-5.4/apparmor-fix-unsigned-len-comparison-with-less-than-.patch create mode 100644 queue-5.4/arm-8937-1-spectre-v2-remove-brahma-b53-from-hardeni.patch create mode 100644 queue-5.4/bcache-at-least-try-to-shrink-1-node-in-bch_mca_scan.patch create mode 100644 queue-5.4/cdrom-respect-device-capabilities-during-opening-act.patch create mode 100644 queue-5.4/cifs-fix-use-after-free-bug-in-cifs_reconnect.patch create mode 100644 queue-5.4/cifs-move-cifsfileinfo_put-logic-into-a-work-queue.patch create mode 100644 queue-5.4/clk-clk-gpio-propagate-rate-change-to-parent.patch create mode 100644 queue-5.4/clk-fix-memory-leak-in-clk_unregister.patch create mode 100644 queue-5.4/clk-pxa-fix-one-of-the-pxa-rtc-clocks.patch create mode 100644 queue-5.4/clk-qcom-allow-constant-ratio-freq-tables-for-rcg.patch create mode 100644 queue-5.4/clk-qcom-smd-add-missing-pnoc-clock.patch create mode 100644 queue-5.4/clocksource-drivers-asm9260-add-a-check-for-of_clk_g.patch create mode 100644 queue-5.4/clocksource-drivers-timer-of-use-unique-device-name-.patch create mode 100644 queue-5.4/dma-debug-add-a-schedule-point-in-debug_dma_dump_map.patch create mode 100644 queue-5.4/dma-direct-check-for-overflows-on-32-bit-dma-address.patch create mode 100644 queue-5.4/dma-mapping-add-vmap-checks-to-dma_map_single.patch create mode 100644 queue-5.4/dma-mapping-fix-handling-of-dma-ranges-for-reserved-.patch create mode 100644 queue-5.4/dmaengine-fsl-qdma-handle-invalid-qdma-queue0-irq.patch create mode 100644 queue-5.4/dmaengine-xilinx_dma-clear-desc_pendingcount-in-xili.patch create mode 100644 queue-5.4/drivers-hv-vmbus-fix-crash-handler-reset-of-hyper-v-.patch create mode 100644 queue-5.4/drm-amdgpu-call-find_vma-under-mmap_sem.patch create mode 100644 queue-5.4/dt-bindings-improve-validation-build-error-handling.patch create mode 100644 queue-5.4/dtc-use-pkg-config-to-locate-libyaml.patch create mode 100644 queue-5.4/ext4-iomap-that-extends-beyond-eof-should-be-marked-.patch create mode 100644 queue-5.4/ext4-update-direct-i-o-read-lock-pattern-for-iocb_no.patch create mode 100644 queue-5.4/f2fs-choose-hardlimit-when-softlimit-is-larger-than-.patch create mode 100644 queue-5.4/f2fs-fix-deadlock-in-f2fs_gc-context-during-atomic-f.patch create mode 100644 queue-5.4/f2fs-fix-to-update-dir-s-i_pino-during-cross_rename.patch create mode 100644 queue-5.4/f2fs-fix-to-update-time-in-lazytime-mode.patch create mode 100644 queue-5.4/fs-quota-handle-overflows-of-sysctl-fs.quota.-and-re.patch create mode 100644 queue-5.4/gpio-lynxpoint-setup-correct-irq-handlers.patch create mode 100644 queue-5.4/gpio-mpc8xxx-don-t-overwrite-default-irq_set_type-ca.patch create mode 100644 queue-5.4/gpio-mpc8xxx-fix-qoriq-gpio-reading.patch create mode 100644 queue-5.4/gpio-mxc-only-get-the-second-irq-when-there-is-more-.patch create mode 100644 queue-5.4/habanalabs-skip-va-block-list-update-in-reset-flow.patch create mode 100644 queue-5.4/hid-i2c-hid-fix-no-irq-after-reset-on-raydium-3118.patch create mode 100644 queue-5.4/hid-improve-windows-precision-touchpad-detection.patch create mode 100644 queue-5.4/hid-logitech-hidpp-silence-intermittent-get_battery_.patch create mode 100644 queue-5.4/hid-quirks-add-quirk-for-hp-msu1465-pixart-oem-mouse.patch create mode 100644 queue-5.4/hid-rmi-check-that-the-rmi_started-bit-is-set-before.patch create mode 100644 queue-5.4/i2c-stm32f7-fix-reorder-remove-probe-error-handling.patch create mode 100644 queue-5.4/input-atmel_mxt_ts-disable-irq-across-suspend.patch create mode 100644 queue-5.4/input-ili210x-handle-errors-from-input_mt_init_slots.patch create mode 100644 queue-5.4/input-st1232-do-not-reset-the-chip-too-early.patch create mode 100644 queue-5.4/io_uring-io_allocate_scq_urings-should-return-a-sane.patch create mode 100644 queue-5.4/iomap-fix-return-value-of-iomap_dio_bio_actor-on-32b.patch create mode 100644 queue-5.4/iommu-arm-smmu-v3-don-t-display-an-error-when-irq-li.patch create mode 100644 queue-5.4/iommu-rockchip-free-domain-on-.domain_free.patch create mode 100644 queue-5.4/iommu-tegra-smmu-fix-page-tables-in-4-gib-memory.patch create mode 100644 queue-5.4/irqchip-ingenic-error-out-if-irq-domain-creation-fai.patch create mode 100644 queue-5.4/irqchip-irq-bcm7038-l1-enable-parent-irq-if-necessar.patch create mode 100644 queue-5.4/jbd2-fix-statistics-for-the-number-of-logged-blocks.patch create mode 100644 queue-5.4/kernel-sysctl-make-drop_caches-write-only.patch create mode 100644 queue-5.4/leds-an30259a-add-a-check-for-devm_regmap_init_i2c.patch create mode 100644 queue-5.4/leds-lm3692x-handle-failure-to-probe-the-regulator.patch create mode 100644 queue-5.4/leds-trigger-netdev-fix-handling-on-interface-rename.patch create mode 100644 queue-5.4/libfdt-define-int32_max-and-uint32_max-in-libfdt_env.patch create mode 100644 queue-5.4/libnvdimm-btt-fix-variable-rc-set-but-not-used.patch create mode 100644 queue-5.4/mailbox-imx-clear-the-right-interrupts-at-shutdown.patch create mode 100644 queue-5.4/mailbox-imx-fix-tx-doorbell-shutdown-path.patch create mode 100644 queue-5.4/mfd-mfd-core-honour-device-tree-s-request-to-disable.patch create mode 100644 queue-5.4/mm-hugetlbfs-fix-error-handling-when-setting-up-moun.patch create mode 100644 queue-5.4/ocfs2-fix-passing-zero-to-ptr_err-warning.patch create mode 100644 queue-5.4/of-unittest-fix-memory-leak-in-attach_node_and_child.patch create mode 100644 queue-5.4/pci-rpaphp-annotate-and-correctly-byte-swap-drc-prop.patch create mode 100644 queue-5.4/pci-rpaphp-correctly-match-ibm-my-drc-index-to-drc-n.patch create mode 100644 queue-5.4/pci-rpaphp-don-t-rely-on-firmware-feature-to-imply-d.patch create mode 100644 queue-5.4/pci-rpaphp-fix-up-pointer-to-first-drc-info-entry.patch create mode 100644 queue-5.4/perf-diff-use-llabs-with-64-bit-values.patch create mode 100644 queue-5.4/perf-regs-make-perf_reg_name-return-unknown-instead-.patch create mode 100644 queue-5.4/perf-script-fix-brstackinsn-for-auxtrace.patch create mode 100644 queue-5.4/platform-x86-intel_pmc_core-add-comet-lake-cml-platf.patch create mode 100644 queue-5.4/platform-x86-intel_pmc_core-fix-the-soc-naming-incon.patch create mode 100644 queue-5.4/platform-x86-peaq-wmi-switch-to-using-polled-mode-of.patch create mode 100644 queue-5.4/powerpc-book3s-mm-update-oops-message-to-print-the-c.patch create mode 100644 queue-5.4/powerpc-book3s64-hash-add-cond_resched-to-avoid-soft.patch create mode 100644 queue-5.4/powerpc-don-t-add-mabi-flags-when-building-with-clan.patch create mode 100644 queue-5.4/powerpc-eeh-differentiate-duplicate-detection-messag.patch create mode 100644 queue-5.4/powerpc-fixmap-use-__fix_to_virt-instead-of-fix_to_v.patch create mode 100644 queue-5.4/powerpc-papr_scm-fix-an-off-by-one-check-in-papr_scm.patch create mode 100644 queue-5.4/powerpc-pseries-cmm-implement-release-function-for-s.patch create mode 100644 queue-5.4/powerpc-pseries-don-t-fail-hash-page-table-insert-fo.patch create mode 100644 queue-5.4/powerpc-pseries-mark-accumulate_stolen_time-as-notra.patch create mode 100644 queue-5.4/powerpc-security-book3s64-report-l1tf-status-in-sysf.patch create mode 100644 queue-5.4/powerpc-security-fix-wrong-message-when-rfi-flush-is.patch create mode 100644 queue-5.4/powerpc-tools-don-t-quote-objdump-in-scripts.patch create mode 100644 queue-5.4/s390-cpum_sf-check-for-sdbt-and-sdb-consistency.patch create mode 100644 queue-5.4/s390-disable-preemption-when-switching-to-nodat-stac.patch create mode 100644 queue-5.4/s390-unwind-filter-out-unreliable-bogus-r14.patch create mode 100644 queue-5.4/s390-zcrypt-handle-new-reply-code-filtered_by_hyperv.patch create mode 100644 queue-5.4/scripts-kallsyms-fix-definitely-lost-memory-leak.patch create mode 100644 queue-5.4/scsi-atari_scsi-sun3_scsi-set-sg_tablesize-to-1-inst.patch create mode 100644 queue-5.4/scsi-csiostor-don-t-enable-irqs-too-early.patch create mode 100644 queue-5.4/scsi-hisi_sas-delete-the-debugfs-folder-of-hisi_sas-.patch create mode 100644 queue-5.4/scsi-hisi_sas-replace-in_softirq-check-in-hisi_sas_t.patch create mode 100644 queue-5.4/scsi-iscsi-don-t-send-data-to-unbound-connection.patch create mode 100644 queue-5.4/scsi-lpfc-fix-coverity-lpfc_cmpl_els_rsp-null-pointe.patch create mode 100644 queue-5.4/scsi-lpfc-fix-discovery-failures-when-target-device-.patch create mode 100644 queue-5.4/scsi-lpfc-fix-duplicate-unreg_rpi-error-in-port-offl.patch create mode 100644 queue-5.4/scsi-lpfc-fix-hardlockup-in-lpfc_abort_handler.patch create mode 100644 queue-5.4/scsi-lpfc-fix-list-corruption-in-lpfc_sli_get_iocbq.patch create mode 100644 queue-5.4/scsi-lpfc-fix-locking-on-mailbox-command-completion.patch create mode 100644 queue-5.4/scsi-lpfc-fix-sli3-hba-in-loop-mode-not-discovering-.patch create mode 100644 queue-5.4/scsi-lpfc-fix-spinlock_irq-issues-in-lpfc_els_flush_.patch create mode 100644 queue-5.4/scsi-lpfc-fix-unexpected-error-messages-during-rscn-.patch create mode 100644 queue-5.4/scsi-mpt3sas-fix-clear-pending-bit-in-ioctl-status.patch create mode 100644 queue-5.4/scsi-mpt3sas-reject-nvme-encap-cmnds-to-unsupported-.patch create mode 100644 queue-5.4/scsi-ncr5380-add-disconnect_mask-module-parameter.patch create mode 100644 queue-5.4/scsi-pm80xx-fix-for-sata-device-discovery.patch create mode 100644 queue-5.4/scsi-scsi_debug-num_tgts-must-be-0.patch create mode 100644 queue-5.4/scsi-target-compare-full-chap_a-algorithm-strings.patch create mode 100644 queue-5.4/scsi-target-core-release-spc-2-reservations-when-clo.patch create mode 100644 queue-5.4/scsi-target-iscsi-wait-for-all-commands-to-finish-be.patch create mode 100644 queue-5.4/scsi-tracing-fix-handling-of-transfer-length-0-for-r.patch create mode 100644 queue-5.4/scsi-ufs-fix-error-handing-during-hibern8-enter.patch create mode 100644 queue-5.4/scsi-ufs-fix-potential-bug-which-ends-in-system-hang.patch create mode 100644 queue-5.4/scsi-ufs-fix-up-auto-hibern8-enablement.patch create mode 100644 queue-5.4/scsi-zorro_esp-limit-dma-transfers-to-65536-bytes-ex.patch create mode 100644 queue-5.4/selftests-powerpc-fixup-clobbers-for-tm-tests.patch create mode 100644 queue-5.4/selftests-powerpc-skip-tm-signal-sigreturn-nt-if-tm-.patch create mode 100644 queue-5.4/selftests-vm-add-fragment-config_test_vmalloc.patch create mode 100644 queue-5.4/tools-power-x86-intel-speed-select-ignore-missing-co.patch create mode 100644 queue-5.4/tools-power-x86-intel-speed-select-remove-warning-fo.patch create mode 100644 queue-5.4/um-virtio-keep-reading-on-eagain.patch create mode 100644 queue-5.4/userfaultfd-require-cap_sys_ptrace-for-uffd_feature_.patch create mode 100644 queue-5.4/watchdog-fix-the-race-between-the-release-of-watchdo.patch create mode 100644 queue-5.4/watchdog-imx7ulp-fix-reboot-hang.patch create mode 100644 queue-5.4/watchdog-prevent-deferral-of-watchdogd-wakeup-on-rt.patch diff --git a/queue-5.4/apparmor-fix-unsigned-len-comparison-with-less-than-.patch b/queue-5.4/apparmor-fix-unsigned-len-comparison-with-less-than-.patch new file mode 100644 index 00000000000..81d199dd6ba --- /dev/null +++ b/queue-5.4/apparmor-fix-unsigned-len-comparison-with-less-than-.patch @@ -0,0 +1,59 @@ +From 94438dc50cd3f1c98304936e513589b5674fad19 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Jun 2019 14:09:04 +0100 +Subject: apparmor: fix unsigned len comparison with less than zero + +From: Colin Ian King + +[ Upstream commit 00e0590dbaec6f1bcaa36a85467d7e3497ced522 ] + +The sanity check in macro update_for_len checks to see if len +is less than zero, however, len is a size_t so it can never be +less than zero, so this sanity check is a no-op. Fix this by +making len a ssize_t so the comparison will work and add ulen +that is a size_t copy of len so that the min() macro won't +throw warnings about comparing different types. + +Addresses-Coverity: ("Macro compares unsigned to 0") +Fixes: f1bd904175e8 ("apparmor: add the base fns() for domain labels") +Signed-off-by: Colin Ian King +Signed-off-by: John Johansen +Signed-off-by: Sasha Levin +--- + security/apparmor/label.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/security/apparmor/label.c b/security/apparmor/label.c +index 59f1cc2557a7..470693239e64 100644 +--- a/security/apparmor/label.c ++++ b/security/apparmor/label.c +@@ -1458,11 +1458,13 @@ static inline bool use_label_hname(struct aa_ns *ns, struct aa_label *label, + /* helper macro for snprint routines */ + #define update_for_len(total, len, size, str) \ + do { \ ++ size_t ulen = len; \ ++ \ + AA_BUG(len < 0); \ +- total += len; \ +- len = min(len, size); \ +- size -= len; \ +- str += len; \ ++ total += ulen; \ ++ ulen = min(ulen, size); \ ++ size -= ulen; \ ++ str += ulen; \ + } while (0) + + /** +@@ -1597,7 +1599,7 @@ int aa_label_snxprint(char *str, size_t size, struct aa_ns *ns, + struct aa_ns *prev_ns = NULL; + struct label_it i; + int count = 0, total = 0; +- size_t len; ++ ssize_t len; + + AA_BUG(!str && size != 0); + AA_BUG(!label); +-- +2.20.1 + diff --git a/queue-5.4/arm-8937-1-spectre-v2-remove-brahma-b53-from-hardeni.patch b/queue-5.4/arm-8937-1-spectre-v2-remove-brahma-b53-from-hardeni.patch new file mode 100644 index 00000000000..1324da64c61 --- /dev/null +++ b/queue-5.4/arm-8937-1-spectre-v2-remove-brahma-b53-from-hardeni.patch @@ -0,0 +1,45 @@ +From d369bcb86121d6092ba3f383d83d078933132ff0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Nov 2019 04:32:04 +0100 +Subject: ARM: 8937/1: spectre-v2: remove Brahma-B53 from hardening + +From: Doug Berger + +[ Upstream commit 4ae5061a19b550dfe25397843427ed2ebab16b16 ] + +When the default processor handling was added to the function +cpu_v7_spectre_init() it only excluded other ARM implemented processor +cores. The Broadcom Brahma B53 core is not implemented by ARM so it +ended up falling through into the set of processors that attempt to use +the ARM_SMCCC_ARCH_WORKAROUND_1 service to harden the branch predictor. + +Since this workaround is not necessary for the Brahma-B53 this commit +explicitly checks for it and prevents it from applying a branch +predictor hardening workaround. + +Fixes: 10115105cb3a ("ARM: spectre-v2: add firmware based hardening") +Signed-off-by: Doug Berger +Signed-off-by: Florian Fainelli +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/mm/proc-v7-bugs.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/arm/mm/proc-v7-bugs.c b/arch/arm/mm/proc-v7-bugs.c +index 9a07916af8dd..a6554fdb56c5 100644 +--- a/arch/arm/mm/proc-v7-bugs.c ++++ b/arch/arm/mm/proc-v7-bugs.c +@@ -65,6 +65,9 @@ static void cpu_v7_spectre_init(void) + break; + + #ifdef CONFIG_ARM_PSCI ++ case ARM_CPU_PART_BRAHMA_B53: ++ /* Requires no workaround */ ++ break; + default: + /* Other ARM CPUs require no workaround */ + if (read_cpuid_implementor() == ARM_CPU_IMP_ARM) +-- +2.20.1 + diff --git a/queue-5.4/bcache-at-least-try-to-shrink-1-node-in-bch_mca_scan.patch b/queue-5.4/bcache-at-least-try-to-shrink-1-node-in-bch_mca_scan.patch new file mode 100644 index 00000000000..c603b453752 --- /dev/null +++ b/queue-5.4/bcache-at-least-try-to-shrink-1-node-in-bch_mca_scan.patch @@ -0,0 +1,52 @@ +From ae832d2c484fe2dfec45fcb96da574b5a94bed0a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Nov 2019 16:03:24 +0800 +Subject: bcache: at least try to shrink 1 node in bch_mca_scan() + +From: Coly Li + +[ Upstream commit 9fcc34b1a6dd4b8e5337e2b6ef45e428897eca6b ] + +In bch_mca_scan(), the number of shrinking btree node is calculated +by code like this, + unsigned long nr = sc->nr_to_scan; + + nr /= c->btree_pages; + nr = min_t(unsigned long, nr, mca_can_free(c)); +variable sc->nr_to_scan is number of objects (here is bcache B+tree +nodes' number) to shrink, and pointer variable sc is sent from memory +management code as parametr of a callback. + +If sc->nr_to_scan is smaller than c->btree_pages, after the above +calculation, variable 'nr' will be 0 and nothing will be shrunk. It is +frequeently observed that only 1 or 2 is set to sc->nr_to_scan and make +nr to be zero. Then bch_mca_scan() will do nothing more then acquiring +and releasing mutex c->bucket_lock. + +This patch checkes whether nr is 0 after the above calculation, if 0 +is the result then set 1 to variable 'n'. Then at least bch_mca_scan() +will try to shrink a single B+tree node. + +Signed-off-by: Coly Li +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/md/bcache/btree.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/md/bcache/btree.c b/drivers/md/bcache/btree.c +index ba434d9ac720..46a8b5a91c38 100644 +--- a/drivers/md/bcache/btree.c ++++ b/drivers/md/bcache/btree.c +@@ -723,6 +723,8 @@ static unsigned long bch_mca_scan(struct shrinker *shrink, + * IO can always make forward progress: + */ + nr /= c->btree_pages; ++ if (nr == 0) ++ nr = 1; + nr = min_t(unsigned long, nr, mca_can_free(c)); + + i = 0; +-- +2.20.1 + diff --git a/queue-5.4/cdrom-respect-device-capabilities-during-opening-act.patch b/queue-5.4/cdrom-respect-device-capabilities-during-opening-act.patch new file mode 100644 index 00000000000..7dff51f5329 --- /dev/null +++ b/queue-5.4/cdrom-respect-device-capabilities-during-opening-act.patch @@ -0,0 +1,69 @@ +From 9de372f164223b0ce50806ffe5a89f5cae172498 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Nov 2019 21:37:08 +0000 +Subject: cdrom: respect device capabilities during opening action +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Diego Elio Pettenò + +[ Upstream commit 366ba7c71ef77c08d06b18ad61b26e2df7352338 ] + +Reading the TOC only works if the device can play audio, otherwise +these commands fail (and possibly bring the device to an unhealthy +state.) + +Similarly, cdrom_mmc3_profile() should only be called if the device +supports generic packet commands. + +To: Jens Axboe +Cc: linux-kernel@vger.kernel.org +Cc: linux-scsi@vger.kernel.org +Signed-off-by: Diego Elio Pettenò +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/cdrom/cdrom.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c +index ac42ae4651ce..eebdcbef0578 100644 +--- a/drivers/cdrom/cdrom.c ++++ b/drivers/cdrom/cdrom.c +@@ -996,6 +996,12 @@ static void cdrom_count_tracks(struct cdrom_device_info *cdi, tracktype *tracks) + tracks->xa = 0; + tracks->error = 0; + cd_dbg(CD_COUNT_TRACKS, "entering cdrom_count_tracks\n"); ++ ++ if (!CDROM_CAN(CDC_PLAY_AUDIO)) { ++ tracks->error = CDS_NO_INFO; ++ return; ++ } ++ + /* Grab the TOC header so we can see how many tracks there are */ + ret = cdi->ops->audio_ioctl(cdi, CDROMREADTOCHDR, &header); + if (ret) { +@@ -1162,7 +1168,8 @@ int cdrom_open(struct cdrom_device_info *cdi, struct block_device *bdev, + ret = open_for_data(cdi); + if (ret) + goto err; +- cdrom_mmc3_profile(cdi); ++ if (CDROM_CAN(CDC_GENERIC_PACKET)) ++ cdrom_mmc3_profile(cdi); + if (mode & FMODE_WRITE) { + ret = -EROFS; + if (cdrom_open_write(cdi)) +@@ -2882,6 +2889,9 @@ int cdrom_get_last_written(struct cdrom_device_info *cdi, long *last_written) + it doesn't give enough information or fails. then we return + the toc contents. */ + use_toc: ++ if (!CDROM_CAN(CDC_PLAY_AUDIO)) ++ return -ENOSYS; ++ + toc.cdte_format = CDROM_MSF; + toc.cdte_track = CDROM_LEADOUT; + if ((ret = cdi->ops->audio_ioctl(cdi, CDROMREADTOCENTRY, &toc))) +-- +2.20.1 + diff --git a/queue-5.4/cifs-fix-use-after-free-bug-in-cifs_reconnect.patch b/queue-5.4/cifs-fix-use-after-free-bug-in-cifs_reconnect.patch new file mode 100644 index 00000000000..a6e809bde70 --- /dev/null +++ b/queue-5.4/cifs-fix-use-after-free-bug-in-cifs_reconnect.patch @@ -0,0 +1,234 @@ +From 5d9ff673275d9970bb3ad01288d37104cc5db749 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Nov 2019 12:30:51 -0300 +Subject: cifs: Fix use-after-free bug in cifs_reconnect() + +From: Paulo Alcantara (SUSE) + +[ Upstream commit 8354d88efdab72b4da32fc4f032448fcef22dab4 ] + +Ensure we grab an active reference in cifs superblock while doing +failover to prevent automounts (DFS links) of expiring and then +destroying the superblock pointer. + +This patch fixes the following KASAN report: + +[ 464.301462] BUG: KASAN: use-after-free in +cifs_reconnect+0x6ab/0x1350 +[ 464.303052] Read of size 8 at addr ffff888155e580d0 by task +cifsd/1107 + +[ 464.304682] CPU: 3 PID: 1107 Comm: cifsd Not tainted 5.4.0-rc4+ #13 +[ 464.305552] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), +BIOS rel-1.12.1-0-ga5cab58-rebuilt.opensuse.org 04/01/2014 +[ 464.307146] Call Trace: +[ 464.307875] dump_stack+0x5b/0x90 +[ 464.308631] print_address_description.constprop.0+0x16/0x200 +[ 464.309478] ? cifs_reconnect+0x6ab/0x1350 +[ 464.310253] ? cifs_reconnect+0x6ab/0x1350 +[ 464.311040] __kasan_report.cold+0x1a/0x41 +[ 464.311811] ? cifs_reconnect+0x6ab/0x1350 +[ 464.312563] kasan_report+0xe/0x20 +[ 464.313300] cifs_reconnect+0x6ab/0x1350 +[ 464.314062] ? extract_hostname.part.0+0x90/0x90 +[ 464.314829] ? printk+0xad/0xde +[ 464.315525] ? _raw_spin_lock+0x7c/0xd0 +[ 464.316252] ? _raw_read_lock_irq+0x40/0x40 +[ 464.316961] ? ___ratelimit+0xed/0x182 +[ 464.317655] cifs_readv_from_socket+0x289/0x3b0 +[ 464.318386] cifs_read_from_socket+0x98/0xd0 +[ 464.319078] ? cifs_readv_from_socket+0x3b0/0x3b0 +[ 464.319782] ? try_to_wake_up+0x43c/0xa90 +[ 464.320463] ? cifs_small_buf_get+0x4b/0x60 +[ 464.321173] ? allocate_buffers+0x98/0x1a0 +[ 464.321856] cifs_demultiplex_thread+0x218/0x14a0 +[ 464.322558] ? cifs_handle_standard+0x270/0x270 +[ 464.323237] ? __switch_to_asm+0x40/0x70 +[ 464.323893] ? __switch_to_asm+0x34/0x70 +[ 464.324554] ? __switch_to_asm+0x40/0x70 +[ 464.325226] ? __switch_to_asm+0x40/0x70 +[ 464.325863] ? __switch_to_asm+0x34/0x70 +[ 464.326505] ? __switch_to_asm+0x40/0x70 +[ 464.327161] ? __switch_to_asm+0x34/0x70 +[ 464.327784] ? finish_task_switch+0xa1/0x330 +[ 464.328414] ? __switch_to+0x363/0x640 +[ 464.329044] ? __schedule+0x575/0xaf0 +[ 464.329655] ? _raw_spin_lock_irqsave+0x82/0xe0 +[ 464.330301] kthread+0x1a3/0x1f0 +[ 464.330884] ? cifs_handle_standard+0x270/0x270 +[ 464.331624] ? kthread_create_on_node+0xd0/0xd0 +[ 464.332347] ret_from_fork+0x35/0x40 + +[ 464.333577] Allocated by task 1110: +[ 464.334381] save_stack+0x1b/0x80 +[ 464.335123] __kasan_kmalloc.constprop.0+0xc2/0xd0 +[ 464.335848] cifs_smb3_do_mount+0xd4/0xb00 +[ 464.336619] legacy_get_tree+0x6b/0xa0 +[ 464.337235] vfs_get_tree+0x41/0x110 +[ 464.337975] fc_mount+0xa/0x40 +[ 464.338557] vfs_kern_mount.part.0+0x6c/0x80 +[ 464.339227] cifs_dfs_d_automount+0x336/0xd29 +[ 464.339846] follow_managed+0x1b1/0x450 +[ 464.340449] lookup_fast+0x231/0x4a0 +[ 464.341039] path_openat+0x240/0x1fd0 +[ 464.341634] do_filp_open+0x126/0x1c0 +[ 464.342277] do_sys_open+0x1eb/0x2c0 +[ 464.342957] do_syscall_64+0x5e/0x190 +[ 464.343555] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +[ 464.344772] Freed by task 0: +[ 464.345347] save_stack+0x1b/0x80 +[ 464.345966] __kasan_slab_free+0x12c/0x170 +[ 464.346576] kfree+0xa6/0x270 +[ 464.347211] rcu_core+0x39c/0xc80 +[ 464.347800] __do_softirq+0x10d/0x3da + +[ 464.348919] The buggy address belongs to the object at +ffff888155e58000 + which belongs to the cache kmalloc-256 of size 256 +[ 464.350222] The buggy address is located 208 bytes inside of + 256-byte region [ffff888155e58000, ffff888155e58100) +[ 464.351575] The buggy address belongs to the page: +[ 464.352333] page:ffffea0005579600 refcount:1 mapcount:0 +mapping:ffff88815a803400 index:0x0 compound_mapcount: 0 +[ 464.353583] flags: 0x200000000010200(slab|head) +[ 464.354209] raw: 0200000000010200 ffffea0005576200 0000000400000004 +ffff88815a803400 +[ 464.355353] raw: 0000000000000000 0000000080100010 00000001ffffffff +0000000000000000 +[ 464.356458] page dumped because: kasan: bad access detected + +[ 464.367005] Memory state around the buggy address: +[ 464.367787] ffff888155e57f80: fc fc fc fc fc fc fc fc fc fc fc fc +fc fc fc fc +[ 464.368877] ffff888155e58000: fb fb fb fb fb fb fb fb fb fb fb fb +fb fb fb fb +[ 464.369967] >ffff888155e58080: fb fb fb fb fb fb fb fb fb fb fb fb +fb fb fb fb +[ 464.371111] ^ +[ 464.371775] ffff888155e58100: fc fc fc fc fc fc fc fc fc fc fc fc +fc fc fc fc +[ 464.372893] ffff888155e58180: fc fc fc fc fc fc fc fc fc fc fc fc +fc fc fc fc +[ 464.373983] ================================================================== + +Signed-off-by: Paulo Alcantara (SUSE) +Reviewed-by: Aurelien Aptel +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/connect.c | 46 +++++++++++++++++++++++++++++++++++----------- + 1 file changed, 35 insertions(+), 11 deletions(-) + +diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c +index 20c70cbab1ad..02451d085ddd 100644 +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -387,7 +387,7 @@ static inline int reconn_set_ipaddr(struct TCP_Server_Info *server) + #ifdef CONFIG_CIFS_DFS_UPCALL + struct super_cb_data { + struct TCP_Server_Info *server; +- struct cifs_sb_info *cifs_sb; ++ struct super_block *sb; + }; + + /* These functions must be called with server->srv_mutex held */ +@@ -398,25 +398,39 @@ static void super_cb(struct super_block *sb, void *arg) + struct cifs_sb_info *cifs_sb; + struct cifs_tcon *tcon; + +- if (d->cifs_sb) ++ if (d->sb) + return; + + cifs_sb = CIFS_SB(sb); + tcon = cifs_sb_master_tcon(cifs_sb); + if (tcon->ses->server == d->server) +- d->cifs_sb = cifs_sb; ++ d->sb = sb; + } + +-static inline struct cifs_sb_info * +-find_super_by_tcp(struct TCP_Server_Info *server) ++static struct super_block *get_tcp_super(struct TCP_Server_Info *server) + { + struct super_cb_data d = { + .server = server, +- .cifs_sb = NULL, ++ .sb = NULL, + }; + + iterate_supers_type(&cifs_fs_type, super_cb, &d); +- return d.cifs_sb ? d.cifs_sb : ERR_PTR(-ENOENT); ++ ++ if (unlikely(!d.sb)) ++ return ERR_PTR(-ENOENT); ++ /* ++ * Grab an active reference in order to prevent automounts (DFS links) ++ * of expiring and then freeing up our cifs superblock pointer while ++ * we're doing failover. ++ */ ++ cifs_sb_active(d.sb); ++ return d.sb; ++} ++ ++static inline void put_tcp_super(struct super_block *sb) ++{ ++ if (!IS_ERR_OR_NULL(sb)) ++ cifs_sb_deactive(sb); + } + + static void reconn_inval_dfs_target(struct TCP_Server_Info *server, +@@ -480,6 +494,7 @@ cifs_reconnect(struct TCP_Server_Info *server) + struct mid_q_entry *mid_entry; + struct list_head retry_list; + #ifdef CONFIG_CIFS_DFS_UPCALL ++ struct super_block *sb = NULL; + struct cifs_sb_info *cifs_sb = NULL; + struct dfs_cache_tgt_list tgt_list = {0}; + struct dfs_cache_tgt_iterator *tgt_it = NULL; +@@ -489,13 +504,15 @@ cifs_reconnect(struct TCP_Server_Info *server) + server->nr_targets = 1; + #ifdef CONFIG_CIFS_DFS_UPCALL + spin_unlock(&GlobalMid_Lock); +- cifs_sb = find_super_by_tcp(server); +- if (IS_ERR(cifs_sb)) { +- rc = PTR_ERR(cifs_sb); ++ sb = get_tcp_super(server); ++ if (IS_ERR(sb)) { ++ rc = PTR_ERR(sb); + cifs_dbg(FYI, "%s: will not do DFS failover: rc = %d\n", + __func__, rc); +- cifs_sb = NULL; ++ sb = NULL; + } else { ++ cifs_sb = CIFS_SB(sb); ++ + rc = reconn_setup_dfs_targets(cifs_sb, &tgt_list, &tgt_it); + if (rc && (rc != -EOPNOTSUPP)) { + cifs_server_dbg(VFS, "%s: no target servers for DFS failover\n", +@@ -512,6 +529,10 @@ cifs_reconnect(struct TCP_Server_Info *server) + /* the demux thread will exit normally + next time through the loop */ + spin_unlock(&GlobalMid_Lock); ++#ifdef CONFIG_CIFS_DFS_UPCALL ++ dfs_cache_free_tgts(&tgt_list); ++ put_tcp_super(sb); ++#endif + return rc; + } else + server->tcpStatus = CifsNeedReconnect; +@@ -638,7 +659,10 @@ cifs_reconnect(struct TCP_Server_Info *server) + __func__, rc); + } + dfs_cache_free_tgts(&tgt_list); ++ + } ++ ++ put_tcp_super(sb); + #endif + if (server->tcpStatus == CifsNeedNegotiate) + mod_delayed_work(cifsiod_wq, &server->echo, 0); +-- +2.20.1 + diff --git a/queue-5.4/cifs-move-cifsfileinfo_put-logic-into-a-work-queue.patch b/queue-5.4/cifs-move-cifsfileinfo_put-logic-into-a-work-queue.patch new file mode 100644 index 00000000000..3f7d8488005 --- /dev/null +++ b/queue-5.4/cifs-move-cifsfileinfo_put-logic-into-a-work-queue.patch @@ -0,0 +1,493 @@ +From f81b269db65fa213ba9ec67a49f273d9dc5d43a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 3 Nov 2019 13:06:37 +1000 +Subject: cifs: move cifsFileInfo_put logic into a work-queue + +From: Ronnie Sahlberg + +[ Upstream commit 32546a9586aa4565035bb557e191648e022b29e8 ] + +This patch moves the final part of the cifsFileInfo_put() logic where we +need a write lock on lock_sem to be processed in a separate thread that +holds no other locks. +This is to prevent deadlocks like the one below: + +> there are 6 processes looping to while trying to down_write +> cinode->lock_sem, 5 of them from _cifsFileInfo_put, and one from +> cifs_new_fileinfo +> +> and there are 5 other processes which are blocked, several of them +> waiting on either PG_writeback or PG_locked (which are both set), all +> for the same page of the file +> +> 2 inode_lock() (inode->i_rwsem) for the file +> 1 wait_on_page_writeback() for the page +> 1 down_read(inode->i_rwsem) for the inode of the directory +> 1 inode_lock()(inode->i_rwsem) for the inode of the directory +> 1 __lock_page +> +> +> so processes are blocked waiting on: +> page flags PG_locked and PG_writeback for one specific page +> inode->i_rwsem for the directory +> inode->i_rwsem for the file +> cifsInodeInflock_sem +> +> +> +> here are the more gory details (let me know if I need to provide +> anything more/better): +> +> [0 00:48:22.765] [UN] PID: 8863 TASK: ffff8c691547c5c0 CPU: 3 +> COMMAND: "reopen_file" +> #0 [ffff9965007e3ba8] __schedule at ffffffff9b6e6095 +> #1 [ffff9965007e3c38] schedule at ffffffff9b6e64df +> #2 [ffff9965007e3c48] rwsem_down_write_slowpath at ffffffff9af283d7 +> #3 [ffff9965007e3cb8] legitimize_path at ffffffff9b0f975d +> #4 [ffff9965007e3d08] path_openat at ffffffff9b0fe55d +> #5 [ffff9965007e3dd8] do_filp_open at ffffffff9b100a33 +> #6 [ffff9965007e3ee0] do_sys_open at ffffffff9b0eb2d6 +> #7 [ffff9965007e3f38] do_syscall_64 at ffffffff9ae04315 +> * (I think legitimize_path is bogus) +> +> in path_openat +> } else { +> const char *s = path_init(nd, flags); +> while (!(error = link_path_walk(s, nd)) && +> (error = do_last(nd, file, op)) > 0) { <<<< +> +> do_last: +> if (open_flag & O_CREAT) +> inode_lock(dir->d_inode); <<<< +> else +> so it's trying to take inode->i_rwsem for the directory +> +> DENTRY INODE SUPERBLK TYPE PATH +> ffff8c68bb8e79c0 ffff8c691158ef20 ffff8c6915bf9000 DIR /mnt/vm1_smb/ +> inode.i_rwsem is ffff8c691158efc0 +> +> : +> owner: (UN - 8856 - +> reopen_file), counter: 0x0000000000000003 +> waitlist: 2 +> 0xffff9965007e3c90 8863 reopen_file UN 0 1:29:22.926 +> RWSEM_WAITING_FOR_WRITE +> 0xffff996500393e00 9802 ls UN 0 1:17:26.700 +> RWSEM_WAITING_FOR_READ +> +> +> the owner of the inode.i_rwsem of the directory is: +> +> [0 00:00:00.109] [UN] PID: 8856 TASK: ffff8c6914275d00 CPU: 3 +> COMMAND: "reopen_file" +> #0 [ffff99650065b828] __schedule at ffffffff9b6e6095 +> #1 [ffff99650065b8b8] schedule at ffffffff9b6e64df +> #2 [ffff99650065b8c8] schedule_timeout at ffffffff9b6e9f89 +> #3 [ffff99650065b940] msleep at ffffffff9af573a9 +> #4 [ffff99650065b948] _cifsFileInfo_put.cold.63 at ffffffffc0a42dd6 [cifs] +> #5 [ffff99650065ba38] cifs_writepage_locked at ffffffffc0a0b8f3 [cifs] +> #6 [ffff99650065bab0] cifs_launder_page at ffffffffc0a0bb72 [cifs] +> #7 [ffff99650065bb30] invalidate_inode_pages2_range at ffffffff9b04d4bd +> #8 [ffff99650065bcb8] cifs_invalidate_mapping at ffffffffc0a11339 [cifs] +> #9 [ffff99650065bcd0] cifs_revalidate_mapping at ffffffffc0a1139a [cifs] +> #10 [ffff99650065bcf0] cifs_d_revalidate at ffffffffc0a014f6 [cifs] +> #11 [ffff99650065bd08] path_openat at ffffffff9b0fe7f7 +> #12 [ffff99650065bdd8] do_filp_open at ffffffff9b100a33 +> #13 [ffff99650065bee0] do_sys_open at ffffffff9b0eb2d6 +> #14 [ffff99650065bf38] do_syscall_64 at ffffffff9ae04315 +> +> cifs_launder_page is for page 0xffffd1e2c07d2480 +> +> crash> page.index,mapping,flags 0xffffd1e2c07d2480 +> index = 0x8 +> mapping = 0xffff8c68f3cd0db0 +> flags = 0xfffffc0008095 +> +> PAGE-FLAG BIT VALUE +> PG_locked 0 0000001 +> PG_uptodate 2 0000004 +> PG_lru 4 0000010 +> PG_waiters 7 0000080 +> PG_writeback 15 0008000 +> +> +> inode is ffff8c68f3cd0c40 +> inode.i_rwsem is ffff8c68f3cd0ce0 +> DENTRY INODE SUPERBLK TYPE PATH +> ffff8c68a1f1b480 ffff8c68f3cd0c40 ffff8c6915bf9000 REG +> /mnt/vm1_smb/testfile.8853 +> +> +> this process holds the inode->i_rwsem for the parent directory, is +> laundering a page attached to the inode of the file it's opening, and in +> _cifsFileInfo_put is trying to down_write the cifsInodeInflock_sem +> for the file itself. +> +> +> : +> owner: (UN - 8854 - +> reopen_file), counter: 0x0000000000000003 +> waitlist: 1 +> 0xffff9965005dfd80 8855 reopen_file UN 0 1:29:22.912 +> RWSEM_WAITING_FOR_WRITE +> +> this is the inode.i_rwsem for the file +> +> the owner: +> +> [0 00:48:22.739] [UN] PID: 8854 TASK: ffff8c6914272e80 CPU: 2 +> COMMAND: "reopen_file" +> #0 [ffff99650054fb38] __schedule at ffffffff9b6e6095 +> #1 [ffff99650054fbc8] schedule at ffffffff9b6e64df +> #2 [ffff99650054fbd8] io_schedule at ffffffff9b6e68e2 +> #3 [ffff99650054fbe8] __lock_page at ffffffff9b03c56f +> #4 [ffff99650054fc80] pagecache_get_page at ffffffff9b03dcdf +> #5 [ffff99650054fcc0] grab_cache_page_write_begin at ffffffff9b03ef4c +> #6 [ffff99650054fcd0] cifs_write_begin at ffffffffc0a064ec [cifs] +> #7 [ffff99650054fd30] generic_perform_write at ffffffff9b03bba4 +> #8 [ffff99650054fda8] __generic_file_write_iter at ffffffff9b04060a +> #9 [ffff99650054fdf0] cifs_strict_writev.cold.70 at ffffffffc0a4469b [cifs] +> #10 [ffff99650054fe48] new_sync_write at ffffffff9b0ec1dd +> #11 [ffff99650054fed0] vfs_write at ffffffff9b0eed35 +> #12 [ffff99650054ff00] ksys_write at ffffffff9b0eefd9 +> #13 [ffff99650054ff38] do_syscall_64 at ffffffff9ae04315 +> +> the process holds the inode->i_rwsem for the file to which it's writing, +> and is trying to __lock_page for the same page as in the other processes +> +> +> the other tasks: +> [0 00:00:00.028] [UN] PID: 8859 TASK: ffff8c6915479740 CPU: 2 +> COMMAND: "reopen_file" +> #0 [ffff9965007b39d8] __schedule at ffffffff9b6e6095 +> #1 [ffff9965007b3a68] schedule at ffffffff9b6e64df +> #2 [ffff9965007b3a78] schedule_timeout at ffffffff9b6e9f89 +> #3 [ffff9965007b3af0] msleep at ffffffff9af573a9 +> #4 [ffff9965007b3af8] cifs_new_fileinfo.cold.61 at ffffffffc0a42a07 [cifs] +> #5 [ffff9965007b3b78] cifs_open at ffffffffc0a0709d [cifs] +> #6 [ffff9965007b3cd8] do_dentry_open at ffffffff9b0e9b7a +> #7 [ffff9965007b3d08] path_openat at ffffffff9b0fe34f +> #8 [ffff9965007b3dd8] do_filp_open at ffffffff9b100a33 +> #9 [ffff9965007b3ee0] do_sys_open at ffffffff9b0eb2d6 +> #10 [ffff9965007b3f38] do_syscall_64 at ffffffff9ae04315 +> +> this is opening the file, and is trying to down_write cinode->lock_sem +> +> +> [0 00:00:00.041] [UN] PID: 8860 TASK: ffff8c691547ae80 CPU: 2 +> COMMAND: "reopen_file" +> [0 00:00:00.057] [UN] PID: 8861 TASK: ffff8c6915478000 CPU: 3 +> COMMAND: "reopen_file" +> [0 00:00:00.059] [UN] PID: 8858 TASK: ffff8c6914271740 CPU: 2 +> COMMAND: "reopen_file" +> [0 00:00:00.109] [UN] PID: 8862 TASK: ffff8c691547dd00 CPU: 6 +> COMMAND: "reopen_file" +> #0 [ffff9965007c3c78] __schedule at ffffffff9b6e6095 +> #1 [ffff9965007c3d08] schedule at ffffffff9b6e64df +> #2 [ffff9965007c3d18] schedule_timeout at ffffffff9b6e9f89 +> #3 [ffff9965007c3d90] msleep at ffffffff9af573a9 +> #4 [ffff9965007c3d98] _cifsFileInfo_put.cold.63 at ffffffffc0a42dd6 [cifs] +> #5 [ffff9965007c3e88] cifs_close at ffffffffc0a07aaf [cifs] +> #6 [ffff9965007c3ea0] __fput at ffffffff9b0efa6e +> #7 [ffff9965007c3ee8] task_work_run at ffffffff9aef1614 +> #8 [ffff9965007c3f20] exit_to_usermode_loop at ffffffff9ae03d6f +> #9 [ffff9965007c3f38] do_syscall_64 at ffffffff9ae0444c +> +> closing the file, and trying to down_write cifsi->lock_sem +> +> +> [0 00:48:22.839] [UN] PID: 8857 TASK: ffff8c6914270000 CPU: 7 +> COMMAND: "reopen_file" +> #0 [ffff9965006a7cc8] __schedule at ffffffff9b6e6095 +> #1 [ffff9965006a7d58] schedule at ffffffff9b6e64df +> #2 [ffff9965006a7d68] io_schedule at ffffffff9b6e68e2 +> #3 [ffff9965006a7d78] wait_on_page_bit at ffffffff9b03cac6 +> #4 [ffff9965006a7e10] __filemap_fdatawait_range at ffffffff9b03b028 +> #5 [ffff9965006a7ed8] filemap_write_and_wait at ffffffff9b040165 +> #6 [ffff9965006a7ef0] cifs_flush at ffffffffc0a0c2fa [cifs] +> #7 [ffff9965006a7f10] filp_close at ffffffff9b0e93f1 +> #8 [ffff9965006a7f30] __x64_sys_close at ffffffff9b0e9a0e +> #9 [ffff9965006a7f38] do_syscall_64 at ffffffff9ae04315 +> +> in __filemap_fdatawait_range +> wait_on_page_writeback(page); +> for the same page of the file +> +> +> +> [0 00:48:22.718] [UN] PID: 8855 TASK: ffff8c69142745c0 CPU: 7 +> COMMAND: "reopen_file" +> #0 [ffff9965005dfc98] __schedule at ffffffff9b6e6095 +> #1 [ffff9965005dfd28] schedule at ffffffff9b6e64df +> #2 [ffff9965005dfd38] rwsem_down_write_slowpath at ffffffff9af283d7 +> #3 [ffff9965005dfdf0] cifs_strict_writev at ffffffffc0a0c40a [cifs] +> #4 [ffff9965005dfe48] new_sync_write at ffffffff9b0ec1dd +> #5 [ffff9965005dfed0] vfs_write at ffffffff9b0eed35 +> #6 [ffff9965005dff00] ksys_write at ffffffff9b0eefd9 +> #7 [ffff9965005dff38] do_syscall_64 at ffffffff9ae04315 +> +> inode_lock(inode); +> +> +> and one 'ls' later on, to see whether the rest of the mount is available +> (the test file is in the root, so we get blocked up on the directory +> ->i_rwsem), so the entire mount is unavailable +> +> [0 00:36:26.473] [UN] PID: 9802 TASK: ffff8c691436ae80 CPU: 4 +> COMMAND: "ls" +> #0 [ffff996500393d28] __schedule at ffffffff9b6e6095 +> #1 [ffff996500393db8] schedule at ffffffff9b6e64df +> #2 [ffff996500393dc8] rwsem_down_read_slowpath at ffffffff9b6e9421 +> #3 [ffff996500393e78] down_read_killable at ffffffff9b6e95e2 +> #4 [ffff996500393e88] iterate_dir at ffffffff9b103c56 +> #5 [ffff996500393ec8] ksys_getdents64 at ffffffff9b104b0c +> #6 [ffff996500393f30] __x64_sys_getdents64 at ffffffff9b104bb6 +> #7 [ffff996500393f38] do_syscall_64 at ffffffff9ae04315 +> +> in iterate_dir: +> if (shared) +> res = down_read_killable(&inode->i_rwsem); <<<< +> else +> res = down_write_killable(&inode->i_rwsem); +> + +Reported-by: Frank Sorenson +Reviewed-by: Pavel Shilovsky +Signed-off-by: Ronnie Sahlberg +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/cifsfs.c | 13 +++++++- + fs/cifs/cifsglob.h | 5 +++- + fs/cifs/file.c | 74 ++++++++++++++++++++++++++++++---------------- + 3 files changed, 65 insertions(+), 27 deletions(-) + +diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c +index 1a135d1b85bd..07d8ace61f77 100644 +--- a/fs/cifs/cifsfs.c ++++ b/fs/cifs/cifsfs.c +@@ -119,6 +119,7 @@ extern mempool_t *cifs_mid_poolp; + + struct workqueue_struct *cifsiod_wq; + struct workqueue_struct *decrypt_wq; ++struct workqueue_struct *fileinfo_put_wq; + struct workqueue_struct *cifsoplockd_wq; + __u32 cifs_lock_secret; + +@@ -1554,11 +1555,18 @@ init_cifs(void) + goto out_destroy_cifsiod_wq; + } + ++ fileinfo_put_wq = alloc_workqueue("cifsfileinfoput", ++ WQ_UNBOUND|WQ_FREEZABLE|WQ_MEM_RECLAIM, 0); ++ if (!fileinfo_put_wq) { ++ rc = -ENOMEM; ++ goto out_destroy_decrypt_wq; ++ } ++ + cifsoplockd_wq = alloc_workqueue("cifsoplockd", + WQ_FREEZABLE|WQ_MEM_RECLAIM, 0); + if (!cifsoplockd_wq) { + rc = -ENOMEM; +- goto out_destroy_decrypt_wq; ++ goto out_destroy_fileinfo_put_wq; + } + + rc = cifs_fscache_register(); +@@ -1624,6 +1632,8 @@ out_unreg_fscache: + cifs_fscache_unregister(); + out_destroy_cifsoplockd_wq: + destroy_workqueue(cifsoplockd_wq); ++out_destroy_fileinfo_put_wq: ++ destroy_workqueue(fileinfo_put_wq); + out_destroy_decrypt_wq: + destroy_workqueue(decrypt_wq); + out_destroy_cifsiod_wq: +@@ -1653,6 +1663,7 @@ exit_cifs(void) + cifs_fscache_unregister(); + destroy_workqueue(cifsoplockd_wq); + destroy_workqueue(decrypt_wq); ++ destroy_workqueue(fileinfo_put_wq); + destroy_workqueue(cifsiod_wq); + cifs_proc_clean(); + } +diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h +index 5d2dd04b55a6..f55e53486e74 100644 +--- a/fs/cifs/cifsglob.h ++++ b/fs/cifs/cifsglob.h +@@ -1265,6 +1265,7 @@ struct cifsFileInfo { + struct mutex fh_mutex; /* prevents reopen race after dead ses*/ + struct cifs_search_info srch_inf; + struct work_struct oplock_break; /* work for oplock breaks */ ++ struct work_struct put; /* work for the final part of _put */ + }; + + struct cifs_io_parms { +@@ -1370,7 +1371,8 @@ cifsFileInfo_get_locked(struct cifsFileInfo *cifs_file) + } + + struct cifsFileInfo *cifsFileInfo_get(struct cifsFileInfo *cifs_file); +-void _cifsFileInfo_put(struct cifsFileInfo *cifs_file, bool wait_oplock_hdlr); ++void _cifsFileInfo_put(struct cifsFileInfo *cifs_file, bool wait_oplock_hdlr, ++ bool offload); + void cifsFileInfo_put(struct cifsFileInfo *cifs_file); + + #define CIFS_CACHE_READ_FLG 1 +@@ -1908,6 +1910,7 @@ void cifs_queue_oplock_break(struct cifsFileInfo *cfile); + extern const struct slow_work_ops cifs_oplock_break_ops; + extern struct workqueue_struct *cifsiod_wq; + extern struct workqueue_struct *decrypt_wq; ++extern struct workqueue_struct *fileinfo_put_wq; + extern struct workqueue_struct *cifsoplockd_wq; + extern __u32 cifs_lock_secret; + +diff --git a/fs/cifs/file.c b/fs/cifs/file.c +index c32650f14c9b..969543034b4d 100644 +--- a/fs/cifs/file.c ++++ b/fs/cifs/file.c +@@ -288,6 +288,8 @@ cifs_down_write(struct rw_semaphore *sem) + msleep(10); + } + ++static void cifsFileInfo_put_work(struct work_struct *work); ++ + struct cifsFileInfo * + cifs_new_fileinfo(struct cifs_fid *fid, struct file *file, + struct tcon_link *tlink, __u32 oplock) +@@ -322,6 +324,7 @@ cifs_new_fileinfo(struct cifs_fid *fid, struct file *file, + cfile->invalidHandle = false; + cfile->tlink = cifs_get_tlink(tlink); + INIT_WORK(&cfile->oplock_break, cifs_oplock_break); ++ INIT_WORK(&cfile->put, cifsFileInfo_put_work); + mutex_init(&cfile->fh_mutex); + spin_lock_init(&cfile->file_info_lock); + +@@ -376,6 +379,41 @@ cifsFileInfo_get(struct cifsFileInfo *cifs_file) + return cifs_file; + } + ++static void cifsFileInfo_put_final(struct cifsFileInfo *cifs_file) ++{ ++ struct inode *inode = d_inode(cifs_file->dentry); ++ struct cifsInodeInfo *cifsi = CIFS_I(inode); ++ struct cifsLockInfo *li, *tmp; ++ struct super_block *sb = inode->i_sb; ++ ++ /* ++ * Delete any outstanding lock records. We'll lose them when the file ++ * is closed anyway. ++ */ ++ cifs_down_write(&cifsi->lock_sem); ++ list_for_each_entry_safe(li, tmp, &cifs_file->llist->locks, llist) { ++ list_del(&li->llist); ++ cifs_del_lock_waiters(li); ++ kfree(li); ++ } ++ list_del(&cifs_file->llist->llist); ++ kfree(cifs_file->llist); ++ up_write(&cifsi->lock_sem); ++ ++ cifs_put_tlink(cifs_file->tlink); ++ dput(cifs_file->dentry); ++ cifs_sb_deactive(sb); ++ kfree(cifs_file); ++} ++ ++static void cifsFileInfo_put_work(struct work_struct *work) ++{ ++ struct cifsFileInfo *cifs_file = container_of(work, ++ struct cifsFileInfo, put); ++ ++ cifsFileInfo_put_final(cifs_file); ++} ++ + /** + * cifsFileInfo_put - release a reference of file priv data + * +@@ -383,15 +421,15 @@ cifsFileInfo_get(struct cifsFileInfo *cifs_file) + */ + void cifsFileInfo_put(struct cifsFileInfo *cifs_file) + { +- _cifsFileInfo_put(cifs_file, true); ++ _cifsFileInfo_put(cifs_file, true, true); + } + + /** + * _cifsFileInfo_put - release a reference of file priv data + * + * This may involve closing the filehandle @cifs_file out on the +- * server. Must be called without holding tcon->open_file_lock and +- * cifs_file->file_info_lock. ++ * server. Must be called without holding tcon->open_file_lock, ++ * cinode->open_file_lock and cifs_file->file_info_lock. + * + * If @wait_for_oplock_handler is true and we are releasing the last + * reference, wait for any running oplock break handler of the file +@@ -399,7 +437,8 @@ void cifsFileInfo_put(struct cifsFileInfo *cifs_file) + * oplock break handler, you need to pass false. + * + */ +-void _cifsFileInfo_put(struct cifsFileInfo *cifs_file, bool wait_oplock_handler) ++void _cifsFileInfo_put(struct cifsFileInfo *cifs_file, ++ bool wait_oplock_handler, bool offload) + { + struct inode *inode = d_inode(cifs_file->dentry); + struct cifs_tcon *tcon = tlink_tcon(cifs_file->tlink); +@@ -407,7 +446,6 @@ void _cifsFileInfo_put(struct cifsFileInfo *cifs_file, bool wait_oplock_handler) + struct cifsInodeInfo *cifsi = CIFS_I(inode); + struct super_block *sb = inode->i_sb; + struct cifs_sb_info *cifs_sb = CIFS_SB(sb); +- struct cifsLockInfo *li, *tmp; + struct cifs_fid fid; + struct cifs_pending_open open; + bool oplock_break_cancelled; +@@ -468,24 +506,10 @@ void _cifsFileInfo_put(struct cifsFileInfo *cifs_file, bool wait_oplock_handler) + + cifs_del_pending_open(&open); + +- /* +- * Delete any outstanding lock records. We'll lose them when the file +- * is closed anyway. +- */ +- cifs_down_write(&cifsi->lock_sem); +- list_for_each_entry_safe(li, tmp, &cifs_file->llist->locks, llist) { +- list_del(&li->llist); +- cifs_del_lock_waiters(li); +- kfree(li); +- } +- list_del(&cifs_file->llist->llist); +- kfree(cifs_file->llist); +- up_write(&cifsi->lock_sem); +- +- cifs_put_tlink(cifs_file->tlink); +- dput(cifs_file->dentry); +- cifs_sb_deactive(sb); +- kfree(cifs_file); ++ if (offload) ++ queue_work(fileinfo_put_wq, &cifs_file->put); ++ else ++ cifsFileInfo_put_final(cifs_file); + } + + int cifs_open(struct inode *inode, struct file *file) +@@ -816,7 +840,7 @@ reopen_error_exit: + int cifs_close(struct inode *inode, struct file *file) + { + if (file->private_data != NULL) { +- cifsFileInfo_put(file->private_data); ++ _cifsFileInfo_put(file->private_data, true, false); + file->private_data = NULL; + } + +@@ -4688,7 +4712,7 @@ void cifs_oplock_break(struct work_struct *work) + cinode); + cifs_dbg(FYI, "Oplock release rc = %d\n", rc); + } +- _cifsFileInfo_put(cfile, false /* do not wait for ourself */); ++ _cifsFileInfo_put(cfile, false /* do not wait for ourself */, false); + cifs_done_oplock_break(cinode); + } + +-- +2.20.1 + diff --git a/queue-5.4/clk-clk-gpio-propagate-rate-change-to-parent.patch b/queue-5.4/clk-clk-gpio-propagate-rate-change-to-parent.patch new file mode 100644 index 00000000000..650540f5f3a --- /dev/null +++ b/queue-5.4/clk-clk-gpio-propagate-rate-change-to-parent.patch @@ -0,0 +1,49 @@ +From 766f98b776c9e98c9915e13b681d1f86cb59bbf4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Nov 2019 09:17:18 +0200 +Subject: clk: clk-gpio: propagate rate change to parent + +From: Michael Hennerich + +[ Upstream commit fc59462c5ce60da119568fac325c92fc6b7c6175 ] + +For an external clock source, which is gated via a GPIO, the +rate change should typically be propagated to the parent clock. + +The situation where we are requiring this propagation, is when an +external clock is connected to override an internal clock (which typically +has a fixed rate). The external clock can have a different rate than the +internal one, and may also be variable, thus requiring the rate +propagation. + +This rate change wasn't propagated until now, and it's unclear about cases +where this shouldn't be propagated. Thus, it's unclear whether this is +fixing a bug, or extending the current driver behavior. Also, it's unsure +about whether this may break any existing setups; in the case that it does, +a device-tree property may be added to disable this flag. + +Signed-off-by: Michael Hennerich +Signed-off-by: Alexandru Ardelean +Link: https://lkml.kernel.org/r/20191108071718.17985-1-alexandru.ardelean@analog.com +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/clk-gpio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/clk-gpio.c b/drivers/clk/clk-gpio.c +index 9d930edd6516..13304cf5f2a8 100644 +--- a/drivers/clk/clk-gpio.c ++++ b/drivers/clk/clk-gpio.c +@@ -280,7 +280,7 @@ static int gpio_clk_driver_probe(struct platform_device *pdev) + else + clk = clk_register_gpio_gate(&pdev->dev, node->name, + parent_names ? parent_names[0] : NULL, gpiod, +- 0); ++ CLK_SET_RATE_PARENT); + if (IS_ERR(clk)) + return PTR_ERR(clk); + +-- +2.20.1 + diff --git a/queue-5.4/clk-fix-memory-leak-in-clk_unregister.patch b/queue-5.4/clk-fix-memory-leak-in-clk_unregister.patch new file mode 100644 index 00000000000..45247475b4d --- /dev/null +++ b/queue-5.4/clk-fix-memory-leak-in-clk_unregister.patch @@ -0,0 +1,60 @@ +From 1eccd3bcfd1142d1a8de126ed1e14c4f533400d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Oct 2019 12:41:53 +0530 +Subject: clk: Fix memory leak in clk_unregister() + +From: Kishon Vijay Abraham I + +[ Upstream commit 8247470772beb38822f226c99a2ed8c195f6b438 ] + +Memory allocated in alloc_clk() for 'struct clk' and +'const char *con_id' while invoking clk_register() is never freed +in clk_unregister(), resulting in kmemleak showing the following +backtrace. + + backtrace: + [<00000000546f5dd0>] kmem_cache_alloc+0x18c/0x270 + [<0000000073a32862>] alloc_clk+0x30/0x70 + [<0000000082942480>] __clk_register+0xc8/0x760 + [<000000005c859fca>] devm_clk_register+0x54/0xb0 + [<00000000868834a8>] 0xffff800008c60950 + [<00000000d5a80534>] platform_drv_probe+0x50/0xa0 + [<000000001b3889fc>] really_probe+0x108/0x348 + [<00000000953fa60a>] driver_probe_device+0x58/0x100 + [<0000000008acc17c>] device_driver_attach+0x6c/0x90 + [<0000000022813df3>] __driver_attach+0x84/0xc8 + [<00000000448d5443>] bus_for_each_dev+0x74/0xc8 + [<00000000294aa93f>] driver_attach+0x20/0x28 + [<00000000e5e52626>] bus_add_driver+0x148/0x1f0 + [<000000001de21efc>] driver_register+0x60/0x110 + [<00000000af07c068>] __platform_driver_register+0x40/0x48 + [<0000000060fa80ee>] 0xffff800008c66020 + +Fix it here. + +Cc: Tomi Valkeinen +Cc: Tero Kristo +Signed-off-by: Kishon Vijay Abraham I +Link: https://lkml.kernel.org/r/20191022071153.21118-1-kishon@ti.com +Fixes: 1df4046a93e0 ("clk: Combine __clk_get() and __clk_create_clk()") +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/clk.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/clk/clk.c b/drivers/clk/clk.c +index 1c677d7f7f53..2f2eea26c375 100644 +--- a/drivers/clk/clk.c ++++ b/drivers/clk/clk.c +@@ -3879,6 +3879,7 @@ void clk_unregister(struct clk *clk) + __func__, clk->core->name); + + kref_put(&clk->core->ref, __clk_release); ++ free_clk(clk); + unlock: + clk_prepare_unlock(); + } +-- +2.20.1 + diff --git a/queue-5.4/clk-pxa-fix-one-of-the-pxa-rtc-clocks.patch b/queue-5.4/clk-pxa-fix-one-of-the-pxa-rtc-clocks.patch new file mode 100644 index 00000000000..18417525647 --- /dev/null +++ b/queue-5.4/clk-pxa-fix-one-of-the-pxa-rtc-clocks.patch @@ -0,0 +1,39 @@ +From cd9d79963f28fbd9f86e5bdf20ed85d459c8d3a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 26 Oct 2019 21:44:20 +0200 +Subject: clk: pxa: fix one of the pxa RTC clocks + +From: Robert Jarzmik + +[ Upstream commit 46acbcb4849b2ca2e6e975e7c8130c1d61c8fd0c ] + +The pxa27x platforms have a single IP with 2 drivers, sa1100-rtc and +rtc-pxa drivers. + +A previous patch fixed the sa1100-rtc case, but the pxa-rtc wasn't +fixed. This patch completes the previous one. + +Fixes: 8b6d10345e16 ("clk: pxa: add missing pxa27x clocks for Irda and sa1100-rtc") +Signed-off-by: Robert Jarzmik +Link: https://lkml.kernel.org/r/20191026194420.11918-1-robert.jarzmik@free.fr +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/pxa/clk-pxa27x.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/clk/pxa/clk-pxa27x.c b/drivers/clk/pxa/clk-pxa27x.c +index 287fdeae7c7c..7b123105b5de 100644 +--- a/drivers/clk/pxa/clk-pxa27x.c ++++ b/drivers/clk/pxa/clk-pxa27x.c +@@ -459,6 +459,7 @@ struct dummy_clk { + }; + static struct dummy_clk dummy_clks[] __initdata = { + DUMMY_CLK(NULL, "pxa27x-gpio", "osc_32_768khz"), ++ DUMMY_CLK(NULL, "pxa-rtc", "osc_32_768khz"), + DUMMY_CLK(NULL, "sa1100-rtc", "osc_32_768khz"), + DUMMY_CLK("UARTCLK", "pxa2xx-ir", "STUART"), + }; +-- +2.20.1 + diff --git a/queue-5.4/clk-qcom-allow-constant-ratio-freq-tables-for-rcg.patch b/queue-5.4/clk-qcom-allow-constant-ratio-freq-tables-for-rcg.patch new file mode 100644 index 00000000000..6c08a228a43 --- /dev/null +++ b/queue-5.4/clk-qcom-allow-constant-ratio-freq-tables-for-rcg.patch @@ -0,0 +1,64 @@ +From d0b717eedf3681dd6b99129543db8341a552a0ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Oct 2019 11:57:15 -0700 +Subject: clk: qcom: Allow constant ratio freq tables for rcg + +From: Jeffrey Hugo + +[ Upstream commit efd164b5520afd6fb2883b68e0d408a7de29c491 ] + +Some RCGs (the gfx_3d_src_clk in msm8998 for example) are basically just +some constant ratio from the input across the entire frequency range. It +would be great if we could specify the frequency table as a single entry +constant ratio instead of a long list, ie: + + { .src = P_GPUPLL0_OUT_EVEN, .pre_div = 3 }, + { } + +So, lets support that. + +We need to fix a corner case in qcom_find_freq() where if the freq table +is non-null, but has no frequencies, we end up returning an "entry" before +the table array, which is bad. Then, we need ignore the freq from the +table, and instead base everything on the requested freq. + +Suggested-by: Stephen Boyd +Signed-off-by: Jeffrey Hugo +Link: https://lkml.kernel.org/r/20191031185715.15504-1-jeffrey.l.hugo@gmail.com +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/clk-rcg2.c | 2 ++ + drivers/clk/qcom/common.c | 3 +++ + 2 files changed, 5 insertions(+) + +diff --git a/drivers/clk/qcom/clk-rcg2.c b/drivers/clk/qcom/clk-rcg2.c +index b98b81ef43a1..5a89ed88cc27 100644 +--- a/drivers/clk/qcom/clk-rcg2.c ++++ b/drivers/clk/qcom/clk-rcg2.c +@@ -220,6 +220,8 @@ static int _freq_tbl_determine_rate(struct clk_hw *hw, const struct freq_tbl *f, + if (clk_flags & CLK_SET_RATE_PARENT) { + rate = f->freq; + if (f->pre_div) { ++ if (!rate) ++ rate = req->rate; + rate /= 2; + rate *= f->pre_div + 1; + } +diff --git a/drivers/clk/qcom/common.c b/drivers/clk/qcom/common.c +index 28ddc747d703..bdeacebbf0e4 100644 +--- a/drivers/clk/qcom/common.c ++++ b/drivers/clk/qcom/common.c +@@ -29,6 +29,9 @@ struct freq_tbl *qcom_find_freq(const struct freq_tbl *f, unsigned long rate) + if (!f) + return NULL; + ++ if (!f->freq) ++ return f; ++ + for (; f->freq; f++) + if (rate <= f->freq) + return f; +-- +2.20.1 + diff --git a/queue-5.4/clk-qcom-smd-add-missing-pnoc-clock.patch b/queue-5.4/clk-qcom-smd-add-missing-pnoc-clock.patch new file mode 100644 index 00000000000..a4b0bca1ec0 --- /dev/null +++ b/queue-5.4/clk-qcom-smd-add-missing-pnoc-clock.patch @@ -0,0 +1,54 @@ +From 78f923737e23c6e291286e9583069efad43ca77d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Nov 2019 11:06:15 -0800 +Subject: clk: qcom: smd: Add missing pnoc clock + +From: Jeffrey Hugo + +[ Upstream commit ba1d366de261981c0dd04fac44d2ce3a5eba2eaa ] + +When MSM8998 support was added, and analysis was done to determine what +clocks would be consumed. That analysis had a flaw, which caused the +pnoc to be skipped. The pnoc clock needs to be on to access the uart +for the console. The clock is on from boot, but has no consumer votes +in the RPM. When we attempt to boot the modem, it causes the RPM to +turn off pnoc, which kills our access to the console and causes CPU hangs. + +We need pnoc to be defined, so that clk_smd_rpm_handoff() will put in +an implicit vote for linux and prevent issues when booting modem. +Hopefully pnoc can be consumed by the interconnect framework in future +so that Linux can rely on explicit votes. + +Fixes: 6131dc81211c ("clk: qcom: smd: Add support for MSM8998 rpm clocks") +Signed-off-by: Jeffrey Hugo +Link: https://lkml.kernel.org/r/20191107190615.5656-1-jeffrey.l.hugo@gmail.com +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/clk-smd-rpm.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/clk/qcom/clk-smd-rpm.c b/drivers/clk/qcom/clk-smd-rpm.c +index fef5e8157061..930fa4a4c52a 100644 +--- a/drivers/clk/qcom/clk-smd-rpm.c ++++ b/drivers/clk/qcom/clk-smd-rpm.c +@@ -648,6 +648,7 @@ static const struct rpm_smd_clk_desc rpm_clk_qcs404 = { + }; + + /* msm8998 */ ++DEFINE_CLK_SMD_RPM(msm8998, pcnoc_clk, pcnoc_a_clk, QCOM_SMD_RPM_BUS_CLK, 0); + DEFINE_CLK_SMD_RPM(msm8998, snoc_clk, snoc_a_clk, QCOM_SMD_RPM_BUS_CLK, 1); + DEFINE_CLK_SMD_RPM(msm8998, cnoc_clk, cnoc_a_clk, QCOM_SMD_RPM_BUS_CLK, 2); + DEFINE_CLK_SMD_RPM(msm8998, ce1_clk, ce1_a_clk, QCOM_SMD_RPM_CE_CLK, 0); +@@ -670,6 +671,8 @@ DEFINE_CLK_SMD_RPM_XO_BUFFER_PINCTRL(msm8998, rf_clk2_pin, rf_clk2_a_pin, 5); + DEFINE_CLK_SMD_RPM_XO_BUFFER(msm8998, rf_clk3, rf_clk3_a, 6); + DEFINE_CLK_SMD_RPM_XO_BUFFER_PINCTRL(msm8998, rf_clk3_pin, rf_clk3_a_pin, 6); + static struct clk_smd_rpm *msm8998_clks[] = { ++ [RPM_SMD_PCNOC_CLK] = &msm8998_pcnoc_clk, ++ [RPM_SMD_PCNOC_A_CLK] = &msm8998_pcnoc_a_clk, + [RPM_SMD_SNOC_CLK] = &msm8998_snoc_clk, + [RPM_SMD_SNOC_A_CLK] = &msm8998_snoc_a_clk, + [RPM_SMD_CNOC_CLK] = &msm8998_cnoc_clk, +-- +2.20.1 + diff --git a/queue-5.4/clocksource-drivers-asm9260-add-a-check-for-of_clk_g.patch b/queue-5.4/clocksource-drivers-asm9260-add-a-check-for-of_clk_g.patch new file mode 100644 index 00000000000..d176bee6691 --- /dev/null +++ b/queue-5.4/clocksource-drivers-asm9260-add-a-check-for-of_clk_g.patch @@ -0,0 +1,38 @@ +From f46381f79eb0b77df50c7bceb2a4d0c917c577db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Oct 2019 20:43:30 +0800 +Subject: clocksource/drivers/asm9260: Add a check for of_clk_get + +From: Chuhong Yuan + +[ Upstream commit 6e001f6a4cc73cd06fc7b8c633bc4906c33dd8ad ] + +asm9260_timer_init misses a check for of_clk_get. +Add a check for it and print errors like other clocksource drivers. + +Signed-off-by: Chuhong Yuan +Signed-off-by: Daniel Lezcano +Link: https://lore.kernel.org/r/20191016124330.22211-1-hslester96@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/clocksource/asm9260_timer.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/clocksource/asm9260_timer.c b/drivers/clocksource/asm9260_timer.c +index 9f09a59161e7..5b39d3701fa3 100644 +--- a/drivers/clocksource/asm9260_timer.c ++++ b/drivers/clocksource/asm9260_timer.c +@@ -194,6 +194,10 @@ static int __init asm9260_timer_init(struct device_node *np) + } + + clk = of_clk_get(np, 0); ++ if (IS_ERR(clk)) { ++ pr_err("Failed to get clk!\n"); ++ return PTR_ERR(clk); ++ } + + ret = clk_prepare_enable(clk); + if (ret) { +-- +2.20.1 + diff --git a/queue-5.4/clocksource-drivers-timer-of-use-unique-device-name-.patch b/queue-5.4/clocksource-drivers-timer-of-use-unique-device-name-.patch new file mode 100644 index 00000000000..031a056898c --- /dev/null +++ b/queue-5.4/clocksource-drivers-timer-of-use-unique-device-name-.patch @@ -0,0 +1,47 @@ +From a46a6aa25f72ceab9494b84536fca6d4d7ea463c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Oct 2019 16:47:45 +0200 +Subject: clocksource/drivers/timer-of: Use unique device name instead of timer + +From: Geert Uytterhoeven + +[ Upstream commit 4411464d6f8b5e5759637235a6f2b2a85c2be0f1 ] + +If a hardware-specific driver does not provide a name, the timer-of core +falls back to device_node.name. Due to generic DT node naming policies, +that name is almost always "timer", and thus doesn't identify the actual +timer used. + +Fix this by using device_node.full_name instead, which includes the unit +addrees. + +Example impact on /proc/timer_list: + + -Clock Event Device: timer + +Clock Event Device: timer@fcfec400 + +Signed-off-by: Geert Uytterhoeven +Reviewed-by: Rob Herring +Signed-off-by: Daniel Lezcano +Link: https://lore.kernel.org/r/20191016144747.29538-3-geert+renesas@glider.be +Signed-off-by: Sasha Levin +--- + drivers/clocksource/timer-of.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clocksource/timer-of.c b/drivers/clocksource/timer-of.c +index 11ff701ff4bb..a3c73e972fce 100644 +--- a/drivers/clocksource/timer-of.c ++++ b/drivers/clocksource/timer-of.c +@@ -192,7 +192,7 @@ int __init timer_of_init(struct device_node *np, struct timer_of *to) + } + + if (!to->clkevt.name) +- to->clkevt.name = np->name; ++ to->clkevt.name = np->full_name; + + to->np = np; + +-- +2.20.1 + diff --git a/queue-5.4/dma-debug-add-a-schedule-point-in-debug_dma_dump_map.patch b/queue-5.4/dma-debug-add-a-schedule-point-in-debug_dma_dump_map.patch new file mode 100644 index 00000000000..2d393cb57b6 --- /dev/null +++ b/queue-5.4/dma-debug-add-a-schedule-point-in-debug_dma_dump_map.patch @@ -0,0 +1,45 @@ +From d0e54bd0c3a5def068ed8b5f1d9a22376be077c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Oct 2019 14:56:46 -0700 +Subject: dma-debug: add a schedule point in debug_dma_dump_mappings() + +From: Eric Dumazet + +[ Upstream commit 9ff6aa027dbb98755f0265695354f2dd07c0d1ce ] + +debug_dma_dump_mappings() can take a lot of cpu cycles : + +lpk43:/# time wc -l /sys/kernel/debug/dma-api/dump +163435 /sys/kernel/debug/dma-api/dump + +real 0m0.463s +user 0m0.003s +sys 0m0.459s + +Let's add a cond_resched() to avoid holding cpu for too long. + +Signed-off-by: Eric Dumazet +Cc: Corentin Labbe +Cc: Christoph Hellwig +Cc: Marek Szyprowski +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + kernel/dma/debug.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/kernel/dma/debug.c b/kernel/dma/debug.c +index 099002d84f46..4ad74f5987ea 100644 +--- a/kernel/dma/debug.c ++++ b/kernel/dma/debug.c +@@ -420,6 +420,7 @@ void debug_dma_dump_mappings(struct device *dev) + } + + spin_unlock_irqrestore(&bucket->lock, flags); ++ cond_resched(); + } + } + +-- +2.20.1 + diff --git a/queue-5.4/dma-direct-check-for-overflows-on-32-bit-dma-address.patch b/queue-5.4/dma-direct-check-for-overflows-on-32-bit-dma-address.patch new file mode 100644 index 00000000000..db47f89d07f --- /dev/null +++ b/queue-5.4/dma-direct-check-for-overflows-on-32-bit-dma-address.patch @@ -0,0 +1,70 @@ +From f4c9697f2dde63b4d42aa1318722d4279f567c3d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Nov 2019 16:06:44 +0100 +Subject: dma-direct: check for overflows on 32 bit DMA addresses + +From: Nicolas Saenz Julienne + +[ Upstream commit b12d66278dd627cbe1ea7c000aa4715aaf8830c8 ] + +As seen on the new Raspberry Pi 4 and sta2x11's DMA implementation it is +possible for a device configured with 32 bit DMA addresses and a partial +DMA mapping located at the end of the address space to overflow. It +happens when a higher physical address, not DMAable, is translated to +it's DMA counterpart. + +For example the Raspberry Pi 4, configurable up to 4 GB of memory, has +an interconnect capable of addressing the lower 1 GB of physical memory +with a DMA offset of 0xc0000000. It transpires that, any attempt to +translate physical addresses higher than the first GB will result in an +overflow which dma_capable() can't detect as it only checks for +addresses bigger then the maximum allowed DMA address. + +Fix this by verifying in dma_capable() if the DMA address range provided +is at any point lower than the minimum possible DMA address on the bus. + +Signed-off-by: Nicolas Saenz Julienne +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + include/linux/dma-direct.h | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/include/linux/dma-direct.h b/include/linux/dma-direct.h +index adf993a3bd58..6a18a97b76a8 100644 +--- a/include/linux/dma-direct.h ++++ b/include/linux/dma-direct.h +@@ -3,8 +3,11 @@ + #define _LINUX_DMA_DIRECT_H 1 + + #include ++#include /* for min_low_pfn */ + #include + ++static inline dma_addr_t phys_to_dma(struct device *dev, phys_addr_t paddr); ++ + #ifdef CONFIG_ARCH_HAS_PHYS_TO_DMA + #include + #else +@@ -24,11 +27,16 @@ static inline phys_addr_t __dma_to_phys(struct device *dev, dma_addr_t dev_addr) + + static inline bool dma_capable(struct device *dev, dma_addr_t addr, size_t size) + { ++ dma_addr_t end = addr + size - 1; ++ + if (!dev->dma_mask) + return false; + +- return addr + size - 1 <= +- min_not_zero(*dev->dma_mask, dev->bus_dma_mask); ++ if (!IS_ENABLED(CONFIG_ARCH_DMA_ADDR_T_64BIT) && ++ min(addr, end) < phys_to_dma(dev, PFN_PHYS(min_low_pfn))) ++ return false; ++ ++ return end <= min_not_zero(*dev->dma_mask, dev->bus_dma_mask); + } + #endif /* !CONFIG_ARCH_HAS_PHYS_TO_DMA */ + +-- +2.20.1 + diff --git a/queue-5.4/dma-mapping-add-vmap-checks-to-dma_map_single.patch b/queue-5.4/dma-mapping-add-vmap-checks-to-dma_map_single.patch new file mode 100644 index 00000000000..0858349fa52 --- /dev/null +++ b/queue-5.4/dma-mapping-add-vmap-checks-to-dma_map_single.patch @@ -0,0 +1,43 @@ +From 44cb6a7e845265a9cdfc086b4fa005b0c50234c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Oct 2019 14:34:22 -0700 +Subject: dma-mapping: Add vmap checks to dma_map_single() + +From: Kees Cook + +[ Upstream commit 4544b9f25e70eae9f70a243de0cc802aa5c8cb69 ] + +As we've seen from USB and other areas[1], we need to always do runtime +checks for DMA operating on memory regions that might be remapped. This +adds vmap checks (similar to those already in USB but missing in other +places) into dma_map_single() so all callers benefit from the checking. + +[1] https://git.kernel.org/linus/3840c5b78803b2b6cc1ff820100a74a092c40cbb + +Suggested-by: Laura Abbott +Signed-off-by: Kees Cook +[hch: fixed the printk message] +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + include/linux/dma-mapping.h | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/include/linux/dma-mapping.h b/include/linux/dma-mapping.h +index 4a1c4fca475a..0aad641d662c 100644 +--- a/include/linux/dma-mapping.h ++++ b/include/linux/dma-mapping.h +@@ -583,6 +583,10 @@ static inline unsigned long dma_get_merge_boundary(struct device *dev) + static inline dma_addr_t dma_map_single_attrs(struct device *dev, void *ptr, + size_t size, enum dma_data_direction dir, unsigned long attrs) + { ++ /* DMA must never operate on areas that might be remapped. */ ++ if (dev_WARN_ONCE(dev, is_vmalloc_addr(ptr), ++ "rejecting DMA map of vmalloc memory\n")) ++ return DMA_MAPPING_ERROR; + debug_dma_map_single(dev, ptr, size); + return dma_map_page_attrs(dev, virt_to_page(ptr), offset_in_page(ptr), + size, dir, attrs); +-- +2.20.1 + diff --git a/queue-5.4/dma-mapping-fix-handling-of-dma-ranges-for-reserved-.patch b/queue-5.4/dma-mapping-fix-handling-of-dma-ranges-for-reserved-.patch new file mode 100644 index 00000000000..6958c834391 --- /dev/null +++ b/queue-5.4/dma-mapping-fix-handling-of-dma-ranges-for-reserved-.patch @@ -0,0 +1,116 @@ +From 5d03f25e9c909f403b2ced3ef696ef6df0e8947d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Oct 2019 10:13:13 +0000 +Subject: dma-mapping: fix handling of dma-ranges for reserved memory (again) + +From: Vladimir Murzin + +[ Upstream commit a445e940ea686fc60475564009821010eb213be3 ] + +Daniele reported that issue previously fixed in c41f9ea998f3 +("drivers: dma-coherent: Account dma_pfn_offset when used with device +tree") reappear shortly after 43fc509c3efb ("dma-coherent: introduce +interface for default DMA pool") where fix was accidentally dropped. + +Lets put fix back in place and respect dma-ranges for reserved memory. + +Fixes: 43fc509c3efb ("dma-coherent: introduce interface for default DMA pool") + +Reported-by: Daniele Alessandrelli +Tested-by: Daniele Alessandrelli +Tested-by: Alexandre Torgue +Signed-off-by: Vladimir Murzin +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + arch/arm/mm/dma-mapping-nommu.c | 2 +- + include/linux/dma-mapping.h | 4 ++-- + kernel/dma/coherent.c | 16 +++++++++------- + 3 files changed, 12 insertions(+), 10 deletions(-) + +diff --git a/arch/arm/mm/dma-mapping-nommu.c b/arch/arm/mm/dma-mapping-nommu.c +index db9247898300..287ef898a55e 100644 +--- a/arch/arm/mm/dma-mapping-nommu.c ++++ b/arch/arm/mm/dma-mapping-nommu.c +@@ -35,7 +35,7 @@ static void *arm_nommu_dma_alloc(struct device *dev, size_t size, + unsigned long attrs) + + { +- void *ret = dma_alloc_from_global_coherent(size, dma_handle); ++ void *ret = dma_alloc_from_global_coherent(dev, size, dma_handle); + + /* + * dma_alloc_from_global_coherent() may fail because: +diff --git a/include/linux/dma-mapping.h b/include/linux/dma-mapping.h +index 0aad641d662c..4d450672b7d6 100644 +--- a/include/linux/dma-mapping.h ++++ b/include/linux/dma-mapping.h +@@ -162,7 +162,7 @@ int dma_release_from_dev_coherent(struct device *dev, int order, void *vaddr); + int dma_mmap_from_dev_coherent(struct device *dev, struct vm_area_struct *vma, + void *cpu_addr, size_t size, int *ret); + +-void *dma_alloc_from_global_coherent(ssize_t size, dma_addr_t *dma_handle); ++void *dma_alloc_from_global_coherent(struct device *dev, ssize_t size, dma_addr_t *dma_handle); + int dma_release_from_global_coherent(int order, void *vaddr); + int dma_mmap_from_global_coherent(struct vm_area_struct *vma, void *cpu_addr, + size_t size, int *ret); +@@ -172,7 +172,7 @@ int dma_mmap_from_global_coherent(struct vm_area_struct *vma, void *cpu_addr, + #define dma_release_from_dev_coherent(dev, order, vaddr) (0) + #define dma_mmap_from_dev_coherent(dev, vma, vaddr, order, ret) (0) + +-static inline void *dma_alloc_from_global_coherent(ssize_t size, ++static inline void *dma_alloc_from_global_coherent(struct device *dev, ssize_t size, + dma_addr_t *dma_handle) + { + return NULL; +diff --git a/kernel/dma/coherent.c b/kernel/dma/coherent.c +index 545e3869b0e3..551b0eb7028a 100644 +--- a/kernel/dma/coherent.c ++++ b/kernel/dma/coherent.c +@@ -123,8 +123,9 @@ int dma_declare_coherent_memory(struct device *dev, phys_addr_t phys_addr, + return ret; + } + +-static void *__dma_alloc_from_coherent(struct dma_coherent_mem *mem, +- ssize_t size, dma_addr_t *dma_handle) ++static void *__dma_alloc_from_coherent(struct device *dev, ++ struct dma_coherent_mem *mem, ++ ssize_t size, dma_addr_t *dma_handle) + { + int order = get_order(size); + unsigned long flags; +@@ -143,7 +144,7 @@ static void *__dma_alloc_from_coherent(struct dma_coherent_mem *mem, + /* + * Memory was found in the coherent area. + */ +- *dma_handle = mem->device_base + (pageno << PAGE_SHIFT); ++ *dma_handle = dma_get_device_base(dev, mem) + (pageno << PAGE_SHIFT); + ret = mem->virt_base + (pageno << PAGE_SHIFT); + spin_unlock_irqrestore(&mem->spinlock, flags); + memset(ret, 0, size); +@@ -175,17 +176,18 @@ int dma_alloc_from_dev_coherent(struct device *dev, ssize_t size, + if (!mem) + return 0; + +- *ret = __dma_alloc_from_coherent(mem, size, dma_handle); ++ *ret = __dma_alloc_from_coherent(dev, mem, size, dma_handle); + return 1; + } + +-void *dma_alloc_from_global_coherent(ssize_t size, dma_addr_t *dma_handle) ++void *dma_alloc_from_global_coherent(struct device *dev, ssize_t size, ++ dma_addr_t *dma_handle) + { + if (!dma_coherent_default_memory) + return NULL; + +- return __dma_alloc_from_coherent(dma_coherent_default_memory, size, +- dma_handle); ++ return __dma_alloc_from_coherent(dev, dma_coherent_default_memory, size, ++ dma_handle); + } + + static int __dma_release_from_coherent(struct dma_coherent_mem *mem, +-- +2.20.1 + diff --git a/queue-5.4/dmaengine-fsl-qdma-handle-invalid-qdma-queue0-irq.patch b/queue-5.4/dmaengine-fsl-qdma-handle-invalid-qdma-queue0-irq.patch new file mode 100644 index 00000000000..f692c9554a4 --- /dev/null +++ b/queue-5.4/dmaengine-fsl-qdma-handle-invalid-qdma-queue0-irq.patch @@ -0,0 +1,40 @@ +From 86f7f25a99cd8119fbf8b4df14788736c80fbfb3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Oct 2019 17:08:26 +0200 +Subject: dmaengine: fsl-qdma: Handle invalid qdma-queue0 IRQ + +From: Krzysztof Kozlowski + +[ Upstream commit 41814c4eadf8a791b6d07114f96e7e120e59555c ] + +platform_get_irq_byname() might return -errno which later would be cast +to an unsigned int and used in IRQ handling code leading to usage of +wrong ID and errors about wrong irq_base. + +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Peng Ma +Tested-by: Peng Ma +Link: https://lore.kernel.org/r/20191004150826.6656-1-krzk@kernel.org +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/fsl-qdma.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/dma/fsl-qdma.c b/drivers/dma/fsl-qdma.c +index 06664fbd2d91..89792083d62c 100644 +--- a/drivers/dma/fsl-qdma.c ++++ b/drivers/dma/fsl-qdma.c +@@ -1155,6 +1155,9 @@ static int fsl_qdma_probe(struct platform_device *pdev) + return ret; + + fsl_qdma->irq_base = platform_get_irq_byname(pdev, "qdma-queue0"); ++ if (fsl_qdma->irq_base < 0) ++ return fsl_qdma->irq_base; ++ + fsl_qdma->feature = of_property_read_bool(np, "big-endian"); + INIT_LIST_HEAD(&fsl_qdma->dma_dev.channels); + +-- +2.20.1 + diff --git a/queue-5.4/dmaengine-xilinx_dma-clear-desc_pendingcount-in-xili.patch b/queue-5.4/dmaengine-xilinx_dma-clear-desc_pendingcount-in-xili.patch new file mode 100644 index 00000000000..1ed7d157dd0 --- /dev/null +++ b/queue-5.4/dmaengine-xilinx_dma-clear-desc_pendingcount-in-xili.patch @@ -0,0 +1,42 @@ +From ae08483d117322b4cdb708bb0663d97c4021f6f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Oct 2019 20:18:24 +0530 +Subject: dmaengine: xilinx_dma: Clear desc_pendingcount in xilinx_dma_reset + +From: Nicholas Graumann + +[ Upstream commit 8a631a5a0f7d4a4a24dba8587d5d9152be0871cc ] + +Whenever we reset the channel, we need to clear desc_pendingcount +along with desc_submitcount. Otherwise when a new transaction is +submitted, the irq coalesce level could be programmed to an incorrect +value in the axidma case. + +This behavior can be observed when terminating pending transactions +with xilinx_dma_terminate_all() and then submitting new transactions +without releasing and requesting the channel. + +Signed-off-by: Nicholas Graumann +Signed-off-by: Radhey Shyam Pandey +Link: https://lore.kernel.org/r/1571150904-3988-8-git-send-email-radhey.shyam.pandey@xilinx.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/xilinx/xilinx_dma.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/dma/xilinx/xilinx_dma.c b/drivers/dma/xilinx/xilinx_dma.c +index 5d56f1e4d332..43acba2a1c0e 100644 +--- a/drivers/dma/xilinx/xilinx_dma.c ++++ b/drivers/dma/xilinx/xilinx_dma.c +@@ -1433,6 +1433,7 @@ static int xilinx_dma_reset(struct xilinx_dma_chan *chan) + + chan->err = false; + chan->idle = true; ++ chan->desc_pendingcount = 0; + chan->desc_submitcount = 0; + + return err; +-- +2.20.1 + diff --git a/queue-5.4/drivers-hv-vmbus-fix-crash-handler-reset-of-hyper-v-.patch b/queue-5.4/drivers-hv-vmbus-fix-crash-handler-reset-of-hyper-v-.patch new file mode 100644 index 00000000000..cccfc1a6761 --- /dev/null +++ b/queue-5.4/drivers-hv-vmbus-fix-crash-handler-reset-of-hyper-v-.patch @@ -0,0 +1,46 @@ +From 25f7596802de2c2869ace152344d924ba42959c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Nov 2019 06:32:01 +0000 +Subject: Drivers: hv: vmbus: Fix crash handler reset of Hyper-V synic + +From: Michael Kelley + +[ Upstream commit 7a1323b5dfe44a9013a2cc56ef2973034a00bf88 ] + +The crash handler calls hv_synic_cleanup() to shutdown the +Hyper-V synthetic interrupt controller. But if the CPU +that calls hv_synic_cleanup() has a VMbus channel interrupt +assigned to it (which is likely the case in smaller VM sizes), +hv_synic_cleanup() returns an error and the synthetic +interrupt controller isn't shutdown. While the lack of +being shutdown hasn't caused a known problem, it still +should be fixed for highest reliability. + +So directly call hv_synic_disable_regs() instead of +hv_synic_cleanup(), which ensures that the synic is always +shutdown. + +Signed-off-by: Michael Kelley +Reviewed-by: Vitaly Kuznetsov +Reviewed-by: Dexuan Cui +Signed-off-by: Sasha Levin +--- + drivers/hv/vmbus_drv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c +index 53a60c81e220..05ead1735c6e 100644 +--- a/drivers/hv/vmbus_drv.c ++++ b/drivers/hv/vmbus_drv.c +@@ -2308,7 +2308,7 @@ static void hv_crash_handler(struct pt_regs *regs) + vmbus_connection.conn_state = DISCONNECTED; + cpu = smp_processor_id(); + hv_stimer_cleanup(cpu); +- hv_synic_cleanup(cpu); ++ hv_synic_disable_regs(cpu); + hyperv_cleanup(); + }; + +-- +2.20.1 + diff --git a/queue-5.4/drm-amdgpu-call-find_vma-under-mmap_sem.patch b/queue-5.4/drm-amdgpu-call-find_vma-under-mmap_sem.patch new file mode 100644 index 00000000000..876390dcd71 --- /dev/null +++ b/queue-5.4/drm-amdgpu-call-find_vma-under-mmap_sem.patch @@ -0,0 +1,125 @@ +From be3184cd93d5afbdd9c44f5eef2abd0b896cb61e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Nov 2019 16:22:27 -0400 +Subject: drm/amdgpu: Call find_vma under mmap_sem +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jason Gunthorpe + +[ Upstream commit a9ae8731e6e52829a935d81a65d7f925cb95dbac ] + +find_vma() must be called under the mmap_sem, reorganize this code to +do the vma check after entering the lock. + +Further, fix the unlocked use of struct task_struct's mm, instead use +the mm from hmm_mirror which has an active mm_grab. Also the mm_grab +must be converted to a mm_get before acquiring mmap_sem or calling +find_vma(). + +Fixes: 66c45500bfdc ("drm/amdgpu: use new HMM APIs and helpers") +Fixes: 0919195f2b0d ("drm/amdgpu: Enable amdgpu_ttm_tt_get_user_pages in worker threads") +Link: https://lore.kernel.org/r/20191112202231.3856-11-jgg@ziepe.ca +Acked-by: Christian König +Reviewed-by: Felix Kuehling +Reviewed-by: Philip Yang +Tested-by: Philip Yang +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c | 37 ++++++++++++++----------- + 1 file changed, 21 insertions(+), 16 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c +index dff41d0a85fe..c0e41f1f0c23 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c +@@ -35,6 +35,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -788,7 +789,7 @@ int amdgpu_ttm_tt_get_user_pages(struct amdgpu_bo *bo, struct page **pages) + struct hmm_mirror *mirror = bo->mn ? &bo->mn->mirror : NULL; + struct ttm_tt *ttm = bo->tbo.ttm; + struct amdgpu_ttm_tt *gtt = (void *)ttm; +- struct mm_struct *mm = gtt->usertask->mm; ++ struct mm_struct *mm; + unsigned long start = gtt->userptr; + struct vm_area_struct *vma; + struct hmm_range *range; +@@ -796,25 +797,14 @@ int amdgpu_ttm_tt_get_user_pages(struct amdgpu_bo *bo, struct page **pages) + uint64_t *pfns; + int r = 0; + +- if (!mm) /* Happens during process shutdown */ +- return -ESRCH; +- + if (unlikely(!mirror)) { + DRM_DEBUG_DRIVER("Failed to get hmm_mirror\n"); +- r = -EFAULT; +- goto out; ++ return -EFAULT; + } + +- vma = find_vma(mm, start); +- if (unlikely(!vma || start < vma->vm_start)) { +- r = -EFAULT; +- goto out; +- } +- if (unlikely((gtt->userflags & AMDGPU_GEM_USERPTR_ANONONLY) && +- vma->vm_file)) { +- r = -EPERM; +- goto out; +- } ++ mm = mirror->hmm->mmu_notifier.mm; ++ if (!mmget_not_zero(mm)) /* Happens during process shutdown */ ++ return -ESRCH; + + range = kzalloc(sizeof(*range), GFP_KERNEL); + if (unlikely(!range)) { +@@ -847,6 +837,17 @@ int amdgpu_ttm_tt_get_user_pages(struct amdgpu_bo *bo, struct page **pages) + hmm_range_wait_until_valid(range, HMM_RANGE_DEFAULT_TIMEOUT); + + down_read(&mm->mmap_sem); ++ vma = find_vma(mm, start); ++ if (unlikely(!vma || start < vma->vm_start)) { ++ r = -EFAULT; ++ goto out_unlock; ++ } ++ if (unlikely((gtt->userflags & AMDGPU_GEM_USERPTR_ANONONLY) && ++ vma->vm_file)) { ++ r = -EPERM; ++ goto out_unlock; ++ } ++ + r = hmm_range_fault(range, 0); + up_read(&mm->mmap_sem); + +@@ -865,15 +866,19 @@ int amdgpu_ttm_tt_get_user_pages(struct amdgpu_bo *bo, struct page **pages) + } + + gtt->range = range; ++ mmput(mm); + + return 0; + ++out_unlock: ++ up_read(&mm->mmap_sem); + out_free_pfns: + hmm_range_unregister(range); + kvfree(pfns); + out_free_ranges: + kfree(range); + out: ++ mmput(mm); + return r; + } + +-- +2.20.1 + diff --git a/queue-5.4/dt-bindings-improve-validation-build-error-handling.patch b/queue-5.4/dt-bindings-improve-validation-build-error-handling.patch new file mode 100644 index 00000000000..7997ca0ea49 --- /dev/null +++ b/queue-5.4/dt-bindings-improve-validation-build-error-handling.patch @@ -0,0 +1,86 @@ +From 0ef92ad14722619abbcf3a3db95f62640c0f6903 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Nov 2019 09:46:19 -0600 +Subject: dt-bindings: Improve validation build error handling + +From: Rob Herring + +[ Upstream commit 93512dad334deb444619505f1fbb761156f7471b ] + +Schema errors can cause make to exit before useful information is +printed. This leaves developers wondering what's wrong. It can be +overcome passing '-k' to make, but that's not an obvious solution. +There's 2 scenarios where this happens. + +When using DT_SCHEMA_FILES to validate with a single schema, any error +in the schema results in processed-schema.yaml being empty causing a +make error. The result is the specific errors in the schema are never +shown because processed-schema.yaml is the first target built. Simply +making processed-schema.yaml last in extra-y ensures the full schema +validation with detailed error messages happen first. + +The 2nd problem is while schema errors are ignored for +processed-schema.yaml, full validation of the schema still runs in +parallel and any schema validation errors will still stop the build when +running validation of dts files. The fix is to not add the schema +examples to extra-y in this case. This means 'dtbs_check' is no longer a +superset of 'dt_binding_check'. Update the documentation to make this +clear. + +Cc: Masahiro Yamada +Tested-by: Jeffrey Hugo +Signed-off-by: Rob Herring +Signed-off-by: Sasha Levin +--- + Documentation/devicetree/bindings/Makefile | 5 ++++- + Documentation/devicetree/writing-schema.rst | 6 ++++-- + 2 files changed, 8 insertions(+), 3 deletions(-) + +diff --git a/Documentation/devicetree/bindings/Makefile b/Documentation/devicetree/bindings/Makefile +index 5138a2f6232a..646cb3525373 100644 +--- a/Documentation/devicetree/bindings/Makefile ++++ b/Documentation/devicetree/bindings/Makefile +@@ -12,7 +12,6 @@ $(obj)/%.example.dts: $(src)/%.yaml FORCE + $(call if_changed,chk_binding) + + DT_TMP_SCHEMA := processed-schema.yaml +-extra-y += $(DT_TMP_SCHEMA) + + quiet_cmd_mk_schema = SCHEMA $@ + cmd_mk_schema = $(DT_MK_SCHEMA) $(DT_MK_SCHEMA_FLAGS) -o $@ $(real-prereqs) +@@ -26,8 +25,12 @@ DT_DOCS = $(shell \ + + DT_SCHEMA_FILES ?= $(addprefix $(src)/,$(DT_DOCS)) + ++ifeq ($(CHECK_DTBS),) + extra-y += $(patsubst $(src)/%.yaml,%.example.dts, $(DT_SCHEMA_FILES)) + extra-y += $(patsubst $(src)/%.yaml,%.example.dt.yaml, $(DT_SCHEMA_FILES)) ++endif + + $(obj)/$(DT_TMP_SCHEMA): $(DT_SCHEMA_FILES) FORCE + $(call if_changed,mk_schema) ++ ++extra-y += $(DT_TMP_SCHEMA) +diff --git a/Documentation/devicetree/writing-schema.rst b/Documentation/devicetree/writing-schema.rst +index f4a638072262..83e04e5c342d 100644 +--- a/Documentation/devicetree/writing-schema.rst ++++ b/Documentation/devicetree/writing-schema.rst +@@ -130,11 +130,13 @@ binding schema. All of the DT binding documents can be validated using the + + make dt_binding_check + +-In order to perform validation of DT source files, use the `dtbs_check` target:: ++In order to perform validation of DT source files, use the ``dtbs_check`` target:: + + make dtbs_check + +-This will first run the `dt_binding_check` which generates the processed schema. ++Note that ``dtbs_check`` will skip any binding schema files with errors. It is ++necessary to use ``dt_binding_check`` to get all the validation errors in the ++binding schema files. + + It is also possible to run checks with a single schema file by setting the + ``DT_SCHEMA_FILES`` variable to a specific schema file. +-- +2.20.1 + diff --git a/queue-5.4/dtc-use-pkg-config-to-locate-libyaml.patch b/queue-5.4/dtc-use-pkg-config-to-locate-libyaml.patch new file mode 100644 index 00000000000..ae73dd18e96 --- /dev/null +++ b/queue-5.4/dtc-use-pkg-config-to-locate-libyaml.patch @@ -0,0 +1,53 @@ +From 812be73f030f5c6a0b4320ab3ddab779abdf1f8b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Jul 2019 13:52:19 +0200 +Subject: dtc: Use pkg-config to locate libyaml + +From: Pavel Modilaynen + +[ Upstream commit 067c650c456e758f933aaf87a202f841d34be269 ] + +Using Makefile's wildcard with absolute path to detect +the presence of libyaml results in false-positive +detection when cross-compiling e.g. in yocto environment. +The latter results in build error: +| scripts/dtc/yamltree.o: In function `yaml_propval_int': +| yamltree.c: undefined reference to `yaml_sequence_start_event_initialize' +| yamltree.c: undefined reference to `yaml_emitter_emit' +| yamltree.c: undefined reference to `yaml_scalar_event_initialize' +... +Use pkg-config to locate libyaml to address this scenario. + +Signed-off-by: Pavel Modilaynen +[robh: silence stderr] +Signed-off-by: Rob Herring +Signed-off-by: Sasha Levin +--- + scripts/dtc/Makefile | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/scripts/dtc/Makefile b/scripts/dtc/Makefile +index 82160808765c..b5a5b1c548c9 100644 +--- a/scripts/dtc/Makefile ++++ b/scripts/dtc/Makefile +@@ -11,7 +11,7 @@ dtc-objs += dtc-lexer.lex.o dtc-parser.tab.o + # Source files need to get at the userspace version of libfdt_env.h to compile + HOST_EXTRACFLAGS := -I $(srctree)/$(src)/libfdt + +-ifeq ($(wildcard /usr/include/yaml.h),) ++ifeq ($(shell pkg-config --exists yaml-0.1 2>/dev/null && echo yes),) + ifneq ($(CHECK_DTBS),) + $(error dtc needs libyaml for DT schema validation support. \ + Install the necessary libyaml development package.) +@@ -19,7 +19,7 @@ endif + HOST_EXTRACFLAGS += -DNO_YAML + else + dtc-objs += yamltree.o +-HOSTLDLIBS_dtc := -lyaml ++HOSTLDLIBS_dtc := $(shell pkg-config yaml-0.1 --libs) + endif + + # Generated files need one more search path to include headers in source tree +-- +2.20.1 + diff --git a/queue-5.4/ext4-iomap-that-extends-beyond-eof-should-be-marked-.patch b/queue-5.4/ext4-iomap-that-extends-beyond-eof-should-be-marked-.patch new file mode 100644 index 00000000000..8fa7ab6e57b --- /dev/null +++ b/queue-5.4/ext4-iomap-that-extends-beyond-eof-should-be-marked-.patch @@ -0,0 +1,61 @@ +From dbf67fd61bb3a38dba4aaf7534bc8c64d5ca9f9c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Nov 2019 22:59:37 +1100 +Subject: ext4: iomap that extends beyond EOF should be marked dirty + +From: Matthew Bobrowski + +[ Upstream commit 2e9b51d78229d5145725a481bb5464ebc0a3f9b2 ] + +This patch addresses what Dave Chinner had discovered and fixed within +commit: 7684e2c4384d. This changes does not have any user visible +impact for ext4 as none of the current users of ext4_iomap_begin() +that extend files depend on IOMAP_F_DIRTY. + +When doing a direct IO that spans the current EOF, and there are +written blocks beyond EOF that extend beyond the current write, the +only metadata update that needs to be done is a file size extension. + +However, we don't mark such iomaps as IOMAP_F_DIRTY to indicate that +there is IO completion metadata updates required, and hence we may +fail to correctly sync file size extensions made in IO completion when +O_DSYNC writes are being used and the hardware supports FUA. + +Hence when setting IOMAP_F_DIRTY, we need to also take into account +whether the iomap spans the current EOF. If it does, then we need to +mark it dirty so that IO completion will call generic_write_sync() to +flush the inode size update to stable storage correctly. + +Signed-off-by: Matthew Bobrowski +Reviewed-by: Jan Kara +Reviewed-by: Ritesh Harjani +Link: https://lore.kernel.org/r/8b43ee9ee94bee5328da56ba0909b7d2229ef150.1572949325.git.mbobrowski@mbobrowski.org +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/inode.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index b10aa115eade..8bba6cd5e870 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -3532,8 +3532,14 @@ retry: + return ret; + } + ++ /* ++ * Writes that span EOF might trigger an I/O size update on completion, ++ * so consider them to be dirty for the purposes of O_DSYNC, even if ++ * there is no other metadata changes being made or are pending here. ++ */ + iomap->flags = 0; +- if (ext4_inode_datasync_dirty(inode)) ++ if (ext4_inode_datasync_dirty(inode) || ++ offset + length > i_size_read(inode)) + iomap->flags |= IOMAP_F_DIRTY; + iomap->bdev = inode->i_sb->s_bdev; + iomap->dax_dev = sbi->s_daxdev; +-- +2.20.1 + diff --git a/queue-5.4/ext4-update-direct-i-o-read-lock-pattern-for-iocb_no.patch b/queue-5.4/ext4-update-direct-i-o-read-lock-pattern-for-iocb_no.patch new file mode 100644 index 00000000000..1adc3b08466 --- /dev/null +++ b/queue-5.4/ext4-update-direct-i-o-read-lock-pattern-for-iocb_no.patch @@ -0,0 +1,47 @@ +From e0dd8be7ce2d3b0ae3372390e9aa81dec9e44d37 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Nov 2019 22:59:22 +1100 +Subject: ext4: update direct I/O read lock pattern for IOCB_NOWAIT + +From: Matthew Bobrowski + +[ Upstream commit 548feebec7e93e58b647dba70b3303dcb569c914 ] + +This patch updates the lock pattern in ext4_direct_IO_read() to not +block on inode lock in cases of IOCB_NOWAIT direct I/O reads. The +locking condition implemented here is similar to that of 942491c9e6d6 +("xfs: fix AIM7 regression"). + +Fixes: 16c54688592c ("ext4: Allow parallel DIO reads") +Signed-off-by: Matthew Bobrowski +Reviewed-by: Jan Kara +Reviewed-by: Ritesh Harjani +Link: https://lore.kernel.org/r/c5d5e759f91747359fbd2c6f9a36240cf75ad79f.1572949325.git.mbobrowski@mbobrowski.org +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/inode.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index 53134e4509b8..b10aa115eade 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -3836,7 +3836,13 @@ static ssize_t ext4_direct_IO_read(struct kiocb *iocb, struct iov_iter *iter) + * writes & truncates and since we take care of writing back page cache, + * we are protected against page writeback as well. + */ +- inode_lock_shared(inode); ++ if (iocb->ki_flags & IOCB_NOWAIT) { ++ if (!inode_trylock_shared(inode)) ++ return -EAGAIN; ++ } else { ++ inode_lock_shared(inode); ++ } ++ + ret = filemap_write_and_wait_range(mapping, iocb->ki_pos, + iocb->ki_pos + count - 1); + if (ret) +-- +2.20.1 + diff --git a/queue-5.4/f2fs-choose-hardlimit-when-softlimit-is-larger-than-.patch b/queue-5.4/f2fs-choose-hardlimit-when-softlimit-is-larger-than-.patch new file mode 100644 index 00000000000..2c71c512606 --- /dev/null +++ b/queue-5.4/f2fs-choose-hardlimit-when-softlimit-is-larger-than-.patch @@ -0,0 +1,92 @@ +From 4a2869ce8e18dbe8954fa070a2a66e9f1871fc2f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Nov 2019 11:20:36 +0800 +Subject: f2fs: choose hardlimit when softlimit is larger than hardlimit in + f2fs_statfs_project() + +From: Chengguang Xu + +[ Upstream commit 909110c060f22e65756659ec6fa957ae75777e00 ] + +Setting softlimit larger than hardlimit seems meaningless +for disk quota but currently it is allowed. In this case, +there may be a bit of comfusion for users when they run +df comamnd to directory which has project quota. + +For example, we set 20M softlimit and 10M hardlimit of +block usage limit for project quota of test_dir(project id 123). + +[root@hades f2fs]# repquota -P -a +*** Report for project quotas on device /dev/nvme0n1p8 +Block grace time: 7days; Inode grace time: 7days +Block limits File limits +Project used soft hard grace used soft hard grace +---------------------------------------------------------------------- +0 -- 4 0 0 1 0 0 +123 +- 10248 20480 10240 2 0 0 + +The result of df command as below: + +[root@hades f2fs]# df -h /mnt/f2fs/test +Filesystem Size Used Avail Use% Mounted on +/dev/nvme0n1p8 20M 11M 10M 51% /mnt/f2fs + +Even though it looks like there is another 10M free space to use, +if we write new data to diretory test(inherit project id), +the write will fail with errno(-EDQUOT). + +After this patch, the df result looks like below. + +[root@hades f2fs]# df -h /mnt/f2fs/test +Filesystem Size Used Avail Use% Mounted on +/dev/nvme0n1p8 10M 10M 0 100% /mnt/f2fs + +Signed-off-by: Chengguang Xu +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/super.c | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c +index 1443cee15863..a2af155567b8 100644 +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -1213,9 +1213,13 @@ static int f2fs_statfs_project(struct super_block *sb, + return PTR_ERR(dquot); + spin_lock(&dquot->dq_dqb_lock); + +- limit = (dquot->dq_dqb.dqb_bsoftlimit ? +- dquot->dq_dqb.dqb_bsoftlimit : +- dquot->dq_dqb.dqb_bhardlimit) >> sb->s_blocksize_bits; ++ limit = 0; ++ if (dquot->dq_dqb.dqb_bsoftlimit) ++ limit = dquot->dq_dqb.dqb_bsoftlimit; ++ if (dquot->dq_dqb.dqb_bhardlimit && ++ (!limit || dquot->dq_dqb.dqb_bhardlimit < limit)) ++ limit = dquot->dq_dqb.dqb_bhardlimit; ++ + if (limit && buf->f_blocks > limit) { + curblock = dquot->dq_dqb.dqb_curspace >> sb->s_blocksize_bits; + buf->f_blocks = limit; +@@ -1224,9 +1228,13 @@ static int f2fs_statfs_project(struct super_block *sb, + (buf->f_blocks - curblock) : 0; + } + +- limit = dquot->dq_dqb.dqb_isoftlimit ? +- dquot->dq_dqb.dqb_isoftlimit : +- dquot->dq_dqb.dqb_ihardlimit; ++ limit = 0; ++ if (dquot->dq_dqb.dqb_isoftlimit) ++ limit = dquot->dq_dqb.dqb_isoftlimit; ++ if (dquot->dq_dqb.dqb_ihardlimit && ++ (!limit || dquot->dq_dqb.dqb_ihardlimit < limit)) ++ limit = dquot->dq_dqb.dqb_ihardlimit; ++ + if (limit && buf->f_files > limit) { + buf->f_files = limit; + buf->f_ffree = +-- +2.20.1 + diff --git a/queue-5.4/f2fs-fix-deadlock-in-f2fs_gc-context-during-atomic-f.patch b/queue-5.4/f2fs-fix-deadlock-in-f2fs_gc-context-during-atomic-f.patch new file mode 100644 index 00000000000..2bc52b41a47 --- /dev/null +++ b/queue-5.4/f2fs-fix-deadlock-in-f2fs_gc-context-during-atomic-f.patch @@ -0,0 +1,130 @@ +From 13d4e15c39b4a40a1654752ae1d92a2521c3e6b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Nov 2019 16:01:03 +0530 +Subject: f2fs: Fix deadlock in f2fs_gc() context during atomic files handling + +From: Sahitya Tummala + +[ Upstream commit 677017d196ba2a4cfff13626b951cc9a206b8c7c ] + +The FS got stuck in the below stack when the storage is almost +full/dirty condition (when FG_GC is being done). + +schedule_timeout +io_schedule_timeout +congestion_wait +f2fs_drop_inmem_pages_all +f2fs_gc +f2fs_balance_fs +__write_node_page +f2fs_fsync_node_pages +f2fs_do_sync_file +f2fs_ioctl + +The root cause for this issue is there is a potential infinite loop +in f2fs_drop_inmem_pages_all() for the case where gc_failure is true +and when there an inode whose i_gc_failures[GC_FAILURE_ATOMIC] is +not set. Fix this by keeping track of the total atomic files +currently opened and using that to exit from this condition. + +Fix-suggested-by: Chao Yu +Signed-off-by: Chao Yu +Signed-off-by: Sahitya Tummala +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/f2fs.h | 1 + + fs/f2fs/file.c | 1 + + fs/f2fs/segment.c | 21 +++++++++++++++------ + 3 files changed, 17 insertions(+), 6 deletions(-) + +diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h +index f078cd20dab8..9046432b87c2 100644 +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -1289,6 +1289,7 @@ struct f2fs_sb_info { + unsigned int gc_mode; /* current GC state */ + unsigned int next_victim_seg[2]; /* next segment in victim section */ + /* for skip statistic */ ++ unsigned int atomic_files; /* # of opened atomic file */ + unsigned long long skipped_atomic_files[2]; /* FG_GC and BG_GC */ + unsigned long long skipped_gc_rwsem; /* FG_GC only */ + +diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c +index 29bc0a542759..8ed8e4328bd1 100644 +--- a/fs/f2fs/file.c ++++ b/fs/f2fs/file.c +@@ -1890,6 +1890,7 @@ static int f2fs_ioc_start_atomic_write(struct file *filp) + spin_lock(&sbi->inode_lock[ATOMIC_FILE]); + if (list_empty(&fi->inmem_ilist)) + list_add_tail(&fi->inmem_ilist, &sbi->inode_list[ATOMIC_FILE]); ++ sbi->atomic_files++; + spin_unlock(&sbi->inode_lock[ATOMIC_FILE]); + + /* add inode in inmem_list first and set atomic_file */ +diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c +index 808709581481..7d8578401267 100644 +--- a/fs/f2fs/segment.c ++++ b/fs/f2fs/segment.c +@@ -288,6 +288,8 @@ void f2fs_drop_inmem_pages_all(struct f2fs_sb_info *sbi, bool gc_failure) + struct list_head *head = &sbi->inode_list[ATOMIC_FILE]; + struct inode *inode; + struct f2fs_inode_info *fi; ++ unsigned int count = sbi->atomic_files; ++ unsigned int looped = 0; + next: + spin_lock(&sbi->inode_lock[ATOMIC_FILE]); + if (list_empty(head)) { +@@ -296,22 +298,26 @@ next: + } + fi = list_first_entry(head, struct f2fs_inode_info, inmem_ilist); + inode = igrab(&fi->vfs_inode); ++ if (inode) ++ list_move_tail(&fi->inmem_ilist, head); + spin_unlock(&sbi->inode_lock[ATOMIC_FILE]); + + if (inode) { + if (gc_failure) { +- if (fi->i_gc_failures[GC_FAILURE_ATOMIC]) +- goto drop; +- goto skip; ++ if (!fi->i_gc_failures[GC_FAILURE_ATOMIC]) ++ goto skip; + } +-drop: + set_inode_flag(inode, FI_ATOMIC_REVOKE_REQUEST); + f2fs_drop_inmem_pages(inode); ++skip: + iput(inode); + } +-skip: + congestion_wait(BLK_RW_ASYNC, HZ/50); + cond_resched(); ++ if (gc_failure) { ++ if (++looped >= count) ++ return; ++ } + goto next; + } + +@@ -327,13 +333,16 @@ void f2fs_drop_inmem_pages(struct inode *inode) + mutex_unlock(&fi->inmem_lock); + } + +- clear_inode_flag(inode, FI_ATOMIC_FILE); + fi->i_gc_failures[GC_FAILURE_ATOMIC] = 0; + stat_dec_atomic_write(inode); + + spin_lock(&sbi->inode_lock[ATOMIC_FILE]); + if (!list_empty(&fi->inmem_ilist)) + list_del_init(&fi->inmem_ilist); ++ if (f2fs_is_atomic_file(inode)) { ++ clear_inode_flag(inode, FI_ATOMIC_FILE); ++ sbi->atomic_files--; ++ } + spin_unlock(&sbi->inode_lock[ATOMIC_FILE]); + } + +-- +2.20.1 + diff --git a/queue-5.4/f2fs-fix-to-update-dir-s-i_pino-during-cross_rename.patch b/queue-5.4/f2fs-fix-to-update-dir-s-i_pino-during-cross_rename.patch new file mode 100644 index 00000000000..89b6042317d --- /dev/null +++ b/queue-5.4/f2fs-fix-to-update-dir-s-i_pino-during-cross_rename.patch @@ -0,0 +1,94 @@ +From 5b2cf117de5c09c5f473be2b8c3d9deeb8d5cd2d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Nov 2019 14:12:05 +0800 +Subject: f2fs: fix to update dir's i_pino during cross_rename + +From: Chao Yu + +[ Upstream commit 2a60637f06ac94869b2e630eaf837110d39bf291 ] + +As Eric reported: + +RENAME_EXCHANGE support was just added to fsstress in xfstests: + + commit 65dfd40a97b6bbbd2a22538977bab355c5bc0f06 + Author: kaixuxia + Date: Thu Oct 31 14:41:48 2019 +0800 + + fsstress: add EXCHANGE renameat2 support + +This is causing xfstest generic/579 to fail due to fsck.f2fs reporting errors. +I'm not sure what the problem is, but it still happens even with all the +fs-verity stuff in the test commented out, so that the test just runs fsstress. + +generic/579 23s ... [10:02:25] +[ 7.745370] run fstests generic/579 at 2019-11-04 10:02:25 +_check_generic_filesystem: filesystem on /dev/vdc is inconsistent +(see /results/f2fs/results-default/generic/579.full for details) + [10:02:47] +Ran: generic/579 +Failures: generic/579 +Failed 1 of 1 tests +Xunit report: /results/f2fs/results-default/result.xml + +Here's the contents of 579.full: + +_check_generic_filesystem: filesystem on /dev/vdc is inconsistent +*** fsck.f2fs output *** +[ASSERT] (__chk_dots_dentries:1378) --> Bad inode number[0x24] for '..', parent parent ino is [0xd10] + +The root cause is that we forgot to update directory's i_pino during +cross_rename, fix it. + +Fixes: 32f9bc25cbda0 ("f2fs: support ->rename2()") +Signed-off-by: Chao Yu +Tested-by: Eric Biggers +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/namei.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/fs/f2fs/namei.c b/fs/f2fs/namei.c +index 4faf06e8bf89..a1c507b0b4ac 100644 +--- a/fs/f2fs/namei.c ++++ b/fs/f2fs/namei.c +@@ -981,7 +981,8 @@ static int f2fs_rename(struct inode *old_dir, struct dentry *old_dentry, + if (!old_dir_entry || whiteout) + file_lost_pino(old_inode); + else +- F2FS_I(old_inode)->i_pino = new_dir->i_ino; ++ /* adjust dir's i_pino to pass fsck check */ ++ f2fs_i_pino_write(old_inode, new_dir->i_ino); + up_write(&F2FS_I(old_inode)->i_sem); + + old_inode->i_ctime = current_time(old_inode); +@@ -1141,7 +1142,11 @@ static int f2fs_cross_rename(struct inode *old_dir, struct dentry *old_dentry, + f2fs_set_link(old_dir, old_entry, old_page, new_inode); + + down_write(&F2FS_I(old_inode)->i_sem); +- file_lost_pino(old_inode); ++ if (!old_dir_entry) ++ file_lost_pino(old_inode); ++ else ++ /* adjust dir's i_pino to pass fsck check */ ++ f2fs_i_pino_write(old_inode, new_dir->i_ino); + up_write(&F2FS_I(old_inode)->i_sem); + + old_dir->i_ctime = current_time(old_dir); +@@ -1156,7 +1161,11 @@ static int f2fs_cross_rename(struct inode *old_dir, struct dentry *old_dentry, + f2fs_set_link(new_dir, new_entry, new_page, old_inode); + + down_write(&F2FS_I(new_inode)->i_sem); +- file_lost_pino(new_inode); ++ if (!new_dir_entry) ++ file_lost_pino(new_inode); ++ else ++ /* adjust dir's i_pino to pass fsck check */ ++ f2fs_i_pino_write(new_inode, old_dir->i_ino); + up_write(&F2FS_I(new_inode)->i_sem); + + new_dir->i_ctime = current_time(new_dir); +-- +2.20.1 + diff --git a/queue-5.4/f2fs-fix-to-update-time-in-lazytime-mode.patch b/queue-5.4/f2fs-fix-to-update-time-in-lazytime-mode.patch new file mode 100644 index 00000000000..4fcdc4ffeef --- /dev/null +++ b/queue-5.4/f2fs-fix-to-update-time-in-lazytime-mode.patch @@ -0,0 +1,104 @@ +From 3c0b487e39d7ade36219f7faccd72f40a4fee340 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Sep 2019 18:01:35 +0800 +Subject: f2fs: fix to update time in lazytime mode + +From: Chao Yu + +[ Upstream commit fe1897eaa6646f5a64a4cee0e6473ed9887d324b ] + +generic/018 reports an inconsistent status of atime, the +testcase is as below: +- open file with O_SYNC +- write file to construct fraged space +- calc md5 of file +- record {a,c,m}time +- defrag file --- do nothing +- umount & mount +- check {a,c,m}time + +The root cause is, as f2fs enables lazytime by default, atime +update will dirty vfs inode, rather than dirtying f2fs inode (by set +with FI_DIRTY_INODE), so later f2fs_write_inode() called from VFS will +fail to update inode page due to our skip: + +f2fs_write_inode() + if (is_inode_flag_set(inode, FI_DIRTY_INODE)) + return 0; + +So eventually, after evict(), we lose last atime for ever. + +To fix this issue, we need to check whether {a,c,m,cr}time is +consistent in between inode cache and inode page, and only skip +f2fs_update_inode() if f2fs inode is not dirty and time is +consistent as well. + +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/f2fs.h | 23 +++++++++++++++-------- + fs/f2fs/inode.c | 6 +++++- + 2 files changed, 20 insertions(+), 9 deletions(-) + +diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h +index 4024790028aa..f078cd20dab8 100644 +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -2704,6 +2704,20 @@ static inline void clear_file(struct inode *inode, int type) + f2fs_mark_inode_dirty_sync(inode, true); + } + ++static inline bool f2fs_is_time_consistent(struct inode *inode) ++{ ++ if (!timespec64_equal(F2FS_I(inode)->i_disk_time, &inode->i_atime)) ++ return false; ++ if (!timespec64_equal(F2FS_I(inode)->i_disk_time + 1, &inode->i_ctime)) ++ return false; ++ if (!timespec64_equal(F2FS_I(inode)->i_disk_time + 2, &inode->i_mtime)) ++ return false; ++ if (!timespec64_equal(F2FS_I(inode)->i_disk_time + 3, ++ &F2FS_I(inode)->i_crtime)) ++ return false; ++ return true; ++} ++ + static inline bool f2fs_skip_inode_update(struct inode *inode, int dsync) + { + bool ret; +@@ -2721,14 +2735,7 @@ static inline bool f2fs_skip_inode_update(struct inode *inode, int dsync) + i_size_read(inode) & ~PAGE_MASK) + return false; + +- if (!timespec64_equal(F2FS_I(inode)->i_disk_time, &inode->i_atime)) +- return false; +- if (!timespec64_equal(F2FS_I(inode)->i_disk_time + 1, &inode->i_ctime)) +- return false; +- if (!timespec64_equal(F2FS_I(inode)->i_disk_time + 2, &inode->i_mtime)) +- return false; +- if (!timespec64_equal(F2FS_I(inode)->i_disk_time + 3, +- &F2FS_I(inode)->i_crtime)) ++ if (!f2fs_is_time_consistent(inode)) + return false; + + down_read(&F2FS_I(inode)->i_sem); +diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c +index db4fec30c30d..386ad54c13c3 100644 +--- a/fs/f2fs/inode.c ++++ b/fs/f2fs/inode.c +@@ -615,7 +615,11 @@ int f2fs_write_inode(struct inode *inode, struct writeback_control *wbc) + inode->i_ino == F2FS_META_INO(sbi)) + return 0; + +- if (!is_inode_flag_set(inode, FI_DIRTY_INODE)) ++ /* ++ * atime could be updated without dirtying f2fs inode in lazytime mode ++ */ ++ if (f2fs_is_time_consistent(inode) && ++ !is_inode_flag_set(inode, FI_DIRTY_INODE)) + return 0; + + if (!f2fs_is_checkpoint_ready(sbi)) +-- +2.20.1 + diff --git a/queue-5.4/fs-quota-handle-overflows-of-sysctl-fs.quota.-and-re.patch b/queue-5.4/fs-quota-handle-overflows-of-sysctl-fs.quota.-and-re.patch new file mode 100644 index 00000000000..b3388535c9b --- /dev/null +++ b/queue-5.4/fs-quota-handle-overflows-of-sysctl-fs.quota.-and-re.patch @@ -0,0 +1,148 @@ +From c840e8a902c8920d759ed00967ad09cf11f6fc84 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 10 Nov 2019 12:49:06 +0300 +Subject: fs/quota: handle overflows of sysctl fs.quota.* and report as + unsigned long + +From: Konstantin Khlebnikov + +[ Upstream commit 6fcbcec9cfc7b3c6a2c1f1a23ebacedff7073e0a ] + +Quota statistics counted as 64-bit per-cpu counter. Reading sums per-cpu +fractions as signed 64-bit int, filters negative values and then reports +lower half as signed 32-bit int. + +Result may looks like: + +fs.quota.allocated_dquots = 22327 +fs.quota.cache_hits = -489852115 +fs.quota.drops = -487288718 +fs.quota.free_dquots = 22083 +fs.quota.lookups = -486883485 +fs.quota.reads = 22327 +fs.quota.syncs = 335064 +fs.quota.writes = 3088689 + +Values bigger than 2^31-1 reported as negative. + +All counters except "allocated_dquots" and "free_dquots" are monotonic, +thus they should be reported as is without filtering negative values. + +Kernel doesn't have generic helper for 64-bit sysctl yet, +let's use at least unsigned long. + +Link: https://lore.kernel.org/r/157337934693.2078.9842146413181153727.stgit@buzz +Signed-off-by: Konstantin Khlebnikov +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/quota/dquot.c | 29 +++++++++++++++++------------ + include/linux/quota.h | 2 +- + 2 files changed, 18 insertions(+), 13 deletions(-) + +diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c +index 7f0b39da5022..9b96243de081 100644 +--- a/fs/quota/dquot.c ++++ b/fs/quota/dquot.c +@@ -2861,68 +2861,73 @@ EXPORT_SYMBOL(dquot_quotactl_sysfile_ops); + static int do_proc_dqstats(struct ctl_table *table, int write, + void __user *buffer, size_t *lenp, loff_t *ppos) + { +- unsigned int type = (int *)table->data - dqstats.stat; ++ unsigned int type = (unsigned long *)table->data - dqstats.stat; ++ s64 value = percpu_counter_sum(&dqstats.counter[type]); ++ ++ /* Filter negative values for non-monotonic counters */ ++ if (value < 0 && (type == DQST_ALLOC_DQUOTS || ++ type == DQST_FREE_DQUOTS)) ++ value = 0; + + /* Update global table */ +- dqstats.stat[type] = +- percpu_counter_sum_positive(&dqstats.counter[type]); +- return proc_dointvec(table, write, buffer, lenp, ppos); ++ dqstats.stat[type] = value; ++ return proc_doulongvec_minmax(table, write, buffer, lenp, ppos); + } + + static struct ctl_table fs_dqstats_table[] = { + { + .procname = "lookups", + .data = &dqstats.stat[DQST_LOOKUPS], +- .maxlen = sizeof(int), ++ .maxlen = sizeof(unsigned long), + .mode = 0444, + .proc_handler = do_proc_dqstats, + }, + { + .procname = "drops", + .data = &dqstats.stat[DQST_DROPS], +- .maxlen = sizeof(int), ++ .maxlen = sizeof(unsigned long), + .mode = 0444, + .proc_handler = do_proc_dqstats, + }, + { + .procname = "reads", + .data = &dqstats.stat[DQST_READS], +- .maxlen = sizeof(int), ++ .maxlen = sizeof(unsigned long), + .mode = 0444, + .proc_handler = do_proc_dqstats, + }, + { + .procname = "writes", + .data = &dqstats.stat[DQST_WRITES], +- .maxlen = sizeof(int), ++ .maxlen = sizeof(unsigned long), + .mode = 0444, + .proc_handler = do_proc_dqstats, + }, + { + .procname = "cache_hits", + .data = &dqstats.stat[DQST_CACHE_HITS], +- .maxlen = sizeof(int), ++ .maxlen = sizeof(unsigned long), + .mode = 0444, + .proc_handler = do_proc_dqstats, + }, + { + .procname = "allocated_dquots", + .data = &dqstats.stat[DQST_ALLOC_DQUOTS], +- .maxlen = sizeof(int), ++ .maxlen = sizeof(unsigned long), + .mode = 0444, + .proc_handler = do_proc_dqstats, + }, + { + .procname = "free_dquots", + .data = &dqstats.stat[DQST_FREE_DQUOTS], +- .maxlen = sizeof(int), ++ .maxlen = sizeof(unsigned long), + .mode = 0444, + .proc_handler = do_proc_dqstats, + }, + { + .procname = "syncs", + .data = &dqstats.stat[DQST_SYNCS], +- .maxlen = sizeof(int), ++ .maxlen = sizeof(unsigned long), + .mode = 0444, + .proc_handler = do_proc_dqstats, + }, +diff --git a/include/linux/quota.h b/include/linux/quota.h +index f32dd270b8e3..27aab84fcbaa 100644 +--- a/include/linux/quota.h ++++ b/include/linux/quota.h +@@ -263,7 +263,7 @@ enum { + }; + + struct dqstats { +- int stat[_DQST_DQSTAT_LAST]; ++ unsigned long stat[_DQST_DQSTAT_LAST]; + struct percpu_counter counter[_DQST_DQSTAT_LAST]; + }; + +-- +2.20.1 + diff --git a/queue-5.4/gpio-lynxpoint-setup-correct-irq-handlers.patch b/queue-5.4/gpio-lynxpoint-setup-correct-irq-handlers.patch new file mode 100644 index 00000000000..99888a54646 --- /dev/null +++ b/queue-5.4/gpio-lynxpoint-setup-correct-irq-handlers.patch @@ -0,0 +1,44 @@ +From d53fef6cf06d3c2883d2ca9f70c53a0375f153d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Nov 2019 20:02:51 +0200 +Subject: gpio: lynxpoint: Setup correct IRQ handlers + +From: Andy Shevchenko + +[ Upstream commit e272f7ec070d212b9301d5a465bc8952f8dcf908 ] + +When commit 75e99bf5ed8f ("gpio: lynxpoint: set default handler to be +handle_bad_irq()") switched default handler to be handle_bad_irq() the +lp_irq_type() function remained untouched. It means that even request_irq() +can't change the handler and we are not able to handle IRQs properly anymore. +Fix it by setting correct handlers in the lp_irq_type() callback. + +Fixes: 75e99bf5ed8f ("gpio: lynxpoint: set default handler to be handle_bad_irq()") +Signed-off-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20191118180251.31439-1-andriy.shevchenko@linux.intel.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-lynxpoint.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/gpio/gpio-lynxpoint.c b/drivers/gpio/gpio-lynxpoint.c +index e9e47c0d5be7..490ce7bae25e 100644 +--- a/drivers/gpio/gpio-lynxpoint.c ++++ b/drivers/gpio/gpio-lynxpoint.c +@@ -164,6 +164,12 @@ static int lp_irq_type(struct irq_data *d, unsigned type) + value |= TRIG_SEL_BIT | INT_INV_BIT; + + outl(value, reg); ++ ++ if (type & IRQ_TYPE_EDGE_BOTH) ++ irq_set_handler_locked(d, handle_edge_irq); ++ else if (type & IRQ_TYPE_LEVEL_MASK) ++ irq_set_handler_locked(d, handle_level_irq); ++ + spin_unlock_irqrestore(&lg->lock, flags); + + return 0; +-- +2.20.1 + diff --git a/queue-5.4/gpio-mpc8xxx-don-t-overwrite-default-irq_set_type-ca.patch b/queue-5.4/gpio-mpc8xxx-don-t-overwrite-default-irq_set_type-ca.patch new file mode 100644 index 00000000000..625ca43fac9 --- /dev/null +++ b/queue-5.4/gpio-mpc8xxx-don-t-overwrite-default-irq_set_type-ca.patch @@ -0,0 +1,56 @@ +From a8f999eebe81051a62bc2c70ed6290e91c7d5062 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Nov 2019 14:55:51 +0200 +Subject: gpio: mpc8xxx: Don't overwrite default irq_set_type callback + +From: Vladimir Oltean + +[ Upstream commit 4e50573f39229d5e9c985fa3b4923a8b29619ade ] + +The per-SoC devtype structures can contain their own callbacks that +overwrite mpc8xxx_gpio_devtype_default. + +The clear intention is that mpc8xxx_irq_set_type is used in case the SoC +does not specify a more specific callback. But what happens is that if +the SoC doesn't specify one, its .irq_set_type is de-facto NULL, and +this overwrites mpc8xxx_irq_set_type to a no-op. This means that the +following SoCs are affected: + +- fsl,mpc8572-gpio +- fsl,ls1028a-gpio +- fsl,ls1088a-gpio + +On these boards, the irq_set_type does exactly nothing, and the GPIO +controller keeps its GPICR register in the hardware-default state. On +the LS1028A, that is ACTIVE_BOTH, which means 2 interrupts are raised +even if the IRQ client requests LEVEL_HIGH. Another implication is that +the IRQs are not checked (e.g. level-triggered interrupts are not +rejected, although they are not supported). + +Fixes: 82e39b0d8566 ("gpio: mpc8xxx: handle differences between incarnations at a single place") +Signed-off-by: Vladimir Oltean +Link: https://lore.kernel.org/r/20191115125551.31061-1-olteanv@gmail.com +Tested-by: Michael Walle +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-mpc8xxx.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpio/gpio-mpc8xxx.c b/drivers/gpio/gpio-mpc8xxx.c +index b863421ae730..a031cbcdf6ef 100644 +--- a/drivers/gpio/gpio-mpc8xxx.c ++++ b/drivers/gpio/gpio-mpc8xxx.c +@@ -377,7 +377,8 @@ static int mpc8xxx_probe(struct platform_device *pdev) + * It's assumed that only a single type of gpio controller is available + * on the current machine, so overwriting global data is fine. + */ +- mpc8xxx_irq_chip.irq_set_type = devtype->irq_set_type; ++ if (devtype->irq_set_type) ++ mpc8xxx_irq_chip.irq_set_type = devtype->irq_set_type; + + if (devtype->gpio_dir_out) + gc->direction_output = devtype->gpio_dir_out; +-- +2.20.1 + diff --git a/queue-5.4/gpio-mpc8xxx-fix-qoriq-gpio-reading.patch b/queue-5.4/gpio-mpc8xxx-fix-qoriq-gpio-reading.patch new file mode 100644 index 00000000000..cbeb341dd8e --- /dev/null +++ b/queue-5.4/gpio-mpc8xxx-fix-qoriq-gpio-reading.patch @@ -0,0 +1,37 @@ +From db67533cfdba9397a842bd15ee19c4ec0cd5211c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Nov 2019 13:10:38 +0000 +Subject: gpio/mpc8xxx: fix qoriq GPIO reading + +From: Russell King + +[ Upstream commit 787b64a43f7acacf8099329ea08872e663f1e74f ] + +Qoriq requires the IBE register to be set to enable GPIO inputs to be +read. Set it. + +Signed-off-by: Russell King +Link: https://lore.kernel.org/r/E1iX3HC-00069N-0T@rmk-PC.armlinux.org.uk +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-mpc8xxx.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpio/gpio-mpc8xxx.c b/drivers/gpio/gpio-mpc8xxx.c +index 16a47de29c94..b863421ae730 100644 +--- a/drivers/gpio/gpio-mpc8xxx.c ++++ b/drivers/gpio/gpio-mpc8xxx.c +@@ -386,6 +386,9 @@ static int mpc8xxx_probe(struct platform_device *pdev) + + gc->to_irq = mpc8xxx_gpio_to_irq; + ++ if (of_device_is_compatible(np, "fsl,qoriq-gpio")) ++ gc->write_reg(mpc8xxx_gc->regs + GPIO_IBE, 0xffffffff); ++ + ret = gpiochip_add_data(gc, mpc8xxx_gc); + if (ret) { + pr_err("%pOF: GPIO chip registration failed with status %d\n", +-- +2.20.1 + diff --git a/queue-5.4/gpio-mxc-only-get-the-second-irq-when-there-is-more-.patch b/queue-5.4/gpio-mxc-only-get-the-second-irq-when-there-is-more-.patch new file mode 100644 index 00000000000..b7cf7115cab --- /dev/null +++ b/queue-5.4/gpio-mxc-only-get-the-second-irq-when-there-is-more-.patch @@ -0,0 +1,63 @@ +From c16b1eda3c3cf6697a5f0c84800b5158ca277b61 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Sep 2019 17:39:17 +0800 +Subject: gpio: mxc: Only get the second IRQ when there is more than one IRQ + +From: Anson Huang + +[ Upstream commit c8f3d144004dd3f471ffd414690d15a005e4acd6 ] + +On some of i.MX SoCs like i.MX8QXP, there is ONLY one IRQ for each +GPIO bank, so it is better to check the IRQ count before getting +second IRQ to avoid below error message during probe: + +[ 1.070908] gpio-mxc 5d080000.gpio: IRQ index 1 not found +[ 1.077420] gpio-mxc 5d090000.gpio: IRQ index 1 not found +[ 1.083766] gpio-mxc 5d0a0000.gpio: IRQ index 1 not found +[ 1.090122] gpio-mxc 5d0b0000.gpio: IRQ index 1 not found +[ 1.096470] gpio-mxc 5d0c0000.gpio: IRQ index 1 not found +[ 1.102804] gpio-mxc 5d0d0000.gpio: IRQ index 1 not found +[ 1.109144] gpio-mxc 5d0e0000.gpio: IRQ index 1 not found +[ 1.115475] gpio-mxc 5d0f0000.gpio: IRQ index 1 not found + +Signed-off-by: Anson Huang +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-mxc.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpio/gpio-mxc.c b/drivers/gpio/gpio-mxc.c +index 7907a8755866..c77d474185f3 100644 +--- a/drivers/gpio/gpio-mxc.c ++++ b/drivers/gpio/gpio-mxc.c +@@ -411,6 +411,7 @@ static int mxc_gpio_probe(struct platform_device *pdev) + { + struct device_node *np = pdev->dev.of_node; + struct mxc_gpio_port *port; ++ int irq_count; + int irq_base; + int err; + +@@ -426,9 +427,15 @@ static int mxc_gpio_probe(struct platform_device *pdev) + if (IS_ERR(port->base)) + return PTR_ERR(port->base); + +- port->irq_high = platform_get_irq(pdev, 1); +- if (port->irq_high < 0) +- port->irq_high = 0; ++ irq_count = platform_irq_count(pdev); ++ if (irq_count < 0) ++ return irq_count; ++ ++ if (irq_count > 1) { ++ port->irq_high = platform_get_irq(pdev, 1); ++ if (port->irq_high < 0) ++ port->irq_high = 0; ++ } + + port->irq = platform_get_irq(pdev, 0); + if (port->irq < 0) +-- +2.20.1 + diff --git a/queue-5.4/habanalabs-skip-va-block-list-update-in-reset-flow.patch b/queue-5.4/habanalabs-skip-va-block-list-update-in-reset-flow.patch new file mode 100644 index 00000000000..c6c91b385c9 --- /dev/null +++ b/queue-5.4/habanalabs-skip-va-block-list-update-in-reset-flow.patch @@ -0,0 +1,113 @@ +From a20f2d2f8438cd15b86576eb55f4c3ea1b943377 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Nov 2019 18:23:57 +0000 +Subject: habanalabs: skip VA block list update in reset flow + +From: Omer Shpigelman + +[ Upstream commit 71c5e55e7c077fa17c42fbda91a8d14322825c44 ] + +Reduce context close time by skipping the VA block free list update in +order to avoid hard reset with open contexts. +Reset with open contexts can potentially lead to a kernel crash as the +generic pool of the MMU hops is destroyed while it is not empty because +some unmap operations are not done. +The commit affect mainly when running on simulator. + +Signed-off-by: Omer Shpigelman +Reviewed-by: Oded Gabbay +Signed-off-by: Oded Gabbay +Signed-off-by: Sasha Levin +--- + drivers/misc/habanalabs/memory.c | 30 ++++++++++++++++++++---------- + 1 file changed, 20 insertions(+), 10 deletions(-) + +diff --git a/drivers/misc/habanalabs/memory.c b/drivers/misc/habanalabs/memory.c +index 365fb0cb8dff..22566b75ca50 100644 +--- a/drivers/misc/habanalabs/memory.c ++++ b/drivers/misc/habanalabs/memory.c +@@ -965,17 +965,19 @@ init_page_pack_err: + * + * @ctx : current context + * @vaddr : device virtual address to unmap ++ * @ctx_free : true if in context free flow, false otherwise. + * + * This function does the following: + * - Unmap the physical pages related to the given virtual address + * - return the device virtual block to the virtual block list + */ +-static int unmap_device_va(struct hl_ctx *ctx, u64 vaddr) ++static int unmap_device_va(struct hl_ctx *ctx, u64 vaddr, bool ctx_free) + { + struct hl_device *hdev = ctx->hdev; + struct hl_vm_phys_pg_pack *phys_pg_pack = NULL; + struct hl_vm_hash_node *hnode = NULL; + struct hl_userptr *userptr = NULL; ++ struct hl_va_range *va_range; + enum vm_type_t *vm_type; + u64 next_vaddr, i; + u32 page_size; +@@ -1003,6 +1005,7 @@ static int unmap_device_va(struct hl_ctx *ctx, u64 vaddr) + + if (*vm_type == VM_TYPE_USERPTR) { + is_userptr = true; ++ va_range = &ctx->host_va_range; + userptr = hnode->ptr; + rc = init_phys_pg_pack_from_userptr(ctx, userptr, + &phys_pg_pack); +@@ -1014,6 +1017,7 @@ static int unmap_device_va(struct hl_ctx *ctx, u64 vaddr) + } + } else if (*vm_type == VM_TYPE_PHYS_PACK) { + is_userptr = false; ++ va_range = &ctx->dram_va_range; + phys_pg_pack = hnode->ptr; + } else { + dev_warn(hdev->dev, +@@ -1052,12 +1056,18 @@ static int unmap_device_va(struct hl_ctx *ctx, u64 vaddr) + + mutex_unlock(&ctx->mmu_lock); + +- if (add_va_block(hdev, +- is_userptr ? &ctx->host_va_range : &ctx->dram_va_range, +- vaddr, +- vaddr + phys_pg_pack->total_size - 1)) +- dev_warn(hdev->dev, "add va block failed for vaddr: 0x%llx\n", +- vaddr); ++ /* ++ * No point in maintaining the free VA block list if the context is ++ * closing as the list will be freed anyway ++ */ ++ if (!ctx_free) { ++ rc = add_va_block(hdev, va_range, vaddr, ++ vaddr + phys_pg_pack->total_size - 1); ++ if (rc) ++ dev_warn(hdev->dev, ++ "add va block failed for vaddr: 0x%llx\n", ++ vaddr); ++ } + + atomic_dec(&phys_pg_pack->mapping_cnt); + kfree(hnode); +@@ -1189,8 +1199,8 @@ int hl_mem_ioctl(struct hl_fpriv *hpriv, void *data) + break; + + case HL_MEM_OP_UNMAP: +- rc = unmap_device_va(ctx, +- args->in.unmap.device_virt_addr); ++ rc = unmap_device_va(ctx, args->in.unmap.device_virt_addr, ++ false); + break; + + default: +@@ -1620,7 +1630,7 @@ void hl_vm_ctx_fini(struct hl_ctx *ctx) + dev_dbg(hdev->dev, + "hl_mem_hash_node of vaddr 0x%llx of asid %d is still alive\n", + hnode->vaddr, ctx->asid); +- unmap_device_va(ctx, hnode->vaddr); ++ unmap_device_va(ctx, hnode->vaddr, true); + } + + spin_lock(&vm->idr_lock); +-- +2.20.1 + diff --git a/queue-5.4/hid-i2c-hid-fix-no-irq-after-reset-on-raydium-3118.patch b/queue-5.4/hid-i2c-hid-fix-no-irq-after-reset-on-raydium-3118.patch new file mode 100644 index 00000000000..edfa3844a2e --- /dev/null +++ b/queue-5.4/hid-i2c-hid-fix-no-irq-after-reset-on-raydium-3118.patch @@ -0,0 +1,54 @@ +From 6f5f0e820261a82e4eeff3d380655638f93c053d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Nov 2019 03:12:47 +0800 +Subject: HID: i2c-hid: fix no irq after reset on raydium 3118 + +From: Aaron Ma + +[ Upstream commit 0c8432236dea20a95f68fa17989ea3f8af0186a5 ] + +On some ThinkPad L390 some raydium 3118 touchscreen devices +doesn't response any data after reset, but some does. + +Add this ID to no irq quirk, +then don't wait for any response alike on these touchscreens. +All kinds of raydium 3118 devices work fine. + +BugLink: https://bugs.launchpad.net/bugs/1849721 + +Signed-off-by: Aaron Ma +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-ids.h | 1 + + drivers/hid/i2c-hid/i2c-hid-core.c | 2 ++ + 2 files changed, 3 insertions(+) + +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index 00904537e17c..6273e7178e78 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -960,6 +960,7 @@ + + #define I2C_VENDOR_ID_RAYDIUM 0x2386 + #define I2C_PRODUCT_ID_RAYDIUM_4B33 0x4b33 ++#define I2C_PRODUCT_ID_RAYDIUM_3118 0x3118 + + #define USB_VENDOR_ID_RAZER 0x1532 + #define USB_DEVICE_ID_RAZER_BLADE_14 0x011D +diff --git a/drivers/hid/i2c-hid/i2c-hid-core.c b/drivers/hid/i2c-hid/i2c-hid-core.c +index 04c088131e04..7608ee053114 100644 +--- a/drivers/hid/i2c-hid/i2c-hid-core.c ++++ b/drivers/hid/i2c-hid/i2c-hid-core.c +@@ -170,6 +170,8 @@ static const struct i2c_hid_quirks { + I2C_HID_QUIRK_SET_PWR_WAKEUP_DEV }, + { I2C_VENDOR_ID_HANTICK, I2C_PRODUCT_ID_HANTICK_5288, + I2C_HID_QUIRK_NO_IRQ_AFTER_RESET }, ++ { I2C_VENDOR_ID_RAYDIUM, I2C_PRODUCT_ID_RAYDIUM_3118, ++ I2C_HID_QUIRK_NO_IRQ_AFTER_RESET }, + { USB_VENDOR_ID_ELAN, HID_ANY_ID, + I2C_HID_QUIRK_BOGUS_IRQ }, + { 0, 0 } +-- +2.20.1 + diff --git a/queue-5.4/hid-improve-windows-precision-touchpad-detection.patch b/queue-5.4/hid-improve-windows-precision-touchpad-detection.patch new file mode 100644 index 00000000000..3483c3a755f --- /dev/null +++ b/queue-5.4/hid-improve-windows-precision-touchpad-detection.patch @@ -0,0 +1,68 @@ +From 3860aab1d6fee5782141c429991f309667fd0a29 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Nov 2019 20:02:46 +0900 +Subject: HID: Improve Windows Precision Touchpad detection. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Blaž Hrastnik + +[ Upstream commit 2dbc6f113acd74c66b04bf49fb027efd830b1c5a ] + +Per Microsoft spec, usage 0xC5 (page 0xFF) returns a blob containing +data used to verify the touchpad as a Windows Precision Touchpad. + + 0x85, REPORTID_PTPHQA, // REPORT_ID (PTPHQA) + 0x09, 0xC5, // USAGE (Vendor Usage 0xC5) + 0x15, 0x00, // LOGICAL_MINIMUM (0) + 0x26, 0xff, 0x00, // LOGICAL_MAXIMUM (0xff) + 0x75, 0x08, // REPORT_SIZE (8) + 0x96, 0x00, 0x01, // REPORT_COUNT (0x100 (256)) + 0xb1, 0x02, // FEATURE (Data,Var,Abs) + +However, some devices, namely Microsoft's Surface line of products +instead implement a "segmented device certification report" (usage 0xC6) +which returns the same report, but in smaller chunks. + + 0x06, 0x00, 0xff, // USAGE_PAGE (Vendor Defined) + 0x85, REPORTID_PTPHQA, // REPORT_ID (PTPHQA) + 0x09, 0xC6, // USAGE (Vendor usage for segment #) + 0x25, 0x08, // LOGICAL_MAXIMUM (8) + 0x75, 0x08, // REPORT_SIZE (8) + 0x95, 0x01, // REPORT_COUNT (1) + 0xb1, 0x02, // FEATURE (Data,Var,Abs) + 0x09, 0xC7, // USAGE (Vendor Usage) + 0x26, 0xff, 0x00, // LOGICAL_MAXIMUM (0xff) + 0x95, 0x20, // REPORT_COUNT (32) + 0xb1, 0x02, // FEATURE (Data,Var,Abs) + +By expanding Win8 touchpad detection to also look for the segmented +report, all Surface touchpads are now properly recognized by +hid-multitouch. + +Signed-off-by: Blaž Hrastnik +Signed-off-by: Benjamin Tissoires +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-core.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c +index 2fa3587d974f..e0b241bd3070 100644 +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -781,6 +781,10 @@ static void hid_scan_feature_usage(struct hid_parser *parser, u32 usage) + if (usage == 0xff0000c5 && parser->global.report_count == 256 && + parser->global.report_size == 8) + parser->scan_flags |= HID_SCAN_FLAG_MT_WIN_8; ++ ++ if (usage == 0xff0000c6 && parser->global.report_count == 1 && ++ parser->global.report_size == 8) ++ parser->scan_flags |= HID_SCAN_FLAG_MT_WIN_8; + } + + static void hid_scan_collection(struct hid_parser *parser, unsigned type) +-- +2.20.1 + diff --git a/queue-5.4/hid-logitech-hidpp-silence-intermittent-get_battery_.patch b/queue-5.4/hid-logitech-hidpp-silence-intermittent-get_battery_.patch new file mode 100644 index 00000000000..5fe2bff8ebf --- /dev/null +++ b/queue-5.4/hid-logitech-hidpp-silence-intermittent-get_battery_.patch @@ -0,0 +1,46 @@ +From 13307dd2bde132a49a0876ee6c2cdb42eb417f14 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Nov 2019 15:30:46 +0100 +Subject: HID: logitech-hidpp: Silence intermittent get_battery_capacity errors + +From: Hans de Goede + +[ Upstream commit 61005d65b6c7dcf61c19516e6ebe5acc02d2cdda ] + +My Logitech M185 (PID:4038) 2.4 GHz wireless HID++ mouse is causing +intermittent errors like these in the log: + +[11091.034857] logitech-hidpp-device 0003:046D:4038.0006: hidpp20_batterylevel_get_battery_capacity: received protocol error 0x09 +[12388.031260] logitech-hidpp-device 0003:046D:4038.0006: hidpp20_batterylevel_get_battery_capacity: received protocol error 0x09 +[16613.718543] logitech-hidpp-device 0003:046D:4038.0006: hidpp20_batterylevel_get_battery_capacity: received protocol error 0x09 +[23529.938728] logitech-hidpp-device 0003:046D:4038.0006: hidpp20_batterylevel_get_battery_capacity: received protocol error 0x09 + +We are already silencing error-code 0x09 (HIDPP_ERROR_RESOURCE_ERROR) +errors in other places, lets do the same in +hidpp20_batterylevel_get_battery_capacity to remove these harmless, +but scary looking errors from the dmesg output. + +Signed-off-by: Hans de Goede +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-logitech-hidpp.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c +index 8e91e2f06cb4..cd9193078525 100644 +--- a/drivers/hid/hid-logitech-hidpp.c ++++ b/drivers/hid/hid-logitech-hidpp.c +@@ -1102,6 +1102,9 @@ static int hidpp20_batterylevel_get_battery_capacity(struct hidpp_device *hidpp, + ret = hidpp_send_fap_command_sync(hidpp, feature_index, + CMD_BATTERY_LEVEL_STATUS_GET_BATTERY_LEVEL_STATUS, + NULL, 0, &response); ++ /* Ignore these intermittent errors */ ++ if (ret == HIDPP_ERROR_RESOURCE_ERROR) ++ return -EIO; + if (ret > 0) { + hid_err(hidpp->hid_dev, "%s: received protocol error 0x%02x\n", + __func__, ret); +-- +2.20.1 + diff --git a/queue-5.4/hid-quirks-add-quirk-for-hp-msu1465-pixart-oem-mouse.patch b/queue-5.4/hid-quirks-add-quirk-for-hp-msu1465-pixart-oem-mouse.patch new file mode 100644 index 00000000000..7edb4b256af --- /dev/null +++ b/queue-5.4/hid-quirks-add-quirk-for-hp-msu1465-pixart-oem-mouse.patch @@ -0,0 +1,63 @@ +From 1ce2c39384238a1b754f136348458ba29954c2f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Nov 2019 11:38:41 +0800 +Subject: HID: quirks: Add quirk for HP MSU1465 PIXART OEM mouse + +From: Jinke Fan + +[ Upstream commit f1a0094cbbe97a5f8aca7bdc64bfe43ac9dc6879 ] + +The PixArt OEM mouse disconnets/reconnects every minute on +Linux. All contents of dmesg are repetitive: + +[ 1465.810014] usb 1-2.2: USB disconnect, device number 20 +[ 1467.431509] usb 1-2.2: new low-speed USB device number 21 using xhci_hcd +[ 1467.654982] usb 1-2.2: New USB device found, idVendor=03f0,idProduct=1f4a, bcdDevice= 1.00 +[ 1467.654985] usb 1-2.2: New USB device strings: Mfr=1, Product=2,SerialNumber=0 +[ 1467.654987] usb 1-2.2: Product: HP USB Optical Mouse +[ 1467.654988] usb 1-2.2: Manufacturer: PixArt +[ 1467.699722] input: PixArt HP USB Optical Mouse as /devices/pci0000:00/0000:00:07.1/0000:05:00.3/usb1/1-2/1-2.2/1-2.2:1.0/0003:03F0:1F4A.0012/input/input19 +[ 1467.700124] hid-generic 0003:03F0:1F4A.0012: input,hidraw0: USB HID v1.11 Mouse [PixArt HP USB Optical Mouse] on usb-0000:05:00.3-2.2/input0 + +So add HID_QUIRK_ALWAYS_POLL for this one as well. +Test the patch, the mouse is no longer disconnected and there are no +duplicate logs in dmesg. + +Reference: +https://github.com/sriemer/fix-linux-mouse + +Signed-off-by: Jinke Fan +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-ids.h | 1 + + drivers/hid/hid-quirks.c | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index 447e8db21174..00904537e17c 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -573,6 +573,7 @@ + #define USB_PRODUCT_ID_HP_PIXART_OEM_USB_OPTICAL_MOUSE_094A 0x094a + #define USB_PRODUCT_ID_HP_PIXART_OEM_USB_OPTICAL_MOUSE_0941 0x0941 + #define USB_PRODUCT_ID_HP_PIXART_OEM_USB_OPTICAL_MOUSE_0641 0x0641 ++#define USB_PRODUCT_ID_HP_PIXART_OEM_USB_OPTICAL_MOUSE_1f4a 0x1f4a + + #define USB_VENDOR_ID_HUION 0x256c + #define USB_DEVICE_ID_HUION_TABLET 0x006e +diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c +index c50bcd967d99..9a35af1e2662 100644 +--- a/drivers/hid/hid-quirks.c ++++ b/drivers/hid/hid-quirks.c +@@ -94,6 +94,7 @@ static const struct hid_device_id hid_quirks[] = { + { HID_USB_DEVICE(USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_PIXART_OEM_USB_OPTICAL_MOUSE_094A), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_PIXART_OEM_USB_OPTICAL_MOUSE_0941), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_PIXART_OEM_USB_OPTICAL_MOUSE_0641), HID_QUIRK_ALWAYS_POLL }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_PIXART_OEM_USB_OPTICAL_MOUSE_1f4a), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_IDEACOM, USB_DEVICE_ID_IDEACOM_IDC6680), HID_QUIRK_MULTI_INPUT }, + { HID_USB_DEVICE(USB_VENDOR_ID_INNOMEDIA, USB_DEVICE_ID_INNEX_GENESIS_ATARI), HID_QUIRK_MULTI_INPUT }, + { HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_EASYPEN_M610X), HID_QUIRK_MULTI_INPUT }, +-- +2.20.1 + diff --git a/queue-5.4/hid-rmi-check-that-the-rmi_started-bit-is-set-before.patch b/queue-5.4/hid-rmi-check-that-the-rmi_started-bit-is-set-before.patch new file mode 100644 index 00000000000..da87437b343 --- /dev/null +++ b/queue-5.4/hid-rmi-check-that-the-rmi_started-bit-is-set-before.patch @@ -0,0 +1,47 @@ +From 1739196f83c3b045d9da11591bf41d3b957e7287 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Oct 2019 01:24:03 +0000 +Subject: HID: rmi: Check that the RMI_STARTED bit is set before unregistering + the RMI transport device + +From: Andrew Duggan + +[ Upstream commit 8725aa4fa7ded30211ebd28bb1c9bae806eb3841 ] + +In the event that the RMI device is unreachable, the calls to rmi_set_mode() or +rmi_set_page() will fail before registering the RMI transport device. When the +device is removed, rmi_remove() will call rmi_unregister_transport_device() +which will attempt to access the rmi_dev pointer which was not set. +This patch adds a check of the RMI_STARTED bit before calling +rmi_unregister_transport_device(). The RMI_STARTED bit is only set +after rmi_register_transport_device() completes successfully. + +The kernel oops was reported in this message: +https://www.spinics.net/lists/linux-input/msg58433.html + +[jkosina@suse.cz: reworded changelog as agreed with Andrew] +Signed-off-by: Andrew Duggan +Reported-by: Federico Cerutti +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-rmi.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/hid/hid-rmi.c b/drivers/hid/hid-rmi.c +index 7c6abd7e0979..9ce22acdfaca 100644 +--- a/drivers/hid/hid-rmi.c ++++ b/drivers/hid/hid-rmi.c +@@ -744,7 +744,8 @@ static void rmi_remove(struct hid_device *hdev) + { + struct rmi_data *hdata = hid_get_drvdata(hdev); + +- if (hdata->device_flags & RMI_DEVICE) { ++ if ((hdata->device_flags & RMI_DEVICE) ++ && test_bit(RMI_STARTED, &hdata->flags)) { + clear_bit(RMI_STARTED, &hdata->flags); + cancel_work_sync(&hdata->reset_work); + rmi_unregister_transport_device(&hdata->xport); +-- +2.20.1 + diff --git a/queue-5.4/i2c-stm32f7-fix-reorder-remove-probe-error-handling.patch b/queue-5.4/i2c-stm32f7-fix-reorder-remove-probe-error-handling.patch new file mode 100644 index 00000000000..ec165c3bdd6 --- /dev/null +++ b/queue-5.4/i2c-stm32f7-fix-reorder-remove-probe-error-handling.patch @@ -0,0 +1,72 @@ +From c09c4cf7e1766420861e30132d0eaa164010b07a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Oct 2019 16:04:24 +0200 +Subject: i2c: stm32f7: fix & reorder remove & probe error handling + +From: Alain Volmat + +[ Upstream commit 53aaaa5d9b1e95eb40e877fbffa6f964a8394bb7 ] + +Add missing dma channels free calls in case of error during probe +and reorder the remove function so that dma channels are freed after +the i2c adapter is deleted. +Overall, reorder the remove function so that probe error handling order +and remove function order are same. + +Fixes: 7ecc8cfde553 ("i2c: i2c-stm32f7: Add DMA support") +Signed-off-by: Alain Volmat +Reviewed-by: Pierre-Yves MORDRET +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-stm32f7.c | 19 ++++++++++++------- + 1 file changed, 12 insertions(+), 7 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-stm32f7.c b/drivers/i2c/busses/i2c-stm32f7.c +index b24e7b937f21..84cfed17ff4f 100644 +--- a/drivers/i2c/busses/i2c-stm32f7.c ++++ b/drivers/i2c/busses/i2c-stm32f7.c +@@ -1985,6 +1985,11 @@ pm_disable: + pm_runtime_set_suspended(i2c_dev->dev); + pm_runtime_dont_use_autosuspend(i2c_dev->dev); + ++ if (i2c_dev->dma) { ++ stm32_i2c_dma_free(i2c_dev->dma); ++ i2c_dev->dma = NULL; ++ } ++ + clk_free: + clk_disable_unprepare(i2c_dev->clk); + +@@ -1995,21 +2000,21 @@ static int stm32f7_i2c_remove(struct platform_device *pdev) + { + struct stm32f7_i2c_dev *i2c_dev = platform_get_drvdata(pdev); + +- if (i2c_dev->dma) { +- stm32_i2c_dma_free(i2c_dev->dma); +- i2c_dev->dma = NULL; +- } +- + i2c_del_adapter(&i2c_dev->adap); + pm_runtime_get_sync(i2c_dev->dev); + +- clk_disable_unprepare(i2c_dev->clk); +- + pm_runtime_put_noidle(i2c_dev->dev); + pm_runtime_disable(i2c_dev->dev); + pm_runtime_set_suspended(i2c_dev->dev); + pm_runtime_dont_use_autosuspend(i2c_dev->dev); + ++ if (i2c_dev->dma) { ++ stm32_i2c_dma_free(i2c_dev->dma); ++ i2c_dev->dma = NULL; ++ } ++ ++ clk_disable_unprepare(i2c_dev->clk); ++ + return 0; + } + +-- +2.20.1 + diff --git a/queue-5.4/input-atmel_mxt_ts-disable-irq-across-suspend.patch b/queue-5.4/input-atmel_mxt_ts-disable-irq-across-suspend.patch new file mode 100644 index 00000000000..c2da7a8531b --- /dev/null +++ b/queue-5.4/input-atmel_mxt_ts-disable-irq-across-suspend.patch @@ -0,0 +1,54 @@ +From 70b19bb3f6477e93241729ea713af3e1342d4cf5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Oct 2019 14:00:21 -0700 +Subject: Input: atmel_mxt_ts - disable IRQ across suspend + +From: Evan Green + +[ Upstream commit 463fa44eec2fef50d111ed0199cf593235065c04 ] + +Across suspend and resume, we are seeing error messages like the following: + +atmel_mxt_ts i2c-PRP0001:00: __mxt_read_reg: i2c transfer failed (-121) +atmel_mxt_ts i2c-PRP0001:00: Failed to read T44 and T5 (-121) + +This occurs because the driver leaves its IRQ enabled. Upon resume, there +is an IRQ pending, but the interrupt is serviced before both the driver and +the underlying I2C bus have been resumed. This causes EREMOTEIO errors. + +Disable the IRQ in suspend, and re-enable it on resume. If there are cases +where the driver enters suspend with interrupts disabled, that's a bug we +should fix separately. + +Signed-off-by: Evan Green +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/touchscreen/atmel_mxt_ts.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/input/touchscreen/atmel_mxt_ts.c b/drivers/input/touchscreen/atmel_mxt_ts.c +index 24c4b691b1c9..ae60442efda0 100644 +--- a/drivers/input/touchscreen/atmel_mxt_ts.c ++++ b/drivers/input/touchscreen/atmel_mxt_ts.c +@@ -3156,6 +3156,8 @@ static int __maybe_unused mxt_suspend(struct device *dev) + + mutex_unlock(&input_dev->mutex); + ++ disable_irq(data->irq); ++ + return 0; + } + +@@ -3168,6 +3170,8 @@ static int __maybe_unused mxt_resume(struct device *dev) + if (!input_dev) + return 0; + ++ enable_irq(data->irq); ++ + mutex_lock(&input_dev->mutex); + + if (input_dev->users) +-- +2.20.1 + diff --git a/queue-5.4/input-ili210x-handle-errors-from-input_mt_init_slots.patch b/queue-5.4/input-ili210x-handle-errors-from-input_mt_init_slots.patch new file mode 100644 index 00000000000..a7cd31af6e3 --- /dev/null +++ b/queue-5.4/input-ili210x-handle-errors-from-input_mt_init_slots.patch @@ -0,0 +1,40 @@ +From fe8fb2e7c8de60ab4436d5f7a65846949fa9c091 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Nov 2019 10:39:41 -0800 +Subject: Input: ili210x - handle errors from input_mt_init_slots() + +From: Dmitry Torokhov + +[ Upstream commit 43f06a4c639de8ee89fc348a9a3ecd70320a04dd ] + +input_mt_init_slots() may fail and we need to handle such failures. + +Tested-by: Adam Ford #imx6q-logicpd +Tested-by: Sven Van Asbroeck # ILI2118A variant +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/touchscreen/ili210x.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/input/touchscreen/ili210x.c b/drivers/input/touchscreen/ili210x.c +index e9006407c9bc..f4ebdab06280 100644 +--- a/drivers/input/touchscreen/ili210x.c ++++ b/drivers/input/touchscreen/ili210x.c +@@ -334,7 +334,12 @@ static int ili210x_i2c_probe(struct i2c_client *client, + input_set_abs_params(input, ABS_MT_POSITION_X, 0, 0xffff, 0, 0); + input_set_abs_params(input, ABS_MT_POSITION_Y, 0, 0xffff, 0, 0); + touchscreen_parse_properties(input, true, &priv->prop); +- input_mt_init_slots(input, priv->max_touches, INPUT_MT_DIRECT); ++ ++ error = input_mt_init_slots(input, priv->max_touches, INPUT_MT_DIRECT); ++ if (error) { ++ dev_err(dev, "Unable to set up slots, err: %d\n", error); ++ return error; ++ } + + error = devm_add_action(dev, ili210x_cancel_work, priv); + if (error) +-- +2.20.1 + diff --git a/queue-5.4/input-st1232-do-not-reset-the-chip-too-early.patch b/queue-5.4/input-st1232-do-not-reset-the-chip-too-early.patch new file mode 100644 index 00000000000..d079fccf252 --- /dev/null +++ b/queue-5.4/input-st1232-do-not-reset-the-chip-too-early.patch @@ -0,0 +1,78 @@ +From 2005b3a6f8c43b9a634578fd11989744e8c029c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Oct 2019 11:02:33 -0700 +Subject: Input: st1232 - do not reset the chip too early + +From: Dmitry Torokhov + +[ Upstream commit efd7bb08a762d4f6322054c6824bd942971ac563 ] + +We should not be putting the chip into reset while interrupts are enabled +and ISR may be running. Fix this by installing a custom devm action and +powering off the device/resetting GPIO line from there. This ensures proper +ordering. + +Tested-by: Matthias Fend +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/touchscreen/st1232.c | 22 ++++++++++++---------- + 1 file changed, 12 insertions(+), 10 deletions(-) + +diff --git a/drivers/input/touchscreen/st1232.c b/drivers/input/touchscreen/st1232.c +index 1139714e72e2..1c5f8875cb79 100644 +--- a/drivers/input/touchscreen/st1232.c ++++ b/drivers/input/touchscreen/st1232.c +@@ -149,6 +149,11 @@ static void st1232_ts_power(struct st1232_ts_data *ts, bool poweron) + gpiod_set_value_cansleep(ts->reset_gpio, !poweron); + } + ++static void st1232_ts_power_off(void *data) ++{ ++ st1232_ts_power(data, false); ++} ++ + static const struct st_chip_info st1232_chip_info = { + .have_z = true, + .max_x = 0x31f, /* 800 - 1 */ +@@ -229,6 +234,13 @@ static int st1232_ts_probe(struct i2c_client *client, + + st1232_ts_power(ts, true); + ++ error = devm_add_action_or_reset(&client->dev, st1232_ts_power_off, ts); ++ if (error) { ++ dev_err(&client->dev, ++ "Failed to install power off action: %d\n", error); ++ return error; ++ } ++ + input_dev->name = "st1232-touchscreen"; + input_dev->id.bustype = BUS_I2C; + input_dev->dev.parent = &client->dev; +@@ -271,15 +283,6 @@ static int st1232_ts_probe(struct i2c_client *client, + return 0; + } + +-static int st1232_ts_remove(struct i2c_client *client) +-{ +- struct st1232_ts_data *ts = i2c_get_clientdata(client); +- +- st1232_ts_power(ts, false); +- +- return 0; +-} +- + static int __maybe_unused st1232_ts_suspend(struct device *dev) + { + struct i2c_client *client = to_i2c_client(dev); +@@ -329,7 +332,6 @@ MODULE_DEVICE_TABLE(of, st1232_ts_dt_ids); + + static struct i2c_driver st1232_ts_driver = { + .probe = st1232_ts_probe, +- .remove = st1232_ts_remove, + .id_table = st1232_ts_id, + .driver = { + .name = ST1232_TS_NAME, +-- +2.20.1 + diff --git a/queue-5.4/io_uring-io_allocate_scq_urings-should-return-a-sane.patch b/queue-5.4/io_uring-io_allocate_scq_urings-should-return-a-sane.patch new file mode 100644 index 00000000000..5e2f22d4ac8 --- /dev/null +++ b/queue-5.4/io_uring-io_allocate_scq_urings-should-return-a-sane.patch @@ -0,0 +1,51 @@ +From 9ff7d184d2dfceddc49b0fb9866aeeec41165540 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Nov 2019 09:26:29 -0700 +Subject: io_uring: io_allocate_scq_urings() should return a sane state + +From: Jens Axboe + +[ Upstream commit eb065d301e8c83643367bdb0898becc364046bda ] + +We currently rely on the ring destroy on cleaning things up in case of +failure, but io_allocate_scq_urings() can leave things half initialized +if only parts of it fails. + +Be nice and return with either everything setup in success, or return an +error with things nicely cleaned up. + +Reported-by: syzbot+0d818c0d39399188f393@syzkaller.appspotmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + fs/io_uring.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/fs/io_uring.c b/fs/io_uring.c +index a340147387ec..74e786578c77 100644 +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -3773,12 +3773,18 @@ static int io_allocate_scq_urings(struct io_ring_ctx *ctx, + ctx->cq_entries = rings->cq_ring_entries; + + size = array_size(sizeof(struct io_uring_sqe), p->sq_entries); +- if (size == SIZE_MAX) ++ if (size == SIZE_MAX) { ++ io_mem_free(ctx->rings); ++ ctx->rings = NULL; + return -EOVERFLOW; ++ } + + ctx->sq_sqes = io_mem_alloc(size); +- if (!ctx->sq_sqes) ++ if (!ctx->sq_sqes) { ++ io_mem_free(ctx->rings); ++ ctx->rings = NULL; + return -ENOMEM; ++ } + + return 0; + } +-- +2.20.1 + diff --git a/queue-5.4/iomap-fix-return-value-of-iomap_dio_bio_actor-on-32b.patch b/queue-5.4/iomap-fix-return-value-of-iomap_dio_bio_actor-on-32b.patch new file mode 100644 index 00000000000..75ac848f305 --- /dev/null +++ b/queue-5.4/iomap-fix-return-value-of-iomap_dio_bio_actor-on-32b.patch @@ -0,0 +1,61 @@ +From 272252dc42d8adce6f5b1032db96ee003b47789c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Nov 2019 12:58:24 -0800 +Subject: iomap: fix return value of iomap_dio_bio_actor on 32bit systems + +From: Jan Stancek + +[ Upstream commit e9f930ac88a8936ccc2d021110c98810cf5aa810 ] + +Naresh reported LTP diotest4 failing for 32bit x86 and arm -next +kernels on ext4. Same problem exists in 5.4-rc7 on xfs. + +The failure comes down to: + openat(AT_FDCWD, "testdata-4.5918", O_RDWR|O_DIRECT) = 4 + mmap2(NULL, 4096, PROT_READ, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f7b000 + read(4, 0xb7f7b000, 4096) = 0 // expects -EFAULT + +Problem is conversion at iomap_dio_bio_actor() return. Ternary +operator has a return type and an attempt is made to convert each +of operands to the type of the other. In this case "ret" (int) +is converted to type of "copied" (unsigned long). Both have size +of 4 bytes: + size_t copied = 0; + int ret = -14; + long long actor_ret = copied ? copied : ret; + + On x86_64: actor_ret == -14; + On x86 : actor_ret == 4294967282 + +Replace ternary operator with 2 return statements to avoid this +unwanted conversion. + +Fixes: 4721a6010990 ("iomap: dio data corruption and spurious errors when pipes fill") +Reported-by: Naresh Kamboju +Signed-off-by: Jan Stancek +Reviewed-by: Christoph Hellwig +Reviewed-by: Darrick J. Wong +Signed-off-by: Darrick J. Wong +Signed-off-by: Sasha Levin +--- + fs/iomap/direct-io.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/iomap/direct-io.c b/fs/iomap/direct-io.c +index fd46ec83cb04..7b5f76efef02 100644 +--- a/fs/iomap/direct-io.c ++++ b/fs/iomap/direct-io.c +@@ -318,7 +318,9 @@ zero_tail: + if (pad) + iomap_dio_zero(dio, iomap, pos, fs_block_size - pad); + } +- return copied ? copied : ret; ++ if (copied) ++ return copied; ++ return ret; + } + + static loff_t +-- +2.20.1 + diff --git a/queue-5.4/iommu-arm-smmu-v3-don-t-display-an-error-when-irq-li.patch b/queue-5.4/iommu-arm-smmu-v3-don-t-display-an-error-when-irq-li.patch new file mode 100644 index 00000000000..96bc9deb041 --- /dev/null +++ b/queue-5.4/iommu-arm-smmu-v3-don-t-display-an-error-when-irq-li.patch @@ -0,0 +1,64 @@ +From fceb96a606f97ec648e74e9adc5bc2e220aed94e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Nov 2019 12:17:20 +0100 +Subject: iommu/arm-smmu-v3: Don't display an error when IRQ lines are missing + +From: Jean-Philippe Brucker + +[ Upstream commit f7aff1a93f52047739af31072de0ad8d149641f3 ] + +Since commit 7723f4c5ecdb ("driver core: platform: Add an error message +to platform_get_irq*()"), platform_get_irq_byname() displays an error +when the IRQ isn't found. Since the SMMUv3 driver uses that function to +query which interrupt method is available, the message is now displayed +during boot for any SMMUv3 that doesn't implement the combined +interrupt, or that implements MSIs. + +[ 20.700337] arm-smmu-v3 arm-smmu-v3.7.auto: IRQ combined not found +[ 20.706508] arm-smmu-v3 arm-smmu-v3.7.auto: IRQ eventq not found +[ 20.712503] arm-smmu-v3 arm-smmu-v3.7.auto: IRQ priq not found +[ 20.718325] arm-smmu-v3 arm-smmu-v3.7.auto: IRQ gerror not found + +Use platform_get_irq_byname_optional() to avoid displaying a spurious +error. + +Fixes: 7723f4c5ecdb ("driver core: platform: Add an error message to platform_get_irq*()") +Signed-off-by: Jean-Philippe Brucker +Acked-by: Will Deacon +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/arm-smmu-v3.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/iommu/arm-smmu-v3.c b/drivers/iommu/arm-smmu-v3.c +index 8da93e730d6f..ed90361b84dc 100644 +--- a/drivers/iommu/arm-smmu-v3.c ++++ b/drivers/iommu/arm-smmu-v3.c +@@ -3611,19 +3611,19 @@ static int arm_smmu_device_probe(struct platform_device *pdev) + + /* Interrupt lines */ + +- irq = platform_get_irq_byname(pdev, "combined"); ++ irq = platform_get_irq_byname_optional(pdev, "combined"); + if (irq > 0) + smmu->combined_irq = irq; + else { +- irq = platform_get_irq_byname(pdev, "eventq"); ++ irq = platform_get_irq_byname_optional(pdev, "eventq"); + if (irq > 0) + smmu->evtq.q.irq = irq; + +- irq = platform_get_irq_byname(pdev, "priq"); ++ irq = platform_get_irq_byname_optional(pdev, "priq"); + if (irq > 0) + smmu->priq.q.irq = irq; + +- irq = platform_get_irq_byname(pdev, "gerror"); ++ irq = platform_get_irq_byname_optional(pdev, "gerror"); + if (irq > 0) + smmu->gerr_irq = irq; + } +-- +2.20.1 + diff --git a/queue-5.4/iommu-rockchip-free-domain-on-.domain_free.patch b/queue-5.4/iommu-rockchip-free-domain-on-.domain_free.patch new file mode 100644 index 00000000000..ef5664f5639 --- /dev/null +++ b/queue-5.4/iommu-rockchip-free-domain-on-.domain_free.patch @@ -0,0 +1,64 @@ +From 791f3660dea0ed4f039fae41875c664a7e3f0d22 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Oct 2019 14:29:23 -0300 +Subject: iommu: rockchip: Free domain on .domain_free + +From: Ezequiel Garcia + +[ Upstream commit 42bb97b80f2e3bf592e3e99d109b67309aa1b30e ] + +IOMMU domain resource life is well-defined, managed +by .domain_alloc and .domain_free. + +Therefore, domain-specific resources shouldn't be tied to +the device life, but instead to its domain. + +Signed-off-by: Ezequiel Garcia +Reviewed-by: Robin Murphy +Acked-by: Heiko Stuebner +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/rockchip-iommu.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/iommu/rockchip-iommu.c b/drivers/iommu/rockchip-iommu.c +index 4dcbf68dfda4..0df091934361 100644 +--- a/drivers/iommu/rockchip-iommu.c ++++ b/drivers/iommu/rockchip-iommu.c +@@ -980,13 +980,13 @@ static struct iommu_domain *rk_iommu_domain_alloc(unsigned type) + if (!dma_dev) + return NULL; + +- rk_domain = devm_kzalloc(dma_dev, sizeof(*rk_domain), GFP_KERNEL); ++ rk_domain = kzalloc(sizeof(*rk_domain), GFP_KERNEL); + if (!rk_domain) + return NULL; + + if (type == IOMMU_DOMAIN_DMA && + iommu_get_dma_cookie(&rk_domain->domain)) +- return NULL; ++ goto err_free_domain; + + /* + * rk32xx iommus use a 2 level pagetable. +@@ -1021,6 +1021,8 @@ err_free_dt: + err_put_cookie: + if (type == IOMMU_DOMAIN_DMA) + iommu_put_dma_cookie(&rk_domain->domain); ++err_free_domain: ++ kfree(rk_domain); + + return NULL; + } +@@ -1049,6 +1051,7 @@ static void rk_iommu_domain_free(struct iommu_domain *domain) + + if (domain->type == IOMMU_DOMAIN_DMA) + iommu_put_dma_cookie(&rk_domain->domain); ++ kfree(rk_domain); + } + + static int rk_iommu_add_device(struct device *dev) +-- +2.20.1 + diff --git a/queue-5.4/iommu-tegra-smmu-fix-page-tables-in-4-gib-memory.patch b/queue-5.4/iommu-tegra-smmu-fix-page-tables-in-4-gib-memory.patch new file mode 100644 index 00000000000..510a83ddc85 --- /dev/null +++ b/queue-5.4/iommu-tegra-smmu-fix-page-tables-in-4-gib-memory.patch @@ -0,0 +1,79 @@ +From 5aa08f4adabfa8ec949c201ff850db3221a9c028 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Oct 2019 13:50:26 +0200 +Subject: iommu/tegra-smmu: Fix page tables in > 4 GiB memory + +From: Thierry Reding + +[ Upstream commit 96d3ab802e4930a29a33934373157d6dff1b2c7e ] + +Page tables that reside in physical memory beyond the 4 GiB boundary are +currently not working properly. The reason is that when the physical +address for page directory entries is read, it gets truncated at 32 bits +and can cause crashes when passing that address to the DMA API. + +Fix this by first casting the PDE value to a dma_addr_t and then using +the page frame number mask for the SMMU instance to mask out the invalid +bits, which are typically used for mapping attributes, etc. + +Signed-off-by: Thierry Reding +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/tegra-smmu.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/drivers/iommu/tegra-smmu.c b/drivers/iommu/tegra-smmu.c +index 7293fc3f796d..dd486233e282 100644 +--- a/drivers/iommu/tegra-smmu.c ++++ b/drivers/iommu/tegra-smmu.c +@@ -159,9 +159,9 @@ static bool smmu_dma_addr_valid(struct tegra_smmu *smmu, dma_addr_t addr) + return (addr & smmu->pfn_mask) == addr; + } + +-static dma_addr_t smmu_pde_to_dma(u32 pde) ++static dma_addr_t smmu_pde_to_dma(struct tegra_smmu *smmu, u32 pde) + { +- return pde << 12; ++ return (dma_addr_t)(pde & smmu->pfn_mask) << 12; + } + + static void smmu_flush_ptc_all(struct tegra_smmu *smmu) +@@ -549,6 +549,7 @@ static u32 *tegra_smmu_pte_lookup(struct tegra_smmu_as *as, unsigned long iova, + dma_addr_t *dmap) + { + unsigned int pd_index = iova_pd_index(iova); ++ struct tegra_smmu *smmu = as->smmu; + struct page *pt_page; + u32 *pd; + +@@ -557,7 +558,7 @@ static u32 *tegra_smmu_pte_lookup(struct tegra_smmu_as *as, unsigned long iova, + return NULL; + + pd = page_address(as->pd); +- *dmap = smmu_pde_to_dma(pd[pd_index]); ++ *dmap = smmu_pde_to_dma(smmu, pd[pd_index]); + + return tegra_smmu_pte_offset(pt_page, iova); + } +@@ -599,7 +600,7 @@ static u32 *as_get_pte(struct tegra_smmu_as *as, dma_addr_t iova, + } else { + u32 *pd = page_address(as->pd); + +- *dmap = smmu_pde_to_dma(pd[pde]); ++ *dmap = smmu_pde_to_dma(smmu, pd[pde]); + } + + return tegra_smmu_pte_offset(as->pts[pde], iova); +@@ -624,7 +625,7 @@ static void tegra_smmu_pte_put_use(struct tegra_smmu_as *as, unsigned long iova) + if (--as->count[pde] == 0) { + struct tegra_smmu *smmu = as->smmu; + u32 *pd = page_address(as->pd); +- dma_addr_t pte_dma = smmu_pde_to_dma(pd[pde]); ++ dma_addr_t pte_dma = smmu_pde_to_dma(smmu, pd[pde]); + + tegra_smmu_set_pde(as, iova, 0); + +-- +2.20.1 + diff --git a/queue-5.4/irqchip-ingenic-error-out-if-irq-domain-creation-fai.patch b/queue-5.4/irqchip-ingenic-error-out-if-irq-domain-creation-fai.patch new file mode 100644 index 00000000000..fb175a77c45 --- /dev/null +++ b/queue-5.4/irqchip-ingenic-error-out-if-irq-domain-creation-fai.patch @@ -0,0 +1,59 @@ +From 2b48c7b3a6392b3c429b3842e9c43e1bc1aebaa3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Oct 2019 19:25:22 +0800 +Subject: irqchip: ingenic: Error out if IRQ domain creation failed + +From: Paul Cercueil + +[ Upstream commit 52ecc87642f273a599c9913b29fd179c13de457b ] + +If we cannot create the IRQ domain, the driver should fail to probe +instead of succeeding with just a warning message. + +Signed-off-by: Paul Cercueil +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/1570015525-27018-3-git-send-email-zhouyanjie@zoho.com +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-ingenic.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/drivers/irqchip/irq-ingenic.c b/drivers/irqchip/irq-ingenic.c +index f126255b3260..dda512dfe2c1 100644 +--- a/drivers/irqchip/irq-ingenic.c ++++ b/drivers/irqchip/irq-ingenic.c +@@ -108,6 +108,14 @@ static int __init ingenic_intc_of_init(struct device_node *node, + goto out_unmap_irq; + } + ++ domain = irq_domain_add_legacy(node, num_chips * 32, ++ JZ4740_IRQ_BASE, 0, ++ &irq_domain_simple_ops, NULL); ++ if (!domain) { ++ err = -ENOMEM; ++ goto out_unmap_base; ++ } ++ + for (i = 0; i < num_chips; i++) { + /* Mask all irqs */ + writel(0xffffffff, intc->base + (i * CHIP_SIZE) + +@@ -134,14 +142,11 @@ static int __init ingenic_intc_of_init(struct device_node *node, + IRQ_NOPROBE | IRQ_LEVEL); + } + +- domain = irq_domain_add_legacy(node, num_chips * 32, JZ4740_IRQ_BASE, 0, +- &irq_domain_simple_ops, NULL); +- if (!domain) +- pr_warn("unable to register IRQ domain\n"); +- + setup_irq(parent_irq, &intc_cascade_action); + return 0; + ++out_unmap_base: ++ iounmap(intc->base); + out_unmap_irq: + irq_dispose_mapping(parent_irq); + out_free: +-- +2.20.1 + diff --git a/queue-5.4/irqchip-irq-bcm7038-l1-enable-parent-irq-if-necessar.patch b/queue-5.4/irqchip-irq-bcm7038-l1-enable-parent-irq-if-necessar.patch new file mode 100644 index 00000000000..33ca9708a3a --- /dev/null +++ b/queue-5.4/irqchip-irq-bcm7038-l1-enable-parent-irq-if-necessar.patch @@ -0,0 +1,38 @@ +From 5b292fa921edc753764d5f173289459dfcc3f8c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Oct 2019 13:14:13 -0700 +Subject: irqchip/irq-bcm7038-l1: Enable parent IRQ if necessary + +From: Florian Fainelli + +[ Upstream commit 27eebb60357ed5aa6659442f92907c0f7368d6ae ] + +If the 'brcm,irq-can-wake' property is specified, make sure we also +enable the corresponding parent interrupt we are attached to. + +Signed-off-by: Florian Fainelli +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20191024201415.23454-4-f.fainelli@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-bcm7038-l1.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/irqchip/irq-bcm7038-l1.c b/drivers/irqchip/irq-bcm7038-l1.c +index fc75c61233aa..58bec2126966 100644 +--- a/drivers/irqchip/irq-bcm7038-l1.c ++++ b/drivers/irqchip/irq-bcm7038-l1.c +@@ -281,6 +281,10 @@ static int __init bcm7038_l1_init_one(struct device_node *dn, + pr_err("failed to map parent interrupt %d\n", parent_irq); + return -EINVAL; + } ++ ++ if (of_property_read_bool(dn, "brcm,irq-can-wake")) ++ enable_irq_wake(parent_irq); ++ + irq_set_chained_handler_and_data(parent_irq, bcm7038_l1_irq_handle, + intc); + +-- +2.20.1 + diff --git a/queue-5.4/jbd2-fix-statistics-for-the-number-of-logged-blocks.patch b/queue-5.4/jbd2-fix-statistics-for-the-number-of-logged-blocks.patch new file mode 100644 index 00000000000..736c9bbb8db --- /dev/null +++ b/queue-5.4/jbd2-fix-statistics-for-the-number-of-logged-blocks.patch @@ -0,0 +1,61 @@ +From dde33b1e3aac0be6f4ed1dcb3259adf5ec6ce02a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Nov 2019 17:44:19 +0100 +Subject: jbd2: Fix statistics for the number of logged blocks + +From: Jan Kara + +[ Upstream commit 015c6033068208d6227612c878877919f3fcf6b6 ] + +jbd2 statistics counting number of blocks logged in a transaction was +wrong. It didn't count the commit block and more importantly it didn't +count revoke descriptor blocks. Make sure these get properly counted. + +Reviewed-by: Theodore Ts'o +Signed-off-by: Jan Kara +Link: https://lore.kernel.org/r/20191105164437.32602-13-jack@suse.cz +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/jbd2/commit.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/jbd2/commit.c b/fs/jbd2/commit.c +index 132fb92098c7..c43591cd70f1 100644 +--- a/fs/jbd2/commit.c ++++ b/fs/jbd2/commit.c +@@ -727,7 +727,6 @@ start_journal_io: + submit_bh(REQ_OP_WRITE, REQ_SYNC, bh); + } + cond_resched(); +- stats.run.rs_blocks_logged += bufs; + + /* Force a new descriptor to be generated next + time round the loop. */ +@@ -814,6 +813,7 @@ start_journal_io: + if (unlikely(!buffer_uptodate(bh))) + err = -EIO; + jbd2_unfile_log_bh(bh); ++ stats.run.rs_blocks_logged++; + + /* + * The list contains temporary buffer heads created by +@@ -859,6 +859,7 @@ start_journal_io: + BUFFER_TRACE(bh, "ph5: control buffer writeout done: unfile"); + clear_buffer_jwrite(bh); + jbd2_unfile_log_bh(bh); ++ stats.run.rs_blocks_logged++; + __brelse(bh); /* One for getblk */ + /* AKPM: bforget here */ + } +@@ -880,6 +881,7 @@ start_journal_io: + } + if (cbh) + err = journal_wait_on_commit_record(journal, cbh); ++ stats.run.rs_blocks_logged++; + if (jbd2_has_feature_async_commit(journal) && + journal->j_flags & JBD2_BARRIER) { + blkdev_issue_flush(journal->j_dev, GFP_NOFS, NULL); +-- +2.20.1 + diff --git a/queue-5.4/kernel-sysctl-make-drop_caches-write-only.patch b/queue-5.4/kernel-sysctl-make-drop_caches-write-only.patch new file mode 100644 index 00000000000..92db20fee98 --- /dev/null +++ b/queue-5.4/kernel-sysctl-make-drop_caches-write-only.patch @@ -0,0 +1,53 @@ +From 9f10195443bb1a22ce872ba94e7d026886f8190a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 30 Nov 2019 17:56:08 -0800 +Subject: kernel: sysctl: make drop_caches write-only + +From: Johannes Weiner + +[ Upstream commit 204cb79ad42f015312a5bbd7012d09c93d9b46fb ] + +Currently, the drop_caches proc file and sysctl read back the last value +written, suggesting this is somehow a stateful setting instead of a +one-time command. Make it write-only, like e.g. compact_memory. + +While mitigating a VM problem at scale in our fleet, there was confusion +about whether writing to this file will permanently switch the kernel into +a non-caching mode. This influences the decision making in a tense +situation, where tens of people are trying to fix tens of thousands of +affected machines: Do we need a rollback strategy? What are the +performance implications of operating in a non-caching state for several +days? It also caused confusion when the kernel team said we may need to +write the file several times to make sure it's effective ("But it already +reads back 3?"). + +Link: http://lkml.kernel.org/r/20191031221602.9375-1-hannes@cmpxchg.org +Signed-off-by: Johannes Weiner +Acked-by: Chris Down +Acked-by: Vlastimil Babka +Acked-by: David Hildenbrand +Acked-by: Michal Hocko +Acked-by: Alexey Dobriyan +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + kernel/sysctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/sysctl.c b/kernel/sysctl.c +index b6f2f35d0bcf..70665934d53e 100644 +--- a/kernel/sysctl.c ++++ b/kernel/sysctl.c +@@ -1466,7 +1466,7 @@ static struct ctl_table vm_table[] = { + .procname = "drop_caches", + .data = &sysctl_drop_caches, + .maxlen = sizeof(int), +- .mode = 0644, ++ .mode = 0200, + .proc_handler = drop_caches_sysctl_handler, + .extra1 = SYSCTL_ONE, + .extra2 = &four, +-- +2.20.1 + diff --git a/queue-5.4/leds-an30259a-add-a-check-for-devm_regmap_init_i2c.patch b/queue-5.4/leds-an30259a-add-a-check-for-devm_regmap_init_i2c.patch new file mode 100644 index 00000000000..ada0620fa9b --- /dev/null +++ b/queue-5.4/leds-an30259a-add-a-check-for-devm_regmap_init_i2c.patch @@ -0,0 +1,41 @@ +From 88f318b5f5cbe14615132abf5b75735808de452a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Oct 2019 20:54:03 +0800 +Subject: leds: an30259a: add a check for devm_regmap_init_i2c + +From: Chuhong Yuan + +[ Upstream commit fc7b5028f2627133c7c18734715a08829eab4d1f ] + +an30259a_probe misses a check for devm_regmap_init_i2c and may cause +problems. +Add a check and print errors like other leds drivers. + +Signed-off-by: Chuhong Yuan +Signed-off-by: Pavel Machek +Signed-off-by: Sasha Levin +--- + drivers/leds/leds-an30259a.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/leds/leds-an30259a.c b/drivers/leds/leds-an30259a.c +index 250dc9d6f635..82350a28a564 100644 +--- a/drivers/leds/leds-an30259a.c ++++ b/drivers/leds/leds-an30259a.c +@@ -305,6 +305,13 @@ static int an30259a_probe(struct i2c_client *client) + + chip->regmap = devm_regmap_init_i2c(client, &an30259a_regmap_config); + ++ if (IS_ERR(chip->regmap)) { ++ err = PTR_ERR(chip->regmap); ++ dev_err(&client->dev, "Failed to allocate register map: %d\n", ++ err); ++ goto exit; ++ } ++ + for (i = 0; i < chip->num_leds; i++) { + struct led_init_data init_data = {}; + +-- +2.20.1 + diff --git a/queue-5.4/leds-lm3692x-handle-failure-to-probe-the-regulator.patch b/queue-5.4/leds-lm3692x-handle-failure-to-probe-the-regulator.patch new file mode 100644 index 00000000000..400d201b0cf --- /dev/null +++ b/queue-5.4/leds-lm3692x-handle-failure-to-probe-the-regulator.patch @@ -0,0 +1,52 @@ +From 29ad9a488790a6bfffa2e4f686322dce65c8cfcc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 Sep 2019 14:12:10 -0700 +Subject: leds: lm3692x: Handle failure to probe the regulator +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Guido Günther + +[ Upstream commit 396128d2ffcba6e1954cfdc9a89293ff79cbfd7c ] + +Instead use devm_regulator_get_optional since the regulator +is optional and check for errors. + +Signed-off-by: Guido Günther +Acked-by: Pavel Machek +Reviewed-by: Dan Murphy +Signed-off-by: Pavel Machek +Signed-off-by: Sasha Levin +--- + drivers/leds/leds-lm3692x.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/drivers/leds/leds-lm3692x.c b/drivers/leds/leds-lm3692x.c +index 3d381f2f73d0..1ac9a44570ee 100644 +--- a/drivers/leds/leds-lm3692x.c ++++ b/drivers/leds/leds-lm3692x.c +@@ -334,9 +334,18 @@ static int lm3692x_probe_dt(struct lm3692x_led *led) + return ret; + } + +- led->regulator = devm_regulator_get(&led->client->dev, "vled"); +- if (IS_ERR(led->regulator)) ++ led->regulator = devm_regulator_get_optional(&led->client->dev, "vled"); ++ if (IS_ERR(led->regulator)) { ++ ret = PTR_ERR(led->regulator); ++ if (ret != -ENODEV) { ++ if (ret != -EPROBE_DEFER) ++ dev_err(&led->client->dev, ++ "Failed to get vled regulator: %d\n", ++ ret); ++ return ret; ++ } + led->regulator = NULL; ++ } + + child = device_get_next_child_node(&led->client->dev, child); + if (!child) { +-- +2.20.1 + diff --git a/queue-5.4/leds-trigger-netdev-fix-handling-on-interface-rename.patch b/queue-5.4/leds-trigger-netdev-fix-handling-on-interface-rename.patch new file mode 100644 index 00000000000..28d6741e470 --- /dev/null +++ b/queue-5.4/leds-trigger-netdev-fix-handling-on-interface-rename.patch @@ -0,0 +1,60 @@ +From 1667723424868f74bdf4b1b698e27412a5087b5d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Oct 2019 09:01:42 +0200 +Subject: leds: trigger: netdev: fix handling on interface rename + +From: Martin Schiller + +[ Upstream commit 5f820ed52371b4f5d8c43c93f03408d0dbc01e5b ] + +The NETDEV_CHANGENAME code is not "unneeded" like it is stated in commit +4cb6560514fa ("leds: trigger: netdev: fix refcnt leak on interface +rename"). + +The event was accidentally misinterpreted equivalent to +NETDEV_UNREGISTER, but should be equivalent to NETDEV_REGISTER. + +This was the case in the original code from the openwrt project. + +Otherwise, you are unable to set netdev led triggers for (non-existent) +netdevices, which has to be renamed. This is the case, for example, for +ppp interfaces in openwrt. + +Fixes: 06f502f57d0d ("leds: trigger: Introduce a NETDEV trigger") +Fixes: 4cb6560514fa ("leds: trigger: netdev: fix refcnt leak on interface rename") +Signed-off-by: Martin Schiller +Signed-off-by: Pavel Machek +Signed-off-by: Sasha Levin +--- + drivers/leds/trigger/ledtrig-netdev.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/leds/trigger/ledtrig-netdev.c b/drivers/leds/trigger/ledtrig-netdev.c +index 136f86a1627d..d5e774d83021 100644 +--- a/drivers/leds/trigger/ledtrig-netdev.c ++++ b/drivers/leds/trigger/ledtrig-netdev.c +@@ -302,10 +302,12 @@ static int netdev_trig_notify(struct notifier_block *nb, + container_of(nb, struct led_netdev_data, notifier); + + if (evt != NETDEV_UP && evt != NETDEV_DOWN && evt != NETDEV_CHANGE +- && evt != NETDEV_REGISTER && evt != NETDEV_UNREGISTER) ++ && evt != NETDEV_REGISTER && evt != NETDEV_UNREGISTER ++ && evt != NETDEV_CHANGENAME) + return NOTIFY_DONE; + + if (!(dev == trigger_data->net_dev || ++ (evt == NETDEV_CHANGENAME && !strcmp(dev->name, trigger_data->device_name)) || + (evt == NETDEV_REGISTER && !strcmp(dev->name, trigger_data->device_name)))) + return NOTIFY_DONE; + +@@ -315,6 +317,7 @@ static int netdev_trig_notify(struct notifier_block *nb, + + clear_bit(NETDEV_LED_MODE_LINKUP, &trigger_data->mode); + switch (evt) { ++ case NETDEV_CHANGENAME: + case NETDEV_REGISTER: + if (trigger_data->net_dev) + dev_put(trigger_data->net_dev); +-- +2.20.1 + diff --git a/queue-5.4/libfdt-define-int32_max-and-uint32_max-in-libfdt_env.patch b/queue-5.4/libfdt-define-int32_max-and-uint32_max-in-libfdt_env.patch new file mode 100644 index 00000000000..206e7562d82 --- /dev/null +++ b/queue-5.4/libfdt-define-int32_max-and-uint32_max-in-libfdt_env.patch @@ -0,0 +1,84 @@ +From 3fc0ca8e158f51181e4d9d1835613d2935a5c4e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Nov 2019 16:12:02 +0900 +Subject: libfdt: define INT32_MAX and UINT32_MAX in libfdt_env.h + +From: Masahiro Yamada + +[ Upstream commit a8de1304b7df30e3a14f2a8b9709bb4ff31a0385 ] + +The DTC v1.5.1 added references to (U)INT32_MAX. + +This is no problem for user-space programs since defines +(U)INT32_MAX along with (u)int32_t. + +For the kernel space, libfdt_env.h needs to be adjusted before we +pull in the changes. + +In the kernel, we usually use s/u32 instead of (u)int32_t for the +fixed-width types. + +Accordingly, we already have S/U32_MAX for their max values. +So, we should not add (U)INT32_MAX to any more. + +Instead, add them to the in-kernel libfdt_env.h to compile the +latest libfdt. + +Signed-off-by: Masahiro Yamada +Signed-off-by: Rob Herring +Signed-off-by: Sasha Levin +--- + arch/arm/boot/compressed/libfdt_env.h | 4 +++- + arch/powerpc/boot/libfdt_env.h | 2 ++ + include/linux/libfdt_env.h | 3 +++ + 3 files changed, 8 insertions(+), 1 deletion(-) + +diff --git a/arch/arm/boot/compressed/libfdt_env.h b/arch/arm/boot/compressed/libfdt_env.h +index b36c0289a308..6a0f1f524466 100644 +--- a/arch/arm/boot/compressed/libfdt_env.h ++++ b/arch/arm/boot/compressed/libfdt_env.h +@@ -2,11 +2,13 @@ + #ifndef _ARM_LIBFDT_ENV_H + #define _ARM_LIBFDT_ENV_H + ++#include + #include + #include + #include + +-#define INT_MAX ((int)(~0U>>1)) ++#define INT32_MAX S32_MAX ++#define UINT32_MAX U32_MAX + + typedef __be16 fdt16_t; + typedef __be32 fdt32_t; +diff --git a/arch/powerpc/boot/libfdt_env.h b/arch/powerpc/boot/libfdt_env.h +index 2abc8e83b95e..9757d4f6331e 100644 +--- a/arch/powerpc/boot/libfdt_env.h ++++ b/arch/powerpc/boot/libfdt_env.h +@@ -6,6 +6,8 @@ + #include + + #define INT_MAX ((int)(~0U>>1)) ++#define UINT32_MAX ((u32)~0U) ++#define INT32_MAX ((s32)(UINT32_MAX >> 1)) + + #include "of.h" + +diff --git a/include/linux/libfdt_env.h b/include/linux/libfdt_env.h +index edb0f0c30904..1adf54aad2df 100644 +--- a/include/linux/libfdt_env.h ++++ b/include/linux/libfdt_env.h +@@ -7,6 +7,9 @@ + + #include + ++#define INT32_MAX S32_MAX ++#define UINT32_MAX U32_MAX ++ + typedef __be16 fdt16_t; + typedef __be32 fdt32_t; + typedef __be64 fdt64_t; +-- +2.20.1 + diff --git a/queue-5.4/libnvdimm-btt-fix-variable-rc-set-but-not-used.patch b/queue-5.4/libnvdimm-btt-fix-variable-rc-set-but-not-used.patch new file mode 100644 index 00000000000..f6597c1dd4e --- /dev/null +++ b/queue-5.4/libnvdimm-btt-fix-variable-rc-set-but-not-used.patch @@ -0,0 +1,50 @@ +From a466ecd2fa383af8bad8c26ae58a1cedb735c42c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Oct 2019 10:05:19 -0400 +Subject: libnvdimm/btt: fix variable 'rc' set but not used + +From: Qian Cai + +[ Upstream commit 4e24e37d5313edca8b4ab86f240c046c731e28d6 ] + +drivers/nvdimm/btt.c: In function 'btt_read_pg': +drivers/nvdimm/btt.c:1264:8: warning: variable 'rc' set but not used +[-Wunused-but-set-variable] + int rc; + ^~ + +Add a ratelimited message in case a storm of errors is encountered. + +Fixes: d9b83c756953 ("libnvdimm, btt: rework error clearing") +Signed-off-by: Qian Cai +Reviewed-by: Vishal Verma +Link: https://lore.kernel.org/r/1572530719-32161-1-git-send-email-cai@lca.pw +Signed-off-by: Dan Williams +Signed-off-by: Sasha Levin +--- + drivers/nvdimm/btt.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/nvdimm/btt.c b/drivers/nvdimm/btt.c +index 3e9f45aec8d1..5129543a0473 100644 +--- a/drivers/nvdimm/btt.c ++++ b/drivers/nvdimm/btt.c +@@ -1261,11 +1261,11 @@ static int btt_read_pg(struct btt *btt, struct bio_integrity_payload *bip, + + ret = btt_data_read(arena, page, off, postmap, cur_len); + if (ret) { +- int rc; +- + /* Media error - set the e_flag */ +- rc = btt_map_write(arena, premap, postmap, 0, 1, +- NVDIMM_IO_ATOMIC); ++ if (btt_map_write(arena, premap, postmap, 0, 1, NVDIMM_IO_ATOMIC)) ++ dev_warn_ratelimited(to_dev(arena), ++ "Error persistently tracking bad blocks at %#x\n", ++ premap); + goto out_rtt; + } + +-- +2.20.1 + diff --git a/queue-5.4/mailbox-imx-clear-the-right-interrupts-at-shutdown.patch b/queue-5.4/mailbox-imx-clear-the-right-interrupts-at-shutdown.patch new file mode 100644 index 00000000000..5819c4fb852 --- /dev/null +++ b/queue-5.4/mailbox-imx-clear-the-right-interrupts-at-shutdown.patch @@ -0,0 +1,51 @@ +From 79b85e7ebb897a2759139bb7ab239061ed738780 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Oct 2019 16:07:19 +0800 +Subject: mailbox: imx: Clear the right interrupts at shutdown + +From: Daniel Baluta + +[ Upstream commit 5f0af07e89199ac51cdd4f25bc303bdc703f4e9c ] + +Make sure to only clear enabled interrupts keeping count +of the connection type. + +Suggested-by: Oleksij Rempel +Signed-off-by: Daniel Baluta +Signed-off-by: Richard Zhu +Reviewed-by: Dong Aisheng +Signed-off-by: Jassi Brar +Signed-off-by: Sasha Levin +--- + drivers/mailbox/imx-mailbox.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +diff --git a/drivers/mailbox/imx-mailbox.c b/drivers/mailbox/imx-mailbox.c +index 9f74dee1a58c..d28bbd47ff88 100644 +--- a/drivers/mailbox/imx-mailbox.c ++++ b/drivers/mailbox/imx-mailbox.c +@@ -217,8 +217,19 @@ static void imx_mu_shutdown(struct mbox_chan *chan) + if (cp->type == IMX_MU_TYPE_TXDB) + tasklet_kill(&cp->txdb_tasklet); + +- imx_mu_xcr_rmw(priv, 0, IMX_MU_xCR_TIEn(cp->idx) | +- IMX_MU_xCR_RIEn(cp->idx) | IMX_MU_xCR_GIEn(cp->idx)); ++ switch (cp->type) { ++ case IMX_MU_TYPE_TX: ++ imx_mu_xcr_rmw(priv, 0, IMX_MU_xCR_TIEn(cp->idx)); ++ break; ++ case IMX_MU_TYPE_RX: ++ imx_mu_xcr_rmw(priv, 0, IMX_MU_xCR_RIEn(cp->idx)); ++ break; ++ case IMX_MU_TYPE_RXDB: ++ imx_mu_xcr_rmw(priv, 0, IMX_MU_xCR_GIEn(cp->idx)); ++ break; ++ default: ++ break; ++ } + + free_irq(priv->irq, chan); + } +-- +2.20.1 + diff --git a/queue-5.4/mailbox-imx-fix-tx-doorbell-shutdown-path.patch b/queue-5.4/mailbox-imx-fix-tx-doorbell-shutdown-path.patch new file mode 100644 index 00000000000..c2bc9a60d0e --- /dev/null +++ b/queue-5.4/mailbox-imx-fix-tx-doorbell-shutdown-path.patch @@ -0,0 +1,79 @@ +From 985c8e0fff2c9324e7223fd483d2304b61b934ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Oct 2019 16:07:18 +0800 +Subject: mailbox: imx: Fix Tx doorbell shutdown path + +From: Daniel Baluta + +[ Upstream commit bf159d151a0b844be28882f39e316b5800acaa2b ] + +Tx doorbell is handled by txdb_tasklet and doesn't +have an associated IRQ. + +Anyhow, imx_mu_shutdown ignores this and tries to +free an IRQ that wasn't requested for Tx DB resulting +in the following warning: + +[ 1.967644] Trying to free already-free IRQ 26 +[ 1.972108] WARNING: CPU: 2 PID: 157 at kernel/irq/manage.c:1708 __free_irq+0xc0/0x358 +[ 1.980024] Modules linked in: +[ 1.983088] CPU: 2 PID: 157 Comm: kworker/2:1 Tainted: G +[ 1.993524] Hardware name: Freescale i.MX8QXP MEK (DT) +[ 1.998668] Workqueue: events deferred_probe_work_func +[ 2.003812] pstate: 60000085 (nZCv daIf -PAN -UAO) +[ 2.008607] pc : __free_irq+0xc0/0x358 +[ 2.012364] lr : __free_irq+0xc0/0x358 +[ 2.016111] sp : ffff00001179b7e0 +[ 2.019422] x29: ffff00001179b7e0 x28: 0000000000000018 +[ 2.024736] x27: ffff000011233000 x26: 0000000000000004 +[ 2.030053] x25: 000000000000001a x24: ffff80083bec74d4 +[ 2.035369] x23: 0000000000000000 x22: ffff80083bec7588 +[ 2.040686] x21: ffff80083b1fe8d8 x20: ffff80083bec7400 +[ 2.046003] x19: 0000000000000000 x18: ffffffffffffffff +[ 2.051320] x17: 0000000000000000 x16: 0000000000000000 +[ 2.056637] x15: ffff0000111296c8 x14: ffff00009179b517 +[ 2.061953] x13: ffff00001179b525 x12: ffff000011142000 +[ 2.067270] x11: ffff000011129f20 x10: ffff0000105da970 +[ 2.072587] x9 : 00000000ffffffd0 x8 : 0000000000000194 +[ 2.077903] x7 : 612065657266206f x6 : ffff0000111e7b09 +[ 2.083220] x5 : 0000000000000003 x4 : 0000000000000000 +[ 2.088537] x3 : 0000000000000000 x2 : 00000000ffffffff +[ 2.093854] x1 : 28b70f0a2b60a500 x0 : 0000000000000000 +[ 2.099173] Call trace: +[ 2.101618] __free_irq+0xc0/0x358 +[ 2.105021] free_irq+0x38/0x98 +[ 2.108170] imx_mu_shutdown+0x90/0xb0 +[ 2.111921] mbox_free_channel.part.2+0x24/0xb8 +[ 2.116453] mbox_free_channel+0x18/0x28 + +This bug is present from the beginning of times. + +Cc: Oleksij Rempel +Signed-off-by: Daniel Baluta +Signed-off-by: Richard Zhu +Reviewed-by: Dong Aisheng +Signed-off-by: Jassi Brar +Signed-off-by: Sasha Levin +--- + drivers/mailbox/imx-mailbox.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/mailbox/imx-mailbox.c b/drivers/mailbox/imx-mailbox.c +index d28bbd47ff88..afe625e88a5c 100644 +--- a/drivers/mailbox/imx-mailbox.c ++++ b/drivers/mailbox/imx-mailbox.c +@@ -214,8 +214,10 @@ static void imx_mu_shutdown(struct mbox_chan *chan) + struct imx_mu_priv *priv = to_imx_mu_priv(chan->mbox); + struct imx_mu_con_priv *cp = chan->con_priv; + +- if (cp->type == IMX_MU_TYPE_TXDB) ++ if (cp->type == IMX_MU_TYPE_TXDB) { + tasklet_kill(&cp->txdb_tasklet); ++ return; ++ } + + switch (cp->type) { + case IMX_MU_TYPE_TX: +-- +2.20.1 + diff --git a/queue-5.4/mfd-mfd-core-honour-device-tree-s-request-to-disable.patch b/queue-5.4/mfd-mfd-core-honour-device-tree-s-request-to-disable.patch new file mode 100644 index 00000000000..33f5cca0832 --- /dev/null +++ b/queue-5.4/mfd-mfd-core-honour-device-tree-s-request-to-disable.patch @@ -0,0 +1,49 @@ +From 6c7fff1ca4605404f5edfd8860b6891885883931 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Nov 2019 11:19:50 +0000 +Subject: mfd: mfd-core: Honour Device Tree's request to disable a child-device + +From: Lee Jones + +[ Upstream commit 6b5c350648b857047b47acf74a57087ad27d6183 ] + +Until now, MFD has assumed all child devices passed to it (via +mfd_cells) are to be registered. It does not take into account +requests from Device Tree and the like to disable child devices +on a per-platform basis. + +Well now it does. + +Link: https://www.spinics.net/lists/arm-kernel/msg366309.html +Link: https://lkml.org/lkml/2019/8/22/1350 + +Reported-by: Barry Song +Reported-by: Stephan Gerhold +Reviewed-by: Daniel Thompson +Reviewed-by: Mark Brown +Tested-by: Stephan Gerhold +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/mfd-core.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/mfd/mfd-core.c b/drivers/mfd/mfd-core.c +index 23276a80e3b4..b0afefdc9eac 100644 +--- a/drivers/mfd/mfd-core.c ++++ b/drivers/mfd/mfd-core.c +@@ -174,6 +174,11 @@ static int mfd_add_device(struct device *parent, int id, + if (parent->of_node && cell->of_compatible) { + for_each_child_of_node(parent->of_node, np) { + if (of_device_is_compatible(np, cell->of_compatible)) { ++ if (!of_device_is_available(np)) { ++ /* Ignore disabled devices error free */ ++ ret = 0; ++ goto fail_alias; ++ } + pdev->dev.of_node = np; + pdev->dev.fwnode = &np->fwnode; + break; +-- +2.20.1 + diff --git a/queue-5.4/mm-hugetlbfs-fix-error-handling-when-setting-up-moun.patch b/queue-5.4/mm-hugetlbfs-fix-error-handling-when-setting-up-moun.patch new file mode 100644 index 00000000000..eca4575cf64 --- /dev/null +++ b/queue-5.4/mm-hugetlbfs-fix-error-handling-when-setting-up-moun.patch @@ -0,0 +1,92 @@ +From 9e8eb6d74a7aa67fd06ad407af15ef494e11f2a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 30 Nov 2019 17:56:34 -0800 +Subject: mm/hugetlbfs: fix error handling when setting up mounts + +From: Mike Kravetz + +[ Upstream commit 8fc312b32b25c6b0a8b46fab4df8c68df5af1223 ] + +It is assumed that the hugetlbfs_vfsmount[] array will contain either a +valid vfsmount pointer or NULL for each hstate after initialization. +Changes made while converting to use fs_context broke this assumption. + +While fixing the hugetlbfs_vfsmount issue, it was discovered that +init_hugetlbfs_fs never did correctly clean up when encountering a vfs +mount error. + +It was found during code inspection. A small memory allocation failure +would be the most likely cause of taking a error path with the bug. +This is unlikely to happen as this is early init code. + +Link: http://lkml.kernel.org/r/94b6244d-2c24-e269-b12c-e3ba694b242d@oracle.com +Reported-by: Chengguang Xu +Fixes: 32021982a324 ("hugetlbfs: Convert to fs_context") +Signed-off-by: Mike Kravetz +Cc: David Howells +Cc: Al Viro +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/hugetlbfs/inode.c | 31 ++++++++++++++++++++++--------- + 1 file changed, 22 insertions(+), 9 deletions(-) + +diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c +index a478df035651..26e3906c18fe 100644 +--- a/fs/hugetlbfs/inode.c ++++ b/fs/hugetlbfs/inode.c +@@ -1461,28 +1461,41 @@ static int __init init_hugetlbfs_fs(void) + sizeof(struct hugetlbfs_inode_info), + 0, SLAB_ACCOUNT, init_once); + if (hugetlbfs_inode_cachep == NULL) +- goto out2; ++ goto out; + + error = register_filesystem(&hugetlbfs_fs_type); + if (error) +- goto out; ++ goto out_free; + ++ /* default hstate mount is required */ ++ mnt = mount_one_hugetlbfs(&hstates[default_hstate_idx]); ++ if (IS_ERR(mnt)) { ++ error = PTR_ERR(mnt); ++ goto out_unreg; ++ } ++ hugetlbfs_vfsmount[default_hstate_idx] = mnt; ++ ++ /* other hstates are optional */ + i = 0; + for_each_hstate(h) { ++ if (i == default_hstate_idx) ++ continue; ++ + mnt = mount_one_hugetlbfs(h); +- if (IS_ERR(mnt) && i == 0) { +- error = PTR_ERR(mnt); +- goto out; +- } +- hugetlbfs_vfsmount[i] = mnt; ++ if (IS_ERR(mnt)) ++ hugetlbfs_vfsmount[i] = NULL; ++ else ++ hugetlbfs_vfsmount[i] = mnt; + i++; + } + + return 0; + +- out: ++ out_unreg: ++ (void)unregister_filesystem(&hugetlbfs_fs_type); ++ out_free: + kmem_cache_destroy(hugetlbfs_inode_cachep); +- out2: ++ out: + return error; + } + fs_initcall(init_hugetlbfs_fs) +-- +2.20.1 + diff --git a/queue-5.4/ocfs2-fix-passing-zero-to-ptr_err-warning.patch b/queue-5.4/ocfs2-fix-passing-zero-to-ptr_err-warning.patch new file mode 100644 index 00000000000..27e4a30a6b1 --- /dev/null +++ b/queue-5.4/ocfs2-fix-passing-zero-to-ptr_err-warning.patch @@ -0,0 +1,48 @@ +From e329003fd01792d8285a36660279291df19ab056 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 30 Nov 2019 17:49:12 -0800 +Subject: ocfs2: fix passing zero to 'PTR_ERR' warning + +From: Ding Xiang + +[ Upstream commit 188c523e1c271d537f3c9f55b6b65bf4476de32f ] + +Fix a static code checker warning: +fs/ocfs2/acl.c:331 + ocfs2_acl_chmod() warn: passing zero to 'PTR_ERR' + +Link: http://lkml.kernel.org/r/1dee278b-6c96-eec2-ce76-fe6e07c6e20f@linux.alibaba.com +Fixes: 5ee0fbd50fd ("ocfs2: revert using ocfs2_acl_chmod to avoid inode cluster lock hang") +Signed-off-by: Ding Xiang +Reviewed-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Gang He +Cc: Jun Piao +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/ocfs2/acl.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/ocfs2/acl.c b/fs/ocfs2/acl.c +index 3e7da392aa6f..bb981ec76456 100644 +--- a/fs/ocfs2/acl.c ++++ b/fs/ocfs2/acl.c +@@ -327,8 +327,8 @@ int ocfs2_acl_chmod(struct inode *inode, struct buffer_head *bh) + down_read(&OCFS2_I(inode)->ip_xattr_sem); + acl = ocfs2_get_acl_nolock(inode, ACL_TYPE_ACCESS, bh); + up_read(&OCFS2_I(inode)->ip_xattr_sem); +- if (IS_ERR(acl) || !acl) +- return PTR_ERR(acl); ++ if (IS_ERR_OR_NULL(acl)) ++ return PTR_ERR_OR_ZERO(acl); + ret = __posix_acl_chmod(&acl, GFP_KERNEL, inode->i_mode); + if (ret) + return ret; +-- +2.20.1 + diff --git a/queue-5.4/of-unittest-fix-memory-leak-in-attach_node_and_child.patch b/queue-5.4/of-unittest-fix-memory-leak-in-attach_node_and_child.patch new file mode 100644 index 00000000000..aa1db5cda0d --- /dev/null +++ b/queue-5.4/of-unittest-fix-memory-leak-in-attach_node_and_child.patch @@ -0,0 +1,47 @@ +From 68e498cdddaafc929463d74cddd45679d5715095 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Nov 2019 02:48:04 +0100 +Subject: of: unittest: fix memory leak in attach_node_and_children + +From: Erhard Furtner + +[ Upstream commit 2aacace6dbbb6b6ce4e177e6c7ea901f389c0472 ] + +In attach_node_and_children memory is allocated for full_name via +kasprintf. If the condition of the 1st if is not met the function +returns early without freeing the memory. Add a kfree() to fix that. + +This has been detected with kmemleak: +Link: https://bugzilla.kernel.org/show_bug.cgi?id=205327 + +It looks like the leak was introduced by this commit: +Fixes: 5babefb7f7ab ("of: unittest: allow base devicetree to have symbol metadata") + +Signed-off-by: Erhard Furtner +Reviewed-by: Michael Ellerman +Reviewed-by: Tyrel Datwyler +Signed-off-by: Rob Herring +Signed-off-by: Sasha Levin +--- + drivers/of/unittest.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/of/unittest.c b/drivers/of/unittest.c +index 92e895d86458..ca7823eef2b4 100644 +--- a/drivers/of/unittest.c ++++ b/drivers/of/unittest.c +@@ -1146,8 +1146,10 @@ static void attach_node_and_children(struct device_node *np) + full_name = kasprintf(GFP_KERNEL, "%pOF", np); + + if (!strcmp(full_name, "/__local_fixups__") || +- !strcmp(full_name, "/__fixups__")) ++ !strcmp(full_name, "/__fixups__")) { ++ kfree(full_name); + return; ++ } + + dup = of_find_node_by_path(full_name); + kfree(full_name); +-- +2.20.1 + diff --git a/queue-5.4/pci-rpaphp-annotate-and-correctly-byte-swap-drc-prop.patch b/queue-5.4/pci-rpaphp-annotate-and-correctly-byte-swap-drc-prop.patch new file mode 100644 index 00000000000..18155943ae3 --- /dev/null +++ b/queue-5.4/pci-rpaphp-annotate-and-correctly-byte-swap-drc-prop.patch @@ -0,0 +1,116 @@ +From 7d1c26f8c475ebf7b283f65d14c29b1684400f41 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 10 Nov 2019 23:21:35 -0600 +Subject: PCI: rpaphp: Annotate and correctly byte swap DRC properties + +From: Tyrel Datwyler + +[ Upstream commit 0737686778c6dbe0908d684dd5b9c05b127526ba ] + +The device tree is in big endian format and any properties directly +retrieved using OF helpers that don't explicitly byte swap should +be annotated. In particular there are several places where we grab +the opaque property value for the old ibm,drc-* properties and the +ibm,my-drc-index property. + +Fix this for better static checking by annotating values we know to +explicitly big endian, and byte swap where appropriate. + +Signed-off-by: Tyrel Datwyler +Acked-by: Bjorn Helgaas +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/1573449697-5448-9-git-send-email-tyreld@linux.ibm.com +Signed-off-by: Sasha Levin +--- + drivers/pci/hotplug/rpaphp_core.c | 29 +++++++++++++++-------------- + 1 file changed, 15 insertions(+), 14 deletions(-) + +diff --git a/drivers/pci/hotplug/rpaphp_core.c b/drivers/pci/hotplug/rpaphp_core.c +index e18e9a0e959c..abb10b3c0b70 100644 +--- a/drivers/pci/hotplug/rpaphp_core.c ++++ b/drivers/pci/hotplug/rpaphp_core.c +@@ -154,11 +154,11 @@ static enum pci_bus_speed get_max_bus_speed(struct slot *slot) + return speed; + } + +-static int get_children_props(struct device_node *dn, const int **drc_indexes, +- const int **drc_names, const int **drc_types, +- const int **drc_power_domains) ++static int get_children_props(struct device_node *dn, const __be32 **drc_indexes, ++ const __be32 **drc_names, const __be32 **drc_types, ++ const __be32 **drc_power_domains) + { +- const int *indexes, *names, *types, *domains; ++ const __be32 *indexes, *names, *types, *domains; + + indexes = of_get_property(dn, "ibm,drc-indexes", NULL); + names = of_get_property(dn, "ibm,drc-names", NULL); +@@ -194,8 +194,8 @@ static int rpaphp_check_drc_props_v1(struct device_node *dn, char *drc_name, + char *drc_type, unsigned int my_index) + { + char *name_tmp, *type_tmp; +- const int *indexes, *names; +- const int *types, *domains; ++ const __be32 *indexes, *names; ++ const __be32 *types, *domains; + int i, rc; + + rc = get_children_props(dn->parent, &indexes, &names, &types, &domains); +@@ -208,7 +208,7 @@ static int rpaphp_check_drc_props_v1(struct device_node *dn, char *drc_name, + + /* Iterate through parent properties, looking for my-drc-index */ + for (i = 0; i < be32_to_cpu(indexes[0]); i++) { +- if ((unsigned int) indexes[i + 1] == my_index) ++ if (be32_to_cpu(indexes[i + 1]) == my_index) + break; + + name_tmp += (strlen(name_tmp) + 1); +@@ -267,7 +267,7 @@ static int rpaphp_check_drc_props_v2(struct device_node *dn, char *drc_name, + int rpaphp_check_drc_props(struct device_node *dn, char *drc_name, + char *drc_type) + { +- const unsigned int *my_index; ++ const __be32 *my_index; + + my_index = of_get_property(dn, "ibm,my-drc-index", NULL); + if (!my_index) { +@@ -277,10 +277,10 @@ int rpaphp_check_drc_props(struct device_node *dn, char *drc_name, + + if (of_find_property(dn->parent, "ibm,drc-info", NULL)) + return rpaphp_check_drc_props_v2(dn, drc_name, drc_type, +- *my_index); ++ be32_to_cpu(*my_index)); + else + return rpaphp_check_drc_props_v1(dn, drc_name, drc_type, +- *my_index); ++ be32_to_cpu(*my_index)); + } + EXPORT_SYMBOL_GPL(rpaphp_check_drc_props); + +@@ -311,10 +311,11 @@ static int is_php_type(char *drc_type) + * for built-in pci slots (even when the built-in slots are + * dlparable.) + */ +-static int is_php_dn(struct device_node *dn, const int **indexes, +- const int **names, const int **types, const int **power_domains) ++static int is_php_dn(struct device_node *dn, const __be32 **indexes, ++ const __be32 **names, const __be32 **types, ++ const __be32 **power_domains) + { +- const int *drc_types; ++ const __be32 *drc_types; + int rc; + + rc = get_children_props(dn, indexes, names, &drc_types, power_domains); +@@ -349,7 +350,7 @@ int rpaphp_add_slot(struct device_node *dn) + struct slot *slot; + int retval = 0; + int i; +- const int *indexes, *names, *types, *power_domains; ++ const __be32 *indexes, *names, *types, *power_domains; + char *name, *type; + + if (!dn->name || strcmp(dn->name, "pci")) +-- +2.20.1 + diff --git a/queue-5.4/pci-rpaphp-correctly-match-ibm-my-drc-index-to-drc-n.patch b/queue-5.4/pci-rpaphp-correctly-match-ibm-my-drc-index-to-drc-n.patch new file mode 100644 index 00000000000..3916bfa4971 --- /dev/null +++ b/queue-5.4/pci-rpaphp-correctly-match-ibm-my-drc-index-to-drc-n.patch @@ -0,0 +1,51 @@ +From 22ceec83cdff15cb4b744b80ce0436a84639e072 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 10 Nov 2019 23:21:36 -0600 +Subject: PCI: rpaphp: Correctly match ibm, my-drc-index to drc-name when using + drc-info + +From: Tyrel Datwyler + +[ Upstream commit 4f9f2d3d7a434b7f882b72550194c9278f4a3925 ] + +The newer ibm,drc-info property is a condensed description of the old +ibm,drc-* properties (ie. names, types, indexes, and power-domains). +When matching a drc-index to a drc-name we need to verify that the +index is within the start and last drc-index range and map it to a +drc-name using the drc-name-prefix and logical index. + +Fix the mapping by checking that the index is within the range of the +current drc-info entry, and build the name from the drc-name-prefix +concatenated with the starting drc-name-suffix value and the sequential +index obtained by subtracting ibm,my-drc-index from this entries +drc-start-index. + +Signed-off-by: Tyrel Datwyler +Acked-by: Bjorn Helgaas +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/1573449697-5448-10-git-send-email-tyreld@linux.ibm.com +Signed-off-by: Sasha Levin +--- + drivers/pci/hotplug/rpaphp_core.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/pci/hotplug/rpaphp_core.c b/drivers/pci/hotplug/rpaphp_core.c +index abb10b3c0b70..32eab1776cfe 100644 +--- a/drivers/pci/hotplug/rpaphp_core.c ++++ b/drivers/pci/hotplug/rpaphp_core.c +@@ -248,9 +248,10 @@ static int rpaphp_check_drc_props_v2(struct device_node *dn, char *drc_name, + /* Should now know end of current entry */ + + /* Found it */ +- if (my_index <= drc.last_drc_index) { ++ if (my_index >= drc.drc_index_start && my_index <= drc.last_drc_index) { ++ int index = my_index - drc.drc_index_start; + sprintf(cell_drc_name, "%s%d", drc.drc_name_prefix, +- my_index); ++ drc.drc_name_suffix_start + index); + break; + } + } +-- +2.20.1 + diff --git a/queue-5.4/pci-rpaphp-don-t-rely-on-firmware-feature-to-imply-d.patch b/queue-5.4/pci-rpaphp-don-t-rely-on-firmware-feature-to-imply-d.patch new file mode 100644 index 00000000000..0c91417e1bd --- /dev/null +++ b/queue-5.4/pci-rpaphp-don-t-rely-on-firmware-feature-to-imply-d.patch @@ -0,0 +1,48 @@ +From 96d826ab0f7f09e6d084789269bc8204c888e84e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 10 Nov 2019 23:21:32 -0600 +Subject: PCI: rpaphp: Don't rely on firmware feature to imply drc-info support + +From: Tyrel Datwyler + +[ Upstream commit 52e2b0f16574afd082cff0f0e8567b2d9f68c033 ] + +In the event that the partition is migrated to a platform with older +firmware that doesn't support the ibm,drc-info property the device +tree is modified to remove the ibm,drc-info property and replace it +with the older style ibm,drc-* properties for types, names, indexes, +and power-domains. One of the requirements of the drc-info firmware +feature is that the client is able to handle both the new property, +and old style properties at runtime. Therefore we can't rely on the +firmware feature alone to dictate which property is currently +present in the device tree. + +Fix this short coming by checking explicitly for the ibm,drc-info +property, and falling back to the older ibm,drc-* properties if it +doesn't exist. + +Signed-off-by: Tyrel Datwyler +Acked-by: Bjorn Helgaas +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/1573449697-5448-6-git-send-email-tyreld@linux.ibm.com +Signed-off-by: Sasha Levin +--- + drivers/pci/hotplug/rpaphp_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pci/hotplug/rpaphp_core.c b/drivers/pci/hotplug/rpaphp_core.c +index e3502644a45c..e18e9a0e959c 100644 +--- a/drivers/pci/hotplug/rpaphp_core.c ++++ b/drivers/pci/hotplug/rpaphp_core.c +@@ -275,7 +275,7 @@ int rpaphp_check_drc_props(struct device_node *dn, char *drc_name, + return -EINVAL; + } + +- if (firmware_has_feature(FW_FEATURE_DRC_INFO)) ++ if (of_find_property(dn->parent, "ibm,drc-info", NULL)) + return rpaphp_check_drc_props_v2(dn, drc_name, drc_type, + *my_index); + else +-- +2.20.1 + diff --git a/queue-5.4/pci-rpaphp-fix-up-pointer-to-first-drc-info-entry.patch b/queue-5.4/pci-rpaphp-fix-up-pointer-to-first-drc-info-entry.patch new file mode 100644 index 00000000000..867f9bdcaff --- /dev/null +++ b/queue-5.4/pci-rpaphp-fix-up-pointer-to-first-drc-info-entry.patch @@ -0,0 +1,43 @@ +From 37862ffd54d58577d730409ff2c4136f0315448c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 10 Nov 2019 23:21:31 -0600 +Subject: PCI: rpaphp: Fix up pointer to first drc-info entry + +From: Tyrel Datwyler + +[ Upstream commit 9723c25f99aff0451cfe6392e1b9fdd99d0bf9f0 ] + +The first entry of the ibm,drc-info property is an int encoded count +of the number of drc-info entries that follow. The "value" pointer +returned by of_prop_next_u32() is still pointing at the this value +when we call of_read_drc_info_cell(), but the helper function +expects that value to be pointing at the first element of an entry. + +Fix up by incrementing the "value" pointer to point at the first +element of the first drc-info entry prior. + +Signed-off-by: Tyrel Datwyler +Acked-by: Bjorn Helgaas +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/1573449697-5448-5-git-send-email-tyreld@linux.ibm.com +Signed-off-by: Sasha Levin +--- + drivers/pci/hotplug/rpaphp_core.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/pci/hotplug/rpaphp_core.c b/drivers/pci/hotplug/rpaphp_core.c +index 18627bb21e9e..e3502644a45c 100644 +--- a/drivers/pci/hotplug/rpaphp_core.c ++++ b/drivers/pci/hotplug/rpaphp_core.c +@@ -239,6 +239,8 @@ static int rpaphp_check_drc_props_v2(struct device_node *dn, char *drc_name, + value = of_prop_next_u32(info, NULL, &entries); + if (!value) + return -EINVAL; ++ else ++ value++; + + for (j = 0; j < entries; j++) { + of_read_drc_info_cell(&info, &value, &drc); +-- +2.20.1 + diff --git a/queue-5.4/perf-diff-use-llabs-with-64-bit-values.patch b/queue-5.4/perf-diff-use-llabs-with-64-bit-values.patch new file mode 100644 index 00000000000..83d0c71d2f9 --- /dev/null +++ b/queue-5.4/perf-diff-use-llabs-with-64-bit-values.patch @@ -0,0 +1,49 @@ +From cd64b957876b2a77aedc8182c3d0369ba5b1c1a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Nov 2019 09:58:22 -0300 +Subject: perf diff: Use llabs() with 64-bit values + +From: Arnaldo Carvalho de Melo + +[ Upstream commit 98e93245113d0f5c279ef77f4a9e7d097323ad71 ] + +To fix these build errors on a debian mipsel cross build environment: + + builtin-diff.c: In function 'block_cycles_diff_cmp': + builtin-diff.c:550:6: error: absolute value function 'labs' given an argument of type 's64' {aka 'long long int'} but has parameter of type 'long int' which may cause truncation of value [-Werror=absolute-value] + 550 | l = labs(left->diff.cycles); + | ^~~~ + builtin-diff.c:551:6: error: absolute value function 'labs' given an argument of type 's64' {aka 'long long int'} but has parameter of type 'long int' which may cause truncation of value [-Werror=absolute-value] + 551 | r = labs(right->diff.cycles); + | ^~~~ + +Fixes: 99150a1faab2 ("perf diff: Use hists to manage basic blocks per symbol") +Cc: Jin Yao +Cc: Adrian Hunter +Cc: Jiri Olsa +Cc: Namhyung Kim +Link: https://lkml.kernel.org/n/tip-pn7szy5uw384ntjgk6zckh6a@git.kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-diff.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/perf/builtin-diff.c b/tools/perf/builtin-diff.c +index c37a78677955..265682296836 100644 +--- a/tools/perf/builtin-diff.c ++++ b/tools/perf/builtin-diff.c +@@ -575,8 +575,8 @@ static int64_t block_cycles_diff_cmp(struct hist_entry *left, + if (!pairs_left && !pairs_right) + return 0; + +- l = labs(left->diff.cycles); +- r = labs(right->diff.cycles); ++ l = llabs(left->diff.cycles); ++ r = llabs(right->diff.cycles); + return r - l; + } + +-- +2.20.1 + diff --git a/queue-5.4/perf-regs-make-perf_reg_name-return-unknown-instead-.patch b/queue-5.4/perf-regs-make-perf_reg_name-return-unknown-instead-.patch new file mode 100644 index 00000000000..c4ceef9f5b5 --- /dev/null +++ b/queue-5.4/perf-regs-make-perf_reg_name-return-unknown-instead-.patch @@ -0,0 +1,86 @@ +From 2103f4c4ab4209deb7424230bf78ca454f666cff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Nov 2019 10:13:34 -0300 +Subject: perf regs: Make perf_reg_name() return "unknown" instead of NULL + +From: Arnaldo Carvalho de Melo + +[ Upstream commit 5b596e0ff0e1852197d4c82d3314db5e43126bf7 ] + +To avoid breaking the build on arches where this is not wired up, at +least all the other features should be made available and when using +this specific routine, the "unknown" should point the user/developer to +the need to wire this up on this particular hardware architecture. + +Detected in a container mipsel debian cross build environment, where it +shows up as: + + In file included from /usr/mipsel-linux-gnu/include/stdio.h:867, + from /git/linux/tools/perf/lib/include/perf/cpumap.h:6, + from util/session.c:13: + In function 'printf', + inlined from 'regs_dump__printf' at util/session.c:1103:3, + inlined from 'regs__printf' at util/session.c:1131:2: + /usr/mipsel-linux-gnu/include/bits/stdio2.h:107:10: error: '%-5s' directive argument is null [-Werror=format-overflow=] + 107 | return __printf_chk (__USE_FORTIFY_LEVEL - 1, __fmt, __va_arg_pack ()); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +cross compiler details: + + mipsel-linux-gnu-gcc (Debian 9.2.1-8) 9.2.1 20190909 + +Also on mips64: + + In file included from /usr/mips64-linux-gnuabi64/include/stdio.h:867, + from /git/linux/tools/perf/lib/include/perf/cpumap.h:6, + from util/session.c:13: + In function 'printf', + inlined from 'regs_dump__printf' at util/session.c:1103:3, + inlined from 'regs__printf' at util/session.c:1131:2, + inlined from 'regs_user__printf' at util/session.c:1139:3, + inlined from 'dump_sample' at util/session.c:1246:3, + inlined from 'machines__deliver_event' at util/session.c:1421:3: + /usr/mips64-linux-gnuabi64/include/bits/stdio2.h:107:10: error: '%-5s' directive argument is null [-Werror=format-overflow=] + 107 | return __printf_chk (__USE_FORTIFY_LEVEL - 1, __fmt, __va_arg_pack ()); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + In function 'printf', + inlined from 'regs_dump__printf' at util/session.c:1103:3, + inlined from 'regs__printf' at util/session.c:1131:2, + inlined from 'regs_intr__printf' at util/session.c:1147:3, + inlined from 'dump_sample' at util/session.c:1249:3, + inlined from 'machines__deliver_event' at util/session.c:1421:3: + /usr/mips64-linux-gnuabi64/include/bits/stdio2.h:107:10: error: '%-5s' directive argument is null [-Werror=format-overflow=] + 107 | return __printf_chk (__USE_FORTIFY_LEVEL - 1, __fmt, __va_arg_pack ()); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +cross compiler details: + + mips64-linux-gnuabi64-gcc (Debian 9.2.1-8) 9.2.1 20190909 + +Fixes: 2bcd355b71da ("perf tools: Add interface to arch registers sets") +Cc: Adrian Hunter +Cc: Jiri Olsa +Cc: Namhyung Kim +Link: https://lkml.kernel.org/n/tip-95wjyv4o65nuaeweq31t7l1s@git.kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/perf_regs.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/util/perf_regs.h b/tools/perf/util/perf_regs.h +index 47fe34e5f7d5..ec7640cc4c91 100644 +--- a/tools/perf/util/perf_regs.h ++++ b/tools/perf/util/perf_regs.h +@@ -41,7 +41,7 @@ int perf_reg_value(u64 *valp, struct regs_dump *regs, int id); + + static inline const char *perf_reg_name(int id __maybe_unused) + { +- return NULL; ++ return "unknown"; + } + + static inline int perf_reg_value(u64 *valp __maybe_unused, +-- +2.20.1 + diff --git a/queue-5.4/perf-script-fix-brstackinsn-for-auxtrace.patch b/queue-5.4/perf-script-fix-brstackinsn-for-auxtrace.patch new file mode 100644 index 00000000000..73f4307d1ee --- /dev/null +++ b/queue-5.4/perf-script-fix-brstackinsn-for-auxtrace.patch @@ -0,0 +1,66 @@ +From 838a4377ce48a054b1457eff7aebc7dcdf5e60f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Nov 2019 11:53:21 +0200 +Subject: perf script: Fix brstackinsn for AUXTRACE + +From: Adrian Hunter + +[ Upstream commit 0cd032d3b5fcebf5454315400ab310746a81ca53 ] + +brstackinsn must be allowed to be set by the user when AUX area data has +been captured because, in that case, the branch stack might be +synthesized on the fly. This fixes the following error: + +Before: + + $ perf record -e '{intel_pt//,cpu/mem_inst_retired.all_loads,aux-sample-size=8192/pp}:u' grep -rqs jhgjhg /boot + [ perf record: Woken up 19 times to write data ] + [ perf record: Captured and wrote 2.274 MB perf.data ] + $ perf script -F +brstackinsn --xed --itrace=i1usl100 | head + Display of branch stack assembler requested, but non all-branch filter set + Hint: run 'perf record -b ...' + +After: + + $ perf record -e '{intel_pt//,cpu/mem_inst_retired.all_loads,aux-sample-size=8192/pp}:u' grep -rqs jhgjhg /boot + [ perf record: Woken up 19 times to write data ] + [ perf record: Captured and wrote 2.274 MB perf.data ] + $ perf script -F +brstackinsn --xed --itrace=i1usl100 | head + grep 13759 [002] 8091.310257: 1862 instructions:uH: 5641d58069eb bmexec+0x86b (/bin/grep) + bmexec+2485: + 00005641d5806b35 jnz 0x5641d5806bd0 # MISPRED + 00005641d5806bd0 movzxb (%r13,%rdx,1), %eax + 00005641d5806bd6 add %rdi, %rax + 00005641d5806bd9 movzxb -0x1(%rax), %edx + 00005641d5806bdd cmp %rax, %r14 + 00005641d5806be0 jnb 0x5641d58069c0 # MISPRED + mismatch of LBR data and executable + 00005641d58069c0 movzxb (%r13,%rdx,1), %edi + +Fixes: 48d02a1d5c13 ("perf script: Add 'brstackinsn' for branch stacks") +Reported-by: Andi Kleen +Signed-off-by: Adrian Hunter +Cc: Jiri Olsa +Link: http://lore.kernel.org/lkml/20191127095322.15417-1-adrian.hunter@intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-script.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/builtin-script.c b/tools/perf/builtin-script.c +index 6dba8b728d23..3983d6ccd14d 100644 +--- a/tools/perf/builtin-script.c ++++ b/tools/perf/builtin-script.c +@@ -448,7 +448,7 @@ static int perf_evsel__check_attr(struct evsel *evsel, + "selected. Hence, no address to lookup the source line number.\n"); + return -EINVAL; + } +- if (PRINT_FIELD(BRSTACKINSN) && ++ if (PRINT_FIELD(BRSTACKINSN) && !allow_user_set && + !(perf_evlist__combined_branch_type(session->evlist) & + PERF_SAMPLE_BRANCH_ANY)) { + pr_err("Display of branch stack assembler requested, but non all-branch filter set\n" +-- +2.20.1 + diff --git a/queue-5.4/platform-x86-intel_pmc_core-add-comet-lake-cml-platf.patch b/queue-5.4/platform-x86-intel_pmc_core-add-comet-lake-cml-platf.patch new file mode 100644 index 00000000000..20ee8812af5 --- /dev/null +++ b/queue-5.4/platform-x86-intel_pmc_core-add-comet-lake-cml-platf.patch @@ -0,0 +1,73 @@ +From 35a0d62b0e5695dfe416c38ac506b3190894b603 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Nov 2019 11:05:41 -0800 +Subject: platform/x86: intel_pmc_core: Add Comet Lake (CML) platform support + to intel_pmc_core driver + +From: Gayatri Kammela + +[ Upstream commit 5406327d43edd9a171bd260f49c752d148727eaf ] + +Add Comet Lake to the list of the platforms that intel_pmc_core driver +supports for pmc_core device. + +Just like Ice Lake, Comet Lake can also reuse all the Cannon Lake PCH +IPs. No additional effort is needed to enable but to simply reuse them. + +Cc: Mario Limonciello +Cc: Peter Zijlstra +Cc: Srinivas Pandruvada +Cc: Andy Shevchenko +Cc: Kan Liang +Cc: David E. Box +Cc: Rajneesh Bhardwaj +Cc: Tony Luck +Signed-off-by: Gayatri Kammela +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/intel_pmc_core.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/platform/x86/intel_pmc_core.c b/drivers/platform/x86/intel_pmc_core.c +index 6b6edc30f835..571b4754477c 100644 +--- a/drivers/platform/x86/intel_pmc_core.c ++++ b/drivers/platform/x86/intel_pmc_core.c +@@ -160,6 +160,7 @@ static const struct pmc_reg_map spt_reg_map = { + + /* Cannon Lake: PGD PFET Enable Ack Status Register(s) bitmap */ + static const struct pmc_bit_map cnp_pfear_map[] = { ++ /* Reserved for Cannon Lake but valid for Comet Lake */ + {"PMC", BIT(0)}, + {"OPI-DMI", BIT(1)}, + {"SPI/eSPI", BIT(2)}, +@@ -185,7 +186,7 @@ static const struct pmc_bit_map cnp_pfear_map[] = { + {"SDX", BIT(4)}, + {"SPE", BIT(5)}, + {"Fuse", BIT(6)}, +- /* Reserved for Cannon Lake but valid for Ice Lake */ ++ /* Reserved for Cannon Lake but valid for Ice Lake and Comet Lake */ + {"SBR8", BIT(7)}, + + {"CSME_FSC", BIT(0)}, +@@ -229,7 +230,7 @@ static const struct pmc_bit_map cnp_pfear_map[] = { + {"HDA_PGD4", BIT(2)}, + {"HDA_PGD5", BIT(3)}, + {"HDA_PGD6", BIT(4)}, +- /* Reserved for Cannon Lake but valid for Ice Lake */ ++ /* Reserved for Cannon Lake but valid for Ice Lake and Comet Lake */ + {"PSF6", BIT(5)}, + {"PSF7", BIT(6)}, + {"PSF8", BIT(7)}, +@@ -813,6 +814,8 @@ static const struct x86_cpu_id intel_pmc_core_ids[] = { + INTEL_CPU_FAM6(CANNONLAKE_L, cnp_reg_map), + INTEL_CPU_FAM6(ICELAKE_L, icl_reg_map), + INTEL_CPU_FAM6(ICELAKE_NNPI, icl_reg_map), ++ INTEL_CPU_FAM6(COMETLAKE, cnp_reg_map), ++ INTEL_CPU_FAM6(COMETLAKE_L, cnp_reg_map), + {} + }; + +-- +2.20.1 + diff --git a/queue-5.4/platform-x86-intel_pmc_core-fix-the-soc-naming-incon.patch b/queue-5.4/platform-x86-intel_pmc_core-fix-the-soc-naming-incon.patch new file mode 100644 index 00000000000..42fded52d42 --- /dev/null +++ b/queue-5.4/platform-x86-intel_pmc_core-fix-the-soc-naming-incon.patch @@ -0,0 +1,94 @@ +From 9bbec4238061a6544f992f9d518625aee313f974 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Nov 2019 11:05:40 -0800 +Subject: platform/x86: intel_pmc_core: Fix the SoC naming inconsistency + +From: Gayatri Kammela + +[ Upstream commit 43e82d8aa92503d264309fb648b251b2d85caf1a ] + +Intel's SoCs follow a naming convention which spells out the SoC name as +two words instead of one word (E.g: Cannon Lake vs Cannonlake). Thus fix +the naming inconsistency across the intel_pmc_core driver, so future +SoCs can follow the naming consistency as below. + +Cometlake -> Comet Lake +Tigerlake -> Tiger Lake +Elkhartlake -> Elkhart Lake + +Cc: Mario Limonciello +Cc: Peter Zijlstra +Cc: Srinivas Pandruvada +Cc: Andy Shevchenko +Cc: Kan Liang +Cc: David E. Box +Cc: Rajneesh Bhardwaj +Cc: Tony Luck +Suggested-by: Andy Shevchenko +Signed-off-by: Gayatri Kammela +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/intel_pmc_core.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/drivers/platform/x86/intel_pmc_core.c b/drivers/platform/x86/intel_pmc_core.c +index 94a008efb09b..6b6edc30f835 100644 +--- a/drivers/platform/x86/intel_pmc_core.c ++++ b/drivers/platform/x86/intel_pmc_core.c +@@ -158,7 +158,7 @@ static const struct pmc_reg_map spt_reg_map = { + .pm_vric1_offset = SPT_PMC_VRIC1_OFFSET, + }; + +-/* Cannonlake: PGD PFET Enable Ack Status Register(s) bitmap */ ++/* Cannon Lake: PGD PFET Enable Ack Status Register(s) bitmap */ + static const struct pmc_bit_map cnp_pfear_map[] = { + {"PMC", BIT(0)}, + {"OPI-DMI", BIT(1)}, +@@ -185,7 +185,7 @@ static const struct pmc_bit_map cnp_pfear_map[] = { + {"SDX", BIT(4)}, + {"SPE", BIT(5)}, + {"Fuse", BIT(6)}, +- /* Reserved for Cannonlake but valid for Icelake */ ++ /* Reserved for Cannon Lake but valid for Ice Lake */ + {"SBR8", BIT(7)}, + + {"CSME_FSC", BIT(0)}, +@@ -229,12 +229,12 @@ static const struct pmc_bit_map cnp_pfear_map[] = { + {"HDA_PGD4", BIT(2)}, + {"HDA_PGD5", BIT(3)}, + {"HDA_PGD6", BIT(4)}, +- /* Reserved for Cannonlake but valid for Icelake */ ++ /* Reserved for Cannon Lake but valid for Ice Lake */ + {"PSF6", BIT(5)}, + {"PSF7", BIT(6)}, + {"PSF8", BIT(7)}, + +- /* Icelake generation onwards only */ ++ /* Ice Lake generation onwards only */ + {"RES_65", BIT(0)}, + {"RES_66", BIT(1)}, + {"RES_67", BIT(2)}, +@@ -324,7 +324,7 @@ static const struct pmc_bit_map cnp_ltr_show_map[] = { + {"ISH", CNP_PMC_LTR_ISH}, + {"UFSX2", CNP_PMC_LTR_UFSX2}, + {"EMMC", CNP_PMC_LTR_EMMC}, +- /* Reserved for Cannonlake but valid for Icelake */ ++ /* Reserved for Cannon Lake but valid for Ice Lake */ + {"WIGIG", ICL_PMC_LTR_WIGIG}, + /* Below two cannot be used for LTR_IGNORE */ + {"CURRENT_PLATFORM", CNP_PMC_LTR_CUR_PLT}, +@@ -871,8 +871,8 @@ static int pmc_core_probe(struct platform_device *pdev) + pmcdev->map = (struct pmc_reg_map *)cpu_id->driver_data; + + /* +- * Coffeelake has CPU ID of Kabylake and Cannonlake PCH. So here +- * Sunrisepoint PCH regmap can't be used. Use Cannonlake PCH regmap ++ * Coffee Lake has CPU ID of Kaby Lake and Cannon Lake PCH. So here ++ * Sunrisepoint PCH regmap can't be used. Use Cannon Lake PCH regmap + * in this case. + */ + if (pmcdev->map == &spt_reg_map && !pci_dev_present(pmc_pci_ids)) +-- +2.20.1 + diff --git a/queue-5.4/platform-x86-peaq-wmi-switch-to-using-polled-mode-of.patch b/queue-5.4/platform-x86-peaq-wmi-switch-to-using-polled-mode-of.patch new file mode 100644 index 00000000000..d757a00f847 --- /dev/null +++ b/queue-5.4/platform-x86-peaq-wmi-switch-to-using-polled-mode-of.patch @@ -0,0 +1,173 @@ +From dda32c8527e69812dc246ba9e0734469d07318c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Oct 2019 11:58:22 -0700 +Subject: platform/x86: peaq-wmi: switch to using polled mode of input devices + +From: Dmitry Torokhov + +[ Upstream commit 60d15095336cfb56dce5c7767ed3b8c6c1cf79a3 ] + +We have added polled mode to the normal input devices with the intent of +retiring input_polled_dev. This converts peaq-wmi driver to use the +polling mode of standard input devices and removes dependency on +INPUT_POLLDEV. + +Because the new polling coded does not allow peeking inside the poller +structure to get the poll interval, we change the "debounce" process to +operate on the time basis, instead of counting events. + +We also fix error handling during initialization, as previously we leaked +input device structure when we failed to register it. + +Signed-off-by: Dmitry Torokhov +Reviewed-by: Hans de Goede +Tested-by: Hans de Goede +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/Kconfig | 1 - + drivers/platform/x86/peaq-wmi.c | 66 +++++++++++++++++++++------------ + 2 files changed, 42 insertions(+), 25 deletions(-) + +diff --git a/drivers/platform/x86/Kconfig b/drivers/platform/x86/Kconfig +index ae21d08c65e8..1cab99320514 100644 +--- a/drivers/platform/x86/Kconfig ++++ b/drivers/platform/x86/Kconfig +@@ -806,7 +806,6 @@ config PEAQ_WMI + tristate "PEAQ 2-in-1 WMI hotkey driver" + depends on ACPI_WMI + depends on INPUT +- select INPUT_POLLDEV + help + Say Y here if you want to support WMI-based hotkeys on PEAQ 2-in-1s. + +diff --git a/drivers/platform/x86/peaq-wmi.c b/drivers/platform/x86/peaq-wmi.c +index fdeb3624c529..cf9c44c20a82 100644 +--- a/drivers/platform/x86/peaq-wmi.c ++++ b/drivers/platform/x86/peaq-wmi.c +@@ -6,7 +6,7 @@ + + #include + #include +-#include ++#include + #include + #include + +@@ -18,8 +18,7 @@ + + MODULE_ALIAS("wmi:"PEAQ_DOLBY_BUTTON_GUID); + +-static unsigned int peaq_ignore_events_counter; +-static struct input_polled_dev *peaq_poll_dev; ++static struct input_dev *peaq_poll_dev; + + /* + * The Dolby button (yes really a Dolby button) causes an ACPI variable to get +@@ -28,8 +27,10 @@ static struct input_polled_dev *peaq_poll_dev; + * (if polling after the release) or twice (polling between press and release). + * We ignore events for 0.5s after the first event to avoid reporting 2 presses. + */ +-static void peaq_wmi_poll(struct input_polled_dev *dev) ++static void peaq_wmi_poll(struct input_dev *input_dev) + { ++ static unsigned long last_event_time; ++ static bool had_events; + union acpi_object obj; + acpi_status status; + u32 dummy = 0; +@@ -44,22 +45,25 @@ static void peaq_wmi_poll(struct input_polled_dev *dev) + return; + + if (obj.type != ACPI_TYPE_INTEGER) { +- dev_err(&peaq_poll_dev->input->dev, ++ dev_err(&input_dev->dev, + "Error WMBC did not return an integer\n"); + return; + } + +- if (peaq_ignore_events_counter && peaq_ignore_events_counter--) ++ if (!obj.integer.value) + return; + +- if (obj.integer.value) { +- input_event(peaq_poll_dev->input, EV_KEY, KEY_SOUND, 1); +- input_sync(peaq_poll_dev->input); +- input_event(peaq_poll_dev->input, EV_KEY, KEY_SOUND, 0); +- input_sync(peaq_poll_dev->input); +- peaq_ignore_events_counter = max(1u, +- PEAQ_POLL_IGNORE_MS / peaq_poll_dev->poll_interval); +- } ++ if (had_events && time_before(jiffies, last_event_time + ++ msecs_to_jiffies(PEAQ_POLL_IGNORE_MS))) ++ return; ++ ++ input_event(input_dev, EV_KEY, KEY_SOUND, 1); ++ input_sync(input_dev); ++ input_event(input_dev, EV_KEY, KEY_SOUND, 0); ++ input_sync(input_dev); ++ ++ last_event_time = jiffies; ++ had_events = true; + } + + /* Some other devices (Shuttle XS35) use the same WMI GUID for other purposes */ +@@ -75,6 +79,8 @@ static const struct dmi_system_id peaq_dmi_table[] __initconst = { + + static int __init peaq_wmi_init(void) + { ++ int err; ++ + /* WMI GUID is not unique, also check for a DMI match */ + if (!dmi_check_system(peaq_dmi_table)) + return -ENODEV; +@@ -82,24 +88,36 @@ static int __init peaq_wmi_init(void) + if (!wmi_has_guid(PEAQ_DOLBY_BUTTON_GUID)) + return -ENODEV; + +- peaq_poll_dev = input_allocate_polled_device(); ++ peaq_poll_dev = input_allocate_device(); + if (!peaq_poll_dev) + return -ENOMEM; + +- peaq_poll_dev->poll = peaq_wmi_poll; +- peaq_poll_dev->poll_interval = PEAQ_POLL_INTERVAL_MS; +- peaq_poll_dev->poll_interval_max = PEAQ_POLL_MAX_MS; +- peaq_poll_dev->input->name = "PEAQ WMI hotkeys"; +- peaq_poll_dev->input->phys = "wmi/input0"; +- peaq_poll_dev->input->id.bustype = BUS_HOST; +- input_set_capability(peaq_poll_dev->input, EV_KEY, KEY_SOUND); ++ peaq_poll_dev->name = "PEAQ WMI hotkeys"; ++ peaq_poll_dev->phys = "wmi/input0"; ++ peaq_poll_dev->id.bustype = BUS_HOST; ++ input_set_capability(peaq_poll_dev, EV_KEY, KEY_SOUND); ++ ++ err = input_setup_polling(peaq_poll_dev, peaq_wmi_poll); ++ if (err) ++ goto err_out; ++ ++ input_set_poll_interval(peaq_poll_dev, PEAQ_POLL_INTERVAL_MS); ++ input_set_max_poll_interval(peaq_poll_dev, PEAQ_POLL_MAX_MS); ++ ++ err = input_register_device(peaq_poll_dev); ++ if (err) ++ goto err_out; ++ ++ return 0; + +- return input_register_polled_device(peaq_poll_dev); ++err_out: ++ input_free_device(peaq_poll_dev); ++ return err; + } + + static void __exit peaq_wmi_exit(void) + { +- input_unregister_polled_device(peaq_poll_dev); ++ input_unregister_device(peaq_poll_dev); + } + + module_init(peaq_wmi_init); +-- +2.20.1 + diff --git a/queue-5.4/powerpc-book3s-mm-update-oops-message-to-print-the-c.patch b/queue-5.4/powerpc-book3s-mm-update-oops-message-to-print-the-c.patch new file mode 100644 index 00000000000..0f8a08b9f40 --- /dev/null +++ b/queue-5.4/powerpc-book3s-mm-update-oops-message-to-print-the-c.patch @@ -0,0 +1,69 @@ +From 8a9352f2f394cfae8015915169bdec60c3a942d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Jul 2019 20:28:14 +0530 +Subject: powerpc/book3s/mm: Update Oops message to print the correct + translation in use + +From: Aneesh Kumar K.V + +[ Upstream commit d7e02f7b7991dbe14a2acfb0e53d675cd149001c ] + +Avoids confusion when printing Oops message like below + + Faulting instruction address: 0xc00000000008bdb4 + Oops: Kernel access of bad area, sig: 11 [#1] + LE PAGE_SIZE=64K MMU=Radix MMU=Hash SMP NR_CPUS=2048 NUMA PowerNV + +This was because we never clear the MMU_FTR_HPTE_TABLE feature flag +even if we run with radix translation. It was discussed that we should +look at this feature flag as an indication of the capability to run +hash translation and we should not clear the flag even if we run in +radix translation. All the code paths check for radix_enabled() check and +if found true consider we are running with radix translation. Follow the +same sequence for finding the MMU translation string to be used in Oops +message. + +Signed-off-by: Aneesh Kumar K.V +Acked-by: Nicholas Piggin +Reviewed-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20190711145814.17970-1-aneesh.kumar@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/traps.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/arch/powerpc/kernel/traps.c b/arch/powerpc/kernel/traps.c +index 82f43535e686..014ff0701f24 100644 +--- a/arch/powerpc/kernel/traps.c ++++ b/arch/powerpc/kernel/traps.c +@@ -250,15 +250,22 @@ static void oops_end(unsigned long flags, struct pt_regs *regs, + } + NOKPROBE_SYMBOL(oops_end); + ++static char *get_mmu_str(void) ++{ ++ if (early_radix_enabled()) ++ return " MMU=Radix"; ++ if (early_mmu_has_feature(MMU_FTR_HPTE_TABLE)) ++ return " MMU=Hash"; ++ return ""; ++} ++ + static int __die(const char *str, struct pt_regs *regs, long err) + { + printk("Oops: %s, sig: %ld [#%d]\n", str, err, ++die_counter); + +- printk("%s PAGE_SIZE=%luK%s%s%s%s%s%s%s %s\n", ++ printk("%s PAGE_SIZE=%luK%s%s%s%s%s%s %s\n", + IS_ENABLED(CONFIG_CPU_LITTLE_ENDIAN) ? "LE" : "BE", +- PAGE_SIZE / 1024, +- early_radix_enabled() ? " MMU=Radix" : "", +- early_mmu_has_feature(MMU_FTR_HPTE_TABLE) ? " MMU=Hash" : "", ++ PAGE_SIZE / 1024, get_mmu_str(), + IS_ENABLED(CONFIG_PREEMPT) ? " PREEMPT" : "", + IS_ENABLED(CONFIG_SMP) ? " SMP" : "", + IS_ENABLED(CONFIG_SMP) ? (" NR_CPUS=" __stringify(NR_CPUS)) : "", +-- +2.20.1 + diff --git a/queue-5.4/powerpc-book3s64-hash-add-cond_resched-to-avoid-soft.patch b/queue-5.4/powerpc-book3s64-hash-add-cond_resched-to-avoid-soft.patch new file mode 100644 index 00000000000..abd86615b4b --- /dev/null +++ b/queue-5.4/powerpc-book3s64-hash-add-cond_resched-to-avoid-soft.patch @@ -0,0 +1,77 @@ +From 88d43dcaef73f415ea7af5c55138c3a584f12387 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Oct 2019 14:16:56 +0530 +Subject: powerpc/book3s64/hash: Add cond_resched to avoid soft lockup warning + +From: Aneesh Kumar K.V + +[ Upstream commit 16f6b67cf03cb43db7104acb2ca877bdc2606c92 ] + +With large memory (8TB and more) hotplug, we can get soft lockup +warnings as below. These were caused by a long loop without any +explicit cond_resched which is a problem for !PREEMPT kernels. + +Avoid this using cond_resched() while inserting hash page table +entries. We already do similar cond_resched() in __add_pages(), see +commit f64ac5e6e306 ("mm, memory_hotplug: add scheduling point to +__add_pages"). + + rcu: 3-....: (24002 ticks this GP) idle=13e/1/0x4000000000000002 softirq=722/722 fqs=12001 + (t=24003 jiffies g=4285 q=2002) + NMI backtrace for cpu 3 + CPU: 3 PID: 3870 Comm: ndctl Not tainted 5.3.0-197.18-default+ #2 + Call Trace: + dump_stack+0xb0/0xf4 (unreliable) + nmi_cpu_backtrace+0x124/0x130 + nmi_trigger_cpumask_backtrace+0x1ac/0x1f0 + arch_trigger_cpumask_backtrace+0x28/0x3c + rcu_dump_cpu_stacks+0xf8/0x154 + rcu_sched_clock_irq+0x878/0xb40 + update_process_times+0x48/0x90 + tick_sched_handle.isra.16+0x4c/0x80 + tick_sched_timer+0x68/0xe0 + __hrtimer_run_queues+0x180/0x430 + hrtimer_interrupt+0x110/0x300 + timer_interrupt+0x108/0x2f0 + decrementer_common+0x114/0x120 + --- interrupt: 901 at arch_add_memory+0xc0/0x130 + LR = arch_add_memory+0x74/0x130 + memremap_pages+0x494/0x650 + devm_memremap_pages+0x3c/0xa0 + pmem_attach_disk+0x188/0x750 + nvdimm_bus_probe+0xac/0x2c0 + really_probe+0x148/0x570 + driver_probe_device+0x19c/0x1d0 + device_driver_attach+0xcc/0x100 + bind_store+0x134/0x1c0 + drv_attr_store+0x44/0x60 + sysfs_kf_write+0x64/0x90 + kernfs_fop_write+0x1a0/0x270 + __vfs_write+0x3c/0x70 + vfs_write+0xd0/0x260 + ksys_write+0xdc/0x130 + system_call+0x5c/0x68 + +Signed-off-by: Aneesh Kumar K.V +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20191001084656.31277-1-aneesh.kumar@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/mm/book3s64/hash_utils.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/powerpc/mm/book3s64/hash_utils.c b/arch/powerpc/mm/book3s64/hash_utils.c +index 6e5a769ebcb8..83c51a7d7eee 100644 +--- a/arch/powerpc/mm/book3s64/hash_utils.c ++++ b/arch/powerpc/mm/book3s64/hash_utils.c +@@ -305,6 +305,7 @@ int htab_bolt_mapping(unsigned long vstart, unsigned long vend, + if (ret < 0) + break; + ++ cond_resched(); + #ifdef CONFIG_DEBUG_PAGEALLOC + if (debug_pagealloc_enabled() && + (paddr >> PAGE_SHIFT) < linear_map_hash_count) +-- +2.20.1 + diff --git a/queue-5.4/powerpc-don-t-add-mabi-flags-when-building-with-clan.patch b/queue-5.4/powerpc-don-t-add-mabi-flags-when-building-with-clan.patch new file mode 100644 index 00000000000..56ab9abaad1 --- /dev/null +++ b/queue-5.4/powerpc-don-t-add-mabi-flags-when-building-with-clan.patch @@ -0,0 +1,97 @@ +From d188a1afeb7d5af752172f09bc71a41d745356d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Nov 2019 21:57:10 -0700 +Subject: powerpc: Don't add -mabi= flags when building with Clang + +From: Nathan Chancellor + +[ Upstream commit 465bfd9c44dea6b55962b5788a23ac87a467c923 ] + +When building pseries_defconfig, building vdso32 errors out: + + error: unknown target ABI 'elfv1' + +This happens because -m32 in clang changes the target to 32-bit, +which does not allow the ABI to be changed. + +Commit 4dc831aa8813 ("powerpc: Fix compiling a BE kernel with a +powerpc64le toolchain") added these flags to fix building big endian +kernels with a little endian GCC. + +Clang doesn't need -mabi because the target triple controls the +default value. -mlittle-endian and -mbig-endian manipulate the triple +into either powerpc64-* or powerpc64le-*, which properly sets the +default ABI. + +Adding a debug print out in the PPC64TargetInfo constructor after line +383 above shows this: + + $ echo | ./clang -E --target=powerpc64-linux -mbig-endian -o /dev/null - + Default ABI: elfv1 + + $ echo | ./clang -E --target=powerpc64-linux -mlittle-endian -o /dev/null - + Default ABI: elfv2 + + $ echo | ./clang -E --target=powerpc64le-linux -mbig-endian -o /dev/null - + Default ABI: elfv1 + + $ echo | ./clang -E --target=powerpc64le-linux -mlittle-endian -o /dev/null - + Default ABI: elfv2 + +Don't specify -mabi when building with clang to avoid the build error +with -m32 and not change any code generation. + +-mcall-aixdesc is not an implemented flag in clang so it can be safely +excluded as well, see commit 238abecde8ad ("powerpc: Don't use gcc +specific options on clang"). + +pseries_defconfig successfully builds after this patch and +powernv_defconfig and ppc44x_defconfig don't regress. + +Reviewed-by: Daniel Axtens +Signed-off-by: Nathan Chancellor +[mpe: Trim clang links in change log] +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20191119045712.39633-2-natechancellor@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/Makefile | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/arch/powerpc/Makefile b/arch/powerpc/Makefile +index 83522c9fc7b6..37ac731a556b 100644 +--- a/arch/powerpc/Makefile ++++ b/arch/powerpc/Makefile +@@ -91,11 +91,13 @@ MULTIPLEWORD := -mmultiple + endif + + ifdef CONFIG_PPC64 ++ifndef CONFIG_CC_IS_CLANG + cflags-$(CONFIG_CPU_BIG_ENDIAN) += $(call cc-option,-mabi=elfv1) + cflags-$(CONFIG_CPU_BIG_ENDIAN) += $(call cc-option,-mcall-aixdesc) + aflags-$(CONFIG_CPU_BIG_ENDIAN) += $(call cc-option,-mabi=elfv1) + aflags-$(CONFIG_CPU_LITTLE_ENDIAN) += -mabi=elfv2 + endif ++endif + + ifndef CONFIG_CC_IS_CLANG + cflags-$(CONFIG_CPU_LITTLE_ENDIAN) += -mno-strict-align +@@ -141,6 +143,7 @@ endif + endif + + CFLAGS-$(CONFIG_PPC64) := $(call cc-option,-mtraceback=no) ++ifndef CONFIG_CC_IS_CLANG + ifdef CONFIG_CPU_LITTLE_ENDIAN + CFLAGS-$(CONFIG_PPC64) += $(call cc-option,-mabi=elfv2,$(call cc-option,-mcall-aixdesc)) + AFLAGS-$(CONFIG_PPC64) += $(call cc-option,-mabi=elfv2) +@@ -149,6 +152,7 @@ CFLAGS-$(CONFIG_PPC64) += $(call cc-option,-mabi=elfv1) + CFLAGS-$(CONFIG_PPC64) += $(call cc-option,-mcall-aixdesc) + AFLAGS-$(CONFIG_PPC64) += $(call cc-option,-mabi=elfv1) + endif ++endif + CFLAGS-$(CONFIG_PPC64) += $(call cc-option,-mcmodel=medium,$(call cc-option,-mminimal-toc)) + CFLAGS-$(CONFIG_PPC64) += $(call cc-option,-mno-pointers-to-nested-functions) + +-- +2.20.1 + diff --git a/queue-5.4/powerpc-eeh-differentiate-duplicate-detection-messag.patch b/queue-5.4/powerpc-eeh-differentiate-duplicate-detection-messag.patch new file mode 100644 index 00000000000..ba94a2bd1e7 --- /dev/null +++ b/queue-5.4/powerpc-eeh-differentiate-duplicate-detection-messag.patch @@ -0,0 +1,58 @@ +From 8bebd0052740e024c3c8cb41e56202bcade0b9c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Oct 2019 15:59:37 +1100 +Subject: powerpc/eeh: differentiate duplicate detection message + +From: Sam Bobroff + +[ Upstream commit de84ffc3ccbeec3678f95a3d898fc188efa0d9c5 ] + +Currently when an EEH error is detected, the system log receives the +same (or almost the same) message twice: + + EEH: PHB#0 failure detected, location: N/A + EEH: PHB#0 failure detected, location: N/A +or + EEH: eeh_dev_check_failure: Frozen PHB#0-PE#0 detected + EEH: Frozen PHB#0-PE#0 detected + +This looks like a bug, but in fact the messages are from different +functions and mean slightly different things. So keep both but change +one of the messages slightly, so that it's clear they are different: + + EEH: PHB#0 failure detected, location: N/A + EEH: Recovering PHB#0, location: N/A +or + EEH: eeh_dev_check_failure: Frozen PHB#0-PE#0 detected + EEH: Recovering PHB#0-PE#0 + +Signed-off-by: Sam Bobroff +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/43817cb6e6631b0828b9a6e266f60d1f8ca8eb22.1571288375.git.sbobroff@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/eeh_driver.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/kernel/eeh_driver.c b/arch/powerpc/kernel/eeh_driver.c +index d9279d0ee9f5..c031be8d41ff 100644 +--- a/arch/powerpc/kernel/eeh_driver.c ++++ b/arch/powerpc/kernel/eeh_driver.c +@@ -897,12 +897,12 @@ void eeh_handle_normal_event(struct eeh_pe *pe) + + /* Log the event */ + if (pe->type & EEH_PE_PHB) { +- pr_err("EEH: PHB#%x failure detected, location: %s\n", ++ pr_err("EEH: Recovering PHB#%x, location: %s\n", + pe->phb->global_number, eeh_pe_loc_get(pe)); + } else { + struct eeh_pe *phb_pe = eeh_phb_pe_get(pe->phb); + +- pr_err("EEH: Frozen PHB#%x-PE#%x detected\n", ++ pr_err("EEH: Recovering PHB#%x-PE#%x\n", + pe->phb->global_number, pe->addr); + pr_err("EEH: PE location: %s, PHB location: %s\n", + eeh_pe_loc_get(pe), eeh_pe_loc_get(phb_pe)); +-- +2.20.1 + diff --git a/queue-5.4/powerpc-fixmap-use-__fix_to_virt-instead-of-fix_to_v.patch b/queue-5.4/powerpc-fixmap-use-__fix_to_virt-instead-of-fix_to_v.patch new file mode 100644 index 00000000000..39e338789de --- /dev/null +++ b/queue-5.4/powerpc-fixmap-use-__fix_to_virt-instead-of-fix_to_v.patch @@ -0,0 +1,71 @@ +From 9c0c89e51eba1aa705320992ede5c0d16d81fecf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Sep 2019 13:49:42 +0000 +Subject: powerpc/fixmap: Use __fix_to_virt() instead of fix_to_virt() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Christophe Leroy + +[ Upstream commit 77693a5fb57be4606a6024ec8e3076f9499b906b ] + +Modify back __set_fixmap() to using __fix_to_virt() instead +of fix_to_virt() otherwise the following happens because it +seems GCC doesn't see idx as a builtin const. + + CC mm/early_ioremap.o +In file included from ./include/linux/kernel.h:11:0, + from mm/early_ioremap.c:11: +In function ‘fix_to_virt’, + inlined from ‘__set_fixmap’ at ./arch/powerpc/include/asm/fixmap.h:87:2, + inlined from ‘__early_ioremap’ at mm/early_ioremap.c:156:4: +./include/linux/compiler.h:350:38: error: call to ‘__compiletime_assert_32’ declared with attribute error: BUILD_BUG_ON failed: idx >= __end_of_fixed_addresses + _compiletime_assert(condition, msg, __compiletime_assert_, __LINE__) + ^ +./include/linux/compiler.h:331:4: note: in definition of macro ‘__compiletime_assert’ + prefix ## suffix(); \ + ^ +./include/linux/compiler.h:350:2: note: in expansion of macro ‘_compiletime_assert’ + _compiletime_assert(condition, msg, __compiletime_assert_, __LINE__) + ^ +./include/linux/build_bug.h:39:37: note: in expansion of macro ‘compiletime_assert’ + #define BUILD_BUG_ON_MSG(cond, msg) compiletime_assert(!(cond), msg) + ^ +./include/linux/build_bug.h:50:2: note: in expansion of macro ‘BUILD_BUG_ON_MSG’ + BUILD_BUG_ON_MSG(condition, "BUILD_BUG_ON failed: " #condition) + ^ +./include/asm-generic/fixmap.h:32:2: note: in expansion of macro ‘BUILD_BUG_ON’ + BUILD_BUG_ON(idx >= __end_of_fixed_addresses); + ^ + +Signed-off-by: Christophe Leroy +Fixes: 4cfac2f9c7f1 ("powerpc/mm: Simplify __set_fixmap()") +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/f4984c615f90caa3277775a68849afeea846850d.1568295907.git.christophe.leroy@c-s.fr +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/fixmap.h | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/include/asm/fixmap.h b/arch/powerpc/include/asm/fixmap.h +index 0cfc365d814b..722289a1d000 100644 +--- a/arch/powerpc/include/asm/fixmap.h ++++ b/arch/powerpc/include/asm/fixmap.h +@@ -77,7 +77,12 @@ enum fixed_addresses { + static inline void __set_fixmap(enum fixed_addresses idx, + phys_addr_t phys, pgprot_t flags) + { +- map_kernel_page(fix_to_virt(idx), phys, flags); ++ if (__builtin_constant_p(idx)) ++ BUILD_BUG_ON(idx >= __end_of_fixed_addresses); ++ else if (WARN_ON(idx >= __end_of_fixed_addresses)) ++ return; ++ ++ map_kernel_page(__fix_to_virt(idx), phys, flags); + } + + #endif /* !__ASSEMBLY__ */ +-- +2.20.1 + diff --git a/queue-5.4/powerpc-papr_scm-fix-an-off-by-one-check-in-papr_scm.patch b/queue-5.4/powerpc-papr_scm-fix-an-off-by-one-check-in-papr_scm.patch new file mode 100644 index 00000000000..1c74683b729 --- /dev/null +++ b/queue-5.4/powerpc-papr_scm-fix-an-off-by-one-check-in-papr_scm.patch @@ -0,0 +1,60 @@ +From a12b7d2f722e7496d02dd9dd0984f10f7ae091e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Sep 2019 11:50:02 +0530 +Subject: powerpc/papr_scm: Fix an off-by-one check in papr_scm_meta_{get, set} + +From: Vaibhav Jain + +[ Upstream commit 612ee81b9461475b5a5612c2e8d71559dd3c7920 ] + +A validation check to prevent out of bounds read/write inside +functions papr_scm_meta_{get,set}() is off-by-one that prevent reads +and writes to the last byte of the label area. + +This bug manifests as a failure to probe a dimm when libnvdimm is +unable to read the entire config-area as advertised by +ND_CMD_GET_CONFIG_SIZE. This usually happens when there are large +number of namespaces created in the region backed by the dimm and the +label-index spans max possible config-area. An error of the form below +usually reported in the kernel logs: + +[ 255.293912] nvdimm: probe of nmem0 failed with error -22 + +The patch fixes these validation checks there by letting libnvdimm +access the entire config-area. + +Fixes: 53e80bd042773('powerpc/nvdimm: Add support for multibyte read/write for metadata') +Signed-off-by: Vaibhav Jain +Reviewed-by: Aneesh Kumar K.V +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20190927062002.3169-1-vaibhav@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/pseries/papr_scm.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/platforms/pseries/papr_scm.c b/arch/powerpc/platforms/pseries/papr_scm.c +index 61883291defc..ee07d0718bf1 100644 +--- a/arch/powerpc/platforms/pseries/papr_scm.c ++++ b/arch/powerpc/platforms/pseries/papr_scm.c +@@ -152,7 +152,7 @@ static int papr_scm_meta_get(struct papr_scm_priv *p, + int len, read; + int64_t ret; + +- if ((hdr->in_offset + hdr->in_length) >= p->metadata_size) ++ if ((hdr->in_offset + hdr->in_length) > p->metadata_size) + return -EINVAL; + + for (len = hdr->in_length; len; len -= read) { +@@ -206,7 +206,7 @@ static int papr_scm_meta_set(struct papr_scm_priv *p, + __be64 data_be; + int64_t ret; + +- if ((hdr->in_offset + hdr->in_length) >= p->metadata_size) ++ if ((hdr->in_offset + hdr->in_length) > p->metadata_size) + return -EINVAL; + + for (len = hdr->in_length; len; len -= wrote) { +-- +2.20.1 + diff --git a/queue-5.4/powerpc-pseries-cmm-implement-release-function-for-s.patch b/queue-5.4/powerpc-pseries-cmm-implement-release-function-for-s.patch new file mode 100644 index 00000000000..b6d09000cf0 --- /dev/null +++ b/queue-5.4/powerpc-pseries-cmm-implement-release-function-for-s.patch @@ -0,0 +1,52 @@ +From 291e5ef3fc6730adce9dc030a11401f1bdced395 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Oct 2019 15:29:22 +0100 +Subject: powerpc/pseries/cmm: Implement release() function for sysfs device + +From: David Hildenbrand + +[ Upstream commit 7d8212747435c534c8d564fbef4541a463c976ff ] + +When unloading the module, one gets + ------------[ cut here ]------------ + Device 'cmm0' does not have a release() function, it is broken and must be fixed. See Documentation/kobject.txt. + WARNING: CPU: 0 PID: 19308 at drivers/base/core.c:1244 .device_release+0xcc/0xf0 + ... + +We only have one static fake device. There is nothing to do when +releasing the device (via cmm_exit()). + +Signed-off-by: David Hildenbrand +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20191031142933.10779-2-david@redhat.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/pseries/cmm.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/arch/powerpc/platforms/pseries/cmm.c b/arch/powerpc/platforms/pseries/cmm.c +index b33251d75927..572651a5c87b 100644 +--- a/arch/powerpc/platforms/pseries/cmm.c ++++ b/arch/powerpc/platforms/pseries/cmm.c +@@ -411,6 +411,10 @@ static struct bus_type cmm_subsys = { + .dev_name = "cmm", + }; + ++static void cmm_release_device(struct device *dev) ++{ ++} ++ + /** + * cmm_sysfs_register - Register with sysfs + * +@@ -426,6 +430,7 @@ static int cmm_sysfs_register(struct device *dev) + + dev->id = 0; + dev->bus = &cmm_subsys; ++ dev->release = cmm_release_device; + + if ((rc = device_register(dev))) + goto subsys_unregister; +-- +2.20.1 + diff --git a/queue-5.4/powerpc-pseries-don-t-fail-hash-page-table-insert-fo.patch b/queue-5.4/powerpc-pseries-don-t-fail-hash-page-table-insert-fo.patch new file mode 100644 index 00000000000..3b1661e3f9a --- /dev/null +++ b/queue-5.4/powerpc-pseries-don-t-fail-hash-page-table-insert-fo.patch @@ -0,0 +1,67 @@ +From 23cb67b6ad01e3261a0d96f33de24c6a81288b3d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Oct 2019 15:05:41 +0530 +Subject: powerpc/pseries: Don't fail hash page table insert for bolted mapping + +From: Aneesh Kumar K.V + +[ Upstream commit 75838a3290cd4ebbd1f567f310ba04b6ef017ce4 ] + +If the hypervisor returned H_PTEG_FULL for H_ENTER hcall, retry a hash page table +insert by removing a random entry from the group. + +After some runtime, it is very well possible to find all the 8 hash page table +entry slot in the hpte group used for mapping. Don't fail a bolted entry insert +in that case. With Storage class memory a user can find this error easily since +a namespace enable/disable is equivalent to memory add/remove. + +This results in failures as reported below: + +$ ndctl create-namespace -r region1 -t pmem -m devdax -a 65536 -s 100M +libndctl: ndctl_dax_enable: dax1.3: failed to enable + Error: namespace1.2: failed to enable + +failed to create namespace: No such device or address + +In kernel log we find the details as below: + +Unable to create mapping for hot added memory 0xc000042006000000..0xc00004200d000000: -1 +dax_pmem: probe of dax1.3 failed with error -14 + +This indicates that we failed to create a bolted hash table entry for direct-map +address backing the namespace. + +We also observe failures such that not all namespaces will be enabled with +ndctl enable-namespace all command. + +Signed-off-by: Aneesh Kumar K.V +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20191024093542.29777-2-aneesh.kumar@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/mm/book3s64/hash_utils.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/mm/book3s64/hash_utils.c b/arch/powerpc/mm/book3s64/hash_utils.c +index 6c123760164e..6e5a769ebcb8 100644 +--- a/arch/powerpc/mm/book3s64/hash_utils.c ++++ b/arch/powerpc/mm/book3s64/hash_utils.c +@@ -294,7 +294,14 @@ int htab_bolt_mapping(unsigned long vstart, unsigned long vend, + ret = mmu_hash_ops.hpte_insert(hpteg, vpn, paddr, tprot, + HPTE_V_BOLTED, psize, psize, + ssize); +- ++ if (ret == -1) { ++ /* Try to remove a non bolted entry */ ++ ret = mmu_hash_ops.hpte_remove(hpteg); ++ if (ret != -1) ++ ret = mmu_hash_ops.hpte_insert(hpteg, vpn, paddr, tprot, ++ HPTE_V_BOLTED, psize, psize, ++ ssize); ++ } + if (ret < 0) + break; + +-- +2.20.1 + diff --git a/queue-5.4/powerpc-pseries-mark-accumulate_stolen_time-as-notra.patch b/queue-5.4/powerpc-pseries-mark-accumulate_stolen_time-as-notra.patch new file mode 100644 index 00000000000..5ba66a1ed13 --- /dev/null +++ b/queue-5.4/powerpc-pseries-mark-accumulate_stolen_time-as-notra.patch @@ -0,0 +1,52 @@ +From 9d08426819c8e35bdb8f89c5c766544512febe66 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 13 Oct 2019 21:23:51 +1100 +Subject: powerpc/pseries: Mark accumulate_stolen_time() as notrace + +From: Michael Ellerman + +[ Upstream commit eb8e20f89093b64f48975c74ccb114e6775cee22 ] + +accumulate_stolen_time() is called prior to interrupt state being +reconciled, which can trip the warning in arch_local_irq_restore(): + + WARNING: CPU: 5 PID: 1017 at arch/powerpc/kernel/irq.c:258 .arch_local_irq_restore+0x9c/0x130 + ... + NIP .arch_local_irq_restore+0x9c/0x130 + LR .rb_start_commit+0x38/0x80 + Call Trace: + .ring_buffer_lock_reserve+0xe4/0x620 + .trace_function+0x44/0x210 + .function_trace_call+0x148/0x170 + .ftrace_ops_no_ops+0x180/0x1d0 + ftrace_call+0x4/0x8 + .accumulate_stolen_time+0x1c/0xb0 + decrementer_common+0x124/0x160 + +For now just mark it as notrace. We may change the ordering to call it +after interrupt state has been reconciled, but that is a larger +change. + +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20191024055932.27940-1-mpe@ellerman.id.au +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/time.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/kernel/time.c b/arch/powerpc/kernel/time.c +index 619447b1b797..11301a1187f3 100644 +--- a/arch/powerpc/kernel/time.c ++++ b/arch/powerpc/kernel/time.c +@@ -232,7 +232,7 @@ static u64 scan_dispatch_log(u64 stop_tb) + * Accumulate stolen time by scanning the dispatch trace log. + * Called on entry from user mode. + */ +-void accumulate_stolen_time(void) ++void notrace accumulate_stolen_time(void) + { + u64 sst, ust; + unsigned long save_irq_soft_mask = irq_soft_mask_return(); +-- +2.20.1 + diff --git a/queue-5.4/powerpc-security-book3s64-report-l1tf-status-in-sysf.patch b/queue-5.4/powerpc-security-book3s64-report-l1tf-status-in-sysf.patch new file mode 100644 index 00000000000..ea60afc6f6f --- /dev/null +++ b/queue-5.4/powerpc-security-book3s64-report-l1tf-status-in-sysf.patch @@ -0,0 +1,45 @@ +From 6481036210fcd451154558573764597604f0f329 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Oct 2019 12:07:59 -0700 +Subject: powerpc/security/book3s64: Report L1TF status in sysfs + +From: Anthony Steinhauser + +[ Upstream commit 8e6b6da91ac9b9ec5a925b6cb13f287a54bd547d ] + +Some PowerPC CPUs are vulnerable to L1TF to the same extent as to +Meltdown. It is also mitigated by flushing the L1D on privilege +transition. + +Currently the sysfs gives a false negative on L1TF on CPUs that I +verified to be vulnerable, a Power9 Talos II Boston 004e 1202, PowerNV +T2P9D01. + +Signed-off-by: Anthony Steinhauser +Signed-off-by: Michael Ellerman +[mpe: Just have cpu_show_l1tf() call cpu_show_meltdown() directly] +Link: https://lore.kernel.org/r/20191029190759.84821-1-asteinhauser@google.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/security.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/arch/powerpc/kernel/security.c b/arch/powerpc/kernel/security.c +index bd91dceb7010..298a2e3ad6f4 100644 +--- a/arch/powerpc/kernel/security.c ++++ b/arch/powerpc/kernel/security.c +@@ -168,6 +168,11 @@ ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr, cha + + return sprintf(buf, "Vulnerable\n"); + } ++ ++ssize_t cpu_show_l1tf(struct device *dev, struct device_attribute *attr, char *buf) ++{ ++ return cpu_show_meltdown(dev, attr, buf); ++} + #endif + + ssize_t cpu_show_spectre_v1(struct device *dev, struct device_attribute *attr, char *buf) +-- +2.20.1 + diff --git a/queue-5.4/powerpc-security-fix-wrong-message-when-rfi-flush-is.patch b/queue-5.4/powerpc-security-fix-wrong-message-when-rfi-flush-is.patch new file mode 100644 index 00000000000..50cd37b25c9 --- /dev/null +++ b/queue-5.4/powerpc-security-fix-wrong-message-when-rfi-flush-is.patch @@ -0,0 +1,95 @@ +From ba6d04dd596ba21b912da40149990d1160c0cf8f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 May 2019 18:09:07 -0300 +Subject: powerpc/security: Fix wrong message when RFI Flush is disable + +From: Gustavo L. F. Walbon + +[ Upstream commit 4e706af3cd8e1d0503c25332b30cad33c97ed442 ] + +The issue was showing "Mitigation" message via sysfs whatever the +state of "RFI Flush", but it should show "Vulnerable" when it is +disabled. + +If you have "L1D private" feature enabled and not "RFI Flush" you are +vulnerable to meltdown attacks. + +"RFI Flush" is the key feature to mitigate the meltdown whatever the +"L1D private" state. + +SEC_FTR_L1D_THREAD_PRIV is a feature for Power9 only. + +So the message should be as the truth table shows: + + CPU | L1D private | RFI Flush | sysfs + ----|-------------|-----------|------------------------------------- + P9 | False | False | Vulnerable + P9 | False | True | Mitigation: RFI Flush + P9 | True | False | Vulnerable: L1D private per thread + P9 | True | True | Mitigation: RFI Flush, L1D private per thread + P8 | False | False | Vulnerable + P8 | False | True | Mitigation: RFI Flush + +Output before this fix: + # cat /sys/devices/system/cpu/vulnerabilities/meltdown + Mitigation: RFI Flush, L1D private per thread + # echo 0 > /sys/kernel/debug/powerpc/rfi_flush + # cat /sys/devices/system/cpu/vulnerabilities/meltdown + Mitigation: L1D private per thread + +Output after fix: + # cat /sys/devices/system/cpu/vulnerabilities/meltdown + Mitigation: RFI Flush, L1D private per thread + # echo 0 > /sys/kernel/debug/powerpc/rfi_flush + # cat /sys/devices/system/cpu/vulnerabilities/meltdown + Vulnerable: L1D private per thread + +Signed-off-by: Gustavo L. F. Walbon +Signed-off-by: Mauro S. M. Rodrigues +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20190502210907.42375-1-gwalbon@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/security.c | 16 ++++++---------- + 1 file changed, 6 insertions(+), 10 deletions(-) + +diff --git a/arch/powerpc/kernel/security.c b/arch/powerpc/kernel/security.c +index 298a2e3ad6f4..d341b464f23c 100644 +--- a/arch/powerpc/kernel/security.c ++++ b/arch/powerpc/kernel/security.c +@@ -142,26 +142,22 @@ ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr, cha + + thread_priv = security_ftr_enabled(SEC_FTR_L1D_THREAD_PRIV); + +- if (rfi_flush || thread_priv) { ++ if (rfi_flush) { + struct seq_buf s; + seq_buf_init(&s, buf, PAGE_SIZE - 1); + +- seq_buf_printf(&s, "Mitigation: "); +- +- if (rfi_flush) +- seq_buf_printf(&s, "RFI Flush"); +- +- if (rfi_flush && thread_priv) +- seq_buf_printf(&s, ", "); +- ++ seq_buf_printf(&s, "Mitigation: RFI Flush"); + if (thread_priv) +- seq_buf_printf(&s, "L1D private per thread"); ++ seq_buf_printf(&s, ", L1D private per thread"); + + seq_buf_printf(&s, "\n"); + + return s.len; + } + ++ if (thread_priv) ++ return sprintf(buf, "Vulnerable: L1D private per thread\n"); ++ + if (!security_ftr_enabled(SEC_FTR_L1D_FLUSH_HV) && + !security_ftr_enabled(SEC_FTR_L1D_FLUSH_PR)) + return sprintf(buf, "Not affected\n"); +-- +2.20.1 + diff --git a/queue-5.4/powerpc-tools-don-t-quote-objdump-in-scripts.patch b/queue-5.4/powerpc-tools-don-t-quote-objdump-in-scripts.patch new file mode 100644 index 00000000000..b3c355d0f02 --- /dev/null +++ b/queue-5.4/powerpc-tools-don-t-quote-objdump-in-scripts.patch @@ -0,0 +1,67 @@ +From a7acf64b74fa930ac9f49a91ed80006e13e92aee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Oct 2019 11:47:30 +1100 +Subject: powerpc/tools: Don't quote $objdump in scripts + +From: Michael Ellerman + +[ Upstream commit e44ff9ea8f4c8a90c82f7b85bd4f5e497c841960 ] + +Some of our scripts are passed $objdump and then call it as +"$objdump". This doesn't work if it contains spaces because we're +using ccache, for example you get errors such as: + + ./arch/powerpc/tools/relocs_check.sh: line 48: ccache ppc64le-objdump: No such file or directory + ./arch/powerpc/tools/unrel_branch_check.sh: line 26: ccache ppc64le-objdump: No such file or directory + +Fix it by not quoting the string when we expand it, allowing the shell +to do the right thing for us. + +Fixes: a71aa05e1416 ("powerpc: Convert relocs_check to a shell script using grep") +Fixes: 4ea80652dc75 ("powerpc/64s: Tool to flag direct branches from unrelocated interrupt vectors") +Signed-off-by: Michael Ellerman +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20191024004730.32135-1-mpe@ellerman.id.au +Signed-off-by: Sasha Levin +--- + arch/powerpc/tools/relocs_check.sh | 2 +- + arch/powerpc/tools/unrel_branch_check.sh | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/powerpc/tools/relocs_check.sh b/arch/powerpc/tools/relocs_check.sh +index 2b4e959caa36..7b9fe0a567cf 100755 +--- a/arch/powerpc/tools/relocs_check.sh ++++ b/arch/powerpc/tools/relocs_check.sh +@@ -20,7 +20,7 @@ objdump="$1" + vmlinux="$2" + + bad_relocs=$( +-"$objdump" -R "$vmlinux" | ++$objdump -R "$vmlinux" | + # Only look at relocation lines. + grep -E '\:' | + awk '{print $1}' + ) + + BRANCHES=$( +-"$objdump" -R "$vmlinux" -D --start-address=0xc000000000000000 \ ++$objdump -R "$vmlinux" -D --start-address=0xc000000000000000 \ + --stop-address=${end_intr} | + grep -e "^c[0-9a-f]*:[[:space:]]*\([0-9a-f][0-9a-f][[:space:]]\)\{4\}[[:space:]]*b" | + grep -v '\<__start_initialization_multiplatform>' | +-- +2.20.1 + diff --git a/queue-5.4/s390-cpum_sf-check-for-sdbt-and-sdb-consistency.patch b/queue-5.4/s390-cpum_sf-check-for-sdbt-and-sdb-consistency.patch new file mode 100644 index 00000000000..64ddb460b78 --- /dev/null +++ b/queue-5.4/s390-cpum_sf-check-for-sdbt-and-sdb-consistency.patch @@ -0,0 +1,107 @@ +From 4d8a95da855d108a4c886bb5509b42443b375c10 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Nov 2019 16:43:15 +0100 +Subject: s390/cpum_sf: Check for SDBT and SDB consistency + +From: Thomas Richter + +[ Upstream commit 247f265fa502e7b17a0cb0cc330e055a36aafce4 ] + +Each SBDT is located at a 4KB page and contains 512 entries. +Each entry of a SDBT points to a SDB, a 4KB page containing +sampled data. The last entry is a link to another SDBT page. + +When an event is created the function sequence executed is: + + __hw_perf_event_init() + +--> allocate_buffers() + +--> realloc_sampling_buffers() + +---> alloc_sample_data_block() + +Both functions realloc_sampling_buffers() and +alloc_sample_data_block() allocate pages and the allocation +can fail. This is handled correctly and all allocated +pages are freed and error -ENOMEM is returned to the +top calling function. Finally the event is not created. + +Once the event has been created, the amount of initially +allocated SDBT and SDB can be too low. This is detected +during measurement interrupt handling, where the amount +of lost samples is calculated. If the number of lost samples +is too high considering sampling frequency and already allocated +SBDs, the number of SDBs is enlarged during the next execution +of cpumsf_pmu_enable(). + +If more SBDs need to be allocated, functions + + realloc_sampling_buffers() + +---> alloc-sample_data_block() + +are called to allocate more pages. Page allocation may fail +and the returned error is ignored. A SDBT and SDB setup +already exists. + +However the modified SDBTs and SDBs might end up in a situation +where the first entry of an SDBT does not point to an SDB, +but another SDBT, basicly an SBDT without payload. +This can not be handled by the interrupt handler, where an SDBT +must have at least one entry pointing to an SBD. + +Add a check to avoid SDBTs with out payload (SDBs) when enlarging +the buffer setup. + +Signed-off-by: Thomas Richter +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/perf_cpum_sf.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +diff --git a/arch/s390/kernel/perf_cpum_sf.c b/arch/s390/kernel/perf_cpum_sf.c +index 3d8b12a9a6ff..7511b71d2931 100644 +--- a/arch/s390/kernel/perf_cpum_sf.c ++++ b/arch/s390/kernel/perf_cpum_sf.c +@@ -193,7 +193,7 @@ static int realloc_sampling_buffer(struct sf_buffer *sfb, + unsigned long num_sdb, gfp_t gfp_flags) + { + int i, rc; +- unsigned long *new, *tail; ++ unsigned long *new, *tail, *tail_prev = NULL; + + if (!sfb->sdbt || !sfb->tail) + return -EINVAL; +@@ -232,6 +232,7 @@ static int realloc_sampling_buffer(struct sf_buffer *sfb, + sfb->num_sdbt++; + /* Link current page to tail of chain */ + *tail = (unsigned long)(void *) new + 1; ++ tail_prev = tail; + tail = new; + } + +@@ -241,10 +242,22 @@ static int realloc_sampling_buffer(struct sf_buffer *sfb, + * issue, a new realloc call (if required) might succeed. + */ + rc = alloc_sample_data_block(tail, gfp_flags); +- if (rc) ++ if (rc) { ++ /* Undo last SDBT. An SDBT with no SDB at its first ++ * entry but with an SDBT entry instead can not be ++ * handled by the interrupt handler code. ++ * Avoid this situation. ++ */ ++ if (tail_prev) { ++ sfb->num_sdbt--; ++ free_page((unsigned long) new); ++ tail = tail_prev; ++ } + break; ++ } + sfb->num_sdb++; + tail++; ++ tail_prev = new = NULL; /* Allocated at least one SBD */ + } + + /* Link sampling buffer to its origin */ +-- +2.20.1 + diff --git a/queue-5.4/s390-disable-preemption-when-switching-to-nodat-stac.patch b/queue-5.4/s390-disable-preemption-when-switching-to-nodat-stac.patch new file mode 100644 index 00000000000..b2ec6b755bd --- /dev/null +++ b/queue-5.4/s390-disable-preemption-when-switching-to-nodat-stac.patch @@ -0,0 +1,61 @@ +From 84f298c980aba6fc02bd1cb96d03b868713fb871 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Nov 2019 12:19:16 +0100 +Subject: s390: disable preemption when switching to nodat stack with + CALL_ON_STACK + +From: Vasily Gorbik + +[ Upstream commit 7f28dad395243c5026d649136823bbc40029a828 ] + +Make sure preemption is disabled when temporary switching to nodat +stack with CALL_ON_STACK helper, because nodat stack is per cpu. + +Reviewed-by: Heiko Carstens +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/machine_kexec.c | 2 ++ + arch/s390/mm/maccess.c | 12 +++++++++--- + 2 files changed, 11 insertions(+), 3 deletions(-) + +diff --git a/arch/s390/kernel/machine_kexec.c b/arch/s390/kernel/machine_kexec.c +index d402ced7f7c3..cb8b1cc285c9 100644 +--- a/arch/s390/kernel/machine_kexec.c ++++ b/arch/s390/kernel/machine_kexec.c +@@ -164,7 +164,9 @@ static bool kdump_csum_valid(struct kimage *image) + #ifdef CONFIG_CRASH_DUMP + int rc; + ++ preempt_disable(); + rc = CALL_ON_STACK(do_start_kdump, S390_lowcore.nodat_stack, 1, image); ++ preempt_enable(); + return rc == 0; + #else + return false; +diff --git a/arch/s390/mm/maccess.c b/arch/s390/mm/maccess.c +index 59ad7997fed1..de7ca4b6718f 100644 +--- a/arch/s390/mm/maccess.c ++++ b/arch/s390/mm/maccess.c +@@ -119,9 +119,15 @@ static unsigned long __no_sanitize_address _memcpy_real(unsigned long dest, + */ + int memcpy_real(void *dest, void *src, size_t count) + { +- if (S390_lowcore.nodat_stack != 0) +- return CALL_ON_STACK(_memcpy_real, S390_lowcore.nodat_stack, +- 3, dest, src, count); ++ int rc; ++ ++ if (S390_lowcore.nodat_stack != 0) { ++ preempt_disable(); ++ rc = CALL_ON_STACK(_memcpy_real, S390_lowcore.nodat_stack, 3, ++ dest, src, count); ++ preempt_enable(); ++ return rc; ++ } + /* + * This is a really early memcpy_real call, the stacks are + * not set up yet. Just call _memcpy_real on the early boot +-- +2.20.1 + diff --git a/queue-5.4/s390-unwind-filter-out-unreliable-bogus-r14.patch b/queue-5.4/s390-unwind-filter-out-unreliable-bogus-r14.patch new file mode 100644 index 00000000000..cf570533749 --- /dev/null +++ b/queue-5.4/s390-unwind-filter-out-unreliable-bogus-r14.patch @@ -0,0 +1,47 @@ +From b70b34a4384918bc10a60a12d4986c446ee96a80 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Nov 2019 18:12:04 +0100 +Subject: s390/unwind: filter out unreliable bogus %r14 + +From: Vasily Gorbik + +[ Upstream commit bf018ee644897d7982e1b8dd8b15e97db6e1a4da ] + +Currently unwinder unconditionally returns %r14 from the first frame +pointed by %r15 from pt_regs. A task could be interrupted when a function +already allocated this frame (if it needs it) for its callees or to +store local variables. In that case this frame would contain random +values from stack or values stored there by a callee. As we are only +interested in %r14 to get potential return address, skip bogus return +addresses which doesn't belong to kernel text. + +This helps to avoid duplicating filtering logic in unwider users, most +of which use unwind_get_return_address() and would choke on bogus 0 +address returned by it otherwise. + +Reviewed-by: Heiko Carstens +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/unwind_bc.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/arch/s390/kernel/unwind_bc.c b/arch/s390/kernel/unwind_bc.c +index a8204f952315..6e609b13c0ce 100644 +--- a/arch/s390/kernel/unwind_bc.c ++++ b/arch/s390/kernel/unwind_bc.c +@@ -60,6 +60,11 @@ bool unwind_next_frame(struct unwind_state *state) + ip = READ_ONCE_NOCHECK(sf->gprs[8]); + reliable = false; + regs = NULL; ++ if (!__kernel_text_address(ip)) { ++ /* skip bogus %r14 */ ++ state->regs = NULL; ++ return unwind_next_frame(state); ++ } + } else { + sf = (struct stack_frame *) state->sp; + sp = READ_ONCE_NOCHECK(sf->back_chain); +-- +2.20.1 + diff --git a/queue-5.4/s390-zcrypt-handle-new-reply-code-filtered_by_hyperv.patch b/queue-5.4/s390-zcrypt-handle-new-reply-code-filtered_by_hyperv.patch new file mode 100644 index 00000000000..26300d08970 --- /dev/null +++ b/queue-5.4/s390-zcrypt-handle-new-reply-code-filtered_by_hyperv.patch @@ -0,0 +1,51 @@ +From 1d35c40899ed0fdf4623192c3dcab6ca7dbf7495 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Nov 2019 11:44:31 +0100 +Subject: s390/zcrypt: handle new reply code FILTERED_BY_HYPERVISOR + +From: Harald Freudenberger + +[ Upstream commit 6733775a92eacd612ac88afa0fd922e4ffeb2bc7 ] + +This patch introduces support for a new architectured reply +code 0x8B indicating that a hypervisor layer (if any) has +rejected an ap message. + +Linux may run as a guest on top of a hypervisor like zVM +or KVM. So the crypto hardware seen by the ap bus may be +restricted by the hypervisor for example only a subset like +only clear key crypto requests may be supported. Other +requests will be filtered out - rejected by the hypervisor. +The new reply code 0x8B will appear in such cases and needs +to get recognized by the ap bus and zcrypt device driver zoo. + +Signed-off-by: Harald Freudenberger +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + drivers/s390/crypto/zcrypt_error.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/s390/crypto/zcrypt_error.h b/drivers/s390/crypto/zcrypt_error.h +index f34ee41cbed8..4f4dd9d727c9 100644 +--- a/drivers/s390/crypto/zcrypt_error.h ++++ b/drivers/s390/crypto/zcrypt_error.h +@@ -61,6 +61,7 @@ struct error_hdr { + #define REP82_ERROR_EVEN_MOD_IN_OPND 0x85 + #define REP82_ERROR_RESERVED_FIELD 0x88 + #define REP82_ERROR_INVALID_DOMAIN_PENDING 0x8A ++#define REP82_ERROR_FILTERED_BY_HYPERVISOR 0x8B + #define REP82_ERROR_TRANSPORT_FAIL 0x90 + #define REP82_ERROR_PACKET_TRUNCATED 0xA0 + #define REP82_ERROR_ZERO_BUFFER_LEN 0xB0 +@@ -91,6 +92,7 @@ static inline int convert_error(struct zcrypt_queue *zq, + case REP82_ERROR_INVALID_DOMAIN_PRECHECK: + case REP82_ERROR_INVALID_DOMAIN_PENDING: + case REP82_ERROR_INVALID_SPECIAL_CMD: ++ case REP82_ERROR_FILTERED_BY_HYPERVISOR: + // REP88_ERROR_INVALID_KEY // '82' CEX2A + // REP88_ERROR_OPERAND // '84' CEX2A + // REP88_ERROR_OPERAND_EVEN_MOD // '85' CEX2A +-- +2.20.1 + diff --git a/queue-5.4/scripts-kallsyms-fix-definitely-lost-memory-leak.patch b/queue-5.4/scripts-kallsyms-fix-definitely-lost-memory-leak.patch new file mode 100644 index 00000000000..e4a344ce28e --- /dev/null +++ b/queue-5.4/scripts-kallsyms-fix-definitely-lost-memory-leak.patch @@ -0,0 +1,48 @@ +From fabf718d805277f1e3cd4d5327a8949ded938ece Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 24 Nov 2019 01:04:30 +0900 +Subject: scripts/kallsyms: fix definitely-lost memory leak + +From: Masahiro Yamada + +[ Upstream commit 21915eca088dc271c970e8351290e83d938114ac ] + +build_initial_tok_table() overwrites unused sym_entry to shrink the +table size. Before the entry is overwritten, table[i].sym must be freed +since it is malloc'ed data. + +This fixes the 'definitely lost' report from valgrind. I ran valgrind +against x86_64_defconfig of v5.4-rc8 kernel, and here is the summary: + +[Before the fix] + + LEAK SUMMARY: + definitely lost: 53,184 bytes in 2,874 blocks + +[After the fix] + + LEAK SUMMARY: + definitely lost: 0 bytes in 0 blocks + +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/kallsyms.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/scripts/kallsyms.c b/scripts/kallsyms.c +index ae6504d07fd6..fb15f09e0e38 100644 +--- a/scripts/kallsyms.c ++++ b/scripts/kallsyms.c +@@ -489,6 +489,8 @@ static void build_initial_tok_table(void) + table[pos] = table[i]; + learn_symbol(table[pos].sym, table[pos].len); + pos++; ++ } else { ++ free(table[i].sym); + } + } + table_cnt = pos; +-- +2.20.1 + diff --git a/queue-5.4/scsi-atari_scsi-sun3_scsi-set-sg_tablesize-to-1-inst.patch b/queue-5.4/scsi-atari_scsi-sun3_scsi-set-sg_tablesize-to-1-inst.patch new file mode 100644 index 00000000000..33cde5b74af --- /dev/null +++ b/queue-5.4/scsi-atari_scsi-sun3_scsi-set-sg_tablesize-to-1-inst.patch @@ -0,0 +1,163 @@ +From 49b6a835708f5be3a45bc6db0d26573f1e90dbf5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 2 Nov 2019 12:06:54 +1100 +Subject: scsi: atari_scsi: sun3_scsi: Set sg_tablesize to 1 instead of SG_NONE + +From: Finn Thain + +[ Upstream commit 79172ab20bfd8437b277254028efdb68484e2c21 ] + +Since the scsi subsystem adopted the blk-mq API, a host with zero +sg_tablesize crashes with a NULL pointer dereference. + +blk_queue_max_segments: set to minimum 1 +scsi 0:0:0:0: Direct-Access QEMU QEMU HARDDISK 2.5+ PQ: 0 ANSI: 5 +scsi target0:0:0: Beginning Domain Validation +scsi target0:0:0: Domain Validation skipping write tests +scsi target0:0:0: Ending Domain Validation +blk_queue_max_segments: set to minimum 1 +scsi 0:0:1:0: Direct-Access QEMU QEMU HARDDISK 2.5+ PQ: 0 ANSI: 5 +scsi target0:0:1: Beginning Domain Validation +scsi target0:0:1: Domain Validation skipping write tests +scsi target0:0:1: Ending Domain Validation +blk_queue_max_segments: set to minimum 1 +scsi 0:0:2:0: CD-ROM QEMU QEMU CD-ROM 2.5+ PQ: 0 ANSI: 5 +scsi target0:0:2: Beginning Domain Validation +scsi target0:0:2: Domain Validation skipping write tests +scsi target0:0:2: Ending Domain Validation +blk_queue_max_segments: set to minimum 1 +blk_queue_max_segments: set to minimum 1 +blk_queue_max_segments: set to minimum 1 +blk_queue_max_segments: set to minimum 1 +sr 0:0:2:0: Power-on or device reset occurred +sd 0:0:0:0: Power-on or device reset occurred +sd 0:0:1:0: Power-on or device reset occurred +sd 0:0:0:0: [sda] 10485762 512-byte logical blocks: (5.37 GB/5.00 GiB) +sd 0:0:0:0: [sda] Write Protect is off +sd 0:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA +Unable to handle kernel NULL pointer dereference at virtual address (ptrval) +Oops: 00000000 +Modules linked in: +PC: [<001cd874>] blk_mq_free_request+0x66/0xe2 +SR: 2004 SP: (ptrval) a2: 00874520 +d0: 00000000 d1: 00000000 d2: 009ba800 d3: 00000000 +d4: 00000000 d5: 08000002 a0: 0087be68 a1: 009a81e0 +Process kworker/u2:2 (pid: 15, task=(ptrval)) +Frame format=7 eff addr=0000007a ssw=0505 faddr=0000007a +wb 1 stat/addr/data: 0000 00000000 00000000 +wb 2 stat/addr/data: 0000 00000000 00000000 +wb 3 stat/addr/data: 0000 0000007a 00000000 +push data: 00000000 00000000 00000000 00000000 +Stack from 0087bd98: + 00000002 00000000 0087be72 009a7820 0087bdb4 001c4f6c 009a7820 0087bdd4 + 0024d200 009a7820 0024d0dc 0087be72 009baa00 0087be68 009a5000 0087be7c + 00265d10 009a5000 0087be72 00000003 00000000 00000000 00000000 0087be68 + 00000bb8 00000005 00000000 00000000 00000000 00000000 00265c56 00000000 + 009ba60c 0036ddf4 00000002 ffffffff 009baa00 009ba600 009a50d6 0087be74 + 00227ba0 009baa08 00000001 009baa08 009ba60c 0036ddf4 00000000 00000000 +Call Trace: [<001c4f6c>] blk_put_request+0xe/0x14 + [<0024d200>] __scsi_execute+0x124/0x174 + [<0024d0dc>] __scsi_execute+0x0/0x174 + [<00265d10>] sd_revalidate_disk+0xba/0x1f02 + [<00265c56>] sd_revalidate_disk+0x0/0x1f02 + [<0036ddf4>] strlen+0x0/0x22 + [<00227ba0>] device_add+0x3da/0x604 + [<0036ddf4>] strlen+0x0/0x22 + [<00267e64>] sd_probe+0x30c/0x4b4 + [<0002da44>] process_one_work+0x0/0x402 + [<0022b978>] really_probe+0x226/0x354 + [<0022bc34>] driver_probe_device+0xa4/0xf0 + [<0002da44>] process_one_work+0x0/0x402 + [<0022bcd0>] __driver_attach_async_helper+0x50/0x70 + [<00035dae>] async_run_entry_fn+0x36/0x130 + [<0002db88>] process_one_work+0x144/0x402 + [<0002e1aa>] worker_thread+0x0/0x570 + [<0002e29a>] worker_thread+0xf0/0x570 + [<0002e1aa>] worker_thread+0x0/0x570 + [<003768d8>] schedule+0x0/0xb8 + [<0003f58c>] __init_waitqueue_head+0x0/0x12 + [<00033e92>] kthread+0xc2/0xf6 + [<000331e8>] kthread_parkme+0x0/0x4e + [<003768d8>] schedule+0x0/0xb8 + [<00033dd0>] kthread+0x0/0xf6 + [<00002c10>] ret_from_kernel_thread+0xc/0x14 +Code: 0280 0006 0800 56c0 4400 0280 0000 00ff <52b4> 0c3a 082b 0006 0013 6706 2042 53a8 00c4 4ab9 0047 3374 6640 202d 000c 670c +Disabling lock debugging due to kernel taint + +Avoid this by setting sg_tablesize = 1. + +Link: https://lore.kernel.org/r/4567bcae94523b47d6f3b77450ba305823bca479.1572656814.git.fthain@telegraphics.com.au +Reported-and-tested-by: Michael Schmitz +Reviewed-by: Michael Schmitz +References: commit 68ab2d76e4be ("scsi: cxlflash: Set sg_tablesize to 1 instead of SG_NONE") +Signed-off-by: Finn Thain +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/atari_scsi.c | 6 +++--- + drivers/scsi/mac_scsi.c | 2 +- + drivers/scsi/sun3_scsi.c | 4 ++-- + 3 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/scsi/atari_scsi.c b/drivers/scsi/atari_scsi.c +index e809493d0d06..a82b63a66635 100644 +--- a/drivers/scsi/atari_scsi.c ++++ b/drivers/scsi/atari_scsi.c +@@ -742,7 +742,7 @@ static int __init atari_scsi_probe(struct platform_device *pdev) + atari_scsi_template.sg_tablesize = SG_ALL; + } else { + atari_scsi_template.can_queue = 1; +- atari_scsi_template.sg_tablesize = SG_NONE; ++ atari_scsi_template.sg_tablesize = 1; + } + + if (setup_can_queue > 0) +@@ -751,8 +751,8 @@ static int __init atari_scsi_probe(struct platform_device *pdev) + if (setup_cmd_per_lun > 0) + atari_scsi_template.cmd_per_lun = setup_cmd_per_lun; + +- /* Leave sg_tablesize at 0 on a Falcon! */ +- if (ATARIHW_PRESENT(TT_SCSI) && setup_sg_tablesize >= 0) ++ /* Don't increase sg_tablesize on Falcon! */ ++ if (ATARIHW_PRESENT(TT_SCSI) && setup_sg_tablesize > 0) + atari_scsi_template.sg_tablesize = setup_sg_tablesize; + + if (setup_hostid >= 0) { +diff --git a/drivers/scsi/mac_scsi.c b/drivers/scsi/mac_scsi.c +index 9c5566217ef6..b5dde9d0d054 100644 +--- a/drivers/scsi/mac_scsi.c ++++ b/drivers/scsi/mac_scsi.c +@@ -464,7 +464,7 @@ static int __init mac_scsi_probe(struct platform_device *pdev) + mac_scsi_template.can_queue = setup_can_queue; + if (setup_cmd_per_lun > 0) + mac_scsi_template.cmd_per_lun = setup_cmd_per_lun; +- if (setup_sg_tablesize >= 0) ++ if (setup_sg_tablesize > 0) + mac_scsi_template.sg_tablesize = setup_sg_tablesize; + if (setup_hostid >= 0) + mac_scsi_template.this_id = setup_hostid & 7; +diff --git a/drivers/scsi/sun3_scsi.c b/drivers/scsi/sun3_scsi.c +index 955e4c938d49..701b842296f0 100644 +--- a/drivers/scsi/sun3_scsi.c ++++ b/drivers/scsi/sun3_scsi.c +@@ -501,7 +501,7 @@ static struct scsi_host_template sun3_scsi_template = { + .eh_host_reset_handler = sun3scsi_host_reset, + .can_queue = 16, + .this_id = 7, +- .sg_tablesize = SG_NONE, ++ .sg_tablesize = 1, + .cmd_per_lun = 2, + .dma_boundary = PAGE_SIZE - 1, + .cmd_size = NCR5380_CMD_SIZE, +@@ -523,7 +523,7 @@ static int __init sun3_scsi_probe(struct platform_device *pdev) + sun3_scsi_template.can_queue = setup_can_queue; + if (setup_cmd_per_lun > 0) + sun3_scsi_template.cmd_per_lun = setup_cmd_per_lun; +- if (setup_sg_tablesize >= 0) ++ if (setup_sg_tablesize > 0) + sun3_scsi_template.sg_tablesize = setup_sg_tablesize; + if (setup_hostid >= 0) + sun3_scsi_template.this_id = setup_hostid & 7; +-- +2.20.1 + diff --git a/queue-5.4/scsi-csiostor-don-t-enable-irqs-too-early.patch b/queue-5.4/scsi-csiostor-don-t-enable-irqs-too-early.patch new file mode 100644 index 00000000000..486a0a04d95 --- /dev/null +++ b/queue-5.4/scsi-csiostor-don-t-enable-irqs-too-early.patch @@ -0,0 +1,100 @@ +From 8d7a4ed55eea225a8af85143b7fc0fcc240fdaaf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Oct 2019 11:59:13 +0300 +Subject: scsi: csiostor: Don't enable IRQs too early + +From: Dan Carpenter + +[ Upstream commit d6c9b31ac3064fbedf8961f120a4c117daa59932 ] + +These are called with IRQs disabled from csio_mgmt_tmo_handler() so we +can't call spin_unlock_irq() or it will enable IRQs prematurely. + +Fixes: a3667aaed569 ("[SCSI] csiostor: Chelsio FCoE offload driver") +Link: https://lore.kernel.org/r/20191019085913.GA14245@mwanda +Signed-off-by: Dan Carpenter +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/csiostor/csio_lnode.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/drivers/scsi/csiostor/csio_lnode.c b/drivers/scsi/csiostor/csio_lnode.c +index 66e58f0a75dc..23cbe4cda760 100644 +--- a/drivers/scsi/csiostor/csio_lnode.c ++++ b/drivers/scsi/csiostor/csio_lnode.c +@@ -301,6 +301,7 @@ csio_ln_fdmi_rhba_cbfn(struct csio_hw *hw, struct csio_ioreq *fdmi_req) + struct fc_fdmi_port_name *port_name; + uint8_t buf[64]; + uint8_t *fc4_type; ++ unsigned long flags; + + if (fdmi_req->wr_status != FW_SUCCESS) { + csio_ln_dbg(ln, "WR error:%x in processing fdmi rhba cmd\n", +@@ -385,13 +386,13 @@ csio_ln_fdmi_rhba_cbfn(struct csio_hw *hw, struct csio_ioreq *fdmi_req) + len = (uint32_t)(pld - (uint8_t *)cmd); + + /* Submit FDMI RPA request */ +- spin_lock_irq(&hw->lock); ++ spin_lock_irqsave(&hw->lock, flags); + if (csio_ln_mgmt_submit_req(fdmi_req, csio_ln_fdmi_done, + FCOE_CT, &fdmi_req->dma_buf, len)) { + CSIO_INC_STATS(ln, n_fdmi_err); + csio_ln_dbg(ln, "Failed to issue fdmi rpa req\n"); + } +- spin_unlock_irq(&hw->lock); ++ spin_unlock_irqrestore(&hw->lock, flags); + } + + /* +@@ -412,6 +413,7 @@ csio_ln_fdmi_dprt_cbfn(struct csio_hw *hw, struct csio_ioreq *fdmi_req) + struct fc_fdmi_rpl *reg_pl; + struct fs_fdmi_attrs *attrib_blk; + uint8_t buf[64]; ++ unsigned long flags; + + if (fdmi_req->wr_status != FW_SUCCESS) { + csio_ln_dbg(ln, "WR error:%x in processing fdmi dprt cmd\n", +@@ -491,13 +493,13 @@ csio_ln_fdmi_dprt_cbfn(struct csio_hw *hw, struct csio_ioreq *fdmi_req) + attrib_blk->numattrs = htonl(numattrs); + + /* Submit FDMI RHBA request */ +- spin_lock_irq(&hw->lock); ++ spin_lock_irqsave(&hw->lock, flags); + if (csio_ln_mgmt_submit_req(fdmi_req, csio_ln_fdmi_rhba_cbfn, + FCOE_CT, &fdmi_req->dma_buf, len)) { + CSIO_INC_STATS(ln, n_fdmi_err); + csio_ln_dbg(ln, "Failed to issue fdmi rhba req\n"); + } +- spin_unlock_irq(&hw->lock); ++ spin_unlock_irqrestore(&hw->lock, flags); + } + + /* +@@ -512,6 +514,7 @@ csio_ln_fdmi_dhba_cbfn(struct csio_hw *hw, struct csio_ioreq *fdmi_req) + void *cmd; + struct fc_fdmi_port_name *port_name; + uint32_t len; ++ unsigned long flags; + + if (fdmi_req->wr_status != FW_SUCCESS) { + csio_ln_dbg(ln, "WR error:%x in processing fdmi dhba cmd\n", +@@ -542,13 +545,13 @@ csio_ln_fdmi_dhba_cbfn(struct csio_hw *hw, struct csio_ioreq *fdmi_req) + len += sizeof(*port_name); + + /* Submit FDMI request */ +- spin_lock_irq(&hw->lock); ++ spin_lock_irqsave(&hw->lock, flags); + if (csio_ln_mgmt_submit_req(fdmi_req, csio_ln_fdmi_dprt_cbfn, + FCOE_CT, &fdmi_req->dma_buf, len)) { + CSIO_INC_STATS(ln, n_fdmi_err); + csio_ln_dbg(ln, "Failed to issue fdmi dprt req\n"); + } +- spin_unlock_irq(&hw->lock); ++ spin_unlock_irqrestore(&hw->lock, flags); + } + + /** +-- +2.20.1 + diff --git a/queue-5.4/scsi-hisi_sas-delete-the-debugfs-folder-of-hisi_sas-.patch b/queue-5.4/scsi-hisi_sas-delete-the-debugfs-folder-of-hisi_sas-.patch new file mode 100644 index 00000000000..4d9b1f57412 --- /dev/null +++ b/queue-5.4/scsi-hisi_sas-delete-the-debugfs-folder-of-hisi_sas-.patch @@ -0,0 +1,54 @@ +From ecec161af14e7002fcab71cdc2928a80ccb3b97d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Oct 2019 22:08:24 +0800 +Subject: scsi: hisi_sas: Delete the debugfs folder of hisi_sas when the probe + fails + +From: Luo Jiaxing + +[ Upstream commit cabe7c10c97a0857a9fb14b6c772ab784947995d ] + +Although if the debugfs initialization fails, we will delete the debugfs +folder of hisi_sas, but we did not consider the scenario where debugfs was +successfully initialized, but the probe failed for other reasons. We found +out that hisi_sas folder is still remain after the probe failed. + +When probe fail, we should delete debugfs folder to avoid the above issue. + +Link: https://lore.kernel.org/r/1571926105-74636-18-git-send-email-john.garry@huawei.com +Signed-off-by: Luo Jiaxing +Signed-off-by: John Garry +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/hisi_sas/hisi_sas_main.c | 1 + + drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c +index 20f0cb4698b7..633effb09c9c 100644 +--- a/drivers/scsi/hisi_sas/hisi_sas_main.c ++++ b/drivers/scsi/hisi_sas/hisi_sas_main.c +@@ -2682,6 +2682,7 @@ int hisi_sas_probe(struct platform_device *pdev, + err_out_register_ha: + scsi_remove_host(shost); + err_out_ha: ++ hisi_sas_debugfs_exit(hisi_hba); + hisi_sas_free(hisi_hba); + scsi_host_put(shost); + return rc; +diff --git a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c +index cb8d087762db..ef32ee12f606 100644 +--- a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c ++++ b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c +@@ -3259,6 +3259,7 @@ hisi_sas_v3_probe(struct pci_dev *pdev, const struct pci_device_id *id) + err_out_register_ha: + scsi_remove_host(shost); + err_out_ha: ++ hisi_sas_debugfs_exit(hisi_hba); + scsi_host_put(shost); + err_out_regions: + pci_release_regions(pdev); +-- +2.20.1 + diff --git a/queue-5.4/scsi-hisi_sas-replace-in_softirq-check-in-hisi_sas_t.patch b/queue-5.4/scsi-hisi_sas-replace-in_softirq-check-in-hisi_sas_t.patch new file mode 100644 index 00000000000..ff4ad40b246 --- /dev/null +++ b/queue-5.4/scsi-hisi_sas-replace-in_softirq-check-in-hisi_sas_t.patch @@ -0,0 +1,85 @@ +From feb803cd2ea6e75b16ebdab2e523d9ce5412b15c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Oct 2019 22:08:11 +0800 +Subject: scsi: hisi_sas: Replace in_softirq() check in hisi_sas_task_exec() + +From: Xiang Chen + +[ Upstream commit 550c0d89d52d3bec5c299f69b4ed5d2ee6b8a9a6 ] + +For IOs from upper layer, preemption may be disabled as it may be called by +function __blk_mq_delay_run_hw_queue which will call get_cpu() (it disables +preemption). So if flags HISI_SAS_REJECT_CMD_BIT is set in function +hisi_sas_task_exec(), it may disable preempt twice after down() and up() +which will cause following call trace: + +BUG: scheduling while atomic: fio/60373/0x00000002 +Call trace: +dump_backtrace+0x0/0x150 +show_stack+0x24/0x30 +dump_stack+0xa0/0xc4 +__schedule_bug+0x68/0x88 +__schedule+0x4b8/0x548 +schedule+0x40/0xd0 +schedule_timeout+0x200/0x378 +__down+0x78/0xc8 +down+0x54/0x70 +hisi_sas_task_exec.isra.10+0x598/0x8d8 [hisi_sas_main] +hisi_sas_queue_command+0x28/0x38 [hisi_sas_main] +sas_queuecommand+0x168/0x1b0 [libsas] +scsi_queue_rq+0x2ac/0x980 +blk_mq_dispatch_rq_list+0xb0/0x550 +blk_mq_do_dispatch_sched+0x6c/0x110 +blk_mq_sched_dispatch_requests+0x114/0x1d8 +__blk_mq_run_hw_queue+0xb8/0x130 +__blk_mq_delay_run_hw_queue+0x1c0/0x220 +blk_mq_run_hw_queue+0xb0/0x128 +blk_mq_sched_insert_requests+0xdc/0x208 +blk_mq_flush_plug_list+0x1b4/0x3a0 +blk_flush_plug_list+0xdc/0x110 +blk_finish_plug+0x3c/0x50 +blkdev_direct_IO+0x404/0x550 +generic_file_read_iter+0x9c/0x848 +blkdev_read_iter+0x50/0x78 +aio_read+0xc8/0x170 +io_submit_one+0x1fc/0x8d8 +__arm64_sys_io_submit+0xdc/0x280 +el0_svc_common.constprop.0+0xe0/0x1e0 +el0_svc_handler+0x34/0x90 +el0_svc+0x10/0x14 +... + +To solve the issue, check preemptible() to avoid disabling preempt multiple +when flag HISI_SAS_REJECT_CMD_BIT is set. + +Link: https://lore.kernel.org/r/1571926105-74636-5-git-send-email-john.garry@huawei.com +Signed-off-by: Xiang Chen +Signed-off-by: John Garry +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/hisi_sas/hisi_sas_main.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c +index 0847e682797b..20f0cb4698b7 100644 +--- a/drivers/scsi/hisi_sas/hisi_sas_main.c ++++ b/drivers/scsi/hisi_sas/hisi_sas_main.c +@@ -587,7 +587,13 @@ static int hisi_sas_task_exec(struct sas_task *task, gfp_t gfp_flags, + dev = hisi_hba->dev; + + if (unlikely(test_bit(HISI_SAS_REJECT_CMD_BIT, &hisi_hba->flags))) { +- if (in_softirq()) ++ /* ++ * For IOs from upper layer, it may already disable preempt ++ * in the IO path, if disable preempt again in down(), ++ * function schedule() will report schedule_bug(), so check ++ * preemptible() before goto down(). ++ */ ++ if (!preemptible()) + return -EINVAL; + + down(&hisi_hba->sem); +-- +2.20.1 + diff --git a/queue-5.4/scsi-iscsi-don-t-send-data-to-unbound-connection.patch b/queue-5.4/scsi-iscsi-don-t-send-data-to-unbound-connection.patch new file mode 100644 index 00000000000..3e967fdd781 --- /dev/null +++ b/queue-5.4/scsi-iscsi-don-t-send-data-to-unbound-connection.patch @@ -0,0 +1,96 @@ +From 8370ff0f9f71aca23fecd120b14ed98e5ec83d20 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Nov 2019 19:47:35 -0500 +Subject: scsi: iscsi: Don't send data to unbound connection + +From: Anatol Pomazau + +[ Upstream commit 238191d65d7217982d69e21c1d623616da34b281 ] + +If a faulty initiator fails to bind the socket to the iSCSI connection +before emitting a command, for instance, a subsequent send_pdu, it will +crash the kernel due to a null pointer dereference in sock_sendmsg(), as +shown in the log below. This patch makes sure the bind succeeded before +trying to use the socket. + +BUG: kernel NULL pointer dereference, address: 0000000000000018 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page +PGD 0 P4D 0 +Oops: 0000 [#1] SMP PTI +CPU: 3 PID: 7 Comm: kworker/u8:0 Not tainted 5.4.0-rc2.iscsi+ #13 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 +[ 24.158246] Workqueue: iscsi_q_0 iscsi_xmitworker +[ 24.158883] RIP: 0010:apparmor_socket_sendmsg+0x5/0x20 +[...] +[ 24.161739] RSP: 0018:ffffab6440043ca0 EFLAGS: 00010282 +[ 24.162400] RAX: ffffffff891c1c00 RBX: ffffffff89d53968 RCX: 0000000000000001 +[ 24.163253] RDX: 0000000000000030 RSI: ffffab6440043d00 RDI: 0000000000000000 +[ 24.164104] RBP: 0000000000000030 R08: 0000000000000030 R09: 0000000000000030 +[ 24.165166] R10: ffffffff893e66a0 R11: 0000000000000018 R12: ffffab6440043d00 +[ 24.166038] R13: 0000000000000000 R14: 0000000000000000 R15: ffff9d5575a62e90 +[ 24.166919] FS: 0000000000000000(0000) GS:ffff9d557db80000(0000) knlGS:0000000000000000 +[ 24.167890] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 24.168587] CR2: 0000000000000018 CR3: 000000007a838000 CR4: 00000000000006e0 +[ 24.169451] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 24.170320] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 24.171214] Call Trace: +[ 24.171537] security_socket_sendmsg+0x3a/0x50 +[ 24.172079] sock_sendmsg+0x16/0x60 +[ 24.172506] iscsi_sw_tcp_xmit_segment+0x77/0x120 +[ 24.173076] iscsi_sw_tcp_pdu_xmit+0x58/0x170 +[ 24.173604] ? iscsi_dbg_trace+0x63/0x80 +[ 24.174087] iscsi_tcp_task_xmit+0x101/0x280 +[ 24.174666] iscsi_xmit_task+0x83/0x110 +[ 24.175206] iscsi_xmitworker+0x57/0x380 +[ 24.175757] ? __schedule+0x2a2/0x700 +[ 24.176273] process_one_work+0x1b5/0x360 +[ 24.176837] worker_thread+0x50/0x3c0 +[ 24.177353] kthread+0xf9/0x130 +[ 24.177799] ? process_one_work+0x360/0x360 +[ 24.178401] ? kthread_park+0x90/0x90 +[ 24.178915] ret_from_fork+0x35/0x40 +[ 24.179421] Modules linked in: +[ 24.179856] CR2: 0000000000000018 +[ 24.180327] ---[ end trace b4b7674b6df5f480 ]--- + +Signed-off-by: Anatol Pomazau +Co-developed-by: Frank Mayhar +Signed-off-by: Frank Mayhar +Co-developed-by: Bharath Ravi +Signed-off-by: Bharath Ravi +Co-developed-by: Khazhimsel Kumykov +Signed-off-by: Khazhimsel Kumykov +Co-developed-by: Gabriel Krisman Bertazi +Signed-off-by: Gabriel Krisman Bertazi +Reviewed-by: Lee Duncan +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/iscsi_tcp.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/scsi/iscsi_tcp.c b/drivers/scsi/iscsi_tcp.c +index 7bedbe877704..0bc63a7ab41c 100644 +--- a/drivers/scsi/iscsi_tcp.c ++++ b/drivers/scsi/iscsi_tcp.c +@@ -369,8 +369,16 @@ static int iscsi_sw_tcp_pdu_xmit(struct iscsi_task *task) + { + struct iscsi_conn *conn = task->conn; + unsigned int noreclaim_flag; ++ struct iscsi_tcp_conn *tcp_conn = conn->dd_data; ++ struct iscsi_sw_tcp_conn *tcp_sw_conn = tcp_conn->dd_data; + int rc = 0; + ++ if (!tcp_sw_conn->sock) { ++ iscsi_conn_printk(KERN_ERR, conn, ++ "Transport not bound to socket!\n"); ++ return -EINVAL; ++ } ++ + noreclaim_flag = memalloc_noreclaim_save(); + + while (iscsi_sw_tcp_xmit_qlen(conn)) { +-- +2.20.1 + diff --git a/queue-5.4/scsi-lpfc-fix-coverity-lpfc_cmpl_els_rsp-null-pointe.patch b/queue-5.4/scsi-lpfc-fix-coverity-lpfc_cmpl_els_rsp-null-pointe.patch new file mode 100644 index 00000000000..e8c499478bd --- /dev/null +++ b/queue-5.4/scsi-lpfc-fix-coverity-lpfc_cmpl_els_rsp-null-pointe.patch @@ -0,0 +1,67 @@ +From e98400d7e4799f1ee040a81e7ab1dea5c693a8c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Nov 2019 15:03:57 -0800 +Subject: scsi: lpfc: fix: Coverity: lpfc_cmpl_els_rsp(): Null pointer + dereferences + +From: James Smart + +[ Upstream commit 6c6d59e0fe5b86cf273d6d744a6a9768c4ecc756 ] + +Coverity reported the following: + +*** CID 101747: Null pointer dereferences (FORWARD_NULL) +/drivers/scsi/lpfc/lpfc_els.c: 4439 in lpfc_cmpl_els_rsp() +4433 kfree(mp); +4434 } +4435 mempool_free(mbox, phba->mbox_mem_pool); +4436 } +4437 out: +4438 if (ndlp && NLP_CHK_NODE_ACT(ndlp)) { +vvv CID 101747: Null pointer dereferences (FORWARD_NULL) +vvv Dereferencing null pointer "shost". +4439 spin_lock_irq(shost->host_lock); +4440 ndlp->nlp_flag &= ~(NLP_ACC_REGLOGIN | NLP_RM_DFLT_RPI); +4441 spin_unlock_irq(shost->host_lock); +4442 +4443 /* If the node is not being used by another discovery thread, +4444 * and we are sending a reject, we are done with it. + +Fix by adding a check for non-null shost in line 4438. +The scenario when shost is set to null is when ndlp is null. +As such, the ndlp check present was sufficient. But better safe +than sorry so add the shost check. + +Reported-by: coverity-bot +Addresses-Coverity-ID: 101747 ("Null pointer dereferences") +Fixes: 2e0fef85e098 ("[SCSI] lpfc: NPIV: split ports") + +CC: James Bottomley +CC: "Gustavo A. R. Silva" +CC: linux-next@vger.kernel.org +Link: https://lore.kernel.org/r/20191111230401.12958-3-jsmart2021@gmail.com +Reviewed-by: Ewan D. Milne +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_els.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c +index 4794a58deaf3..66f8867dd837 100644 +--- a/drivers/scsi/lpfc/lpfc_els.c ++++ b/drivers/scsi/lpfc/lpfc_els.c +@@ -4440,7 +4440,7 @@ lpfc_cmpl_els_rsp(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb, + mempool_free(mbox, phba->mbox_mem_pool); + } + out: +- if (ndlp && NLP_CHK_NODE_ACT(ndlp)) { ++ if (ndlp && NLP_CHK_NODE_ACT(ndlp) && shost) { + spin_lock_irq(shost->host_lock); + ndlp->nlp_flag &= ~(NLP_ACC_REGLOGIN | NLP_RM_DFLT_RPI); + spin_unlock_irq(shost->host_lock); +-- +2.20.1 + diff --git a/queue-5.4/scsi-lpfc-fix-discovery-failures-when-target-device-.patch b/queue-5.4/scsi-lpfc-fix-discovery-failures-when-target-device-.patch new file mode 100644 index 00000000000..0197ef6ff61 --- /dev/null +++ b/queue-5.4/scsi-lpfc-fix-discovery-failures-when-target-device-.patch @@ -0,0 +1,60 @@ +From b1d2438f88d9a41610ec024ddb02a8c84446e41e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 Sep 2019 20:58:55 -0700 +Subject: scsi: lpfc: Fix discovery failures when target device connectivity + bounces + +From: James Smart + +[ Upstream commit 3f97aed6117c7677eb16756c4ec8b86000fd5822 ] + +An issue was seen discovering all SCSI Luns when a target device undergoes +link bounce. + +The driver currently does not qualify the FC4 support on the target. +Therefore it will send a SCSI PRLI and an NVMe PRLI. The expectation is +that the target will reject the PRLI if it is not supported. If a PRLI +times out, the driver will retry. The driver will not proceed with the +device until both SCSI and NVMe PRLIs are resolved. In the failure case, +the device is FCP only and does not respond to the NVMe PRLI, thus +initiating the wait/retry loop in the driver. During that time, a RSCN is +received (device bounced) causing the driver to issue a GID_FT. The GID_FT +response comes back before the PRLI mess is resolved and it prematurely +cancels the PRLI retry logic and leaves the device in a STE_PRLI_ISSUE +state. Discovery with the target never completes or resets. + +Fix by resetting the node state back to STE_NPR_NODE when GID_FT completes, +thereby restarting the discovery process for the node. + +Link: https://lore.kernel.org/r/20190922035906.10977-10-jsmart2021@gmail.com +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_hbadisc.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/lpfc/lpfc_hbadisc.c b/drivers/scsi/lpfc/lpfc_hbadisc.c +index 749286acdc17..f7c205e1da48 100644 +--- a/drivers/scsi/lpfc/lpfc_hbadisc.c ++++ b/drivers/scsi/lpfc/lpfc_hbadisc.c +@@ -5405,9 +5405,14 @@ lpfc_setup_disc_node(struct lpfc_vport *vport, uint32_t did) + /* If we've already received a PLOGI from this NPort + * we don't need to try to discover it again. + */ +- if (ndlp->nlp_flag & NLP_RCV_PLOGI) ++ if (ndlp->nlp_flag & NLP_RCV_PLOGI && ++ !(ndlp->nlp_type & ++ (NLP_FCP_TARGET | NLP_NVME_TARGET))) + return NULL; + ++ ndlp->nlp_prev_state = ndlp->nlp_state; ++ lpfc_nlp_set_state(vport, ndlp, NLP_STE_NPR_NODE); ++ + spin_lock_irq(shost->host_lock); + ndlp->nlp_flag |= NLP_NPR_2B_DISC; + spin_unlock_irq(shost->host_lock); +-- +2.20.1 + diff --git a/queue-5.4/scsi-lpfc-fix-duplicate-unreg_rpi-error-in-port-offl.patch b/queue-5.4/scsi-lpfc-fix-duplicate-unreg_rpi-error-in-port-offl.patch new file mode 100644 index 00000000000..dcd06cc9b0f --- /dev/null +++ b/queue-5.4/scsi-lpfc-fix-duplicate-unreg_rpi-error-in-port-offl.patch @@ -0,0 +1,54 @@ +From 6b3ec58ccc80642d7b843311cde1f92d00b5fe2b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Nov 2019 16:56:58 -0800 +Subject: scsi: lpfc: Fix duplicate unreg_rpi error in port offline flow + +From: James Smart + +[ Upstream commit 7cfd5639d99bec0d27af089d0c8c114330e43a72 ] + +If the driver receives a login that is later then LOGO'd by the remote port +(aka ndlp), the driver, upon the completion of the LOGO ACC transmission, +will logout the node and unregister the rpi that is being used for the +node. As part of the unreg, the node's rpi value is replaced by the +LPFC_RPI_ALLOC_ERROR value. If the port is subsequently offlined, the +offline walks the nodes and ensures they are logged out, which possibly +entails unreg'ing their rpi values. This path does not validate the node's +rpi value, thus doesn't detect that it has been unreg'd already. The +replaced rpi value is then used when accessing the rpi bitmask array which +tracks active rpi values. As the LPFC_RPI_ALLOC_ERROR value is not a valid +index for the bitmask, it may fault the system. + +Revise the rpi release code to detect when the rpi value is the replaced +RPI_ALLOC_ERROR value and ignore further release steps. + +Link: https://lore.kernel.org/r/20191105005708.7399-2-jsmart2021@gmail.com +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_sli.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c +index 9c5b1d138eb1..2b0e7b32c2df 100644 +--- a/drivers/scsi/lpfc/lpfc_sli.c ++++ b/drivers/scsi/lpfc/lpfc_sli.c +@@ -18187,6 +18187,13 @@ lpfc_sli4_alloc_rpi(struct lpfc_hba *phba) + static void + __lpfc_sli4_free_rpi(struct lpfc_hba *phba, int rpi) + { ++ /* ++ * if the rpi value indicates a prior unreg has already ++ * been done, skip the unreg. ++ */ ++ if (rpi == LPFC_RPI_ALLOC_ERROR) ++ return; ++ + if (test_and_clear_bit(rpi, phba->sli4_hba.rpi_bmask)) { + phba->sli4_hba.rpi_count--; + phba->sli4_hba.max_cfg_param.rpi_used--; +-- +2.20.1 + diff --git a/queue-5.4/scsi-lpfc-fix-hardlockup-in-lpfc_abort_handler.patch b/queue-5.4/scsi-lpfc-fix-hardlockup-in-lpfc_abort_handler.patch new file mode 100644 index 00000000000..e03bca23b15 --- /dev/null +++ b/queue-5.4/scsi-lpfc-fix-hardlockup-in-lpfc_abort_handler.patch @@ -0,0 +1,58 @@ +From 67c7d91a4a5da38091614d6086bd38344853400d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Oct 2019 14:18:22 -0700 +Subject: scsi: lpfc: Fix hardlockup in lpfc_abort_handler + +From: James Smart + +[ Upstream commit 91a52b617cdb8bf6d298892101c061d438b84a19 ] + +In lpfc_abort_handler, the lock acquire order is hbalock (irqsave), +buf_lock (irq) and ring_lock (irq). The issue is that in two places the +locks are released out of order - the buf_lock and the hbalock - resulting +in the cpu preemption/lock flags getting restored out of order and +deadlocking the cpu. + +Fix the unlock order by fully releasing the hbalocks as well. + +CC: Zhangguanghui +Link: https://lore.kernel.org/r/20191018211832.7917-7-jsmart2021@gmail.com +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_scsi.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/lpfc/lpfc_scsi.c b/drivers/scsi/lpfc/lpfc_scsi.c +index ad8ef67a1db3..aa82d538a18a 100644 +--- a/drivers/scsi/lpfc/lpfc_scsi.c ++++ b/drivers/scsi/lpfc/lpfc_scsi.c +@@ -4846,20 +4846,21 @@ lpfc_abort_handler(struct scsi_cmnd *cmnd) + ret_val = __lpfc_sli_issue_iocb(phba, LPFC_FCP_RING, + abtsiocb, 0); + } +- /* no longer need the lock after this point */ +- spin_unlock_irqrestore(&phba->hbalock, flags); + + if (ret_val == IOCB_ERROR) { + /* Indicate the IO is not being aborted by the driver. */ + iocb->iocb_flag &= ~LPFC_DRIVER_ABORTED; + lpfc_cmd->waitq = NULL; + spin_unlock(&lpfc_cmd->buf_lock); ++ spin_unlock_irqrestore(&phba->hbalock, flags); + lpfc_sli_release_iocbq(phba, abtsiocb); + ret = FAILED; + goto out; + } + ++ /* no longer need the lock after this point */ + spin_unlock(&lpfc_cmd->buf_lock); ++ spin_unlock_irqrestore(&phba->hbalock, flags); + + if (phba->cfg_poll & DISABLE_FCP_RING_INT) + lpfc_sli_handle_fast_ring_event(phba, +-- +2.20.1 + diff --git a/queue-5.4/scsi-lpfc-fix-list-corruption-in-lpfc_sli_get_iocbq.patch b/queue-5.4/scsi-lpfc-fix-list-corruption-in-lpfc_sli_get_iocbq.patch new file mode 100644 index 00000000000..45fbcd7ff5c --- /dev/null +++ b/queue-5.4/scsi-lpfc-fix-list-corruption-in-lpfc_sli_get_iocbq.patch @@ -0,0 +1,117 @@ +From fb57bc191019e1b3f7379f568227841f41ff2614 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 Sep 2019 20:58:59 -0700 +Subject: scsi: lpfc: Fix list corruption in lpfc_sli_get_iocbq + +From: James Smart + +[ Upstream commit 15498dc1a55b7aaea4b51ff03e3ff0f662e73f44 ] + +After study, it was determined there was a double free of a CT iocb during +execution of lpfc_offline_prep and lpfc_offline. The prep routine issued +an abort for some CT iocbs, but the aborts did not complete fast enough for +a subsequent routine that waits for completion. Thus the driver proceeded +to lpfc_offline, which releases any pending iocbs. Unfortunately, the +completions for the aborts were then received which re-released the ct +iocbs. + +Turns out the issue for why the aborts didn't complete fast enough was not +their time on the wire/in the adapter. It was the lpfc_work_done routine, +which requires the adapter state to be UP before it calls +lpfc_sli_handle_slow_ring_event() to process the completions. The issue is +the prep routine takes the link down as part of it's processing. + +To fix, the following was performed: + + - Prevent the offline routine from releasing iocbs that have had aborts + issued on them. Defer to the abort completions. Also means the driver + fully waits for the completions. Given this change, the recognition of + "driver-generated" status which then releases the iocb is no longer + valid. As such, the change made in the commit 296012285c90 is reverted. + As recognition of "driver-generated" status is no longer valid, this + patch reverts the changes made in + commit 296012285c90 ("scsi: lpfc: Fix leak of ELS completions on adapter reset") + + - Modify lpfc_work_done to allow slow path completions so that the abort + completions aren't ignored. + + - Updated the fdmi path to recognize a CT request that fails due to the + port being unusable. This stops FDMI retries. FDMI will be restarted on + next link up. + +Link: https://lore.kernel.org/r/20190922035906.10977-14-jsmart2021@gmail.com +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_ct.c | 6 ++++++ + drivers/scsi/lpfc/lpfc_els.c | 3 +++ + drivers/scsi/lpfc/lpfc_hbadisc.c | 5 ++++- + drivers/scsi/lpfc/lpfc_sli.c | 3 --- + 4 files changed, 13 insertions(+), 4 deletions(-) + +diff --git a/drivers/scsi/lpfc/lpfc_ct.c b/drivers/scsi/lpfc/lpfc_ct.c +index 25e86706e207..f883fac2d2b1 100644 +--- a/drivers/scsi/lpfc/lpfc_ct.c ++++ b/drivers/scsi/lpfc/lpfc_ct.c +@@ -1868,6 +1868,12 @@ lpfc_cmpl_ct_disc_fdmi(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb, + if (irsp->ulpStatus == IOSTAT_LOCAL_REJECT) { + switch ((irsp->un.ulpWord[4] & IOERR_PARAM_MASK)) { + case IOERR_SLI_ABORTED: ++ case IOERR_SLI_DOWN: ++ /* Driver aborted this IO. No retry as error ++ * is likely Offline->Online or some adapter ++ * error. Recovery will try again. ++ */ ++ break; + case IOERR_ABORT_IN_PROGRESS: + case IOERR_SEQUENCE_TIMEOUT: + case IOERR_ILLEGAL_FRAME: +diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c +index 0052b341587d..f293b48616ae 100644 +--- a/drivers/scsi/lpfc/lpfc_els.c ++++ b/drivers/scsi/lpfc/lpfc_els.c +@@ -8016,6 +8016,9 @@ lpfc_els_flush_cmd(struct lpfc_vport *vport) + if (piocb->vport != vport) + continue; + ++ if (piocb->iocb_flag & LPFC_DRIVER_ABORTED) ++ continue; ++ + /* On the ELS ring we can have ELS_REQUESTs or + * GEN_REQUESTs waiting for a response. + */ +diff --git a/drivers/scsi/lpfc/lpfc_hbadisc.c b/drivers/scsi/lpfc/lpfc_hbadisc.c +index f7c205e1da48..1286c658ba34 100644 +--- a/drivers/scsi/lpfc/lpfc_hbadisc.c ++++ b/drivers/scsi/lpfc/lpfc_hbadisc.c +@@ -700,7 +700,10 @@ lpfc_work_done(struct lpfc_hba *phba) + if (!(phba->hba_flag & HBA_SP_QUEUE_EVT)) + set_bit(LPFC_DATA_READY, &phba->data_flags); + } else { +- if (phba->link_state >= LPFC_LINK_UP || ++ /* Driver could have abort request completed in queue ++ * when link goes down. Allow for this transition. ++ */ ++ if (phba->link_state >= LPFC_LINK_DOWN || + phba->link_flag & LS_MDS_LOOPBACK) { + pring->flag &= ~LPFC_DEFERRED_RING_EVENT; + lpfc_sli_handle_slow_ring_event(phba, pring, +diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c +index e847244dfde3..9c5b1d138eb1 100644 +--- a/drivers/scsi/lpfc/lpfc_sli.c ++++ b/drivers/scsi/lpfc/lpfc_sli.c +@@ -11050,9 +11050,6 @@ lpfc_sli_abort_els_cmpl(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb, + irsp->ulpStatus, irsp->un.ulpWord[4]); + + spin_unlock_irq(&phba->hbalock); +- if (irsp->ulpStatus == IOSTAT_LOCAL_REJECT && +- irsp->un.ulpWord[4] == IOERR_SLI_ABORTED) +- lpfc_sli_release_iocbq(phba, abort_iocb); + } + release_iocb: + lpfc_sli_release_iocbq(phba, cmdiocb); +-- +2.20.1 + diff --git a/queue-5.4/scsi-lpfc-fix-locking-on-mailbox-command-completion.patch b/queue-5.4/scsi-lpfc-fix-locking-on-mailbox-command-completion.patch new file mode 100644 index 00000000000..c4af0bea5b0 --- /dev/null +++ b/queue-5.4/scsi-lpfc-fix-locking-on-mailbox-command-completion.patch @@ -0,0 +1,68 @@ +From fb5c8b73b379be6bf99e23d4ca8cee8a08a37a70 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 Sep 2019 20:58:53 -0700 +Subject: scsi: lpfc: Fix locking on mailbox command completion + +From: James Smart + +[ Upstream commit 07b8582430370097238b589f4e24da7613ca6dd3 ] + +Symptoms were seen of the driver not having valid data for mailbox +commands. After debugging, the following sequence was found: + +The driver maintains a port-wide pointer of the mailbox command that is +currently in execution. Once finished, the port-wide pointer is cleared +(done in lpfc_sli4_mq_release()). The next mailbox command issued will set +the next pointer and so on. + +The mailbox response data is only copied if there is a valid port-wide +pointer. + +In the failing case, it was seen that a new mailbox command was being +attempted in parallel with the completion. The parallel path was seeing +the mailbox no long in use (flag check under lock) and thus set the port +pointer. The completion path had cleared the active flag under lock, but +had not touched the port pointer. The port pointer is cleared after the +lock is released. In this case, the completion path cleared the just-set +value by the parallel path. + +Fix by making the calls that clear mbox state/port pointer while under +lock. Also slightly cleaned up the error path. + +Link: https://lore.kernel.org/r/20190922035906.10977-8-jsmart2021@gmail.com +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_sli.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c +index 5ed4219675eb..e847244dfde3 100644 +--- a/drivers/scsi/lpfc/lpfc_sli.c ++++ b/drivers/scsi/lpfc/lpfc_sli.c +@@ -13161,13 +13161,19 @@ send_current_mbox: + phba->sli.sli_flag &= ~LPFC_SLI_MBOX_ACTIVE; + /* Setting active mailbox pointer need to be in sync to flag clear */ + phba->sli.mbox_active = NULL; ++ if (bf_get(lpfc_trailer_consumed, mcqe)) ++ lpfc_sli4_mq_release(phba->sli4_hba.mbx_wq); + spin_unlock_irqrestore(&phba->hbalock, iflags); + /* Wake up worker thread to post the next pending mailbox command */ + lpfc_worker_wake_up(phba); ++ return workposted; ++ + out_no_mqe_complete: ++ spin_lock_irqsave(&phba->hbalock, iflags); + if (bf_get(lpfc_trailer_consumed, mcqe)) + lpfc_sli4_mq_release(phba->sli4_hba.mbx_wq); +- return workposted; ++ spin_unlock_irqrestore(&phba->hbalock, iflags); ++ return false; + } + + /** +-- +2.20.1 + diff --git a/queue-5.4/scsi-lpfc-fix-sli3-hba-in-loop-mode-not-discovering-.patch b/queue-5.4/scsi-lpfc-fix-sli3-hba-in-loop-mode-not-discovering-.patch new file mode 100644 index 00000000000..d19f8a80fc4 --- /dev/null +++ b/queue-5.4/scsi-lpfc-fix-sli3-hba-in-loop-mode-not-discovering-.patch @@ -0,0 +1,45 @@ +From 682856c87655c20f743604ca4fd12276d5779973 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Oct 2019 14:18:20 -0700 +Subject: scsi: lpfc: Fix SLI3 hba in loop mode not discovering devices + +From: James Smart + +[ Upstream commit feff8b3d84d3d9570f893b4d83e5eab6693d6a52 ] + +When operating in private loop mode, PLOGI exchanges are racing and the +driver tries to abort it's PLOGI. But the PLOGI abort ends up terminating +the login with the other end causing the other end to abort its PLOGI as +well. Discovery never fully completes. + +Fix by disabling the PLOGI abort when private loop and letting the state +machine play out. + +Link: https://lore.kernel.org/r/20191018211832.7917-5-jsmart2021@gmail.com +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_nportdisc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/lpfc/lpfc_nportdisc.c b/drivers/scsi/lpfc/lpfc_nportdisc.c +index fc6e4546d738..696171382558 100644 +--- a/drivers/scsi/lpfc/lpfc_nportdisc.c ++++ b/drivers/scsi/lpfc/lpfc_nportdisc.c +@@ -484,8 +484,10 @@ lpfc_rcv_plogi(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp, + * single discovery thread, this will cause a huge delay in + * discovery. Also this will cause multiple state machines + * running in parallel for this node. ++ * This only applies to a fabric environment. + */ +- if (ndlp->nlp_state == NLP_STE_PLOGI_ISSUE) { ++ if ((ndlp->nlp_state == NLP_STE_PLOGI_ISSUE) && ++ (vport->fc_flag & FC_FABRIC)) { + /* software abort outstanding PLOGI */ + lpfc_els_abort(phba, ndlp); + } +-- +2.20.1 + diff --git a/queue-5.4/scsi-lpfc-fix-spinlock_irq-issues-in-lpfc_els_flush_.patch b/queue-5.4/scsi-lpfc-fix-spinlock_irq-issues-in-lpfc_els_flush_.patch new file mode 100644 index 00000000000..23d88b1031a --- /dev/null +++ b/queue-5.4/scsi-lpfc-fix-spinlock_irq-issues-in-lpfc_els_flush_.patch @@ -0,0 +1,91 @@ +From e77b797ac9c51278bb46023a72cc5236d7987ed5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 Sep 2019 20:59:00 -0700 +Subject: scsi: lpfc: Fix spinlock_irq issues in lpfc_els_flush_cmd() + +From: James Smart + +[ Upstream commit d38b4a527fe898f859f74a3a43d4308f48ac7855 ] + +While reviewing the CT behavior, issues with spinlock_irq were seen. The +driver should be using spinlock_irqsave/irqrestore in the els flush +routine. + +Changed to spinlock_irqsave/irqrestore. + +Link: https://lore.kernel.org/r/20190922035906.10977-15-jsmart2021@gmail.com +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_els.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c +index d5303994bfd6..0052b341587d 100644 +--- a/drivers/scsi/lpfc/lpfc_els.c ++++ b/drivers/scsi/lpfc/lpfc_els.c +@@ -7986,20 +7986,22 @@ lpfc_els_flush_cmd(struct lpfc_vport *vport) + struct lpfc_sli_ring *pring; + struct lpfc_iocbq *tmp_iocb, *piocb; + IOCB_t *cmd = NULL; ++ unsigned long iflags = 0; + + lpfc_fabric_abort_vport(vport); ++ + /* + * For SLI3, only the hbalock is required. But SLI4 needs to coordinate + * with the ring insert operation. Because lpfc_sli_issue_abort_iotag + * ultimately grabs the ring_lock, the driver must splice the list into + * a working list and release the locks before calling the abort. + */ +- spin_lock_irq(&phba->hbalock); ++ spin_lock_irqsave(&phba->hbalock, iflags); + pring = lpfc_phba_elsring(phba); + + /* Bail out if we've no ELS wq, like in PCI error recovery case. */ + if (unlikely(!pring)) { +- spin_unlock_irq(&phba->hbalock); ++ spin_unlock_irqrestore(&phba->hbalock, iflags); + return; + } + +@@ -8037,21 +8039,21 @@ lpfc_els_flush_cmd(struct lpfc_vport *vport) + + if (phba->sli_rev == LPFC_SLI_REV4) + spin_unlock(&pring->ring_lock); +- spin_unlock_irq(&phba->hbalock); ++ spin_unlock_irqrestore(&phba->hbalock, iflags); + + /* Abort each txcmpl iocb on aborted list and remove the dlist links. */ + list_for_each_entry_safe(piocb, tmp_iocb, &abort_list, dlist) { +- spin_lock_irq(&phba->hbalock); ++ spin_lock_irqsave(&phba->hbalock, iflags); + list_del_init(&piocb->dlist); + lpfc_sli_issue_abort_iotag(phba, pring, piocb); +- spin_unlock_irq(&phba->hbalock); ++ spin_unlock_irqrestore(&phba->hbalock, iflags); + } + if (!list_empty(&abort_list)) + lpfc_printf_vlog(vport, KERN_ERR, LOG_ELS, + "3387 abort list for txq not empty\n"); + INIT_LIST_HEAD(&abort_list); + +- spin_lock_irq(&phba->hbalock); ++ spin_lock_irqsave(&phba->hbalock, iflags); + if (phba->sli_rev == LPFC_SLI_REV4) + spin_lock(&pring->ring_lock); + +@@ -8091,7 +8093,7 @@ lpfc_els_flush_cmd(struct lpfc_vport *vport) + + if (phba->sli_rev == LPFC_SLI_REV4) + spin_unlock(&pring->ring_lock); +- spin_unlock_irq(&phba->hbalock); ++ spin_unlock_irqrestore(&phba->hbalock, iflags); + + /* Cancel all the IOCBs from the completions list */ + lpfc_sli_cancel_iocbs(phba, &abort_list, +-- +2.20.1 + diff --git a/queue-5.4/scsi-lpfc-fix-unexpected-error-messages-during-rscn-.patch b/queue-5.4/scsi-lpfc-fix-unexpected-error-messages-during-rscn-.patch new file mode 100644 index 00000000000..f90f5f51390 --- /dev/null +++ b/queue-5.4/scsi-lpfc-fix-unexpected-error-messages-during-rscn-.patch @@ -0,0 +1,91 @@ +From 1e95752483904719af1f1b0224d11172255c07f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Nov 2019 16:57:01 -0800 +Subject: scsi: lpfc: Fix unexpected error messages during RSCN handling + +From: James Smart + +[ Upstream commit 2332e6e475b016e2026763f51333f84e2e6c57a3 ] + +During heavy RCN activity and log_verbose = 0 we see these messages: + + 2754 PRLI failure DID:521245 Status:x9/xb2c00, data: x0 + 0231 RSCN timeout Data: x0 x3 + 0230 Unexpected timeout, hba link state x5 + +This is due to delayed RSCN activity. + +Correct by avoiding the timeout thus the messages by restarting the +discovery timeout whenever an rscn is received. + +Filter PRLI responses such that severity depends on whether expected for +the configuration or not. For example, PRLI errors on a fabric will be +informational (they are expected), but Point-to-Point errors are not +necessarily expected so they are raised to an error level. + +Link: https://lore.kernel.org/r/20191105005708.7399-5-jsmart2021@gmail.com +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_els.c | 21 +++++++++++++++++++-- + 1 file changed, 19 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c +index f293b48616ae..4794a58deaf3 100644 +--- a/drivers/scsi/lpfc/lpfc_els.c ++++ b/drivers/scsi/lpfc/lpfc_els.c +@@ -2236,6 +2236,7 @@ lpfc_cmpl_els_prli(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb, + struct Scsi_Host *shost = lpfc_shost_from_vport(vport); + IOCB_t *irsp; + struct lpfc_nodelist *ndlp; ++ char *mode; + + /* we pass cmdiocb to state machine which needs rspiocb as well */ + cmdiocb->context_un.rsp_iocb = rspiocb; +@@ -2273,8 +2274,17 @@ lpfc_cmpl_els_prli(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb, + goto out; + } + ++ /* If we don't send GFT_ID to Fabric, a PRLI error ++ * could be expected. ++ */ ++ if ((vport->fc_flag & FC_FABRIC) || ++ (vport->cfg_enable_fc4_type != LPFC_ENABLE_BOTH)) ++ mode = KERN_ERR; ++ else ++ mode = KERN_INFO; ++ + /* PRLI failed */ +- lpfc_printf_vlog(vport, KERN_ERR, LOG_ELS, ++ lpfc_printf_vlog(vport, mode, LOG_ELS, + "2754 PRLI failure DID:%06X Status:x%x/x%x, " + "data: x%x\n", + ndlp->nlp_DID, irsp->ulpStatus, +@@ -6455,7 +6465,7 @@ lpfc_els_rcv_rscn(struct lpfc_vport *vport, struct lpfc_iocbq *cmdiocb, + uint32_t payload_len, length, nportid, *cmd; + int rscn_cnt; + int rscn_id = 0, hba_id = 0; +- int i; ++ int i, tmo; + + pcmd = (struct lpfc_dmabuf *) cmdiocb->context2; + lp = (uint32_t *) pcmd->virt; +@@ -6561,6 +6571,13 @@ lpfc_els_rcv_rscn(struct lpfc_vport *vport, struct lpfc_iocbq *cmdiocb, + + spin_lock_irq(shost->host_lock); + vport->fc_flag |= FC_RSCN_DEFERRED; ++ ++ /* Restart disctmo if its already running */ ++ if (vport->fc_flag & FC_DISC_TMO) { ++ tmo = ((phba->fc_ratov * 3) + 3); ++ mod_timer(&vport->fc_disctmo, ++ jiffies + msecs_to_jiffies(1000 * tmo)); ++ } + if ((rscn_cnt < FC_MAX_HOLD_RSCN) && + !(vport->fc_flag & FC_RSCN_DISCOVERY)) { + vport->fc_flag |= FC_RSCN_MODE; +-- +2.20.1 + diff --git a/queue-5.4/scsi-mpt3sas-fix-clear-pending-bit-in-ioctl-status.patch b/queue-5.4/scsi-mpt3sas-fix-clear-pending-bit-in-ioctl-status.patch new file mode 100644 index 00000000000..b3cb3bb3d32 --- /dev/null +++ b/queue-5.4/scsi-mpt3sas-fix-clear-pending-bit-in-ioctl-status.patch @@ -0,0 +1,45 @@ +From daad0bad5d6cec153e2242b49867fc39ec870547 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Sep 2019 09:04:40 -0400 +Subject: scsi: mpt3sas: Fix clear pending bit in ioctl status + +From: Sreekanth Reddy + +[ Upstream commit 782b281883caf70289ba6a186af29441a117d23e ] + +When user issues diag register command from application with required size, +and if driver unable to allocate the memory, then it will fail the register +command. While failing the register command, driver is not currently +clearing MPT3_CMD_PENDING bit in ctl_cmds.status variable which was set +before trying to allocate the memory. As this bit is set, subsequent +register command will be failed with BUSY status even when user wants to +register the trace buffer will less memory. + +Clear MPT3_CMD_PENDING bit in ctl_cmds.status before returning the diag +register command with no memory status. + +Link: https://lore.kernel.org/r/1568379890-18347-4-git-send-email-sreekanth.reddy@broadcom.com +Signed-off-by: Sreekanth Reddy +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/mpt3sas/mpt3sas_ctl.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/mpt3sas/mpt3sas_ctl.c b/drivers/scsi/mpt3sas/mpt3sas_ctl.c +index 7d696952b376..3c463e8f6074 100644 +--- a/drivers/scsi/mpt3sas/mpt3sas_ctl.c ++++ b/drivers/scsi/mpt3sas/mpt3sas_ctl.c +@@ -1584,7 +1584,8 @@ _ctl_diag_register_2(struct MPT3SAS_ADAPTER *ioc, + ioc_err(ioc, "%s: failed allocating memory for diag buffers, requested size(%d)\n", + __func__, request_data_sz); + mpt3sas_base_free_smid(ioc, smid); +- return -ENOMEM; ++ rc = -ENOMEM; ++ goto out; + } + ioc->diag_buffer[buffer_type] = request_data; + ioc->diag_buffer_sz[buffer_type] = request_data_sz; +-- +2.20.1 + diff --git a/queue-5.4/scsi-mpt3sas-reject-nvme-encap-cmnds-to-unsupported-.patch b/queue-5.4/scsi-mpt3sas-reject-nvme-encap-cmnds-to-unsupported-.patch new file mode 100644 index 00000000000..07aaa035663 --- /dev/null +++ b/queue-5.4/scsi-mpt3sas-reject-nvme-encap-cmnds-to-unsupported-.patch @@ -0,0 +1,69 @@ +From 09d7e9e7ab1460b19fa119a742b4ea52c48d9396 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Sep 2019 09:04:48 -0400 +Subject: scsi: mpt3sas: Reject NVMe Encap cmnds to unsupported HBA + +From: Sreekanth Reddy + +[ Upstream commit 77fd4f2c88bf83205a21f9ca49fdcc0c7868dba9 ] + +If any faulty application issues an NVMe Encapsulated commands to HBA which +doesn't support NVMe protocol then driver should return the command as +invalid with the following message. + +"HBA doesn't support NVMe. Rejecting NVMe Encapsulated request." + +Otherwise below page fault kernel panic will be observed while building the +PRPs as there is no PRP pools allocated for the HBA which doesn't support +NVMe drives. + +RIP: 0010:_base_build_nvme_prp+0x3b/0xf0 [mpt3sas] +Call Trace: + _ctl_do_mpt_command+0x931/0x1120 [mpt3sas] + _ctl_ioctl_main.isra.11+0xa28/0x11e0 [mpt3sas] + ? prepare_to_wait+0xb0/0xb0 + ? tty_ldisc_deref+0x16/0x20 + _ctl_ioctl+0x1a/0x20 [mpt3sas] + do_vfs_ioctl+0xaa/0x620 + ? vfs_read+0x117/0x140 + ksys_ioctl+0x67/0x90 + __x64_sys_ioctl+0x1a/0x20 + do_syscall_64+0x60/0x190 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +[mkp: tweaked error string] + +Link: https://lore.kernel.org/r/1568379890-18347-12-git-send-email-sreekanth.reddy@broadcom.com +Signed-off-by: Sreekanth Reddy +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/mpt3sas/mpt3sas_ctl.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/scsi/mpt3sas/mpt3sas_ctl.c b/drivers/scsi/mpt3sas/mpt3sas_ctl.c +index 3c463e8f6074..b95f7d062ea4 100644 +--- a/drivers/scsi/mpt3sas/mpt3sas_ctl.c ++++ b/drivers/scsi/mpt3sas/mpt3sas_ctl.c +@@ -778,6 +778,18 @@ _ctl_do_mpt_command(struct MPT3SAS_ADAPTER *ioc, struct mpt3_ioctl_command karg, + case MPI2_FUNCTION_NVME_ENCAPSULATED: + { + nvme_encap_request = (Mpi26NVMeEncapsulatedRequest_t *)request; ++ if (!ioc->pcie_sg_lookup) { ++ dtmprintk(ioc, ioc_info(ioc, ++ "HBA doesn't support NVMe. Rejecting NVMe Encapsulated request.\n" ++ )); ++ ++ if (ioc->logging_level & MPT_DEBUG_TM) ++ _debug_dump_mf(nvme_encap_request, ++ ioc->request_sz/4); ++ mpt3sas_base_free_smid(ioc, smid); ++ ret = -EINVAL; ++ goto out; ++ } + /* + * Get the Physical Address of the sense buffer. + * Use Error Response buffer address field to hold the sense +-- +2.20.1 + diff --git a/queue-5.4/scsi-ncr5380-add-disconnect_mask-module-parameter.patch b/queue-5.4/scsi-ncr5380-add-disconnect_mask-module-parameter.patch new file mode 100644 index 00000000000..3183b15f33e --- /dev/null +++ b/queue-5.4/scsi-ncr5380-add-disconnect_mask-module-parameter.patch @@ -0,0 +1,54 @@ +From cf0ac561b7e3c2a4159c2ad54174b4a6e40e76d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 16 Nov 2019 14:36:57 +1100 +Subject: scsi: NCR5380: Add disconnect_mask module parameter + +From: Finn Thain + +[ Upstream commit 0b7a223552d455bcfba6fb9cfc5eef2b5fce1491 ] + +Add a module parameter to inhibit disconnect/reselect for individual +targets. This gains compatibility with Aztec PowerMonster SCSI/SATA +adapters with buggy firmware. (No fix is available from the vendor.) + +Apparently these adapters pass-through the product/vendor of the attached +SATA device. Since they can't be identified from the response to an INQUIRY +command, a device blacklist flag won't work. + +Cc: Michael Schmitz +Link: https://lore.kernel.org/r/993b17545990f31f9fa5a98202b51102a68e7594.1573875417.git.fthain@telegraphics.com.au +Reviewed-and-tested-by: Michael Schmitz +Signed-off-by: Finn Thain +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/NCR5380.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/NCR5380.c b/drivers/scsi/NCR5380.c +index 536426f25e86..d4401c768a0c 100644 +--- a/drivers/scsi/NCR5380.c ++++ b/drivers/scsi/NCR5380.c +@@ -129,6 +129,9 @@ + #define NCR5380_release_dma_irq(x) + #endif + ++static unsigned int disconnect_mask = ~0; ++module_param(disconnect_mask, int, 0444); ++ + static int do_abort(struct Scsi_Host *); + static void do_reset(struct Scsi_Host *); + static void bus_reset_cleanup(struct Scsi_Host *); +@@ -954,7 +957,8 @@ static bool NCR5380_select(struct Scsi_Host *instance, struct scsi_cmnd *cmd) + int err; + bool ret = true; + bool can_disconnect = instance->irq != NO_IRQ && +- cmd->cmnd[0] != REQUEST_SENSE; ++ cmd->cmnd[0] != REQUEST_SENSE && ++ (disconnect_mask & BIT(scmd_id(cmd))); + + NCR5380_dprint(NDEBUG_ARBITRATION, instance); + dsprintk(NDEBUG_ARBITRATION, instance, "starting arbitration, id = %d\n", +-- +2.20.1 + diff --git a/queue-5.4/scsi-pm80xx-fix-for-sata-device-discovery.patch b/queue-5.4/scsi-pm80xx-fix-for-sata-device-discovery.patch new file mode 100644 index 00000000000..f1f4e6f8c6c --- /dev/null +++ b/queue-5.4/scsi-pm80xx-fix-for-sata-device-discovery.patch @@ -0,0 +1,41 @@ +From 4b3a90431923d63e36e246a37093ebabe5a0ad4b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Nov 2019 15:38:58 +0530 +Subject: scsi: pm80xx: Fix for SATA device discovery + +From: peter chang + +[ Upstream commit ce21c63ee995b7a8b7b81245f2cee521f8c3c220 ] + +Driver was missing complete() call in mpi_sata_completion which result in +SATA abort error handling timing out. That causes the device to be left in +the in_recovery state so subsequent commands sent to the device fail and +the OS removes access to it. + +Link: https://lore.kernel.org/r/20191114100910.6153-2-deepak.ukey@microchip.com +Acked-by: Jack Wang +Signed-off-by: peter chang +Signed-off-by: Deepak Ukey +Signed-off-by: Viswas G +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/pm8001/pm80xx_hwi.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/scsi/pm8001/pm80xx_hwi.c b/drivers/scsi/pm8001/pm80xx_hwi.c +index 73261902d75d..161bf4760eac 100644 +--- a/drivers/scsi/pm8001/pm80xx_hwi.c ++++ b/drivers/scsi/pm8001/pm80xx_hwi.c +@@ -2382,6 +2382,8 @@ mpi_sata_completion(struct pm8001_hba_info *pm8001_ha, void *piomb) + pm8001_printk("task 0x%p done with io_status 0x%x" + " resp 0x%x stat 0x%x but aborted by upper layer!\n", + t, status, ts->resp, ts->stat)); ++ if (t->slow_task) ++ complete(&t->slow_task->completion); + pm8001_ccb_task_free(pm8001_ha, t, ccb, tag); + } else { + spin_unlock_irqrestore(&t->task_state_lock, flags); +-- +2.20.1 + diff --git a/queue-5.4/scsi-scsi_debug-num_tgts-must-be-0.patch b/queue-5.4/scsi-scsi_debug-num_tgts-must-be-0.patch new file mode 100644 index 00000000000..7a4092ef511 --- /dev/null +++ b/queue-5.4/scsi-scsi_debug-num_tgts-must-be-0.patch @@ -0,0 +1,40 @@ +From 128bf82a212616982a1e9da7dc21b52946c12eda Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Nov 2019 17:37:27 +0100 +Subject: scsi: scsi_debug: num_tgts must be >= 0 + +From: Maurizio Lombardi + +[ Upstream commit aa5334c4f3014940f11bf876e919c956abef4089 ] + +Passing the parameter "num_tgts=-1" will start an infinite loop that +exhausts the system memory + +Link: https://lore.kernel.org/r/20191115163727.24626-1-mlombard@redhat.com +Signed-off-by: Maurizio Lombardi +Acked-by: Douglas Gilbert +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_debug.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c +index d323523f5f9d..32965ec76965 100644 +--- a/drivers/scsi/scsi_debug.c ++++ b/drivers/scsi/scsi_debug.c +@@ -5263,6 +5263,11 @@ static int __init scsi_debug_init(void) + return -EINVAL; + } + ++ if (sdebug_num_tgts < 0) { ++ pr_err("num_tgts must be >= 0\n"); ++ return -EINVAL; ++ } ++ + if (sdebug_guard > 1) { + pr_err("guard must be 0 or 1\n"); + return -EINVAL; +-- +2.20.1 + diff --git a/queue-5.4/scsi-target-compare-full-chap_a-algorithm-strings.patch b/queue-5.4/scsi-target-compare-full-chap_a-algorithm-strings.patch new file mode 100644 index 00000000000..0eabd44c51f --- /dev/null +++ b/queue-5.4/scsi-target-compare-full-chap_a-algorithm-strings.patch @@ -0,0 +1,53 @@ +From a649220d2b265db71fb150be332d3337ba402bef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Sep 2019 11:55:45 +0200 +Subject: scsi: target: compare full CHAP_A Algorithm strings + +From: David Disseldorp + +[ Upstream commit 9cef2a7955f2754257a7cddedec16edae7b587d0 ] + +RFC 2307 states: + + For CHAP [RFC1994], in the first step, the initiator MUST send: + + CHAP_A= + + Where A1,A2... are proposed algorithms, in order of preference. +... + For the Algorithm, as stated in [RFC1994], one value is required to + be implemented: + + 5 (CHAP with MD5) + +LIO currently checks for this value by only comparing a single byte in +the tokenized Algorithm string, which means that any value starting with +a '5' (e.g. "55") is interpreted as "CHAP with MD5". Fix this by +comparing the entire tokenized string. + +Reviewed-by: Lee Duncan +Reviewed-by: Mike Christie +Signed-off-by: David Disseldorp +Link: https://lore.kernel.org/r/20190912095547.22427-2-ddiss@suse.de +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/iscsi/iscsi_target_auth.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/target/iscsi/iscsi_target_auth.c b/drivers/target/iscsi/iscsi_target_auth.c +index 51ddca2033e0..8fe9b12a07a4 100644 +--- a/drivers/target/iscsi/iscsi_target_auth.c ++++ b/drivers/target/iscsi/iscsi_target_auth.c +@@ -70,7 +70,7 @@ static int chap_check_algorithm(const char *a_str) + if (!token) + goto out; + +- if (!strncmp(token, "5", 1)) { ++ if (!strcmp(token, "5")) { + pr_debug("Selected MD5 Algorithm\n"); + kfree(orig); + return CHAP_DIGEST_MD5; +-- +2.20.1 + diff --git a/queue-5.4/scsi-target-core-release-spc-2-reservations-when-clo.patch b/queue-5.4/scsi-target-core-release-spc-2-reservations-when-clo.patch new file mode 100644 index 00000000000..0122c8ce119 --- /dev/null +++ b/queue-5.4/scsi-target-core-release-spc-2-reservations-when-clo.patch @@ -0,0 +1,128 @@ +From 14639b09d34fd972b85921f13770af0ce7ef25fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Nov 2019 14:05:07 -0800 +Subject: scsi: target: core: Release SPC-2 reservations when closing a session + +From: Bart Van Assche + +[ Upstream commit 80647a89eaf3f2549741648f3230cd6ff68c23b4 ] + +The SCSI specs require releasing SPC-2 reservations when a session is +closed. Make sure that the target core does this. + +Running the libiscsi tests triggers the KASAN complaint shown below. This +patch fixes that use-after-free. + +BUG: KASAN: use-after-free in target_check_reservation+0x171/0x980 [target_core_mod] +Read of size 8 at addr ffff88802ecd1878 by task iscsi_trx/17200 + +CPU: 0 PID: 17200 Comm: iscsi_trx Not tainted 5.4.0-rc1-dbg+ #1 +Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 +Call Trace: + dump_stack+0x8a/0xd6 + print_address_description.constprop.0+0x40/0x60 + __kasan_report.cold+0x1b/0x34 + kasan_report+0x16/0x20 + __asan_load8+0x58/0x90 + target_check_reservation+0x171/0x980 [target_core_mod] + __target_execute_cmd+0xb1/0xf0 [target_core_mod] + target_execute_cmd+0x22d/0x4d0 [target_core_mod] + transport_generic_new_cmd+0x31f/0x5b0 [target_core_mod] + transport_handle_cdb_direct+0x6f/0x90 [target_core_mod] + iscsit_execute_cmd+0x381/0x3f0 [iscsi_target_mod] + iscsit_sequence_cmd+0x13b/0x1f0 [iscsi_target_mod] + iscsit_process_scsi_cmd+0x4c/0x130 [iscsi_target_mod] + iscsit_get_rx_pdu+0x8e8/0x15f0 [iscsi_target_mod] + iscsi_target_rx_thread+0x105/0x1b0 [iscsi_target_mod] + kthread+0x1bc/0x210 + ret_from_fork+0x24/0x30 + +Allocated by task 1079: + save_stack+0x23/0x90 + __kasan_kmalloc.constprop.0+0xcf/0xe0 + kasan_slab_alloc+0x12/0x20 + kmem_cache_alloc+0xfe/0x3a0 + transport_alloc_session+0x29/0x80 [target_core_mod] + iscsi_target_login_thread+0xceb/0x1920 [iscsi_target_mod] + kthread+0x1bc/0x210 + ret_from_fork+0x24/0x30 + +Freed by task 17193: + save_stack+0x23/0x90 + __kasan_slab_free+0x13a/0x190 + kasan_slab_free+0x12/0x20 + kmem_cache_free+0xc8/0x3e0 + transport_free_session+0x179/0x2f0 [target_core_mod] + transport_deregister_session+0x121/0x170 [target_core_mod] + iscsit_close_session+0x12c/0x350 [iscsi_target_mod] + iscsit_logout_post_handler+0x136/0x380 [iscsi_target_mod] + iscsit_response_queue+0x8fa/0xc00 [iscsi_target_mod] + iscsi_target_tx_thread+0x28e/0x390 [iscsi_target_mod] + kthread+0x1bc/0x210 + ret_from_fork+0x24/0x30 + +The buggy address belongs to the object at ffff88802ecd1860 + which belongs to the cache se_sess_cache of size 352 +The buggy address is located 24 bytes inside of + 352-byte region [ffff88802ecd1860, ffff88802ecd19c0) +The buggy address belongs to the page: +page:ffffea0000bb3400 refcount:1 mapcount:0 mapping:ffff8880bef2ed00 index:0x0 compound_mapcount: 0 +flags: 0x1000000000010200(slab|head) +raw: 1000000000010200 dead000000000100 dead000000000122 ffff8880bef2ed00 +raw: 0000000000000000 0000000080270027 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff88802ecd1700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff88802ecd1780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +>ffff88802ecd1800: fb fb fb fb fc fc fc fc fc fc fc fc fb fb fb fb + ^ + ffff88802ecd1880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff88802ecd1900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + +Cc: Mike Christie +Link: https://lore.kernel.org/r/20191113220508.198257-2-bvanassche@acm.org +Reviewed-by: Roman Bolshakov +Signed-off-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/target_core_transport.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c +index 7f06a62f8661..eda8b4736c15 100644 +--- a/drivers/target/target_core_transport.c ++++ b/drivers/target/target_core_transport.c +@@ -584,6 +584,15 @@ void transport_free_session(struct se_session *se_sess) + } + EXPORT_SYMBOL(transport_free_session); + ++static int target_release_res(struct se_device *dev, void *data) ++{ ++ struct se_session *sess = data; ++ ++ if (dev->reservation_holder == sess) ++ target_release_reservation(dev); ++ return 0; ++} ++ + void transport_deregister_session(struct se_session *se_sess) + { + struct se_portal_group *se_tpg = se_sess->se_tpg; +@@ -600,6 +609,12 @@ void transport_deregister_session(struct se_session *se_sess) + se_sess->fabric_sess_ptr = NULL; + spin_unlock_irqrestore(&se_tpg->session_lock, flags); + ++ /* ++ * Since the session is being removed, release SPC-2 ++ * reservations held by the session that is disappearing. ++ */ ++ target_for_each_device(target_release_res, se_sess); ++ + pr_debug("TARGET_CORE[%s]: Deregistered fabric_sess\n", + se_tpg->se_tpg_tfo->fabric_name); + /* +-- +2.20.1 + diff --git a/queue-5.4/scsi-target-iscsi-wait-for-all-commands-to-finish-be.patch b/queue-5.4/scsi-target-iscsi-wait-for-all-commands-to-finish-be.patch new file mode 100644 index 00000000000..ffea0a6bde2 --- /dev/null +++ b/queue-5.4/scsi-target-iscsi-wait-for-all-commands-to-finish-be.patch @@ -0,0 +1,144 @@ +From f8884c9b526f6fddabe073110adf7fcdd773cdda Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Nov 2019 14:05:08 -0800 +Subject: scsi: target: iscsi: Wait for all commands to finish before freeing a + session + +From: Bart Van Assche + +[ Upstream commit e9d3009cb936bd0faf0719f68d98ad8afb1e613b ] + +The iSCSI target driver is the only target driver that does not wait for +ongoing commands to finish before freeing a session. Make the iSCSI target +driver wait for ongoing commands to finish before freeing a session. This +patch fixes the following KASAN complaint: + +BUG: KASAN: use-after-free in __lock_acquire+0xb1a/0x2710 +Read of size 8 at addr ffff8881154eca70 by task kworker/0:2/247 + +CPU: 0 PID: 247 Comm: kworker/0:2 Not tainted 5.4.0-rc1-dbg+ #6 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 +Workqueue: target_completion target_complete_ok_work [target_core_mod] +Call Trace: + dump_stack+0x8a/0xd6 + print_address_description.constprop.0+0x40/0x60 + __kasan_report.cold+0x1b/0x33 + kasan_report+0x16/0x20 + __asan_load8+0x58/0x90 + __lock_acquire+0xb1a/0x2710 + lock_acquire+0xd3/0x200 + _raw_spin_lock_irqsave+0x43/0x60 + target_release_cmd_kref+0x162/0x7f0 [target_core_mod] + target_put_sess_cmd+0x2e/0x40 [target_core_mod] + lio_check_stop_free+0x12/0x20 [iscsi_target_mod] + transport_cmd_check_stop_to_fabric+0xd8/0xe0 [target_core_mod] + target_complete_ok_work+0x1b0/0x790 [target_core_mod] + process_one_work+0x549/0xa40 + worker_thread+0x7a/0x5d0 + kthread+0x1bc/0x210 + ret_from_fork+0x24/0x30 + +Allocated by task 889: + save_stack+0x23/0x90 + __kasan_kmalloc.constprop.0+0xcf/0xe0 + kasan_slab_alloc+0x12/0x20 + kmem_cache_alloc+0xf6/0x360 + transport_alloc_session+0x29/0x80 [target_core_mod] + iscsi_target_login_thread+0xcd6/0x18f0 [iscsi_target_mod] + kthread+0x1bc/0x210 + ret_from_fork+0x24/0x30 + +Freed by task 1025: + save_stack+0x23/0x90 + __kasan_slab_free+0x13a/0x190 + kasan_slab_free+0x12/0x20 + kmem_cache_free+0x146/0x400 + transport_free_session+0x179/0x2f0 [target_core_mod] + transport_deregister_session+0x130/0x180 [target_core_mod] + iscsit_close_session+0x12c/0x350 [iscsi_target_mod] + iscsit_logout_post_handler+0x136/0x380 [iscsi_target_mod] + iscsit_response_queue+0x8de/0xbe0 [iscsi_target_mod] + iscsi_target_tx_thread+0x27f/0x370 [iscsi_target_mod] + kthread+0x1bc/0x210 + ret_from_fork+0x24/0x30 + +The buggy address belongs to the object at ffff8881154ec9c0 + which belongs to the cache se_sess_cache of size 352 +The buggy address is located 176 bytes inside of + 352-byte region [ffff8881154ec9c0, ffff8881154ecb20) +The buggy address belongs to the page: +page:ffffea0004553b00 refcount:1 mapcount:0 mapping:ffff888101755400 index:0x0 compound_mapcount: 0 +flags: 0x2fff000000010200(slab|head) +raw: 2fff000000010200 dead000000000100 dead000000000122 ffff888101755400 +raw: 0000000000000000 0000000080130013 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff8881154ec900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff8881154ec980: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb +>ffff8881154eca00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff8881154eca80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff8881154ecb00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc + +Cc: Mike Christie +Link: https://lore.kernel.org/r/20191113220508.198257-3-bvanassche@acm.org +Reviewed-by: Roman Bolshakov +Signed-off-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/iscsi/iscsi_target.c | 10 ++++++++-- + include/scsi/iscsi_proto.h | 1 + + 2 files changed, 9 insertions(+), 2 deletions(-) + +diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c +index d19e051f2bc2..f194ffc4699e 100644 +--- a/drivers/target/iscsi/iscsi_target.c ++++ b/drivers/target/iscsi/iscsi_target.c +@@ -1165,7 +1165,9 @@ int iscsit_setup_scsi_cmd(struct iscsi_conn *conn, struct iscsi_cmd *cmd, + hdr->cmdsn, be32_to_cpu(hdr->data_length), payload_length, + conn->cid); + +- target_get_sess_cmd(&cmd->se_cmd, true); ++ if (target_get_sess_cmd(&cmd->se_cmd, true) < 0) ++ return iscsit_add_reject_cmd(cmd, ++ ISCSI_REASON_WAITING_FOR_LOGOUT, buf); + + cmd->sense_reason = transport_lookup_cmd_lun(&cmd->se_cmd, + scsilun_to_int(&hdr->lun)); +@@ -2002,7 +2004,9 @@ iscsit_handle_task_mgt_cmd(struct iscsi_conn *conn, struct iscsi_cmd *cmd, + conn->sess->se_sess, 0, DMA_NONE, + TCM_SIMPLE_TAG, cmd->sense_buffer + 2); + +- target_get_sess_cmd(&cmd->se_cmd, true); ++ if (target_get_sess_cmd(&cmd->se_cmd, true) < 0) ++ return iscsit_add_reject_cmd(cmd, ++ ISCSI_REASON_WAITING_FOR_LOGOUT, buf); + + /* + * TASK_REASSIGN for ERL=2 / connection stays inside of +@@ -4232,6 +4236,8 @@ int iscsit_close_connection( + * must wait until they have completed. + */ + iscsit_check_conn_usage_count(conn); ++ target_sess_cmd_list_set_waiting(sess->se_sess); ++ target_wait_for_sess_cmds(sess->se_sess); + + ahash_request_free(conn->conn_tx_hash); + if (conn->conn_rx_hash) { +diff --git a/include/scsi/iscsi_proto.h b/include/scsi/iscsi_proto.h +index b71b5c4f418c..533f56733ba8 100644 +--- a/include/scsi/iscsi_proto.h ++++ b/include/scsi/iscsi_proto.h +@@ -627,6 +627,7 @@ struct iscsi_reject { + #define ISCSI_REASON_BOOKMARK_INVALID 9 + #define ISCSI_REASON_BOOKMARK_NO_RESOURCES 10 + #define ISCSI_REASON_NEGOTIATION_RESET 11 ++#define ISCSI_REASON_WAITING_FOR_LOGOUT 12 + + /* Max. number of Key=Value pairs in a text message */ + #define MAX_KEY_VALUE_PAIRS 8192 +-- +2.20.1 + diff --git a/queue-5.4/scsi-tracing-fix-handling-of-transfer-length-0-for-r.patch b/queue-5.4/scsi-tracing-fix-handling-of-transfer-length-0-for-r.patch new file mode 100644 index 00000000000..f4c6854fa25 --- /dev/null +++ b/queue-5.4/scsi-tracing-fix-handling-of-transfer-length-0-for-r.patch @@ -0,0 +1,55 @@ +From a710597d7a34d731aa86d2851ab4314d60502034 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Nov 2019 13:55:53 -0800 +Subject: scsi: tracing: Fix handling of TRANSFER LENGTH == 0 for READ(6) and + WRITE(6) + +From: Bart Van Assche + +[ Upstream commit f6b8540f40201bff91062dd64db8e29e4ddaaa9d ] + +According to SBC-2 a TRANSFER LENGTH field of zero means that 256 logical +blocks must be transferred. Make the SCSI tracing code follow SBC-2. + +Fixes: bf8162354233 ("[SCSI] add scsi trace core functions and put trace points") +Cc: Christoph Hellwig +Cc: Hannes Reinecke +Cc: Douglas Gilbert +Link: https://lore.kernel.org/r/20191105215553.185018-1-bvanassche@acm.org +Signed-off-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_trace.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/drivers/scsi/scsi_trace.c b/drivers/scsi/scsi_trace.c +index 0f17e7dac1b0..07a2425ffa2c 100644 +--- a/drivers/scsi/scsi_trace.c ++++ b/drivers/scsi/scsi_trace.c +@@ -18,15 +18,18 @@ static const char * + scsi_trace_rw6(struct trace_seq *p, unsigned char *cdb, int len) + { + const char *ret = trace_seq_buffer_ptr(p); +- sector_t lba = 0, txlen = 0; ++ u32 lba = 0, txlen; + + lba |= ((cdb[1] & 0x1F) << 16); + lba |= (cdb[2] << 8); + lba |= cdb[3]; +- txlen = cdb[4]; ++ /* ++ * From SBC-2: a TRANSFER LENGTH field set to zero specifies that 256 ++ * logical blocks shall be read (READ(6)) or written (WRITE(6)). ++ */ ++ txlen = cdb[4] ? cdb[4] : 256; + +- trace_seq_printf(p, "lba=%llu txlen=%llu", +- (unsigned long long)lba, (unsigned long long)txlen); ++ trace_seq_printf(p, "lba=%u txlen=%u", lba, txlen); + trace_seq_putc(p, 0); + + return ret; +-- +2.20.1 + diff --git a/queue-5.4/scsi-ufs-fix-error-handing-during-hibern8-enter.patch b/queue-5.4/scsi-ufs-fix-error-handing-during-hibern8-enter.patch new file mode 100644 index 00000000000..8f1993cf0af --- /dev/null +++ b/queue-5.4/scsi-ufs-fix-error-handing-during-hibern8-enter.patch @@ -0,0 +1,86 @@ +From d7e0d8414a0d9f8b64fe8e2c7f6144002c7b4ea4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Nov 2019 22:09:30 -0800 +Subject: scsi: ufs: Fix error handing during hibern8 enter +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Subhash Jadavani + +[ Upstream commit 6d303e4b19d694cdbebf76bcdb51ada664ee953d ] + +During clock gating (ufshcd_gate_work()), we first put the link hibern8 by +calling ufshcd_uic_hibern8_enter() and if ufshcd_uic_hibern8_enter() +returns success (0) then we gate all the clocks. Now let’s zoom in to what +ufshcd_uic_hibern8_enter() does internally: It calls +__ufshcd_uic_hibern8_enter() and if failure is encountered, link recovery +shall put the link back to the highest HS gear and returns success (0) to +ufshcd_uic_hibern8_enter() which is the issue as link is still in active +state due to recovery! Now ufshcd_uic_hibern8_enter() returns success to +ufshcd_gate_work() and hence it goes ahead with gating the UFS clock while +link is still in active state hence I believe controller would raise UIC +error interrupts. But when we service the interrupt, clocks might have +already been disabled! + +This change fixes for this by returning failure from +__ufshcd_uic_hibern8_enter() if recovery succeeds as link is still not in +hibern8, upon receiving the error ufshcd_hibern8_enter() would initiate +retry to put the link state back into hibern8. + +Link: https://lore.kernel.org/r/1573798172-20534-8-git-send-email-cang@codeaurora.org +Reviewed-by: Avri Altman +Reviewed-by: Bean Huo +Signed-off-by: Subhash Jadavani +Signed-off-by: Can Guo +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ufs/ufshcd.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c +index 358ff7b01568..0036dcffc4a9 100644 +--- a/drivers/scsi/ufs/ufshcd.c ++++ b/drivers/scsi/ufs/ufshcd.c +@@ -3885,15 +3885,24 @@ static int __ufshcd_uic_hibern8_enter(struct ufs_hba *hba) + ktime_to_us(ktime_sub(ktime_get(), start)), ret); + + if (ret) { ++ int err; ++ + dev_err(hba->dev, "%s: hibern8 enter failed. ret = %d\n", + __func__, ret); + + /* +- * If link recovery fails then return error so that caller +- * don't retry the hibern8 enter again. ++ * If link recovery fails then return error code returned from ++ * ufshcd_link_recovery(). ++ * If link recovery succeeds then return -EAGAIN to attempt ++ * hibern8 enter retry again. + */ +- if (ufshcd_link_recovery(hba)) +- ret = -ENOLINK; ++ err = ufshcd_link_recovery(hba); ++ if (err) { ++ dev_err(hba->dev, "%s: link recovery failed", __func__); ++ ret = err; ++ } else { ++ ret = -EAGAIN; ++ } + } else + ufshcd_vops_hibern8_notify(hba, UIC_CMD_DME_HIBER_ENTER, + POST_CHANGE); +@@ -3907,7 +3916,7 @@ static int ufshcd_uic_hibern8_enter(struct ufs_hba *hba) + + for (retries = UIC_HIBERN8_ENTER_RETRIES; retries > 0; retries--) { + ret = __ufshcd_uic_hibern8_enter(hba); +- if (!ret || ret == -ENOLINK) ++ if (!ret) + goto out; + } + out: +-- +2.20.1 + diff --git a/queue-5.4/scsi-ufs-fix-potential-bug-which-ends-in-system-hang.patch b/queue-5.4/scsi-ufs-fix-potential-bug-which-ends-in-system-hang.patch new file mode 100644 index 00000000000..db1f5e76840 --- /dev/null +++ b/queue-5.4/scsi-ufs-fix-potential-bug-which-ends-in-system-hang.patch @@ -0,0 +1,82 @@ +From 6ed73af32c5854d6fe3c59b021d9854fe2e46206 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Nov 2019 23:34:36 +0100 +Subject: scsi: ufs: fix potential bug which ends in system hang + +From: Bean Huo + +[ Upstream commit cfcbae3895b86c390ede57b2a8f601dd5972b47b ] + +In function __ufshcd_query_descriptor(), in the event of an error +happening, we directly goto out_unlock and forget to invaliate +hba->dev_cmd.query.descriptor pointer. This results in this pointer still +valid in ufshcd_copy_query_response() for other query requests which go +through ufshcd_exec_raw_upiu_cmd(). This will cause __memcpy() crash and +system hangs. Log as shown below: + +Unable to handle kernel paging request at virtual address +ffff000012233c40 +Mem abort info: + ESR = 0x96000047 + Exception class = DABT (current EL), IL = 32 bits + SET = 0, FnV = 0 + EA = 0, S1PTW = 0 +Data abort info: + ISV = 0, ISS = 0x00000047 + CM = 0, WnR = 1 +swapper pgtable: 4k pages, 48-bit VAs, pgdp = 0000000028cc735c +[ffff000012233c40] pgd=00000000bffff003, pud=00000000bfffe003, +pmd=00000000ba8b8003, pte=0000000000000000 + Internal error: Oops: 96000047 [#2] PREEMPT SMP + ... + Call trace: + __memcpy+0x74/0x180 + ufshcd_issue_devman_upiu_cmd+0x250/0x3c0 + ufshcd_exec_raw_upiu_cmd+0xfc/0x1a8 + ufs_bsg_request+0x178/0x3b0 + bsg_queue_rq+0xc0/0x118 + blk_mq_dispatch_rq_list+0xb0/0x538 + blk_mq_sched_dispatch_requests+0x18c/0x1d8 + __blk_mq_run_hw_queue+0xb4/0x118 + blk_mq_run_work_fn+0x28/0x38 + process_one_work+0x1ec/0x470 + worker_thread+0x48/0x458 + kthread+0x130/0x138 + ret_from_fork+0x10/0x1c + Code: 540000ab a8c12027 a88120c7 a8c12027 (a88120c7) + ---[ end trace 793e1eb5dff69f2d ]--- + note: kworker/0:2H[2054] exited with preempt_count 1 + +This patch is to move "descriptor = NULL" down to below the label +"out_unlock". + +Fixes: d44a5f98bb49b2(ufs: query descriptor API) +Link: https://lore.kernel.org/r/20191112223436.27449-3-huobean@gmail.com +Reviewed-by: Alim Akhtar +Reviewed-by: Bart Van Assche +Signed-off-by: Bean Huo +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ufs/ufshcd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c +index 11a87f51c442..358ff7b01568 100644 +--- a/drivers/scsi/ufs/ufshcd.c ++++ b/drivers/scsi/ufs/ufshcd.c +@@ -2986,10 +2986,10 @@ static int __ufshcd_query_descriptor(struct ufs_hba *hba, + goto out_unlock; + } + +- hba->dev_cmd.query.descriptor = NULL; + *buf_len = be16_to_cpu(response->upiu_res.length); + + out_unlock: ++ hba->dev_cmd.query.descriptor = NULL; + mutex_unlock(&hba->dev_cmd.lock); + out: + ufshcd_release(hba); +-- +2.20.1 + diff --git a/queue-5.4/scsi-ufs-fix-up-auto-hibern8-enablement.patch b/queue-5.4/scsi-ufs-fix-up-auto-hibern8-enablement.patch new file mode 100644 index 00000000000..4958ac13240 --- /dev/null +++ b/queue-5.4/scsi-ufs-fix-up-auto-hibern8-enablement.patch @@ -0,0 +1,116 @@ +From 692298fdbdb9788a28b939354ea1b4fa2ba7d276 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Nov 2019 22:09:26 -0800 +Subject: scsi: ufs: Fix up auto hibern8 enablement + +From: Can Guo + +[ Upstream commit 71d848b8d97ec0f8e993d63cf9de6ac8b3f7c43d ] + +Fix up possible unclocked register access to auto hibern8 register in +resume path and through sysfs entry. Meanwhile, enable auto hibern8 only +after device is fully initialized in probe path. + +Link: https://lore.kernel.org/r/1573798172-20534-4-git-send-email-cang@codeaurora.org +Reviewed-by: Stanley Chu +Signed-off-by: Can Guo +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ufs/ufs-sysfs.c | 15 +++++++++------ + drivers/scsi/ufs/ufshcd.c | 14 +++++++------- + drivers/scsi/ufs/ufshcd.h | 2 ++ + 3 files changed, 18 insertions(+), 13 deletions(-) + +diff --git a/drivers/scsi/ufs/ufs-sysfs.c b/drivers/scsi/ufs/ufs-sysfs.c +index 969a36b15897..ad2abc96c0f1 100644 +--- a/drivers/scsi/ufs/ufs-sysfs.c ++++ b/drivers/scsi/ufs/ufs-sysfs.c +@@ -126,13 +126,16 @@ static void ufshcd_auto_hibern8_update(struct ufs_hba *hba, u32 ahit) + return; + + spin_lock_irqsave(hba->host->host_lock, flags); +- if (hba->ahit == ahit) +- goto out_unlock; +- hba->ahit = ahit; +- if (!pm_runtime_suspended(hba->dev)) +- ufshcd_writel(hba, hba->ahit, REG_AUTO_HIBERNATE_IDLE_TIMER); +-out_unlock: ++ if (hba->ahit != ahit) ++ hba->ahit = ahit; + spin_unlock_irqrestore(hba->host->host_lock, flags); ++ if (!pm_runtime_suspended(hba->dev)) { ++ pm_runtime_get_sync(hba->dev); ++ ufshcd_hold(hba, false); ++ ufshcd_auto_hibern8_enable(hba); ++ ufshcd_release(hba); ++ pm_runtime_put(hba->dev); ++ } + } + + /* Convert Auto-Hibernate Idle Timer register value to microseconds */ +diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c +index 0036dcffc4a9..25a6a25b17a2 100644 +--- a/drivers/scsi/ufs/ufshcd.c ++++ b/drivers/scsi/ufs/ufshcd.c +@@ -3950,7 +3950,7 @@ static int ufshcd_uic_hibern8_exit(struct ufs_hba *hba) + return ret; + } + +-static void ufshcd_auto_hibern8_enable(struct ufs_hba *hba) ++void ufshcd_auto_hibern8_enable(struct ufs_hba *hba) + { + unsigned long flags; + +@@ -6890,9 +6890,6 @@ static int ufshcd_probe_hba(struct ufs_hba *hba) + /* UniPro link is active now */ + ufshcd_set_link_active(hba); + +- /* Enable Auto-Hibernate if configured */ +- ufshcd_auto_hibern8_enable(hba); +- + ret = ufshcd_verify_dev_init(hba); + if (ret) + goto out; +@@ -6943,6 +6940,9 @@ static int ufshcd_probe_hba(struct ufs_hba *hba) + /* set the state as operational after switching to desired gear */ + hba->ufshcd_state = UFSHCD_STATE_OPERATIONAL; + ++ /* Enable Auto-Hibernate if configured */ ++ ufshcd_auto_hibern8_enable(hba); ++ + /* + * If we are in error handling context or in power management callbacks + * context, no need to scan the host +@@ -7959,12 +7959,12 @@ static int ufshcd_resume(struct ufs_hba *hba, enum ufs_pm_op pm_op) + if (hba->clk_scaling.is_allowed) + ufshcd_resume_clkscaling(hba); + +- /* Schedule clock gating in case of no access to UFS device yet */ +- ufshcd_release(hba); +- + /* Enable Auto-Hibernate if configured */ + ufshcd_auto_hibern8_enable(hba); + ++ /* Schedule clock gating in case of no access to UFS device yet */ ++ ufshcd_release(hba); ++ + goto out; + + set_old_link_state: +diff --git a/drivers/scsi/ufs/ufshcd.h b/drivers/scsi/ufs/ufshcd.h +index c94cfda52829..52c9676a1242 100644 +--- a/drivers/scsi/ufs/ufshcd.h ++++ b/drivers/scsi/ufs/ufshcd.h +@@ -916,6 +916,8 @@ int ufshcd_query_attr(struct ufs_hba *hba, enum query_opcode opcode, + int ufshcd_query_flag(struct ufs_hba *hba, enum query_opcode opcode, + enum flag_idn idn, bool *flag_res); + ++void ufshcd_auto_hibern8_enable(struct ufs_hba *hba); ++ + #define SD_ASCII_STD true + #define SD_RAW false + int ufshcd_read_string_desc(struct ufs_hba *hba, u8 desc_index, +-- +2.20.1 + diff --git a/queue-5.4/scsi-zorro_esp-limit-dma-transfers-to-65536-bytes-ex.patch b/queue-5.4/scsi-zorro_esp-limit-dma-transfers-to-65536-bytes-ex.patch new file mode 100644 index 00000000000..9d6901cf3b4 --- /dev/null +++ b/queue-5.4/scsi-zorro_esp-limit-dma-transfers-to-65536-bytes-ex.patch @@ -0,0 +1,70 @@ +From c69b071533cecfb322aae59e536ee905c301d129 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Nov 2019 18:55:23 +0100 +Subject: scsi: zorro_esp: Limit DMA transfers to 65536 bytes (except on + Fastlane) + +From: Kars de Jong + +[ Upstream commit 02f7e9f351a9de95577eafdc3bd413ed1c3b589f ] + +When using this driver on a Blizzard 1260, there were failures whenever DMA +transfers from the SCSI bus to memory of 65535 bytes were followed by a DMA +transfer of 1 byte. This caused the byte at offset 65535 to be overwritten +with 0xff. The Blizzard hardware can't handle single byte DMA transfers. + +Besides this issue, limiting the DMA length to something that is not a +multiple of the page size is very inefficient on most file systems. + +It seems this limit was chosen because the DMA transfer counter of the ESP +by default is 16 bits wide, thus limiting the length to 65535 bytes. +However, the value 0 means 65536 bytes, which is handled by the ESP and the +Blizzard just fine. It is also the default maximum used by esp_scsi when +drivers don't provide their own dma_length_limit() function. + +The limit of 65536 bytes can be used by all boards except the Fastlane. The +old driver used a limit of 65532 bytes (0xfffc), which is reintroduced in +this patch. + +Fixes: b7ded0e8b0d1 ("scsi: zorro_esp: Limit DMA transfers to 65535 bytes") +Link: https://lore.kernel.org/r/20191112175523.23145-1-jongk@linux-m68k.org +Signed-off-by: Kars de Jong +Reviewed-by: Finn Thain +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/zorro_esp.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/zorro_esp.c b/drivers/scsi/zorro_esp.c +index ca8e3abeb2c7..a23a8e5794f5 100644 +--- a/drivers/scsi/zorro_esp.c ++++ b/drivers/scsi/zorro_esp.c +@@ -218,7 +218,14 @@ static int fastlane_esp_irq_pending(struct esp *esp) + static u32 zorro_esp_dma_length_limit(struct esp *esp, u32 dma_addr, + u32 dma_len) + { +- return dma_len > 0xFFFF ? 0xFFFF : dma_len; ++ return dma_len > (1U << 16) ? (1U << 16) : dma_len; ++} ++ ++static u32 fastlane_esp_dma_length_limit(struct esp *esp, u32 dma_addr, ++ u32 dma_len) ++{ ++ /* The old driver used 0xfffc as limit, so do that here too */ ++ return dma_len > 0xfffc ? 0xfffc : dma_len; + } + + static void zorro_esp_reset_dma(struct esp *esp) +@@ -604,7 +611,7 @@ static const struct esp_driver_ops fastlane_esp_ops = { + .esp_write8 = zorro_esp_write8, + .esp_read8 = zorro_esp_read8, + .irq_pending = fastlane_esp_irq_pending, +- .dma_length_limit = zorro_esp_dma_length_limit, ++ .dma_length_limit = fastlane_esp_dma_length_limit, + .reset_dma = zorro_esp_reset_dma, + .dma_drain = zorro_esp_dma_drain, + .dma_invalidate = fastlane_esp_dma_invalidate, +-- +2.20.1 + diff --git a/queue-5.4/selftests-powerpc-fixup-clobbers-for-tm-tests.patch b/queue-5.4/selftests-powerpc-fixup-clobbers-for-tm-tests.patch new file mode 100644 index 00000000000..ca47482bbdc --- /dev/null +++ b/queue-5.4/selftests-powerpc-fixup-clobbers-for-tm-tests.patch @@ -0,0 +1,101 @@ +From 4af1cd5672fe791f7ed6d3c1a9642111a1854a5c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2019 13:30:43 +1100 +Subject: selftests/powerpc: Fixup clobbers for TM tests + +From: Michael Ellerman + +[ Upstream commit a02cbc7ffe529ed58b6bbe54652104fc2c88bd77 ] + +Some of our TM (Transactional Memory) tests, list "r1" (the stack +pointer) as a clobbered register. + +GCC >= 9 doesn't accept this, and the build breaks: + + ptrace-tm-spd-tar.c: In function 'tm_spd_tar': + ptrace-tm-spd-tar.c:31:2: error: listing the stack pointer register 'r1' in a clobber list is deprecated [-Werror=deprecated] + 31 | asm __volatile__( + | ^~~ + ptrace-tm-spd-tar.c:31:2: note: the value of the stack pointer after an 'asm' statement must be the same as it was before the statement + +We do have some fairly large inline asm blocks in these tests, and +some of them do change the value of r1. However they should all return +to C with the value in r1 restored, so I think it's legitimate to say +r1 is not clobbered. + +As Segher points out, the r1 clobbers may have been added because of +the use of `or 1,1,1`, however that doesn't actually clobber r1. + +Segher also points out that some of these tests do clobber LR, because +they call functions, and that is not listed in the clobbers, so add +that where appropriate. + +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20191029095324.14669-1-mpe@ellerman.id.au +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/powerpc/ptrace/ptrace-tm-spd-tar.c | 2 +- + tools/testing/selftests/powerpc/ptrace/ptrace-tm-spd-vsx.c | 4 ++-- + tools/testing/selftests/powerpc/ptrace/ptrace-tm-tar.c | 2 +- + tools/testing/selftests/powerpc/ptrace/ptrace-tm-vsx.c | 4 ++-- + 4 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/tools/testing/selftests/powerpc/ptrace/ptrace-tm-spd-tar.c b/tools/testing/selftests/powerpc/ptrace/ptrace-tm-spd-tar.c +index 25e23e73c72e..2ecfa1158e2b 100644 +--- a/tools/testing/selftests/powerpc/ptrace/ptrace-tm-spd-tar.c ++++ b/tools/testing/selftests/powerpc/ptrace/ptrace-tm-spd-tar.c +@@ -73,7 +73,7 @@ trans: + [sprn_texasr]"i"(SPRN_TEXASR), [tar_1]"i"(TAR_1), + [dscr_1]"i"(DSCR_1), [tar_2]"i"(TAR_2), [dscr_2]"i"(DSCR_2), + [tar_3]"i"(TAR_3), [dscr_3]"i"(DSCR_3) +- : "memory", "r0", "r1", "r3", "r4", "r5", "r6" ++ : "memory", "r0", "r3", "r4", "r5", "r6", "lr" + ); + + /* TM failed, analyse */ +diff --git a/tools/testing/selftests/powerpc/ptrace/ptrace-tm-spd-vsx.c b/tools/testing/selftests/powerpc/ptrace/ptrace-tm-spd-vsx.c +index f603fe5a445b..6f7fb51f0809 100644 +--- a/tools/testing/selftests/powerpc/ptrace/ptrace-tm-spd-vsx.c ++++ b/tools/testing/selftests/powerpc/ptrace/ptrace-tm-spd-vsx.c +@@ -74,8 +74,8 @@ trans: + "3: ;" + : [res] "=r" (result), [texasr] "=r" (texasr) + : [sprn_texasr] "i" (SPRN_TEXASR) +- : "memory", "r0", "r1", "r3", "r4", +- "r7", "r8", "r9", "r10", "r11" ++ : "memory", "r0", "r3", "r4", ++ "r7", "r8", "r9", "r10", "r11", "lr" + ); + + if (result) { +diff --git a/tools/testing/selftests/powerpc/ptrace/ptrace-tm-tar.c b/tools/testing/selftests/powerpc/ptrace/ptrace-tm-tar.c +index e0d37f07bdeb..46ef378a15ec 100644 +--- a/tools/testing/selftests/powerpc/ptrace/ptrace-tm-tar.c ++++ b/tools/testing/selftests/powerpc/ptrace/ptrace-tm-tar.c +@@ -62,7 +62,7 @@ trans: + [sprn_ppr]"i"(SPRN_PPR), [sprn_texasr]"i"(SPRN_TEXASR), + [tar_1]"i"(TAR_1), [dscr_1]"i"(DSCR_1), [tar_2]"i"(TAR_2), + [dscr_2]"i"(DSCR_2), [cptr1] "b" (&cptr[1]) +- : "memory", "r0", "r1", "r3", "r4", "r5", "r6" ++ : "memory", "r0", "r3", "r4", "r5", "r6" + ); + + /* TM failed, analyse */ +diff --git a/tools/testing/selftests/powerpc/ptrace/ptrace-tm-vsx.c b/tools/testing/selftests/powerpc/ptrace/ptrace-tm-vsx.c +index 8027457b97b7..70ca01234f79 100644 +--- a/tools/testing/selftests/powerpc/ptrace/ptrace-tm-vsx.c ++++ b/tools/testing/selftests/powerpc/ptrace/ptrace-tm-vsx.c +@@ -62,8 +62,8 @@ trans: + "3: ;" + : [res] "=r" (result), [texasr] "=r" (texasr) + : [sprn_texasr] "i" (SPRN_TEXASR), [cptr1] "b" (&cptr[1]) +- : "memory", "r0", "r1", "r3", "r4", +- "r7", "r8", "r9", "r10", "r11" ++ : "memory", "r0", "r3", "r4", ++ "r7", "r8", "r9", "r10", "r11", "lr" + ); + + if (result) { +-- +2.20.1 + diff --git a/queue-5.4/selftests-powerpc-skip-tm-signal-sigreturn-nt-if-tm-.patch b/queue-5.4/selftests-powerpc-skip-tm-signal-sigreturn-nt-if-tm-.patch new file mode 100644 index 00000000000..ee3293a7518 --- /dev/null +++ b/queue-5.4/selftests-powerpc-skip-tm-signal-sigreturn-nt-if-tm-.patch @@ -0,0 +1,56 @@ +From c5888cb2169091adea87c23831be0e58676cce94 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Nov 2019 10:15:56 +1100 +Subject: selftests/powerpc: Skip tm-signal-sigreturn-nt if TM not available + +From: Michael Ellerman + +[ Upstream commit 505127068d9b705a6cf335143239db91bfe7bbe2 ] + +On systems where TM (Transactional Memory) is disabled the +tm-signal-sigreturn-nt test causes a SIGILL: + + test: tm_signal_sigreturn_nt + tags: git_version:7c202575ef63 + !! child died by signal 4 + failure: tm_signal_sigreturn_nt + +We should skip the test if TM is not available. + +Fixes: 34642d70ac7e ("selftests/powerpc: Add checks for transactional sigreturn") +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20191104233524.24348-1-mpe@ellerman.id.au +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/powerpc/tm/tm-signal-sigreturn-nt.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/tools/testing/selftests/powerpc/tm/tm-signal-sigreturn-nt.c b/tools/testing/selftests/powerpc/tm/tm-signal-sigreturn-nt.c +index 56fbf9f6bbf3..07c388147b75 100644 +--- a/tools/testing/selftests/powerpc/tm/tm-signal-sigreturn-nt.c ++++ b/tools/testing/selftests/powerpc/tm/tm-signal-sigreturn-nt.c +@@ -10,10 +10,12 @@ + */ + + #define _GNU_SOURCE ++#include + #include + #include + + #include "utils.h" ++#include "tm.h" + + void trap_signal_handler(int signo, siginfo_t *si, void *uc) + { +@@ -29,6 +31,8 @@ int tm_signal_sigreturn_nt(void) + { + struct sigaction trap_sa; + ++ SKIP_IF(!have_htm()); ++ + trap_sa.sa_flags = SA_SIGINFO; + trap_sa.sa_sigaction = trap_signal_handler; + +-- +2.20.1 + diff --git a/queue-5.4/selftests-vm-add-fragment-config_test_vmalloc.patch b/queue-5.4/selftests-vm-add-fragment-config_test_vmalloc.patch new file mode 100644 index 00000000000..40c613071e9 --- /dev/null +++ b/queue-5.4/selftests-vm-add-fragment-config_test_vmalloc.patch @@ -0,0 +1,40 @@ +From 6777db44cdeb3112d5a381cfd4f5f6487dc9f733 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 30 Nov 2019 17:54:43 -0800 +Subject: selftests: vm: add fragment CONFIG_TEST_VMALLOC + +From: Anders Roxell + +[ Upstream commit 746dd4012d215b53152f0001a48856e41ea31730 ] + +When running test_vmalloc.sh smoke the following print out states that +the fragment is missing. + + # ./test_vmalloc.sh: You must have the following enabled in your kernel: + # CONFIG_TEST_VMALLOC=m + +Rework to add the fragment 'CONFIG_TEST_VMALLOC=m' to the config file. + +Link: http://lkml.kernel.org/r/20190916095217.19665-1-anders.roxell@linaro.org +Fixes: a05ef00c9790 ("selftests/vm: add script helper for CONFIG_TEST_VMALLOC_MODULE") +Signed-off-by: Anders Roxell +Cc: Shuah Khan +Cc: "Uladzislau Rezki (Sony)" +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/vm/config | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/testing/selftests/vm/config b/tools/testing/selftests/vm/config +index 1c0d76cb5adf..93b90a9b1eeb 100644 +--- a/tools/testing/selftests/vm/config ++++ b/tools/testing/selftests/vm/config +@@ -1,2 +1,3 @@ + CONFIG_SYSVIPC=y + CONFIG_USERFAULTFD=y ++CONFIG_TEST_VMALLOC=m +-- +2.20.1 + diff --git a/queue-5.4/series b/queue-5.4/series index 3a63ecd3890..72744d49175 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -1,2 +1,130 @@ revert-mips-futex-restore-n-after-sync-instructions.patch revert-mips-futex-emit-loongson3-sync-workarounds-within-asm.patch +scsi-lpfc-fix-spinlock_irq-issues-in-lpfc_els_flush_.patch +scsi-lpfc-fix-discovery-failures-when-target-device-.patch +scsi-mpt3sas-fix-clear-pending-bit-in-ioctl-status.patch +scsi-lpfc-fix-locking-on-mailbox-command-completion.patch +scsi-mpt3sas-reject-nvme-encap-cmnds-to-unsupported-.patch +gpio-mxc-only-get-the-second-irq-when-there-is-more-.patch +scsi-lpfc-fix-list-corruption-in-lpfc_sli_get_iocbq.patch +input-atmel_mxt_ts-disable-irq-across-suspend.patch +f2fs-fix-to-update-time-in-lazytime-mode.patch +powerpc-papr_scm-fix-an-off-by-one-check-in-papr_scm.patch +tools-power-x86-intel-speed-select-remove-warning-fo.patch +platform-x86-peaq-wmi-switch-to-using-polled-mode-of.patch +iommu-rockchip-free-domain-on-.domain_free.patch +iommu-tegra-smmu-fix-page-tables-in-4-gib-memory.patch +dmaengine-xilinx_dma-clear-desc_pendingcount-in-xili.patch +scsi-target-compare-full-chap_a-algorithm-strings.patch +scsi-lpfc-fix-hardlockup-in-lpfc_abort_handler.patch +scsi-lpfc-fix-sli3-hba-in-loop-mode-not-discovering-.patch +scsi-csiostor-don-t-enable-irqs-too-early.patch +scsi-hisi_sas-replace-in_softirq-check-in-hisi_sas_t.patch +scsi-hisi_sas-delete-the-debugfs-folder-of-hisi_sas-.patch +powerpc-pseries-mark-accumulate_stolen_time-as-notra.patch +powerpc-pseries-don-t-fail-hash-page-table-insert-fo.patch +input-st1232-do-not-reset-the-chip-too-early.patch +selftests-powerpc-fixup-clobbers-for-tm-tests.patch +powerpc-tools-don-t-quote-objdump-in-scripts.patch +dma-debug-add-a-schedule-point-in-debug_dma_dump_map.patch +dma-mapping-add-vmap-checks-to-dma_map_single.patch +dma-mapping-fix-handling-of-dma-ranges-for-reserved-.patch +dmaengine-fsl-qdma-handle-invalid-qdma-queue0-irq.patch +leds-lm3692x-handle-failure-to-probe-the-regulator.patch +leds-an30259a-add-a-check-for-devm_regmap_init_i2c.patch +leds-trigger-netdev-fix-handling-on-interface-rename.patch +clocksource-drivers-asm9260-add-a-check-for-of_clk_g.patch +clocksource-drivers-timer-of-use-unique-device-name-.patch +dtc-use-pkg-config-to-locate-libyaml.patch +selftests-powerpc-skip-tm-signal-sigreturn-nt-if-tm-.patch +powerpc-security-book3s64-report-l1tf-status-in-sysf.patch +powerpc-book3s64-hash-add-cond_resched-to-avoid-soft.patch +ext4-update-direct-i-o-read-lock-pattern-for-iocb_no.patch +ext4-iomap-that-extends-beyond-eof-should-be-marked-.patch +jbd2-fix-statistics-for-the-number-of-logged-blocks.patch +scsi-tracing-fix-handling-of-transfer-length-0-for-r.patch +scsi-lpfc-fix-unexpected-error-messages-during-rscn-.patch +scsi-lpfc-fix-duplicate-unreg_rpi-error-in-port-offl.patch +f2fs-fix-to-update-dir-s-i_pino-during-cross_rename.patch +clk-qcom-smd-add-missing-pnoc-clock.patch +clk-qcom-allow-constant-ratio-freq-tables-for-rcg.patch +clk-clk-gpio-propagate-rate-change-to-parent.patch +irqchip-irq-bcm7038-l1-enable-parent-irq-if-necessar.patch +irqchip-ingenic-error-out-if-irq-domain-creation-fai.patch +dma-direct-check-for-overflows-on-32-bit-dma-address.patch +mfd-mfd-core-honour-device-tree-s-request-to-disable.patch +fs-quota-handle-overflows-of-sysctl-fs.quota.-and-re.patch +iommu-arm-smmu-v3-don-t-display-an-error-when-irq-li.patch +i2c-stm32f7-fix-reorder-remove-probe-error-handling.patch +iomap-fix-return-value-of-iomap_dio_bio_actor-on-32b.patch +input-ili210x-handle-errors-from-input_mt_init_slots.patch +scsi-lpfc-fix-coverity-lpfc_cmpl_els_rsp-null-pointe.patch +scsi-zorro_esp-limit-dma-transfers-to-65536-bytes-ex.patch +pci-rpaphp-fix-up-pointer-to-first-drc-info-entry.patch +scsi-ufs-fix-potential-bug-which-ends-in-system-hang.patch +powerpc-pseries-cmm-implement-release-function-for-s.patch +pci-rpaphp-don-t-rely-on-firmware-feature-to-imply-d.patch +pci-rpaphp-annotate-and-correctly-byte-swap-drc-prop.patch +pci-rpaphp-correctly-match-ibm-my-drc-index-to-drc-n.patch +powerpc-security-fix-wrong-message-when-rfi-flush-is.patch +powerpc-eeh-differentiate-duplicate-detection-messag.patch +powerpc-book3s-mm-update-oops-message-to-print-the-c.patch +scsi-atari_scsi-sun3_scsi-set-sg_tablesize-to-1-inst.patch +clk-pxa-fix-one-of-the-pxa-rtc-clocks.patch +bcache-at-least-try-to-shrink-1-node-in-bch_mca_scan.patch +hid-quirks-add-quirk-for-hp-msu1465-pixart-oem-mouse.patch +dt-bindings-improve-validation-build-error-handling.patch +hid-logitech-hidpp-silence-intermittent-get_battery_.patch +hid-i2c-hid-fix-no-irq-after-reset-on-raydium-3118.patch +arm-8937-1-spectre-v2-remove-brahma-b53-from-hardeni.patch +libnvdimm-btt-fix-variable-rc-set-but-not-used.patch +hid-improve-windows-precision-touchpad-detection.patch +hid-rmi-check-that-the-rmi_started-bit-is-set-before.patch +watchdog-imx7ulp-fix-reboot-hang.patch +watchdog-prevent-deferral-of-watchdogd-wakeup-on-rt.patch +watchdog-fix-the-race-between-the-release-of-watchdo.patch +powerpc-fixmap-use-__fix_to_virt-instead-of-fix_to_v.patch +clk-fix-memory-leak-in-clk_unregister.patch +scsi-pm80xx-fix-for-sata-device-discovery.patch +scsi-ufs-fix-error-handing-during-hibern8-enter.patch +scsi-scsi_debug-num_tgts-must-be-0.patch +scsi-ncr5380-add-disconnect_mask-module-parameter.patch +scsi-target-core-release-spc-2-reservations-when-clo.patch +scsi-ufs-fix-up-auto-hibern8-enablement.patch +scsi-iscsi-don-t-send-data-to-unbound-connection.patch +scsi-target-iscsi-wait-for-all-commands-to-finish-be.patch +f2fs-fix-deadlock-in-f2fs_gc-context-during-atomic-f.patch +habanalabs-skip-va-block-list-update-in-reset-flow.patch +gpio-mpc8xxx-fix-qoriq-gpio-reading.patch +platform-x86-intel_pmc_core-fix-the-soc-naming-incon.patch +platform-x86-intel_pmc_core-add-comet-lake-cml-platf.patch +gpio-mpc8xxx-don-t-overwrite-default-irq_set_type-ca.patch +gpio-lynxpoint-setup-correct-irq-handlers.patch +tools-power-x86-intel-speed-select-ignore-missing-co.patch +drivers-hv-vmbus-fix-crash-handler-reset-of-hyper-v-.patch +apparmor-fix-unsigned-len-comparison-with-less-than-.patch +drm-amdgpu-call-find_vma-under-mmap_sem.patch +scripts-kallsyms-fix-definitely-lost-memory-leak.patch +powerpc-don-t-add-mabi-flags-when-building-with-clan.patch +f2fs-choose-hardlimit-when-softlimit-is-larger-than-.patch +cifs-fix-use-after-free-bug-in-cifs_reconnect.patch +um-virtio-keep-reading-on-eagain.patch +io_uring-io_allocate_scq_urings-should-return-a-sane.patch +of-unittest-fix-memory-leak-in-attach_node_and_child.patch +cdrom-respect-device-capabilities-during-opening-act.patch +cifs-move-cifsfileinfo_put-logic-into-a-work-queue.patch +perf-diff-use-llabs-with-64-bit-values.patch +perf-script-fix-brstackinsn-for-auxtrace.patch +perf-regs-make-perf_reg_name-return-unknown-instead-.patch +s390-zcrypt-handle-new-reply-code-filtered_by_hyperv.patch +mailbox-imx-clear-the-right-interrupts-at-shutdown.patch +libfdt-define-int32_max-and-uint32_max-in-libfdt_env.patch +s390-unwind-filter-out-unreliable-bogus-r14.patch +s390-cpum_sf-check-for-sdbt-and-sdb-consistency.patch +ocfs2-fix-passing-zero-to-ptr_err-warning.patch +mailbox-imx-fix-tx-doorbell-shutdown-path.patch +s390-disable-preemption-when-switching-to-nodat-stac.patch +selftests-vm-add-fragment-config_test_vmalloc.patch +mm-hugetlbfs-fix-error-handling-when-setting-up-moun.patch +kernel-sysctl-make-drop_caches-write-only.patch +userfaultfd-require-cap_sys_ptrace-for-uffd_feature_.patch diff --git a/queue-5.4/tools-power-x86-intel-speed-select-ignore-missing-co.patch b/queue-5.4/tools-power-x86-intel-speed-select-ignore-missing-co.patch new file mode 100644 index 00000000000..815adc087cb --- /dev/null +++ b/queue-5.4/tools-power-x86-intel-speed-select-ignore-missing-co.patch @@ -0,0 +1,77 @@ +From 3115a364938cf03981c525b64db0a5eda4b84466 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Nov 2019 12:35:22 -0800 +Subject: tools/power/x86/intel-speed-select: Ignore missing config level + +From: Srinivas Pandruvada + +[ Upstream commit 20183ccd3e4d01d23b0a01fe9f3ee73fbae312fa ] + +It is possible that certain config levels are not available, even +if the max level includes the level. There can be missing levels in +some platforms. So ignore the level when called for information dump +for all levels and fail if specifically ask for the missing level. + +Here the changes is to continue reading information about other levels +even if we fail to get information for the current level. But use the +"processed" flag to indicate the failure. When the "processed" flag is +not set, don't dump information about that level. + +Signed-off-by: Srinivas Pandruvada +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +--- + tools/power/x86/intel-speed-select/isst-core.c | 8 ++++---- + tools/power/x86/intel-speed-select/isst-display.c | 3 ++- + 2 files changed, 6 insertions(+), 5 deletions(-) + +diff --git a/tools/power/x86/intel-speed-select/isst-core.c b/tools/power/x86/intel-speed-select/isst-core.c +index 6dee5332c9d3..fde3f9cefc6d 100644 +--- a/tools/power/x86/intel-speed-select/isst-core.c ++++ b/tools/power/x86/intel-speed-select/isst-core.c +@@ -553,7 +553,6 @@ int isst_get_process_ctdp(int cpu, int tdp_level, struct isst_pkg_ctdp *pkg_dev) + i); + ctdp_level = &pkg_dev->ctdp_level[i]; + +- ctdp_level->processed = 1; + ctdp_level->level = i; + ctdp_level->control_cpu = cpu; + ctdp_level->pkg_id = get_physical_package_id(cpu); +@@ -561,7 +560,10 @@ int isst_get_process_ctdp(int cpu, int tdp_level, struct isst_pkg_ctdp *pkg_dev) + + ret = isst_get_ctdp_control(cpu, i, ctdp_level); + if (ret) +- return ret; ++ continue; ++ ++ pkg_dev->processed = 1; ++ ctdp_level->processed = 1; + + ret = isst_get_tdp_info(cpu, i, ctdp_level); + if (ret) +@@ -614,8 +616,6 @@ int isst_get_process_ctdp(int cpu, int tdp_level, struct isst_pkg_ctdp *pkg_dev) + } + } + +- pkg_dev->processed = 1; +- + return 0; + } + +diff --git a/tools/power/x86/intel-speed-select/isst-display.c b/tools/power/x86/intel-speed-select/isst-display.c +index 40346d534f78..b11575c3e886 100644 +--- a/tools/power/x86/intel-speed-select/isst-display.c ++++ b/tools/power/x86/intel-speed-select/isst-display.c +@@ -314,7 +314,8 @@ void isst_ctdp_display_information(int cpu, FILE *outf, int tdp_level, + char value[256]; + int i, base_level = 1; + +- print_package_info(cpu, outf); ++ if (pkg_dev->processed) ++ print_package_info(cpu, outf); + + for (i = 0; i <= pkg_dev->levels; ++i) { + struct isst_pkg_ctdp_level_info *ctdp_level; +-- +2.20.1 + diff --git a/queue-5.4/tools-power-x86-intel-speed-select-remove-warning-fo.patch b/queue-5.4/tools-power-x86-intel-speed-select-remove-warning-fo.patch new file mode 100644 index 00000000000..d673323cd45 --- /dev/null +++ b/queue-5.4/tools-power-x86-intel-speed-select-remove-warning-fo.patch @@ -0,0 +1,56 @@ +From 6528b8b970f8247c5b2c8d365596e10fca40253d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Oct 2019 13:29:36 -0700 +Subject: tools/power/x86/intel-speed-select: Remove warning for unused result +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Srinivas Pandruvada + +[ Upstream commit abd120e3bdf3dd72ba1ed9ac077a861e0e3dc43a ] + +Fix warning for: +isst-config.c: In function ‘set_cpu_online_offline’: +isst-config.c:221:3: warning: ignoring return value of ‘write’, +declared with attribute warn_unused_result [-Wunused-result] + write(fd, "1\n", 2); + +Signed-off-by: Srinivas Pandruvada +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +--- + tools/power/x86/intel-speed-select/isst-config.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/tools/power/x86/intel-speed-select/isst-config.c b/tools/power/x86/intel-speed-select/isst-config.c +index 2a9890c8395a..21fcfe621d3a 100644 +--- a/tools/power/x86/intel-speed-select/isst-config.c ++++ b/tools/power/x86/intel-speed-select/isst-config.c +@@ -169,7 +169,7 @@ int get_topo_max_cpus(void) + static void set_cpu_online_offline(int cpu, int state) + { + char buffer[128]; +- int fd; ++ int fd, ret; + + snprintf(buffer, sizeof(buffer), + "/sys/devices/system/cpu/cpu%d/online", cpu); +@@ -179,9 +179,12 @@ static void set_cpu_online_offline(int cpu, int state) + err(-1, "%s open failed", buffer); + + if (state) +- write(fd, "1\n", 2); ++ ret = write(fd, "1\n", 2); + else +- write(fd, "0\n", 2); ++ ret = write(fd, "0\n", 2); ++ ++ if (ret == -1) ++ perror("Online/Offline: Operation failed\n"); + + close(fd); + } +-- +2.20.1 + diff --git a/queue-5.4/um-virtio-keep-reading-on-eagain.patch b/queue-5.4/um-virtio-keep-reading-on-eagain.patch new file mode 100644 index 00000000000..3b6545c3154 --- /dev/null +++ b/queue-5.4/um-virtio-keep-reading-on-eagain.patch @@ -0,0 +1,94 @@ +From 5d95c9cd34f766721803cf3ffbe7006396bf8dae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Sep 2019 09:21:17 +0200 +Subject: um: virtio: Keep reading on -EAGAIN + +From: Johannes Berg + +[ Upstream commit 7e60746005573a06149cdee7acedf428906f3a59 ] + +When we get an interrupt from the socket getting readable, +and start reading, there's a possibility for a race. This +depends on the implementation of the device, but e.g. with +qemu's libvhost-user, we can see: + + device virtio_uml +--------------------------------------- + write header + get interrupt + read header + read body -> returns -EAGAIN + write body + +The -EAGAIN return is because the socket is non-blocking, +and then this leads us to abandon this message. + +In fact, we've already read the header, so when the get +another signal/interrupt for the body, we again read it +as though it's a new message header, and also abandon it +for the same reason (wrong size etc.) + +This essentially breaks things, and if that message was +one that required a response, it leads to a deadlock as +the device is waiting for the response but we'll never +reply. + +Fix this by spinning on -EAGAIN as well when we read the +message body. We need to handle -EAGAIN as "no message" +while reading the header, since we share an interrupt. + +Note that this situation is highly unlikely to occur in +normal usage, since there will be very few messages and +only in the startup phase. With the inband call feature +this does tend to happen (eventually) though. + +Signed-off-by: Johannes Berg +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + arch/um/drivers/virtio_uml.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/um/drivers/virtio_uml.c b/arch/um/drivers/virtio_uml.c +index fc8c52cff5aa..c5643a59a8c7 100644 +--- a/arch/um/drivers/virtio_uml.c ++++ b/arch/um/drivers/virtio_uml.c +@@ -83,7 +83,7 @@ static int full_sendmsg_fds(int fd, const void *buf, unsigned int len, + return 0; + } + +-static int full_read(int fd, void *buf, int len) ++static int full_read(int fd, void *buf, int len, bool abortable) + { + int rc; + +@@ -93,7 +93,7 @@ static int full_read(int fd, void *buf, int len) + buf += rc; + len -= rc; + } +- } while (len && (rc > 0 || rc == -EINTR)); ++ } while (len && (rc > 0 || rc == -EINTR || (!abortable && rc == -EAGAIN))); + + if (rc < 0) + return rc; +@@ -104,7 +104,7 @@ static int full_read(int fd, void *buf, int len) + + static int vhost_user_recv_header(int fd, struct vhost_user_msg *msg) + { +- return full_read(fd, msg, sizeof(msg->header)); ++ return full_read(fd, msg, sizeof(msg->header), true); + } + + static int vhost_user_recv(int fd, struct vhost_user_msg *msg, +@@ -118,7 +118,7 @@ static int vhost_user_recv(int fd, struct vhost_user_msg *msg, + size = msg->header.size; + if (size > max_payload_size) + return -EPROTO; +- return full_read(fd, &msg->payload, size); ++ return full_read(fd, &msg->payload, size, false); + } + + static int vhost_user_recv_resp(struct virtio_uml_device *vu_dev, +-- +2.20.1 + diff --git a/queue-5.4/userfaultfd-require-cap_sys_ptrace-for-uffd_feature_.patch b/queue-5.4/userfaultfd-require-cap_sys_ptrace-for-uffd_feature_.patch new file mode 100644 index 00000000000..5061e726560 --- /dev/null +++ b/queue-5.4/userfaultfd-require-cap_sys_ptrace-for-uffd_feature_.patch @@ -0,0 +1,86 @@ +From 7228e7741b6dd3ecc962c05e0ec3746256f00568 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 30 Nov 2019 17:58:01 -0800 +Subject: userfaultfd: require CAP_SYS_PTRACE for UFFD_FEATURE_EVENT_FORK + +From: Mike Rapoport + +[ Upstream commit 3c1c24d91ffd536de0a64688a9df7f49e58fadbc ] + +A while ago Andy noticed +(http://lkml.kernel.org/r/CALCETrWY+5ynDct7eU_nDUqx=okQvjm=Y5wJvA4ahBja=CQXGw@mail.gmail.com) +that UFFD_FEATURE_EVENT_FORK used by an unprivileged user may have +security implications. + +As the first step of the solution the following patch limits the availably +of UFFD_FEATURE_EVENT_FORK only for those having CAP_SYS_PTRACE. + +The usage of CAP_SYS_PTRACE ensures compatibility with CRIU. + +Yet, if there are other users of non-cooperative userfaultfd that run +without CAP_SYS_PTRACE, they would be broken :( + +Current implementation of UFFD_FEATURE_EVENT_FORK modifies the file +descriptor table from the read() implementation of uffd, which may have +security implications for unprivileged use of the userfaultfd. + +Limit availability of UFFD_FEATURE_EVENT_FORK only for callers that have +CAP_SYS_PTRACE. + +Link: http://lkml.kernel.org/r/1572967777-8812-2-git-send-email-rppt@linux.ibm.com +Signed-off-by: Mike Rapoport +Reviewed-by: Andrea Arcangeli +Cc: Daniel Colascione +Cc: Jann Horn +Cc: Lokesh Gidra +Cc: Nick Kralevich +Cc: Nosh Minwalla +Cc: Pavel Emelyanov +Cc: Tim Murray +Cc: Aleksa Sarai +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/userfaultfd.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c +index f9fd18670e22..d99d166fd892 100644 +--- a/fs/userfaultfd.c ++++ b/fs/userfaultfd.c +@@ -1834,13 +1834,12 @@ static int userfaultfd_api(struct userfaultfd_ctx *ctx, + if (copy_from_user(&uffdio_api, buf, sizeof(uffdio_api))) + goto out; + features = uffdio_api.features; +- if (uffdio_api.api != UFFD_API || (features & ~UFFD_API_FEATURES)) { +- memset(&uffdio_api, 0, sizeof(uffdio_api)); +- if (copy_to_user(buf, &uffdio_api, sizeof(uffdio_api))) +- goto out; +- ret = -EINVAL; +- goto out; +- } ++ ret = -EINVAL; ++ if (uffdio_api.api != UFFD_API || (features & ~UFFD_API_FEATURES)) ++ goto err_out; ++ ret = -EPERM; ++ if ((features & UFFD_FEATURE_EVENT_FORK) && !capable(CAP_SYS_PTRACE)) ++ goto err_out; + /* report all available features and ioctls to userland */ + uffdio_api.features = UFFD_API_FEATURES; + uffdio_api.ioctls = UFFD_API_IOCTLS; +@@ -1853,6 +1852,11 @@ static int userfaultfd_api(struct userfaultfd_ctx *ctx, + ret = 0; + out: + return ret; ++err_out: ++ memset(&uffdio_api, 0, sizeof(uffdio_api)); ++ if (copy_to_user(buf, &uffdio_api, sizeof(uffdio_api))) ++ ret = -EFAULT; ++ goto out; + } + + static long userfaultfd_ioctl(struct file *file, unsigned cmd, +-- +2.20.1 + diff --git a/queue-5.4/watchdog-fix-the-race-between-the-release-of-watchdo.patch b/queue-5.4/watchdog-fix-the-race-between-the-release-of-watchdo.patch new file mode 100644 index 00000000000..28ad711a556 --- /dev/null +++ b/queue-5.4/watchdog-fix-the-race-between-the-release-of-watchdo.patch @@ -0,0 +1,289 @@ +From 6d6d16170c8aa90108e5c0917961f6f86f068e8a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2019 19:29:34 +0800 +Subject: watchdog: Fix the race between the release of watchdog_core_data and + cdev + +From: Kevin Hao + +[ Upstream commit 72139dfa2464e43957d330266994740bb7be2535 ] + +The struct cdev is embedded in the struct watchdog_core_data. In the +current code, we manage the watchdog_core_data with a kref, but the +cdev is manged by a kobject. There is no any relationship between +this kref and kobject. So it is possible that the watchdog_core_data is +freed before the cdev is entirely released. We can easily get the +following call trace with CONFIG_DEBUG_KOBJECT_RELEASE and +CONFIG_DEBUG_OBJECTS_TIMERS enabled. + ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x38 + WARNING: CPU: 23 PID: 1028 at lib/debugobjects.c:481 debug_print_object+0xb0/0xf0 + Modules linked in: softdog(-) deflate ctr twofish_generic twofish_common camellia_generic serpent_generic blowfish_generic blowfish_common cast5_generic cast_common cmac xcbc af_key sch_fq_codel openvswitch nsh nf_conncount nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 + CPU: 23 PID: 1028 Comm: modprobe Not tainted 5.3.0-next-20190924-yoctodev-standard+ #180 + Hardware name: Marvell OcteonTX CN96XX board (DT) + pstate: 00400009 (nzcv daif +PAN -UAO) + pc : debug_print_object+0xb0/0xf0 + lr : debug_print_object+0xb0/0xf0 + sp : ffff80001cbcfc70 + x29: ffff80001cbcfc70 x28: ffff800010ea2128 + x27: ffff800010bad000 x26: 0000000000000000 + x25: ffff80001103c640 x24: ffff80001107b268 + x23: ffff800010bad9e8 x22: ffff800010ea2128 + x21: ffff000bc2c62af8 x20: ffff80001103c600 + x19: ffff800010e867d8 x18: 0000000000000060 + x17: 0000000000000000 x16: 0000000000000000 + x15: ffff000bd7240470 x14: 6e6968207473696c + x13: 5f72656d6974203a x12: 6570797420746365 + x11: 6a626f2029302065 x10: 7461747320657669 + x9 : 7463612820657669 x8 : 3378302f3078302b + x7 : 0000000000001d7a x6 : ffff800010fd5889 + x5 : 0000000000000000 x4 : 0000000000000000 + x3 : 0000000000000000 x2 : ffff000bff948548 + x1 : 276a1c9e1edc2300 x0 : 0000000000000000 + Call trace: + debug_print_object+0xb0/0xf0 + debug_check_no_obj_freed+0x1e8/0x210 + kfree+0x1b8/0x368 + watchdog_cdev_unregister+0x88/0xc8 + watchdog_dev_unregister+0x38/0x48 + watchdog_unregister_device+0xa8/0x100 + softdog_exit+0x18/0xfec4 [softdog] + __arm64_sys_delete_module+0x174/0x200 + el0_svc_handler+0xd0/0x1c8 + el0_svc+0x8/0xc + +This is a common issue when using cdev embedded in a struct. +Fortunately, we already have a mechanism to solve this kind of issue. +Please see commit 233ed09d7fda ("chardev: add helper function to +register char devs with a struct device") for more detail. + +In this patch, we choose to embed the struct device into the +watchdog_core_data, and use the API provided by the commit 233ed09d7fda +to make sure that the release of watchdog_core_data and cdev are +in sequence. + +Signed-off-by: Kevin Hao +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20191008112934.29669-1-haokexin@gmail.com +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/watchdog_dev.c | 70 +++++++++++++++------------------ + 1 file changed, 32 insertions(+), 38 deletions(-) + +diff --git a/drivers/watchdog/watchdog_dev.c b/drivers/watchdog/watchdog_dev.c +index d3acc0a7256c..62483a99105c 100644 +--- a/drivers/watchdog/watchdog_dev.c ++++ b/drivers/watchdog/watchdog_dev.c +@@ -34,7 +34,6 @@ + #include /* For __init/__exit/... */ + #include /* For hrtimers */ + #include /* For printk/panic/... */ +-#include /* For data references */ + #include /* For kthread_work */ + #include /* For handling misc devices */ + #include /* For module stuff/... */ +@@ -52,14 +51,14 @@ + + /* + * struct watchdog_core_data - watchdog core internal data +- * @kref: Reference count. ++ * @dev: The watchdog's internal device + * @cdev: The watchdog's Character device. + * @wdd: Pointer to watchdog device. + * @lock: Lock for watchdog core. + * @status: Watchdog core internal status bits. + */ + struct watchdog_core_data { +- struct kref kref; ++ struct device dev; + struct cdev cdev; + struct watchdog_device *wdd; + struct mutex lock; +@@ -840,7 +839,7 @@ static int watchdog_open(struct inode *inode, struct file *file) + file->private_data = wd_data; + + if (!hw_running) +- kref_get(&wd_data->kref); ++ get_device(&wd_data->dev); + + /* + * open_timeout only applies for the first open from +@@ -861,11 +860,11 @@ out_clear: + return err; + } + +-static void watchdog_core_data_release(struct kref *kref) ++static void watchdog_core_data_release(struct device *dev) + { + struct watchdog_core_data *wd_data; + +- wd_data = container_of(kref, struct watchdog_core_data, kref); ++ wd_data = container_of(dev, struct watchdog_core_data, dev); + + kfree(wd_data); + } +@@ -925,7 +924,7 @@ done: + */ + if (!running) { + module_put(wd_data->cdev.owner); +- kref_put(&wd_data->kref, watchdog_core_data_release); ++ put_device(&wd_data->dev); + } + return 0; + } +@@ -944,17 +943,22 @@ static struct miscdevice watchdog_miscdev = { + .fops = &watchdog_fops, + }; + ++static struct class watchdog_class = { ++ .name = "watchdog", ++ .owner = THIS_MODULE, ++ .dev_groups = wdt_groups, ++}; ++ + /* + * watchdog_cdev_register: register watchdog character device + * @wdd: watchdog device +- * @devno: character device number + * + * Register a watchdog character device including handling the legacy + * /dev/watchdog node. /dev/watchdog is actually a miscdevice and + * thus we set it up like that. + */ + +-static int watchdog_cdev_register(struct watchdog_device *wdd, dev_t devno) ++static int watchdog_cdev_register(struct watchdog_device *wdd) + { + struct watchdog_core_data *wd_data; + int err; +@@ -962,7 +966,6 @@ static int watchdog_cdev_register(struct watchdog_device *wdd, dev_t devno) + wd_data = kzalloc(sizeof(struct watchdog_core_data), GFP_KERNEL); + if (!wd_data) + return -ENOMEM; +- kref_init(&wd_data->kref); + mutex_init(&wd_data->lock); + + wd_data->wdd = wdd; +@@ -991,23 +994,33 @@ static int watchdog_cdev_register(struct watchdog_device *wdd, dev_t devno) + } + } + ++ device_initialize(&wd_data->dev); ++ wd_data->dev.devt = MKDEV(MAJOR(watchdog_devt), wdd->id); ++ wd_data->dev.class = &watchdog_class; ++ wd_data->dev.parent = wdd->parent; ++ wd_data->dev.groups = wdd->groups; ++ wd_data->dev.release = watchdog_core_data_release; ++ dev_set_drvdata(&wd_data->dev, wdd); ++ dev_set_name(&wd_data->dev, "watchdog%d", wdd->id); ++ + /* Fill in the data structures */ + cdev_init(&wd_data->cdev, &watchdog_fops); +- wd_data->cdev.owner = wdd->ops->owner; + + /* Add the device */ +- err = cdev_add(&wd_data->cdev, devno, 1); ++ err = cdev_device_add(&wd_data->cdev, &wd_data->dev); + if (err) { + pr_err("watchdog%d unable to add device %d:%d\n", + wdd->id, MAJOR(watchdog_devt), wdd->id); + if (wdd->id == 0) { + misc_deregister(&watchdog_miscdev); + old_wd_data = NULL; +- kref_put(&wd_data->kref, watchdog_core_data_release); ++ put_device(&wd_data->dev); + } + return err; + } + ++ wd_data->cdev.owner = wdd->ops->owner; ++ + /* Record time of most recent heartbeat as 'just before now'. */ + wd_data->last_hw_keepalive = ktime_sub(ktime_get(), 1); + watchdog_set_open_deadline(wd_data); +@@ -1018,7 +1031,7 @@ static int watchdog_cdev_register(struct watchdog_device *wdd, dev_t devno) + */ + if (watchdog_hw_running(wdd)) { + __module_get(wdd->ops->owner); +- kref_get(&wd_data->kref); ++ get_device(&wd_data->dev); + if (handle_boot_enabled) + hrtimer_start(&wd_data->timer, 0, + HRTIMER_MODE_REL_HARD); +@@ -1042,7 +1055,7 @@ static void watchdog_cdev_unregister(struct watchdog_device *wdd) + { + struct watchdog_core_data *wd_data = wdd->wd_data; + +- cdev_del(&wd_data->cdev); ++ cdev_device_del(&wd_data->cdev, &wd_data->dev); + if (wdd->id == 0) { + misc_deregister(&watchdog_miscdev); + old_wd_data = NULL; +@@ -1061,15 +1074,9 @@ static void watchdog_cdev_unregister(struct watchdog_device *wdd) + hrtimer_cancel(&wd_data->timer); + kthread_cancel_work_sync(&wd_data->work); + +- kref_put(&wd_data->kref, watchdog_core_data_release); ++ put_device(&wd_data->dev); + } + +-static struct class watchdog_class = { +- .name = "watchdog", +- .owner = THIS_MODULE, +- .dev_groups = wdt_groups, +-}; +- + static int watchdog_reboot_notifier(struct notifier_block *nb, + unsigned long code, void *data) + { +@@ -1100,27 +1107,14 @@ static int watchdog_reboot_notifier(struct notifier_block *nb, + + int watchdog_dev_register(struct watchdog_device *wdd) + { +- struct device *dev; +- dev_t devno; + int ret; + +- devno = MKDEV(MAJOR(watchdog_devt), wdd->id); +- +- ret = watchdog_cdev_register(wdd, devno); ++ ret = watchdog_cdev_register(wdd); + if (ret) + return ret; + +- dev = device_create_with_groups(&watchdog_class, wdd->parent, +- devno, wdd, wdd->groups, +- "watchdog%d", wdd->id); +- if (IS_ERR(dev)) { +- watchdog_cdev_unregister(wdd); +- return PTR_ERR(dev); +- } +- + ret = watchdog_register_pretimeout(wdd); + if (ret) { +- device_destroy(&watchdog_class, devno); + watchdog_cdev_unregister(wdd); + return ret; + } +@@ -1128,7 +1122,8 @@ int watchdog_dev_register(struct watchdog_device *wdd) + if (test_bit(WDOG_STOP_ON_REBOOT, &wdd->status)) { + wdd->reboot_nb.notifier_call = watchdog_reboot_notifier; + +- ret = devm_register_reboot_notifier(dev, &wdd->reboot_nb); ++ ret = devm_register_reboot_notifier(&wdd->wd_data->dev, ++ &wdd->reboot_nb); + if (ret) { + pr_err("watchdog%d: Cannot register reboot notifier (%d)\n", + wdd->id, ret); +@@ -1150,7 +1145,6 @@ int watchdog_dev_register(struct watchdog_device *wdd) + void watchdog_dev_unregister(struct watchdog_device *wdd) + { + watchdog_unregister_pretimeout(wdd); +- device_destroy(&watchdog_class, wdd->wd_data->cdev.dev); + watchdog_cdev_unregister(wdd); + } + +-- +2.20.1 + diff --git a/queue-5.4/watchdog-imx7ulp-fix-reboot-hang.patch b/queue-5.4/watchdog-imx7ulp-fix-reboot-hang.patch new file mode 100644 index 00000000000..ee0a13dd757 --- /dev/null +++ b/queue-5.4/watchdog-imx7ulp-fix-reboot-hang.patch @@ -0,0 +1,73 @@ +From 64ccba2b2bf5ec7bd5336f1dcef5fb45d1acea06 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Oct 2019 14:40:33 -0300 +Subject: watchdog: imx7ulp: Fix reboot hang + +From: Fabio Estevam + +[ Upstream commit 6083ab7b2f3f25022e2e8f4c42f14a8521f47873 ] + +The following hang is observed when a 'reboot' command is issued: + +# reboot +# Stopping network: OK +Stopping klogd: OK +Stopping syslogd: OK +umount: devtmpfs busy - remounted read-only +[ 8.612079] EXT4-fs (mmcblk0p2): re-mounted. Opts: (null) +The system is going down NOW! +Sent SIGTERM to all processes +Sent SIGKILL to all processes +Requesting system reboot +[ 10.694753] reboot: Restarting system +[ 11.699008] Reboot failed -- System halted + +Fix this problem by adding a .restart ops member. + +Fixes: 41b630f41bf7 ("watchdog: Add i.MX7ULP watchdog support") +Signed-off-by: Fabio Estevam +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20191029174037.25381-1-festevam@gmail.com +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/imx7ulp_wdt.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/drivers/watchdog/imx7ulp_wdt.c b/drivers/watchdog/imx7ulp_wdt.c +index 5ce51026989a..ba5d535a6db2 100644 +--- a/drivers/watchdog/imx7ulp_wdt.c ++++ b/drivers/watchdog/imx7ulp_wdt.c +@@ -106,12 +106,28 @@ static int imx7ulp_wdt_set_timeout(struct watchdog_device *wdog, + return 0; + } + ++static int imx7ulp_wdt_restart(struct watchdog_device *wdog, ++ unsigned long action, void *data) ++{ ++ struct imx7ulp_wdt_device *wdt = watchdog_get_drvdata(wdog); ++ ++ imx7ulp_wdt_enable(wdt->base, true); ++ imx7ulp_wdt_set_timeout(&wdt->wdd, 1); ++ ++ /* wait for wdog to fire */ ++ while (true) ++ ; ++ ++ return NOTIFY_DONE; ++} ++ + static const struct watchdog_ops imx7ulp_wdt_ops = { + .owner = THIS_MODULE, + .start = imx7ulp_wdt_start, + .stop = imx7ulp_wdt_stop, + .ping = imx7ulp_wdt_ping, + .set_timeout = imx7ulp_wdt_set_timeout, ++ .restart = imx7ulp_wdt_restart, + }; + + static const struct watchdog_info imx7ulp_wdt_info = { +-- +2.20.1 + diff --git a/queue-5.4/watchdog-prevent-deferral-of-watchdogd-wakeup-on-rt.patch b/queue-5.4/watchdog-prevent-deferral-of-watchdogd-wakeup-on-rt.patch new file mode 100644 index 00000000000..1b069705a57 --- /dev/null +++ b/queue-5.4/watchdog-prevent-deferral-of-watchdogd-wakeup-on-rt.patch @@ -0,0 +1,92 @@ +From 1b2b866c3a782feb5c0a92193592043ad23f7ed0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Nov 2019 15:45:06 +0100 +Subject: watchdog: prevent deferral of watchdogd wakeup on RT + +From: Julia Cartwright + +[ Upstream commit a19f89335f4bda3d77d991c96583e3e51856acbb ] + +When PREEMPT_RT is enabled, all hrtimer expiry functions are +deferred for execution into the context of ksoftirqd unless otherwise +annotated. + +Deferring the expiry of the hrtimer used by the watchdog core, however, +is a waste, as the callback does nothing but queue a kthread work item +and wakeup watchdogd. + +It's worst then that, too: the deferral through ksoftirqd also means +that for correct behavior a user must adjust the scheduling parameters +of both watchdogd _and_ ksoftirqd, which is unnecessary and has other +side effects (like causing unrelated expiry functions to execute at +potentially elevated priority). + +Instead, mark the hrtimer used by the watchdog core as being _HARD to +allow it's execution directly from hardirq context. The work done in +this expiry function is well-bounded and minimal. + +A user still must adjust the scheduling parameters of the watchdogd +to be correct w.r.t. their application needs. + +Link: https://lkml.kernel.org/r/0e02d8327aeca344096c246713033887bc490dd7.1538089180.git.julia@ni.com +Cc: Guenter Roeck +Reported-and-tested-by: Steffen Trumtrar +Reported-by: Tim Sander +Signed-off-by: Julia Cartwright +Acked-by: Guenter Roeck +[bigeasy: use only HRTIMER_MODE_REL_HARD] +Signed-off-by: Sebastian Andrzej Siewior +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20191105144506.clyadjbvnn7b7b2m@linutronix.de +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/watchdog_dev.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/watchdog/watchdog_dev.c b/drivers/watchdog/watchdog_dev.c +index dbd2ad4c9294..d3acc0a7256c 100644 +--- a/drivers/watchdog/watchdog_dev.c ++++ b/drivers/watchdog/watchdog_dev.c +@@ -158,7 +158,8 @@ static inline void watchdog_update_worker(struct watchdog_device *wdd) + ktime_t t = watchdog_next_keepalive(wdd); + + if (t > 0) +- hrtimer_start(&wd_data->timer, t, HRTIMER_MODE_REL); ++ hrtimer_start(&wd_data->timer, t, ++ HRTIMER_MODE_REL_HARD); + } else { + hrtimer_cancel(&wd_data->timer); + } +@@ -177,7 +178,7 @@ static int __watchdog_ping(struct watchdog_device *wdd) + if (ktime_after(earliest_keepalive, now)) { + hrtimer_start(&wd_data->timer, + ktime_sub(earliest_keepalive, now), +- HRTIMER_MODE_REL); ++ HRTIMER_MODE_REL_HARD); + return 0; + } + +@@ -971,7 +972,7 @@ static int watchdog_cdev_register(struct watchdog_device *wdd, dev_t devno) + return -ENODEV; + + kthread_init_work(&wd_data->work, watchdog_ping_work); +- hrtimer_init(&wd_data->timer, CLOCK_MONOTONIC, HRTIMER_MODE_REL); ++ hrtimer_init(&wd_data->timer, CLOCK_MONOTONIC, HRTIMER_MODE_REL_HARD); + wd_data->timer.function = watchdog_timer_expired; + + if (wdd->id == 0) { +@@ -1019,7 +1020,8 @@ static int watchdog_cdev_register(struct watchdog_device *wdd, dev_t devno) + __module_get(wdd->ops->owner); + kref_get(&wd_data->kref); + if (handle_boot_enabled) +- hrtimer_start(&wd_data->timer, 0, HRTIMER_MODE_REL); ++ hrtimer_start(&wd_data->timer, 0, ++ HRTIMER_MODE_REL_HARD); + else + pr_info("watchdog%d running and kernel based pre-userspace handler disabled\n", + wdd->id); +-- +2.20.1 + -- 2.47.3