From 59d24dff7e65953220e375fbbd2989eddfc58ddc Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Thu, 13 Dec 2018 10:21:13 -0500 Subject: [PATCH] patches for 4.9 Signed-off-by: Sasha Levin --- ...cpd-somlv-fix-interrupt-on-mmc3_dat1.patch | 36 ++++ ...lta-fix-possible-use-of-uninitialize.patch | 40 ++++ ...x-fix-section-annotation-on-omap44xx.patch | 45 ++++ ...ulate-audio-map-forcely-when-card-in.patch | 57 +++++ ...l6040-fix-missing-audio-card-caused-.patch | 159 ++++++++++++++ ...dd-pm_qos-handling-to-avoid-overruns.patch | 63 ++++++ ...add-pm_qos-handling-to-avoid-under-o.patch | 127 +++++++++++ ...-allowed-specifiers-in-bpf_trace_pri.patch | 44 ++++ ...nfinite-loop-due-to-directory-rename.patch | 200 ++++++++++++++++++ ...age-leak-in-cachefiles_read_backing_.patch | 87 ++++++++ ...-avoid-recursive-calls-with-kmemleak.patch | 58 +++++ ...eading-monitor-edid-not-stable-issue.patch | 94 ++++++++ ...portfs-do-not-read-dentry-after-free.patch | 40 ++++ ...iles-remove-redundant-variable-cache.patch | 39 ++++ ...-between-enablement-and-dropping-of-.patch | 74 +++++++ .../hfs-do-not-free-node-before-using.patch | 49 +++++ ...fsplus-do-not-free-node-before-using.patch | 49 +++++ ...ina2xx-fix-current-value-calculation.patch | 39 ++++ ...5-temp4_type-has-writable-permission.patch | 35 +++ .../igb-fix-uninitialized-variables.patch | 32 +++ ...dst_notifier-earlier-than-ipv6_dev_n.patch | 57 +++++ ...nize-1000baselx-sfp-modules-as-1gbps.patch | 43 ++++ .../kvm-x86-fix-empty-body-warnings.patch | 43 ++++ ...ilicon-remove-unexpected-free_netdev.patch | 37 ++++ ...-null-pointer-dereference-in-nic_rem.patch | 82 +++++++ ...le-free-in-.cold-detection-error-pat.patch | 42 ++++ ...ault-in-.cold-detection-with-ffuncti.patch | 76 +++++++ ...adlock-caused-by-ocfs2_defrag_extent.patch | 147 +++++++++++++ .../ocfs2-fix-potential-use-after-free.patch | 47 ++++ ...nvert-console-write-to-use-write_buf.patch | 42 ++++ ...ix-fence-type-for-ib_wr_local_inv-wr.patch | 67 ++++++ ...ect-request-for-sampling-in-event-in.patch | 113 ++++++++++ ...ript-to-stress-test-nft-packet-path-.patch | 150 +++++++++++++ queue-4.9/series | 40 ++++ ...r-instead-of-0-in-__sysv_write_inode.patch | 39 ++++ ...-crashes-on-probe-error-and-module-r.patch | 114 ++++++++++ ...-fix-omap_udc_start-on-15xx-machines.patch | 41 ++++ ...-usb-gadget-functionality-on-palm-tu.patch | 32 +++ .../usb-omap_udc-use-devm_request_irq.patch | 102 +++++++++ ...x-fix-old-style-function-declaration.patch | 68 ++++++ ...dd-missing-header-to-fix-w-1-warning.patch | 37 ++++ 41 files changed, 2786 insertions(+) create mode 100644 queue-4.9/arm-dts-logicpd-somlv-fix-interrupt-on-mmc3_dat1.patch create mode 100644 queue-4.9/arm-omap1-ams-delta-fix-possible-use-of-uninitialize.patch create mode 100644 queue-4.9/arm-omap2-prm44xx-fix-section-annotation-on-omap44xx.patch create mode 100644 queue-4.9/asoc-dapm-recalculate-audio-map-forcely-when-card-in.patch create mode 100644 queue-4.9/asoc-omap-abe-twl6040-fix-missing-audio-card-caused-.patch create mode 100644 queue-4.9/asoc-omap-dmic-add-pm_qos-handling-to-avoid-overruns.patch create mode 100644 queue-4.9/asoc-omap-mcpdm-add-pm_qos-handling-to-avoid-under-o.patch create mode 100644 queue-4.9/bpf-fix-check-of-allowed-specifiers-in-bpf_trace_pri.patch create mode 100644 queue-4.9/btrfs-send-fix-infinite-loop-due-to-directory-rename.patch create mode 100644 queue-4.9/cachefiles-fix-page-leak-in-cachefiles_read_backing_.patch create mode 100644 queue-4.9/debugobjects-avoid-recursive-calls-with-kmemleak.patch create mode 100644 queue-4.9/drm-ast-fixed-reading-monitor-edid-not-stable-issue.patch create mode 100644 queue-4.9/exportfs-do-not-read-dentry-after-free.patch create mode 100644 queue-4.9/fscache-cachefiles-remove-redundant-variable-cache.patch create mode 100644 queue-4.9/fscache-fix-race-between-enablement-and-dropping-of-.patch create mode 100644 queue-4.9/hfs-do-not-free-node-before-using.patch create mode 100644 queue-4.9/hfsplus-do-not-free-node-before-using.patch create mode 100644 queue-4.9/hwmon-ina2xx-fix-current-value-calculation.patch create mode 100644 queue-4.9/hwmon-w83795-temp4_type-has-writable-permission.patch create mode 100644 queue-4.9/igb-fix-uninitialized-variables.patch create mode 100644 queue-4.9/ipvs-call-ip_vs_dst_notifier-earlier-than-ipv6_dev_n.patch create mode 100644 queue-4.9/ixgbe-recognize-1000baselx-sfp-modules-as-1gbps.patch create mode 100644 queue-4.9/kvm-x86-fix-empty-body-warnings.patch create mode 100644 queue-4.9/net-hisilicon-remove-unexpected-free_netdev.patch create mode 100644 queue-4.9/net-thunderx-fix-null-pointer-dereference-in-nic_rem.patch create mode 100644 queue-4.9/objtool-fix-double-free-in-.cold-detection-error-pat.patch create mode 100644 queue-4.9/objtool-fix-segfault-in-.cold-detection-with-ffuncti.patch create mode 100644 queue-4.9/ocfs2-fix-deadlock-caused-by-ocfs2_defrag_extent.patch create mode 100644 queue-4.9/ocfs2-fix-potential-use-after-free.patch create mode 100644 queue-4.9/pstore-convert-console-write-to-use-write_buf.patch create mode 100644 queue-4.9/rdma-mlx5-fix-fence-type-for-ib_wr_local_inv-wr.patch create mode 100644 queue-4.9/s390-cpum_cf-reject-request-for-sampling-in-event-in.patch create mode 100644 queue-4.9/selftests-add-script-to-stress-test-nft-packet-path-.patch create mode 100644 queue-4.9/sysv-return-err-instead-of-0-in-__sysv_write_inode.patch create mode 100644 queue-4.9/usb-omap_udc-fix-crashes-on-probe-error-and-module-r.patch create mode 100644 queue-4.9/usb-omap_udc-fix-omap_udc_start-on-15xx-machines.patch create mode 100644 queue-4.9/usb-omap_udc-fix-usb-gadget-functionality-on-palm-tu.patch create mode 100644 queue-4.9/usb-omap_udc-use-devm_request_irq.patch create mode 100644 queue-4.9/x86-kvm-vmx-fix-old-style-function-declaration.patch create mode 100644 queue-4.9/xen-xlate_mmu-add-missing-header-to-fix-w-1-warning.patch diff --git a/queue-4.9/arm-dts-logicpd-somlv-fix-interrupt-on-mmc3_dat1.patch b/queue-4.9/arm-dts-logicpd-somlv-fix-interrupt-on-mmc3_dat1.patch new file mode 100644 index 00000000000..34fe7ed33aa --- /dev/null +++ b/queue-4.9/arm-dts-logicpd-somlv-fix-interrupt-on-mmc3_dat1.patch @@ -0,0 +1,36 @@ +From ff07c06245cf5f1bb52297083cfbde649ff64485 Mon Sep 17 00:00:00 2001 +From: Adam Ford +Date: Sun, 28 Oct 2018 15:29:27 -0500 +Subject: ARM: dts: logicpd-somlv: Fix interrupt on mmc3_dat1 + +[ Upstream commit 3d8b804bc528d3720ec0c39c212af92dafaf6e84 ] + +The interrupt on mmc3_dat1 is wrong which prevents this from +appearing in /proc/interrupts. + +Fixes: ab8dd3aed011 ("ARM: DTS: Add minimal Support for Logic PD +DM3730 SOM-LV") #Kernel 4.9+ + +Signed-off-by: Adam Ford +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/logicpd-som-lv.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/logicpd-som-lv.dtsi b/arch/arm/boot/dts/logicpd-som-lv.dtsi +index e262fa9ef334..876ed5f2922c 100644 +--- a/arch/arm/boot/dts/logicpd-som-lv.dtsi ++++ b/arch/arm/boot/dts/logicpd-som-lv.dtsi +@@ -122,7 +122,7 @@ + }; + + &mmc3 { +- interrupts-extended = <&intc 94 &omap3_pmx_core2 0x46>; ++ interrupts-extended = <&intc 94 &omap3_pmx_core 0x136>; + pinctrl-0 = <&mmc3_pins &wl127x_gpio>; + pinctrl-names = "default"; + vmmc-supply = <&wl12xx_vmmc>; +-- +2.19.1 + diff --git a/queue-4.9/arm-omap1-ams-delta-fix-possible-use-of-uninitialize.patch b/queue-4.9/arm-omap1-ams-delta-fix-possible-use-of-uninitialize.patch new file mode 100644 index 00000000000..ef90b19d345 --- /dev/null +++ b/queue-4.9/arm-omap1-ams-delta-fix-possible-use-of-uninitialize.patch @@ -0,0 +1,40 @@ +From 4e8073cb4b28db7146b4f88f877aae0ec67991d0 Mon Sep 17 00:00:00 2001 +From: Janusz Krzysztofik +Date: Wed, 7 Nov 2018 22:30:31 +0100 +Subject: ARM: OMAP1: ams-delta: Fix possible use of uninitialized field + +[ Upstream commit cec83ff1241ec98113a19385ea9e9cfa9aa4125b ] + +While playing with initialization order of modem device, it has been +discovered that under some circumstances (early console init, I +believe) its .pm() callback may be called before the +uart_port->private_data pointer is initialized from +plat_serial8250_port->private_data, resulting in NULL pointer +dereference. Fix it by checking for uninitialized pointer before using +it in modem_pm(). + +Fixes: aabf31737a6a ("ARM: OMAP1: ams-delta: update the modem to use regulator API") +Signed-off-by: Janusz Krzysztofik +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/mach-omap1/board-ams-delta.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/arm/mach-omap1/board-ams-delta.c b/arch/arm/mach-omap1/board-ams-delta.c +index 6613a6ff5dbc..c4b634c54fbd 100644 +--- a/arch/arm/mach-omap1/board-ams-delta.c ++++ b/arch/arm/mach-omap1/board-ams-delta.c +@@ -511,6 +511,9 @@ static void modem_pm(struct uart_port *port, unsigned int state, unsigned old) + { + struct modem_private_data *priv = port->private_data; + ++ if (!priv) ++ return; ++ + if (IS_ERR(priv->regulator)) + return; + +-- +2.19.1 + diff --git a/queue-4.9/arm-omap2-prm44xx-fix-section-annotation-on-omap44xx.patch b/queue-4.9/arm-omap2-prm44xx-fix-section-annotation-on-omap44xx.patch new file mode 100644 index 00000000000..3b04b83a8b7 --- /dev/null +++ b/queue-4.9/arm-omap2-prm44xx-fix-section-annotation-on-omap44xx.patch @@ -0,0 +1,45 @@ +From 7610bf4fa9c1d0c1a2f6ef993b1550abc80aab09 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Wed, 17 Oct 2018 17:54:00 -0700 +Subject: ARM: OMAP2+: prm44xx: Fix section annotation on + omap44xx_prm_enable_io_wakeup + +[ Upstream commit eef3dc34a1e0b01d53328b88c25237bcc7323777 ] + +When building the kernel with Clang, the following section mismatch +warning appears: + +WARNING: vmlinux.o(.text+0x38b3c): Section mismatch in reference from +the function omap44xx_prm_late_init() to the function +.init.text:omap44xx_prm_enable_io_wakeup() +The function omap44xx_prm_late_init() references +the function __init omap44xx_prm_enable_io_wakeup(). +This is often because omap44xx_prm_late_init lacks a __init +annotation or the annotation of omap44xx_prm_enable_io_wakeup is wrong. + +Remove the __init annotation from omap44xx_prm_enable_io_wakeup so there +is no more mismatch. + +Signed-off-by: Nathan Chancellor +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/mach-omap2/prm44xx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/mach-omap2/prm44xx.c b/arch/arm/mach-omap2/prm44xx.c +index 30768003f854..8c505284bc0c 100644 +--- a/arch/arm/mach-omap2/prm44xx.c ++++ b/arch/arm/mach-omap2/prm44xx.c +@@ -344,7 +344,7 @@ static void omap44xx_prm_reconfigure_io_chain(void) + * to occur, WAKEUPENABLE bits must be set in the pad mux registers, and + * omap44xx_prm_reconfigure_io_chain() must be called. No return value. + */ +-static void __init omap44xx_prm_enable_io_wakeup(void) ++static void omap44xx_prm_enable_io_wakeup(void) + { + s32 inst = omap4_prmst_get_prm_dev_inst(); + +-- +2.19.1 + diff --git a/queue-4.9/asoc-dapm-recalculate-audio-map-forcely-when-card-in.patch b/queue-4.9/asoc-dapm-recalculate-audio-map-forcely-when-card-in.patch new file mode 100644 index 00000000000..3203ea54deb --- /dev/null +++ b/queue-4.9/asoc-dapm-recalculate-audio-map-forcely-when-card-in.patch @@ -0,0 +1,57 @@ +From c65fb8dc94c146e95d8f2fa63edc1a4f9d01fd4e Mon Sep 17 00:00:00 2001 +From: Tzung-Bi Shih +Date: Wed, 14 Nov 2018 17:06:13 +0800 +Subject: ASoC: dapm: Recalculate audio map forcely when card instantiated + +[ Upstream commit 882eab6c28d23a970ae73b7eb831b169a672d456 ] + +Audio map are possible in wrong state before card->instantiated has +been set to true. Imaging the following examples: + +time 1: at the beginning + + in:-1 in:-1 in:-1 in:-1 + out:-1 out:-1 out:-1 out:-1 + SIGGEN A B Spk + +time 2: after someone called snd_soc_dapm_new_widgets() +(e.g. create_fill_widget_route_map() in sound/soc/codecs/hdac_hdmi.c) + + in:1 in:0 in:0 in:0 + out:0 out:0 out:0 out:1 + SIGGEN A B Spk + +time 3: routes added + + in:1 in:0 in:0 in:0 + out:0 out:0 out:0 out:1 + SIGGEN -----> A -----> B ---> Spk + +In the end, the path should be powered on but it did not. At time 3, +"in" of SIGGEN and "out" of Spk did not propagate to their neighbors +because snd_soc_dapm_add_path() will not invalidate the paths if +the card has not instantiated (i.e. card->instantiated is false). +To correct the state of audio map, recalculate the whole map forcely. + +Signed-off-by: Tzung-Bi Shih +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c +index 4e3de566809c..168559b5e9f3 100644 +--- a/sound/soc/soc-core.c ++++ b/sound/soc/soc-core.c +@@ -2018,6 +2018,7 @@ static int snd_soc_instantiate_card(struct snd_soc_card *card) + } + + card->instantiated = 1; ++ dapm_mark_endpoints_dirty(card); + snd_soc_dapm_sync(&card->dapm); + mutex_unlock(&card->mutex); + mutex_unlock(&client_mutex); +-- +2.19.1 + diff --git a/queue-4.9/asoc-omap-abe-twl6040-fix-missing-audio-card-caused-.patch b/queue-4.9/asoc-omap-abe-twl6040-fix-missing-audio-card-caused-.patch new file mode 100644 index 00000000000..c43cbf82008 --- /dev/null +++ b/queue-4.9/asoc-omap-abe-twl6040-fix-missing-audio-card-caused-.patch @@ -0,0 +1,159 @@ +From d24a41764912ea9a45a4d49667d24486e694d753 Mon Sep 17 00:00:00 2001 +From: Peter Ujfalusi +Date: Wed, 14 Nov 2018 14:58:20 +0200 +Subject: ASoC: omap-abe-twl6040: Fix missing audio card caused by deferred + probing + +[ Upstream commit 76836fd354922ebe4798a64fda01f8dc6a8b0984 ] + +The machine driver fails to probe in next-20181113 with: + +[ 2.539093] omap-abe-twl6040 sound: ASoC: CODEC DAI twl6040-legacy not registered +[ 2.546630] omap-abe-twl6040 sound: devm_snd_soc_register_card() failed: -517 +... +[ 3.693206] omap-abe-twl6040 sound: ASoC: Both platform name/of_node are set for TWL6040 +[ 3.701446] omap-abe-twl6040 sound: ASoC: failed to init link TWL6040 +[ 3.708007] omap-abe-twl6040 sound: devm_snd_soc_register_card() failed: -22 +[ 3.715148] omap-abe-twl6040: probe of sound failed with error -22 + +Bisect pointed to a merge commit: +first bad commit: [0f688ab20a540aafa984c5dbd68a71debebf4d7f] Merge remote-tracking branch 'net-next/master' + +and a diff between a working kernel does not reveal anything which would +explain the change in behavior. + +Further investigation showed that on the second try of loading fails +because the dai_link->platform is no longer NULL and it might be pointing +to uninitialized memory. + +The fix is to move the snd_soc_dai_link and snd_soc_card inside of the +abe_twl6040 struct, which is dynamically allocated every time the driver +probes. + +Signed-off-by: Peter Ujfalusi +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/omap/omap-abe-twl6040.c | 67 +++++++++++++------------------ + 1 file changed, 29 insertions(+), 38 deletions(-) + +diff --git a/sound/soc/omap/omap-abe-twl6040.c b/sound/soc/omap/omap-abe-twl6040.c +index 89fe95e877db..07af30017b48 100644 +--- a/sound/soc/omap/omap-abe-twl6040.c ++++ b/sound/soc/omap/omap-abe-twl6040.c +@@ -36,6 +36,8 @@ + #include "../codecs/twl6040.h" + + struct abe_twl6040 { ++ struct snd_soc_card card; ++ struct snd_soc_dai_link dai_links[2]; + int jack_detection; /* board can detect jack events */ + int mclk_freq; /* MCLK frequency speed for twl6040 */ + }; +@@ -208,40 +210,10 @@ static int omap_abe_dmic_init(struct snd_soc_pcm_runtime *rtd) + ARRAY_SIZE(dmic_audio_map)); + } + +-/* Digital audio interface glue - connects codec <--> CPU */ +-static struct snd_soc_dai_link abe_twl6040_dai_links[] = { +- { +- .name = "TWL6040", +- .stream_name = "TWL6040", +- .codec_dai_name = "twl6040-legacy", +- .codec_name = "twl6040-codec", +- .init = omap_abe_twl6040_init, +- .ops = &omap_abe_ops, +- }, +- { +- .name = "DMIC", +- .stream_name = "DMIC Capture", +- .codec_dai_name = "dmic-hifi", +- .codec_name = "dmic-codec", +- .init = omap_abe_dmic_init, +- .ops = &omap_abe_dmic_ops, +- }, +-}; +- +-/* Audio machine driver */ +-static struct snd_soc_card omap_abe_card = { +- .owner = THIS_MODULE, +- +- .dapm_widgets = twl6040_dapm_widgets, +- .num_dapm_widgets = ARRAY_SIZE(twl6040_dapm_widgets), +- .dapm_routes = audio_map, +- .num_dapm_routes = ARRAY_SIZE(audio_map), +-}; +- + static int omap_abe_probe(struct platform_device *pdev) + { + struct device_node *node = pdev->dev.of_node; +- struct snd_soc_card *card = &omap_abe_card; ++ struct snd_soc_card *card; + struct device_node *dai_node; + struct abe_twl6040 *priv; + int num_links = 0; +@@ -252,12 +224,18 @@ static int omap_abe_probe(struct platform_device *pdev) + return -ENODEV; + } + +- card->dev = &pdev->dev; +- + priv = devm_kzalloc(&pdev->dev, sizeof(struct abe_twl6040), GFP_KERNEL); + if (priv == NULL) + return -ENOMEM; + ++ card = &priv->card; ++ card->dev = &pdev->dev; ++ card->owner = THIS_MODULE; ++ card->dapm_widgets = twl6040_dapm_widgets; ++ card->num_dapm_widgets = ARRAY_SIZE(twl6040_dapm_widgets); ++ card->dapm_routes = audio_map; ++ card->num_dapm_routes = ARRAY_SIZE(audio_map); ++ + if (snd_soc_of_parse_card_name(card, "ti,model")) { + dev_err(&pdev->dev, "Card name is not provided\n"); + return -ENODEV; +@@ -274,14 +252,27 @@ static int omap_abe_probe(struct platform_device *pdev) + dev_err(&pdev->dev, "McPDM node is not provided\n"); + return -EINVAL; + } +- abe_twl6040_dai_links[0].cpu_of_node = dai_node; +- abe_twl6040_dai_links[0].platform_of_node = dai_node; ++ ++ priv->dai_links[0].name = "DMIC"; ++ priv->dai_links[0].stream_name = "TWL6040"; ++ priv->dai_links[0].cpu_of_node = dai_node; ++ priv->dai_links[0].platform_of_node = dai_node; ++ priv->dai_links[0].codec_dai_name = "twl6040-legacy"; ++ priv->dai_links[0].codec_name = "twl6040-codec"; ++ priv->dai_links[0].init = omap_abe_twl6040_init; ++ priv->dai_links[0].ops = &omap_abe_ops; + + dai_node = of_parse_phandle(node, "ti,dmic", 0); + if (dai_node) { + num_links = 2; +- abe_twl6040_dai_links[1].cpu_of_node = dai_node; +- abe_twl6040_dai_links[1].platform_of_node = dai_node; ++ priv->dai_links[1].name = "TWL6040"; ++ priv->dai_links[1].stream_name = "DMIC Capture"; ++ priv->dai_links[1].cpu_of_node = dai_node; ++ priv->dai_links[1].platform_of_node = dai_node; ++ priv->dai_links[1].codec_dai_name = "dmic-hifi"; ++ priv->dai_links[1].codec_name = "dmic-codec"; ++ priv->dai_links[1].init = omap_abe_dmic_init; ++ priv->dai_links[1].ops = &omap_abe_dmic_ops; + } else { + num_links = 1; + } +@@ -300,7 +291,7 @@ static int omap_abe_probe(struct platform_device *pdev) + return -ENODEV; + } + +- card->dai_link = abe_twl6040_dai_links; ++ card->dai_link = priv->dai_links; + card->num_links = num_links; + + snd_soc_card_set_drvdata(card, priv); +-- +2.19.1 + diff --git a/queue-4.9/asoc-omap-dmic-add-pm_qos-handling-to-avoid-overruns.patch b/queue-4.9/asoc-omap-dmic-add-pm_qos-handling-to-avoid-overruns.patch new file mode 100644 index 00000000000..0e35201eab9 --- /dev/null +++ b/queue-4.9/asoc-omap-dmic-add-pm_qos-handling-to-avoid-overruns.patch @@ -0,0 +1,63 @@ +From ee26808b1fae2a1bebe2f2d78e272f25df3ad38a Mon Sep 17 00:00:00 2001 +From: Peter Ujfalusi +Date: Wed, 14 Nov 2018 13:06:23 +0200 +Subject: ASoC: omap-dmic: Add pm_qos handling to avoid overruns with CPU_IDLE + +[ Upstream commit ffdcc3638c58d55a6fa68b6e5dfd4fb4109652eb ] + +We need to block sleep states which would require longer time to leave than +the time the DMA must react to the DMA request in order to keep the FIFO +serviced without overrun. + +Signed-off-by: Peter Ujfalusi +Acked-by: Jarkko Nikula +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/omap/omap-dmic.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/sound/soc/omap/omap-dmic.c b/sound/soc/omap/omap-dmic.c +index 09db2aec12a3..776e809a8aab 100644 +--- a/sound/soc/omap/omap-dmic.c ++++ b/sound/soc/omap/omap-dmic.c +@@ -48,6 +48,8 @@ struct omap_dmic { + struct device *dev; + void __iomem *io_base; + struct clk *fclk; ++ struct pm_qos_request pm_qos_req; ++ int latency; + int fclk_freq; + int out_freq; + int clk_div; +@@ -124,6 +126,8 @@ static void omap_dmic_dai_shutdown(struct snd_pcm_substream *substream, + + mutex_lock(&dmic->mutex); + ++ pm_qos_remove_request(&dmic->pm_qos_req); ++ + if (!dai->active) + dmic->active = 0; + +@@ -226,6 +230,8 @@ static int omap_dmic_dai_hw_params(struct snd_pcm_substream *substream, + /* packet size is threshold * channels */ + dma_data = snd_soc_dai_get_dma_data(dai, substream); + dma_data->maxburst = dmic->threshold * channels; ++ dmic->latency = (OMAP_DMIC_THRES_MAX - dmic->threshold) * USEC_PER_SEC / ++ params_rate(params); + + return 0; + } +@@ -236,6 +242,9 @@ static int omap_dmic_dai_prepare(struct snd_pcm_substream *substream, + struct omap_dmic *dmic = snd_soc_dai_get_drvdata(dai); + u32 ctrl; + ++ if (pm_qos_request_active(&dmic->pm_qos_req)) ++ pm_qos_update_request(&dmic->pm_qos_req, dmic->latency); ++ + /* Configure uplink threshold */ + omap_dmic_write(dmic, OMAP_DMIC_FIFO_CTRL_REG, dmic->threshold); + +-- +2.19.1 + diff --git a/queue-4.9/asoc-omap-mcpdm-add-pm_qos-handling-to-avoid-under-o.patch b/queue-4.9/asoc-omap-mcpdm-add-pm_qos-handling-to-avoid-under-o.patch new file mode 100644 index 00000000000..613fe130fc2 --- /dev/null +++ b/queue-4.9/asoc-omap-mcpdm-add-pm_qos-handling-to-avoid-under-o.patch @@ -0,0 +1,127 @@ +From 9b897f00c1c5cb88bde1c4cca82aeec060517bc1 Mon Sep 17 00:00:00 2001 +From: Peter Ujfalusi +Date: Wed, 14 Nov 2018 13:06:22 +0200 +Subject: ASoC: omap-mcpdm: Add pm_qos handling to avoid under/overruns with + CPU_IDLE + +[ Upstream commit 373a500e34aea97971c9d71e45edad458d3da98f ] + +We need to block sleep states which would require longer time to leave than +the time the DMA must react to the DMA request in order to keep the FIFO +serviced without under of overrun. + +Signed-off-by: Peter Ujfalusi +Acked-by: Jarkko Nikula +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/omap/omap-mcpdm.c | 43 ++++++++++++++++++++++++++++++++++++- + 1 file changed, 42 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/omap/omap-mcpdm.c b/sound/soc/omap/omap-mcpdm.c +index 64609c77a79d..44ffeb71cd1d 100644 +--- a/sound/soc/omap/omap-mcpdm.c ++++ b/sound/soc/omap/omap-mcpdm.c +@@ -54,6 +54,8 @@ struct omap_mcpdm { + unsigned long phys_base; + void __iomem *io_base; + int irq; ++ struct pm_qos_request pm_qos_req; ++ int latency[2]; + + struct mutex mutex; + +@@ -277,6 +279,9 @@ static void omap_mcpdm_dai_shutdown(struct snd_pcm_substream *substream, + struct snd_soc_dai *dai) + { + struct omap_mcpdm *mcpdm = snd_soc_dai_get_drvdata(dai); ++ int tx = (substream->stream == SNDRV_PCM_STREAM_PLAYBACK); ++ int stream1 = tx ? SNDRV_PCM_STREAM_PLAYBACK : SNDRV_PCM_STREAM_CAPTURE; ++ int stream2 = tx ? SNDRV_PCM_STREAM_CAPTURE : SNDRV_PCM_STREAM_PLAYBACK; + + mutex_lock(&mcpdm->mutex); + +@@ -289,6 +294,14 @@ static void omap_mcpdm_dai_shutdown(struct snd_pcm_substream *substream, + } + } + ++ if (mcpdm->latency[stream2]) ++ pm_qos_update_request(&mcpdm->pm_qos_req, ++ mcpdm->latency[stream2]); ++ else if (mcpdm->latency[stream1]) ++ pm_qos_remove_request(&mcpdm->pm_qos_req); ++ ++ mcpdm->latency[stream1] = 0; ++ + mutex_unlock(&mcpdm->mutex); + } + +@@ -300,7 +313,7 @@ static int omap_mcpdm_dai_hw_params(struct snd_pcm_substream *substream, + int stream = substream->stream; + struct snd_dmaengine_dai_dma_data *dma_data; + u32 threshold; +- int channels; ++ int channels, latency; + int link_mask = 0; + + channels = params_channels(params); +@@ -340,14 +353,25 @@ static int omap_mcpdm_dai_hw_params(struct snd_pcm_substream *substream, + + dma_data->maxburst = + (MCPDM_DN_THRES_MAX - threshold) * channels; ++ latency = threshold; + } else { + /* If playback is not running assume a stereo stream to come */ + if (!mcpdm->config[!stream].link_mask) + mcpdm->config[!stream].link_mask = (0x3 << 3); + + dma_data->maxburst = threshold * channels; ++ latency = (MCPDM_DN_THRES_MAX - threshold); + } + ++ /* ++ * The DMA must act to a DMA request within latency time (usec) to avoid ++ * under/overflow ++ */ ++ mcpdm->latency[stream] = latency * USEC_PER_SEC / params_rate(params); ++ ++ if (!mcpdm->latency[stream]) ++ mcpdm->latency[stream] = 10; ++ + /* Check if we need to restart McPDM with this stream */ + if (mcpdm->config[stream].link_mask && + mcpdm->config[stream].link_mask != link_mask) +@@ -362,6 +386,20 @@ static int omap_mcpdm_prepare(struct snd_pcm_substream *substream, + struct snd_soc_dai *dai) + { + struct omap_mcpdm *mcpdm = snd_soc_dai_get_drvdata(dai); ++ struct pm_qos_request *pm_qos_req = &mcpdm->pm_qos_req; ++ int tx = (substream->stream == SNDRV_PCM_STREAM_PLAYBACK); ++ int stream1 = tx ? SNDRV_PCM_STREAM_PLAYBACK : SNDRV_PCM_STREAM_CAPTURE; ++ int stream2 = tx ? SNDRV_PCM_STREAM_CAPTURE : SNDRV_PCM_STREAM_PLAYBACK; ++ int latency = mcpdm->latency[stream2]; ++ ++ /* Prevent omap hardware from hitting off between FIFO fills */ ++ if (!latency || mcpdm->latency[stream1] < latency) ++ latency = mcpdm->latency[stream1]; ++ ++ if (pm_qos_request_active(pm_qos_req)) ++ pm_qos_update_request(pm_qos_req, latency); ++ else if (latency) ++ pm_qos_add_request(pm_qos_req, PM_QOS_CPU_DMA_LATENCY, latency); + + if (!omap_mcpdm_active(mcpdm)) { + omap_mcpdm_start(mcpdm); +@@ -423,6 +461,9 @@ static int omap_mcpdm_remove(struct snd_soc_dai *dai) + free_irq(mcpdm->irq, (void *)mcpdm); + pm_runtime_disable(mcpdm->dev); + ++ if (pm_qos_request_active(&mcpdm->pm_qos_req)) ++ pm_qos_remove_request(&mcpdm->pm_qos_req); ++ + return 0; + } + +-- +2.19.1 + diff --git a/queue-4.9/bpf-fix-check-of-allowed-specifiers-in-bpf_trace_pri.patch b/queue-4.9/bpf-fix-check-of-allowed-specifiers-in-bpf_trace_pri.patch new file mode 100644 index 00000000000..374365f6e68 --- /dev/null +++ b/queue-4.9/bpf-fix-check-of-allowed-specifiers-in-bpf_trace_pri.patch @@ -0,0 +1,44 @@ +From 97f2d10ac553c0653190711ff64348308c55fb10 Mon Sep 17 00:00:00 2001 +From: Martynas Pumputis +Date: Fri, 23 Nov 2018 17:43:26 +0100 +Subject: bpf: fix check of allowed specifiers in bpf_trace_printk + +[ Upstream commit 1efb6ee3edea57f57f9fb05dba8dcb3f7333f61f ] + +A format string consisting of "%p" or "%s" followed by an invalid +specifier (e.g. "%p%\n" or "%s%") could pass the check which +would make format_decode (lib/vsprintf.c) to warn. + +Fixes: 9c959c863f82 ("tracing: Allow BPF programs to call bpf_trace_printk()") +Reported-by: syzbot+1ec5c5ec949c4adaa0c4@syzkaller.appspotmail.com +Signed-off-by: Martynas Pumputis +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + kernel/trace/bpf_trace.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c +index 41805fb3c661..7cc06f267be5 100644 +--- a/kernel/trace/bpf_trace.c ++++ b/kernel/trace/bpf_trace.c +@@ -161,11 +161,13 @@ BPF_CALL_5(bpf_trace_printk, char *, fmt, u32, fmt_size, u64, arg1, + i++; + } else if (fmt[i] == 'p' || fmt[i] == 's') { + mod[fmt_cnt]++; +- i++; +- if (!isspace(fmt[i]) && !ispunct(fmt[i]) && fmt[i] != 0) ++ /* disallow any further format extensions */ ++ if (fmt[i + 1] != 0 && ++ !isspace(fmt[i + 1]) && ++ !ispunct(fmt[i + 1])) + return -EINVAL; + fmt_cnt++; +- if (fmt[i - 1] == 's') { ++ if (fmt[i] == 's') { + if (str_seen) + /* allow only one '%s' per fmt string */ + return -EINVAL; +-- +2.19.1 + diff --git a/queue-4.9/btrfs-send-fix-infinite-loop-due-to-directory-rename.patch b/queue-4.9/btrfs-send-fix-infinite-loop-due-to-directory-rename.patch new file mode 100644 index 00000000000..31e1683ccc3 --- /dev/null +++ b/queue-4.9/btrfs-send-fix-infinite-loop-due-to-directory-rename.patch @@ -0,0 +1,200 @@ +From 85ff69fb231aef87cacda61e9f7beb8c123f25f9 Mon Sep 17 00:00:00 2001 +From: Robbie Ko +Date: Wed, 14 Nov 2018 18:32:37 +0000 +Subject: Btrfs: send, fix infinite loop due to directory rename dependencies + +[ Upstream commit a4390aee72713d9e73f1132bcdeb17d72fbbf974 ] + +When doing an incremental send, due to the need of delaying directory move +(rename) operations we can end up in infinite loop at +apply_children_dir_moves(). + +An example scenario that triggers this problem is described below, where +directory names correspond to the numbers of their respective inodes. + +Parent snapshot: + + . + |--- 261/ + |--- 271/ + |--- 266/ + |--- 259/ + |--- 260/ + | |--- 267 + | + |--- 264/ + | |--- 258/ + | |--- 257/ + | + |--- 265/ + |--- 268/ + |--- 269/ + | |--- 262/ + | + |--- 270/ + |--- 272/ + | |--- 263/ + | |--- 275/ + | + |--- 274/ + |--- 273/ + +Send snapshot: + + . + |-- 275/ + |-- 274/ + |-- 273/ + |-- 262/ + |-- 269/ + |-- 258/ + |-- 271/ + |-- 268/ + |-- 267/ + |-- 270/ + |-- 259/ + | |-- 265/ + | + |-- 272/ + |-- 257/ + |-- 260/ + |-- 264/ + |-- 263/ + |-- 261/ + |-- 266/ + +When processing inode 257 we delay its move (rename) operation because its +new parent in the send snapshot, inode 272, was not yet processed. Then +when processing inode 272, we delay the move operation for that inode +because inode 274 is its ancestor in the send snapshot. Finally we delay +the move operation for inode 274 when processing it because inode 275 is +its new parent in the send snapshot and was not yet moved. + +When finishing processing inode 275, we start to do the move operations +that were previously delayed (at apply_children_dir_moves()), resulting in +the following iterations: + +1) We issue the move operation for inode 274; + +2) Because inode 262 depended on the move operation of inode 274 (it was + delayed because 274 is its ancestor in the send snapshot), we issue the + move operation for inode 262; + +3) We issue the move operation for inode 272, because it was delayed by + inode 274 too (ancestor of 272 in the send snapshot); + +4) We issue the move operation for inode 269 (it was delayed by 262); + +5) We issue the move operation for inode 257 (it was delayed by 272); + +6) We issue the move operation for inode 260 (it was delayed by 272); + +7) We issue the move operation for inode 258 (it was delayed by 269); + +8) We issue the move operation for inode 264 (it was delayed by 257); + +9) We issue the move operation for inode 271 (it was delayed by 258); + +10) We issue the move operation for inode 263 (it was delayed by 264); + +11) We issue the move operation for inode 268 (it was delayed by 271); + +12) We verify if we can issue the move operation for inode 270 (it was + delayed by 271). We detect a path loop in the current state, because + inode 267 needs to be moved first before we can issue the move + operation for inode 270. So we delay again the move operation for + inode 270, this time we will attempt to do it after inode 267 is + moved; + +13) We issue the move operation for inode 261 (it was delayed by 263); + +14) We verify if we can issue the move operation for inode 266 (it was + delayed by 263). We detect a path loop in the current state, because + inode 270 needs to be moved first before we can issue the move + operation for inode 266. So we delay again the move operation for + inode 266, this time we will attempt to do it after inode 270 is + moved (its move operation was delayed in step 12); + +15) We issue the move operation for inode 267 (it was delayed by 268); + +16) We verify if we can issue the move operation for inode 266 (it was + delayed by 270). We detect a path loop in the current state, because + inode 270 needs to be moved first before we can issue the move + operation for inode 266. So we delay again the move operation for + inode 266, this time we will attempt to do it after inode 270 is + moved (its move operation was delayed in step 12). So here we added + again the same delayed move operation that we added in step 14; + +17) We attempt again to see if we can issue the move operation for inode + 266, and as in step 16, we realize we can not due to a path loop in + the current state due to a dependency on inode 270. Again we delay + inode's 266 rename to happen after inode's 270 move operation, adding + the same dependency to the empty stack that we did in steps 14 and 16. + The next iteration will pick the same move dependency on the stack + (the only entry) and realize again there is still a path loop and then + again the same dependency to the stack, over and over, resulting in + an infinite loop. + +So fix this by preventing adding the same move dependency entries to the +stack by removing each pending move record from the red black tree of +pending moves. This way the next call to get_pending_dir_moves() will +not return anything for the current parent inode. + +A test case for fstests, with this reproducer, follows soon. + +Signed-off-by: Robbie Ko +Reviewed-by: Filipe Manana +[Wrote changelog with example and more clear explanation] +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/send.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c +index 79dc3ee1de58..a45f26ac5da7 100644 +--- a/fs/btrfs/send.c ++++ b/fs/btrfs/send.c +@@ -3349,7 +3349,8 @@ static void free_pending_move(struct send_ctx *sctx, struct pending_dir_move *m) + kfree(m); + } + +-static void tail_append_pending_moves(struct pending_dir_move *moves, ++static void tail_append_pending_moves(struct send_ctx *sctx, ++ struct pending_dir_move *moves, + struct list_head *stack) + { + if (list_empty(&moves->list)) { +@@ -3360,6 +3361,10 @@ static void tail_append_pending_moves(struct pending_dir_move *moves, + list_add_tail(&moves->list, stack); + list_splice_tail(&list, stack); + } ++ if (!RB_EMPTY_NODE(&moves->node)) { ++ rb_erase(&moves->node, &sctx->pending_dir_moves); ++ RB_CLEAR_NODE(&moves->node); ++ } + } + + static int apply_children_dir_moves(struct send_ctx *sctx) +@@ -3374,7 +3379,7 @@ static int apply_children_dir_moves(struct send_ctx *sctx) + return 0; + + INIT_LIST_HEAD(&stack); +- tail_append_pending_moves(pm, &stack); ++ tail_append_pending_moves(sctx, pm, &stack); + + while (!list_empty(&stack)) { + pm = list_first_entry(&stack, struct pending_dir_move, list); +@@ -3385,7 +3390,7 @@ static int apply_children_dir_moves(struct send_ctx *sctx) + goto out; + pm = get_pending_dir_moves(sctx, parent_ino); + if (pm) +- tail_append_pending_moves(pm, &stack); ++ tail_append_pending_moves(sctx, pm, &stack); + } + return 0; + +-- +2.19.1 + diff --git a/queue-4.9/cachefiles-fix-page-leak-in-cachefiles_read_backing_.patch b/queue-4.9/cachefiles-fix-page-leak-in-cachefiles_read_backing_.patch new file mode 100644 index 00000000000..31b35ff4f6c --- /dev/null +++ b/queue-4.9/cachefiles-fix-page-leak-in-cachefiles_read_backing_.patch @@ -0,0 +1,87 @@ +From 14849ad2414c5ae90db1a06d7b15892811c31c01 Mon Sep 17 00:00:00 2001 +From: Kiran Kumar Modukuri +Date: Mon, 24 Sep 2018 12:02:39 +1000 +Subject: cachefiles: Fix page leak in cachefiles_read_backing_file while + vmscan is active + +[ Upstream commit 9a24ce5b66f9c8190d63b15f4473600db4935f1f ] + +[Description] + +In a heavily loaded system where the system pagecache is nearing memory +limits and fscache is enabled, pages can be leaked by fscache while trying +read pages from cachefiles backend. This can happen because two +applications can be reading same page from a single mount, two threads can +be trying to read the backing page at same time. This results in one of +the threads finding that a page for the backing file or netfs file is +already in the radix tree. During the error handling cachefiles does not +clean up the reference on backing page, leading to page leak. + +[Fix] +The fix is straightforward, to decrement the reference when error is +encountered. + + [dhowells: Note that I've removed the clearance and put of newpage as + they aren't attested in the commit message and don't appear to actually + achieve anything since a new page is only allocated is newpage!=NULL and + any residual new page is cleared before returning.] + +[Testing] +I have tested the fix using following method for 12+ hrs. + +1) mkdir -p /mnt/nfs ; mount -o vers=3,fsc :/export /mnt/nfs +2) create 10000 files of 2.8MB in a NFS mount. +3) start a thread to simulate heavy VM presssure + (while true ; do echo 3 > /proc/sys/vm/drop_caches ; sleep 1 ; done)& +4) start multiple parallel reader for data set at same time + find /mnt/nfs -type f | xargs -P 80 cat > /dev/null & + find /mnt/nfs -type f | xargs -P 80 cat > /dev/null & + find /mnt/nfs -type f | xargs -P 80 cat > /dev/null & + .. + .. + find /mnt/nfs -type f | xargs -P 80 cat > /dev/null & + find /mnt/nfs -type f | xargs -P 80 cat > /dev/null & +5) finally check using cat /proc/fs/fscache/stats | grep -i pages ; + free -h , cat /proc/meminfo and page-types -r -b lru + to ensure all pages are freed. + +Reviewed-by: Daniel Axtens +Signed-off-by: Shantanu Goel +Signed-off-by: Kiran Kumar Modukuri +[dja: forward ported to current upstream] +Signed-off-by: Daniel Axtens +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +--- + fs/cachefiles/rdwr.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/fs/cachefiles/rdwr.c b/fs/cachefiles/rdwr.c +index 5e3bc9de7a16..8d43306c038b 100644 +--- a/fs/cachefiles/rdwr.c ++++ b/fs/cachefiles/rdwr.c +@@ -537,7 +537,10 @@ static int cachefiles_read_backing_file(struct cachefiles_object *object, + netpage->index, cachefiles_gfp); + if (ret < 0) { + if (ret == -EEXIST) { ++ put_page(backpage); ++ backpage = NULL; + put_page(netpage); ++ netpage = NULL; + fscache_retrieval_complete(op, 1); + continue; + } +@@ -610,7 +613,10 @@ static int cachefiles_read_backing_file(struct cachefiles_object *object, + netpage->index, cachefiles_gfp); + if (ret < 0) { + if (ret == -EEXIST) { ++ put_page(backpage); ++ backpage = NULL; + put_page(netpage); ++ netpage = NULL; + fscache_retrieval_complete(op, 1); + continue; + } +-- +2.19.1 + diff --git a/queue-4.9/debugobjects-avoid-recursive-calls-with-kmemleak.patch b/queue-4.9/debugobjects-avoid-recursive-calls-with-kmemleak.patch new file mode 100644 index 00000000000..ec0271f3c63 --- /dev/null +++ b/queue-4.9/debugobjects-avoid-recursive-calls-with-kmemleak.patch @@ -0,0 +1,58 @@ +From 8669323839ae5501dcad5363851e70960c21adc0 Mon Sep 17 00:00:00 2001 +From: Qian Cai +Date: Fri, 30 Nov 2018 14:09:48 -0800 +Subject: debugobjects: avoid recursive calls with kmemleak + +[ Upstream commit 8de456cf87ba863e028c4dd01bae44255ce3d835 ] + +CONFIG_DEBUG_OBJECTS_RCU_HEAD does not play well with kmemleak due to +recursive calls. + +fill_pool + kmemleak_ignore + make_black_object + put_object + __call_rcu (kernel/rcu/tree.c) + debug_rcu_head_queue + debug_object_activate + debug_object_init + fill_pool + kmemleak_ignore + make_black_object + ... + +So add SLAB_NOLEAKTRACE to kmem_cache_create() to not register newly +allocated debug objects at all. + +Link: http://lkml.kernel.org/r/20181126165343.2339-1-cai@gmx.us +Signed-off-by: Qian Cai +Suggested-by: Catalin Marinas +Acked-by: Waiman Long +Acked-by: Catalin Marinas +Cc: Thomas Gleixner +Cc: Yang Shi +Cc: Arnd Bergmann +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + lib/debugobjects.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/lib/debugobjects.c b/lib/debugobjects.c +index 88580e8ee39e..1c43d4c5d2ab 100644 +--- a/lib/debugobjects.c ++++ b/lib/debugobjects.c +@@ -1110,7 +1110,8 @@ void __init debug_objects_mem_init(void) + + obj_cache = kmem_cache_create("debug_objects_cache", + sizeof (struct debug_obj), 0, +- SLAB_DEBUG_OBJECTS, NULL); ++ SLAB_DEBUG_OBJECTS | SLAB_NOLEAKTRACE, ++ NULL); + + if (!obj_cache || debug_objects_replace_static_objects()) { + debug_objects_enabled = 0; +-- +2.19.1 + diff --git a/queue-4.9/drm-ast-fixed-reading-monitor-edid-not-stable-issue.patch b/queue-4.9/drm-ast-fixed-reading-monitor-edid-not-stable-issue.patch new file mode 100644 index 00000000000..f29c3b890d0 --- /dev/null +++ b/queue-4.9/drm-ast-fixed-reading-monitor-edid-not-stable-issue.patch @@ -0,0 +1,94 @@ +From 924770877b5ec2917e3e3bcce1d3a8a1c20238b3 Mon Sep 17 00:00:00 2001 +From: "Y.C. Chen" +Date: Thu, 22 Nov 2018 11:56:28 +0800 +Subject: drm/ast: fixed reading monitor EDID not stable issue + +[ Upstream commit 300625620314194d9e6d4f6dda71f2dc9cf62d9f ] + +v1: over-sample data to increase the stability with some specific monitors +v2: refine to avoid infinite loop +v3: remove un-necessary "volatile" declaration + +[airlied: fix two checkpatch warnings] + +Signed-off-by: Y.C. Chen +Signed-off-by: Dave Airlie +Link: https://patchwork.freedesktop.org/patch/msgid/1542858988-1127-1-git-send-email-yc_chen@aspeedtech.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/ast/ast_mode.c | 36 ++++++++++++++++++++++++++++------ + 1 file changed, 30 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/ast/ast_mode.c b/drivers/gpu/drm/ast/ast_mode.c +index 57205016b04a..201874b96dd6 100644 +--- a/drivers/gpu/drm/ast/ast_mode.c ++++ b/drivers/gpu/drm/ast/ast_mode.c +@@ -954,9 +954,21 @@ static int get_clock(void *i2c_priv) + { + struct ast_i2c_chan *i2c = i2c_priv; + struct ast_private *ast = i2c->dev->dev_private; +- uint32_t val; ++ uint32_t val, val2, count, pass; ++ ++ count = 0; ++ pass = 0; ++ val = (ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x10) >> 4) & 0x01; ++ do { ++ val2 = (ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x10) >> 4) & 0x01; ++ if (val == val2) { ++ pass++; ++ } else { ++ pass = 0; ++ val = (ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x10) >> 4) & 0x01; ++ } ++ } while ((pass < 5) && (count++ < 0x10000)); + +- val = ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x10) >> 4; + return val & 1 ? 1 : 0; + } + +@@ -964,9 +976,21 @@ static int get_data(void *i2c_priv) + { + struct ast_i2c_chan *i2c = i2c_priv; + struct ast_private *ast = i2c->dev->dev_private; +- uint32_t val; ++ uint32_t val, val2, count, pass; ++ ++ count = 0; ++ pass = 0; ++ val = (ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x20) >> 5) & 0x01; ++ do { ++ val2 = (ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x20) >> 5) & 0x01; ++ if (val == val2) { ++ pass++; ++ } else { ++ pass = 0; ++ val = (ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x20) >> 5) & 0x01; ++ } ++ } while ((pass < 5) && (count++ < 0x10000)); + +- val = ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x20) >> 5; + return val & 1 ? 1 : 0; + } + +@@ -979,7 +1003,7 @@ static void set_clock(void *i2c_priv, int clock) + + for (i = 0; i < 0x10000; i++) { + ujcrb7 = ((clock & 0x01) ? 0 : 1); +- ast_set_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0xfe, ujcrb7); ++ ast_set_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0xf4, ujcrb7); + jtemp = ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x01); + if (ujcrb7 == jtemp) + break; +@@ -995,7 +1019,7 @@ static void set_data(void *i2c_priv, int data) + + for (i = 0; i < 0x10000; i++) { + ujcrb7 = ((data & 0x01) ? 0 : 1) << 2; +- ast_set_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0xfb, ujcrb7); ++ ast_set_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0xf1, ujcrb7); + jtemp = ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xb7, 0x04); + if (ujcrb7 == jtemp) + break; +-- +2.19.1 + diff --git a/queue-4.9/exportfs-do-not-read-dentry-after-free.patch b/queue-4.9/exportfs-do-not-read-dentry-after-free.patch new file mode 100644 index 00000000000..b8fda8bbcc9 --- /dev/null +++ b/queue-4.9/exportfs-do-not-read-dentry-after-free.patch @@ -0,0 +1,40 @@ +From 950e51a9e1b7422e5d1567f3424dd547d81f4a3e Mon Sep 17 00:00:00 2001 +From: Pan Bian +Date: Fri, 23 Nov 2018 15:56:33 +0800 +Subject: exportfs: do not read dentry after free + +[ Upstream commit 2084ac6c505a58f7efdec13eba633c6aaa085ca5 ] + +The function dentry_connected calls dput(dentry) to drop the previously +acquired reference to dentry. In this case, dentry can be released. +After that, IS_ROOT(dentry) checks the condition +(dentry == dentry->d_parent), which may result in a use-after-free bug. +This patch directly compares dentry with its parent obtained before +dropping the reference. + +Fixes: a056cc8934c("exportfs: stop retrying once we race with +rename/remove") + +Signed-off-by: Pan Bian +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + fs/exportfs/expfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/exportfs/expfs.c b/fs/exportfs/expfs.c +index a4b531be9168..7a7bba7c2328 100644 +--- a/fs/exportfs/expfs.c ++++ b/fs/exportfs/expfs.c +@@ -76,7 +76,7 @@ static bool dentry_connected(struct dentry *dentry) + struct dentry *parent = dget_parent(dentry); + + dput(dentry); +- if (IS_ROOT(dentry)) { ++ if (dentry == parent) { + dput(parent); + return false; + } +-- +2.19.1 + diff --git a/queue-4.9/fscache-cachefiles-remove-redundant-variable-cache.patch b/queue-4.9/fscache-cachefiles-remove-redundant-variable-cache.patch new file mode 100644 index 00000000000..4fd48dd83e2 --- /dev/null +++ b/queue-4.9/fscache-cachefiles-remove-redundant-variable-cache.patch @@ -0,0 +1,39 @@ +From 5e010d140f9dd87d399a995b2100aecb033b45f3 Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Tue, 17 Jul 2018 09:53:42 +0100 +Subject: fscache, cachefiles: remove redundant variable 'cache' + +[ Upstream commit 31ffa563833576bd49a8bf53120568312755e6e2 ] + +Variable 'cache' is being assigned but is never used hence it is +redundant and can be removed. + +Cleans up clang warning: +warning: variable 'cache' set but not used [-Wunused-but-set-variable] + +Signed-off-by: Colin Ian King +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +--- + fs/cachefiles/rdwr.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/fs/cachefiles/rdwr.c b/fs/cachefiles/rdwr.c +index 8d43306c038b..799b59d96fe2 100644 +--- a/fs/cachefiles/rdwr.c ++++ b/fs/cachefiles/rdwr.c +@@ -969,11 +969,8 @@ int cachefiles_write_page(struct fscache_storage *op, struct page *page) + void cachefiles_uncache_page(struct fscache_object *_object, struct page *page) + { + struct cachefiles_object *object; +- struct cachefiles_cache *cache; + + object = container_of(_object, struct cachefiles_object, fscache); +- cache = container_of(object->fscache.cache, +- struct cachefiles_cache, cache); + + _enter("%p,{%lu}", object, page->index); + +-- +2.19.1 + diff --git a/queue-4.9/fscache-fix-race-between-enablement-and-dropping-of-.patch b/queue-4.9/fscache-fix-race-between-enablement-and-dropping-of-.patch new file mode 100644 index 00000000000..cdf24d445e6 --- /dev/null +++ b/queue-4.9/fscache-fix-race-between-enablement-and-dropping-of-.patch @@ -0,0 +1,74 @@ +From a13e0b8a52e6eeff44a24ac089fba662fb210d24 Mon Sep 17 00:00:00 2001 +From: NeilBrown +Date: Fri, 26 Oct 2018 17:16:29 +1100 +Subject: fscache: fix race between enablement and dropping of object + +[ Upstream commit c5a94f434c82529afda290df3235e4d85873c5b4 ] + +It was observed that a process blocked indefintely in +__fscache_read_or_alloc_page(), waiting for FSCACHE_COOKIE_LOOKING_UP +to be cleared via fscache_wait_for_deferred_lookup(). + +At this time, ->backing_objects was empty, which would normaly prevent +__fscache_read_or_alloc_page() from getting to the point of waiting. +This implies that ->backing_objects was cleared *after* +__fscache_read_or_alloc_page was was entered. + +When an object is "killed" and then "dropped", +FSCACHE_COOKIE_LOOKING_UP is cleared in fscache_lookup_failure(), then +KILL_OBJECT and DROP_OBJECT are "called" and only in DROP_OBJECT is +->backing_objects cleared. This leaves a window where +something else can set FSCACHE_COOKIE_LOOKING_UP and +__fscache_read_or_alloc_page() can start waiting, before +->backing_objects is cleared + +There is some uncertainty in this analysis, but it seems to be fit the +observations. Adding the wake in this patch will be handled correctly +by __fscache_read_or_alloc_page(), as it checks if ->backing_objects +is empty again, after waiting. + +Customer which reported the hang, also report that the hang cannot be +reproduced with this fix. + +The backtrace for the blocked process looked like: + +PID: 29360 TASK: ffff881ff2ac0f80 CPU: 3 COMMAND: "zsh" + #0 [ffff881ff43efbf8] schedule at ffffffff815e56f1 + #1 [ffff881ff43efc58] bit_wait at ffffffff815e64ed + #2 [ffff881ff43efc68] __wait_on_bit at ffffffff815e61b8 + #3 [ffff881ff43efca0] out_of_line_wait_on_bit at ffffffff815e625e + #4 [ffff881ff43efd08] fscache_wait_for_deferred_lookup at ffffffffa04f2e8f [fscache] + #5 [ffff881ff43efd18] __fscache_read_or_alloc_page at ffffffffa04f2ffe [fscache] + #6 [ffff881ff43efd58] __nfs_readpage_from_fscache at ffffffffa0679668 [nfs] + #7 [ffff881ff43efd78] nfs_readpage at ffffffffa067092b [nfs] + #8 [ffff881ff43efda0] generic_file_read_iter at ffffffff81187a73 + #9 [ffff881ff43efe50] nfs_file_read at ffffffffa066544b [nfs] +#10 [ffff881ff43efe70] __vfs_read at ffffffff811fc756 +#11 [ffff881ff43efee8] vfs_read at ffffffff811fccfa +#12 [ffff881ff43eff18] sys_read at ffffffff811fda62 +#13 [ffff881ff43eff50] entry_SYSCALL_64_fastpath at ffffffff815e986e + +Signed-off-by: NeilBrown +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +--- + fs/fscache/object.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/fscache/object.c b/fs/fscache/object.c +index 7a182c87f378..ab1d7f35f6c2 100644 +--- a/fs/fscache/object.c ++++ b/fs/fscache/object.c +@@ -715,6 +715,9 @@ static const struct fscache_state *fscache_drop_object(struct fscache_object *ob + + if (awaken) + wake_up_bit(&cookie->flags, FSCACHE_COOKIE_INVALIDATING); ++ if (test_and_clear_bit(FSCACHE_COOKIE_LOOKING_UP, &cookie->flags)) ++ wake_up_bit(&cookie->flags, FSCACHE_COOKIE_LOOKING_UP); ++ + + /* Prevent a race with our last child, which has to signal EV_CLEARED + * before dropping our spinlock. +-- +2.19.1 + diff --git a/queue-4.9/hfs-do-not-free-node-before-using.patch b/queue-4.9/hfs-do-not-free-node-before-using.patch new file mode 100644 index 00000000000..80d8eb33d48 --- /dev/null +++ b/queue-4.9/hfs-do-not-free-node-before-using.patch @@ -0,0 +1,49 @@ +From 9e20841da546bad1d1b976ea5f15fa5987ed3982 Mon Sep 17 00:00:00 2001 +From: Pan Bian +Date: Fri, 30 Nov 2018 14:09:14 -0800 +Subject: hfs: do not free node before using + +[ Upstream commit ce96a407adef126870b3f4a1b73529dd8aa80f49 ] + +hfs_bmap_free() frees the node via hfs_bnode_put(node). However, it +then reads node->this when dumping error message on an error path, which +may result in a use-after-free bug. This patch frees the node only when +it is never again used. + +Link: http://lkml.kernel.org/r/1542963889-128825-1-git-send-email-bianpan2016@163.com +Fixes: a1185ffa2fc ("HFS rewrite") +Signed-off-by: Pan Bian +Reviewed-by: Andrew Morton +Cc: Joe Perches +Cc: Ernesto A. Fernandez +Cc: Viacheslav Dubeyko +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/hfs/btree.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/hfs/btree.c b/fs/hfs/btree.c +index 37cdd955eceb..320f4372f172 100644 +--- a/fs/hfs/btree.c ++++ b/fs/hfs/btree.c +@@ -328,13 +328,14 @@ void hfs_bmap_free(struct hfs_bnode *node) + + nidx -= len * 8; + i = node->next; +- hfs_bnode_put(node); + if (!i) { + /* panic */; + pr_crit("unable to free bnode %u. bmap not found!\n", + node->this); ++ hfs_bnode_put(node); + return; + } ++ hfs_bnode_put(node); + node = hfs_bnode_find(tree, i); + if (IS_ERR(node)) + return; +-- +2.19.1 + diff --git a/queue-4.9/hfsplus-do-not-free-node-before-using.patch b/queue-4.9/hfsplus-do-not-free-node-before-using.patch new file mode 100644 index 00000000000..1c9368f6fe1 --- /dev/null +++ b/queue-4.9/hfsplus-do-not-free-node-before-using.patch @@ -0,0 +1,49 @@ +From 35598283f79dab8e3c73f78676f2c240d566d589 Mon Sep 17 00:00:00 2001 +From: Pan Bian +Date: Fri, 30 Nov 2018 14:09:18 -0800 +Subject: hfsplus: do not free node before using + +[ Upstream commit c7d7d620dcbd2a1c595092280ca943f2fced7bbd ] + +hfs_bmap_free() frees node via hfs_bnode_put(node). However it then +reads node->this when dumping error message on an error path, which may +result in a use-after-free bug. This patch frees node only when it is +never used. + +Link: http://lkml.kernel.org/r/1543053441-66942-1-git-send-email-bianpan2016@163.com +Signed-off-by: Pan Bian +Reviewed-by: Andrew Morton +Cc: Ernesto A. Fernandez +Cc: Joe Perches +Cc: Viacheslav Dubeyko +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/hfsplus/btree.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/hfsplus/btree.c b/fs/hfsplus/btree.c +index d9d1a36ba826..8d2256454efe 100644 +--- a/fs/hfsplus/btree.c ++++ b/fs/hfsplus/btree.c +@@ -453,14 +453,15 @@ void hfs_bmap_free(struct hfs_bnode *node) + + nidx -= len * 8; + i = node->next; +- hfs_bnode_put(node); + if (!i) { + /* panic */; + pr_crit("unable to free bnode %u. " + "bmap not found!\n", + node->this); ++ hfs_bnode_put(node); + return; + } ++ hfs_bnode_put(node); + node = hfs_bnode_find(tree, i); + if (IS_ERR(node)) + return; +-- +2.19.1 + diff --git a/queue-4.9/hwmon-ina2xx-fix-current-value-calculation.patch b/queue-4.9/hwmon-ina2xx-fix-current-value-calculation.patch new file mode 100644 index 00000000000..0b388166440 --- /dev/null +++ b/queue-4.9/hwmon-ina2xx-fix-current-value-calculation.patch @@ -0,0 +1,39 @@ +From 3b870aae4955cd740f398b078f018edb05d8c8f7 Mon Sep 17 00:00:00 2001 +From: Nicolin Chen +Date: Tue, 13 Nov 2018 19:48:54 -0800 +Subject: hwmon: (ina2xx) Fix current value calculation + +[ Upstream commit 38cd989ee38c16388cde89db5b734f9d55b905f9 ] + +The current register (04h) has a sign bit at MSB. The comments +for this calculation also mention that it's a signed register. + +However, the regval is unsigned type so result of calculation +turns out to be an incorrect value when current is negative. + +This patch simply fixes this by adding a casting to s16. + +Fixes: 5d389b125186c ("hwmon: (ina2xx) Make calibration register value fixed") +Signed-off-by: Nicolin Chen +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/ina2xx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hwmon/ina2xx.c b/drivers/hwmon/ina2xx.c +index 9ac6e1673375..1f291b344178 100644 +--- a/drivers/hwmon/ina2xx.c ++++ b/drivers/hwmon/ina2xx.c +@@ -273,7 +273,7 @@ static int ina2xx_get_value(struct ina2xx_data *data, u8 reg, + break; + case INA2XX_CURRENT: + /* signed register, result in mA */ +- val = regval * data->current_lsb_uA; ++ val = (s16)regval * data->current_lsb_uA; + val = DIV_ROUND_CLOSEST(val, 1000); + break; + case INA2XX_CALIBRATION: +-- +2.19.1 + diff --git a/queue-4.9/hwmon-w83795-temp4_type-has-writable-permission.patch b/queue-4.9/hwmon-w83795-temp4_type-has-writable-permission.patch new file mode 100644 index 00000000000..2908d132b6f --- /dev/null +++ b/queue-4.9/hwmon-w83795-temp4_type-has-writable-permission.patch @@ -0,0 +1,35 @@ +From 3b6c2be027fb75a13a0da40703cf00ac5083fafe Mon Sep 17 00:00:00 2001 +From: Huacai Chen +Date: Thu, 15 Nov 2018 10:44:57 +0800 +Subject: hwmon: (w83795) temp4_type has writable permission + +[ Upstream commit 09aaf6813cfca4c18034fda7a43e68763f34abb1 ] + +Both datasheet and comments of store_temp_mode() tell us that temp1~4_type +is writable, so fix it. + +Signed-off-by: Yao Wang +Signed-off-by: Huacai Chen +Fixes: 39deb6993e7c (" hwmon: (w83795) Simplify temperature sensor type handling") +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/w83795.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hwmon/w83795.c b/drivers/hwmon/w83795.c +index 49276bbdac3d..1bb80f992aa8 100644 +--- a/drivers/hwmon/w83795.c ++++ b/drivers/hwmon/w83795.c +@@ -1691,7 +1691,7 @@ store_sf_setup(struct device *dev, struct device_attribute *attr, + * somewhere else in the code + */ + #define SENSOR_ATTR_TEMP(index) { \ +- SENSOR_ATTR_2(temp##index##_type, S_IRUGO | (index < 4 ? S_IWUSR : 0), \ ++ SENSOR_ATTR_2(temp##index##_type, S_IRUGO | (index < 5 ? S_IWUSR : 0), \ + show_temp_mode, store_temp_mode, NOT_USED, index - 1), \ + SENSOR_ATTR_2(temp##index##_input, S_IRUGO, show_temp, \ + NULL, TEMP_READ, index - 1), \ +-- +2.19.1 + diff --git a/queue-4.9/igb-fix-uninitialized-variables.patch b/queue-4.9/igb-fix-uninitialized-variables.patch new file mode 100644 index 00000000000..3809306b956 --- /dev/null +++ b/queue-4.9/igb-fix-uninitialized-variables.patch @@ -0,0 +1,32 @@ +From e8f9283a4b171219473fb503aad91519f2b766d8 Mon Sep 17 00:00:00 2001 +From: Yunjian Wang +Date: Tue, 6 Nov 2018 16:27:12 +0800 +Subject: igb: fix uninitialized variables + +[ Upstream commit e4c39f7926b4de355f7df75651d75003806aae09 ] + +This patch fixes the variable 'phy_word' may be used uninitialized. + +Signed-off-by: Yunjian Wang +Tested-by: Aaron Brown +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/e1000_i210.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/intel/igb/e1000_i210.c b/drivers/net/ethernet/intel/igb/e1000_i210.c +index 07d48f2e3369..6766081f5ab9 100644 +--- a/drivers/net/ethernet/intel/igb/e1000_i210.c ++++ b/drivers/net/ethernet/intel/igb/e1000_i210.c +@@ -862,6 +862,7 @@ s32 igb_pll_workaround_i210(struct e1000_hw *hw) + nvm_word = E1000_INVM_DEFAULT_AL; + tmp_nvm = nvm_word | E1000_INVM_PLL_WO_VAL; + igb_write_phy_reg_82580(hw, I347AT4_PAGE_SELECT, E1000_PHY_PLL_FREQ_PAGE); ++ phy_word = E1000_PHY_PLL_UNCONF; + for (i = 0; i < E1000_MAX_PLL_TRIES; i++) { + /* check current state directly from internal PHY */ + igb_read_phy_reg_82580(hw, E1000_PHY_PLL_FREQ_REG, &phy_word); +-- +2.19.1 + diff --git a/queue-4.9/ipvs-call-ip_vs_dst_notifier-earlier-than-ipv6_dev_n.patch b/queue-4.9/ipvs-call-ip_vs_dst_notifier-earlier-than-ipv6_dev_n.patch new file mode 100644 index 00000000000..04782cb3400 --- /dev/null +++ b/queue-4.9/ipvs-call-ip_vs_dst_notifier-earlier-than-ipv6_dev_n.patch @@ -0,0 +1,57 @@ +From 41ba66694ca775a147a8475b2e58bba0bd917956 Mon Sep 17 00:00:00 2001 +From: Xin Long +Date: Thu, 15 Nov 2018 15:14:30 +0800 +Subject: ipvs: call ip_vs_dst_notifier earlier than ipv6_dev_notf + +[ Upstream commit 2a31e4bd9ad255ee40809b5c798c4b1c2b09703b ] + +ip_vs_dst_event is supposed to clean up all dst used in ipvs' +destinations when a net dev is going down. But it works only +when the dst's dev is the same as the dev from the event. + +Now with the same priority but late registration, +ip_vs_dst_notifier is always called later than ipv6_dev_notf +where the dst's dev is set to lo for NETDEV_DOWN event. + +As the dst's dev lo is not the same as the dev from the event +in ip_vs_dst_event, ip_vs_dst_notifier doesn't actually work. +Also as these dst have to wait for dest_trash_timer to clean +them up. It would cause some non-permanent kernel warnings: + + unregister_netdevice: waiting for br0 to become free. Usage count = 3 + +To fix it, call ip_vs_dst_notifier earlier than ipv6_dev_notf +by increasing its priority to ADDRCONF_NOTIFY_PRIORITY + 5. + +Note that for ipv4 route fib_netdev_notifier doesn't set dst's +dev to lo in NETDEV_DOWN event, so this fix is only needed when +IP_VS_IPV6 is defined. + +Fixes: 7a4f0761fce3 ("IPVS: init and cleanup restructuring") +Reported-by: Li Shuang +Signed-off-by: Xin Long +Acked-by: Julian Anastasov +Acked-by: Simon Horman +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/ipvs/ip_vs_ctl.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c +index 079b3c426720..8382b7880b24 100644 +--- a/net/netfilter/ipvs/ip_vs_ctl.c ++++ b/net/netfilter/ipvs/ip_vs_ctl.c +@@ -4013,6 +4013,9 @@ static void __net_exit ip_vs_control_net_cleanup_sysctl(struct netns_ipvs *ipvs) + + static struct notifier_block ip_vs_dst_notifier = { + .notifier_call = ip_vs_dst_event, ++#ifdef CONFIG_IP_VS_IPV6 ++ .priority = ADDRCONF_NOTIFY_PRIORITY + 5, ++#endif + }; + + int __net_init ip_vs_control_net_init(struct netns_ipvs *ipvs) +-- +2.19.1 + diff --git a/queue-4.9/ixgbe-recognize-1000baselx-sfp-modules-as-1gbps.patch b/queue-4.9/ixgbe-recognize-1000baselx-sfp-modules-as-1gbps.patch new file mode 100644 index 00000000000..864244cc9de --- /dev/null +++ b/queue-4.9/ixgbe-recognize-1000baselx-sfp-modules-as-1gbps.patch @@ -0,0 +1,43 @@ +From 2edbd15d68fd35690f5c589e38b07400629ab172 Mon Sep 17 00:00:00 2001 +From: Josh Elsasser +Date: Sat, 24 Nov 2018 12:57:33 -0800 +Subject: ixgbe: recognize 1000BaseLX SFP modules as 1Gbps +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit a8bf879af7b1999eba36303ce9cc60e0e7dd816c ] + +Add the two 1000BaseLX enum values to the X550's check for 1Gbps modules, +allowing the core driver code to establish a link over this SFP type. + +This is done by the out-of-tree driver but the fix wasn't in mainline. + +Fixes: e23f33367882 ("ixgbe: Fix 1G and 10G link stability for X550EM_x SFP+”) +Fixes: 6a14ee0cfb19 ("ixgbe: Add X550 support function pointers") +Signed-off-by: Josh Elsasser +Tested-by: Andrew Bowers +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c +index 77a60aa5dc7e..8466f3874a28 100644 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c +@@ -1702,7 +1702,9 @@ static s32 ixgbe_get_link_capabilities_X550em(struct ixgbe_hw *hw, + *autoneg = false; + + if (hw->phy.sfp_type == ixgbe_sfp_type_1g_sx_core0 || +- hw->phy.sfp_type == ixgbe_sfp_type_1g_sx_core1) { ++ hw->phy.sfp_type == ixgbe_sfp_type_1g_sx_core1 || ++ hw->phy.sfp_type == ixgbe_sfp_type_1g_lx_core0 || ++ hw->phy.sfp_type == ixgbe_sfp_type_1g_lx_core1) { + *speed = IXGBE_LINK_SPEED_1GB_FULL; + return 0; + } +-- +2.19.1 + diff --git a/queue-4.9/kvm-x86-fix-empty-body-warnings.patch b/queue-4.9/kvm-x86-fix-empty-body-warnings.patch new file mode 100644 index 00000000000..9a8c1d44f70 --- /dev/null +++ b/queue-4.9/kvm-x86-fix-empty-body-warnings.patch @@ -0,0 +1,43 @@ +From 0b1b5ef4244e3ddfb03a84ac418f5c28bb7023cc Mon Sep 17 00:00:00 2001 +From: Yi Wang +Date: Thu, 8 Nov 2018 16:48:36 +0800 +Subject: KVM: x86: fix empty-body warnings +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 354cb410d87314e2eda344feea84809e4261570a ] + +We get the following warnings about empty statements when building +with 'W=1': + +arch/x86/kvm/lapic.c:632:53: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body] +arch/x86/kvm/lapic.c:1907:42: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body] +arch/x86/kvm/lapic.c:1936:65: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body] +arch/x86/kvm/lapic.c:1975:44: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body] + +Rework the debug helper macro to get rid of these warnings. + +Signed-off-by: Yi Wang +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/lapic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c +index 69a81a7daa24..c8630569e392 100644 +--- a/arch/x86/kvm/lapic.c ++++ b/arch/x86/kvm/lapic.c +@@ -57,7 +57,7 @@ + #define APIC_BUS_CYCLE_NS 1 + + /* #define apic_debug(fmt,arg...) printk(KERN_WARNING fmt,##arg) */ +-#define apic_debug(fmt, arg...) ++#define apic_debug(fmt, arg...) do {} while (0) + + /* 14 is the version for Xeon and Pentium 8.4.8*/ + #define APIC_VERSION (0x14UL | ((KVM_APIC_LVT_NUM - 1) << 16)) +-- +2.19.1 + diff --git a/queue-4.9/net-hisilicon-remove-unexpected-free_netdev.patch b/queue-4.9/net-hisilicon-remove-unexpected-free_netdev.patch new file mode 100644 index 00000000000..3fb9aed9eea --- /dev/null +++ b/queue-4.9/net-hisilicon-remove-unexpected-free_netdev.patch @@ -0,0 +1,37 @@ +From ca1b7aac9eb0bcc2a9bd7a3c4af771202a5767ae Mon Sep 17 00:00:00 2001 +From: Pan Bian +Date: Wed, 28 Nov 2018 15:30:24 +0800 +Subject: net: hisilicon: remove unexpected free_netdev + +[ Upstream commit c758940158bf29fe14e9d0f89d5848f227b48134 ] + +The net device ndev is freed via free_netdev when failing to register +the device. The control flow then jumps to the error handling code +block. ndev is used and freed again. Resulting in a use-after-free bug. + +Signed-off-by: Pan Bian +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hip04_eth.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hip04_eth.c b/drivers/net/ethernet/hisilicon/hip04_eth.c +index 39778892b3b3..b5d18d95d7b9 100644 +--- a/drivers/net/ethernet/hisilicon/hip04_eth.c ++++ b/drivers/net/ethernet/hisilicon/hip04_eth.c +@@ -922,10 +922,8 @@ static int hip04_mac_probe(struct platform_device *pdev) + } + + ret = register_netdev(ndev); +- if (ret) { +- free_netdev(ndev); ++ if (ret) + goto alloc_fail; +- } + + return 0; + +-- +2.19.1 + diff --git a/queue-4.9/net-thunderx-fix-null-pointer-dereference-in-nic_rem.patch b/queue-4.9/net-thunderx-fix-null-pointer-dereference-in-nic_rem.patch new file mode 100644 index 00000000000..ef4a936b768 --- /dev/null +++ b/queue-4.9/net-thunderx-fix-null-pointer-dereference-in-nic_rem.patch @@ -0,0 +1,82 @@ +From f6416d12ab1df085dfd6b93eb36cc999c84febff Mon Sep 17 00:00:00 2001 +From: Lorenzo Bianconi +Date: Mon, 26 Nov 2018 15:07:16 +0100 +Subject: net: thunderx: fix NULL pointer dereference in nic_remove + +[ Upstream commit 24a6d2dd263bc910de018c78d1148b3e33b94512 ] + +Fix a possible NULL pointer dereference in nic_remove routine +removing the nicpf module if nic_probe fails. +The issue can be triggered with the following reproducer: + +$rmmod nicvf +$rmmod nicpf + +[ 521.412008] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000014 +[ 521.422777] Mem abort info: +[ 521.425561] ESR = 0x96000004 +[ 521.428624] Exception class = DABT (current EL), IL = 32 bits +[ 521.434535] SET = 0, FnV = 0 +[ 521.437579] EA = 0, S1PTW = 0 +[ 521.440730] Data abort info: +[ 521.443603] ISV = 0, ISS = 0x00000004 +[ 521.447431] CM = 0, WnR = 0 +[ 521.450417] user pgtable: 4k pages, 48-bit VAs, pgdp = 0000000072a3da42 +[ 521.457022] [0000000000000014] pgd=0000000000000000 +[ 521.461916] Internal error: Oops: 96000004 [#1] SMP +[ 521.511801] Hardware name: GIGABYTE H270-T70/MT70-HD0, BIOS T49 02/02/2018 +[ 521.518664] pstate: 80400005 (Nzcv daif +PAN -UAO) +[ 521.523451] pc : nic_remove+0x24/0x88 [nicpf] +[ 521.527808] lr : pci_device_remove+0x48/0xd8 +[ 521.532066] sp : ffff000013433cc0 +[ 521.535370] x29: ffff000013433cc0 x28: ffff810f6ac50000 +[ 521.540672] x27: 0000000000000000 x26: 0000000000000000 +[ 521.545974] x25: 0000000056000000 x24: 0000000000000015 +[ 521.551274] x23: ffff8007ff89a110 x22: ffff000001667070 +[ 521.556576] x21: ffff8007ffb170b0 x20: ffff8007ffb17000 +[ 521.561877] x19: 0000000000000000 x18: 0000000000000025 +[ 521.567178] x17: 0000000000000000 x16: 000000000000010ffc33ff98 x8 : 0000000000000000 +[ 521.593683] x7 : 0000000000000000 x6 : 0000000000000001 +[ 521.598983] x5 : 0000000000000002 x4 : 0000000000000003 +[ 521.604284] x3 : ffff8007ffb17184 x2 : ffff8007ffb17184 +[ 521.609585] x1 : ffff000001662118 x0 : ffff000008557be0 +[ 521.614887] Process rmmod (pid: 1897, stack limit = 0x00000000859535c3) +[ 521.621490] Call trace: +[ 521.623928] nic_remove+0x24/0x88 [nicpf] +[ 521.627927] pci_device_remove+0x48/0xd8 +[ 521.631847] device_release_driver_internal+0x1b0/0x248 +[ 521.637062] driver_detach+0x50/0xc0 +[ 521.640628] bus_remove_driver+0x60/0x100 +[ 521.644627] driver_unregister+0x34/0x60 +[ 521.648538] pci_unregister_driver+0x24/0xd8 +[ 521.652798] nic_cleanup_module+0x14/0x111c [nicpf] +[ 521.657672] __arm64_sys_delete_module+0x150/0x218 +[ 521.662460] el0_svc_handler+0x94/0x110 +[ 521.666287] el0_svc+0x8/0xc +[ 521.669160] Code: aa1e03e0 9102c295 d503201f f9404eb3 (b9401660) + +Fixes: 4863dea3fab0 ("net: Adding support for Cavium ThunderX network controller") +Signed-off-by: Lorenzo Bianconi +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cavium/thunder/nic_main.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/cavium/thunder/nic_main.c b/drivers/net/ethernet/cavium/thunder/nic_main.c +index 6677b96e1f3f..da142f6bd0c3 100644 +--- a/drivers/net/ethernet/cavium/thunder/nic_main.c ++++ b/drivers/net/ethernet/cavium/thunder/nic_main.c +@@ -1371,6 +1371,9 @@ static void nic_remove(struct pci_dev *pdev) + { + struct nicpf *nic = pci_get_drvdata(pdev); + ++ if (!nic) ++ return; ++ + if (nic->flags & NIC_SRIOV_ENABLED) + pci_disable_sriov(pdev); + +-- +2.19.1 + diff --git a/queue-4.9/objtool-fix-double-free-in-.cold-detection-error-pat.patch b/queue-4.9/objtool-fix-double-free-in-.cold-detection-error-pat.patch new file mode 100644 index 00000000000..4783306790e --- /dev/null +++ b/queue-4.9/objtool-fix-double-free-in-.cold-detection-error-pat.patch @@ -0,0 +1,42 @@ +From 63163084ec60bfde6a0942039b6b2ff43c41ae3d Mon Sep 17 00:00:00 2001 +From: Artem Savkov +Date: Tue, 20 Nov 2018 11:52:15 -0600 +Subject: objtool: Fix double-free in .cold detection error path + +[ Upstream commit 0b9301fb632f7111a3293a30cc5b20f1b82ed08d ] + +If read_symbols() fails during second list traversal (the one dealing +with ".cold" subfunctions) it frees the symbol, but never deletes it +from the list/hash_table resulting in symbol being freed again in +elf_close(). Fix it by just returning an error, leaving cleanup to +elf_close(). + +Signed-off-by: Artem Savkov +Signed-off-by: Josh Poimboeuf +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Fixes: 13810435b9a7 ("objtool: Support GCC 8's cold subfunctions") +Link: http://lkml.kernel.org/r/beac5a9b7da9e8be90223459dcbe07766ae437dd.1542736240.git.jpoimboe@redhat.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + tools/objtool/elf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/objtool/elf.c b/tools/objtool/elf.c +index 0d1acb704f64..3616d626991e 100644 +--- a/tools/objtool/elf.c ++++ b/tools/objtool/elf.c +@@ -312,7 +312,7 @@ static int read_symbols(struct elf *elf) + if (!pfunc) { + WARN("%s(): can't find parent function", + sym->name); +- goto err; ++ return -1; + } + + sym->pfunc = pfunc; +-- +2.19.1 + diff --git a/queue-4.9/objtool-fix-segfault-in-.cold-detection-with-ffuncti.patch b/queue-4.9/objtool-fix-segfault-in-.cold-detection-with-ffuncti.patch new file mode 100644 index 00000000000..642d97e2f7f --- /dev/null +++ b/queue-4.9/objtool-fix-segfault-in-.cold-detection-with-ffuncti.patch @@ -0,0 +1,76 @@ +From 458892705d029b1a90a3d1fea9c89a1e041cfabc Mon Sep 17 00:00:00 2001 +From: Artem Savkov +Date: Tue, 20 Nov 2018 11:52:16 -0600 +Subject: objtool: Fix segfault in .cold detection with -ffunction-sections + +[ Upstream commit 22566c1603030f0a036ad564634b064ad1a55db2 ] + +Because find_symbol_by_name() traverses the same lists as +read_symbols(), changing sym->name in place without copying it affects +the result of find_symbol_by_name(). In the case where a ".cold" +function precedes its parent in sec->symbol_list, it can result in a +function being considered a parent of itself. This leads to function +length being set to 0 and other consequent side-effects including a +segfault in add_switch_table(). The effects of this bug are only +visible when building with -ffunction-sections in KCFLAGS. + +Fix by copying the search string instead of modifying it in place. + +Signed-off-by: Artem Savkov +Signed-off-by: Josh Poimboeuf +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Fixes: 13810435b9a7 ("objtool: Support GCC 8's cold subfunctions") +Link: http://lkml.kernel.org/r/910abd6b5a4945130fd44f787c24e07b9e07c8da.1542736240.git.jpoimboe@redhat.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + tools/objtool/elf.c | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +diff --git a/tools/objtool/elf.c b/tools/objtool/elf.c +index 3616d626991e..dd4ed7c3c062 100644 +--- a/tools/objtool/elf.c ++++ b/tools/objtool/elf.c +@@ -31,6 +31,8 @@ + #include "elf.h" + #include "warn.h" + ++#define MAX_NAME_LEN 128 ++ + struct section *find_section_by_name(struct elf *elf, const char *name) + { + struct section *sec; +@@ -298,6 +300,8 @@ static int read_symbols(struct elf *elf) + /* Create parent/child links for any cold subfunctions */ + list_for_each_entry(sec, &elf->sections, list) { + list_for_each_entry(sym, &sec->symbol_list, list) { ++ char pname[MAX_NAME_LEN + 1]; ++ size_t pnamelen; + if (sym->type != STT_FUNC) + continue; + sym->pfunc = sym->cfunc = sym; +@@ -305,9 +309,16 @@ static int read_symbols(struct elf *elf) + if (!coldstr) + continue; + +- coldstr[0] = '\0'; +- pfunc = find_symbol_by_name(elf, sym->name); +- coldstr[0] = '.'; ++ pnamelen = coldstr - sym->name; ++ if (pnamelen > MAX_NAME_LEN) { ++ WARN("%s(): parent function name exceeds maximum length of %d characters", ++ sym->name, MAX_NAME_LEN); ++ return -1; ++ } ++ ++ strncpy(pname, sym->name, pnamelen); ++ pname[pnamelen] = '\0'; ++ pfunc = find_symbol_by_name(elf, pname); + + if (!pfunc) { + WARN("%s(): can't find parent function", +-- +2.19.1 + diff --git a/queue-4.9/ocfs2-fix-deadlock-caused-by-ocfs2_defrag_extent.patch b/queue-4.9/ocfs2-fix-deadlock-caused-by-ocfs2_defrag_extent.patch new file mode 100644 index 00000000000..45073731d90 --- /dev/null +++ b/queue-4.9/ocfs2-fix-deadlock-caused-by-ocfs2_defrag_extent.patch @@ -0,0 +1,147 @@ +From fea3cae39d7071c977be805f05c36feef17a788b Mon Sep 17 00:00:00 2001 +From: Larry Chen +Date: Fri, 30 Nov 2018 14:08:56 -0800 +Subject: ocfs2: fix deadlock caused by ocfs2_defrag_extent() + +[ Upstream commit e21e57445a64598b29a6f629688f9b9a39e7242a ] + +ocfs2_defrag_extent may fall into deadlock. + +ocfs2_ioctl_move_extents + ocfs2_ioctl_move_extents + ocfs2_move_extents + ocfs2_defrag_extent + ocfs2_lock_allocators_move_extents + + ocfs2_reserve_clusters + inode_lock GLOBAL_BITMAP_SYSTEM_INODE + + __ocfs2_flush_truncate_log + inode_lock GLOBAL_BITMAP_SYSTEM_INODE + +As backtrace shows above, ocfs2_reserve_clusters() will call inode_lock +against the global bitmap if local allocator has not sufficient cluters. +Once global bitmap could meet the demand, ocfs2_reserve_cluster will +return success with global bitmap locked. + +After ocfs2_reserve_cluster(), if truncate log is full, +__ocfs2_flush_truncate_log() will definitely fall into deadlock because +it needs to inode_lock global bitmap, which has already been locked. + +To fix this bug, we could remove from +ocfs2_lock_allocators_move_extents() the code which intends to lock +global allocator, and put the removed code after +__ocfs2_flush_truncate_log(). + +ocfs2_lock_allocators_move_extents() is referred by 2 places, one is +here, the other does not need the data allocator context, which means +this patch does not affect the caller so far. + +Link: http://lkml.kernel.org/r/20181101071422.14470-1-lchen@suse.com +Signed-off-by: Larry Chen +Reviewed-by: Changwei Ge +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Joseph Qi +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/ocfs2/move_extents.c | 47 +++++++++++++++++++++++------------------ + 1 file changed, 26 insertions(+), 21 deletions(-) + +diff --git a/fs/ocfs2/move_extents.c b/fs/ocfs2/move_extents.c +index 4e8f32eb0bdb..c179afd0051a 100644 +--- a/fs/ocfs2/move_extents.c ++++ b/fs/ocfs2/move_extents.c +@@ -156,18 +156,14 @@ static int __ocfs2_move_extent(handle_t *handle, + } + + /* +- * lock allocators, and reserving appropriate number of bits for +- * meta blocks and data clusters. +- * +- * in some cases, we don't need to reserve clusters, just let data_ac +- * be NULL. ++ * lock allocator, and reserve appropriate number of bits for ++ * meta blocks. + */ +-static int ocfs2_lock_allocators_move_extents(struct inode *inode, ++static int ocfs2_lock_meta_allocator_move_extents(struct inode *inode, + struct ocfs2_extent_tree *et, + u32 clusters_to_move, + u32 extents_to_split, + struct ocfs2_alloc_context **meta_ac, +- struct ocfs2_alloc_context **data_ac, + int extra_blocks, + int *credits) + { +@@ -192,13 +188,6 @@ static int ocfs2_lock_allocators_move_extents(struct inode *inode, + goto out; + } + +- if (data_ac) { +- ret = ocfs2_reserve_clusters(osb, clusters_to_move, data_ac); +- if (ret) { +- mlog_errno(ret); +- goto out; +- } +- } + + *credits += ocfs2_calc_extend_credits(osb->sb, et->et_root_el); + +@@ -260,10 +249,10 @@ static int ocfs2_defrag_extent(struct ocfs2_move_extents_context *context, + } + } + +- ret = ocfs2_lock_allocators_move_extents(inode, &context->et, *len, 1, +- &context->meta_ac, +- &context->data_ac, +- extra_blocks, &credits); ++ ret = ocfs2_lock_meta_allocator_move_extents(inode, &context->et, ++ *len, 1, ++ &context->meta_ac, ++ extra_blocks, &credits); + if (ret) { + mlog_errno(ret); + goto out; +@@ -286,6 +275,21 @@ static int ocfs2_defrag_extent(struct ocfs2_move_extents_context *context, + } + } + ++ /* ++ * Make sure ocfs2_reserve_cluster is called after ++ * __ocfs2_flush_truncate_log, otherwise, dead lock may happen. ++ * ++ * If ocfs2_reserve_cluster is called ++ * before __ocfs2_flush_truncate_log, dead lock on global bitmap ++ * may happen. ++ * ++ */ ++ ret = ocfs2_reserve_clusters(osb, *len, &context->data_ac); ++ if (ret) { ++ mlog_errno(ret); ++ goto out_unlock_mutex; ++ } ++ + handle = ocfs2_start_trans(osb, credits); + if (IS_ERR(handle)) { + ret = PTR_ERR(handle); +@@ -606,9 +610,10 @@ static int ocfs2_move_extent(struct ocfs2_move_extents_context *context, + } + } + +- ret = ocfs2_lock_allocators_move_extents(inode, &context->et, len, 1, +- &context->meta_ac, +- NULL, extra_blocks, &credits); ++ ret = ocfs2_lock_meta_allocator_move_extents(inode, &context->et, ++ len, 1, ++ &context->meta_ac, ++ extra_blocks, &credits); + if (ret) { + mlog_errno(ret); + goto out; +-- +2.19.1 + diff --git a/queue-4.9/ocfs2-fix-potential-use-after-free.patch b/queue-4.9/ocfs2-fix-potential-use-after-free.patch new file mode 100644 index 00000000000..00c703922c4 --- /dev/null +++ b/queue-4.9/ocfs2-fix-potential-use-after-free.patch @@ -0,0 +1,47 @@ +From a5ccdc9d1f0f9605b3f4ec8516494cf025edfbbf Mon Sep 17 00:00:00 2001 +From: Pan Bian +Date: Fri, 30 Nov 2018 14:10:54 -0800 +Subject: ocfs2: fix potential use after free + +[ Upstream commit 164f7e586739d07eb56af6f6d66acebb11f315c8 ] + +ocfs2_get_dentry() calls iput(inode) to drop the reference count of +inode, and if the reference count hits 0, inode is freed. However, in +this function, it then reads inode->i_generation, which may result in a +use after free bug. Move the put operation later. + +Link: http://lkml.kernel.org/r/1543109237-110227-1-git-send-email-bianpan2016@163.com +Fixes: 781f200cb7a("ocfs2: Remove masklog ML_EXPORT.") +Signed-off-by: Pan Bian +Reviewed-by: Andrew Morton +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Joseph Qi +Cc: Changwei Ge +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/ocfs2/export.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ocfs2/export.c b/fs/ocfs2/export.c +index 827fc9809bc2..3494e220b510 100644 +--- a/fs/ocfs2/export.c ++++ b/fs/ocfs2/export.c +@@ -125,10 +125,10 @@ static struct dentry *ocfs2_get_dentry(struct super_block *sb, + + check_gen: + if (handle->ih_generation != inode->i_generation) { +- iput(inode); + trace_ocfs2_get_dentry_generation((unsigned long long)blkno, + handle->ih_generation, + inode->i_generation); ++ iput(inode); + result = ERR_PTR(-ESTALE); + goto bail; + } +-- +2.19.1 + diff --git a/queue-4.9/pstore-convert-console-write-to-use-write_buf.patch b/queue-4.9/pstore-convert-console-write-to-use-write_buf.patch new file mode 100644 index 00000000000..ad81e8a0275 --- /dev/null +++ b/queue-4.9/pstore-convert-console-write-to-use-write_buf.patch @@ -0,0 +1,42 @@ +From 0c04812aeb1a2ea1248ed5c822099c80dd47a847 Mon Sep 17 00:00:00 2001 +From: Namhyung Kim +Date: Wed, 19 Oct 2016 10:23:41 +0900 +Subject: pstore: Convert console write to use ->write_buf + +[ Upstream commit 70ad35db3321a6d129245979de4ac9d06eed897c ] + +Maybe I'm missing something, but I don't know why it needs to copy the +input buffer to psinfo->buf and then write. Instead we can write the +input buffer directly. The only implementation that supports console +message (i.e. ramoops) already does it for ftrace messages. + +For the upcoming virtio backend driver, it needs to protect psinfo->buf +overwritten from console messages. If it could use ->write_buf method +instead of ->write, the problem will be solved easily. + +Cc: Stefan Hajnoczi +Signed-off-by: Namhyung Kim +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + fs/pstore/platform.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/pstore/platform.c b/fs/pstore/platform.c +index 43033a3d66d5..2434bffbc6dd 100644 +--- a/fs/pstore/platform.c ++++ b/fs/pstore/platform.c +@@ -584,8 +584,8 @@ static void pstore_console_write(struct console *con, const char *s, unsigned c) + } else { + spin_lock_irqsave(&psinfo->buf_lock, flags); + } +- memcpy(psinfo->buf, s, c); +- psinfo->write(PSTORE_TYPE_CONSOLE, 0, &id, 0, 0, 0, c, psinfo); ++ psinfo->write_buf(PSTORE_TYPE_CONSOLE, 0, &id, 0, ++ s, 0, c, psinfo); + spin_unlock_irqrestore(&psinfo->buf_lock, flags); + s += c; + c = e - s; +-- +2.19.1 + diff --git a/queue-4.9/rdma-mlx5-fix-fence-type-for-ib_wr_local_inv-wr.patch b/queue-4.9/rdma-mlx5-fix-fence-type-for-ib_wr_local_inv-wr.patch new file mode 100644 index 00000000000..d592a9dcefd --- /dev/null +++ b/queue-4.9/rdma-mlx5-fix-fence-type-for-ib_wr_local_inv-wr.patch @@ -0,0 +1,67 @@ +From c0e56ea253ea3107c5fa581900789262d06f02a2 Mon Sep 17 00:00:00 2001 +From: Majd Dibbiny +Date: Mon, 5 Nov 2018 08:07:37 +0200 +Subject: RDMA/mlx5: Fix fence type for IB_WR_LOCAL_INV WR + +[ Upstream commit 074fca3a18e7e1e0d4d7dcc9d7badc43b90232f4 ] + +Currently, for IB_WR_LOCAL_INV WR, when the next fence is None, the +current fence will be SMALL instead of Normal Fence. + +Without this patch krping doesn't work on CX-5 devices and throws +following error: + +The error messages are from CX5 driver are: (from server side) +[ 710.434014] mlx5_0:dump_cqe:278:(pid 2712): dump error cqe +[ 710.434016] 00000000 00000000 00000000 00000000 +[ 710.434016] 00000000 00000000 00000000 00000000 +[ 710.434017] 00000000 00000000 00000000 00000000 +[ 710.434018] 00000000 93003204 100000b8 000524d2 +[ 710.434019] krping: cq completion failed with wr_id 0 status 4 opcode 128 vender_err 32 + +Fixed the logic to set the correct fence type. + +Fixes: 6e8484c5cf07 ("RDMA/mlx5: set UMR wqe fence according to HCA cap") +Signed-off-by: Majd Dibbiny +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/qp.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/qp.c +index f8f7a2191b98..f89489b28575 100644 +--- a/drivers/infiniband/hw/mlx5/qp.c ++++ b/drivers/infiniband/hw/mlx5/qp.c +@@ -3888,17 +3888,18 @@ int mlx5_ib_post_send(struct ib_qp *ibqp, struct ib_send_wr *wr, + goto out; + } + +- if (wr->opcode == IB_WR_LOCAL_INV || +- wr->opcode == IB_WR_REG_MR) { ++ if (wr->opcode == IB_WR_REG_MR) { + fence = dev->umr_fence; + next_fence = MLX5_FENCE_MODE_INITIATOR_SMALL; +- } else if (wr->send_flags & IB_SEND_FENCE) { +- if (qp->next_fence) +- fence = MLX5_FENCE_MODE_SMALL_AND_FENCE; +- else +- fence = MLX5_FENCE_MODE_FENCE; +- } else { +- fence = qp->next_fence; ++ } else { ++ if (wr->send_flags & IB_SEND_FENCE) { ++ if (qp->next_fence) ++ fence = MLX5_FENCE_MODE_SMALL_AND_FENCE; ++ else ++ fence = MLX5_FENCE_MODE_FENCE; ++ } else { ++ fence = qp->next_fence; ++ } + } + + switch (ibqp->qp_type) { +-- +2.19.1 + diff --git a/queue-4.9/s390-cpum_cf-reject-request-for-sampling-in-event-in.patch b/queue-4.9/s390-cpum_cf-reject-request-for-sampling-in-event-in.patch new file mode 100644 index 00000000000..402b64f4e97 --- /dev/null +++ b/queue-4.9/s390-cpum_cf-reject-request-for-sampling-in-event-in.patch @@ -0,0 +1,113 @@ +From b6f5dd1bba553ee08e8e46afa0299e9648e921e6 Mon Sep 17 00:00:00 2001 +From: Thomas Richter +Date: Tue, 13 Nov 2018 15:38:22 +0000 +Subject: s390/cpum_cf: Reject request for sampling in event initialization + +[ Upstream commit 613a41b0d16e617f46776a93b975a1eeea96417c ] + +On s390 command perf top fails +[root@s35lp76 perf] # ./perf top -F100000 --stdio + Error: + cycles: PMU Hardware doesn't support sampling/overflow-interrupts. + Try 'perf stat' +[root@s35lp76 perf] # + +Using event -e rb0000 works as designed. Event rb0000 is the event +number of the sampling facility for basic sampling. + +During system start up the following PMUs are installed in the kernel's +PMU list (from head to tail): + cpum_cf --> s390 PMU counter facility device driver + cpum_sf --> s390 PMU sampling facility device driver + uprobe + kprobe + tracepoint + task_clock + cpu_clock + +Perf top executes following functions and calls perf_event_open(2) system +call with different parameters many times: + +cmd_top +--> __cmd_top + --> perf_evlist__add_default + --> __perf_evlist__add_default + --> perf_evlist__new_cycles (creates event type:0 (HW) + config 0 (CPU_CYCLES) + --> perf_event_attr__set_max_precise_ip + Uses perf_event_open(2) to detect correct + precise_ip level. Fails 3 times on s390 which is ok. + +Then functions cmd_top +--> __cmd_top + --> perf_top__start_counters + -->perf_evlist__config + --> perf_can_comm_exec + --> perf_probe_api + This functions test support for the following events: + "cycles:u", "instructions:u", "cpu-clock:u" using + --> perf_do_probe_api + --> perf_event_open_cloexec + Test the close on exec flag support with + perf_event_open(2). + perf_do_probe_api returns true if the event is + supported. + The function returns true because event cpu-clock is + supported by the PMU cpu_clock. + This is achieved by many calls to perf_event_open(2). + +Function perf_top__start_counters now calls perf_evsel__open() for every +event, which is the default event cpu_cycles (config:0) and type HARDWARE +(type:0) which a predfined frequence of 4000. + +Given the above order of the PMU list, the PMU cpum_cf gets called first +and returns 0, which indicates support for this sampling. The event is +fully allocated in the function perf_event_open (file kernel/event/core.c +near line 10521 and the following check fails: + + event = perf_event_alloc(&attr, cpu, task, group_leader, NULL, + NULL, NULL, cgroup_fd); + if (IS_ERR(event)) { + err = PTR_ERR(event); + goto err_cred; + } + + if (is_sampling_event(event)) { + if (event->pmu->capabilities & PERF_PMU_CAP_NO_INTERRUPT) { + err = -EOPNOTSUPP; + goto err_alloc; + } + } + +The check for the interrupt capabilities fails and the system call +perf_event_open() returns -EOPNOTSUPP (-95). + +Add a check to return -ENODEV when sampling is requested in PMU cpum_cf. +This allows common kernel code in the perf_event_open() system call to +test the next PMU in above list. + +Fixes: 97b1198fece0 (" "s390, perf: Use common PMU interrupt disabled code") +Signed-off-by: Thomas Richter +Reviewed-by: Hendrik Brueckner +Signed-off-by: Martin Schwidefsky +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/perf_cpum_cf.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/s390/kernel/perf_cpum_cf.c b/arch/s390/kernel/perf_cpum_cf.c +index 037c2a253ae4..1238e7ef1170 100644 +--- a/arch/s390/kernel/perf_cpum_cf.c ++++ b/arch/s390/kernel/perf_cpum_cf.c +@@ -344,6 +344,8 @@ static int __hw_perf_event_init(struct perf_event *event) + break; + + case PERF_TYPE_HARDWARE: ++ if (is_sampling_event(event)) /* No sampling support */ ++ return -ENOENT; + ev = attr->config; + /* Count user space (problem-state) only */ + if (!attr->exclude_user && attr->exclude_kernel) { +-- +2.19.1 + diff --git a/queue-4.9/selftests-add-script-to-stress-test-nft-packet-path-.patch b/queue-4.9/selftests-add-script-to-stress-test-nft-packet-path-.patch new file mode 100644 index 00000000000..df48137c7f9 --- /dev/null +++ b/queue-4.9/selftests-add-script-to-stress-test-nft-packet-path-.patch @@ -0,0 +1,150 @@ +From 3b2962f4a5da424e08916f9d2f81f313bae28a88 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Wed, 31 Oct 2018 18:26:21 +0100 +Subject: selftests: add script to stress-test nft packet path vs. control + plane + +[ Upstream commit 25d8bcedbf4329895dbaf9dd67baa6f18dad918c ] + +Start flood ping for each cpu while loading/flushing rulesets to make +sure we do not access already-free'd rules from nf_tables evaluation loop. + +Also add this to TARGETS so 'make run_tests' in selftest dir runs it +automatically. + +This would have caught the bug fixed in previous change +("netfilter: nf_tables: do not skip inactive chains during generation update") +sooner. + +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/Makefile | 1 + + tools/testing/selftests/netfilter/Makefile | 6 ++ + tools/testing/selftests/netfilter/config | 2 + + .../selftests/netfilter/nft_trans_stress.sh | 78 +++++++++++++++++++ + 4 files changed, 87 insertions(+) + create mode 100644 tools/testing/selftests/netfilter/Makefile + create mode 100644 tools/testing/selftests/netfilter/config + create mode 100755 tools/testing/selftests/netfilter/nft_trans_stress.sh + +diff --git a/tools/testing/selftests/Makefile b/tools/testing/selftests/Makefile +index 76faf5bf0b32..d37dfc6608c6 100644 +--- a/tools/testing/selftests/Makefile ++++ b/tools/testing/selftests/Makefile +@@ -15,6 +15,7 @@ TARGETS += memory-hotplug + TARGETS += mount + TARGETS += mqueue + TARGETS += net ++TARGETS += netfilter + TARGETS += nsfs + TARGETS += powerpc + TARGETS += pstore +diff --git a/tools/testing/selftests/netfilter/Makefile b/tools/testing/selftests/netfilter/Makefile +new file mode 100644 +index 000000000000..47ed6cef93fb +--- /dev/null ++++ b/tools/testing/selftests/netfilter/Makefile +@@ -0,0 +1,6 @@ ++# SPDX-License-Identifier: GPL-2.0 ++# Makefile for netfilter selftests ++ ++TEST_PROGS := nft_trans_stress.sh ++ ++include ../lib.mk +diff --git a/tools/testing/selftests/netfilter/config b/tools/testing/selftests/netfilter/config +new file mode 100644 +index 000000000000..1017313e41a8 +--- /dev/null ++++ b/tools/testing/selftests/netfilter/config +@@ -0,0 +1,2 @@ ++CONFIG_NET_NS=y ++NF_TABLES_INET=y +diff --git a/tools/testing/selftests/netfilter/nft_trans_stress.sh b/tools/testing/selftests/netfilter/nft_trans_stress.sh +new file mode 100755 +index 000000000000..f1affd12c4b1 +--- /dev/null ++++ b/tools/testing/selftests/netfilter/nft_trans_stress.sh +@@ -0,0 +1,78 @@ ++#!/bin/bash ++# ++# This test is for stress-testing the nf_tables config plane path vs. ++# packet path processing: Make sure we never release rules that are ++# still visible to other cpus. ++# ++# set -e ++ ++# Kselftest framework requirement - SKIP code is 4. ++ksft_skip=4 ++ ++testns=testns1 ++tables="foo bar baz quux" ++ ++nft --version > /dev/null 2>&1 ++if [ $? -ne 0 ];then ++ echo "SKIP: Could not run test without nft tool" ++ exit $ksft_skip ++fi ++ ++ip -Version > /dev/null 2>&1 ++if [ $? -ne 0 ];then ++ echo "SKIP: Could not run test without ip tool" ++ exit $ksft_skip ++fi ++ ++tmp=$(mktemp) ++ ++for table in $tables; do ++ echo add table inet "$table" >> "$tmp" ++ echo flush table inet "$table" >> "$tmp" ++ ++ echo "add chain inet $table INPUT { type filter hook input priority 0; }" >> "$tmp" ++ echo "add chain inet $table OUTPUT { type filter hook output priority 0; }" >> "$tmp" ++ for c in $(seq 1 400); do ++ chain=$(printf "chain%03u" "$c") ++ echo "add chain inet $table $chain" >> "$tmp" ++ done ++ ++ for c in $(seq 1 400); do ++ chain=$(printf "chain%03u" "$c") ++ for BASE in INPUT OUTPUT; do ++ echo "add rule inet $table $BASE counter jump $chain" >> "$tmp" ++ done ++ echo "add rule inet $table $chain counter return" >> "$tmp" ++ done ++done ++ ++ip netns add "$testns" ++ip -netns "$testns" link set lo up ++ ++lscpu | grep ^CPU\(s\): | ( read cpu cpunum ; ++cpunum=$((cpunum-1)) ++for i in $(seq 0 $cpunum);do ++ mask=$(printf 0x%x $((1<<$i))) ++ ip netns exec "$testns" taskset $mask ping -4 127.0.0.1 -fq > /dev/null & ++ ip netns exec "$testns" taskset $mask ping -6 ::1 -fq > /dev/null & ++done) ++ ++sleep 1 ++ ++for i in $(seq 1 10) ; do ip netns exec "$testns" nft -f "$tmp" & done ++ ++for table in $tables;do ++ randsleep=$((RANDOM%10)) ++ sleep $randsleep ++ ip netns exec "$testns" nft delete table inet $table 2>/dev/null ++done ++ ++randsleep=$((RANDOM%10)) ++sleep $randsleep ++ ++pkill -9 ping ++ ++wait ++ ++rm -f "$tmp" ++ip netns del "$testns" +-- +2.19.1 + diff --git a/queue-4.9/series b/queue-4.9/series index b98b8101d4e..ba3287be2b9 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -8,3 +8,43 @@ rtnetlink-ndo_dflt_fdb_dump-only-work-for-arphrd_ether-devices.patch tcp-fix-null-ref-in-tail-loss-probe.patch tun-forbid-iface-creation-with-rtnl-ops.patch neighbour-avoid-writing-before-skb-head-in-neigh_hh_output.patch +arm-omap2-prm44xx-fix-section-annotation-on-omap44xx.patch +arm-dts-logicpd-somlv-fix-interrupt-on-mmc3_dat1.patch +arm-omap1-ams-delta-fix-possible-use-of-uninitialize.patch +sysv-return-err-instead-of-0-in-__sysv_write_inode.patch +selftests-add-script-to-stress-test-nft-packet-path-.patch +s390-cpum_cf-reject-request-for-sampling-in-event-in.patch +hwmon-ina2xx-fix-current-value-calculation.patch +asoc-omap-abe-twl6040-fix-missing-audio-card-caused-.patch +asoc-dapm-recalculate-audio-map-forcely-when-card-in.patch +hwmon-w83795-temp4_type-has-writable-permission.patch +objtool-fix-double-free-in-.cold-detection-error-pat.patch +objtool-fix-segfault-in-.cold-detection-with-ffuncti.patch +btrfs-send-fix-infinite-loop-due-to-directory-rename.patch +rdma-mlx5-fix-fence-type-for-ib_wr_local_inv-wr.patch +asoc-omap-mcpdm-add-pm_qos-handling-to-avoid-under-o.patch +asoc-omap-dmic-add-pm_qos-handling-to-avoid-overruns.patch +exportfs-do-not-read-dentry-after-free.patch +bpf-fix-check-of-allowed-specifiers-in-bpf_trace_pri.patch +ipvs-call-ip_vs_dst_notifier-earlier-than-ipv6_dev_n.patch +usb-omap_udc-use-devm_request_irq.patch +usb-omap_udc-fix-crashes-on-probe-error-and-module-r.patch +usb-omap_udc-fix-omap_udc_start-on-15xx-machines.patch +usb-omap_udc-fix-usb-gadget-functionality-on-palm-tu.patch +kvm-x86-fix-empty-body-warnings.patch +x86-kvm-vmx-fix-old-style-function-declaration.patch +net-thunderx-fix-null-pointer-dereference-in-nic_rem.patch +cachefiles-fix-page-leak-in-cachefiles_read_backing_.patch +igb-fix-uninitialized-variables.patch +ixgbe-recognize-1000baselx-sfp-modules-as-1gbps.patch +net-hisilicon-remove-unexpected-free_netdev.patch +drm-ast-fixed-reading-monitor-edid-not-stable-issue.patch +xen-xlate_mmu-add-missing-header-to-fix-w-1-warning.patch +fscache-fix-race-between-enablement-and-dropping-of-.patch +fscache-cachefiles-remove-redundant-variable-cache.patch +ocfs2-fix-deadlock-caused-by-ocfs2_defrag_extent.patch +hfs-do-not-free-node-before-using.patch +hfsplus-do-not-free-node-before-using.patch +debugobjects-avoid-recursive-calls-with-kmemleak.patch +ocfs2-fix-potential-use-after-free.patch +pstore-convert-console-write-to-use-write_buf.patch diff --git a/queue-4.9/sysv-return-err-instead-of-0-in-__sysv_write_inode.patch b/queue-4.9/sysv-return-err-instead-of-0-in-__sysv_write_inode.patch new file mode 100644 index 00000000000..79dc84edeeb --- /dev/null +++ b/queue-4.9/sysv-return-err-instead-of-0-in-__sysv_write_inode.patch @@ -0,0 +1,39 @@ +From c4d7bb9d94ff971c8f9a7b170aaa01d745cd8528 Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Sat, 10 Nov 2018 04:13:24 +0000 +Subject: sysv: return 'err' instead of 0 in __sysv_write_inode + +[ Upstream commit c4b7d1ba7d263b74bb72e9325262a67139605cde ] + +Fixes gcc '-Wunused-but-set-variable' warning: + +fs/sysv/inode.c: In function '__sysv_write_inode': +fs/sysv/inode.c:239:6: warning: + variable 'err' set but not used [-Wunused-but-set-variable] + +__sysv_write_inode should return 'err' instead of 0 + +Fixes: 05459ca81ac3 ("repair sysv_write_inode(), switch sysv to simple_fsync()") +Signed-off-by: YueHaibing +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + fs/sysv/inode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/sysv/inode.c b/fs/sysv/inode.c +index d62c423a5a2d..7b391b43bcf5 100644 +--- a/fs/sysv/inode.c ++++ b/fs/sysv/inode.c +@@ -275,7 +275,7 @@ static int __sysv_write_inode(struct inode *inode, int wait) + } + } + brelse(bh); +- return 0; ++ return err; + } + + int sysv_write_inode(struct inode *inode, struct writeback_control *wbc) +-- +2.19.1 + diff --git a/queue-4.9/usb-omap_udc-fix-crashes-on-probe-error-and-module-r.patch b/queue-4.9/usb-omap_udc-fix-crashes-on-probe-error-and-module-r.patch new file mode 100644 index 00000000000..233be0bbe43 --- /dev/null +++ b/queue-4.9/usb-omap_udc-fix-crashes-on-probe-error-and-module-r.patch @@ -0,0 +1,114 @@ +From ecc78d588b88f5617e40d42271198742c0592916 Mon Sep 17 00:00:00 2001 +From: Aaro Koskinen +Date: Sun, 25 Nov 2018 00:17:05 +0200 +Subject: USB: omap_udc: fix crashes on probe error and module removal + +[ Upstream commit 99f700366fcea1aa2fa3c49c99f371670c3c62f8 ] + +We currently crash if usb_add_gadget_udc_release() fails, since the +udc->done is not initialized until in the remove function. +Furthermore, on module removal the udc data is accessed although +the release function is already triggered by usb_del_gadget_udc() +early in the function. + +Fix by rewriting the release and remove functions, basically moving +all the cleanup into the release function, and doing the completion +only in the module removal case. + +The patch fixes omap_udc module probe with a failing gadged, and also +allows the removal of omap_udc. Tested by running "modprobe omap_udc; +modprobe -r omap_udc" in a loop. + +Signed-off-by: Aaro Koskinen +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/omap_udc.c | 50 ++++++++++++------------------- + 1 file changed, 19 insertions(+), 31 deletions(-) + +diff --git a/drivers/usb/gadget/udc/omap_udc.c b/drivers/usb/gadget/udc/omap_udc.c +index 2945408f0eec..2a23b21fe153 100644 +--- a/drivers/usb/gadget/udc/omap_udc.c ++++ b/drivers/usb/gadget/udc/omap_udc.c +@@ -2612,9 +2612,22 @@ omap_ep_setup(char *name, u8 addr, u8 type, + + static void omap_udc_release(struct device *dev) + { +- complete(udc->done); ++ pullup_disable(udc); ++ if (!IS_ERR_OR_NULL(udc->transceiver)) { ++ usb_put_phy(udc->transceiver); ++ udc->transceiver = NULL; ++ } ++ omap_writew(0, UDC_SYSCON1); ++ remove_proc_file(); ++ if (udc->dc_clk) { ++ if (udc->clk_requested) ++ omap_udc_enable_clock(0); ++ clk_put(udc->hhc_clk); ++ clk_put(udc->dc_clk); ++ } ++ if (udc->done) ++ complete(udc->done); + kfree(udc); +- udc = NULL; + } + + static int +@@ -2919,12 +2932,8 @@ static int omap_udc_probe(struct platform_device *pdev) + } + + create_proc_file(); +- status = usb_add_gadget_udc_release(&pdev->dev, &udc->gadget, +- omap_udc_release); +- if (!status) +- return 0; +- +- remove_proc_file(); ++ return usb_add_gadget_udc_release(&pdev->dev, &udc->gadget, ++ omap_udc_release); + + cleanup1: + kfree(udc); +@@ -2951,36 +2960,15 @@ static int omap_udc_remove(struct platform_device *pdev) + { + DECLARE_COMPLETION_ONSTACK(done); + +- if (!udc) +- return -ENODEV; +- +- usb_del_gadget_udc(&udc->gadget); +- if (udc->driver) +- return -EBUSY; +- + udc->done = &done; + +- pullup_disable(udc); +- if (!IS_ERR_OR_NULL(udc->transceiver)) { +- usb_put_phy(udc->transceiver); +- udc->transceiver = NULL; +- } +- omap_writew(0, UDC_SYSCON1); +- +- remove_proc_file(); ++ usb_del_gadget_udc(&udc->gadget); + +- if (udc->dc_clk) { +- if (udc->clk_requested) +- omap_udc_enable_clock(0); +- clk_put(udc->hhc_clk); +- clk_put(udc->dc_clk); +- } ++ wait_for_completion(&done); + + release_mem_region(pdev->resource[0].start, + pdev->resource[0].end - pdev->resource[0].start + 1); + +- wait_for_completion(&done); +- + return 0; + } + +-- +2.19.1 + diff --git a/queue-4.9/usb-omap_udc-fix-omap_udc_start-on-15xx-machines.patch b/queue-4.9/usb-omap_udc-fix-omap_udc_start-on-15xx-machines.patch new file mode 100644 index 00000000000..54147f32535 --- /dev/null +++ b/queue-4.9/usb-omap_udc-fix-omap_udc_start-on-15xx-machines.patch @@ -0,0 +1,41 @@ +From cccf734ea58984e0b1e59f0bf17cd57f7edcc8e8 Mon Sep 17 00:00:00 2001 +From: Aaro Koskinen +Date: Sun, 25 Nov 2018 00:17:06 +0200 +Subject: USB: omap_udc: fix omap_udc_start() on 15xx machines + +[ Upstream commit 6ca6695f576b8453fe68865e84d25946d63b10ad ] + +On OMAP 15xx machines there are no transceivers, and omap_udc_start() +always fails as it forgot to adjust the default return value. + +Signed-off-by: Aaro Koskinen +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/omap_udc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/gadget/udc/omap_udc.c b/drivers/usb/gadget/udc/omap_udc.c +index 2a23b21fe153..8f044caa8ad4 100644 +--- a/drivers/usb/gadget/udc/omap_udc.c ++++ b/drivers/usb/gadget/udc/omap_udc.c +@@ -2045,7 +2045,7 @@ static inline int machine_without_vbus_sense(void) + static int omap_udc_start(struct usb_gadget *g, + struct usb_gadget_driver *driver) + { +- int status = -ENODEV; ++ int status; + struct omap_ep *ep; + unsigned long flags; + +@@ -2083,6 +2083,7 @@ static int omap_udc_start(struct usb_gadget *g, + goto done; + } + } else { ++ status = 0; + if (can_pullup(udc)) + pullup_enable(udc); + else +-- +2.19.1 + diff --git a/queue-4.9/usb-omap_udc-fix-usb-gadget-functionality-on-palm-tu.patch b/queue-4.9/usb-omap_udc-fix-usb-gadget-functionality-on-palm-tu.patch new file mode 100644 index 00000000000..1c9a81b1261 --- /dev/null +++ b/queue-4.9/usb-omap_udc-fix-usb-gadget-functionality-on-palm-tu.patch @@ -0,0 +1,32 @@ +From 641555751792449957b493fca3d4b1db5b419e9b Mon Sep 17 00:00:00 2001 +From: Aaro Koskinen +Date: Sun, 25 Nov 2018 00:17:07 +0200 +Subject: USB: omap_udc: fix USB gadget functionality on Palm Tungsten E + +[ Upstream commit 2c2322fbcab8102b8cadc09d66714700a2da42c2 ] + +On Palm TE nothing happens when you try to use gadget drivers and plug +the USB cable. Fix by adding the board to the vbus sense quirk list. + +Signed-off-by: Aaro Koskinen +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/omap_udc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/usb/gadget/udc/omap_udc.c b/drivers/usb/gadget/udc/omap_udc.c +index 8f044caa8ad4..9eed4947aad8 100644 +--- a/drivers/usb/gadget/udc/omap_udc.c ++++ b/drivers/usb/gadget/udc/omap_udc.c +@@ -2037,6 +2037,7 @@ static inline int machine_without_vbus_sense(void) + { + return machine_is_omap_innovator() + || machine_is_omap_osk() ++ || machine_is_omap_palmte() + || machine_is_sx1() + /* No known omap7xx boards with vbus sense */ + || cpu_is_omap7xx(); +-- +2.19.1 + diff --git a/queue-4.9/usb-omap_udc-use-devm_request_irq.patch b/queue-4.9/usb-omap_udc-use-devm_request_irq.patch new file mode 100644 index 00000000000..68bddb90f63 --- /dev/null +++ b/queue-4.9/usb-omap_udc-use-devm_request_irq.patch @@ -0,0 +1,102 @@ +From 4194600a6d04cfa6eb9984f245bb6770625e196d Mon Sep 17 00:00:00 2001 +From: Aaro Koskinen +Date: Sun, 25 Nov 2018 00:17:04 +0200 +Subject: USB: omap_udc: use devm_request_irq() + +[ Upstream commit 286afdde1640d8ea8916a0f05e811441fbbf4b9d ] + +The current code fails to release the third irq on the error path +(observed by reading the code), and we get also multiple WARNs with +failing gadget drivers due to duplicate IRQ releases. Fix by using +devm_request_irq(). + +Signed-off-by: Aaro Koskinen +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/omap_udc.c | 37 +++++++++---------------------- + 1 file changed, 10 insertions(+), 27 deletions(-) + +diff --git a/drivers/usb/gadget/udc/omap_udc.c b/drivers/usb/gadget/udc/omap_udc.c +index a8709f9e5648..2945408f0eec 100644 +--- a/drivers/usb/gadget/udc/omap_udc.c ++++ b/drivers/usb/gadget/udc/omap_udc.c +@@ -2886,8 +2886,8 @@ static int omap_udc_probe(struct platform_device *pdev) + udc->clr_halt = UDC_RESET_EP; + + /* USB general purpose IRQ: ep0, state changes, dma, etc */ +- status = request_irq(pdev->resource[1].start, omap_udc_irq, +- 0, driver_name, udc); ++ status = devm_request_irq(&pdev->dev, pdev->resource[1].start, ++ omap_udc_irq, 0, driver_name, udc); + if (status != 0) { + ERR("can't get irq %d, err %d\n", + (int) pdev->resource[1].start, status); +@@ -2895,20 +2895,20 @@ static int omap_udc_probe(struct platform_device *pdev) + } + + /* USB "non-iso" IRQ (PIO for all but ep0) */ +- status = request_irq(pdev->resource[2].start, omap_udc_pio_irq, +- 0, "omap_udc pio", udc); ++ status = devm_request_irq(&pdev->dev, pdev->resource[2].start, ++ omap_udc_pio_irq, 0, "omap_udc pio", udc); + if (status != 0) { + ERR("can't get irq %d, err %d\n", + (int) pdev->resource[2].start, status); +- goto cleanup2; ++ goto cleanup1; + } + #ifdef USE_ISO +- status = request_irq(pdev->resource[3].start, omap_udc_iso_irq, +- 0, "omap_udc iso", udc); ++ status = devm_request_irq(&pdev->dev, pdev->resource[3].start, ++ omap_udc_iso_irq, 0, "omap_udc iso", udc); + if (status != 0) { + ERR("can't get irq %d, err %d\n", + (int) pdev->resource[3].start, status); +- goto cleanup3; ++ goto cleanup1; + } + #endif + if (cpu_is_omap16xx() || cpu_is_omap7xx()) { +@@ -2921,22 +2921,11 @@ static int omap_udc_probe(struct platform_device *pdev) + create_proc_file(); + status = usb_add_gadget_udc_release(&pdev->dev, &udc->gadget, + omap_udc_release); +- if (status) +- goto cleanup4; +- +- return 0; ++ if (!status) ++ return 0; + +-cleanup4: + remove_proc_file(); + +-#ifdef USE_ISO +-cleanup3: +- free_irq(pdev->resource[2].start, udc); +-#endif +- +-cleanup2: +- free_irq(pdev->resource[1].start, udc); +- + cleanup1: + kfree(udc); + udc = NULL; +@@ -2980,12 +2969,6 @@ static int omap_udc_remove(struct platform_device *pdev) + + remove_proc_file(); + +-#ifdef USE_ISO +- free_irq(pdev->resource[3].start, udc); +-#endif +- free_irq(pdev->resource[2].start, udc); +- free_irq(pdev->resource[1].start, udc); +- + if (udc->dc_clk) { + if (udc->clk_requested) + omap_udc_enable_clock(0); +-- +2.19.1 + diff --git a/queue-4.9/x86-kvm-vmx-fix-old-style-function-declaration.patch b/queue-4.9/x86-kvm-vmx-fix-old-style-function-declaration.patch new file mode 100644 index 00000000000..f34ba644d1a --- /dev/null +++ b/queue-4.9/x86-kvm-vmx-fix-old-style-function-declaration.patch @@ -0,0 +1,68 @@ +From 31989e869b781c45eee91d4577562fa69e6f0a7c Mon Sep 17 00:00:00 2001 +From: Yi Wang +Date: Thu, 8 Nov 2018 11:22:21 +0800 +Subject: x86/kvm/vmx: fix old-style function declaration +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 1e4329ee2c52692ea42cc677fb2133519718b34a ] + +The inline keyword which is not at the beginning of the function +declaration may trigger the following build warnings, so let's fix it: + +arch/x86/kvm/vmx.c:1309:1: warning: ‘inline’ is not at beginning of declaration [-Wold-style-declaration] +arch/x86/kvm/vmx.c:5947:1: warning: ‘inline’ is not at beginning of declaration [-Wold-style-declaration] +arch/x86/kvm/vmx.c:5985:1: warning: ‘inline’ is not at beginning of declaration [-Wold-style-declaration] +arch/x86/kvm/vmx.c:6023:1: warning: ‘inline’ is not at beginning of declaration [-Wold-style-declaration] + +Signed-off-by: Yi Wang +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/vmx.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c +index 8888d894bf39..011050820608 100644 +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -1077,7 +1077,7 @@ static void copy_vmcs12_to_shadow(struct vcpu_vmx *vmx); + static void copy_shadow_to_vmcs12(struct vcpu_vmx *vmx); + static int alloc_identity_pagetable(struct kvm *kvm); + static void vmx_update_msr_bitmap(struct kvm_vcpu *vcpu); +-static void __always_inline vmx_disable_intercept_for_msr(unsigned long *msr_bitmap, ++static __always_inline void vmx_disable_intercept_for_msr(unsigned long *msr_bitmap, + u32 msr, int type); + + static DEFINE_PER_CPU(struct vmcs *, vmxarea); +@@ -4872,7 +4872,7 @@ static void free_vpid(int vpid) + spin_unlock(&vmx_vpid_lock); + } + +-static void __always_inline vmx_disable_intercept_for_msr(unsigned long *msr_bitmap, ++static __always_inline void vmx_disable_intercept_for_msr(unsigned long *msr_bitmap, + u32 msr, int type) + { + int f = sizeof(unsigned long); +@@ -4907,7 +4907,7 @@ static void __always_inline vmx_disable_intercept_for_msr(unsigned long *msr_bit + } + } + +-static void __always_inline vmx_enable_intercept_for_msr(unsigned long *msr_bitmap, ++static __always_inline void vmx_enable_intercept_for_msr(unsigned long *msr_bitmap, + u32 msr, int type) + { + int f = sizeof(unsigned long); +@@ -4942,7 +4942,7 @@ static void __always_inline vmx_enable_intercept_for_msr(unsigned long *msr_bitm + } + } + +-static void __always_inline vmx_set_intercept_for_msr(unsigned long *msr_bitmap, ++static __always_inline void vmx_set_intercept_for_msr(unsigned long *msr_bitmap, + u32 msr, int type, bool value) + { + if (value) +-- +2.19.1 + diff --git a/queue-4.9/xen-xlate_mmu-add-missing-header-to-fix-w-1-warning.patch b/queue-4.9/xen-xlate_mmu-add-missing-header-to-fix-w-1-warning.patch new file mode 100644 index 00000000000..3243bec2a12 --- /dev/null +++ b/queue-4.9/xen-xlate_mmu-add-missing-header-to-fix-w-1-warning.patch @@ -0,0 +1,37 @@ +From 98f6f0f4042d5613b4b3ea4c2b756ffba8d88cee Mon Sep 17 00:00:00 2001 +From: Srikanth Boddepalli +Date: Tue, 27 Nov 2018 19:53:27 +0530 +Subject: xen: xlate_mmu: add missing header to fix 'W=1' warning + +[ Upstream commit 72791ac854fea36034fa7976b748fde585008e78 ] + +Add a missing header otherwise compiler warns about missed prototype: + +drivers/xen/xlate_mmu.c:183:5: warning: no previous prototype for 'xen_xlate_unmap_gfn_range?' [-Wmissing-prototypes] + int xen_xlate_unmap_gfn_range(struct vm_area_struct *vma, + ^~~~~~~~~~~~~~~~~~~~~~~~~ + +Signed-off-by: Srikanth Boddepalli +Reviewed-by: Boris Ostrovsky +Reviewed-by: Joey Pabalinas +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + drivers/xen/xlate_mmu.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/xen/xlate_mmu.c b/drivers/xen/xlate_mmu.c +index 23f1387b3ef7..e7df65d32c91 100644 +--- a/drivers/xen/xlate_mmu.c ++++ b/drivers/xen/xlate_mmu.c +@@ -36,6 +36,7 @@ + #include + + #include ++#include + #include + #include + #include +-- +2.19.1 + -- 2.47.3