From 6ce8f5d40fdb1d6223558bb40a56cf53dbc5ee98 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 16 Sep 2019 17:33:56 +0200 Subject: [PATCH] 5.2-stable patches added patches: btrfs-fix-assertion-failure-during-fsync-and-use-of-stale-transaction.patch cgroup-freezer-fix-frozen-state-inheritance.patch drm-i915-limit-mst-to-8bpc-once-again.patch drm-i915-restore-relaxed-padding-ocl_oob_suppres_enable-for-skl.patch drm-lima-fix-lima_gem_wait-return-value.patch genirq-prevent-null-pointer-dereference-in-resend_irqs.patch gpio-fix-line-flag-validation-in-lineevent_create.patch gpio-fix-line-flag-validation-in-linehandle_create.patch gpio-mockup-add-missing-single_release.patch gpiolib-acpi-add-gpiolib_acpi_run_edge_events_on_boot-option-and-blacklist.patch ipc-fix-semtimedop-for-generic-32-bit-architectures.patch ipc-fix-sparc64-ipc-wrapper.patch ixgbe-fix-double-clean-of-tx-descriptors-with-xdp.patch ixgbe-prevent-u8-wrapping-of-itr-value-to-something-less-than-10us.patch kvm-nvmx-handle-page-fault-in-vmread.patch kvm-s390-do-not-leak-kernel-stack-data-in-the-kvm_s390_interrupt-ioctl.patch kvm-s390-kvm_s390_vm_start_migration-check-dirty_bitmap-before-using-it-as-target-for-memset.patch kvm-x86-mmu-reintroduce-fast-invalidate-zap-for-flushing-memslot.patch kvm-x86-work-around-leak-of-uninitialized-stack-contents.patch mmc-tmio-fixup-runtime-pm-management-during-probe.patch mmc-tmio-fixup-runtime-pm-management-during-remove.patch mt76-mt76x0e-disable-5ghz-band-for-mt7630e.patch regulator-twl-voltage-lists-for-vdd1-2-on-twl4030.patch revert-mmc-bcm2835-terminate-timeout-work-synchronously.patch revert-mmc-sdhci-remove-unneeded-quirk2-flag-of-o2-sd-host-controller.patch revert-rt2800-enable-tx_pin_cfg_lna_pe_-bits-per-band.patch --- ...g-fsync-and-use-of-stale-transaction.patch | 187 ++++++++++++++ ...freezer-fix-frozen-state-inheritance.patch | 75 ++++++ ...rm-i915-limit-mst-to-8bpc-once-again.patch | 57 +++++ ...dding-ocl_oob_suppres_enable-for-skl.patch | 51 ++++ ...-lima-fix-lima_gem_wait-return-value.patch | 34 +++ ...l-pointer-dereference-in-resend_irqs.patch | 76 ++++++ ...-flag-validation-in-lineevent_create.patch | 46 ++++ ...flag-validation-in-linehandle_create.patch | 39 +++ ...io-mockup-add-missing-single_release.patch | 32 +++ ..._events_on_boot-option-and-blacklist.patch | 115 +++++++++ ...dop-for-generic-32-bit-architectures.patch | 54 +++++ queue-5.2/ipc-fix-sparc64-ipc-wrapper.patch | 188 +++++++++++++++ ...ble-clean-of-tx-descriptors-with-xdp.patch | 98 ++++++++ ...tr-value-to-something-less-than-10us.patch | 48 ++++ ...kvm-nvmx-handle-page-fault-in-vmread.patch | 40 +++ ...data-in-the-kvm_s390_interrupt-ioctl.patch | 77 ++++++ ...before-using-it-as-target-for-memset.patch | 63 +++++ ...-invalidate-zap-for-flushing-memslot.patch | 228 ++++++++++++++++++ ...leak-of-uninitialized-stack-contents.patch | 44 ++++ ...p-runtime-pm-management-during-probe.patch | 86 +++++++ ...-runtime-pm-management-during-remove.patch | 47 ++++ ...t76x0e-disable-5ghz-band-for-mt7630e.patch | 39 +++ ...-voltage-lists-for-vdd1-2-on-twl4030.patch | 107 ++++++++ ...terminate-timeout-work-synchronously.patch | 35 +++ ...quirk2-flag-of-o2-sd-host-controller.patch | 55 +++++ ...ble-tx_pin_cfg_lna_pe_-bits-per-band.patch | 66 +++++ queue-5.2/series | 26 ++ 27 files changed, 2013 insertions(+) create mode 100644 queue-5.2/btrfs-fix-assertion-failure-during-fsync-and-use-of-stale-transaction.patch create mode 100644 queue-5.2/cgroup-freezer-fix-frozen-state-inheritance.patch create mode 100644 queue-5.2/drm-i915-limit-mst-to-8bpc-once-again.patch create mode 100644 queue-5.2/drm-i915-restore-relaxed-padding-ocl_oob_suppres_enable-for-skl.patch create mode 100644 queue-5.2/drm-lima-fix-lima_gem_wait-return-value.patch create mode 100644 queue-5.2/genirq-prevent-null-pointer-dereference-in-resend_irqs.patch create mode 100644 queue-5.2/gpio-fix-line-flag-validation-in-lineevent_create.patch create mode 100644 queue-5.2/gpio-fix-line-flag-validation-in-linehandle_create.patch create mode 100644 queue-5.2/gpio-mockup-add-missing-single_release.patch create mode 100644 queue-5.2/gpiolib-acpi-add-gpiolib_acpi_run_edge_events_on_boot-option-and-blacklist.patch create mode 100644 queue-5.2/ipc-fix-semtimedop-for-generic-32-bit-architectures.patch create mode 100644 queue-5.2/ipc-fix-sparc64-ipc-wrapper.patch create mode 100644 queue-5.2/ixgbe-fix-double-clean-of-tx-descriptors-with-xdp.patch create mode 100644 queue-5.2/ixgbe-prevent-u8-wrapping-of-itr-value-to-something-less-than-10us.patch create mode 100644 queue-5.2/kvm-nvmx-handle-page-fault-in-vmread.patch create mode 100644 queue-5.2/kvm-s390-do-not-leak-kernel-stack-data-in-the-kvm_s390_interrupt-ioctl.patch create mode 100644 queue-5.2/kvm-s390-kvm_s390_vm_start_migration-check-dirty_bitmap-before-using-it-as-target-for-memset.patch create mode 100644 queue-5.2/kvm-x86-mmu-reintroduce-fast-invalidate-zap-for-flushing-memslot.patch create mode 100644 queue-5.2/kvm-x86-work-around-leak-of-uninitialized-stack-contents.patch create mode 100644 queue-5.2/mmc-tmio-fixup-runtime-pm-management-during-probe.patch create mode 100644 queue-5.2/mmc-tmio-fixup-runtime-pm-management-during-remove.patch create mode 100644 queue-5.2/mt76-mt76x0e-disable-5ghz-band-for-mt7630e.patch create mode 100644 queue-5.2/regulator-twl-voltage-lists-for-vdd1-2-on-twl4030.patch create mode 100644 queue-5.2/revert-mmc-bcm2835-terminate-timeout-work-synchronously.patch create mode 100644 queue-5.2/revert-mmc-sdhci-remove-unneeded-quirk2-flag-of-o2-sd-host-controller.patch create mode 100644 queue-5.2/revert-rt2800-enable-tx_pin_cfg_lna_pe_-bits-per-band.patch diff --git a/queue-5.2/btrfs-fix-assertion-failure-during-fsync-and-use-of-stale-transaction.patch b/queue-5.2/btrfs-fix-assertion-failure-during-fsync-and-use-of-stale-transaction.patch new file mode 100644 index 00000000000..3c56b6ffde2 --- /dev/null +++ b/queue-5.2/btrfs-fix-assertion-failure-during-fsync-and-use-of-stale-transaction.patch @@ -0,0 +1,187 @@ +From 410f954cb1d1c79ae485dd83a175f21954fd87cd Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Tue, 10 Sep 2019 15:26:49 +0100 +Subject: Btrfs: fix assertion failure during fsync and use of stale transaction + +From: Filipe Manana + +commit 410f954cb1d1c79ae485dd83a175f21954fd87cd upstream. + +Sometimes when fsync'ing a file we need to log that other inodes exist and +when we need to do that we acquire a reference on the inodes and then drop +that reference using iput() after logging them. + +That generally is not a problem except if we end up doing the final iput() +(dropping the last reference) on the inode and that inode has a link count +of 0, which can happen in a very short time window if the logging path +gets a reference on the inode while it's being unlinked. + +In that case we end up getting the eviction callback, btrfs_evict_inode(), +invoked through the iput() call chain which needs to drop all of the +inode's items from its subvolume btree, and in order to do that, it needs +to join a transaction at the helper function evict_refill_and_join(). +However because the task previously started a transaction at the fsync +handler, btrfs_sync_file(), it has current->journal_info already pointing +to a transaction handle and therefore evict_refill_and_join() will get +that transaction handle from btrfs_join_transaction(). From this point on, +two different problems can happen: + +1) evict_refill_and_join() will often change the transaction handle's + block reserve (->block_rsv) and set its ->bytes_reserved field to a + value greater than 0. If evict_refill_and_join() never commits the + transaction, the eviction handler ends up decreasing the reference + count (->use_count) of the transaction handle through the call to + btrfs_end_transaction(), and after that point we have a transaction + handle with a NULL ->block_rsv (which is the value prior to the + transaction join from evict_refill_and_join()) and a ->bytes_reserved + value greater than 0. If after the eviction/iput completes the inode + logging path hits an error or it decides that it must fallback to a + transaction commit, the btrfs fsync handle, btrfs_sync_file(), gets a + non-zero value from btrfs_log_dentry_safe(), and because of that + non-zero value it tries to commit the transaction using a handle with + a NULL ->block_rsv and a non-zero ->bytes_reserved value. This makes + the transaction commit hit an assertion failure at + btrfs_trans_release_metadata() because ->bytes_reserved is not zero but + the ->block_rsv is NULL. The produced stack trace for that is like the + following: + + [192922.917158] assertion failed: !trans->bytes_reserved, file: fs/btrfs/transaction.c, line: 816 + [192922.917553] ------------[ cut here ]------------ + [192922.917922] kernel BUG at fs/btrfs/ctree.h:3532! + [192922.918310] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC PTI + [192922.918666] CPU: 2 PID: 883 Comm: fsstress Tainted: G W 5.1.4-btrfs-next-47 #1 + [192922.919035] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.2-0-gf9626ccb91-prebuilt.qemu-project.org 04/01/2014 + [192922.919801] RIP: 0010:assfail.constprop.25+0x18/0x1a [btrfs] + (...) + [192922.920925] RSP: 0018:ffffaebdc8a27da8 EFLAGS: 00010286 + [192922.921315] RAX: 0000000000000051 RBX: ffff95c9c16a41c0 RCX: 0000000000000000 + [192922.921692] RDX: 0000000000000000 RSI: ffff95cab6b16838 RDI: ffff95cab6b16838 + [192922.922066] RBP: ffff95c9c16a41c0 R08: 0000000000000000 R09: 0000000000000000 + [192922.922442] R10: ffffaebdc8a27e70 R11: 0000000000000000 R12: ffff95ca731a0980 + [192922.922820] R13: 0000000000000000 R14: ffff95ca84c73338 R15: ffff95ca731a0ea8 + [192922.923200] FS: 00007f337eda4e80(0000) GS:ffff95cab6b00000(0000) knlGS:0000000000000000 + [192922.923579] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [192922.923948] CR2: 00007f337edad000 CR3: 00000001e00f6002 CR4: 00000000003606e0 + [192922.924329] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + [192922.924711] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + [192922.925105] Call Trace: + [192922.925505] btrfs_trans_release_metadata+0x10c/0x170 [btrfs] + [192922.925911] btrfs_commit_transaction+0x3e/0xaf0 [btrfs] + [192922.926324] btrfs_sync_file+0x44c/0x490 [btrfs] + [192922.926731] do_fsync+0x38/0x60 + [192922.927138] __x64_sys_fdatasync+0x13/0x20 + [192922.927543] do_syscall_64+0x60/0x1c0 + [192922.927939] entry_SYSCALL_64_after_hwframe+0x49/0xbe + (...) + [192922.934077] ---[ end trace f00808b12068168f ]--- + +2) If evict_refill_and_join() decides to commit the transaction, it will + be able to do it, since the nested transaction join only increments the + transaction handle's ->use_count reference counter and it does not + prevent the transaction from getting committed. This means that after + eviction completes, the fsync logging path will be using a transaction + handle that refers to an already committed transaction. What happens + when using such a stale transaction can be unpredictable, we are at + least having a use-after-free on the transaction handle itself, since + the transaction commit will call kmem_cache_free() against the handle + regardless of its ->use_count value, or we can end up silently losing + all the updates to the log tree after that iput() in the logging path, + or using a transaction handle that in the meanwhile was allocated to + another task for a new transaction, etc, pretty much unpredictable + what can happen. + +In order to fix both of them, instead of using iput() during logging, use +btrfs_add_delayed_iput(), so that the logging path of fsync never drops +the last reference on an inode, that step is offloaded to a safe context +(usually the cleaner kthread). + +The assertion failure issue was sporadically triggered by the test case +generic/475 from fstests, which loads the dm error target while fsstress +is running, which lead to fsync failing while logging inodes with -EIO +errors and then trying later to commit the transaction, triggering the +assertion failure. + +CC: stable@vger.kernel.org # 4.4+ +Reviewed-by: Josef Bacik +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/tree-log.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -4985,7 +4985,7 @@ static int log_conflicting_inodes(struct + BTRFS_I(inode), + LOG_OTHER_INODE_ALL, + 0, LLONG_MAX, ctx); +- iput(inode); ++ btrfs_add_delayed_iput(inode); + } + } + continue; +@@ -5000,7 +5000,7 @@ static int log_conflicting_inodes(struct + ret = btrfs_log_inode(trans, root, BTRFS_I(inode), + LOG_OTHER_INODE, 0, LLONG_MAX, ctx); + if (ret) { +- iput(inode); ++ btrfs_add_delayed_iput(inode); + continue; + } + +@@ -5009,7 +5009,7 @@ static int log_conflicting_inodes(struct + key.offset = 0; + ret = btrfs_search_slot(NULL, root, &key, path, 0, 0); + if (ret < 0) { +- iput(inode); ++ btrfs_add_delayed_iput(inode); + continue; + } + +@@ -5056,7 +5056,7 @@ static int log_conflicting_inodes(struct + } + path->slots[0]++; + } +- iput(inode); ++ btrfs_add_delayed_iput(inode); + } + + return ret; +@@ -5689,7 +5689,7 @@ process_leaf: + } + + if (btrfs_inode_in_log(BTRFS_I(di_inode), trans->transid)) { +- iput(di_inode); ++ btrfs_add_delayed_iput(di_inode); + break; + } + +@@ -5701,7 +5701,7 @@ process_leaf: + if (!ret && + btrfs_must_commit_transaction(trans, BTRFS_I(di_inode))) + ret = 1; +- iput(di_inode); ++ btrfs_add_delayed_iput(di_inode); + if (ret) + goto next_dir_inode; + if (ctx->log_new_dentries) { +@@ -5848,7 +5848,7 @@ static int btrfs_log_all_parents(struct + if (!ret && ctx && ctx->log_new_dentries) + ret = log_new_dir_dentries(trans, root, + BTRFS_I(dir_inode), ctx); +- iput(dir_inode); ++ btrfs_add_delayed_iput(dir_inode); + if (ret) + goto out; + } +@@ -5891,7 +5891,7 @@ static int log_new_ancestors(struct btrf + ret = btrfs_log_inode(trans, root, BTRFS_I(inode), + LOG_INODE_EXISTS, + 0, LLONG_MAX, ctx); +- iput(inode); ++ btrfs_add_delayed_iput(inode); + if (ret) + return ret; + diff --git a/queue-5.2/cgroup-freezer-fix-frozen-state-inheritance.patch b/queue-5.2/cgroup-freezer-fix-frozen-state-inheritance.patch new file mode 100644 index 00000000000..751a1bf066d --- /dev/null +++ b/queue-5.2/cgroup-freezer-fix-frozen-state-inheritance.patch @@ -0,0 +1,75 @@ +From 97a61369830ab085df5aed0ff9256f35b07d425a Mon Sep 17 00:00:00 2001 +From: Roman Gushchin +Date: Thu, 12 Sep 2019 10:56:45 -0700 +Subject: cgroup: freezer: fix frozen state inheritance + +From: Roman Gushchin + +commit 97a61369830ab085df5aed0ff9256f35b07d425a upstream. + +If a new child cgroup is created in the frozen cgroup hierarchy +(one or more of ancestor cgroups is frozen), the CGRP_FREEZE cgroup +flag should be set. Otherwise if a process will be attached to the +child cgroup, it won't become frozen. + +The problem can be reproduced with the test_cgfreezer_mkdir test. + +This is the output before this patch: + ~/test_freezer + ok 1 test_cgfreezer_simple + ok 2 test_cgfreezer_tree + ok 3 test_cgfreezer_forkbomb + Cgroup /sys/fs/cgroup/cg_test_mkdir_A/cg_test_mkdir_B isn't frozen + not ok 4 test_cgfreezer_mkdir + ok 5 test_cgfreezer_rmdir + ok 6 test_cgfreezer_migrate + ok 7 test_cgfreezer_ptrace + ok 8 test_cgfreezer_stopped + ok 9 test_cgfreezer_ptraced + ok 10 test_cgfreezer_vfork + +And with this patch: + ~/test_freezer + ok 1 test_cgfreezer_simple + ok 2 test_cgfreezer_tree + ok 3 test_cgfreezer_forkbomb + ok 4 test_cgfreezer_mkdir + ok 5 test_cgfreezer_rmdir + ok 6 test_cgfreezer_migrate + ok 7 test_cgfreezer_ptrace + ok 8 test_cgfreezer_stopped + ok 9 test_cgfreezer_ptraced + ok 10 test_cgfreezer_vfork + +Reported-by: Mark Crossen +Signed-off-by: Roman Gushchin +Fixes: 76f969e8948d ("cgroup: cgroup v2 freezer") +Cc: Tejun Heo +Cc: stable@vger.kernel.org # v5.2+ +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/cgroup/cgroup.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/kernel/cgroup/cgroup.c ++++ b/kernel/cgroup/cgroup.c +@@ -5213,8 +5213,16 @@ static struct cgroup *cgroup_create(stru + * if the parent has to be frozen, the child has too. + */ + cgrp->freezer.e_freeze = parent->freezer.e_freeze; +- if (cgrp->freezer.e_freeze) ++ if (cgrp->freezer.e_freeze) { ++ /* ++ * Set the CGRP_FREEZE flag, so when a process will be ++ * attached to the child cgroup, it will become frozen. ++ * At this point the new cgroup is unpopulated, so we can ++ * consider it frozen immediately. ++ */ ++ set_bit(CGRP_FREEZE, &cgrp->flags); + set_bit(CGRP_FROZEN, &cgrp->flags); ++ } + + spin_lock_irq(&css_set_lock); + for (tcgrp = cgrp; tcgrp; tcgrp = cgroup_parent(tcgrp)) { diff --git a/queue-5.2/drm-i915-limit-mst-to-8bpc-once-again.patch b/queue-5.2/drm-i915-limit-mst-to-8bpc-once-again.patch new file mode 100644 index 00000000000..50dfee58144 --- /dev/null +++ b/queue-5.2/drm-i915-limit-mst-to-8bpc-once-again.patch @@ -0,0 +1,57 @@ +From bb1a71f9c4672fbfcf2158fd57d0c5c0cdae5612 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Date: Wed, 28 Aug 2019 13:20:59 +0300 +Subject: drm/i915: Limit MST to <= 8bpc once again +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ville Syrjälä + +commit bb1a71f9c4672fbfcf2158fd57d0c5c0cdae5612 upstream. + +My attempt at allowing MST to use the higher color depths has +regressed some configurations. Apparently people have setups +where all MST streams will fit into the DP link with 8bpc but +won't fit with higher color depths. + +What we really should be doing is reducing the bpc for all the +streams on the same link until they start to fit. But that requires +a bit more work, so in the meantime let's revert back closer to +the old behavior and limit MST to at most 8bpc. + +Cc: stable@vger.kernel.org +Cc: Lyude Paul +Tested-by: Geoffrey Bennett +Fixes: f1477219869c ("drm/i915: Remove the 8bpc shackles from DP MST") +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=111505 +Signed-off-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20190828102059.2512-1-ville.syrjala@linux.intel.com +Reviewed-by: Lyude Paul +(cherry picked from commit 75427b2a2bffc083d51dec389c235722a9c69b05) +Signed-off-by: Jani Nikula +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/intel_dp_mst.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/i915/intel_dp_mst.c ++++ b/drivers/gpu/drm/i915/intel_dp_mst.c +@@ -125,7 +125,15 @@ static int intel_dp_mst_compute_config(s + limits.max_lane_count = intel_dp_max_lane_count(intel_dp); + + limits.min_bpp = intel_dp_min_bpp(pipe_config); +- limits.max_bpp = pipe_config->pipe_bpp; ++ /* ++ * FIXME: If all the streams can't fit into the link with ++ * their current pipe_bpp we should reduce pipe_bpp across ++ * the board until things start to fit. Until then we ++ * limit to <= 8bpc since that's what was hardcoded for all ++ * MST streams previously. This hack should be removed once ++ * we have the proper retry logic in place. ++ */ ++ limits.max_bpp = min(pipe_config->pipe_bpp, 24); + + intel_dp_adjust_compliance_config(intel_dp, pipe_config, &limits); + diff --git a/queue-5.2/drm-i915-restore-relaxed-padding-ocl_oob_suppres_enable-for-skl.patch b/queue-5.2/drm-i915-restore-relaxed-padding-ocl_oob_suppres_enable-for-skl.patch new file mode 100644 index 00000000000..579b064f06e --- /dev/null +++ b/queue-5.2/drm-i915-restore-relaxed-padding-ocl_oob_suppres_enable-for-skl.patch @@ -0,0 +1,51 @@ +From 2eb0964eec5f1d99f9eaf4963eee267acc72b615 Mon Sep 17 00:00:00 2001 +From: Chris Wilson +Date: Wed, 4 Sep 2019 11:07:07 +0100 +Subject: drm/i915: Restore relaxed padding (OCL_OOB_SUPPRES_ENABLE) for skl+ + +From: Chris Wilson + +commit 2eb0964eec5f1d99f9eaf4963eee267acc72b615 upstream. + +This bit was fliped on for "syncing dependencies between camera and +graphics". BSpec has no recollection why, and it is causing +unrecoverable GPU hangs with Vulkan compute workloads. + +From BSpec, setting bit5 to 0 enables relaxed padding requirements for +buffers, 1D and 2D non-array, non-MSAA, non-mip-mapped linear surfaces; +and *must* be set to 0h on skl+ to ensure "Out of Bounds" case is +suppressed. + +Reported-by: Jason Ekstrand +Suggested-by: Jason Ekstrand +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=110998 +Fixes: 8424171e135c ("drm/i915/gen9: h/w w/a: syncing dependencies between camera and graphics") +Signed-off-by: Chris Wilson +Tested-by: denys.kostin@globallogic.com +Cc: Jason Ekstrand +Cc: Mika Kuoppala +Cc: # v4.1+ +Reviewed-by: Mika Kuoppala +Link: https://patchwork.freedesktop.org/patch/msgid/20190904100707.7377-1-chris@chris-wilson.co.uk +(cherry picked from commit 9d7b01e93526efe79dbf75b69cc5972b5a4f7b37) +Signed-off-by: Jani Nikula +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/intel_workarounds.c | 5 ----- + 1 file changed, 5 deletions(-) + +--- a/drivers/gpu/drm/i915/intel_workarounds.c ++++ b/drivers/gpu/drm/i915/intel_workarounds.c +@@ -294,11 +294,6 @@ static void gen9_ctx_workarounds_init(st + FLOW_CONTROL_ENABLE | + PARTIAL_INSTRUCTION_SHOOTDOWN_DISABLE); + +- /* Syncing dependencies between camera and graphics:skl,bxt,kbl */ +- if (!IS_COFFEELAKE(i915)) +- WA_SET_BIT_MASKED(HALF_SLICE_CHICKEN3, +- GEN9_DISABLE_OCL_OOB_SUPPRESS_LOGIC); +- + /* WaEnableYV12BugFixInHalfSliceChicken7:skl,bxt,kbl,glk,cfl */ + /* WaEnableSamplerGPGPUPreemptionSupport:skl,bxt,kbl,cfl */ + WA_SET_BIT_MASKED(GEN9_HALF_SLICE_CHICKEN7, diff --git a/queue-5.2/drm-lima-fix-lima_gem_wait-return-value.patch b/queue-5.2/drm-lima-fix-lima_gem_wait-return-value.patch new file mode 100644 index 00000000000..ebe60b14b83 --- /dev/null +++ b/queue-5.2/drm-lima-fix-lima_gem_wait-return-value.patch @@ -0,0 +1,34 @@ +From 21670bd78a25001cf8ef2679b378c73fb73b904f Mon Sep 17 00:00:00 2001 +From: Vasily Khoruzhick +Date: Sat, 7 Sep 2019 19:48:00 -0700 +Subject: drm/lima: fix lima_gem_wait() return value + +From: Vasily Khoruzhick + +commit 21670bd78a25001cf8ef2679b378c73fb73b904f upstream. + +drm_gem_reservation_object_wait() returns 0 if it succeeds and -ETIME +if it timeouts, but lima driver assumed that 0 is error. + +Cc: stable@vger.kernel.org +Fixes: a1d2a6339961e ("drm/lima: driver for ARM Mali4xx GPUs") +Signed-off-by: Vasily Khoruzhick +Signed-off-by: Qiang Yu +Link: https://patchwork.freedesktop.org/patch/msgid/20190908024800.23229-1-anarsoul@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/lima/lima_gem.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/lima/lima_gem.c ++++ b/drivers/gpu/drm/lima/lima_gem.c +@@ -342,7 +342,7 @@ int lima_gem_wait(struct drm_file *file, + timeout = drm_timeout_abs_to_jiffies(timeout_ns); + + ret = drm_gem_reservation_object_wait(file, handle, write, timeout); +- if (ret == 0) ++ if (ret == -ETIME) + ret = timeout ? -ETIMEDOUT : -EBUSY; + + return ret; diff --git a/queue-5.2/genirq-prevent-null-pointer-dereference-in-resend_irqs.patch b/queue-5.2/genirq-prevent-null-pointer-dereference-in-resend_irqs.patch new file mode 100644 index 00000000000..dce0912c4f2 --- /dev/null +++ b/queue-5.2/genirq-prevent-null-pointer-dereference-in-resend_irqs.patch @@ -0,0 +1,76 @@ +From eddf3e9c7c7e4d0707c68d1bb22cc6ec8aef7d4a Mon Sep 17 00:00:00 2001 +From: Yunfeng Ye +Date: Wed, 4 Sep 2019 20:46:25 +0800 +Subject: genirq: Prevent NULL pointer dereference in resend_irqs() + +From: Yunfeng Ye + +commit eddf3e9c7c7e4d0707c68d1bb22cc6ec8aef7d4a upstream. + +The following crash was observed: + + Unable to handle kernel NULL pointer dereference at 0000000000000158 + Internal error: Oops: 96000004 [#1] SMP + pc : resend_irqs+0x68/0xb0 + lr : resend_irqs+0x64/0xb0 + ... + Call trace: + resend_irqs+0x68/0xb0 + tasklet_action_common.isra.6+0x84/0x138 + tasklet_action+0x2c/0x38 + __do_softirq+0x120/0x324 + run_ksoftirqd+0x44/0x60 + smpboot_thread_fn+0x1ac/0x1e8 + kthread+0x134/0x138 + ret_from_fork+0x10/0x18 + +The reason for this is that the interrupt resend mechanism happens in soft +interrupt context, which is a asynchronous mechanism versus other +operations on interrupts. free_irq() does not take resend handling into +account. Thus, the irq descriptor might be already freed before the resend +tasklet is executed. resend_irqs() does not check the return value of the +interrupt descriptor lookup and derefences the return value +unconditionally. + + 1): + __setup_irq + irq_startup + check_irq_resend // activate softirq to handle resend irq + 2): + irq_domain_free_irqs + irq_free_descs + free_desc + call_rcu(&desc->rcu, delayed_free_desc) + 3): + __do_softirq + tasklet_action + resend_irqs + desc = irq_to_desc(irq) + desc->handle_irq(desc) // desc is NULL --> Ooops + +Fix this by adding a NULL pointer check in resend_irqs() before derefencing +the irq descriptor. + +Fixes: a4633adcdbc1 ("[PATCH] genirq: add genirq sw IRQ-retrigger") +Signed-off-by: Yunfeng Ye +Signed-off-by: Thomas Gleixner +Reviewed-by: Zhiqiang Liu +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/1630ae13-5c8e-901e-de09-e740b6a426a7@huawei.com +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/irq/resend.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/kernel/irq/resend.c ++++ b/kernel/irq/resend.c +@@ -36,6 +36,8 @@ static void resend_irqs(unsigned long ar + irq = find_first_bit(irqs_resend, nr_irqs); + clear_bit(irq, irqs_resend); + desc = irq_to_desc(irq); ++ if (!desc) ++ continue; + local_irq_disable(); + desc->handle_irq(desc); + local_irq_enable(); diff --git a/queue-5.2/gpio-fix-line-flag-validation-in-lineevent_create.patch b/queue-5.2/gpio-fix-line-flag-validation-in-lineevent_create.patch new file mode 100644 index 00000000000..410fdf8ed08 --- /dev/null +++ b/queue-5.2/gpio-fix-line-flag-validation-in-lineevent_create.patch @@ -0,0 +1,46 @@ +From 5ca2f54b597c816df54ff1b28eb99cf7262b955d Mon Sep 17 00:00:00 2001 +From: Kent Gibson +Date: Mon, 9 Sep 2019 03:24:06 +0000 +Subject: gpio: fix line flag validation in lineevent_create + +From: Kent Gibson + +commit 5ca2f54b597c816df54ff1b28eb99cf7262b955d upstream. + +lineevent_create should not allow any of GPIOHANDLE_REQUEST_OUTPUT, +GPIOHANDLE_REQUEST_OPEN_DRAIN or GPIOHANDLE_REQUEST_OPEN_SOURCE to be set. + +Fixes: d7c51b47ac11 ("gpio: userspace ABI for reading/writing GPIO lines") +Cc: stable +Signed-off-by: Kent Gibson +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpio/gpiolib.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +--- a/drivers/gpio/gpiolib.c ++++ b/drivers/gpio/gpiolib.c +@@ -934,7 +934,9 @@ static int lineevent_create(struct gpio_ + } + + /* This is just wrong: we don't look for events on output lines */ +- if (lflags & GPIOHANDLE_REQUEST_OUTPUT) { ++ if ((lflags & GPIOHANDLE_REQUEST_OUTPUT) || ++ (lflags & GPIOHANDLE_REQUEST_OPEN_DRAIN) || ++ (lflags & GPIOHANDLE_REQUEST_OPEN_SOURCE)) { + ret = -EINVAL; + goto out_free_label; + } +@@ -948,10 +950,6 @@ static int lineevent_create(struct gpio_ + + if (lflags & GPIOHANDLE_REQUEST_ACTIVE_LOW) + set_bit(FLAG_ACTIVE_LOW, &desc->flags); +- if (lflags & GPIOHANDLE_REQUEST_OPEN_DRAIN) +- set_bit(FLAG_OPEN_DRAIN, &desc->flags); +- if (lflags & GPIOHANDLE_REQUEST_OPEN_SOURCE) +- set_bit(FLAG_OPEN_SOURCE, &desc->flags); + + ret = gpiod_direction_input(desc); + if (ret) diff --git a/queue-5.2/gpio-fix-line-flag-validation-in-linehandle_create.patch b/queue-5.2/gpio-fix-line-flag-validation-in-linehandle_create.patch new file mode 100644 index 00000000000..030c1dc3d67 --- /dev/null +++ b/queue-5.2/gpio-fix-line-flag-validation-in-linehandle_create.patch @@ -0,0 +1,39 @@ +From e95fbc130a162ba9ad956311b95aa0da269eea48 Mon Sep 17 00:00:00 2001 +From: Kent Gibson +Date: Mon, 9 Sep 2019 03:22:18 +0000 +Subject: gpio: fix line flag validation in linehandle_create + +From: Kent Gibson + +commit e95fbc130a162ba9ad956311b95aa0da269eea48 upstream. + +linehandle_create should not allow both GPIOHANDLE_REQUEST_INPUT +and GPIOHANDLE_REQUEST_OUTPUT to be set. + +Fixes: d7c51b47ac11 ("gpio: userspace ABI for reading/writing GPIO lines") +Cc: stable +Signed-off-by: Kent Gibson +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpio/gpiolib.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/gpio/gpiolib.c ++++ b/drivers/gpio/gpiolib.c +@@ -536,6 +536,14 @@ static int linehandle_create(struct gpio + return -EINVAL; + + /* ++ * Do not allow both INPUT & OUTPUT flags to be set as they are ++ * contradictory. ++ */ ++ if ((lflags & GPIOHANDLE_REQUEST_INPUT) && ++ (lflags & GPIOHANDLE_REQUEST_OUTPUT)) ++ return -EINVAL; ++ ++ /* + * Do not allow OPEN_SOURCE & OPEN_DRAIN flags in a single request. If + * the hardware actually supports enabling both at the same time the + * electrical result would be disastrous. diff --git a/queue-5.2/gpio-mockup-add-missing-single_release.patch b/queue-5.2/gpio-mockup-add-missing-single_release.patch new file mode 100644 index 00000000000..7f9c404e3b5 --- /dev/null +++ b/queue-5.2/gpio-mockup-add-missing-single_release.patch @@ -0,0 +1,32 @@ +From 59929d3a2eb6c4abafc5b61a20c98aa8728ec378 Mon Sep 17 00:00:00 2001 +From: Wei Yongjun +Date: Wed, 4 Sep 2019 14:18:34 +0000 +Subject: gpio: mockup: add missing single_release() + +From: Wei Yongjun + +commit 59929d3a2eb6c4abafc5b61a20c98aa8728ec378 upstream. + +When using single_open() for opening, single_release() should be +used instead of seq_release(), otherwise there is a memory leak. + +Fixes: 2a9e27408e12 ("gpio: mockup: rework debugfs interface") +Cc: stable +Signed-off-by: Wei Yongjun +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpio/gpio-mockup.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpio/gpio-mockup.c ++++ b/drivers/gpio/gpio-mockup.c +@@ -309,6 +309,7 @@ static const struct file_operations gpio + .read = gpio_mockup_debugfs_read, + .write = gpio_mockup_debugfs_write, + .llseek = no_llseek, ++ .release = single_release, + }; + + static void gpio_mockup_debugfs_setup(struct device *dev, diff --git a/queue-5.2/gpiolib-acpi-add-gpiolib_acpi_run_edge_events_on_boot-option-and-blacklist.patch b/queue-5.2/gpiolib-acpi-add-gpiolib_acpi_run_edge_events_on_boot-option-and-blacklist.patch new file mode 100644 index 00000000000..ddaa7ca5f38 --- /dev/null +++ b/queue-5.2/gpiolib-acpi-add-gpiolib_acpi_run_edge_events_on_boot-option-and-blacklist.patch @@ -0,0 +1,115 @@ +From 61f7f7c8f978b1c0d80e43c83b7d110ca0496eb4 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Tue, 27 Aug 2019 22:28:35 +0200 +Subject: gpiolib: acpi: Add gpiolib_acpi_run_edge_events_on_boot option and blacklist + +From: Hans de Goede + +commit 61f7f7c8f978b1c0d80e43c83b7d110ca0496eb4 upstream. + +Another day; another DSDT bug we need to workaround... + +Since commit ca876c7483b6 ("gpiolib-acpi: make sure we trigger edge events +at least once on boot") we call _AEI edge handlers at boot. + +In some rare cases this causes problems. One example of this is the Minix +Neo Z83-4 mini PC, this device has a clear DSDT bug where it has some copy +and pasted code for dealing with Micro USB-B connector host/device role +switching, while the mini PC does not even have a micro-USB connector. +This code, which should not be there, messes with the DDC data pin from +the HDMI connector (switching it to GPIO mode) breaking HDMI support. + +To avoid problems like this, this commit adds a new +gpiolib_acpi.run_edge_events_on_boot kernel commandline option, which +allows disabling the running of _AEI edge event handlers at boot. + +The default value is -1/auto which uses a DMI based blacklist, the initial +version of this blacklist contains the Neo Z83-4 fixing the HDMI breakage. + +Cc: stable@vger.kernel.org +Cc: Daniel Drake +Cc: Ian W MORRISON +Reported-by: Ian W MORRISON +Suggested-by: Ian W MORRISON +Fixes: ca876c7483b6 ("gpiolib-acpi: make sure we trigger edge events at least once on boot") +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20190827202835.213456-1-hdegoede@redhat.com +Acked-by: Mika Westerberg +Reviewed-by: Andy Shevchenko +Tested-by: Ian W MORRISON +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpio/gpiolib-acpi.c | 42 ++++++++++++++++++++++++++++++++++++++---- + 1 file changed, 38 insertions(+), 4 deletions(-) + +--- a/drivers/gpio/gpiolib-acpi.c ++++ b/drivers/gpio/gpiolib-acpi.c +@@ -7,6 +7,7 @@ + * Mika Westerberg + */ + ++#include + #include + #include + #include +@@ -19,6 +20,11 @@ + + #include "gpiolib.h" + ++static int run_edge_events_on_boot = -1; ++module_param(run_edge_events_on_boot, int, 0444); ++MODULE_PARM_DESC(run_edge_events_on_boot, ++ "Run edge _AEI event-handlers at boot: 0=no, 1=yes, -1=auto"); ++ + /** + * struct acpi_gpio_event - ACPI GPIO event handler data + * +@@ -170,10 +176,13 @@ static void acpi_gpiochip_request_irq(st + event->irq_requested = true; + + /* Make sure we trigger the initial state of edge-triggered IRQs */ +- value = gpiod_get_raw_value_cansleep(event->desc); +- if (((event->irqflags & IRQF_TRIGGER_RISING) && value == 1) || +- ((event->irqflags & IRQF_TRIGGER_FALLING) && value == 0)) +- event->handler(event->irq, event); ++ if (run_edge_events_on_boot && ++ (event->irqflags & (IRQF_TRIGGER_RISING | IRQF_TRIGGER_FALLING))) { ++ value = gpiod_get_raw_value_cansleep(event->desc); ++ if (((event->irqflags & IRQF_TRIGGER_RISING) && value == 1) || ++ ((event->irqflags & IRQF_TRIGGER_FALLING) && value == 0)) ++ event->handler(event->irq, event); ++ } + } + + static void acpi_gpiochip_request_irqs(struct acpi_gpio_chip *acpi_gpio) +@@ -1283,3 +1292,28 @@ static int acpi_gpio_handle_deferred_req + } + /* We must use _sync so that this runs after the first deferred_probe run */ + late_initcall_sync(acpi_gpio_handle_deferred_request_irqs); ++ ++static const struct dmi_system_id run_edge_events_on_boot_blacklist[] = { ++ { ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "MINIX"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Z83-4"), ++ } ++ }, ++ {} /* Terminating entry */ ++}; ++ ++static int acpi_gpio_setup_params(void) ++{ ++ if (run_edge_events_on_boot < 0) { ++ if (dmi_check_system(run_edge_events_on_boot_blacklist)) ++ run_edge_events_on_boot = 0; ++ else ++ run_edge_events_on_boot = 1; ++ } ++ ++ return 0; ++} ++ ++/* Directly after dmi_setup() which runs as core_initcall() */ ++postcore_initcall(acpi_gpio_setup_params); diff --git a/queue-5.2/ipc-fix-semtimedop-for-generic-32-bit-architectures.patch b/queue-5.2/ipc-fix-semtimedop-for-generic-32-bit-architectures.patch new file mode 100644 index 00000000000..a61d11b142b --- /dev/null +++ b/queue-5.2/ipc-fix-semtimedop-for-generic-32-bit-architectures.patch @@ -0,0 +1,54 @@ +From 78e05972c5e6c8e9ca4c00ccc6985409da69f904 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Thu, 5 Sep 2019 16:20:09 +0200 +Subject: ipc: fix semtimedop for generic 32-bit architectures + +From: Arnd Bergmann + +commit 78e05972c5e6c8e9ca4c00ccc6985409da69f904 upstream. + +As Vincent noticed, the y2038 conversion of semtimedop in linux-5.1 +broke when commit 00bf25d693e7 ("y2038: use time32 syscall names on +32-bit") changed all system calls on all architectures that take +a 32-bit time_t to point to the _time32 implementation, but left out +semtimedop in the asm-generic header. + +This affects all 32-bit architectures using asm-generic/unistd.h: +h8300, unicore32, openrisc, nios2, hexagon, c6x, arc, nds32 and csky. + +The notable exception is riscv32, which has dropped support for the +time32 system calls entirely. + +Reported-by: Vincent Chen +Cc: stable@vger.kernel.org +Cc: Vincent Chen +Cc: Greentime Hu +Cc: Yoshinori Sato +Cc: Guan Xuetao +Cc: Stafford Horne +Cc: Jonas Bonn +Cc: Stefan Kristiansson +Cc: Ley Foon Tan +Cc: Richard Kuo +Cc: Mark Salter +Cc: Aurelien Jacquiot +Cc: Guo Ren +Fixes: 00bf25d693e7 ("y2038: use time32 syscall names on 32-bit") +Signed-off-by: Arnd Bergmann +Signed-off-by: Greg Kroah-Hartman + +--- + include/uapi/asm-generic/unistd.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/uapi/asm-generic/unistd.h ++++ b/include/uapi/asm-generic/unistd.h +@@ -569,7 +569,7 @@ __SYSCALL(__NR_semget, sys_semget) + __SC_COMP(__NR_semctl, sys_semctl, compat_sys_semctl) + #if defined(__ARCH_WANT_TIME32_SYSCALLS) || __BITS_PER_LONG != 32 + #define __NR_semtimedop 192 +-__SC_COMP(__NR_semtimedop, sys_semtimedop, sys_semtimedop_time32) ++__SC_3264(__NR_semtimedop, sys_semtimedop_time32, sys_semtimedop) + #endif + #define __NR_semop 193 + __SYSCALL(__NR_semop, sys_semop) diff --git a/queue-5.2/ipc-fix-sparc64-ipc-wrapper.patch b/queue-5.2/ipc-fix-sparc64-ipc-wrapper.patch new file mode 100644 index 00000000000..ae2b2ac539b --- /dev/null +++ b/queue-5.2/ipc-fix-sparc64-ipc-wrapper.patch @@ -0,0 +1,188 @@ +From fb377eb80c80339b580831a3c0fcce34a4c9d1ad Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Thu, 5 Sep 2019 16:48:38 +0200 +Subject: ipc: fix sparc64 ipc() wrapper + +From: Arnd Bergmann + +commit fb377eb80c80339b580831a3c0fcce34a4c9d1ad upstream. + +Matt bisected a sparc64 specific issue with semctl, shmctl and msgctl +to a commit from my y2038 series in linux-5.1, as I missed the custom +sys_ipc() wrapper that sparc64 uses in place of the generic version that +I patched. + +The problem is that the sys_{sem,shm,msg}ctl() functions in the kernel +now do not allow being called with the IPC_64 flag any more, resulting +in a -EINVAL error when they don't recognize the command. + +Instead, the correct way to do this now is to call the internal +ksys_old_{sem,shm,msg}ctl() functions to select the API version. + +As we generally move towards these functions anyway, change all of +sparc_ipc() to consistently use those in place of the sys_*() versions, +and move the required ksys_*() declarations into linux/syscalls.h + +The IS_ENABLED(CONFIG_SYSVIPC) check is required to avoid link +errors when ipc is disabled. + +Reported-by: Matt Turner +Fixes: 275f22148e87 ("ipc: rename old-style shmctl/semctl/msgctl syscalls") +Cc: stable@vger.kernel.org +Tested-by: Matt Turner +Tested-by: Anatoly Pugachev +Signed-off-by: Arnd Bergmann +Signed-off-by: Greg Kroah-Hartman + +--- + arch/sparc/kernel/sys_sparc_64.c | 33 ++++++++++++++++++--------------- + include/linux/syscalls.h | 19 +++++++++++++++++++ + ipc/util.h | 25 ++----------------------- + 3 files changed, 39 insertions(+), 38 deletions(-) + +--- a/arch/sparc/kernel/sys_sparc_64.c ++++ b/arch/sparc/kernel/sys_sparc_64.c +@@ -336,25 +336,28 @@ SYSCALL_DEFINE6(sparc_ipc, unsigned int, + { + long err; + ++ if (!IS_ENABLED(CONFIG_SYSVIPC)) ++ return -ENOSYS; ++ + /* No need for backward compatibility. We can start fresh... */ + if (call <= SEMTIMEDOP) { + switch (call) { + case SEMOP: +- err = sys_semtimedop(first, ptr, +- (unsigned int)second, NULL); ++ err = ksys_semtimedop(first, ptr, ++ (unsigned int)second, NULL); + goto out; + case SEMTIMEDOP: +- err = sys_semtimedop(first, ptr, (unsigned int)second, ++ err = ksys_semtimedop(first, ptr, (unsigned int)second, + (const struct __kernel_timespec __user *) +- (unsigned long) fifth); ++ (unsigned long) fifth); + goto out; + case SEMGET: +- err = sys_semget(first, (int)second, (int)third); ++ err = ksys_semget(first, (int)second, (int)third); + goto out; + case SEMCTL: { +- err = sys_semctl(first, second, +- (int)third | IPC_64, +- (unsigned long) ptr); ++ err = ksys_old_semctl(first, second, ++ (int)third | IPC_64, ++ (unsigned long) ptr); + goto out; + } + default: +@@ -365,18 +368,18 @@ SYSCALL_DEFINE6(sparc_ipc, unsigned int, + if (call <= MSGCTL) { + switch (call) { + case MSGSND: +- err = sys_msgsnd(first, ptr, (size_t)second, ++ err = ksys_msgsnd(first, ptr, (size_t)second, + (int)third); + goto out; + case MSGRCV: +- err = sys_msgrcv(first, ptr, (size_t)second, fifth, ++ err = ksys_msgrcv(first, ptr, (size_t)second, fifth, + (int)third); + goto out; + case MSGGET: +- err = sys_msgget((key_t)first, (int)second); ++ err = ksys_msgget((key_t)first, (int)second); + goto out; + case MSGCTL: +- err = sys_msgctl(first, (int)second | IPC_64, ptr); ++ err = ksys_old_msgctl(first, (int)second | IPC_64, ptr); + goto out; + default: + err = -ENOSYS; +@@ -396,13 +399,13 @@ SYSCALL_DEFINE6(sparc_ipc, unsigned int, + goto out; + } + case SHMDT: +- err = sys_shmdt(ptr); ++ err = ksys_shmdt(ptr); + goto out; + case SHMGET: +- err = sys_shmget(first, (size_t)second, (int)third); ++ err = ksys_shmget(first, (size_t)second, (int)third); + goto out; + case SHMCTL: +- err = sys_shmctl(first, (int)second | IPC_64, ptr); ++ err = ksys_old_shmctl(first, (int)second | IPC_64, ptr); + goto out; + default: + err = -ENOSYS; +--- a/include/linux/syscalls.h ++++ b/include/linux/syscalls.h +@@ -1397,4 +1397,23 @@ static inline unsigned int ksys_personal + return old; + } + ++/* for __ARCH_WANT_SYS_IPC */ ++long ksys_semtimedop(int semid, struct sembuf __user *tsops, ++ unsigned int nsops, ++ const struct __kernel_timespec __user *timeout); ++long ksys_semget(key_t key, int nsems, int semflg); ++long ksys_old_semctl(int semid, int semnum, int cmd, unsigned long arg); ++long ksys_msgget(key_t key, int msgflg); ++long ksys_old_msgctl(int msqid, int cmd, struct msqid_ds __user *buf); ++long ksys_msgrcv(int msqid, struct msgbuf __user *msgp, size_t msgsz, ++ long msgtyp, int msgflg); ++long ksys_msgsnd(int msqid, struct msgbuf __user *msgp, size_t msgsz, ++ int msgflg); ++long ksys_shmget(key_t key, size_t size, int shmflg); ++long ksys_shmdt(char __user *shmaddr); ++long ksys_old_shmctl(int shmid, int cmd, struct shmid_ds __user *buf); ++long compat_ksys_semtimedop(int semid, struct sembuf __user *tsems, ++ unsigned int nsops, ++ const struct old_timespec32 __user *timeout); ++ + #endif +--- a/ipc/util.h ++++ b/ipc/util.h +@@ -276,29 +276,7 @@ static inline int compat_ipc_parse_versi + *cmd &= ~IPC_64; + return version; + } +-#endif +- +-/* for __ARCH_WANT_SYS_IPC */ +-long ksys_semtimedop(int semid, struct sembuf __user *tsops, +- unsigned int nsops, +- const struct __kernel_timespec __user *timeout); +-long ksys_semget(key_t key, int nsems, int semflg); +-long ksys_old_semctl(int semid, int semnum, int cmd, unsigned long arg); +-long ksys_msgget(key_t key, int msgflg); +-long ksys_old_msgctl(int msqid, int cmd, struct msqid_ds __user *buf); +-long ksys_msgrcv(int msqid, struct msgbuf __user *msgp, size_t msgsz, +- long msgtyp, int msgflg); +-long ksys_msgsnd(int msqid, struct msgbuf __user *msgp, size_t msgsz, +- int msgflg); +-long ksys_shmget(key_t key, size_t size, int shmflg); +-long ksys_shmdt(char __user *shmaddr); +-long ksys_old_shmctl(int shmid, int cmd, struct shmid_ds __user *buf); + +-/* for CONFIG_ARCH_WANT_OLD_COMPAT_IPC */ +-long compat_ksys_semtimedop(int semid, struct sembuf __user *tsems, +- unsigned int nsops, +- const struct old_timespec32 __user *timeout); +-#ifdef CONFIG_COMPAT + long compat_ksys_old_semctl(int semid, int semnum, int cmd, int arg); + long compat_ksys_old_msgctl(int msqid, int cmd, void __user *uptr); + long compat_ksys_msgrcv(int msqid, compat_uptr_t msgp, compat_ssize_t msgsz, +@@ -306,6 +284,7 @@ long compat_ksys_msgrcv(int msqid, compa + long compat_ksys_msgsnd(int msqid, compat_uptr_t msgp, + compat_ssize_t msgsz, int msgflg); + long compat_ksys_old_shmctl(int shmid, int cmd, void __user *uptr); +-#endif /* CONFIG_COMPAT */ ++ ++#endif + + #endif diff --git a/queue-5.2/ixgbe-fix-double-clean-of-tx-descriptors-with-xdp.patch b/queue-5.2/ixgbe-fix-double-clean-of-tx-descriptors-with-xdp.patch new file mode 100644 index 00000000000..6f4082eeef7 --- /dev/null +++ b/queue-5.2/ixgbe-fix-double-clean-of-tx-descriptors-with-xdp.patch @@ -0,0 +1,98 @@ +From bf280c0387ebbf8eebad1036fca8f7b85ebfde32 Mon Sep 17 00:00:00 2001 +From: Ilya Maximets +Date: Thu, 22 Aug 2019 20:12:37 +0300 +Subject: ixgbe: fix double clean of Tx descriptors with xdp + +From: Ilya Maximets + +commit bf280c0387ebbf8eebad1036fca8f7b85ebfde32 upstream. + +Tx code doesn't clear the descriptors' status after cleaning. +So, if the budget is larger than number of used elems in a ring, some +descriptors will be accounted twice and xsk_umem_complete_tx will move +prod_tail far beyond the prod_head breaking the completion queue ring. + +Fix that by limiting the number of descriptors to clean by the number +of used descriptors in the Tx ring. + +'ixgbe_clean_xdp_tx_irq()' function refactored to look more like +'ixgbe_xsk_clean_tx_ring()' since we're allowed to directly use +'next_to_clean' and 'next_to_use' indexes. + +CC: stable@vger.kernel.org +Fixes: 8221c5eba8c1 ("ixgbe: add AF_XDP zero-copy Tx support") +Signed-off-by: Ilya Maximets +Tested-by: William Tu +Tested-by: Eelco Chaudron +Signed-off-by: Jeff Kirsher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/intel/ixgbe/ixgbe_xsk.c | 29 ++++++++++----------------- + 1 file changed, 11 insertions(+), 18 deletions(-) + +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_xsk.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_xsk.c +@@ -679,19 +679,17 @@ static void ixgbe_clean_xdp_tx_buffer(st + bool ixgbe_clean_xdp_tx_irq(struct ixgbe_q_vector *q_vector, + struct ixgbe_ring *tx_ring, int napi_budget) + { ++ u16 ntc = tx_ring->next_to_clean, ntu = tx_ring->next_to_use; + unsigned int total_packets = 0, total_bytes = 0; +- u32 i = tx_ring->next_to_clean, xsk_frames = 0; +- unsigned int budget = q_vector->tx.work_limit; + struct xdp_umem *umem = tx_ring->xsk_umem; + union ixgbe_adv_tx_desc *tx_desc; + struct ixgbe_tx_buffer *tx_bi; +- bool xmit_done; ++ u32 xsk_frames = 0; + +- tx_bi = &tx_ring->tx_buffer_info[i]; +- tx_desc = IXGBE_TX_DESC(tx_ring, i); +- i -= tx_ring->count; ++ tx_bi = &tx_ring->tx_buffer_info[ntc]; ++ tx_desc = IXGBE_TX_DESC(tx_ring, ntc); + +- do { ++ while (ntc != ntu) { + if (!(tx_desc->wb.status & cpu_to_le32(IXGBE_TXD_STAT_DD))) + break; + +@@ -708,22 +706,18 @@ bool ixgbe_clean_xdp_tx_irq(struct ixgbe + + tx_bi++; + tx_desc++; +- i++; +- if (unlikely(!i)) { +- i -= tx_ring->count; ++ ntc++; ++ if (unlikely(ntc == tx_ring->count)) { ++ ntc = 0; + tx_bi = tx_ring->tx_buffer_info; + tx_desc = IXGBE_TX_DESC(tx_ring, 0); + } + + /* issue prefetch for next Tx descriptor */ + prefetch(tx_desc); ++ } + +- /* update budget accounting */ +- budget--; +- } while (likely(budget)); +- +- i += tx_ring->count; +- tx_ring->next_to_clean = i; ++ tx_ring->next_to_clean = ntc; + + u64_stats_update_begin(&tx_ring->syncp); + tx_ring->stats.bytes += total_bytes; +@@ -735,8 +729,7 @@ bool ixgbe_clean_xdp_tx_irq(struct ixgbe + if (xsk_frames) + xsk_umem_complete_tx(umem, xsk_frames); + +- xmit_done = ixgbe_xmit_zc(tx_ring, q_vector->tx.work_limit); +- return budget > 0 && xmit_done; ++ return ixgbe_xmit_zc(tx_ring, q_vector->tx.work_limit); + } + + int ixgbe_xsk_async_xmit(struct net_device *dev, u32 qid) diff --git a/queue-5.2/ixgbe-prevent-u8-wrapping-of-itr-value-to-something-less-than-10us.patch b/queue-5.2/ixgbe-prevent-u8-wrapping-of-itr-value-to-something-less-than-10us.patch new file mode 100644 index 00000000000..e5f0084a7ce --- /dev/null +++ b/queue-5.2/ixgbe-prevent-u8-wrapping-of-itr-value-to-something-less-than-10us.patch @@ -0,0 +1,48 @@ +From 377228accbbb8b9738f615d791aa803f41c067e0 Mon Sep 17 00:00:00 2001 +From: Alexander Duyck +Date: Wed, 4 Sep 2019 08:07:11 -0700 +Subject: ixgbe: Prevent u8 wrapping of ITR value to something less than 10us + +From: Alexander Duyck + +commit 377228accbbb8b9738f615d791aa803f41c067e0 upstream. + +There were a couple cases where the ITR value generated via the adaptive +ITR scheme could exceed 126. This resulted in the value becoming either 0 +or something less than 10. Switching back and forth between a value less +than 10 and a value greater than 10 can cause issues as certain hardware +features such as RSC to not function well when the ITR value has dropped +that low. + +CC: stable@vger.kernel.org +Fixes: b4ded8327fea ("ixgbe: Update adaptive ITR algorithm") +Reported-by: Gregg Leventhal +Signed-off-by: Alexander Duyck +Tested-by: Andrew Bowers +Signed-off-by: Jeff Kirsher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c +@@ -2622,7 +2622,7 @@ adjust_by_size: + /* 16K ints/sec to 9.2K ints/sec */ + avg_wire_size *= 15; + avg_wire_size += 11452; +- } else if (avg_wire_size <= 1980) { ++ } else if (avg_wire_size < 1968) { + /* 9.2K ints/sec to 8K ints/sec */ + avg_wire_size *= 5; + avg_wire_size += 22420; +@@ -2655,6 +2655,8 @@ adjust_by_size: + case IXGBE_LINK_SPEED_2_5GB_FULL: + case IXGBE_LINK_SPEED_1GB_FULL: + case IXGBE_LINK_SPEED_10_FULL: ++ if (avg_wire_size > 8064) ++ avg_wire_size = 8064; + itr += DIV_ROUND_UP(avg_wire_size, + IXGBE_ITR_ADAPTIVE_MIN_INC * 64) * + IXGBE_ITR_ADAPTIVE_MIN_INC; diff --git a/queue-5.2/kvm-nvmx-handle-page-fault-in-vmread.patch b/queue-5.2/kvm-nvmx-handle-page-fault-in-vmread.patch new file mode 100644 index 00000000000..db9a9069ab9 --- /dev/null +++ b/queue-5.2/kvm-nvmx-handle-page-fault-in-vmread.patch @@ -0,0 +1,40 @@ +From f7eea636c3d505fe6f1d1066234f1aaf7171b681 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Sat, 14 Sep 2019 00:26:27 +0200 +Subject: KVM: nVMX: handle page fault in vmread + +From: Paolo Bonzini + +commit f7eea636c3d505fe6f1d1066234f1aaf7171b681 upstream. + +The implementation of vmread to memory is still incomplete, as it +lacks the ability to do vmread to I/O memory just like vmptrst. + +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/vmx/nested.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/x86/kvm/vmx/nested.c ++++ b/arch/x86/kvm/vmx/nested.c +@@ -4411,6 +4411,7 @@ static int handle_vmread(struct kvm_vcpu + int len; + gva_t gva = 0; + struct vmcs12 *vmcs12; ++ struct x86_exception e; + + if (!nested_vmx_check_permission(vcpu)) + return 1; +@@ -4451,7 +4452,8 @@ static int handle_vmread(struct kvm_vcpu + vmx_instruction_info, true, len, &gva)) + return 1; + /* _system ok, nested_vmx_check_permission has verified cpl=0 */ +- kvm_write_guest_virt_system(vcpu, gva, &field_value, len, NULL); ++ if (kvm_write_guest_virt_system(vcpu, gva, &field_value, len, &e)) ++ kvm_inject_page_fault(vcpu, &e); + } + + return nested_vmx_succeed(vcpu); diff --git a/queue-5.2/kvm-s390-do-not-leak-kernel-stack-data-in-the-kvm_s390_interrupt-ioctl.patch b/queue-5.2/kvm-s390-do-not-leak-kernel-stack-data-in-the-kvm_s390_interrupt-ioctl.patch new file mode 100644 index 00000000000..97cd1cc6af7 --- /dev/null +++ b/queue-5.2/kvm-s390-do-not-leak-kernel-stack-data-in-the-kvm_s390_interrupt-ioctl.patch @@ -0,0 +1,77 @@ +From 53936b5bf35e140ae27e4bbf0447a61063f400da Mon Sep 17 00:00:00 2001 +From: Thomas Huth +Date: Thu, 12 Sep 2019 13:54:38 +0200 +Subject: KVM: s390: Do not leak kernel stack data in the KVM_S390_INTERRUPT ioctl + +From: Thomas Huth + +commit 53936b5bf35e140ae27e4bbf0447a61063f400da upstream. + +When the userspace program runs the KVM_S390_INTERRUPT ioctl to inject +an interrupt, we convert them from the legacy struct kvm_s390_interrupt +to the new struct kvm_s390_irq via the s390int_to_s390irq() function. +However, this function does not take care of all types of interrupts +that we can inject into the guest later (see do_inject_vcpu()). Since we +do not clear out the s390irq values before calling s390int_to_s390irq(), +there is a chance that we copy random data from the kernel stack which +could be leaked to the userspace later. + +Specifically, the problem exists with the KVM_S390_INT_PFAULT_INIT +interrupt: s390int_to_s390irq() does not handle it, and the function +__inject_pfault_init() later copies irq->u.ext which contains the +random kernel stack data. This data can then be leaked either to +the guest memory in __deliver_pfault_init(), or the userspace might +retrieve it directly with the KVM_S390_GET_IRQ_STATE ioctl. + +Fix it by handling that interrupt type in s390int_to_s390irq(), too, +and by making sure that the s390irq struct is properly pre-initialized. +And while we're at it, make sure that s390int_to_s390irq() now +directly returns -EINVAL for unknown interrupt types, so that we +immediately get a proper error code in case we add more interrupt +types to do_inject_vcpu() without updating s390int_to_s390irq() +sometime in the future. + +Cc: stable@vger.kernel.org +Reviewed-by: David Hildenbrand +Reviewed-by: Christian Borntraeger +Reviewed-by: Janosch Frank +Signed-off-by: Thomas Huth +Link: https://lore.kernel.org/kvm/20190912115438.25761-1-thuth@redhat.com +Signed-off-by: Christian Borntraeger +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/kvm/interrupt.c | 10 ++++++++++ + arch/s390/kvm/kvm-s390.c | 2 +- + 2 files changed, 11 insertions(+), 1 deletion(-) + +--- a/arch/s390/kvm/interrupt.c ++++ b/arch/s390/kvm/interrupt.c +@@ -1978,6 +1978,16 @@ int s390int_to_s390irq(struct kvm_s390_i + case KVM_S390_MCHK: + irq->u.mchk.mcic = s390int->parm64; + break; ++ case KVM_S390_INT_PFAULT_INIT: ++ irq->u.ext.ext_params = s390int->parm; ++ irq->u.ext.ext_params2 = s390int->parm64; ++ break; ++ case KVM_S390_RESTART: ++ case KVM_S390_INT_CLOCK_COMP: ++ case KVM_S390_INT_CPU_TIMER: ++ break; ++ default: ++ return -EINVAL; + } + return 0; + } +--- a/arch/s390/kvm/kvm-s390.c ++++ b/arch/s390/kvm/kvm-s390.c +@@ -4327,7 +4327,7 @@ long kvm_arch_vcpu_async_ioctl(struct fi + } + case KVM_S390_INTERRUPT: { + struct kvm_s390_interrupt s390int; +- struct kvm_s390_irq s390irq; ++ struct kvm_s390_irq s390irq = {}; + + if (copy_from_user(&s390int, argp, sizeof(s390int))) + return -EFAULT; diff --git a/queue-5.2/kvm-s390-kvm_s390_vm_start_migration-check-dirty_bitmap-before-using-it-as-target-for-memset.patch b/queue-5.2/kvm-s390-kvm_s390_vm_start_migration-check-dirty_bitmap-before-using-it-as-target-for-memset.patch new file mode 100644 index 00000000000..392f165d0ad --- /dev/null +++ b/queue-5.2/kvm-s390-kvm_s390_vm_start_migration-check-dirty_bitmap-before-using-it-as-target-for-memset.patch @@ -0,0 +1,63 @@ +From 13a17cc0526f08d1df9507f7484176371cd263a0 Mon Sep 17 00:00:00 2001 +From: Igor Mammedov +Date: Wed, 11 Sep 2019 03:52:18 -0400 +Subject: KVM: s390: kvm_s390_vm_start_migration: check dirty_bitmap before using it as target for memset() + +From: Igor Mammedov + +commit 13a17cc0526f08d1df9507f7484176371cd263a0 upstream. + +If userspace doesn't set KVM_MEM_LOG_DIRTY_PAGES on memslot before calling +kvm_s390_vm_start_migration(), kernel will oops with: + + Unable to handle kernel pointer dereference in virtual kernel address space + Failing address: 0000000000000000 TEID: 0000000000000483 + Fault in home space mode while using kernel ASCE. + AS:0000000002a2000b R2:00000001bff8c00b R3:00000001bff88007 S:00000001bff91000 P:000000000000003d + Oops: 0004 ilc:2 [#1] SMP + ... + Call Trace: + ([<001fffff804ec552>] kvm_s390_vm_set_attr+0x347a/0x3828 [kvm]) + [<001fffff804ecfc0>] kvm_arch_vm_ioctl+0x6c0/0x1998 [kvm] + [<001fffff804b67e4>] kvm_vm_ioctl+0x51c/0x11a8 [kvm] + [<00000000008ba572>] do_vfs_ioctl+0x1d2/0xe58 + [<00000000008bb284>] ksys_ioctl+0x8c/0xb8 + [<00000000008bb2e2>] sys_ioctl+0x32/0x40 + [<000000000175552c>] system_call+0x2b8/0x2d8 + INFO: lockdep is turned off. + Last Breaking-Event-Address: + [<0000000000dbaf60>] __memset+0xc/0xa0 + +due to ms->dirty_bitmap being NULL, which might crash the host. + +Make sure that ms->dirty_bitmap is set before using it or +return -EINVAL otherwise. + +Cc: +Fixes: afdad61615cc ("KVM: s390: Fix storage attributes migration with memory slots") +Signed-off-by: Igor Mammedov +Link: https://lore.kernel.org/kvm/20190911075218.29153-1-imammedo@redhat.com/ +Reviewed-by: David Hildenbrand +Reviewed-by: Christian Borntraeger +Reviewed-by: Claudio Imbrenda +Reviewed-by: Cornelia Huck +Reviewed-by: Janosch Frank +Signed-off-by: Janosch Frank +Signed-off-by: Christian Borntraeger +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/kvm/kvm-s390.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/s390/kvm/kvm-s390.c ++++ b/arch/s390/kvm/kvm-s390.c +@@ -1013,6 +1013,8 @@ static int kvm_s390_vm_start_migration(s + /* mark all the pages in active slots as dirty */ + for (slotnr = 0; slotnr < slots->used_slots; slotnr++) { + ms = slots->memslots + slotnr; ++ if (!ms->dirty_bitmap) ++ return -EINVAL; + /* + * The second half of the bitmap is only used on x86, + * and would be wasted otherwise, so we put it to good diff --git a/queue-5.2/kvm-x86-mmu-reintroduce-fast-invalidate-zap-for-flushing-memslot.patch b/queue-5.2/kvm-x86-mmu-reintroduce-fast-invalidate-zap-for-flushing-memslot.patch new file mode 100644 index 00000000000..d240a06e98a --- /dev/null +++ b/queue-5.2/kvm-x86-mmu-reintroduce-fast-invalidate-zap-for-flushing-memslot.patch @@ -0,0 +1,228 @@ +From 002c5f73c508f7df5681bda339831c27f3c1aef4 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Thu, 12 Sep 2019 19:46:02 -0700 +Subject: KVM: x86/mmu: Reintroduce fast invalidate/zap for flushing memslot + +From: Sean Christopherson + +commit 002c5f73c508f7df5681bda339831c27f3c1aef4 upstream. + +James Harvey reported a livelock that was introduced by commit +d012a06ab1d23 ("Revert "KVM: x86/mmu: Zap only the relevant pages when +removing a memslot""). + +The livelock occurs because kvm_mmu_zap_all() as it exists today will +voluntarily reschedule and drop KVM's mmu_lock, which allows other vCPUs +to add shadow pages. With enough vCPUs, kvm_mmu_zap_all() can get stuck +in an infinite loop as it can never zap all pages before observing lock +contention or the need to reschedule. The equivalent of kvm_mmu_zap_all() +that was in use at the time of the reverted commit (4e103134b8623, "KVM: +x86/mmu: Zap only the relevant pages when removing a memslot") employed +a fast invalidate mechanism and was not susceptible to the above livelock. + +There are three ways to fix the livelock: + +- Reverting the revert (commit d012a06ab1d23) is not a viable option as + the revert is needed to fix a regression that occurs when the guest has + one or more assigned devices. It's unlikely we'll root cause the device + assignment regression soon enough to fix the regression timely. + +- Remove the conditional reschedule from kvm_mmu_zap_all(). However, although + removing the reschedule would be a smaller code change, it's less safe + in the sense that the resulting kvm_mmu_zap_all() hasn't been used in + the wild for flushing memslots since the fast invalidate mechanism was + introduced by commit 6ca18b6950f8d ("KVM: x86: use the fast way to + invalidate all pages"), back in 2013. + +- Reintroduce the fast invalidate mechanism and use it when zapping shadow + pages in response to a memslot being deleted/moved, which is what this + patch does. + +For all intents and purposes, this is a revert of commit ea145aacf4ae8 +("Revert "KVM: MMU: fast invalidate all pages"") and a partial revert of +commit 7390de1e99a70 ("Revert "KVM: x86: use the fast way to invalidate +all pages""), i.e. restores the behavior of commit 5304b8d37c2a5 ("KVM: +MMU: fast invalidate all pages") and commit 6ca18b6950f8d ("KVM: x86: +use the fast way to invalidate all pages") respectively. + +Fixes: d012a06ab1d23 ("Revert "KVM: x86/mmu: Zap only the relevant pages when removing a memslot"") +Reported-by: James Harvey +Cc: Alex Willamson +Cc: Paolo Bonzini +Cc: stable@vger.kernel.org +Signed-off-by: Sean Christopherson +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/kvm_host.h | 2 + arch/x86/kvm/mmu.c | 101 +++++++++++++++++++++++++++++++++++++++- + 2 files changed, 101 insertions(+), 2 deletions(-) + +--- a/arch/x86/include/asm/kvm_host.h ++++ b/arch/x86/include/asm/kvm_host.h +@@ -333,6 +333,7 @@ struct kvm_mmu_page { + int root_count; /* Currently serving as active root */ + unsigned int unsync_children; + struct kvm_rmap_head parent_ptes; /* rmap pointers to parent sptes */ ++ unsigned long mmu_valid_gen; + DECLARE_BITMAP(unsync_child_bitmap, 512); + + #ifdef CONFIG_X86_32 +@@ -851,6 +852,7 @@ struct kvm_arch { + unsigned long n_requested_mmu_pages; + unsigned long n_max_mmu_pages; + unsigned int indirect_shadow_pages; ++ unsigned long mmu_valid_gen; + struct hlist_head mmu_page_hash[KVM_NUM_MMU_PAGES]; + /* + * Hash table of struct kvm_mmu_page. +--- a/arch/x86/kvm/mmu.c ++++ b/arch/x86/kvm/mmu.c +@@ -2066,6 +2066,12 @@ static struct kvm_mmu_page *kvm_mmu_allo + if (!direct) + sp->gfns = mmu_memory_cache_alloc(&vcpu->arch.mmu_page_cache); + set_page_private(virt_to_page(sp->spt), (unsigned long)sp); ++ ++ /* ++ * active_mmu_pages must be a FIFO list, as kvm_zap_obsolete_pages() ++ * depends on valid pages being added to the head of the list. See ++ * comments in kvm_zap_obsolete_pages(). ++ */ + list_add(&sp->link, &vcpu->kvm->arch.active_mmu_pages); + kvm_mod_used_mmu_pages(vcpu->kvm, +1); + return sp; +@@ -2215,7 +2221,7 @@ static void kvm_mmu_commit_zap_page(stru + #define for_each_valid_sp(_kvm, _sp, _gfn) \ + hlist_for_each_entry(_sp, \ + &(_kvm)->arch.mmu_page_hash[kvm_page_table_hashfn(_gfn)], hash_link) \ +- if ((_sp)->role.invalid) { \ ++ if (is_obsolete_sp((_kvm), (_sp)) || (_sp)->role.invalid) { \ + } else + + #define for_each_gfn_indirect_valid_sp(_kvm, _sp, _gfn) \ +@@ -2272,6 +2278,11 @@ static void kvm_mmu_audit(struct kvm_vcp + static void mmu_audit_disable(void) { } + #endif + ++static bool is_obsolete_sp(struct kvm *kvm, struct kvm_mmu_page *sp) ++{ ++ return unlikely(sp->mmu_valid_gen != kvm->arch.mmu_valid_gen); ++} ++ + static bool kvm_sync_page(struct kvm_vcpu *vcpu, struct kvm_mmu_page *sp, + struct list_head *invalid_list) + { +@@ -2496,6 +2507,7 @@ static struct kvm_mmu_page *kvm_mmu_get_ + if (level > PT_PAGE_TABLE_LEVEL && need_sync) + flush |= kvm_sync_pages(vcpu, gfn, &invalid_list); + } ++ sp->mmu_valid_gen = vcpu->kvm->arch.mmu_valid_gen; + clear_page(sp->spt); + trace_kvm_mmu_get_page(sp, true); + +@@ -4229,6 +4241,13 @@ static bool fast_cr3_switch(struct kvm_v + return false; + + if (cached_root_available(vcpu, new_cr3, new_role)) { ++ /* ++ * It is possible that the cached previous root page is ++ * obsolete because of a change in the MMU generation ++ * number. However, changing the generation number is ++ * accompanied by KVM_REQ_MMU_RELOAD, which will free ++ * the root set here and allocate a new one. ++ */ + kvm_make_request(KVM_REQ_LOAD_CR3, vcpu); + if (!skip_tlb_flush) { + kvm_make_request(KVM_REQ_MMU_SYNC, vcpu); +@@ -5645,11 +5664,89 @@ int kvm_mmu_create(struct kvm_vcpu *vcpu + return alloc_mmu_pages(vcpu); + } + ++ ++static void kvm_zap_obsolete_pages(struct kvm *kvm) ++{ ++ struct kvm_mmu_page *sp, *node; ++ LIST_HEAD(invalid_list); ++ int ign; ++ ++restart: ++ list_for_each_entry_safe_reverse(sp, node, ++ &kvm->arch.active_mmu_pages, link) { ++ /* ++ * No obsolete valid page exists before a newly created page ++ * since active_mmu_pages is a FIFO list. ++ */ ++ if (!is_obsolete_sp(kvm, sp)) ++ break; ++ ++ /* ++ * Do not repeatedly zap a root page to avoid unnecessary ++ * KVM_REQ_MMU_RELOAD, otherwise we may not be able to ++ * progress: ++ * vcpu 0 vcpu 1 ++ * call vcpu_enter_guest(): ++ * 1): handle KVM_REQ_MMU_RELOAD ++ * and require mmu-lock to ++ * load mmu ++ * repeat: ++ * 1): zap root page and ++ * send KVM_REQ_MMU_RELOAD ++ * ++ * 2): if (cond_resched_lock(mmu-lock)) ++ * ++ * 2): hold mmu-lock and load mmu ++ * ++ * 3): see KVM_REQ_MMU_RELOAD bit ++ * on vcpu->requests is set ++ * then return 1 to call ++ * vcpu_enter_guest() again. ++ * goto repeat; ++ * ++ * Since we are reversely walking the list and the invalid ++ * list will be moved to the head, skip the invalid page ++ * can help us to avoid the infinity list walking. ++ */ ++ if (sp->role.invalid) ++ continue; ++ ++ if (need_resched() || spin_needbreak(&kvm->mmu_lock)) { ++ kvm_mmu_commit_zap_page(kvm, &invalid_list); ++ cond_resched_lock(&kvm->mmu_lock); ++ goto restart; ++ } ++ ++ if (__kvm_mmu_prepare_zap_page(kvm, sp, &invalid_list, &ign)) ++ goto restart; ++ } ++ ++ kvm_mmu_commit_zap_page(kvm, &invalid_list); ++} ++ ++/* ++ * Fast invalidate all shadow pages and use lock-break technique ++ * to zap obsolete pages. ++ * ++ * It's required when memslot is being deleted or VM is being ++ * destroyed, in these cases, we should ensure that KVM MMU does ++ * not use any resource of the being-deleted slot or all slots ++ * after calling the function. ++ */ ++static void kvm_mmu_zap_all_fast(struct kvm *kvm) ++{ ++ spin_lock(&kvm->mmu_lock); ++ kvm->arch.mmu_valid_gen++; ++ ++ kvm_zap_obsolete_pages(kvm); ++ spin_unlock(&kvm->mmu_lock); ++} ++ + static void kvm_mmu_invalidate_zap_pages_in_memslot(struct kvm *kvm, + struct kvm_memory_slot *slot, + struct kvm_page_track_notifier_node *node) + { +- kvm_mmu_zap_all(kvm); ++ kvm_mmu_zap_all_fast(kvm); + } + + void kvm_mmu_init_vm(struct kvm *kvm) diff --git a/queue-5.2/kvm-x86-work-around-leak-of-uninitialized-stack-contents.patch b/queue-5.2/kvm-x86-work-around-leak-of-uninitialized-stack-contents.patch new file mode 100644 index 00000000000..10b2ebdcd0a --- /dev/null +++ b/queue-5.2/kvm-x86-work-around-leak-of-uninitialized-stack-contents.patch @@ -0,0 +1,44 @@ +From 541ab2aeb28251bf7135c7961f3a6080eebcc705 Mon Sep 17 00:00:00 2001 +From: Fuqian Huang +Date: Thu, 12 Sep 2019 12:18:17 +0800 +Subject: KVM: x86: work around leak of uninitialized stack contents + +From: Fuqian Huang + +commit 541ab2aeb28251bf7135c7961f3a6080eebcc705 upstream. + +Emulation of VMPTRST can incorrectly inject a page fault +when passed an operand that points to an MMIO address. +The page fault will use uninitialized kernel stack memory +as the CR2 and error code. + +The right behavior would be to abort the VM with a KVM_EXIT_INTERNAL_ERROR +exit to userspace; however, it is not an easy fix, so for now just ensure +that the error code and CR2 are zero. + +Signed-off-by: Fuqian Huang +Cc: stable@vger.kernel.org +[add comment] +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/x86.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -5265,6 +5265,13 @@ int kvm_write_guest_virt_system(struct k + /* kvm_write_guest_virt_system can pull in tons of pages. */ + vcpu->arch.l1tf_flush_l1d = true; + ++ /* ++ * FIXME: this should call handle_emulation_failure if X86EMUL_IO_NEEDED ++ * is returned, but our callers are not ready for that and they blindly ++ * call kvm_inject_page_fault. Ensure that they at least do not leak ++ * uninitialized kernel stack memory into cr2 and error code. ++ */ ++ memset(exception, 0, sizeof(*exception)); + return kvm_write_guest_virt_helper(addr, val, bytes, vcpu, + PFERR_WRITE_MASK, exception); + } diff --git a/queue-5.2/mmc-tmio-fixup-runtime-pm-management-during-probe.patch b/queue-5.2/mmc-tmio-fixup-runtime-pm-management-during-probe.patch new file mode 100644 index 00000000000..f608f4b5747 --- /dev/null +++ b/queue-5.2/mmc-tmio-fixup-runtime-pm-management-during-probe.patch @@ -0,0 +1,86 @@ +From aa86f1a3887523d78bfadd1c4e4df8f919336511 Mon Sep 17 00:00:00 2001 +From: Ulf Hansson +Date: Fri, 13 Sep 2019 11:19:26 +0200 +Subject: mmc: tmio: Fixup runtime PM management during probe + +From: Ulf Hansson + +commit aa86f1a3887523d78bfadd1c4e4df8f919336511 upstream. + +The tmio_mmc_host_probe() calls pm_runtime_set_active() to update the +runtime PM status of the device, as to make it reflect the current status +of the HW. This works fine for most cases, but unfortunate not for all. +Especially, there is a generic problem when the device has a genpd attached +and that genpd have the ->start|stop() callbacks assigned. + +More precisely, if the driver calls pm_runtime_set_active() during +->probe(), genpd does not get to invoke the ->start() callback for it, +which means the HW isn't really fully powered on. Furthermore, in the next +phase, when the device becomes runtime suspended, genpd will invoke the +->stop() callback for it, potentially leading to usage count imbalance +problems, depending on what's implemented behind the callbacks of course. + +To fix this problem, convert to call pm_runtime_get_sync() from +tmio_mmc_host_probe() rather than pm_runtime_set_active(). Additionally, to +avoid bumping usage counters and unnecessary re-initializing the HW the +first time the tmio driver's ->runtime_resume() callback is called, +introduce a state flag to keeping track of this. + +Cc: stable@vger.kernel.org +Signed-off-by: Ulf Hansson +Tested-by: Geert Uytterhoeven +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/tmio_mmc.h | 1 + + drivers/mmc/host/tmio_mmc_core.c | 9 ++++++++- + 2 files changed, 9 insertions(+), 1 deletion(-) + +--- a/drivers/mmc/host/tmio_mmc.h ++++ b/drivers/mmc/host/tmio_mmc.h +@@ -163,6 +163,7 @@ struct tmio_mmc_host { + unsigned long last_req_ts; + struct mutex ios_lock; /* protect set_ios() context */ + bool native_hotplug; ++ bool runtime_synced; + bool sdio_irq_enabled; + + /* Mandatory callback */ +--- a/drivers/mmc/host/tmio_mmc_core.c ++++ b/drivers/mmc/host/tmio_mmc_core.c +@@ -1258,20 +1258,22 @@ int tmio_mmc_host_probe(struct tmio_mmc_ + /* See if we also get DMA */ + tmio_mmc_request_dma(_host, pdata); + +- pm_runtime_set_active(&pdev->dev); + pm_runtime_set_autosuspend_delay(&pdev->dev, 50); + pm_runtime_use_autosuspend(&pdev->dev); + pm_runtime_enable(&pdev->dev); ++ pm_runtime_get_sync(&pdev->dev); + + ret = mmc_add_host(mmc); + if (ret) + goto remove_host; + + dev_pm_qos_expose_latency_limit(&pdev->dev, 100); ++ pm_runtime_put(&pdev->dev); + + return 0; + + remove_host: ++ pm_runtime_put_noidle(&pdev->dev); + tmio_mmc_host_remove(_host); + return ret; + } +@@ -1340,6 +1342,11 @@ int tmio_mmc_host_runtime_resume(struct + { + struct tmio_mmc_host *host = dev_get_drvdata(dev); + ++ if (!host->runtime_synced) { ++ host->runtime_synced = true; ++ return 0; ++ } ++ + tmio_mmc_clk_enable(host); + tmio_mmc_hw_reset(host->mmc); + diff --git a/queue-5.2/mmc-tmio-fixup-runtime-pm-management-during-remove.patch b/queue-5.2/mmc-tmio-fixup-runtime-pm-management-during-remove.patch new file mode 100644 index 00000000000..663a8a95993 --- /dev/null +++ b/queue-5.2/mmc-tmio-fixup-runtime-pm-management-during-remove.patch @@ -0,0 +1,47 @@ +From 87b5d602a1cc76169b8d81ec2c74c8d95d9350dc Mon Sep 17 00:00:00 2001 +From: Ulf Hansson +Date: Fri, 13 Sep 2019 11:20:22 +0200 +Subject: mmc: tmio: Fixup runtime PM management during remove + +From: Ulf Hansson + +commit 87b5d602a1cc76169b8d81ec2c74c8d95d9350dc upstream. + +Accessing the device when it may be runtime suspended is a bug, which is +the case in tmio_mmc_host_remove(). Let's fix the behaviour. + +Cc: stable@vger.kernel.org +Signed-off-by: Ulf Hansson +Tested-by: Geert Uytterhoeven +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/tmio_mmc_core.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/mmc/host/tmio_mmc_core.c ++++ b/drivers/mmc/host/tmio_mmc_core.c +@@ -1284,12 +1284,11 @@ void tmio_mmc_host_remove(struct tmio_mm + struct platform_device *pdev = host->pdev; + struct mmc_host *mmc = host->mmc; + ++ pm_runtime_get_sync(&pdev->dev); ++ + if (host->pdata->flags & TMIO_MMC_SDIO_IRQ) + sd_ctrl_write16(host, CTL_TRANSACTION_CTL, 0x0000); + +- if (!host->native_hotplug) +- pm_runtime_get_sync(&pdev->dev); +- + dev_pm_qos_hide_latency_limit(&pdev->dev); + + mmc_remove_host(mmc); +@@ -1298,6 +1297,8 @@ void tmio_mmc_host_remove(struct tmio_mm + tmio_mmc_release_dma(host); + + pm_runtime_dont_use_autosuspend(&pdev->dev); ++ if (host->native_hotplug) ++ pm_runtime_put_noidle(&pdev->dev); + pm_runtime_put_sync(&pdev->dev); + pm_runtime_disable(&pdev->dev); + } diff --git a/queue-5.2/mt76-mt76x0e-disable-5ghz-band-for-mt7630e.patch b/queue-5.2/mt76-mt76x0e-disable-5ghz-band-for-mt7630e.patch new file mode 100644 index 00000000000..8e926839dce --- /dev/null +++ b/queue-5.2/mt76-mt76x0e-disable-5ghz-band-for-mt7630e.patch @@ -0,0 +1,39 @@ +From 70702265a04aa0ce5a7bde77d13456209992b32f Mon Sep 17 00:00:00 2001 +From: Stanislaw Gruszka +Date: Tue, 13 Aug 2019 15:36:56 +0200 +Subject: mt76: mt76x0e: disable 5GHz band for MT7630E + +From: Stanislaw Gruszka + +commit 70702265a04aa0ce5a7bde77d13456209992b32f upstream. + +MT7630E hardware does support 5GHz, but we do not properly configure phy +for 5GHz channels. Scanning at this band not only do not show any APs +but also can hang the firmware. + +Since vendor reference driver do not support 5GHz we don't know how +properly configure 5GHz channels. So disable this band for MT7630E . + +Cc: stable@vger.kernel.org +Signed-off-by: Stanislaw Gruszka +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/mediatek/mt76/mt76x0/eeprom.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/net/wireless/mediatek/mt76/mt76x0/eeprom.c ++++ b/drivers/net/wireless/mediatek/mt76/mt76x0/eeprom.c +@@ -59,6 +59,11 @@ static void mt76x0_set_chip_cap(struct m + dev_dbg(dev->mt76.dev, "mask out 2GHz support\n"); + } + ++ if (is_mt7630(dev)) { ++ dev->mt76.cap.has_5ghz = false; ++ dev_dbg(dev->mt76.dev, "mask out 5GHz support\n"); ++ } ++ + if (!mt76x02_field_valid(nic_conf1 & 0xff)) + nic_conf1 &= 0xff00; + diff --git a/queue-5.2/regulator-twl-voltage-lists-for-vdd1-2-on-twl4030.patch b/queue-5.2/regulator-twl-voltage-lists-for-vdd1-2-on-twl4030.patch new file mode 100644 index 00000000000..b2b54832b89 --- /dev/null +++ b/queue-5.2/regulator-twl-voltage-lists-for-vdd1-2-on-twl4030.patch @@ -0,0 +1,107 @@ +From 3829100a63724f6dbf264b2a7f06e7f638ed952d Mon Sep 17 00:00:00 2001 +From: Andreas Kemnade +Date: Wed, 14 Aug 2019 23:43:19 +0200 +Subject: regulator: twl: voltage lists for vdd1/2 on twl4030 + +From: Andreas Kemnade + +commit 3829100a63724f6dbf264b2a7f06e7f638ed952d upstream. + +_opp_supported_by_regulators() wrongly ignored errors from +regulator_is_supported_voltage(), so it considered errors as +success. Since +commit 498209445124 ("regulator: core: simplify return value on suported_voltage") +regulator_is_supported_voltage() returns a real boolean, so +errors make _opp_supported_by_regulators() return false. + +That reveals a problem with the declaration of the VDD1/2 +regulators on twl4030. +The VDD1/VDD2 regulators on twl4030 are neither defined with +voltage lists nor with the continuous flag set, so +regulator_is_supported_voltage() returns false and an error +before above mentioned commit (which was considered success) +The result is that after the above mentioned commit cpufreq +does not work properly e.g. dm3730. + +[ 2.490997] core: _opp_supported_by_regulators: OPP minuV: 1012500 maxuV: 1012500, not supported by regulator +[ 2.501617] cpu cpu0: _opp_add: OPP not supported by regulators (300000000) +[ 2.509246] core: _opp_supported_by_regulators: OPP minuV: 1200000 maxuV: 1200000, not supported by regulator +[ 2.519775] cpu cpu0: _opp_add: OPP not supported by regulators (600000000) +[ 2.527313] core: _opp_supported_by_regulators: OPP minuV: 1325000 maxuV: 1325000, not supported by regulator +[ 2.537750] cpu cpu0: _opp_add: OPP not supported by regulators (800000000) + +The patch fixes declaration of VDD1/2 regulators by +adding proper voltage lists. + +Fixes: 498209445124 ("regulator: core: simplify return value on suported_voltage") +Cc: stable@vger.kernel.org +Signed-off-by: Andreas Kemnade +Tested-by: Adam Ford #logicpd-torpedo-37xx-devkit +Link: https://lore.kernel.org/r/20190814214319.24087-1-andreas@kemnade.info +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/regulator/twl-regulator.c | 23 ++++++++++++++++++++--- + 1 file changed, 20 insertions(+), 3 deletions(-) + +--- a/drivers/regulator/twl-regulator.c ++++ b/drivers/regulator/twl-regulator.c +@@ -359,6 +359,17 @@ static const u16 VINTANA2_VSEL_table[] = + 2500, 2750, + }; + ++/* 600mV to 1450mV in 12.5 mV steps */ ++static const struct regulator_linear_range VDD1_ranges[] = { ++ REGULATOR_LINEAR_RANGE(600000, 0, 68, 12500) ++}; ++ ++/* 600mV to 1450mV in 12.5 mV steps, everything above = 1500mV */ ++static const struct regulator_linear_range VDD2_ranges[] = { ++ REGULATOR_LINEAR_RANGE(600000, 0, 68, 12500), ++ REGULATOR_LINEAR_RANGE(1500000, 69, 69, 12500) ++}; ++ + static int twl4030ldo_list_voltage(struct regulator_dev *rdev, unsigned index) + { + struct twlreg_info *info = rdev_get_drvdata(rdev); +@@ -427,6 +438,8 @@ static int twl4030smps_get_voltage(struc + } + + static const struct regulator_ops twl4030smps_ops = { ++ .list_voltage = regulator_list_voltage_linear_range, ++ + .set_voltage = twl4030smps_set_voltage, + .get_voltage = twl4030smps_get_voltage, + }; +@@ -466,7 +479,8 @@ static const struct twlreg_info TWL4030_ + }, \ + } + +-#define TWL4030_ADJUSTABLE_SMPS(label, offset, num, turnon_delay, remap_conf) \ ++#define TWL4030_ADJUSTABLE_SMPS(label, offset, num, turnon_delay, remap_conf, \ ++ n_volt) \ + static const struct twlreg_info TWL4030_INFO_##label = { \ + .base = offset, \ + .id = num, \ +@@ -479,6 +493,9 @@ static const struct twlreg_info TWL4030_ + .owner = THIS_MODULE, \ + .enable_time = turnon_delay, \ + .of_map_mode = twl4030reg_map_mode, \ ++ .n_voltages = n_volt, \ ++ .n_linear_ranges = ARRAY_SIZE(label ## _ranges), \ ++ .linear_ranges = label ## _ranges, \ + }, \ + } + +@@ -518,8 +535,8 @@ TWL4030_ADJUSTABLE_LDO(VSIM, 0x37, 9, 10 + TWL4030_ADJUSTABLE_LDO(VDAC, 0x3b, 10, 100, 0x08); + TWL4030_ADJUSTABLE_LDO(VINTANA2, 0x43, 12, 100, 0x08); + TWL4030_ADJUSTABLE_LDO(VIO, 0x4b, 14, 1000, 0x08); +-TWL4030_ADJUSTABLE_SMPS(VDD1, 0x55, 15, 1000, 0x08); +-TWL4030_ADJUSTABLE_SMPS(VDD2, 0x63, 16, 1000, 0x08); ++TWL4030_ADJUSTABLE_SMPS(VDD1, 0x55, 15, 1000, 0x08, 68); ++TWL4030_ADJUSTABLE_SMPS(VDD2, 0x63, 16, 1000, 0x08, 69); + /* VUSBCP is managed *only* by the USB subchip */ + TWL4030_FIXED_LDO(VINTANA1, 0x3f, 1500, 11, 100, 0x08); + TWL4030_FIXED_LDO(VINTDIG, 0x47, 1500, 13, 100, 0x08); diff --git a/queue-5.2/revert-mmc-bcm2835-terminate-timeout-work-synchronously.patch b/queue-5.2/revert-mmc-bcm2835-terminate-timeout-work-synchronously.patch new file mode 100644 index 00000000000..7a23ae1a159 --- /dev/null +++ b/queue-5.2/revert-mmc-bcm2835-terminate-timeout-work-synchronously.patch @@ -0,0 +1,35 @@ +From aea64b583601aa5e0d6ea51a0420e46e43710bd4 Mon Sep 17 00:00:00 2001 +From: Stefan Wahren +Date: Sun, 8 Sep 2019 09:45:52 +0200 +Subject: Revert "mmc: bcm2835: Terminate timeout work synchronously" + +From: Stefan Wahren + +commit aea64b583601aa5e0d6ea51a0420e46e43710bd4 upstream. + +The commit 37fefadee8bb ("mmc: bcm2835: Terminate timeout work +synchronously") causes lockups in case of hardware timeouts due the +timeout work also calling cancel_delayed_work_sync() on its own. +So revert it. + +Fixes: 37fefadee8bb ("mmc: bcm2835: Terminate timeout work synchronously") +Cc: stable@vger.kernel.org +Signed-off-by: Stefan Wahren +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/bcm2835.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mmc/host/bcm2835.c ++++ b/drivers/mmc/host/bcm2835.c +@@ -597,7 +597,7 @@ static void bcm2835_finish_request(struc + struct dma_chan *terminate_chan = NULL; + struct mmc_request *mrq; + +- cancel_delayed_work_sync(&host->timeout_work); ++ cancel_delayed_work(&host->timeout_work); + + mrq = host->mrq; + diff --git a/queue-5.2/revert-mmc-sdhci-remove-unneeded-quirk2-flag-of-o2-sd-host-controller.patch b/queue-5.2/revert-mmc-sdhci-remove-unneeded-quirk2-flag-of-o2-sd-host-controller.patch new file mode 100644 index 00000000000..5a38a9a64a3 --- /dev/null +++ b/queue-5.2/revert-mmc-sdhci-remove-unneeded-quirk2-flag-of-o2-sd-host-controller.patch @@ -0,0 +1,55 @@ +From 49baa01c8b99ef92958e18fb58ebeb5dfdcde8af Mon Sep 17 00:00:00 2001 +From: Daniel Drake +Date: Thu, 5 Sep 2019 12:55:57 +0800 +Subject: Revert "mmc: sdhci: Remove unneeded quirk2 flag of O2 SD host controller" + +From: Daniel Drake + +commit 49baa01c8b99ef92958e18fb58ebeb5dfdcde8af upstream. + +This reverts commit 414126f9e5abf1973c661d24229543a9458fa8ce. + +This commit broke eMMC storage access on a new consumer MiniPC based on +AMD SoC, which has eMMC connected to: + +02:00.0 SD Host controller: O2 Micro, Inc. Device 8620 (rev 01) (prog-if 01) + Subsystem: O2 Micro, Inc. Device 0002 + +During probe, several errors are seen including: + + mmc1: Got data interrupt 0x02000000 even though no data operation was in progress. + mmc1: Timeout waiting for hardware interrupt. + mmc1: error -110 whilst initialising MMC card + +Reverting this commit allows the eMMC storage to be detected & usable +again. + +Signed-off-by: Daniel Drake +Fixes: 414126f9e5ab ("mmc: sdhci: Remove unneeded quirk2 flag of O2 SD host +controller") +Cc: stable@vger.kernel.org # v5.1+ +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/sdhci-pci-o2micro.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mmc/host/sdhci-pci-o2micro.c ++++ b/drivers/mmc/host/sdhci-pci-o2micro.c +@@ -432,7 +432,6 @@ int sdhci_pci_o2_probe_slot(struct sdhci + mmc_hostname(host->mmc)); + host->flags &= ~SDHCI_SIGNALING_330; + host->flags |= SDHCI_SIGNALING_180; +- host->quirks2 |= SDHCI_QUIRK2_CLEAR_TRANSFERMODE_REG_BEFORE_CMD; + host->mmc->caps2 |= MMC_CAP2_NO_SD; + host->mmc->caps2 |= MMC_CAP2_NO_SDIO; + pci_write_config_dword(chip->pdev, +@@ -682,6 +681,7 @@ static const struct sdhci_ops sdhci_pci_ + const struct sdhci_pci_fixes sdhci_o2 = { + .probe = sdhci_pci_o2_probe, + .quirks = SDHCI_QUIRK_NO_ENDATTR_IN_NOPDESC, ++ .quirks2 = SDHCI_QUIRK2_CLEAR_TRANSFERMODE_REG_BEFORE_CMD, + .probe_slot = sdhci_pci_o2_probe_slot, + #ifdef CONFIG_PM_SLEEP + .resume = sdhci_pci_o2_resume, diff --git a/queue-5.2/revert-rt2800-enable-tx_pin_cfg_lna_pe_-bits-per-band.patch b/queue-5.2/revert-rt2800-enable-tx_pin_cfg_lna_pe_-bits-per-band.patch new file mode 100644 index 00000000000..c287cdf928b --- /dev/null +++ b/queue-5.2/revert-rt2800-enable-tx_pin_cfg_lna_pe_-bits-per-band.patch @@ -0,0 +1,66 @@ +From 13fa451568ab9e8b3074ef741477c7938c713c42 Mon Sep 17 00:00:00 2001 +From: Stanislaw Gruszka +Date: Thu, 29 Aug 2019 13:29:59 +0200 +Subject: Revert "rt2800: enable TX_PIN_CFG_LNA_PE_ bits per band" + +From: Stanislaw Gruszka + +commit 13fa451568ab9e8b3074ef741477c7938c713c42 upstream. + +This reverts commit 9ad3b55654455258a9463384edb40077439d879f. + +As reported by Sergey: + +"I got some problem after upgrade kernel to 5.2 version (debian testing +linux-image-5.2.0-2-amd64). 5Ghz client stopped to see AP. +Some tests with 1metre distance between client-AP: 2.4Ghz -22dBm, for +5Ghz - 53dBm !, for longer distance (8m + walls) 2.4 - 61dBm, 5Ghz not +visible." + +It was identified that rx signal level degradation was caused by +9ad3b5565445 ("rt2800: enable TX_PIN_CFG_LNA_PE_ bits per band"). +So revert this commit. + +Cc: # v5.1+ +Reported-and-tested-by: Sergey Maranchuk +Signed-off-by: Stanislaw Gruszka +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ralink/rt2x00/rt2800lib.c | 18 ++++++------------ + 1 file changed, 6 insertions(+), 12 deletions(-) + +--- a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c ++++ b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c +@@ -4156,24 +4156,18 @@ static void rt2800_config_channel(struct + switch (rt2x00dev->default_ant.rx_chain_num) { + case 3: + /* Turn on tertiary LNAs */ +- rt2x00_set_field32(&tx_pin, TX_PIN_CFG_LNA_PE_A2_EN, +- rf->channel > 14); +- rt2x00_set_field32(&tx_pin, TX_PIN_CFG_LNA_PE_G2_EN, +- rf->channel <= 14); ++ rt2x00_set_field32(&tx_pin, TX_PIN_CFG_LNA_PE_A2_EN, 1); ++ rt2x00_set_field32(&tx_pin, TX_PIN_CFG_LNA_PE_G2_EN, 1); + /* fall-through */ + case 2: + /* Turn on secondary LNAs */ +- rt2x00_set_field32(&tx_pin, TX_PIN_CFG_LNA_PE_A1_EN, +- rf->channel > 14); +- rt2x00_set_field32(&tx_pin, TX_PIN_CFG_LNA_PE_G1_EN, +- rf->channel <= 14); ++ rt2x00_set_field32(&tx_pin, TX_PIN_CFG_LNA_PE_A1_EN, 1); ++ rt2x00_set_field32(&tx_pin, TX_PIN_CFG_LNA_PE_G1_EN, 1); + /* fall-through */ + case 1: + /* Turn on primary LNAs */ +- rt2x00_set_field32(&tx_pin, TX_PIN_CFG_LNA_PE_A0_EN, +- rf->channel > 14); +- rt2x00_set_field32(&tx_pin, TX_PIN_CFG_LNA_PE_G0_EN, +- rf->channel <= 14); ++ rt2x00_set_field32(&tx_pin, TX_PIN_CFG_LNA_PE_A0_EN, 1); ++ rt2x00_set_field32(&tx_pin, TX_PIN_CFG_LNA_PE_G0_EN, 1); + break; + } + diff --git a/queue-5.2/series b/queue-5.2/series index b3188c74fed..98034ba1d73 100644 --- a/queue-5.2/series +++ b/queue-5.2/series @@ -19,3 +19,29 @@ ipv6-addrconf_f6i_alloc-fix-non-null-pointer-check-to-is_err.patch net-fixed_phy-add-forward-declaration-for-struct-gpio_desc.patch sctp-fix-the-missing-put_user-when-dumping-transport-thresholds.patch net-sock_map-fix-missing-ulp-check-in-sock-hash-case.patch +gpiolib-acpi-add-gpiolib_acpi_run_edge_events_on_boot-option-and-blacklist.patch +gpio-mockup-add-missing-single_release.patch +gpio-fix-line-flag-validation-in-linehandle_create.patch +gpio-fix-line-flag-validation-in-lineevent_create.patch +btrfs-fix-assertion-failure-during-fsync-and-use-of-stale-transaction.patch +cgroup-freezer-fix-frozen-state-inheritance.patch +revert-mmc-bcm2835-terminate-timeout-work-synchronously.patch +revert-mmc-sdhci-remove-unneeded-quirk2-flag-of-o2-sd-host-controller.patch +mmc-tmio-fixup-runtime-pm-management-during-probe.patch +mmc-tmio-fixup-runtime-pm-management-during-remove.patch +drm-lima-fix-lima_gem_wait-return-value.patch +drm-i915-limit-mst-to-8bpc-once-again.patch +drm-i915-restore-relaxed-padding-ocl_oob_suppres_enable-for-skl.patch +ipc-fix-semtimedop-for-generic-32-bit-architectures.patch +ipc-fix-sparc64-ipc-wrapper.patch +ixgbe-fix-double-clean-of-tx-descriptors-with-xdp.patch +ixgbe-prevent-u8-wrapping-of-itr-value-to-something-less-than-10us.patch +revert-rt2800-enable-tx_pin_cfg_lna_pe_-bits-per-band.patch +mt76-mt76x0e-disable-5ghz-band-for-mt7630e.patch +genirq-prevent-null-pointer-dereference-in-resend_irqs.patch +regulator-twl-voltage-lists-for-vdd1-2-on-twl4030.patch +kvm-s390-kvm_s390_vm_start_migration-check-dirty_bitmap-before-using-it-as-target-for-memset.patch +kvm-s390-do-not-leak-kernel-stack-data-in-the-kvm_s390_interrupt-ioctl.patch +kvm-x86-work-around-leak-of-uninitialized-stack-contents.patch +kvm-x86-mmu-reintroduce-fast-invalidate-zap-for-flushing-memslot.patch +kvm-nvmx-handle-page-fault-in-vmread.patch -- 2.47.3