From 80cbc9788eafe71bd979c10c74fe77f459b2d927 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Wed, 17 Jun 2020 13:38:02 -0400 Subject: [PATCH] Fixes for 4.19 
Signed-off-by: Sasha Levin --- ...1-mm-make-act_mm-respect-thread_size.patch | 65 ++++ ...4-cacheflush-fix-kgdb-trap-detection.patch | 64 ++++ ...wo-bugs-in-encoding-32-bit-logical-i.patch | 99 ++++++ ...du-from-idr-when-management-pkt-send.patch | 122 +++++++ ...reference-leak-in-audit_list_rules_s.patch | 103 ++++++ ...t-reference-leak-in-audit_send_reply.patch | 114 +++++++ ...t-disable-ethtool-link-speed-detecti.patch | 68 ++++ ...ount-underflow-in-bcache_device_free.patch | 92 ++++++ ...o-fallback-for-invalid-lmp-parameter.patch | 113 +++++++ ...add-2-missing-models-to-subver-table.patch | 54 +++ ...ong-location-to-get-firmware-feature.patch | 45 +++ ...ore-error-from-btrfs_next_leaf-when-.patch | 49 +++ ...k-qgroup-inconsistent-if-we-re-inher.patch | 124 +++++++ ...pb_timer-make-cpu-affiliation-being-.patch | 77 +++++ ...pb_timer_of-fix-missing-clockevent-t.patch | 74 +++++ ...idle-fix-three-reference-count-leaks.patch | 57 ++++ ...o-ccp-don-t-select-config_dmadevices.patch | 59 ++++ ...pto-chcr-fix-for-ccm-aes-failed-test.patch | 39 +++ ...o-stm32-crc32-fix-ext4-chksum-bug_on.patch | 183 +++++++++++ ...rypto-stm32-crc32-fix-multi-instance.patch | 122 +++++++ ...2-crc32-fix-run-time-self-test-issue.patch | 61 ++++ ...i-fix-typo-in-events-attribute-array.patch | 38 +++ ...11-extend-list-of-audio-sample-rates.patch | 50 +++ ...lay-mediatek-control-dpi-pins-mode-t.patch | 49 +++ ...-switch-variables-for-initialization.patch | 67 ++++ ...work-around-llvm-elf-quirk-build-reg.patch | 51 +++ ...tion-fixup-up-move-blocking-operatio.patch | 84 +++++ ...-fix-signed-integer-overflow-warning.patch | 56 ++++ ...direct-on-archs-with-page_size-above.patch | 48 +++ ...e-warn_console_unlocked-for-all-kgdb.patch | 74 +++++ ...fix-spurious-true-from-in_dbg_master.patch | 47 +++ ...inite-recursive-entries-to-the-debug.patch | 38 +++ ...mpi-fix-64-bit-mips-build-with-clang.patch | 69 ++++ ...n-t-call-via_flush_cache-on-mac-iifx.patch | 171 ++++++++++ 
...-skip-loopback-packets-in-rx-handler.patch | 102 ++++++ ...workqueue-unconditionally-in-md_open.patch | 163 +++++++++ ...e-shift-wrapping-warning-in-__cec_s_.patch | 56 ++++ ...rn-eremoteio-on-i2c-transfer-failure.patch | 43 +++ ...m-fcp-set-appropriate-dma-parameters.patch | 71 ++++ ...tter-check-for-running-tuner-in-init.patch | 61 ++++ ...ps-add-udelay-lpj-numbers-adjustment.patch | 127 ++++++++ ...an-invalid-error-code-of-intvn_-_err.patch | 53 +++ ...cing-when-call-handle_fpe-and-handle.patch | 54 +++ ...uild-ati-radeon-gpu-driver-as-module.patch | 46 +++ ...s-maar-use-more-precise-address-mask.patch | 50 +++ ...parse_init-using-top-down-allocation.patch | 98 ++++++ ...nk-address-into-32bit-for-32bit-kern.patch | 88 +++++ ...o-trigger-a-soft-reset-after-a-timeo.patch | 79 +++++ ...imx-fix-the-mask-for-tuning-start-po.patch | 38 +++ ...t-sdhci_quirk_multiblock_read_acmd12.patch | 39 +++ ...spect-the-cmd-busy_timeout-from-the-.patch | 65 ++++ ...t76-avoid-rx-reorder-buffer-overflow.patch | 80 +++++ ...ix-memory-corruption-in-dump_station.patch | 92 ++++++ ...x-use-correct-return-type-for-ndo_st.patch | 45 +++ ...t-atlantic-make-hw_get_regs-optional.patch | 45 +++ ...et-set-rx-mode-before-starting-netif.patch | 51 +++ ...r-returning-in-ena_com_get_hash_func.patch | 52 +++ ...-move-gpr-register-offset-and-bit-in.patch | 112 +++++++ ...ix-error-return-code-in-lpc_mii_init.patch | 38 +++ ...drop-multicast-packets-that-this-int.patch | 73 +++++ ...x-and-tx-default-ring-count-when-run.patch | 145 +++++++++ ...possible-buffer-overflow-caused-by-b.patch | 41 +++ ...t-return-eopnotsupp-if-type-or-flags.patch | 44 +++ ...e-refine-the-qemu-identify-cns-quirk.patch | 59 ++++ .../objtool-ignore-empty-alternatives.patch | 45 +++ ...e-decoding-when-mmio_always_on-is-se.patch | 39 +++ ...wmi-convert-simple_strtoul-to-kstrto.patch | 44 +++ ...el-hid-add-a-quirk-to-support-hp-spe.patch | 42 +++ ...el-vbtn-also-handle-tablet-mode-swit.patch | 70 ++++ 
...el-vbtn-do-not-advertise-switches-to.patch | 108 ++++++ ...el-vbtn-only-blacklist-sw_tablet_mod.patch | 83 +++++ ...el-vbtn-split-keymap-into-buttons-an.patch | 85 +++++ ...intel-vbtn-use-acpi_evaluate_integer.patch | 64 ++++ ...-spufs-fix-copy_to_user-while-atomic.patch | 284 ++++++++++++++++ ...double-free-in-_rtl_usb_tx_urb_setup.patch | 62 ++++ ...re-fix-illegal-rcu-from-offline-cpus.patch | 154 +++++++++ ...-fix-memory-leak-in-extract_build_id.patch | 36 ++ queue-4.19/series | 94 ++++++ ...terrupts-in-accordance-with-dma-xfer.patch | 70 ++++ .../spi-dw-fix-rx-only-dma-transfers.patch | 53 +++ ...y-value-retrieved-from-the-dma_trans.patch | 71 ++++ ...ma-tx-and-rx-configurations-on-stack.patch | 48 +++ ...spi-pxa2xx-apply-cs-clk-quirk-to-bxt.patch | 44 +++ ...d-ion-use-vmap-instead-of-vm_map_ram.patch | 69 ++++ ...sdio-respect-the-cmd-busy_timeout-fr.patch | 67 ++++ ...ompatibility-between-fortify_source-.patch | 308 ++++++++++++++++++ ...s-make-xxx__mountpoint-more-scalable.patch | 182 +++++++++++ ..._start-offset-on-redirect-xdp-frames.patch | 89 +++++ ...error-handling-path-in-wcn36xx_probe.patch | 56 ++++ ...-relocation-destination-on-old-linke.patch | 114 +++++++ ...explicitly-align-hcall-param-for-kvm.patch | 75 +++++ .../x86-mm-stop-printing-brk-addresses.patch | 37 +++ ...e-error-handling-in-xfs_swap_extents.patch | 36 ++ ...ate-verification-from-xfs_qm_dqflush.patch | 50 +++ ...-write-failure-state-on-successful-c.patch | 83 +++++ 95 files changed, 7398 insertions(+) create mode 100644 queue-4.19/arm-8978-1-mm-make-act_mm-respect-thread_size.patch create mode 100644 queue-4.19/arm64-cacheflush-fix-kgdb-trap-detection.patch create mode 100644 queue-4.19/arm64-insn-fix-two-bugs-in-encoding-32-bit-logical-i.patch create mode 100644 queue-4.19/ath10k-remove-msdu-from-idr-when-management-pkt-send.patch create mode 100644 queue-4.19/audit-fix-a-net-reference-leak-in-audit_list_rules_s.patch create mode 100644 
queue-4.19/audit-fix-a-net-reference-leak-in-audit_send_reply.patch create mode 100644 queue-4.19/batman-adv-revert-disable-ethtool-link-speed-detecti.patch create mode 100644 queue-4.19/bcache-fix-refcount-underflow-in-bcache_device_free.patch create mode 100644 queue-4.19/bluetooth-add-sco-fallback-for-invalid-lmp-parameter.patch create mode 100644 queue-4.19/bluetooth-btbcm-add-2-missing-models-to-subver-table.patch create mode 100644 queue-4.19/brcmfmac-fix-wrong-location-to-get-firmware-feature.patch create mode 100644 queue-4.19/btrfs-do-not-ignore-error-from-btrfs_next_leaf-when-.patch create mode 100644 queue-4.19/btrfs-qgroup-mark-qgroup-inconsistent-if-we-re-inher.patch create mode 100644 queue-4.19/clocksource-dw_apb_timer-make-cpu-affiliation-being-.patch create mode 100644 queue-4.19/clocksource-dw_apb_timer_of-fix-missing-clockevent-t.patch create mode 100644 queue-4.19/cpuidle-fix-three-reference-count-leaks.patch create mode 100644 queue-4.19/crypto-ccp-don-t-select-config_dmadevices.patch create mode 100644 queue-4.19/crypto-chcr-fix-for-ccm-aes-failed-test.patch create mode 100644 queue-4.19/crypto-stm32-crc32-fix-ext4-chksum-bug_on.patch create mode 100644 queue-4.19/crypto-stm32-crc32-fix-multi-instance.patch create mode 100644 queue-4.19/crypto-stm32-crc32-fix-run-time-self-test-issue.patch create mode 100644 queue-4.19/drivers-perf-hisi-fix-typo-in-events-attribute-array.patch create mode 100644 queue-4.19/drm-bridge-adv7511-extend-list-of-audio-sample-rates.patch create mode 100644 queue-4.19/dt-bindings-display-mediatek-control-dpi-pins-mode-t.patch create mode 100644 queue-4.19/e1000-distribute-switch-variables-for-initialization.patch create mode 100644 queue-4.19/efi-libstub-x86-work-around-llvm-elf-quirk-build-reg.patch create mode 100644 queue-4.19/exit-move-preemption-fixup-up-move-blocking-operatio.patch create mode 100644 queue-4.19/ixgbe-fix-signed-integer-overflow-warning.patch create mode 100644 
queue-4.19/ixgbe-fix-xdp-redirect-on-archs-with-page_size-above.patch create mode 100644 queue-4.19/kgdb-disable-warn_console_unlocked-for-all-kgdb.patch create mode 100644 queue-4.19/kgdb-fix-spurious-true-from-in_dbg_master.patch create mode 100644 queue-4.19/kgdb-prevent-infinite-recursive-entries-to-the-debug.patch create mode 100644 queue-4.19/lib-mpi-fix-64-bit-mips-build-with-clang.patch create mode 100644 queue-4.19/m68k-mac-don-t-call-via_flush_cache-on-mac-iifx.patch create mode 100644 queue-4.19/macvlan-skip-loopback-packets-in-rx-handler.patch create mode 100644 queue-4.19/md-don-t-flush-workqueue-unconditionally-in-md_open.patch create mode 100644 queue-4.19/media-cec-silence-shift-wrapping-warning-in-__cec_s_.patch create mode 100644 queue-4.19/media-dvb-return-eremoteio-on-i2c-transfer-failure.patch create mode 100644 queue-4.19/media-platform-fcp-set-appropriate-dma-parameters.patch create mode 100644 queue-4.19/media-si2157-better-check-for-running-tuner-in-init.patch create mode 100644 queue-4.19/mips-add-udelay-lpj-numbers-adjustment.patch create mode 100644 queue-4.19/mips-cm-fix-an-invalid-error-code-of-intvn_-_err.patch create mode 100644 queue-4.19/mips-fix-irq-tracing-when-call-handle_fpe-and-handle.patch create mode 100644 queue-4.19/mips-loongson-build-ati-radeon-gpu-driver-as-module.patch create mode 100644 queue-4.19/mips-maar-use-more-precise-address-mask.patch create mode 100644 queue-4.19/mips-make-sparse_init-using-top-down-allocation.patch create mode 100644 queue-4.19/mips-truncate-link-address-into-32bit-for-32bit-kern.patch create mode 100644 queue-4.19/mmc-meson-mx-sdio-trigger-a-soft-reset-after-a-timeo.patch create mode 100644 queue-4.19/mmc-sdhci-esdhc-imx-fix-the-mask-for-tuning-start-po.patch create mode 100644 queue-4.19/mmc-sdhci-msm-set-sdhci_quirk_multiblock_read_acmd12.patch create mode 100644 queue-4.19/mmc-via-sdmmc-respect-the-cmd-busy_timeout-from-the-.patch create mode 100644 
queue-4.19/mt76-avoid-rx-reorder-buffer-overflow.patch create mode 100644 queue-4.19/mwifiex-fix-memory-corruption-in-dump_station.patch create mode 100644 queue-4.19/net-allwinner-fix-use-correct-return-type-for-ndo_st.patch create mode 100644 queue-4.19/net-atlantic-make-hw_get_regs-optional.patch create mode 100644 queue-4.19/net-bcmgenet-set-rx-mode-before-starting-netif.patch create mode 100644 queue-4.19/net-ena-fix-error-returning-in-ena_com_get_hash_func.patch create mode 100644 queue-4.19/net-ethernet-fec-move-gpr-register-offset-and-bit-in.patch create mode 100644 queue-4.19/net-lpc-enet-fix-error-return-code-in-lpc_mii_init.patch create mode 100644 queue-4.19/net-mlx5e-ipoib-drop-multicast-packets-that-this-int.patch create mode 100644 queue-4.19/net-qed-reduce-rx-and-tx-default-ring-count-when-run.patch create mode 100644 queue-4.19/net-vmxnet3-fix-possible-buffer-overflow-caused-by-b.patch create mode 100644 queue-4.19/netfilter-nft_nat-return-eopnotsupp-if-type-or-flags.patch create mode 100644 queue-4.19/nvme-refine-the-qemu-identify-cns-quirk.patch create mode 100644 queue-4.19/objtool-ignore-empty-alternatives.patch create mode 100644 queue-4.19/pci-don-t-disable-decoding-when-mmio_always_on-is-se.patch create mode 100644 queue-4.19/platform-x86-hp-wmi-convert-simple_strtoul-to-kstrto.patch create mode 100644 queue-4.19/platform-x86-intel-hid-add-a-quirk-to-support-hp-spe.patch create mode 100644 queue-4.19/platform-x86-intel-vbtn-also-handle-tablet-mode-swit.patch create mode 100644 queue-4.19/platform-x86-intel-vbtn-do-not-advertise-switches-to.patch create mode 100644 queue-4.19/platform-x86-intel-vbtn-only-blacklist-sw_tablet_mod.patch create mode 100644 queue-4.19/platform-x86-intel-vbtn-split-keymap-into-buttons-an.patch create mode 100644 queue-4.19/platform-x86-intel-vbtn-use-acpi_evaluate_integer.patch create mode 100644 queue-4.19/powerpc-spufs-fix-copy_to_user-while-atomic.patch create mode 100644 
queue-4.19/rtlwifi-fix-a-double-free-in-_rtl_usb_tx_urb_setup.patch create mode 100644 queue-4.19/sched-core-fix-illegal-rcu-from-offline-cpus.patch create mode 100644 queue-4.19/selftests-bpf-fix-memory-leak-in-extract_build_id.patch create mode 100644 queue-4.19/spi-dw-enable-interrupts-in-accordance-with-dma-xfer.patch create mode 100644 queue-4.19/spi-dw-fix-rx-only-dma-transfers.patch create mode 100644 queue-4.19/spi-dw-return-any-value-retrieved-from-the-dma_trans.patch create mode 100644 queue-4.19/spi-dw-zero-dma-tx-and-rx-configurations-on-stack.patch create mode 100644 queue-4.19/spi-pxa2xx-apply-cs-clk-quirk-to-bxt.patch create mode 100644 queue-4.19/staging-android-ion-use-vmap-instead-of-vm_map_ram.patch create mode 100644 queue-4.19/staging-greybus-sdio-respect-the-cmd-busy_timeout-fr.patch create mode 100644 queue-4.19/string.h-fix-incompatibility-between-fortify_source-.patch create mode 100644 queue-4.19/tools-api-fs-make-xxx__mountpoint-more-scalable.patch create mode 100644 queue-4.19/veth-adjust-hard_start-offset-on-redirect-xdp-frames.patch create mode 100644 queue-4.19/wcn36xx-fix-error-handling-path-in-wcn36xx_probe.patch create mode 100644 queue-4.19/x86-boot-correct-relocation-destination-on-old-linke.patch create mode 100644 queue-4.19/x86-kvm-hyper-v-explicitly-align-hcall-param-for-kvm.patch create mode 100644 queue-4.19/x86-mm-stop-printing-brk-addresses.patch create mode 100644 queue-4.19/xfs-clean-up-the-error-handling-in-xfs_swap_extents.patch create mode 100644 queue-4.19/xfs-fix-duplicate-verification-from-xfs_qm_dqflush.patch create mode 100644 queue-4.19/xfs-reset-buffer-write-failure-state-on-successful-c.patch
diff --git a/queue-4.19/arm-8978-1-mm-make-act_mm-respect-thread_size.patch b/queue-4.19/arm-8978-1-mm-make-act_mm-respect-thread_size.patch
new file mode 100644
index 00000000000..d3f6ecf72b2
--- /dev/null
+++ b/queue-4.19/arm-8978-1-mm-make-act_mm-respect-thread_size.patch
@@ -0,0 +1,65 @@
+From 29cbcc1e9d856994c73f89407eefcae187f42be9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 19 May 2020 12:59:12 +0100
+Subject: ARM: 8978/1: mm: make act_mm() respect THREAD_SIZE
+
+From: Linus Walleij
+
+[ Upstream commit e1de94380af588bdf6ad6f0cc1f75004c35bc096 ]
+
+Recent work with KASan exposed the folling hard-coded bitmask
+in arch/arm/mm/proc-macros.S:
+
+ bic rd, sp, #8128
+ bic rd, rd, #63
+
+This forms the bitmask 0x1FFF that is coinciding with
+(PAGE_SIZE << THREAD_SIZE_ORDER) - 1, this code was assuming
+that THREAD_SIZE is always 8K (8192).
+
+As KASan was increasing THREAD_SIZE_ORDER to 2, I ran into
+this bug.
+
+Fix it by this little oneline suggested by Ard:
+
+ bic rd, sp, #(THREAD_SIZE - 1) & ~63
+
+Where THREAD_SIZE is defined using THREAD_SIZE_ORDER.
+
+We have to also include since the THREAD_SIZE
+expands to use the _AC() macro.
+
+Cc: Ard Biesheuvel
+Cc: Florian Fainelli
+Suggested-by: Ard Biesheuvel
+Signed-off-by: Linus Walleij
+Signed-off-by: Russell King
+Signed-off-by: Sasha Levin
+---
+ arch/arm/mm/proc-macros.S | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm/mm/proc-macros.S b/arch/arm/mm/proc-macros.S
+index 5461d589a1e2..60ac7c5999a9 100644
+--- a/arch/arm/mm/proc-macros.S
++++ b/arch/arm/mm/proc-macros.S
+@@ -5,6 +5,7 @@
+ * VMA_VM_FLAGS
+ * VM_EXEC
+ */
++#include
+ #include
+ #include
+
+@@ -30,7 +31,7 @@
+ * act_mm - get current->active_mm
+ */
+ .macro act_mm, rd
+- bic \rd, sp, #8128
++ bic \rd, sp, #(THREAD_SIZE - 1) & ~63
+ bic \rd, \rd, #63
+ ldr \rd, [\rd, #TI_TASK]
+ .if (TSK_ACTIVE_MM > IMM12_MASK)
+--
+2.25.1
+
diff --git a/queue-4.19/arm64-cacheflush-fix-kgdb-trap-detection.patch b/queue-4.19/arm64-cacheflush-fix-kgdb-trap-detection.patch
new file mode 100644
index 00000000000..fa386261ee3
--- /dev/null
+++ b/queue-4.19/arm64-cacheflush-fix-kgdb-trap-detection.patch
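Review bot: In the queued arm-8978-1 patch, the new `bic \rd, sp, #(THREAD_SIZE - 1) & ~63` in `act_mm` has no comment saying why the mask is cleared in two steps or what constrains it. The operand must still be encodable as a single ARM immediate, which presumably holds for the 8K and 16K stacks the commit message discusses, while a larger THREAD_SIZE would be rejected at assembly time rather than misbehave silently. I would extend the existing `act_mm - get current->active_mm` comment block with a line such as `* sp is masked in two bic steps; each mask must fit an ARM immediate, so THREAD_SIZE cannot grow freely`. The macro body continues past the end of the inner hunk.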
@@ -0,0 +1,64 @@
+From 914d84eda73466823b012ca9a24c18b5ffb2b8d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 4 May 2020 18:05:18 +0100
+Subject: arm64: cacheflush: Fix KGDB trap detection
+
+From: Daniel Thompson
+
+[ Upstream commit ab8ad279ceac4fc78ae4dcf1a26326e05695e537 ]
+
+flush_icache_range() contains a bodge to avoid issuing IPIs when the kgdb
+trap handler is running because issuing IPIs is unsafe (and not needed)
+in this execution context. However the current test, based on
+kgdb_connected is flawed: it both over-matches and under-matches.
+
+The over match occurs because kgdb_connected is set when gdb attaches
+to the stub and remains set during normal running. This is relatively
+harmelss because in almost all cases irq_disabled() will be false.
+
+The under match is more serious. When kdb is used instead of kgdb to access
+the debugger then kgdb_connected is not set in all the places that the
+debug core updates sw breakpoints (and hence flushes the icache). This
+can lead to deadlock.
+
+Fix by replacing the ad-hoc check with the proper kgdb macro. This also
+allows us to drop the #ifdef wrapper.
+
+Fixes: 3b8c9f1cdfc5 ("arm64: IPI each CPU after invalidating the I-cache for kernel mappings")
+Signed-off-by: Daniel Thompson
+Reviewed-by: Douglas Anderson
+Link: https://lore.kernel.org/r/20200504170518.2959478-1-daniel.thompson@linaro.org
+Signed-off-by: Will Deacon
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/include/asm/cacheflush.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/include/asm/cacheflush.h b/arch/arm64/include/asm/cacheflush.h
+index 19844211a4e6..a449a1c602d3 100644
+--- a/arch/arm64/include/asm/cacheflush.h
++++ b/arch/arm64/include/asm/cacheflush.h
+@@ -90,7 +90,7 @@ static inline void flush_icache_range(unsigned long start, unsigned long end)
+ * IPI all online CPUs so that they undergo a context synchronization
+ * event and are forced to refetch the new instructions.
+ */
+-#ifdef CONFIG_KGDB
++
+ /*
+ * KGDB performs cache maintenance with interrupts disabled, so we
+ * will deadlock trying to IPI the secondary CPUs. In theory, we can
+@@ -100,9 +100,9 @@ static inline void flush_icache_range(unsigned long start, unsigned long end)
+ * the patching operation, so we don't need extra IPIs here anyway.
+ * In which case, add a KGDB-specific bodge and return early.
+ */
+- if (kgdb_connected && irqs_disabled())
++ if (in_dbg_master())
+ return;
+-#endif
++
+ kick_all_cpus_sync();
+ }
+
+--
+2.25.1
+
diff --git a/queue-4.19/arm64-insn-fix-two-bugs-in-encoding-32-bit-logical-i.patch b/queue-4.19/arm64-insn-fix-two-bugs-in-encoding-32-bit-logical-i.patch
new file mode 100644
index 00000000000..8d6f0bdf596
--- /dev/null
+++ b/queue-4.19/arm64-insn-fix-two-bugs-in-encoding-32-bit-logical-i.patch
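Review bot: In the arm64 cacheflush patch, the early return in `flush_icache_range()` now depends entirely on `in_dbg_master()`, so any false positive from that macro skips `kick_all_cpus_sync()` and the other CPUs miss the context synchronisation the preceding comment requires. The diffstat of this queue also lists kgdb-fix-spurious-true-from-in_dbg_master.patch; the two should land together, ordered so this check never sits on top of the unfixed macro (the series file is not visible here, so I cannot confirm the order). The retained comment still describes a test keyed on interrupts being disabled; a short update such as `/* in_dbg_master(): this CPU is the kgdb/kdb master, so IPIs would deadlock */` would match the new condition. The function body starts outside the hunk.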
@@ -0,0 +1,99 @@
+From fbe14b2a520aaa916ea2e4177f606264cbdabb57 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 8 May 2020 11:15:44 -0700
+Subject: arm64: insn: Fix two bugs in encoding 32-bit logical immediates
+
+From: Luke Nelson
+
+[ Upstream commit 579d1b3faa3735e781ff74aac0afd598515dbc63 ]
+
+This patch fixes two issues present in the current function for encoding
+arm64 logical immediates when using the 32-bit variants of instructions.
+
+First, the code does not correctly reject an all-ones 32-bit immediate,
+and returns an undefined instruction encoding.
+
+Second, the code incorrectly rejects some 32-bit immediates that are
+actually encodable as logical immediates. The root cause is that the code
+uses a default mask of 64-bit all-ones, even for 32-bit immediates.
+This causes an issue later on when the default mask is used to fill the
+top bits of the immediate with ones, shown here:
+
+ /*
+ * Pattern: 0..01..10..01..1
+ *
+ * Fill the unused top bits with ones, and check if
+ * the result is a valid immediate (all ones with a
+ * contiguous ranges of zeroes).
+ */
+ imm |= ~mask;
+ if (!range_of_ones(~imm))
+ return AARCH64_BREAK_FAULT;
+
+To see the problem, consider an immediate of the form 0..01..10..01..1,
+where the upper 32 bits are zero, such as 0x80000001. The code checks
+if ~(imm | ~mask) contains a range of ones: the incorrect mask yields
+1..10..01..10..0, which fails the check; the correct mask yields
+0..01..10..0, which succeeds.
+
+The fix for both issues is to generate a correct mask based on the
+instruction immediate size, and use the mask to check for all-ones,
+all-zeroes, and values wider than the mask.
+
+Currently, arch/arm64/kvm/va_layout.c is the only user of this function,
+which uses 64-bit immediates and therefore won't trigger these bugs.
+
+We tested the new code against llvm-mc with all 1,302 encodable 32-bit
+logical immediates and all 5,334 encodable 64-bit logical immediates.
+
+Fixes: ef3935eeebff ("arm64: insn: Add encoder for bitwise operations using literals")
+Suggested-by: Will Deacon
+Co-developed-by: Xi Wang
+Signed-off-by: Xi Wang
+Signed-off-by: Luke Nelson
+Reviewed-by: Marc Zyngier
+Link: https://lore.kernel.org/r/20200508181547.24783-2-luke.r.nels@gmail.com
+Signed-off-by: Will Deacon
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/kernel/insn.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/arch/arm64/kernel/insn.c b/arch/arm64/kernel/insn.c
+index 3e6229e30109..cd37edbdedcb 100644
+--- a/arch/arm64/kernel/insn.c
++++ b/arch/arm64/kernel/insn.c
+@@ -1490,16 +1490,10 @@ static u32 aarch64_encode_immediate(u64 imm,
+ u32 insn)
+ {
+ unsigned int immr, imms, n, ones, ror, esz, tmp;
+- u64 mask = ~0UL;
+-
+- /* Can't encode full zeroes or full ones */
+- if (!imm || !~imm)
+- return AARCH64_BREAK_FAULT;
++ u64 mask;
+
+ switch (variant) {
+ case AARCH64_INSN_VARIANT_32BIT:
+- if (upper_32_bits(imm))
+- return AARCH64_BREAK_FAULT;
+ esz = 32;
+ break;
+ case AARCH64_INSN_VARIANT_64BIT:
+@@ -1511,6 +1505,12 @@ static u32 aarch64_encode_immediate(u64 imm,
+ return AARCH64_BREAK_FAULT;
+ }
+
++ mask = GENMASK(esz - 1, 0);
++
++ /* Can't encode full zeroes, full ones, or value wider than the mask */
++ if (!imm || imm == mask || imm & ~mask)
++ return AARCH64_BREAK_FAULT;
++
+ /*
+ * Inverse of Replicate(). Try to spot a repeating pattern
+ * with a pow2 stride.
+--
+2.25.1
+
diff --git a/queue-4.19/ath10k-remove-msdu-from-idr-when-management-pkt-send.patch b/queue-4.19/ath10k-remove-msdu-from-idr-when-management-pkt-send.patch
new file mode 100644
index 00000000000..42aade268ee
--- /dev/null
+++ b/queue-4.19/ath10k-remove-msdu-from-idr-when-management-pkt-send.patch
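Review bot: In the arm64 insn patch, `mask` is declared `u64` but built with `GENMASK(esz - 1, 0)`, which yields an `unsigned long`; the widths agree on arm64, so this is a readability point rather than a defect, and `GENMASK_ULL(esz - 1, 0)` would state the intended width. The combined test would also read more safely with explicit grouping, `if (!imm || imm == mask || (imm & ~mask))`. The 64-bit case of the `switch` and the rest of `aarch64_encode_immediate()` lie outside the hunks, so I am assuming `esz` can only be 32 or 64 when the mask is computed.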
@@ -0,0 +1,122 @@
+From 53defb7534215b7bc02a7571a4c7d49b0521de22 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 8 May 2020 05:55:18 +0300
+Subject: ath10k: Remove msdu from idr when management pkt send fails
+
+From: Rakesh Pillai
+
+[ Upstream commit c730c477176ad4af86d9aae4d360a7ad840b073a ]
+
+Currently when the sending of any management pkt
+via wmi command fails, the packet is being unmapped
+freed in the error handling. But the idr entry added,
+which is used to track these packet is not getting removed.
+
+Hence, during unload, in wmi cleanup, all the entries
+in IDR are removed and the corresponding buffer is
+attempted to be freed. This can cause a situation where
+one packet is attempted to be freed twice.
+
+Fix this error by rmeoving the msdu from the idr
+list when the sending of a management packet over
+wmi fails.
+
+Tested HW: WCN3990
+Tested FW: WLAN.HL.3.1-01040-QCAHLSWMTPLZ-1
+
+Fixes: 1807da49733e ("ath10k: wmi: add management tx by reference support over wmi")
+Signed-off-by: Rakesh Pillai
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/1588667015-25490-1-git-send-email-pillair@codeaurora.org
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath10k/mac.c | 3 +++
+ drivers/net/wireless/ath/ath10k/wmi-ops.h | 10 ++++++++++
+ drivers/net/wireless/ath/ath10k/wmi-tlv.c | 15 +++++++++++++++
+ 3 files changed, 28 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c
+index a09d7a07e90a..81af403c19c2 100644
+--- a/drivers/net/wireless/ath/ath10k/mac.c
++++ b/drivers/net/wireless/ath/ath10k/mac.c
+@@ -3852,6 +3852,9 @@ void ath10k_mgmt_over_wmi_tx_work(struct work_struct *work)
+ if (ret) {
+ ath10k_warn(ar, "failed to transmit management frame by ref via WMI: %d\n",
+ ret);
++ /* remove this msdu from idr tracking */
++ ath10k_wmi_cleanup_mgmt_tx_send(ar, skb);
++
+ dma_unmap_single(ar->dev, paddr, skb->len,
+ DMA_TO_DEVICE);
+ ieee80211_free_txskb(ar->hw, skb);
+diff --git a/drivers/net/wireless/ath/ath10k/wmi-ops.h b/drivers/net/wireless/ath/ath10k/wmi-ops.h
+index 7fd63bbf8e24..b6cd33fa79f8 100644
+--- a/drivers/net/wireless/ath/ath10k/wmi-ops.h
++++ b/drivers/net/wireless/ath/ath10k/wmi-ops.h
+@@ -139,6 +139,7 @@ struct wmi_ops {
+ struct sk_buff *(*gen_mgmt_tx_send)(struct ath10k *ar,
+ struct sk_buff *skb,
+ dma_addr_t paddr);
++ int (*cleanup_mgmt_tx_send)(struct ath10k *ar, struct sk_buff *msdu);
+ struct sk_buff *(*gen_dbglog_cfg)(struct ath10k *ar, u64 module_enable,
+ u32 log_level);
+ struct sk_buff *(*gen_pktlog_enable)(struct ath10k *ar, u32 filter);
+@@ -431,6 +432,15 @@ ath10k_wmi_get_txbf_conf_scheme(struct ath10k *ar)
+ return ar->wmi.ops->get_txbf_conf_scheme(ar);
+ }
+
++static inline int
++ath10k_wmi_cleanup_mgmt_tx_send(struct ath10k *ar, struct sk_buff *msdu)
++{
++ if (!ar->wmi.ops->cleanup_mgmt_tx_send)
++ return -EOPNOTSUPP;
++
++ return ar->wmi.ops->cleanup_mgmt_tx_send(ar, msdu);
++}
++
+ static inline int
+ ath10k_wmi_mgmt_tx_send(struct ath10k *ar, struct sk_buff *msdu,
+ dma_addr_t paddr)
+diff --git a/drivers/net/wireless/ath/ath10k/wmi-tlv.c b/drivers/net/wireless/ath/ath10k/wmi-tlv.c
+index 248decb494c2..7f435fa29f75 100644
+--- a/drivers/net/wireless/ath/ath10k/wmi-tlv.c
++++ b/drivers/net/wireless/ath/ath10k/wmi-tlv.c
+@@ -2638,6 +2638,18 @@ ath10k_wmi_tlv_op_gen_request_stats(struct ath10k *ar, u32 stats_mask)
+ return skb;
+ }
+
++static int
++ath10k_wmi_tlv_op_cleanup_mgmt_tx_send(struct ath10k *ar,
++ struct sk_buff *msdu)
++{
++ struct ath10k_skb_cb *cb = ATH10K_SKB_CB(msdu);
++ struct ath10k_wmi *wmi = &ar->wmi;
++
++ idr_remove(&wmi->mgmt_pending_tx, cb->msdu_id);
++
++ return 0;
++}
++
+ static int
+ ath10k_wmi_mgmt_tx_alloc_msdu_id(struct ath10k *ar, struct sk_buff *skb,
+ dma_addr_t paddr)
+@@ -2710,6 +2722,8 @@ ath10k_wmi_tlv_op_gen_mgmt_tx_send(struct ath10k *ar, struct sk_buff *msdu,
+ if (desc_id < 0)
+ goto err_free_skb;
+
++ cb->msdu_id = desc_id;
++
+ ptr = (void *)skb->data;
+ tlv = ptr;
+ tlv->tag = __cpu_to_le16(WMI_TLV_TAG_STRUCT_MGMT_TX_CMD);
+@@ -3949,6 +3963,7 @@ static const struct wmi_ops wmi_tlv_ops = {
+ .gen_force_fw_hang = ath10k_wmi_tlv_op_gen_force_fw_hang,
+ /* .gen_mgmt_tx = not implemented; HTT is used */
+ .gen_mgmt_tx_send = ath10k_wmi_tlv_op_gen_mgmt_tx_send,
++ .cleanup_mgmt_tx_send = ath10k_wmi_tlv_op_cleanup_mgmt_tx_send,
+ .gen_dbglog_cfg = ath10k_wmi_tlv_op_gen_dbglog_cfg,
+ .gen_pktlog_enable = ath10k_wmi_tlv_op_gen_pktlog_enable,
+ .gen_pktlog_disable = ath10k_wmi_tlv_op_gen_pktlog_disable,
+--
+2.25.1
+
diff --git a/queue-4.19/audit-fix-a-net-reference-leak-in-audit_list_rules_s.patch b/queue-4.19/audit-fix-a-net-reference-leak-in-audit_list_rules_s.patch
new file mode 100644
index 00000000000..3e51beb31ce
--- /dev/null
+++ b/queue-4.19/audit-fix-a-net-reference-leak-in-audit_list_rules_s.patch
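Review bot: In the ath10k patch, the error branch in `ath10k_mgmt_over_wmi_tx_work()` calls `ath10k_wmi_cleanup_mgmt_tx_send()` on every send failure, yet `cb->msdu_id` is assigned in `ath10k_wmi_tlv_op_gen_mgmt_tx_send()` only after the id allocation has succeeded. If the send fails earlier, for example on the `desc_id < 0` path visible in the hunk, `idr_remove()` would run with whatever value `msdu_id` already held and could drop the tracking entry of a different, still-pending frame; whether the field is initialised elsewhere is not visible here. Consider a sentinel meaning "no id allocated" that the cleanup op checks before removing and that is restored after removal. The cleanup op also calls `idr_remove()` with no lock taken, so if the allocation helper (body outside the hunk) serialises access to `mgmt_pending_tx`, the removal should use the same lock. All three function bodies extend beyond the hunks shown.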
@@ -0,0 +1,103 @@
+From cb64a003ee5410860fb1810bdac492097ea50fcf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 21 Apr 2020 09:10:56 -0400
+Subject: audit: fix a net reference leak in audit_list_rules_send()
+
+From: Paul Moore
+
+[ Upstream commit 3054d06719079388a543de6adb812638675ad8f5 ]
+
+If audit_list_rules_send() fails when trying to create a new thread
+to send the rules it also fails to cleanup properly, leaking a
+reference to a net structure. This patch fixes the error patch and
+renames audit_send_list() to audit_send_list_thread() to better
+match its cousin, audit_send_reply_thread().
+
+Reported-by: teroincn@gmail.com
+Reviewed-by: Richard Guy Briggs
+Signed-off-by: Paul Moore
+Signed-off-by: Sasha Levin
+---
+ kernel/audit.c | 2 +-
+ kernel/audit.h | 2 +-
+ kernel/auditfilter.c | 16 +++++++---------
+ 3 files changed, 9 insertions(+), 11 deletions(-)
+
+diff --git a/kernel/audit.c b/kernel/audit.c
+index 20c78480d632..45741c3c48a4 100644
+--- a/kernel/audit.c
++++ b/kernel/audit.c
+@@ -893,7 +893,7 @@ main_queue:
+ return 0;
+ }
+
+-int audit_send_list(void *_dest)
++int audit_send_list_thread(void *_dest)
+ {
+ struct audit_netlink_list *dest = _dest;
+ struct sk_buff *skb;
+diff --git a/kernel/audit.h b/kernel/audit.h
+index 214e14948370..99badd7ba56f 100644
+--- a/kernel/audit.h
++++ b/kernel/audit.h
+@@ -248,7 +248,7 @@ struct audit_netlink_list {
+ struct sk_buff_head q;
+ };
+
+-int audit_send_list(void *_dest);
++int audit_send_list_thread(void *_dest);
+
+ extern int selinux_audit_rule_update(void);
+
+diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
+index 1c8a48abda80..b2cc63ca0068 100644
+--- a/kernel/auditfilter.c
++++ b/kernel/auditfilter.c
+@@ -1157,11 +1157,8 @@ int audit_rule_change(int type, int seq, void *data, size_t datasz)
+ */
+ int audit_list_rules_send(struct sk_buff *request_skb, int seq)
+ {
+- u32 portid = NETLINK_CB(request_skb).portid;
+- struct net *net = sock_net(NETLINK_CB(request_skb).sk);
+ struct task_struct *tsk;
+ struct audit_netlink_list *dest;
+- int err = 0;
+
+ /* We can't just spew out the rules here because we might fill
+ * the available socket buffer space and deadlock waiting for
+@@ -1169,25 +1166,26 @@ int audit_list_rules_send(struct sk_buff *request_skb, int seq)
+ * happen if we're actually running in the context of auditctl
+ * trying to _send_ the stuff */
+
+- dest = kmalloc(sizeof(struct audit_netlink_list), GFP_KERNEL);
++ dest = kmalloc(sizeof(*dest), GFP_KERNEL);
+ if (!dest)
+ return -ENOMEM;
+- dest->net = get_net(net);
+- dest->portid = portid;
++ dest->net = get_net(sock_net(NETLINK_CB(request_skb).sk));
++ dest->portid = NETLINK_CB(request_skb).portid;
+ skb_queue_head_init(&dest->q);
+
+ mutex_lock(&audit_filter_mutex);
+ audit_list_rules(seq, &dest->q);
+ mutex_unlock(&audit_filter_mutex);
+
+- tsk = kthread_run(audit_send_list, dest, "audit_send_list");
++ tsk = kthread_run(audit_send_list_thread, dest, "audit_send_list");
+ if (IS_ERR(tsk)) {
+ skb_queue_purge(&dest->q);
++ put_net(dest->net);
+ kfree(dest);
+- err = PTR_ERR(tsk);
++ return PTR_ERR(tsk);
+ }
+
+- return err;
++ return 0;
+ }
+
+ int audit_comparator(u32 left, u32 op, u32 right)
+--
+2.25.1
+
diff --git a/queue-4.19/audit-fix-a-net-reference-leak-in-audit_send_reply.patch b/queue-4.19/audit-fix-a-net-reference-leak-in-audit_send_reply.patch
new file mode 100644
index 00000000000..54b7b85c7e1
--- /dev/null
+++ b/queue-4.19/audit-fix-a-net-reference-leak-in-audit_send_reply.patch
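Review bot: In the audit_list_rules_send() patch, nothing in the function records that `dest`, its queued skbs and the `get_net()` reference pass to `audit_send_list_thread()` once `kthread_run()` succeeds, which is the invariant this fix relies on. I would add above the `kthread_run()` call `/* on success the thread owns dest, dest->q and the net reference */`, so a later error path neither frees them twice nor, as before this change, leaves the reference held. The thread function's release side is only partly visible in the kernel/audit.c hunk, so the matching `put_net()` there is assumed rather than confirmed.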
@@ -0,0 +1,114 @@ +From 2d4f5e7f9e51e2bd597dcac9e29dfe27dbd618ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Apr 2020 10:09:29 -0400 +Subject: audit: fix a net reference leak in audit_send_reply() + +From: Paul Moore + +[ Upstream commit a48b284b403a4a073d8beb72d2bb33e54df67fb6 ] + +If audit_send_reply() fails when trying to create a new thread to +send the reply it also fails to cleanup properly, leaking a reference +to a net structure. This patch fixes the error path and makes a +handful of other cleanups that came up while fixing the code. + +Reported-by: teroincn@gmail.com +Reviewed-by: Richard Guy Briggs +Signed-off-by: Paul Moore +Signed-off-by: Sasha Levin +--- + kernel/audit.c | 50 +++++++++++++++++++++++++++++--------------------- + 1 file changed, 29 insertions(+), 21 deletions(-) + +diff --git a/kernel/audit.c b/kernel/audit.c +index 7afec5f43c63..20c78480d632 100644 +--- a/kernel/audit.c ++++ b/kernel/audit.c +@@ -937,19 +937,30 @@ out_kfree_skb: + return NULL; + } + ++static void audit_free_reply(struct audit_reply *reply) ++{ ++ if (!reply) ++ return; ++ ++ if (reply->skb) ++ kfree_skb(reply->skb); ++ if (reply->net) ++ put_net(reply->net); ++ kfree(reply); ++} ++ + static int audit_send_reply_thread(void *arg) + { + struct audit_reply *reply = (struct audit_reply *)arg; +- struct sock *sk = audit_get_sk(reply->net); + + audit_ctl_lock(); + audit_ctl_unlock(); + + /* Ignore failure. It'll only happen if the sender goes away, + because our timeout is set to infinite. */ +- netlink_unicast(sk, reply->skb, reply->portid, 0); +- put_net(reply->net); +- kfree(reply); ++ netlink_unicast(audit_get_sk(reply->net), reply->skb, reply->portid, 0); ++ reply->skb = NULL; ++ audit_free_reply(reply); + return 0; + } + +@@ -963,35 +974,32 @@ static int audit_send_reply_thread(void *arg) + * @payload: payload data + * @size: payload size + * +- * Allocates an skb, builds the netlink message, and sends it to the port id. +- * No failure notifications. 
++ * Allocates a skb, builds the netlink message, and sends it to the port id. + */ + static void audit_send_reply(struct sk_buff *request_skb, int seq, int type, int done, + int multi, const void *payload, int size) + { +- struct net *net = sock_net(NETLINK_CB(request_skb).sk); +- struct sk_buff *skb; + struct task_struct *tsk; +- struct audit_reply *reply = kmalloc(sizeof(struct audit_reply), +- GFP_KERNEL); ++ struct audit_reply *reply; + ++ reply = kzalloc(sizeof(*reply), GFP_KERNEL); + if (!reply) + return; + +- skb = audit_make_reply(seq, type, done, multi, payload, size); +- if (!skb) +- goto out; +- +- reply->net = get_net(net); ++ reply->skb = audit_make_reply(seq, type, done, multi, payload, size); ++ if (!reply->skb) ++ goto err; ++ reply->net = get_net(sock_net(NETLINK_CB(request_skb).sk)); + reply->portid = NETLINK_CB(request_skb).portid; +- reply->skb = skb; + + tsk = kthread_run(audit_send_reply_thread, reply, "audit_send_reply"); +- if (!IS_ERR(tsk)) +- return; +- kfree_skb(skb); +-out: +- kfree(reply); ++ if (IS_ERR(tsk)) ++ goto err; ++ ++ return; ++ ++err: ++ audit_free_reply(reply); + } + + /* +-- +2.25.1 + diff --git a/queue-4.19/batman-adv-revert-disable-ethtool-link-speed-detecti.patch b/queue-4.19/batman-adv-revert-disable-ethtool-link-speed-detecti.patch new file mode 100644 index 00000000000..080039c843e --- /dev/null +++ b/queue-4.19/batman-adv-revert-disable-ethtool-link-speed-detecti.patch 
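Review bot: The kernel-doc for audit_send_reply() drops the sentence "No failure notifications." although the function still returns void and the `kzalloc()`, `audit_make_reply()` and `kthread_run()` failures all end in a silent return. A reader of the comment can no longer tell that a reply may be lost, so I would keep the line, e.g. ` * No failure notifications: allocation and thread-creation errors are dropped.` In audit_free_reply() the `if (reply->skb)` guard looks redundant, since kfree_skb() accepts NULL as far as I know. The `reply->net` guard is needed, and it depends on `kzalloc()` having zeroed the struct, which deserves a short comment at the allocation.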
@@ -0,0 +1,68 @@ +From 30563b24214ee13950f5afd11b5ce5a81ac9af10 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Nov 2019 10:46:50 +0100 +Subject: batman-adv: Revert "disable ethtool link speed detection when auto + negotiation off" + +From: Sven Eckelmann + +[ Upstream commit 9ad346c90509ebd983f60da7d082f261ad329507 ] + +The commit 8c46fcd78308 ("batman-adv: disable ethtool link speed detection +when auto negotiation off") disabled the usage of ethtool's link_ksetting +when auto negotation was enabled due to invalid values when used with +tun/tap virtual net_devices. According to the patch, automatic measurements +should be used for these kind of interfaces. + +But there are major flaws with this argumentation: + +* automatic measurements are not implemented +* auto negotiation has nothing to do with the validity of the retrieved + values + +The first point has to be fixed by a longer patch series. The "validity" +part of the second point must be addressed in the same patch series by +dropping the usage of ethtool's link_ksetting (thus always doing automatic +measurements over ethernet). + +Drop the patch again to have more default values for various net_device +types/configurations. The user can still overwrite them using the +batadv_hardif's BATADV_ATTR_THROUGHPUT_OVERRIDE. 
+ +Reported-by: Matthias Schiffer +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +--- + net/batman-adv/bat_v_elp.c | 15 +-------------- + 1 file changed, 1 insertion(+), 14 deletions(-) + +diff --git a/net/batman-adv/bat_v_elp.c b/net/batman-adv/bat_v_elp.c +index 5da183b2f4c9..af3da6cdfc79 100644 +--- a/net/batman-adv/bat_v_elp.c ++++ b/net/batman-adv/bat_v_elp.c +@@ -132,20 +132,7 @@ static u32 batadv_v_elp_get_throughput(struct batadv_hardif_neigh_node *neigh) + rtnl_lock(); + ret = __ethtool_get_link_ksettings(hard_iface->net_dev, &link_settings); + rtnl_unlock(); +- +- /* Virtual interface drivers such as tun / tap interfaces, VLAN, etc +- * tend to initialize the interface throughput with some value for the +- * sake of having a throughput number to export via ethtool. This +- * exported throughput leaves batman-adv to conclude the interface +- * throughput is genuine (reflecting reality), thus no measurements +- * are necessary. +- * +- * Based on the observation that those interface types also tend to set +- * the link auto-negotiation to 'off', batman-adv shall check this +- * setting to differentiate between genuine link throughput information +- * and placeholders installed by virtual interfaces. +- */ +- if (ret == 0 && link_settings.base.autoneg == AUTONEG_ENABLE) { ++ if (ret == 0) { + /* link characteristics might change over time */ + if (link_settings.base.duplex == DUPLEX_FULL) + hard_iface->bat_v.flags |= BATADV_FULL_DUPLEX; +-- +2.25.1 + diff --git a/queue-4.19/bcache-fix-refcount-underflow-in-bcache_device_free.patch b/queue-4.19/bcache-fix-refcount-underflow-in-bcache_device_free.patch new file mode 100644 index 00000000000..5e5497f80a5 --- /dev/null +++ b/queue-4.19/bcache-fix-refcount-underflow-in-bcache_device_free.patch 
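Review bot: The revert in batadv_v_elp_get_throughput() deletes the only comment saying that virtual interfaces (tun/tap, VLAN) may export a placeholder speed through ethtool, yet the new `if (ret == 0)` branch now accepts that value for every interface. The commit message itself says the validity question is still open, so a short replacement comment would keep that caveat visible, e.g. `/* speed may be a placeholder on virtual devices; see BATADV_ATTR_THROUGHPUT_OVERRIDE */`. The code that consumes `link_settings.base.speed` is outside this hunk, so whether it filters unknown or zero speeds cannot be checked here.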
@@ -0,0 +1,92 @@ +From e5e751fcf1ef0a047d5fc9498eef460e936c2ef9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 May 2020 12:01:53 +0800 +Subject: bcache: fix refcount underflow in bcache_device_free() + +From: Coly Li + +[ Upstream commit 86da9f736740eba602389908574dfbb0f517baa5 ] + +The problematic code piece in bcache_device_free() is, + + 785 static void bcache_device_free(struct bcache_device *d) + 786 { + 787 struct gendisk *disk = d->disk; + [snipped] + 799 if (disk) { + 800 if (disk->flags & GENHD_FL_UP) + 801 del_gendisk(disk); + 802 + 803 if (disk->queue) + 804 blk_cleanup_queue(disk->queue); + 805 + 806 ida_simple_remove(&bcache_device_idx, + 807 first_minor_to_idx(disk->first_minor)); + 808 put_disk(disk); + 809 } + [snipped] + 816 } + +At line 808, put_disk(disk) may encounter kobject refcount of 'disk' +being underflow. + +Here is how to reproduce the issue, +- Attche the backing device to a cache device and do random write to + make the cache being dirty. +- Stop the bcache device while the cache device has dirty data of the + backing device. +- Only register the backing device back, NOT register cache device. +- The bcache device node /dev/bcache0 won't show up, because backing + device waits for the cache device shows up for the missing dirty + data. +- Now echo 1 into /sys/fs/bcache/pendings_cleanup, to stop the pending + backing device. +- After the pending backing device stopped, use 'dmesg' to check kernel + message, a use-after-free warning from KASA reported the refcount of + kobject linked to the 'disk' is underflow. + +The dropping refcount at line 808 in the above code piece is added by +add_disk(d->disk) in bch_cached_dev_run(). But in the above condition +the cache device is not registered, bch_cached_dev_run() has no chance +to be called and the refcount is not added. The put_disk() for a non- +added refcount of gendisk kobject triggers a underflow warning. 
+ +This patch checks whether GENHD_FL_UP is set in disk->flags, if it is +not set then the bcache device was not added, don't call put_disk() +and the the underflow issue can be avoided. + +Signed-off-by: Coly Li +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/md/bcache/super.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c +index 5b5cbfadd003..68ebc2759c2e 100644 +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -775,7 +775,9 @@ static void bcache_device_free(struct bcache_device *d) + bcache_device_detach(d); + + if (disk) { +- if (disk->flags & GENHD_FL_UP) ++ bool disk_added = (disk->flags & GENHD_FL_UP) != 0; ++ ++ if (disk_added) + del_gendisk(disk); + + if (disk->queue) +@@ -783,7 +785,8 @@ static void bcache_device_free(struct bcache_device *d) + + ida_simple_remove(&bcache_device_idx, + first_minor_to_idx(disk->first_minor)); +- put_disk(disk); ++ if (disk_added) ++ put_disk(disk); + } + + bioset_exit(&d->bio_split); +-- +2.25.1 + diff --git a/queue-4.19/bluetooth-add-sco-fallback-for-invalid-lmp-parameter.patch b/queue-4.19/bluetooth-add-sco-fallback-for-invalid-lmp-parameter.patch new file mode 100644 index 00000000000..a7ed89e9f02 --- /dev/null +++ b/queue-4.19/bluetooth-add-sco-fallback-for-invalid-lmp-parameter.patch 
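Review bot: Skipping `put_disk(disk)` when `disk_added` is false, in the second inner hunk of bcache_device_free(), may trade the refcount underflow for a leak. If the gendisk allocation (outside this hunk) leaves an initial reference on the object, that reference is never dropped for a device that was never added. Please confirm which reference the unconditional put_disk() was over-dropping before relying on this guard. Separately, the `bool disk_added = ...` line should say why the flag is sampled first, e.g. `/* del_gendisk() clears GENHD_FL_UP, so remember it for put_disk() below */`.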
@@ -0,0 +1,113 @@ +From 121da5b242b6d968dff047d49d3e2c2900f98844 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 May 2020 17:27:04 +0800 +Subject: Bluetooth: Add SCO fallback for invalid LMP parameters error + +From: Hsin-Yu Chao + +[ Upstream commit 56b5453a86203a44726f523b4133c1feca49ce7c ] + +Bluetooth PTS test case HFP/AG/ACC/BI-12-I accepts SCO connection +with invalid parameter at the first SCO request expecting AG to +attempt another SCO request with the use of "safe settings" for +given codec, base on section 5.7.1.2 of HFP 1.7 specification. + +This patch addresses it by adding "Invalid LMP Parameters" (0x1e) +to the SCO fallback case. Verified with below log: + +< HCI Command: Setup Synchronous Connection (0x01|0x0028) plen 17 + Handle: 256 + Transmit bandwidth: 8000 + Receive bandwidth: 8000 + Max latency: 13 + Setting: 0x0003 + Input Coding: Linear + Input Data Format: 1's complement + Input Sample Size: 8-bit + # of bits padding at MSB: 0 + Air Coding Format: Transparent Data + Retransmission effort: Optimize for link quality (0x02) + Packet type: 0x0380 + 3-EV3 may not be used + 2-EV5 may not be used + 3-EV5 may not be used +> HCI Event: Command Status (0x0f) plen 4 + Setup Synchronous Connection (0x01|0x0028) ncmd 1 + Status: Success (0x00) +> HCI Event: Number of Completed Packets (0x13) plen 5 + Num handles: 1 + Handle: 256 + Count: 1 +> HCI Event: Max Slots Change (0x1b) plen 3 + Handle: 256 + Max slots: 1 +> HCI Event: Synchronous Connect Complete (0x2c) plen 17 + Status: Invalid LMP Parameters / Invalid LL Parameters (0x1e) + Handle: 0 + Address: 00:1B:DC:F2:21:59 (OUI 00-1B-DC) + Link type: eSCO (0x02) + Transmission interval: 0x00 + Retransmission window: 0x02 + RX packet length: 0 + TX packet length: 0 + Air mode: Transparent (0x03) +< HCI Command: Setup Synchronous Connection (0x01|0x0028) plen 17 + Handle: 256 + Transmit bandwidth: 8000 + Receive bandwidth: 8000 + Max latency: 8 + Setting: 0x0003 + Input Coding: Linear + Input 
Data Format: 1's complement + Input Sample Size: 8-bit + # of bits padding at MSB: 0 + Air Coding Format: Transparent Data + Retransmission effort: Optimize for link quality (0x02) + Packet type: 0x03c8 + EV3 may be used + 2-EV3 may not be used + 3-EV3 may not be used + 2-EV5 may not be used + 3-EV5 may not be used +> HCI Event: Command Status (0x0f) plen 4 + Setup Synchronous Connection (0x01|0x0028) ncmd 1 + Status: Success (0x00) +> HCI Event: Max Slots Change (0x1b) plen 3 + Handle: 256 + Max slots: 5 +> HCI Event: Max Slots Change (0x1b) plen 3 + Handle: 256 + Max slots: 1 +> HCI Event: Synchronous Connect Complete (0x2c) plen 17 + Status: Success (0x00) + Handle: 257 + Address: 00:1B:DC:F2:21:59 (OUI 00-1B-DC) + Link type: eSCO (0x02) + Transmission interval: 0x06 + Retransmission window: 0x04 + RX packet length: 30 + TX packet length: 30 + Air mode: Transparent (0x03) + +Signed-off-by: Hsin-Yu Chao +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_event.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index 3e7badb3ac2d..a044e6bb12b8 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -4097,6 +4097,7 @@ static void hci_sync_conn_complete_evt(struct hci_dev *hdev, + case 0x11: /* Unsupported Feature or Parameter Value */ + case 0x1c: /* SCO interval rejected */ + case 0x1a: /* Unsupported Remote Feature */ ++ case 0x1e: /* Invalid LMP Parameters */ + case 0x1f: /* Unspecified error */ + case 0x20: /* Unsupported LMP Parameter value */ + if (conn->out) { +-- +2.25.1 + diff --git a/queue-4.19/bluetooth-btbcm-add-2-missing-models-to-subver-table.patch b/queue-4.19/bluetooth-btbcm-add-2-missing-models-to-subver-table.patch new file mode 100644 index 00000000000..dab08f107f4 --- /dev/null +++ b/queue-4.19/bluetooth-btbcm-add-2-missing-models-to-subver-table.patch 
@@ -0,0 +1,54 @@ +From c203ea298417bcef18fd065a2a52944aa263ed4a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Apr 2020 19:15:32 +0200 +Subject: Bluetooth: btbcm: Add 2 missing models to subver tables + +From: Hans de Goede + +[ Upstream commit c03ee9af4e07112bd3fc688daca9e654f41eca93 ] + +Currently the bcm_uart_subver_ and bcm_usb_subver_table-s lack entries +for the BCM4324B5 and BCM20703A1 chipsets. This makes the code use just +"BCM" as prefix for the filename to pass to request-firmware, making it +harder for users to figure out which firmware they need. This especially +is problematic with the UART attached BCM4324B5 where this leads to the +filename being just "BCM.hcd". + +Add the 2 missing devices to subver tables. This has been tested on: + +1. A Dell XPS15 9550 where this makes btbcm.c try to load +"BCM20703A1-0a5c-6410.hcd" before it tries to load "BCM-0a5c-6410.hcd". + +2. A Thinkpad 8 where this makes btbcm.c try to load +"BCM4324B5.hcd" before it tries to load "BCM.hcd" + +Signed-off-by: Hans de Goede +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btbcm.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/bluetooth/btbcm.c b/drivers/bluetooth/btbcm.c +index e3e4d929e74f..ff6203c331ff 100644 +--- a/drivers/bluetooth/btbcm.c ++++ b/drivers/bluetooth/btbcm.c +@@ -324,6 +324,7 @@ static const struct bcm_subver_table bcm_uart_subver_table[] = { + { 0x4103, "BCM4330B1" }, /* 002.001.003 */ + { 0x410e, "BCM43341B0" }, /* 002.001.014 */ + { 0x4406, "BCM4324B3" }, /* 002.004.006 */ ++ { 0x4606, "BCM4324B5" }, /* 002.006.006 */ + { 0x6109, "BCM4335C0" }, /* 003.001.009 */ + { 0x610c, "BCM4354" }, /* 003.001.012 */ + { 0x2122, "BCM4343A0" }, /* 001.001.034 */ +@@ -334,6 +335,7 @@ static const struct bcm_subver_table bcm_uart_subver_table[] = { + }; + + static const struct bcm_subver_table bcm_usb_subver_table[] = { ++ { 0x2105, "BCM20703A1" }, /* 001.001.005 */ + { 0x210b, "BCM43142A0" }, /* 
001.001.011 */ + { 0x2112, "BCM4314A0" }, /* 001.001.018 */ + { 0x2118, "BCM20702A0" }, /* 001.001.024 */ +-- +2.25.1 + diff --git a/queue-4.19/brcmfmac-fix-wrong-location-to-get-firmware-feature.patch b/queue-4.19/brcmfmac-fix-wrong-location-to-get-firmware-feature.patch new file mode 100644 index 00000000000..4f341cf97d8 --- /dev/null +++ b/queue-4.19/brcmfmac-fix-wrong-location-to-get-firmware-feature.patch 
@@ -0,0 +1,45 @@ +From f4ad78f152e6bda172b3c30a9a70d86c6a393467 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Mar 2020 14:25:28 +0900 +Subject: brcmfmac: fix wrong location to get firmware feature + +From: Jaehoon Chung + +[ Upstream commit c57673852062428cdeabdd6501ac8b8e4c302067 ] + +sup_wpa feature is getting after setting feature_disable flag. +If firmware is supported sup_wpa feature, it's always enabled +regardless of feature_disable flag. + +Fixes: b8a64f0e96c2 ("brcmfmac: support 4-way handshake offloading for WPA/WPA2-PSK") +Signed-off-by: Jaehoon Chung +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200330052528.10503-1-jh80.chung@samsung.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c +index 4c5a3995dc35..d7f41caa0b0b 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c +@@ -281,13 +281,14 @@ void brcmf_feat_attach(struct brcmf_pub *drvr) + if (!err) + ifp->drvr->feat_flags |= BIT(BRCMF_FEAT_SCAN_RANDOM_MAC); + ++ brcmf_feat_iovar_int_get(ifp, BRCMF_FEAT_FWSUP, "sup_wpa"); ++ + if (drvr->settings->feature_disable) { + brcmf_dbg(INFO, "Features: 0x%02x, disable: 0x%02x\n", + ifp->drvr->feat_flags, + drvr->settings->feature_disable); + ifp->drvr->feat_flags &= ~drvr->settings->feature_disable; + } +- brcmf_feat_iovar_int_get(ifp, BRCMF_FEAT_FWSUP, "sup_wpa"); + + brcmf_feat_firmware_overrides(drvr); + +-- +2.25.1 + diff --git a/queue-4.19/btrfs-do-not-ignore-error-from-btrfs_next_leaf-when-.patch b/queue-4.19/btrfs-do-not-ignore-error-from-btrfs_next_leaf-when-.patch new file mode 100644 index 00000000000..1a392438f49 --- /dev/null +++ b/queue-4.19/btrfs-do-not-ignore-error-from-btrfs_next_leaf-when-.patch 
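Review bot: The fix in brcmf_feat_attach() depends on an ordering rule that the code does not state: every firmware feature probe must run before `feat_flags &= ~drvr->settings->feature_disable`, otherwise the administrator's disable mask is bypassed, as it was for `sup_wpa`. Nothing stops the next probe from being appended below the block again. I would add a comment directly above `if (drvr->settings->feature_disable) {`, e.g. `/* all firmware feature probes must be above this point so feature_disable can mask them */`. Whether brcmf_feat_firmware_overrides(), which still runs after the mask, can re-enable a disabled bit is not visible in this hunk and is worth a look.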
@@ -0,0 +1,49 @@ +From 9a8810c9b133bc5e2fcf2817e305da4f9ebcc716 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 May 2020 12:15:09 +0100 +Subject: btrfs: do not ignore error from btrfs_next_leaf() when inserting + checksums + +From: Filipe Manana + +[ Upstream commit 7e4a3f7ed5d54926ec671bbb13e171cfe179cc50 ] + +We are currently treating any non-zero return value from btrfs_next_leaf() +the same way, by going to the code that inserts a new checksum item in the +tree. However if btrfs_next_leaf() returns an error (a value < 0), we +should just stop and return the error, and not behave as if nothing has +happened, since in that case we do not have a way to know if there is a +next leaf or we are currently at the last leaf already. + +So fix that by returning the error from btrfs_next_leaf(). + +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/file-item.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/fs/btrfs/file-item.c b/fs/btrfs/file-item.c +index f9e280d0b44f..1b8a04b767ff 100644 +--- a/fs/btrfs/file-item.c ++++ b/fs/btrfs/file-item.c +@@ -785,10 +785,12 @@ again: + nritems = btrfs_header_nritems(path->nodes[0]); + if (!nritems || (path->slots[0] >= nritems - 1)) { + ret = btrfs_next_leaf(root, path); +- if (ret == 1) ++ if (ret < 0) { ++ goto out; ++ } else if (ret > 0) { + found_next = 1; +- if (ret != 0) + goto insert; ++ } + slot = path->slots[0]; + } + btrfs_item_key_to_cpu(path->nodes[0], &found_key, slot); +-- +2.25.1 + diff --git a/queue-4.19/btrfs-qgroup-mark-qgroup-inconsistent-if-we-re-inher.patch b/queue-4.19/btrfs-qgroup-mark-qgroup-inconsistent-if-we-re-inher.patch new file mode 100644 index 00000000000..1fdc192be8c --- /dev/null +++ b/queue-4.19/btrfs-qgroup-mark-qgroup-inconsistent-if-we-re-inher.patch 
@@ -0,0 +1,124 @@ +From 4ef8d6a4d54b41b0f4b4cbf994769ef970b05409 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2020 14:37:35 +0800 +Subject: btrfs: qgroup: mark qgroup inconsistent if we're inherting snapshot + to a new qgroup + +From: Qu Wenruo + +[ Upstream commit cbab8ade585a18c4334b085564d9d046e01a3f70 ] + +[BUG] +For the following operation, qgroup is guaranteed to be screwed up due +to snapshot adding to a new qgroup: + + # mkfs.btrfs -f $dev + # mount $dev $mnt + # btrfs qgroup en $mnt + # btrfs subv create $mnt/src + # xfs_io -f -c "pwrite 0 1m" $mnt/src/file + # sync + # btrfs qgroup create 1/0 $mnt/src + # btrfs subv snapshot -i 1/0 $mnt/src $mnt/snapshot + # btrfs qgroup show -prce $mnt/src + qgroupid rfer excl max_rfer max_excl parent child + -------- ---- ---- -------- -------- ------ ----- + 0/5 16.00KiB 16.00KiB none none --- --- + 0/257 1.02MiB 16.00KiB none none --- --- + 0/258 1.02MiB 16.00KiB none none 1/0 --- + 1/0 0.00B 0.00B none none --- 0/258 + ^^^^^^^^^^^^^^^^^^^^ + +[CAUSE] +The problem is in btrfs_qgroup_inherit(), we don't have good enough +check to determine if the new relation would break the existing +accounting. + +Unlike btrfs_add_qgroup_relation(), which has proper check to determine +if we can do quick update without a rescan, in btrfs_qgroup_inherit() we +can even assign a snapshot to multiple qgroups. + +[FIX] +Fix it by manually marking qgroup inconsistent for snapshot inheritance. + +For subvolume creation, since all its extents are exclusively owned, we +don't need to rescan. + +In theory, we should call relation check like quick_update_accounting() +when doing qgroup inheritance and inform user about qgroup accounting +inconsistency. + +But we don't have good mechanism to relay that back to the user in the +snapshot creation context, thus we can only silently mark the qgroup +inconsistent. 
+ +Anyway, user shouldn't use qgroup inheritance during snapshot creation, +and should add qgroup relationship after snapshot creation by 'btrfs +qgroup assign', which has a much better UI to inform user about qgroup +inconsistent and kick in rescan automatically. + +Reviewed-by: Josef Bacik +Signed-off-by: Qu Wenruo +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/qgroup.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c +index cbd40826f5dc..c8ed4db73b84 100644 +--- a/fs/btrfs/qgroup.c ++++ b/fs/btrfs/qgroup.c +@@ -2259,6 +2259,7 @@ int btrfs_qgroup_inherit(struct btrfs_trans_handle *trans, u64 srcid, + struct btrfs_root *quota_root; + struct btrfs_qgroup *srcgroup; + struct btrfs_qgroup *dstgroup; ++ bool need_rescan = false; + u32 level_size = 0; + u64 nums; + +@@ -2402,6 +2403,13 @@ int btrfs_qgroup_inherit(struct btrfs_trans_handle *trans, u64 srcid, + goto unlock; + } + ++i_qgroups; ++ ++ /* ++ * If we're doing a snapshot, and adding the snapshot to a new ++ * qgroup, the numbers are guaranteed to be incorrect. 
++ */ ++ if (srcid) ++ need_rescan = true; + } + + for (i = 0; i < inherit->num_ref_copies; ++i, i_qgroups += 2) { +@@ -2421,6 +2429,9 @@ int btrfs_qgroup_inherit(struct btrfs_trans_handle *trans, u64 srcid, + + dst->rfer = src->rfer - level_size; + dst->rfer_cmpr = src->rfer_cmpr - level_size; ++ ++ /* Manually tweaking numbers certainly needs a rescan */ ++ need_rescan = true; + } + for (i = 0; i < inherit->num_excl_copies; ++i, i_qgroups += 2) { + struct btrfs_qgroup *src; +@@ -2439,6 +2450,7 @@ int btrfs_qgroup_inherit(struct btrfs_trans_handle *trans, u64 srcid, + + dst->excl = src->excl + level_size; + dst->excl_cmpr = src->excl_cmpr + level_size; ++ need_rescan = true; + } + + unlock: +@@ -2446,6 +2458,8 @@ unlock: + out: + if (!committing) + mutex_unlock(&fs_info->qgroup_ioctl_lock); ++ if (need_rescan) ++ fs_info->qgroup_flags |= BTRFS_QGROUP_STATUS_FLAG_INCONSISTENT; + return ret; + } + +-- +2.25.1 + diff --git a/queue-4.19/clocksource-dw_apb_timer-make-cpu-affiliation-being-.patch b/queue-4.19/clocksource-dw_apb_timer-make-cpu-affiliation-being-.patch new file mode 100644 index 00000000000..ce4ae2c06e1 --- /dev/null +++ b/queue-4.19/clocksource-dw_apb_timer-make-cpu-affiliation-being-.patch 
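Review bot: The new `fs_info->qgroup_flags |= BTRFS_QGROUP_STATUS_FLAG_INCONSISTENT;` at the end of btrfs_qgroup_inherit() is a read-modify-write placed after the `unlock:` label and after `mutex_unlock(&fs_info->qgroup_ioctl_lock)`, so no lock visible in this hunk covers it. If other writers of `qgroup_flags` (outside this hunk) update it under a lock, this update can race with them and lose a bit. Either set the flag before the locks are released or add a comment saying why an unlocked update is safe here. The name `need_rescan` is also slightly misleading, because the code only marks the qgroup inconsistent and schedules no rescan; a comment such as `/* mark inconsistent; the user must trigger the rescan */` would make that clear.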
@@ -0,0 +1,77 @@ +From 8693a742c3af0e38ea937ee33bb8aae4f50f5127 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 May 2020 23:48:13 +0300 +Subject: clocksource: dw_apb_timer: Make CPU-affiliation being optional + +From: Serge Semin + +[ Upstream commit cee43dbf2ee3f430434e2b66994eff8a1aeda889 ] + +Currently the DW APB Timer driver binds each clockevent timers to a +particular CPU. This isn't good for multiple reasons. First of all seeing +the device is placed on APB bus (which makes it accessible from any CPU +core), accessible over MMIO and having the DYNIRQ flag set we can be sure +that manually binding the timer to any CPU just isn't correct. By doing +so we just set an extra limitation on device usage. This also doesn't +reflect the device actual capability, since by setting the IRQ affinity +we can make it virtually local to any CPU. Secondly imagine if you had a +real CPU-local timer with the same rating and the same CPU-affinity. +In this case if DW APB timer was registered first, then due to the +clockevent framework tick-timer selection procedure we'll end up with the +real CPU-local timer being left unselected for clock-events tracking. But +on most of the platforms (MIPS/ARM/etc) such timers are normally embedded +into the CPU core and are accessible with much better performance then +devices placed on APB. For instance in MIPS architectures there is +r4k-timer, which is CPU-local, assigned with the same rating, and normally +its clockevent device is registered after the platform-specific one. + +So in order to fix all of these issues let's make the DW APB Timer CPU +affinity being optional and deactivated by passing a negative CPU id, +which will effectively set the DW APB clockevent timer cpumask to +'cpu_possible_mask'. 
+ +Signed-off-by: Serge Semin +Cc: Alexey Malahov +Cc: Thomas Bogendoerfer +Cc: Paul Burton +Cc: Ralf Baechle +Cc: Alessandro Zummo +Cc: Alexandre Belloni +Cc: Arnd Bergmann +Cc: Rob Herring +Cc: linux-mips@vger.kernel.org +Cc: linux-rtc@vger.kernel.org +Cc: devicetree@vger.kernel.org +Signed-off-by: Daniel Lezcano +Link: https://lore.kernel.org/r/20200521204818.25436-5-Sergey.Semin@baikalelectronics.ru +Signed-off-by: Sasha Levin +--- + drivers/clocksource/dw_apb_timer.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/clocksource/dw_apb_timer.c b/drivers/clocksource/dw_apb_timer.c +index 1f5f734e4919..a018199575e3 100644 +--- a/drivers/clocksource/dw_apb_timer.c ++++ b/drivers/clocksource/dw_apb_timer.c +@@ -225,7 +225,8 @@ static int apbt_next_event(unsigned long delta, + /** + * dw_apb_clockevent_init() - use an APB timer as a clock_event_device + * +- * @cpu: The CPU the events will be targeted at. ++ * @cpu: The CPU the events will be targeted at or -1 if CPU affiliation ++ * isn't required. + * @name: The name used for the timer and the IRQ for it. + * @rating: The rating to give the timer. + * @base: I/O base for the timer registers. +@@ -260,7 +261,7 @@ dw_apb_clockevent_init(int cpu, const char *name, unsigned rating, + dw_ced->ced.max_delta_ticks = 0x7fffffff; + dw_ced->ced.min_delta_ns = clockevent_delta2ns(5000, &dw_ced->ced); + dw_ced->ced.min_delta_ticks = 5000; +- dw_ced->ced.cpumask = cpumask_of(cpu); ++ dw_ced->ced.cpumask = cpu < 0 ? cpu_possible_mask : cpumask_of(cpu); + dw_ced->ced.features = CLOCK_EVT_FEAT_PERIODIC | + CLOCK_EVT_FEAT_ONESHOT | CLOCK_EVT_FEAT_DYNIRQ; + dw_ced->ced.set_state_shutdown = apbt_shutdown; +-- +2.25.1 + diff --git a/queue-4.19/clocksource-dw_apb_timer_of-fix-missing-clockevent-t.patch b/queue-4.19/clocksource-dw_apb_timer_of-fix-missing-clockevent-t.patch new file mode 100644 index 00000000000..71965b93b46 --- /dev/null 
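Review bot: The updated kernel-doc for dw_apb_clockevent_init() says `-1` disables CPU affiliation, but the code tests `cpu < 0`, so every negative value selects `cpu_possible_mask`. The comment should match the check, e.g. ` * @cpu: The CPU the events will be targeted at, or a negative value if CPU affiliation isn't required.` A non-negative `cpu` is still passed to `cpumask_of()` without a range check in the lines shown; the rest of the function is outside this hunk, so whether callers guarantee a valid id cannot be confirmed here.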
+++ b/queue-4.19/clocksource-dw_apb_timer_of-fix-missing-clockevent-t.patch 
@@ -0,0 +1,74 @@ +From da4be9588c799db4cb9503c284f2d10126dfd6d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 May 2020 23:48:15 +0300 +Subject: clocksource: dw_apb_timer_of: Fix missing clockevent timers + +From: Serge Semin + +[ Upstream commit 6d2e16a3181bafb77b535095c39ad1c8b9558c8c ] + +Commit 100214889973 ("clocksource: dw_apb_timer_of: use +clocksource_of_init") replaced a publicly available driver +initialization method with one called by the timer_probe() method +available after CLKSRC_OF. In current implementation it traverses +all the timers available in the system and calls their initialization +methods if corresponding devices were either in dtb or in acpi. But +if before the commit any number of available timers would be installed +as clockevent and clocksource devices, after that there would be at most +two. The rest are just ignored since default case branch doesn't do +anything. I don't see a reason of such behaviour, neither the commit +message explains it. Moreover this might be wrong if on some platforms +these timers might be used for different purpose, as virtually CPU-local +clockevent timers and as an independent broadcast timer. So in order +to keep the compatibility with the platforms where the order of the +timers detection has some meaning, lets add the secondly discovered +timer to be of clocksource/sched_clock type, while the very first and +the others would provide the clockevents service. 
+ +Fixes: 100214889973 ("clocksource: dw_apb_timer_of: use clocksource_of_init") +Signed-off-by: Serge Semin +Cc: Alexey Malahov +Cc: Thomas Bogendoerfer +Cc: Paul Burton +Cc: Ralf Baechle +Cc: Alessandro Zummo +Cc: Alexandre Belloni +Cc: Arnd Bergmann +Cc: Rob Herring +Cc: linux-mips@vger.kernel.org +Cc: linux-rtc@vger.kernel.org +Cc: devicetree@vger.kernel.org +Signed-off-by: Daniel Lezcano +Link: https://lore.kernel.org/r/20200521204818.25436-7-Sergey.Semin@baikalelectronics.ru +Signed-off-by: Sasha Levin +--- + drivers/clocksource/dw_apb_timer_of.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/clocksource/dw_apb_timer_of.c b/drivers/clocksource/dw_apb_timer_of.c +index 69866cd8f4bb..3e4d0e5733d3 100644 +--- a/drivers/clocksource/dw_apb_timer_of.c ++++ b/drivers/clocksource/dw_apb_timer_of.c +@@ -146,10 +146,6 @@ static int num_called; + static int __init dw_apb_timer_init(struct device_node *timer) + { + switch (num_called) { +- case 0: +- pr_debug("%s: found clockevent timer\n", __func__); +- add_clockevent(timer); +- break; + case 1: + pr_debug("%s: found clocksource timer\n", __func__); + add_clocksource(timer); +@@ -160,6 +156,8 @@ static int __init dw_apb_timer_init(struct device_node *timer) + #endif + break; + default: ++ pr_debug("%s: found clockevent timer\n", __func__); ++ add_clockevent(timer); + break; + } + +-- +2.25.1 + diff --git a/queue-4.19/cpuidle-fix-three-reference-count-leaks.patch b/queue-4.19/cpuidle-fix-three-reference-count-leaks.patch new file mode 100644 index 00000000000..5df5ddb33a4 --- /dev/null +++ b/queue-4.19/cpuidle-fix-three-reference-count-leaks.patch 
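Review bot: After this change the `default:` branch of the switch in dw_apb_timer_init() handles both the first timer (`num_called == 0`) and every timer after the second, which is not obvious from a `switch` that names only `case 1:`. A comment on the label would document the intent from the commit message, e.g. `default: /* first timer and all timers after the second are clockevents */`. The increment of `num_called` and the return value of `add_clockevent()` are outside this hunk, so whether a failed registration is reported for the additional timers cannot be judged from here.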
@@ -0,0 +1,57 @@ +From 4cfe13130a59ad533b0a1b318d4c6a49db406b53 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 May 2020 13:20:46 -0500 +Subject: cpuidle: Fix three reference count leaks + +From: Qiushi Wu + +[ Upstream commit c343bf1ba5efcbf2266a1fe3baefec9cc82f867f ] + +kobject_init_and_add() takes reference even when it fails. +If this function returns an error, kobject_put() must be called to +properly clean up the memory associated with the object. + +Previous commit "b8eb718348b8" fixed a similar problem. + +Signed-off-by: Qiushi Wu +[ rjw: Subject ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpuidle/sysfs.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/cpuidle/sysfs.c b/drivers/cpuidle/sysfs.c +index e754c7aae7f7..66979dc33680 100644 +--- a/drivers/cpuidle/sysfs.c ++++ b/drivers/cpuidle/sysfs.c +@@ -467,7 +467,7 @@ static int cpuidle_add_state_sysfs(struct cpuidle_device *device) + ret = kobject_init_and_add(&kobj->kobj, &ktype_state_cpuidle, + &kdev->kobj, "state%d", i); + if (ret) { +- kfree(kobj); ++ kobject_put(&kobj->kobj); + goto error_state; + } + cpuidle_add_s2idle_attr_group(kobj); +@@ -598,7 +598,7 @@ static int cpuidle_add_driver_sysfs(struct cpuidle_device *dev) + ret = kobject_init_and_add(&kdrv->kobj, &ktype_driver_cpuidle, + &kdev->kobj, "driver"); + if (ret) { +- kfree(kdrv); ++ kobject_put(&kdrv->kobj); + return ret; + } + +@@ -692,7 +692,7 @@ int cpuidle_add_sysfs(struct cpuidle_device *dev) + error = kobject_init_and_add(&kdev->kobj, &ktype_cpuidle, &cpu_dev->kobj, + "cpuidle"); + if (error) { +- kfree(kdev); ++ kobject_put(&kdev->kobj); + return error; + } + +-- +2.25.1 + diff --git a/queue-4.19/crypto-ccp-don-t-select-config_dmadevices.patch b/queue-4.19/crypto-ccp-don-t-select-config_dmadevices.patch new file mode 100644 index 00000000000..d159b5ad305 --- /dev/null +++ b/queue-4.19/crypto-ccp-don-t-select-config_dmadevices.patch 
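Review bot: Replacing `kfree()` with `kobject_put()` in the three error branches (cpuidle_add_state_sysfs, cpuidle_add_driver_sysfs, cpuidle_add_sysfs) only frees the memory if the release handlers of `ktype_state_cpuidle`, `ktype_driver_cpuidle` and `ktype_cpuidle` free the containing object. Those handlers are outside this hunk. If they only signal a completion for the normal teardown path to wait on, the allocation is now leaked on every failed kobject_init_and_add(). Please check the release callbacks; in that case each branch needs the put followed by the free, e.g. `kobject_put(&kobj->kobj); kfree(kobj);`.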
@@ -0,0 +1,59 @@ +From 604d69f1c96bb8d4f56c938256307a8209db72e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Apr 2020 18:26:48 +0200 +Subject: crypto: ccp -- don't "select" CONFIG_DMADEVICES + +From: Arnd Bergmann + +[ Upstream commit eebac678556d6927f09a992872f4464cf3aecc76 ] + +DMADEVICES is the top-level option for the slave DMA +subsystem, and should not be selected by device drivers, +as this can cause circular dependencies such as: + +drivers/net/ethernet/freescale/Kconfig:6:error: recursive dependency detected! +drivers/net/ethernet/freescale/Kconfig:6: symbol NET_VENDOR_FREESCALE depends on PPC_BESTCOMM +drivers/dma/bestcomm/Kconfig:6: symbol PPC_BESTCOMM depends on DMADEVICES +drivers/dma/Kconfig:6: symbol DMADEVICES is selected by CRYPTO_DEV_SP_CCP +drivers/crypto/ccp/Kconfig:10: symbol CRYPTO_DEV_SP_CCP depends on CRYPTO +crypto/Kconfig:16: symbol CRYPTO is selected by LIBCRC32C +lib/Kconfig:222: symbol LIBCRC32C is selected by LIQUIDIO +drivers/net/ethernet/cavium/Kconfig:65: symbol LIQUIDIO depends on PTP_1588_CLOCK +drivers/ptp/Kconfig:8: symbol PTP_1588_CLOCK is implied by FEC +drivers/net/ethernet/freescale/Kconfig:23: symbol FEC depends on NET_VENDOR_FREESCALE + +The LIQUIDIO driver causing this problem is addressed in a +separate patch, but this change is needed to prevent it from +happening again. + +Using "depends on DMADEVICES" is what we do for all other +implementations of slave DMA controllers as well. 
+ +Fixes: b3c2fee5d66b ("crypto: ccp - Ensure all dependencies are specified") +Signed-off-by: Arnd Bergmann +Acked-by: Tom Lendacky +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/ccp/Kconfig | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/crypto/ccp/Kconfig b/drivers/crypto/ccp/Kconfig +index b9dfae47aefd..7f5fc705503d 100644 +--- a/drivers/crypto/ccp/Kconfig ++++ b/drivers/crypto/ccp/Kconfig +@@ -9,10 +9,9 @@ config CRYPTO_DEV_CCP_DD + config CRYPTO_DEV_SP_CCP + bool "Cryptographic Coprocessor device" + default y +- depends on CRYPTO_DEV_CCP_DD ++ depends on CRYPTO_DEV_CCP_DD && DMADEVICES + select HW_RANDOM + select DMA_ENGINE +- select DMADEVICES + select CRYPTO_SHA1 + select CRYPTO_SHA256 + help +-- +2.25.1 + diff --git a/queue-4.19/crypto-chcr-fix-for-ccm-aes-failed-test.patch b/queue-4.19/crypto-chcr-fix-for-ccm-aes-failed-test.patch new file mode 100644 index 00000000000..7b4f83d3796 --- /dev/null +++ b/queue-4.19/crypto-chcr-fix-for-ccm-aes-failed-test.patch 
@@ -0,0 +1,39 @@
+From f673733e3c3b8ff49f8da89d32d881c28199722c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 5 May 2020 08:42:55 +0530
+Subject: Crypto/chcr: fix for ccm(aes) failed test
+
+From: Devulapally Shiva Krishna
+
+[ Upstream commit 10b0c75d7bc19606fa9a62c8ab9180e95c0e0385 ]
+
+The ccm(aes) test fails when req->assoclen > ~240bytes.
+
+The problem is the value assigned to auth_offset is wrong.
+As auth_offset is unsigned char, it can take max value as 255.
+So fix it by making it unsigned int.
+
+Signed-off-by: Ayush Sawal
+Signed-off-by: Devulapally Shiva Krishna
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/crypto/chelsio/chcr_algo.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/chelsio/chcr_algo.c b/drivers/crypto/chelsio/chcr_algo.c
+index c435f89f34e3..9b3c259f081d 100644
+--- a/drivers/crypto/chelsio/chcr_algo.c
++++ b/drivers/crypto/chelsio/chcr_algo.c
+@@ -2764,7 +2764,7 @@ static void fill_sec_cpl_for_aead(struct cpl_tx_sec_pdu *sec_cpl,
+ unsigned int mac_mode = CHCR_SCMD_AUTH_MODE_CBCMAC;
+ unsigned int c_id = a_ctx(tfm)->dev->rx_channel_id;
+ unsigned int ccm_xtra;
+- unsigned char tag_offset = 0, auth_offset = 0;
++ unsigned int tag_offset = 0, auth_offset = 0;
+ unsigned int assoclen;
+
+ if (get_aead_subtype(tfm) == CRYPTO_ALG_SUB_TYPE_AEAD_RFC4309)
+--
+2.25.1
+
diff --git a/queue-4.19/crypto-stm32-crc32-fix-ext4-chksum-bug_on.patch b/queue-4.19/crypto-stm32-crc32-fix-ext4-chksum-bug_on.patch
new file mode 100644
index 00000000000..6208f473369
--- /dev/null
+++ b/queue-4.19/crypto-stm32-crc32-fix-ext4-chksum-bug_on.patch
@@ -0,0 +1,183 @@ +From 61ca1eb1ea47efc3a3dc3174168d8111ec3ee545 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 May 2020 16:11:09 +0200 +Subject: crypto: stm32/crc32 - fix ext4 chksum BUG_ON() + +From: Nicolas Toromanoff + +[ Upstream commit 49c2c082e00e0bc4f5cbb7c21c7f0f873b35ab09 ] + +Allow use of crc_update without prior call to crc_init. +And change (and fix) driver to use CRC device even on unaligned buffers. + +Fixes: b51dbe90912a ("crypto: stm32 - Support for STM32 CRC32 crypto module") + +Signed-off-by: Nicolas Toromanoff +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/stm32/stm32_crc32.c | 98 +++++++++++++++--------------- + 1 file changed, 48 insertions(+), 50 deletions(-) + +diff --git a/drivers/crypto/stm32/stm32_crc32.c b/drivers/crypto/stm32/stm32_crc32.c +index 29d2095d9dfd..749b51762b18 100644 +--- a/drivers/crypto/stm32/stm32_crc32.c ++++ b/drivers/crypto/stm32/stm32_crc32.c +@@ -28,8 +28,10 @@ + + /* Registers values */ + #define CRC_CR_RESET BIT(0) +-#define CRC_CR_REVERSE (BIT(7) | BIT(6) | BIT(5)) + #define CRC_INIT_DEFAULT 0xFFFFFFFF ++#define CRC_CR_REV_IN_WORD (BIT(6) | BIT(5)) ++#define CRC_CR_REV_IN_BYTE BIT(5) ++#define CRC_CR_REV_OUT BIT(7) + + #define CRC_AUTOSUSPEND_DELAY 50 + +@@ -38,8 +40,6 @@ struct stm32_crc { + struct device *dev; + void __iomem *regs; + struct clk *clk; +- u8 pending_data[sizeof(u32)]; +- size_t nb_pending_bytes; + }; + + struct stm32_crc_list { +@@ -59,7 +59,6 @@ struct stm32_crc_ctx { + + struct stm32_crc_desc_ctx { + u32 partial; /* crc32c: partial in first 4 bytes of that struct */ +- struct stm32_crc *crc; + }; + + static int stm32_crc32_cra_init(struct crypto_tfm *tfm) +@@ -101,25 +100,22 @@ static int stm32_crc_init(struct shash_desc *desc) + struct stm32_crc *crc; + + spin_lock_bh(&crc_list.lock); +- list_for_each_entry(crc, &crc_list.dev_list, list) { +- ctx->crc = crc; +- break; +- } ++ crc = list_first_entry(&crc_list.dev_list, struct stm32_crc, list); + 
spin_unlock_bh(&crc_list.lock); + +- pm_runtime_get_sync(ctx->crc->dev); ++ pm_runtime_get_sync(crc->dev); + + /* Reset, set key, poly and configure in bit reverse mode */ +- writel_relaxed(bitrev32(mctx->key), ctx->crc->regs + CRC_INIT); +- writel_relaxed(bitrev32(mctx->poly), ctx->crc->regs + CRC_POL); +- writel_relaxed(CRC_CR_RESET | CRC_CR_REVERSE, ctx->crc->regs + CRC_CR); ++ writel_relaxed(bitrev32(mctx->key), crc->regs + CRC_INIT); ++ writel_relaxed(bitrev32(mctx->poly), crc->regs + CRC_POL); ++ writel_relaxed(CRC_CR_RESET | CRC_CR_REV_IN_WORD | CRC_CR_REV_OUT, ++ crc->regs + CRC_CR); + + /* Store partial result */ +- ctx->partial = readl_relaxed(ctx->crc->regs + CRC_DR); +- ctx->crc->nb_pending_bytes = 0; ++ ctx->partial = readl_relaxed(crc->regs + CRC_DR); + +- pm_runtime_mark_last_busy(ctx->crc->dev); +- pm_runtime_put_autosuspend(ctx->crc->dev); ++ pm_runtime_mark_last_busy(crc->dev); ++ pm_runtime_put_autosuspend(crc->dev); + + return 0; + } +@@ -128,31 +124,49 @@ static int stm32_crc_update(struct shash_desc *desc, const u8 *d8, + unsigned int length) + { + struct stm32_crc_desc_ctx *ctx = shash_desc_ctx(desc); +- struct stm32_crc *crc = ctx->crc; +- u32 *d32; +- unsigned int i; ++ struct stm32_crc_ctx *mctx = crypto_shash_ctx(desc->tfm); ++ struct stm32_crc *crc; ++ ++ spin_lock_bh(&crc_list.lock); ++ crc = list_first_entry(&crc_list.dev_list, struct stm32_crc, list); ++ spin_unlock_bh(&crc_list.lock); + + pm_runtime_get_sync(crc->dev); + +- if (unlikely(crc->nb_pending_bytes)) { +- while (crc->nb_pending_bytes != sizeof(u32) && length) { +- /* Fill in pending data */ +- crc->pending_data[crc->nb_pending_bytes++] = *(d8++); ++ /* ++ * Restore previously calculated CRC for this context as init value ++ * Restore polynomial configuration ++ * Configure in register for word input data, ++ * Configure out register in reversed bit mode data. 
++ */ ++ writel_relaxed(bitrev32(ctx->partial), crc->regs + CRC_INIT); ++ writel_relaxed(bitrev32(mctx->poly), crc->regs + CRC_POL); ++ writel_relaxed(CRC_CR_RESET | CRC_CR_REV_IN_WORD | CRC_CR_REV_OUT, ++ crc->regs + CRC_CR); ++ ++ if (d8 != PTR_ALIGN(d8, sizeof(u32))) { ++ /* Configure for byte data */ ++ writel_relaxed(CRC_CR_REV_IN_BYTE | CRC_CR_REV_OUT, ++ crc->regs + CRC_CR); ++ while (d8 != PTR_ALIGN(d8, sizeof(u32)) && length) { ++ writeb_relaxed(*d8++, crc->regs + CRC_DR); + length--; + } +- +- if (crc->nb_pending_bytes == sizeof(u32)) { +- /* Process completed pending data */ +- writel_relaxed(*(u32 *)crc->pending_data, +- crc->regs + CRC_DR); +- crc->nb_pending_bytes = 0; +- } ++ /* Configure for word data */ ++ writel_relaxed(CRC_CR_REV_IN_WORD | CRC_CR_REV_OUT, ++ crc->regs + CRC_CR); + } + +- d32 = (u32 *)d8; +- for (i = 0; i < length >> 2; i++) +- /* Process 32 bits data */ +- writel_relaxed(*(d32++), crc->regs + CRC_DR); ++ for (; length >= sizeof(u32); d8 += sizeof(u32), length -= sizeof(u32)) ++ writel_relaxed(*((u32 *)d8), crc->regs + CRC_DR); ++ ++ if (length) { ++ /* Configure for byte data */ ++ writel_relaxed(CRC_CR_REV_IN_BYTE | CRC_CR_REV_OUT, ++ crc->regs + CRC_CR); ++ while (length--) ++ writeb_relaxed(*d8++, crc->regs + CRC_DR); ++ } + + /* Store partial result */ + ctx->partial = readl_relaxed(crc->regs + CRC_DR); +@@ -160,22 +174,6 @@ static int stm32_crc_update(struct shash_desc *desc, const u8 *d8, + pm_runtime_mark_last_busy(crc->dev); + pm_runtime_put_autosuspend(crc->dev); + +- /* Check for pending data (non 32 bits) */ +- length &= 3; +- if (likely(!length)) +- return 0; +- +- if ((crc->nb_pending_bytes + length) >= sizeof(u32)) { +- /* Shall not happen */ +- dev_err(crc->dev, "Pending data overflow\n"); +- return -EINVAL; +- } +- +- d8 = (const u8 *)d32; +- for (i = 0; i < length; i++) +- /* Store pending data */ +- crc->pending_data[crc->nb_pending_bytes++] = *(d8++); +- + return 0; + } + +-- +2.25.1 + 
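Review bot: In the new `stm32_crc_update()`, `crc_list.lock` is dropped right after the device lookup, so the `CRC_INIT`/`CRC_POL`/`CRC_CR` reload and the following `CRC_DR` writes and read-back run with nothing serializing access to the device. Because every update now restores `ctx->partial` into the shared hardware and reads the result back, two descriptors updating at the same time would, as far as these lines show, interleave register writes and store a wrong partial CRC. The same applies to the register sequence in `stm32_crc_init()`. A per-device lock held from the first `writel_relaxed()` to `readl_relaxed(crc->regs + CRC_DR)` would close that window, unless callers are already serialized somewhere outside this hunk.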
diff --git a/queue-4.19/crypto-stm32-crc32-fix-multi-instance.patch b/queue-4.19/crypto-stm32-crc32-fix-multi-instance.patch new file mode 100644 index 00000000000..9885ffb7784 --- /dev/null +++ b/queue-4.19/crypto-stm32-crc32-fix-multi-instance.patch 
@@ -0,0 +1,122 @@ +From b3359f834b65fcbec078db514952f10ea55a7d88 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 May 2020 16:11:11 +0200 +Subject: crypto: stm32/crc32 - fix multi-instance + +From: Nicolas Toromanoff + +[ Upstream commit 10b89c43a64eb0d236903b79a3bc9d8f6cbfd9c7 ] + +Ensure CRC algorithm is registered only once in crypto framework when +there are several instances of CRC devices. + +Update the CRC device list management to avoid that only the first CRC +instance is used. + +Fixes: b51dbe90912a ("crypto: stm32 - Support for STM32 CRC32 crypto module") + +Signed-off-by: Nicolas Toromanoff +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/stm32/stm32_crc32.c | 48 ++++++++++++++++++++++-------- + 1 file changed, 36 insertions(+), 12 deletions(-) + +diff --git a/drivers/crypto/stm32/stm32_crc32.c b/drivers/crypto/stm32/stm32_crc32.c +index c5ad83ad2f72..47d31335c2d4 100644 +--- a/drivers/crypto/stm32/stm32_crc32.c ++++ b/drivers/crypto/stm32/stm32_crc32.c +@@ -93,16 +93,29 @@ static int stm32_crc_setkey(struct crypto_shash *tfm, const u8 *key, + return 0; + } + +-static int stm32_crc_init(struct shash_desc *desc) ++static struct stm32_crc *stm32_crc_get_next_crc(void) + { +- struct stm32_crc_desc_ctx *ctx = shash_desc_ctx(desc); +- struct stm32_crc_ctx *mctx = crypto_shash_ctx(desc->tfm); + struct stm32_crc *crc; + + spin_lock_bh(&crc_list.lock); + crc = list_first_entry(&crc_list.dev_list, struct stm32_crc, list); ++ if (crc) ++ list_move_tail(&crc->list, &crc_list.dev_list); + spin_unlock_bh(&crc_list.lock); + ++ return crc; ++} ++ ++static int stm32_crc_init(struct shash_desc *desc) ++{ ++ struct stm32_crc_desc_ctx *ctx = shash_desc_ctx(desc); ++ struct stm32_crc_ctx *mctx = crypto_shash_ctx(desc->tfm); ++ struct stm32_crc *crc; ++ ++ crc = stm32_crc_get_next_crc(); ++ if (!crc) ++ return -ENODEV; ++ + pm_runtime_get_sync(crc->dev); + + /* Reset, set key, poly and configure in bit reverse mode */ +@@ -127,9 +140,9 
@@ static int stm32_crc_update(struct shash_desc *desc, const u8 *d8, + struct stm32_crc_ctx *mctx = crypto_shash_ctx(desc->tfm); + struct stm32_crc *crc; + +- spin_lock_bh(&crc_list.lock); +- crc = list_first_entry(&crc_list.dev_list, struct stm32_crc, list); +- spin_unlock_bh(&crc_list.lock); ++ crc = stm32_crc_get_next_crc(); ++ if (!crc) ++ return -ENODEV; + + pm_runtime_get_sync(crc->dev); + +@@ -202,6 +215,8 @@ static int stm32_crc_digest(struct shash_desc *desc, const u8 *data, + return stm32_crc_init(desc) ?: stm32_crc_finup(desc, data, length, out); + } + ++static unsigned int refcnt; ++static DEFINE_MUTEX(refcnt_lock); + static struct shash_alg algs[] = { + /* CRC-32 */ + { +@@ -294,12 +309,18 @@ static int stm32_crc_probe(struct platform_device *pdev) + list_add(&crc->list, &crc_list.dev_list); + spin_unlock(&crc_list.lock); + +- ret = crypto_register_shashes(algs, ARRAY_SIZE(algs)); +- if (ret) { +- dev_err(dev, "Failed to register\n"); +- clk_disable_unprepare(crc->clk); +- return ret; ++ mutex_lock(&refcnt_lock); ++ if (!refcnt) { ++ ret = crypto_register_shashes(algs, ARRAY_SIZE(algs)); ++ if (ret) { ++ mutex_unlock(&refcnt_lock); ++ dev_err(dev, "Failed to register\n"); ++ clk_disable_unprepare(crc->clk); ++ return ret; ++ } + } ++ refcnt++; ++ mutex_unlock(&refcnt_lock); + + dev_info(dev, "Initialized\n"); + +@@ -320,7 +341,10 @@ static int stm32_crc_remove(struct platform_device *pdev) + list_del(&crc->list); + spin_unlock(&crc_list.lock); + +- crypto_unregister_shashes(algs, ARRAY_SIZE(algs)); ++ mutex_lock(&refcnt_lock); ++ if (!--refcnt) ++ crypto_unregister_shashes(algs, ARRAY_SIZE(algs)); ++ mutex_unlock(&refcnt_lock); + + pm_runtime_disable(crc->dev); + pm_runtime_put_noidle(crc->dev); +-- +2.25.1 + diff --git a/queue-4.19/crypto-stm32-crc32-fix-run-time-self-test-issue.patch b/queue-4.19/crypto-stm32-crc32-fix-run-time-self-test-issue.patch new file mode 100644 index 00000000000..062ce773f89 --- /dev/null 
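Review bot: The `if (crc)` test in `stm32_crc_get_next_crc()` and the `if (!crc) return -ENODEV;` checks in `stm32_crc_init()` and `stm32_crc_update()` can never fire. `list_first_entry()` does not return NULL on an empty list; it returns a pointer computed from the list head itself. With no device registered the code would go on to `list_move_tail()` and `pm_runtime_get_sync(crc->dev)` on that bogus pointer. Use `crc = list_first_entry_or_null(&crc_list.dev_list, struct stm32_crc, list);` so the -ENODEV path is reachable. In `stm32_crc_probe()` the visible error path after a failed `crypto_register_shashes()` also returns without `list_del(&crc->list)`, leaving the device on `crc_list`; the rest of probe is outside the hunk, so check whether that is undone elsewhere.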
+++ b/queue-4.19/crypto-stm32-crc32-fix-run-time-self-test-issue.patch @@ -0,0 +1,61 @@ +From b0f88751d8a08d7bf93ae9596f5b391e5868dd31 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 May 2020 16:11:10 +0200 +Subject: crypto: stm32/crc32 - fix run-time self test issue. + +From: Nicolas Toromanoff + +[ Upstream commit a8cc3128bf2c01c4d448fe17149e87132113b445 ] + +Fix wrong crc32 initialisation value: +"alg: shash: stm32_crc32 test failed (wrong result) on test vector 0, +cfg="init+update+final aligned buffer" +cra_name="crc32c" expects an init value of 0XFFFFFFFF, +cra_name="crc32" expects an init value of 0. + +Fixes: b51dbe90912a ("crypto: stm32 - Support for STM32 CRC32 crypto module") + +Signed-off-by: Nicolas Toromanoff +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/stm32/stm32_crc32.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/crypto/stm32/stm32_crc32.c b/drivers/crypto/stm32/stm32_crc32.c +index 749b51762b18..c5ad83ad2f72 100644 +--- a/drivers/crypto/stm32/stm32_crc32.c ++++ b/drivers/crypto/stm32/stm32_crc32.c +@@ -28,10 +28,10 @@ + + /* Registers values */ + #define CRC_CR_RESET BIT(0) +-#define CRC_INIT_DEFAULT 0xFFFFFFFF + #define CRC_CR_REV_IN_WORD (BIT(6) | BIT(5)) + #define CRC_CR_REV_IN_BYTE BIT(5) + #define CRC_CR_REV_OUT BIT(7) ++#define CRC32C_INIT_DEFAULT 0xFFFFFFFF + + #define CRC_AUTOSUSPEND_DELAY 50 + +@@ -65,7 +65,7 @@ static int stm32_crc32_cra_init(struct crypto_tfm *tfm) + { + struct stm32_crc_ctx *mctx = crypto_tfm_ctx(tfm); + +- mctx->key = CRC_INIT_DEFAULT; ++ mctx->key = 0; + mctx->poly = CRC32_POLY_LE; + return 0; + } +@@ -74,7 +74,7 @@ static int stm32_crc32c_cra_init(struct crypto_tfm *tfm) + { + struct stm32_crc_ctx *mctx = crypto_tfm_ctx(tfm); + +- mctx->key = CRC_INIT_DEFAULT; ++ mctx->key = CRC32C_INIT_DEFAULT; + mctx->poly = CRC32C_POLY_LE; + return 0; + } +-- +2.25.1 + 
diff --git a/queue-4.19/drivers-perf-hisi-fix-typo-in-events-attribute-array.patch b/queue-4.19/drivers-perf-hisi-fix-typo-in-events-attribute-array.patch
new file mode 100644
index 00000000000..7b3c3316464
--- /dev/null
+++ b/queue-4.19/drivers-perf-hisi-fix-typo-in-events-attribute-array.patch
@@ -0,0 +1,38 @@
+From d4304cbc3d39f5620ce916f11a5138be7013afd3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 23 Apr 2020 20:05:30 +0800
+Subject: drivers/perf: hisi: Fix typo in events attribute array
+
+From: Shaokun Zhang
+
+[ Upstream commit 88562f06ebf56587788783e5420f25fde3ca36c8 ]
+
+Fix up one typo: wr_dr_64b -> wr_ddr_64b.
+
+Fixes: 2bab3cf9104c ("perf: hisi: Add support for HiSilicon SoC HHA PMU driver")
+Signed-off-by: Shaokun Zhang
+Cc: Will Deacon
+Cc: Mark Rutland
+Link: https://lore.kernel.org/r/1587643530-34357-1-git-send-email-zhangshaokun@hisilicon.com
+Signed-off-by: Will Deacon
+Signed-off-by: Sasha Levin
+---
+ drivers/perf/hisilicon/hisi_uncore_hha_pmu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/perf/hisilicon/hisi_uncore_hha_pmu.c b/drivers/perf/hisilicon/hisi_uncore_hha_pmu.c
+index 443906e0aff3..0393c4471227 100644
+--- a/drivers/perf/hisilicon/hisi_uncore_hha_pmu.c
++++ b/drivers/perf/hisilicon/hisi_uncore_hha_pmu.c
+@@ -290,7 +290,7 @@ static struct attribute *hisi_hha_pmu_events_attr[] = {
+ HISI_PMU_EVENT_ATTR(rx_wbip, 0x05),
+ HISI_PMU_EVENT_ATTR(rx_wtistash, 0x11),
+ HISI_PMU_EVENT_ATTR(rd_ddr_64b, 0x1c),
+- HISI_PMU_EVENT_ATTR(wr_dr_64b, 0x1d),
++ HISI_PMU_EVENT_ATTR(wr_ddr_64b, 0x1d),
+ HISI_PMU_EVENT_ATTR(rd_ddr_128b, 0x1e),
+ HISI_PMU_EVENT_ATTR(wr_ddr_128b, 0x1f),
+ HISI_PMU_EVENT_ATTR(spill_num, 0x20),
+--
+2.25.1
+
diff --git a/queue-4.19/drm-bridge-adv7511-extend-list-of-audio-sample-rates.patch b/queue-4.19/drm-bridge-adv7511-extend-list-of-audio-sample-rates.patch
new file mode 100644
index 00000000000..2c848b8226b
--- /dev/null
+++ b/queue-4.19/drm-bridge-adv7511-extend-list-of-audio-sample-rates.patch
@@ -0,0 +1,50 @@
+From a0de38e3802e5749f3aac391fe80e2406fe41295 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 13 Apr 2020 14:35:08 +0300
+Subject: drm: bridge: adv7511: Extend list of audio sample rates
+
+From: Bogdan Togorean
+
+[ Upstream commit b97b6a1f6e14a25d1e1ca2a46c5fa3e2ca374e22 ]
+
+ADV7511 support sample rates up to 192kHz. CTS and N parameters should
+be computed accordingly so this commit extend the list up to maximum
+supported sample rate.
+
+Signed-off-by: Bogdan Togorean
+Reviewed-by: Andrzej Hajda
+Signed-off-by: Andrzej Hajda
+Link: https://patchwork.freedesktop.org/patch/msgid/20200413113513.86091-2-bogdan.togorean@analog.com
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/bridge/adv7511/adv7511_audio.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511_audio.c b/drivers/gpu/drm/bridge/adv7511/adv7511_audio.c
+index 1b4783d45c53..3a218b56a008 100644
+--- a/drivers/gpu/drm/bridge/adv7511/adv7511_audio.c
++++ b/drivers/gpu/drm/bridge/adv7511/adv7511_audio.c
+@@ -20,13 +20,15 @@ static void adv7511_calc_cts_n(unsigned int f_tmds, unsigned int fs,
+ {
+ switch (fs) {
+ case 32000:
+- *n = 4096;
++ case 48000:
++ case 96000:
++ case 192000:
++ *n = fs * 128 / 1000;
+ break;
+ case 44100:
+- *n = 6272;
+- break;
+- case 48000:
+- *n = 6144;
++ case 88200:
++ case 176400:
++ *n = fs * 128 / 900;
+ break;
+ }
+
+--
+2.25.1
+
diff --git a/queue-4.19/dt-bindings-display-mediatek-control-dpi-pins-mode-t.patch b/queue-4.19/dt-bindings-display-mediatek-control-dpi-pins-mode-t.patch
new file mode 100644
index 00000000000..8500142d3d1
--- /dev/null
+++ b/queue-4.19/dt-bindings-display-mediatek-control-dpi-pins-mode-t.patch
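Review bot: The `switch (fs)` in `adv7511_calc_cts_n()` still has no `default:` case, so a sample rate outside the seven listed leaves `*n` unwritten. Whatever follows the switch (outside this hunk) then works with the value the caller passed in. Now that the list is meant to cover every supported rate up to 192 kHz, an explicit `default:` branch, or a comment stating that callers pre-initialise `n`, would make the behaviour for unsupported rates deliberate rather than implicit. The function continues past the end of the hunk, so check how `*n` is consumed before picking the fallback value.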
@@ -0,0 +1,49 @@ +From 5325c5e39621adbeedd5732d2c53d09e65e6363a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Apr 2020 09:13:17 +0800 +Subject: dt-bindings: display: mediatek: control dpi pins mode to avoid + leakage + +From: Jitao Shi + +[ Upstream commit b0ff9b590733079f7f9453e5976a9dd2630949e3 ] + +Add property "pinctrl-names" to swap pin mode between gpio and dpi mode. +Set the dpi pins to gpio mode and output-low to avoid leakage current +when dpi disabled. + +Acked-by: Rob Herring +Signed-off-by: Jitao Shi +Signed-off-by: Chun-Kuang Hu +Signed-off-by: Sasha Levin +--- + .../devicetree/bindings/display/mediatek/mediatek,dpi.txt | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/Documentation/devicetree/bindings/display/mediatek/mediatek,dpi.txt b/Documentation/devicetree/bindings/display/mediatek/mediatek,dpi.txt +index b6a7e7397b8b..b944fe067188 100644 +--- a/Documentation/devicetree/bindings/display/mediatek/mediatek,dpi.txt ++++ b/Documentation/devicetree/bindings/display/mediatek/mediatek,dpi.txt +@@ -16,6 +16,9 @@ Required properties: + Documentation/devicetree/bindings/graph.txt. This port should be connected + to the input port of an attached HDMI or LVDS encoder chip. + ++Optional properties: ++- pinctrl-names: Contain "default" and "sleep". ++ + Example: + + dpi0: dpi@1401d000 { +@@ -26,6 +29,9 @@ dpi0: dpi@1401d000 { + <&mmsys CLK_MM_DPI_ENGINE>, + <&apmixedsys CLK_APMIXED_TVDPLL>; + clock-names = "pixel", "engine", "pll"; ++ pinctrl-names = "default", "sleep"; ++ pinctrl-0 = <&dpi_pin_func>; ++ pinctrl-1 = <&dpi_pin_idle>; + + port { + dpi0_out: endpoint { +-- +2.25.1 + diff --git a/queue-4.19/e1000-distribute-switch-variables-for-initialization.patch b/queue-4.19/e1000-distribute-switch-variables-for-initialization.patch new file mode 100644 index 00000000000..f9de8ce9baa --- /dev/null +++ b/queue-4.19/e1000-distribute-switch-variables-for-initialization.patch 
@@ -0,0 +1,67 @@ +From ffdbe05585c1d4d22b43feb271feb10d0a446cc3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Feb 2020 22:23:02 -0800 +Subject: e1000: Distribute switch variables for initialization +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kees Cook + +[ Upstream commit a34c7f5156654ebaf7eaace102938be7ff7036cb ] + +Variables declared in a switch statement before any case statements +cannot be automatically initialized with compiler instrumentation (as +they are not part of any execution flow). With GCC's proposed automatic +stack variable initialization feature, this triggers a warning (and they +don't get initialized). Clang's automatic stack variable initialization +(via CONFIG_INIT_STACK_ALL=y) doesn't throw a warning, but it also +doesn't initialize such variables[1]. Note that these warnings (or silent +skipping) happen before the dead-store elimination optimization phase, +so even when the automatic initializations are later elided in favor of +direct initializations, the warnings remain. + +To avoid these problems, move such variables into the "case" where +they're used or lift them up into the main function body. 
+ +drivers/net/ethernet/intel/e1000/e1000_main.c: In function ‘e1000_xmit_frame’: +drivers/net/ethernet/intel/e1000/e1000_main.c:3143:18: warning: statement will never be executed [-Wswitch-unreachable] + 3143 | unsigned int pull_size; + | ^~~~~~~~~ + +[1] https://bugs.llvm.org/show_bug.cgi?id=44916 + +Signed-off-by: Kees Cook +Tested-by: Aaron Brown +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/e1000/e1000_main.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/e1000/e1000_main.c b/drivers/net/ethernet/intel/e1000/e1000_main.c +index 2110d5f2da19..47b867c64b14 100644 +--- a/drivers/net/ethernet/intel/e1000/e1000_main.c ++++ b/drivers/net/ethernet/intel/e1000/e1000_main.c +@@ -3144,8 +3144,9 @@ static netdev_tx_t e1000_xmit_frame(struct sk_buff *skb, + hdr_len = skb_transport_offset(skb) + tcp_hdrlen(skb); + if (skb->data_len && hdr_len == len) { + switch (hw->mac_type) { ++ case e1000_82544: { + unsigned int pull_size; +- case e1000_82544: ++ + /* Make sure we have room to chop off 4 bytes, + * and that the end alignment will work out to + * this hardware's requirements +@@ -3166,6 +3167,7 @@ static netdev_tx_t e1000_xmit_frame(struct sk_buff *skb, + } + len = skb_headlen(skb); + break; ++ } + default: + /* do nothing */ + break; +-- +2.25.1 + diff --git a/queue-4.19/efi-libstub-x86-work-around-llvm-elf-quirk-build-reg.patch b/queue-4.19/efi-libstub-x86-work-around-llvm-elf-quirk-build-reg.patch new file mode 100644 index 00000000000..1a7990b6057 --- /dev/null +++ b/queue-4.19/efi-libstub-x86-work-around-llvm-elf-quirk-build-reg.patch 
@@ -0,0 +1,51 @@ +From 8464883403076b48e374d3dcd3745a41a9144f29 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 May 2020 10:06:29 +0200 +Subject: efi/libstub/x86: Work around LLVM ELF quirk build regression + +From: Ard Biesheuvel + +[ Upstream commit f77767ed5f4d398b29119563155e4ece2dfeee13 ] + +When building the x86 EFI stub with Clang, the libstub Makefile rules +that manipulate the ELF object files may throw an error like: + + STUBCPY drivers/firmware/efi/libstub/efi-stub-helper.stub.o + strip: drivers/firmware/efi/libstub/efi-stub-helper.stub.o: Failed to find link section for section 10 + objcopy: drivers/firmware/efi/libstub/efi-stub-helper.stub.o: Failed to find link section for section 10 + +This is the result of a LLVM feature [0] where symbol references are +stored in a LLVM specific .llvm_addrsig section in a non-transparent way, +causing generic ELF tools such as strip or objcopy to choke on them. + +So force the compiler not to emit these sections, by passing the +appropriate command line option. + +[0] https://sourceware.org/bugzilla/show_bug.cgi?id=23817 + +Cc: Nick Desaulniers +Cc: Peter Collingbourne +Cc: Sami Tolvanen +Reported-by: Arnd Bergmann +Suggested-by: Fangrui Song +Signed-off-by: Ard Biesheuvel +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/libstub/Makefile | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/firmware/efi/libstub/Makefile b/drivers/firmware/efi/libstub/Makefile +index d9845099635e..d3777d754984 100644 +--- a/drivers/firmware/efi/libstub/Makefile ++++ b/drivers/firmware/efi/libstub/Makefile +@@ -28,6 +28,7 @@ KBUILD_CFLAGS := $(cflags-y) -DDISABLE_BRANCH_PROFILING \ + -D__NO_FORTIFY \ + $(call cc-option,-ffreestanding) \ + $(call cc-option,-fno-stack-protector) \ ++ $(call cc-option,-fno-addrsig) \ + -D__DISABLE_EXPORTS + + GCOV_PROFILE := n +-- +2.25.1 + 
diff --git a/queue-4.19/exit-move-preemption-fixup-up-move-blocking-operatio.patch b/queue-4.19/exit-move-preemption-fixup-up-move-blocking-operatio.patch new file mode 100644 index 00000000000..ed420248717 --- /dev/null +++ b/queue-4.19/exit-move-preemption-fixup-up-move-blocking-operatio.patch 
@@ -0,0 +1,84 @@ +From 7d2684c4848821098b6ee2aebfee74375e1a8232 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2020 23:06:57 +0100 +Subject: exit: Move preemption fixup up, move blocking operations down + +From: Jann Horn + +[ Upstream commit 586b58cac8b4683eb58a1446fbc399de18974e40 ] + +With CONFIG_DEBUG_ATOMIC_SLEEP=y and CONFIG_CGROUPS=y, kernel oopses in +non-preemptible context look untidy; after the main oops, the kernel prints +a "sleeping function called from invalid context" report because +exit_signals() -> cgroup_threadgroup_change_begin() -> percpu_down_read() +can sleep, and that happens before the preempt_count_set(PREEMPT_ENABLED) +fixup. + +It looks like the same thing applies to profile_task_exit() and +kcov_task_exit(). + +Fix it by moving the preemption fixup up and the calls to +profile_task_exit() and kcov_task_exit() down. + +Fixes: 1dc0fffc48af ("sched/core: Robustify preemption leak checks") +Signed-off-by: Jann Horn +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/20200305220657.46800-1-jannh@google.com +Signed-off-by: Sasha Levin +--- + kernel/exit.c | 25 ++++++++++++++++--------- + 1 file changed, 16 insertions(+), 9 deletions(-) + +diff --git a/kernel/exit.c b/kernel/exit.c +index 894fca56a38c..eeaafd4064c9 100644 +--- a/kernel/exit.c ++++ b/kernel/exit.c +@@ -772,8 +772,12 @@ void __noreturn do_exit(long code) + struct task_struct *tsk = current; + int group_dead; + +- profile_task_exit(tsk); +- kcov_task_exit(tsk); ++ /* ++ * We can get here from a kernel oops, sometimes with preemption off. ++ * Start by checking for critical errors. ++ * Then fix up important state like USER_DS and preemption. ++ * Then do everything else. 
++ */ + + WARN_ON(blk_needs_flush_plug(tsk)); + +@@ -791,6 +795,16 @@ void __noreturn do_exit(long code) + */ + set_fs(USER_DS); + ++ if (unlikely(in_atomic())) { ++ pr_info("note: %s[%d] exited with preempt_count %d\n", ++ current->comm, task_pid_nr(current), ++ preempt_count()); ++ preempt_count_set(PREEMPT_ENABLED); ++ } ++ ++ profile_task_exit(tsk); ++ kcov_task_exit(tsk); ++ + ptrace_event(PTRACE_EVENT_EXIT, code); + + validate_creds_for_do_exit(tsk); +@@ -828,13 +842,6 @@ void __noreturn do_exit(long code) + raw_spin_lock_irq(&tsk->pi_lock); + raw_spin_unlock_irq(&tsk->pi_lock); + +- if (unlikely(in_atomic())) { +- pr_info("note: %s[%d] exited with preempt_count %d\n", +- current->comm, task_pid_nr(current), +- preempt_count()); +- preempt_count_set(PREEMPT_ENABLED); +- } +- + /* sync mm's RSS info before statistics gathering */ + if (tsk->mm) + sync_mm_rss(tsk->mm); +-- +2.25.1 + diff --git a/queue-4.19/ixgbe-fix-signed-integer-overflow-warning.patch b/queue-4.19/ixgbe-fix-signed-integer-overflow-warning.patch new file mode 100644 index 00000000000..c423a916eb5 --- /dev/null +++ b/queue-4.19/ixgbe-fix-signed-integer-overflow-warning.patch 
@@ -0,0 +1,56 @@ +From 1d9662780f9dd760194702ee3cbfeef79e03809a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 May 2020 10:45:21 +0800 +Subject: ixgbe: fix signed-integer-overflow warning + +From: Xie XiuQi + +[ Upstream commit 3b70683fc4d68f5d915d9dc7e5ba72c732c7315c ] + +ubsan report this warning, fix it by adding a unsigned suffix. + +UBSAN: signed-integer-overflow in +drivers/net/ethernet/intel/ixgbe/ixgbe_common.c:2246:26 +65535 * 65537 cannot be represented in type 'int' +CPU: 21 PID: 7 Comm: kworker/u256:0 Not tainted 5.7.0-rc3-debug+ #39 +Hardware name: Huawei TaiShan 2280 V2/BC82AMDC, BIOS 2280-V2 03/27/2020 +Workqueue: ixgbe ixgbe_service_task [ixgbe] +Call trace: + dump_backtrace+0x0/0x3f0 + show_stack+0x28/0x38 + dump_stack+0x154/0x1e4 + ubsan_epilogue+0x18/0x60 + handle_overflow+0xf8/0x148 + __ubsan_handle_mul_overflow+0x34/0x48 + ixgbe_fc_enable_generic+0x4d0/0x590 [ixgbe] + ixgbe_service_task+0xc20/0x1f78 [ixgbe] + process_one_work+0x8f0/0xf18 + worker_thread+0x430/0x6d0 + kthread+0x218/0x238 + ret_from_fork+0x10/0x18 + +Reported-by: Hulk Robot +Signed-off-by: Xie XiuQi +Tested-by: Andrew Bowers +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ixgbe/ixgbe_common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c +index 0bd1294ba517..39c5e6fdb72c 100644 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c +@@ -2243,7 +2243,7 @@ s32 ixgbe_fc_enable_generic(struct ixgbe_hw *hw) + } + + /* Configure pause time (2 TCs per register) */ +- reg = hw->fc.pause_time * 0x00010001; ++ reg = hw->fc.pause_time * 0x00010001U; + for (i = 0; i < (MAX_TRAFFIC_CLASS / 2); i++) + IXGBE_WRITE_REG(hw, IXGBE_FCTTV(i), reg); + +-- +2.25.1 + 
diff --git a/queue-4.19/ixgbe-fix-xdp-redirect-on-archs-with-page_size-above.patch b/queue-4.19/ixgbe-fix-xdp-redirect-on-archs-with-page_size-above.patch new file mode 100644 index 00000000000..61ee1cc752a --- /dev/null +++ b/queue-4.19/ixgbe-fix-xdp-redirect-on-archs-with-page_size-above.patch 
@@ -0,0 +1,48 @@
+From be9024d2ff01ce511cff6362e7d7138256bb594e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 14 May 2020 12:50:49 +0200
+Subject: ixgbe: Fix XDP redirect on archs with PAGE_SIZE above 4K
+
+From: Jesper Dangaard Brouer
+
+[ Upstream commit 88eb0ee17b2ece64fcf6689a4557a5c2e7a89c4b ]
+
+The ixgbe driver have another memory model when compiled on archs with
+PAGE_SIZE above 4096 bytes. In this mode it doesn't split the page in
+two halves, but instead increment rx_buffer->page_offset by truesize of
+packet (which include headroom and tailroom for skb_shared_info).
+
+This is done correctly in ixgbe_build_skb(), but in ixgbe_rx_buffer_flip
+which is currently only called on XDP_TX and XDP_REDIRECT, it forgets
+to add the tailroom for skb_shared_info. This breaks XDP_REDIRECT, for
+veth and cpumap. Fix by adding size of skb_shared_info tailroom.
+
+Maintainers notice: This fix have been queued to Jeff.
+
+Fixes: 6453073987ba ("ixgbe: add initial support for xdp redirect")
+Signed-off-by: Jesper Dangaard Brouer
+Signed-off-by: Alexei Starovoitov
+Cc: Jeff Kirsher
+Link: https://lore.kernel.org/bpf/158945344946.97035.17031588499266605743.stgit@firesoul
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+index 8177276500f5..7d723b70fcf6 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+@@ -2258,7 +2258,8 @@ static void ixgbe_rx_buffer_flip(struct ixgbe_ring *rx_ring,
+ rx_buffer->page_offset ^= truesize;
+ #else
+ unsigned int truesize = ring_uses_build_skb(rx_ring) ?
+- SKB_DATA_ALIGN(IXGBE_SKB_PAD + size) :
++ SKB_DATA_ALIGN(IXGBE_SKB_PAD + size) +
++ SKB_DATA_ALIGN(sizeof(struct skb_shared_info)) :
+ SKB_DATA_ALIGN(size);
+
+ rx_buffer->page_offset += truesize;
+--
+2.25.1
+
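Review bot: The PAGE_SIZE > 4K branch of ixgbe_rx_buffer_flip() now writes out the build_skb truesize formula by hand, and per the commit message ixgbe_build_skb() carries the same formula, so the two copies can drift apart again. Because `page_offset` is advanced by this value, a truesize that is too small would presumably let the next receive buffer start inside the previous frame's skb_shared_info tailroom. I would state the invariant next to the expression, e.g. `/* must equal the truesize used by ixgbe_build_skb(): headroom + data + skb_shared_info tailroom */`, or compute both through one shared helper. ixgbe_build_skb() and the rest of this function are outside the hunk, so the matching-formula claim rests on the commit message.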
diff --git a/queue-4.19/kgdb-disable-warn_console_unlocked-for-all-kgdb.patch b/queue-4.19/kgdb-disable-warn_console_unlocked-for-all-kgdb.patch
new file mode 100644
index 00000000000..d538edf9db4
--- /dev/null
+++ b/queue-4.19/kgdb-disable-warn_console_unlocked-for-all-kgdb.patch
@@ -0,0 +1,74 @@ +From 649e1b78925e70cd02e10a77bb45d0ac8d6d89f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 May 2020 13:08:39 -0700 +Subject: kgdb: Disable WARN_CONSOLE_UNLOCKED for all kgdb + +From: Douglas Anderson + +[ Upstream commit 202164fbfa2b2ffa3e66b504e0f126ba9a745006 ] + +In commit 81eaadcae81b ("kgdboc: disable the console lock when in +kgdb") we avoided the WARN_CONSOLE_UNLOCKED() yell when we were in +kgdboc. That still works fine, but it turns out that we get a similar +yell when using other I/O drivers. One example is the "I/O driver" +for the kgdb test suite (kgdbts). When I enabled that I again got the +same yells. + +Even though "kgdbts" doesn't actually interact with the user over the +console, using it still causes kgdb to print to the consoles. That +trips the same warning: + con_is_visible+0x60/0x68 + con_scroll+0x110/0x1b8 + lf+0x4c/0xc8 + vt_console_print+0x1b8/0x348 + vkdb_printf+0x320/0x89c + kdb_printf+0x68/0x90 + kdb_main_loop+0x190/0x860 + kdb_stub+0x2cc/0x3ec + kgdb_cpu_enter+0x268/0x744 + kgdb_handle_exception+0x1a4/0x200 + kgdb_compiled_brk_fn+0x34/0x44 + brk_handler+0x7c/0xb8 + do_debug_exception+0x1b4/0x228 + +Let's increment/decrement the "ignore_console_lock_warning" variable +all the time when we enter the debugger. + +This will allow us to later revert commit 81eaadcae81b ("kgdboc: +disable the console lock when in kgdb"). 
+ +Signed-off-by: Douglas Anderson +Reviewed-by: Greg Kroah-Hartman +Reviewed-by: Daniel Thompson +Link: https://lore.kernel.org/r/20200507130644.v4.1.Ied2b058357152ebcc8bf68edd6f20a11d98d7d4e@changeid +Signed-off-by: Daniel Thompson +Signed-off-by: Sasha Levin +--- + kernel/debug/debug_core.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/kernel/debug/debug_core.c b/kernel/debug/debug_core.c +index 94aa9ae0007a..d2799767aab8 100644 +--- a/kernel/debug/debug_core.c ++++ b/kernel/debug/debug_core.c +@@ -577,6 +577,8 @@ return_normal: + if (kgdb_skipexception(ks->ex_vector, ks->linux_regs)) + goto kgdb_restore; + ++ atomic_inc(&ignore_console_lock_warning); ++ + /* Call the I/O driver's pre_exception routine */ + if (dbg_io_ops->pre_exception) + dbg_io_ops->pre_exception(); +@@ -649,6 +651,8 @@ cpu_master_loop: + if (dbg_io_ops->post_exception) + dbg_io_ops->post_exception(); + ++ atomic_dec(&ignore_console_lock_warning); ++ + if (!kgdb_single_step) { + raw_spin_unlock(&dbg_slave_lock); + /* Wait till all the CPUs have quit from the debugger. */ +-- +2.25.1 + diff --git a/queue-4.19/kgdb-fix-spurious-true-from-in_dbg_master.patch b/queue-4.19/kgdb-fix-spurious-true-from-in_dbg_master.patch new file mode 100644 index 00000000000..5f258cfd485 --- /dev/null +++ b/queue-4.19/kgdb-fix-spurious-true-from-in_dbg_master.patch 
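Review bot: The `atomic_inc(&ignore_console_lock_warning)` added after `return_normal:` and the `atomic_dec()` added after the post_exception call are separated by code this patch does not show, and nothing in the source ties the two together. If any path between them leaves the function or jumps past the decrement, the counter stays raised and the console-lock warning remains suppressed from then on. A comment at the increment, e.g. `/* paired with the atomic_dec() after post_exception; every exit from the debugger must pass through it */`, would make the pairing reviewable. The enclosing function starts and ends outside both inner hunks.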
@@ -0,0 +1,47 @@
+From 0158332aecf3d2a0b7aa78fdb400a9c9b188cdc7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 6 May 2020 17:42:23 +0100
+Subject: kgdb: Fix spurious true from in_dbg_master()
+
+From: Daniel Thompson
+
+[ Upstream commit 3fec4aecb311995189217e64d725cfe84a568de3 ]
+
+Currently there is a small window where a badly timed migration could
+cause in_dbg_master() to spuriously return true. Specifically if we
+migrate to a new core after reading the processor id and the previous
+core takes a breakpoint then we will evaluate true if we read
+kgdb_active before we get the IPI to bring us to halt.
+
+Fix this by checking irqs_disabled() first. Interrupts are always
+disabled when we are executing the kgdb trap so this is an acceptable
+prerequisite. This also allows us to replace raw_smp_processor_id()
+with smp_processor_id() since the short circuit logic will prevent
+warnings from PREEMPT_DEBUG.
+
+Fixes: dcc7871128e9 ("kgdb: core changes to support kdb")
+Suggested-by: Will Deacon
+Link: https://lore.kernel.org/r/20200506164223.2875760-1-daniel.thompson@linaro.org
+Reviewed-by: Douglas Anderson
+Signed-off-by: Daniel Thompson
+Signed-off-by: Sasha Levin
+---
+ include/linux/kgdb.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/kgdb.h b/include/linux/kgdb.h
+index e465bb15912d..6be5545d3584 100644
+--- a/include/linux/kgdb.h
++++ b/include/linux/kgdb.h
+@@ -317,7 +317,7 @@ extern void gdbstub_exit(int status);
+ extern int kgdb_single_step;
+ extern atomic_t kgdb_active;
+ #define in_dbg_master() \
+- (raw_smp_processor_id() == atomic_read(&kgdb_active))
++ (irqs_disabled() && (smp_processor_id() == atomic_read(&kgdb_active)))
+ extern bool dbg_is_early;
+ extern void __init dbg_late_init(void);
+ #else /* ! CONFIG_KGDB */
+--
+2.25.1
+
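Review bot: The new `in_dbg_master()` is only safe because `irqs_disabled()` is evaluated first, yet the macro carries no hint that the operand order matters. According to the commit message the short circuit is what keeps `smp_processor_id()` from being reached in preemptible context, so a later tidy-up that swaps the operands would bring the PREEMPT_DEBUG warning back. I would add a comment above the `#define`, e.g. `/* irqs_disabled() must be tested first: the kgdb trap runs with interrupts off, and the short circuit keeps smp_processor_id() out of preemptible context */`.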
diff --git a/queue-4.19/kgdb-prevent-infinite-recursive-entries-to-the-debug.patch b/queue-4.19/kgdb-prevent-infinite-recursive-entries-to-the-debug.patch new file mode 100644 index 00000000000..91eda918e86 --- /dev/null +++ b/queue-4.19/kgdb-prevent-infinite-recursive-entries-to-the-debug.patch @@ -0,0 +1,38 @@ +From 804b2c8af9fc170e9c950089e3ee86435129596d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 May 2020 13:08:44 -0700 +Subject: kgdb: Prevent infinite recursive entries to the debugger + +From: Douglas Anderson + +[ Upstream commit 3ca676e4ca60d1834bb77535dafe24169cadacef ] + +If we detect that we recursively entered the debugger we should hack +our I/O ops to NULL so that the panic() in the next line won't +actually cause another recursion into the debugger. The first line of +kgdb_panic() will check this and return. + +Signed-off-by: Douglas Anderson +Reviewed-by: Daniel Thompson +Link: https://lore.kernel.org/r/20200507130644.v4.6.I89de39f68736c9de610e6f241e68d8dbc44bc266@changeid +Signed-off-by: Daniel Thompson +Signed-off-by: Sasha Levin +--- + kernel/debug/debug_core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/kernel/debug/debug_core.c b/kernel/debug/debug_core.c +index d2799767aab8..6a1dc2613bb9 100644 +--- a/kernel/debug/debug_core.c ++++ b/kernel/debug/debug_core.c +@@ -444,6 +444,7 @@ static int kgdb_reenter_check(struct kgdb_state *ks) + + if (exception_level > 1) { + dump_stack(); ++ kgdb_io_module_registered = false; + panic("Recursive entry to debugger"); + } + +-- +2.25.1 + diff --git a/queue-4.19/lib-mpi-fix-64-bit-mips-build-with-clang.patch b/queue-4.19/lib-mpi-fix-64-bit-mips-build-with-clang.patch new file mode 100644 index 00000000000..48c1bb648dc --- /dev/null +++ b/queue-4.19/lib-mpi-fix-64-bit-mips-build-with-clang.patch 
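Review bot: The added `kgdb_io_module_registered = false;` in kgdb_reenter_check() only helps if the panic path in this tree actually tests that flag, and the hunk shows no such test. The commit message relies on the first line of kgdb_panic() doing so, and it also describes the change as setting the I/O ops to NULL, which is not what the code does. For a 4.19 backport it is worth confirming that kgdb_panic() exists here and checks the flag, because if panic entry reaches the debugger some other way the recursion may remain. Either way a comment such as `/* keep the panic() below from re-entering the debugger */` would explain why a registration flag is cleared in a re-entry check whose body continues outside the hunk.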
@@ -0,0 +1,69 @@ +From 6c5af935bcb4222df93ac330005983bad80a39e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Apr 2020 14:47:04 -0700 +Subject: lib/mpi: Fix 64-bit MIPS build with Clang + +From: Nathan Chancellor + +[ Upstream commit 18f1ca46858eac22437819937ae44aa9a8f9f2fa ] + +When building 64r6_defconfig with CONFIG_MIPS32_O32 disabled and +CONFIG_CRYPTO_RSA enabled: + +lib/mpi/generic_mpih-mul1.c:37:24: error: invalid use of a cast in a +inline asm context requiring an l-value: remove the cast +or build with -fheinous-gnu-extensions + umul_ppmm(prod_high, prod_low, s1_ptr[j], s2_limb); + ~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +lib/mpi/longlong.h:664:22: note: expanded from macro 'umul_ppmm' + : "=d" ((UDItype)(w0)) + ~~~~~~~~~~^~~ +lib/mpi/generic_mpih-mul1.c:37:13: error: invalid use of a cast in a +inline asm context requiring an l-value: remove the cast +or build with -fheinous-gnu-extensions + umul_ppmm(prod_high, prod_low, s1_ptr[j], s2_limb); + ~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +lib/mpi/longlong.h:668:22: note: expanded from macro 'umul_ppmm' + : "=d" ((UDItype)(w1)) + ~~~~~~~~~~^~~ +2 errors generated. + +This special case for umul_ppmm for MIPS64r6 was added in +commit bbc25bee37d2b ("lib/mpi: Fix umul_ppmm() for MIPS64r6"), due to +GCC being inefficient and emitting a __multi3 intrinsic. + +There is no such issue with clang; with this patch applied, I can build +this configuration without any problems and there are no link errors +like mentioned in the commit above (which I can still reproduce with +GCC 9.3.0 when that commit is reverted). Only use this definition when +GCC is being used. + +This really should have been caught by commit b0c091ae04f67 ("lib/mpi: +Eliminate unused umul_ppmm definitions for MIPS") when I was messing +around in this area but I was not testing 64-bit MIPS at the time. 
+ +Link: https://github.com/ClangBuiltLinux/linux/issues/885 +Reported-by: Dmitry Golovin +Signed-off-by: Nathan Chancellor +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + lib/mpi/longlong.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/mpi/longlong.h b/lib/mpi/longlong.h +index e01b705556aa..6c5229f98c9e 100644 +--- a/lib/mpi/longlong.h ++++ b/lib/mpi/longlong.h +@@ -671,7 +671,7 @@ do { \ + ************** MIPS/64 ************** + ***************************************/ + #if (defined(__mips) && __mips >= 3) && W_TYPE_SIZE == 64 +-#if defined(__mips_isa_rev) && __mips_isa_rev >= 6 ++#if defined(__mips_isa_rev) && __mips_isa_rev >= 6 && defined(CONFIG_CC_IS_GCC) + /* + * GCC ends up emitting a __multi3 intrinsic call for MIPS64r6 with the plain C + * code below, so we special case MIPS64r6 until the compiler can do better. +-- +2.25.1 + diff --git a/queue-4.19/m68k-mac-don-t-call-via_flush_cache-on-mac-iifx.patch b/queue-4.19/m68k-mac-don-t-call-via_flush_cache-on-mac-iifx.patch new file mode 100644 index 00000000000..a0b6df9b774 --- /dev/null +++ b/queue-4.19/m68k-mac-don-t-call-via_flush_cache-on-mac-iifx.patch 
@@ -0,0 +1,171 @@ +From fb6aa3f6caf8700bb4d29bee7005c6bcb5449da4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 May 2020 14:32:02 +1000 +Subject: m68k: mac: Don't call via_flush_cache() on Mac IIfx + +From: Finn Thain + +[ Upstream commit bcc44f6b74106b31f0b0408b70305a40360d63b7 ] + +There is no VIA2 chip on the Mac IIfx, so don't call via_flush_cache(). +This avoids a boot crash which appeared in v5.4. + +printk: console [ttyS0] enabled +printk: bootconsole [debug0] disabled +printk: bootconsole [debug0] disabled +Calibrating delay loop... 9.61 BogoMIPS (lpj=48064) +pid_max: default: 32768 minimum: 301 +Mount-cache hash table entries: 1024 (order: 0, 4096 bytes, linear) +Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes, linear) +devtmpfs: initialized +random: get_random_u32 called from bucket_table_alloc.isra.27+0x68/0x194 with crng_init=0 +clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns +futex hash table entries: 256 (order: -1, 3072 bytes, linear) +NET: Registered protocol family 16 +Data read fault at 0x00000000 in Super Data (pc=0x8a6a) +BAD KERNEL BUSERR +Oops: 00000000 +Modules linked in: +PC: [<00008a6a>] via_flush_cache+0x12/0x2c +SR: 2700 SP: 01c1fe3c a2: 01c24000 +d0: 00001119 d1: 0000000c d2: 00012000 d3: 0000000f +d4: 01c06840 d5: 00033b92 a0: 00000000 a1: 00000000 +Process swapper (pid: 1, task=01c24000) +Frame format=B ssw=0755 isc=0200 isb=fff7 daddr=00000000 dobuf=01c1fed0 +baddr=00008a6e dibuf=0000004e ver=f +Stack from 01c1fec4: + 01c1fed0 00007d7e 00010080 01c1fedc 0000792e 00000001 01c1fef4 00006b40 + 01c80000 00040000 00000006 00000003 01c1ff1c 004a545e 004ff200 00040000 + 00000000 00000003 01c06840 00033b92 004a5410 004b6c88 01c1ff84 000021e2 + 00000073 00000003 01c06840 00033b92 0038507a 004bb094 004b6ca8 004b6c88 + 004b6ca4 004b6c88 000021ae 00020002 00000000 01c0685d 00000000 01c1ffb4 + 0049f938 00409c85 01c06840 0045bd40 00000073 00000002 00000002 00000000 +Call 
Trace: [<00007d7e>] mac_cache_card_flush+0x12/0x1c + [<00010080>] fix_dnrm+0x2/0x18 + [<0000792e>] cache_push+0x46/0x5a + [<00006b40>] arch_dma_prep_coherent+0x60/0x6e + [<00040000>] switched_to_dl+0x76/0xd0 + [<004a545e>] dma_atomic_pool_init+0x4e/0x188 + [<00040000>] switched_to_dl+0x76/0xd0 + [<00033b92>] parse_args+0x0/0x370 + [<004a5410>] dma_atomic_pool_init+0x0/0x188 + [<000021e2>] do_one_initcall+0x34/0x1be + [<00033b92>] parse_args+0x0/0x370 + [<0038507a>] strcpy+0x0/0x1e + [<000021ae>] do_one_initcall+0x0/0x1be + [<00020002>] do_proc_dointvec_conv+0x54/0x74 + [<0049f938>] kernel_init_freeable+0x126/0x190 + [<0049f94c>] kernel_init_freeable+0x13a/0x190 + [<004a5410>] dma_atomic_pool_init+0x0/0x188 + [<00041798>] complete+0x0/0x3c + [<000b9b0c>] kfree+0x0/0x20a + [<0038df98>] schedule+0x0/0xd0 + [<0038d604>] kernel_init+0x0/0xda + [<0038d610>] kernel_init+0xc/0xda + [<0038d604>] kernel_init+0x0/0xda + [<00002d38>] ret_from_kernel_thread+0xc/0x14 +Code: 0000 2079 0048 10da 2279 0048 10c8 d3c8 <1011> 0200 fff7 1280 d1f9 0048 10c8 1010 0000 0008 1080 4e5e 4e75 4e56 0000 2039 +Disabling lock debugging due to kernel taint +Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b + +Thanks to Stan Johnson for capturing the console log and running git +bisect. + +Git bisect said commit 8e3a68fb55e0 ("dma-mapping: make +dma_atomic_pool_init self-contained") is the first "bad" commit. I don't +know why. Perhaps mach_l2_flush first became reachable with that commit. 
+ +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-and-tested-by: Stan Johnson +Signed-off-by: Finn Thain +Cc: Joshua Thompson +Link: https://lore.kernel.org/r/b8bbeef197d6b3898e82ed0d231ad08f575a4b34.1589949122.git.fthain@telegraphics.com.au +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/m68k/include/asm/mac_via.h | 1 + + arch/m68k/mac/config.c | 21 ++------------------- + arch/m68k/mac/via.c | 6 +++++- + 3 files changed, 8 insertions(+), 20 deletions(-) + +diff --git a/arch/m68k/include/asm/mac_via.h b/arch/m68k/include/asm/mac_via.h +index de1470c4d829..1149251ea58d 100644 +--- a/arch/m68k/include/asm/mac_via.h ++++ b/arch/m68k/include/asm/mac_via.h +@@ -257,6 +257,7 @@ extern int rbv_present,via_alt_mapping; + + struct irq_desc; + ++extern void via_l2_flush(int writeback); + extern void via_register_interrupts(void); + extern void via_irq_enable(int); + extern void via_irq_disable(int); +diff --git a/arch/m68k/mac/config.c b/arch/m68k/mac/config.c +index cd9317d53276..a4f91bea6c88 100644 +--- a/arch/m68k/mac/config.c ++++ b/arch/m68k/mac/config.c +@@ -61,7 +61,6 @@ extern void iop_preinit(void); + extern void iop_init(void); + extern void via_init(void); + extern void via_init_clock(irq_handler_t func); +-extern void via_flush_cache(void); + extern void oss_init(void); + extern void psc_init(void); + extern void baboon_init(void); +@@ -132,21 +131,6 @@ int __init mac_parse_bootinfo(const struct bi_record *record) + return unknown; + } + +-/* +- * Flip into 24bit mode for an instant - flushes the L2 cache card. We +- * have to disable interrupts for this. Our IRQ handlers will crap +- * themselves if they take an IRQ in 24bit mode! +- */ +- +-static void mac_cache_card_flush(int writeback) +-{ +- unsigned long flags; +- +- local_irq_save(flags); +- via_flush_cache(); +- local_irq_restore(flags); +-} +- + void __init config_mac(void) + { + if (!MACH_IS_MAC) +@@ -178,9 +162,8 @@ void __init config_mac(void) + * not. 
+ */ + +- if (macintosh_config->ident == MAC_MODEL_IICI +- || macintosh_config->ident == MAC_MODEL_IIFX) +- mach_l2_flush = mac_cache_card_flush; ++ if (macintosh_config->ident == MAC_MODEL_IICI) ++ mach_l2_flush = via_l2_flush; + } + + +diff --git a/arch/m68k/mac/via.c b/arch/m68k/mac/via.c +index 038d5a1c4d48..8307da441a10 100644 +--- a/arch/m68k/mac/via.c ++++ b/arch/m68k/mac/via.c +@@ -289,10 +289,14 @@ void via_debug_dump(void) + * the system into 24-bit mode for an instant. + */ + +-void via_flush_cache(void) ++void via_l2_flush(int writeback) + { ++ unsigned long flags; ++ ++ local_irq_save(flags); + via2[gBufB] &= ~VIA2B_vMode32; + via2[gBufB] |= VIA2B_vMode32; ++ local_irq_restore(flags); + } + + /* +-- +2.25.1 + diff --git a/queue-4.19/macvlan-skip-loopback-packets-in-rx-handler.patch b/queue-4.19/macvlan-skip-loopback-packets-in-rx-handler.patch new file mode 100644 index 00000000000..6232725e30e --- /dev/null +++ b/queue-4.19/macvlan-skip-loopback-packets-in-rx-handler.patch 
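Review bot: via_l2_flush() in arch/m68k/mac/via.c still writes through `via2` with no check that a VIA2 exists, so the boot crash is avoided only because config_mac() no longer installs the hook for the IIfx. The `writeback` argument is unused, and the comment deleted from config.c, which explained that interrupts are disabled because the IRQ handlers cannot cope with 24-bit mode, is not carried over to the new `local_irq_save()`. I would keep that explanation in the function, e.g. `/* IRQs off: handlers must not run while the machine is briefly in 24-bit mode */`, and note there that it may only be installed as `mach_l2_flush` on models that have a VIA2.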
@@ -0,0 +1,102 @@ +From f6b56c835d60a45418b624a306dfe1d23190c858 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 May 2020 14:27:51 +0200 +Subject: macvlan: Skip loopback packets in RX handler + +From: Alexander Sverdlin + +[ Upstream commit 81f3dc9349ce0bf7b8447f147f45e70f0a5b36a6 ] + +Ignore loopback-originatig packets soon enough and don't try to process L2 +header where it doesn't exist. The very similar br_handle_frame() in bridge +code performs exactly the same check. + +This is an example of such ICMPv6 packet: + +skb len=96 headroom=40 headlen=96 tailroom=56 +mac=(40,0) net=(40,40) trans=80 +shinfo(txflags=0 nr_frags=0 gso(size=0 type=0 segs=0)) +csum(0xae2e9a2f ip_summed=1 complete_sw=0 valid=0 level=0) +hash(0xc97ebd88 sw=1 l4=1) proto=0x86dd pkttype=5 iif=24 +dev name=etha01.212 feat=0x0x0000000040005000 +skb headroom: 00000000: 00 7c 86 52 84 88 ff ff 00 00 00 00 00 00 08 00 +skb headroom: 00000010: 45 00 00 9e 5d 5c 40 00 40 11 33 33 00 00 00 01 +skb headroom: 00000020: 02 40 43 80 00 00 86 dd +skb linear: 00000000: 60 09 88 bd 00 38 3a ff fe 80 00 00 00 00 00 00 +skb linear: 00000010: 00 40 43 ff fe 80 00 00 ff 02 00 00 00 00 00 00 +skb linear: 00000020: 00 00 00 00 00 00 00 01 86 00 61 00 40 00 00 2d +skb linear: 00000030: 00 00 00 00 00 00 00 00 03 04 40 e0 00 00 01 2c +skb linear: 00000040: 00 00 00 78 00 00 00 00 fd 5f 42 68 23 87 a8 81 +skb linear: 00000050: 00 00 00 00 00 00 00 00 01 01 02 40 43 80 00 00 +skb tailroom: 00000000: ... +skb tailroom: 00000010: ... +skb tailroom: 00000020: ... +skb tailroom: 00000030: ... + +Call Trace, how it happens exactly: + ... + macvlan_handle_frame+0x321/0x425 [macvlan] + ? macvlan_forward_source+0x110/0x110 [macvlan] + __netif_receive_skb_core+0x545/0xda0 + ? enqueue_task_fair+0xe5/0x8e0 + ? __netif_receive_skb_one_core+0x36/0x70 + __netif_receive_skb_one_core+0x36/0x70 + process_backlog+0x97/0x140 + net_rx_action+0x1eb/0x350 + ? 
__hrtimer_run_queues+0x136/0x2e0 + __do_softirq+0xe3/0x383 + do_softirq_own_stack+0x2a/0x40 + + do_softirq.part.4+0x4e/0x50 + netif_rx_ni+0x60/0xd0 + dev_loopback_xmit+0x83/0xf0 + ip6_finish_output2+0x575/0x590 [ipv6] + ? ip6_cork_release.isra.1+0x64/0x90 [ipv6] + ? __ip6_make_skb+0x38d/0x680 [ipv6] + ? ip6_output+0x6c/0x140 [ipv6] + ip6_output+0x6c/0x140 [ipv6] + ip6_send_skb+0x1e/0x60 [ipv6] + rawv6_sendmsg+0xc4b/0xe10 [ipv6] + ? proc_put_long+0xd0/0xd0 + ? rw_copy_check_uvector+0x4e/0x110 + ? sock_sendmsg+0x36/0x40 + sock_sendmsg+0x36/0x40 + ___sys_sendmsg+0x2b6/0x2d0 + ? proc_dointvec+0x23/0x30 + ? addrconf_sysctl_forward+0x8d/0x250 [ipv6] + ? dev_forward_change+0x130/0x130 [ipv6] + ? _raw_spin_unlock+0x12/0x30 + ? proc_sys_call_handler.isra.14+0x9f/0x110 + ? __call_rcu+0x213/0x510 + ? get_max_files+0x10/0x10 + ? trace_hardirqs_on+0x2c/0xe0 + ? __sys_sendmsg+0x63/0xa0 + __sys_sendmsg+0x63/0xa0 + do_syscall_64+0x6c/0x1e0 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Signed-off-by: Alexander Sverdlin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/macvlan.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c +index 225bfc808112..349123592af0 100644 +--- a/drivers/net/macvlan.c ++++ b/drivers/net/macvlan.c +@@ -451,6 +451,10 @@ static rx_handler_result_t macvlan_handle_frame(struct sk_buff **pskb) + int ret; + rx_handler_result_t handle_res; + ++ /* Packets from dev_loopback_xmit() do not have L2 header, bail out */ ++ if (unlikely(skb->pkt_type == PACKET_LOOPBACK)) ++ return RX_HANDLER_PASS; ++ + port = macvlan_port_get_rcu(skb->dev); + if (is_multicast_ether_addr(eth->h_dest)) { + unsigned int hash; +-- +2.25.1 + diff --git a/queue-4.19/md-don-t-flush-workqueue-unconditionally-in-md_open.patch b/queue-4.19/md-don-t-flush-workqueue-unconditionally-in-md_open.patch new file mode 100644 index 00000000000..6c6fab6c383 --- /dev/null 
+++ b/queue-4.19/md-don-t-flush-workqueue-unconditionally-in-md_open.patch 
@@ -0,0 +1,163 @@ +From 5e725f149b4914dc77160ffc48fe14ad3e996886 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Apr 2020 23:57:09 +0200 +Subject: md: don't flush workqueue unconditionally in md_open + +From: Guoqing Jiang + +[ Upstream commit f6766ff6afff70e2aaf39e1511e16d471de7c3ae ] + +We need to check mddev->del_work before flush workqueu since the purpose +of flush is to ensure the previous md is disappeared. Otherwise the similar +deadlock appeared if LOCKDEP is enabled, it is due to md_open holds the +bdev->bd_mutex before flush workqueue. + +kernel: [ 154.522645] ====================================================== +kernel: [ 154.522647] WARNING: possible circular locking dependency detected +kernel: [ 154.522650] 5.6.0-rc7-lp151.27-default #25 Tainted: G O +kernel: [ 154.522651] ------------------------------------------------------ +kernel: [ 154.522653] mdadm/2482 is trying to acquire lock: +kernel: [ 154.522655] ffff888078529128 ((wq_completion)md_misc){+.+.}, at: flush_workqueue+0x84/0x4b0 +kernel: [ 154.522673] +kernel: [ 154.522673] but task is already holding lock: +kernel: [ 154.522675] ffff88804efa9338 (&bdev->bd_mutex){+.+.}, at: __blkdev_get+0x79/0x590 +kernel: [ 154.522691] +kernel: [ 154.522691] which lock already depends on the new lock. 
+kernel: [ 154.522691] +kernel: [ 154.522694] +kernel: [ 154.522694] the existing dependency chain (in reverse order) is: +kernel: [ 154.522696] +kernel: [ 154.522696] -> #4 (&bdev->bd_mutex){+.+.}: +kernel: [ 154.522704] __mutex_lock+0x87/0x950 +kernel: [ 154.522706] __blkdev_get+0x79/0x590 +kernel: [ 154.522708] blkdev_get+0x65/0x140 +kernel: [ 154.522709] blkdev_get_by_dev+0x2f/0x40 +kernel: [ 154.522716] lock_rdev+0x3d/0x90 [md_mod] +kernel: [ 154.522719] md_import_device+0xd6/0x1b0 [md_mod] +kernel: [ 154.522723] new_dev_store+0x15e/0x210 [md_mod] +kernel: [ 154.522728] md_attr_store+0x7a/0xc0 [md_mod] +kernel: [ 154.522732] kernfs_fop_write+0x117/0x1b0 +kernel: [ 154.522735] vfs_write+0xad/0x1a0 +kernel: [ 154.522737] ksys_write+0xa4/0xe0 +kernel: [ 154.522745] do_syscall_64+0x64/0x2b0 +kernel: [ 154.522748] entry_SYSCALL_64_after_hwframe+0x49/0xbe +kernel: [ 154.522749] +kernel: [ 154.522749] -> #3 (&mddev->reconfig_mutex){+.+.}: +kernel: [ 154.522752] __mutex_lock+0x87/0x950 +kernel: [ 154.522756] new_dev_store+0xc9/0x210 [md_mod] +kernel: [ 154.522759] md_attr_store+0x7a/0xc0 [md_mod] +kernel: [ 154.522761] kernfs_fop_write+0x117/0x1b0 +kernel: [ 154.522763] vfs_write+0xad/0x1a0 +kernel: [ 154.522765] ksys_write+0xa4/0xe0 +kernel: [ 154.522767] do_syscall_64+0x64/0x2b0 +kernel: [ 154.522769] entry_SYSCALL_64_after_hwframe+0x49/0xbe +kernel: [ 154.522770] +kernel: [ 154.522770] -> #2 (kn->count#253){++++}: +kernel: [ 154.522775] __kernfs_remove+0x253/0x2c0 +kernel: [ 154.522778] kernfs_remove+0x1f/0x30 +kernel: [ 154.522780] kobject_del+0x28/0x60 +kernel: [ 154.522783] mddev_delayed_delete+0x24/0x30 [md_mod] +kernel: [ 154.522786] process_one_work+0x2a7/0x5f0 +kernel: [ 154.522788] worker_thread+0x2d/0x3d0 +kernel: [ 154.522793] kthread+0x117/0x130 +kernel: [ 154.522795] ret_from_fork+0x3a/0x50 +kernel: [ 154.522796] +kernel: [ 154.522796] -> #1 ((work_completion)(&mddev->del_work)){+.+.}: +kernel: [ 154.522800] process_one_work+0x27e/0x5f0 +kernel: [ 
154.522802] worker_thread+0x2d/0x3d0 +kernel: [ 154.522804] kthread+0x117/0x130 +kernel: [ 154.522806] ret_from_fork+0x3a/0x50 +kernel: [ 154.522807] +kernel: [ 154.522807] -> #0 ((wq_completion)md_misc){+.+.}: +kernel: [ 154.522813] __lock_acquire+0x1392/0x1690 +kernel: [ 154.522816] lock_acquire+0xb4/0x1a0 +kernel: [ 154.522818] flush_workqueue+0xab/0x4b0 +kernel: [ 154.522821] md_open+0xb6/0xc0 [md_mod] +kernel: [ 154.522823] __blkdev_get+0xea/0x590 +kernel: [ 154.522825] blkdev_get+0x65/0x140 +kernel: [ 154.522828] do_dentry_open+0x1d1/0x380 +kernel: [ 154.522831] path_openat+0x567/0xcc0 +kernel: [ 154.522834] do_filp_open+0x9b/0x110 +kernel: [ 154.522836] do_sys_openat2+0x201/0x2a0 +kernel: [ 154.522838] do_sys_open+0x57/0x80 +kernel: [ 154.522840] do_syscall_64+0x64/0x2b0 +kernel: [ 154.522842] entry_SYSCALL_64_after_hwframe+0x49/0xbe +kernel: [ 154.522844] +kernel: [ 154.522844] other info that might help us debug this: +kernel: [ 154.522844] +kernel: [ 154.522846] Chain exists of: +kernel: [ 154.522846] (wq_completion)md_misc --> &mddev->reconfig_mutex --> &bdev->bd_mutex +kernel: [ 154.522846] +kernel: [ 154.522850] Possible unsafe locking scenario: +kernel: [ 154.522850] +kernel: [ 154.522852] CPU0 CPU1 +kernel: [ 154.522853] ---- ---- +kernel: [ 154.522854] lock(&bdev->bd_mutex); +kernel: [ 154.522856] lock(&mddev->reconfig_mutex); +kernel: [ 154.522858] lock(&bdev->bd_mutex); +kernel: [ 154.522860] lock((wq_completion)md_misc); +kernel: [ 154.522861] +kernel: [ 154.522861] *** DEADLOCK *** +kernel: [ 154.522861] +kernel: [ 154.522864] 1 lock held by mdadm/2482: +kernel: [ 154.522865] #0: ffff88804efa9338 (&bdev->bd_mutex){+.+.}, at: __blkdev_get+0x79/0x590 +kernel: [ 154.522868] +kernel: [ 154.522868] stack backtrace: +kernel: [ 154.522873] CPU: 1 PID: 2482 Comm: mdadm Tainted: G O 5.6.0-rc7-lp151.27-default #25 +kernel: [ 154.522875] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 +kernel: [ 154.522878] Call 
Trace: +kernel: [ 154.522881] dump_stack+0x8f/0xcb +kernel: [ 154.522884] check_noncircular+0x194/0x1b0 +kernel: [ 154.522888] ? __lock_acquire+0x1392/0x1690 +kernel: [ 154.522890] __lock_acquire+0x1392/0x1690 +kernel: [ 154.522893] lock_acquire+0xb4/0x1a0 +kernel: [ 154.522895] ? flush_workqueue+0x84/0x4b0 +kernel: [ 154.522898] flush_workqueue+0xab/0x4b0 +kernel: [ 154.522900] ? flush_workqueue+0x84/0x4b0 +kernel: [ 154.522905] ? md_open+0xb6/0xc0 [md_mod] +kernel: [ 154.522908] md_open+0xb6/0xc0 [md_mod] +kernel: [ 154.522910] __blkdev_get+0xea/0x590 +kernel: [ 154.522912] ? bd_acquire+0xc0/0xc0 +kernel: [ 154.522914] blkdev_get+0x65/0x140 +kernel: [ 154.522916] ? bd_acquire+0xc0/0xc0 +kernel: [ 154.522918] do_dentry_open+0x1d1/0x380 +kernel: [ 154.522921] path_openat+0x567/0xcc0 +kernel: [ 154.522923] ? __lock_acquire+0x380/0x1690 +kernel: [ 154.522926] do_filp_open+0x9b/0x110 +kernel: [ 154.522929] ? __alloc_fd+0xe5/0x1f0 +kernel: [ 154.522935] ? kmem_cache_alloc+0x28c/0x630 +kernel: [ 154.522939] ? do_sys_openat2+0x201/0x2a0 +kernel: [ 154.522941] do_sys_openat2+0x201/0x2a0 +kernel: [ 154.522944] do_sys_open+0x57/0x80 +kernel: [ 154.522946] do_syscall_64+0x64/0x2b0 +kernel: [ 154.522948] entry_SYSCALL_64_after_hwframe+0x49/0xbe +kernel: [ 154.522951] RIP: 0033:0x7f98d279d9ae + +And md_alloc also flushed the same workqueue, but the thing is different +here. Because all the paths call md_alloc don't hold bdev->bd_mutex, and +the flush is necessary to avoid race condition, so leave it as it is. 
+ +Signed-off-by: Guoqing Jiang +Signed-off-by: Song Liu +Signed-off-by: Sasha Levin +--- + drivers/md/md.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/md/md.c b/drivers/md/md.c +index 9426976e0860..a6db4fd267aa 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -7438,7 +7438,8 @@ static int md_open(struct block_device *bdev, fmode_t mode) + */ + mddev_put(mddev); + /* Wait until bdev->bd_disk is definitely gone */ +- flush_workqueue(md_misc_wq); ++ if (work_pending(&mddev->del_work)) ++ flush_workqueue(md_misc_wq); + /* Then retry the open from the top */ + return -ERESTARTSYS; + } +-- +2.25.1 + diff --git a/queue-4.19/media-cec-silence-shift-wrapping-warning-in-__cec_s_.patch b/queue-4.19/media-cec-silence-shift-wrapping-warning-in-__cec_s_.patch new file mode 100644 index 00000000000..623659d05f2 --- /dev/null +++ b/queue-4.19/media-cec-silence-shift-wrapping-warning-in-__cec_s_.patch 
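Review bot: In md_open() the new `work_pending(&mddev->del_work)` reads `mddev` after `mddev_put(mddev)` has already dropped this caller's reference. mddev_put() is not shown here, so whether the object can be freed in between needs confirming; if it can, the test has to be made while the reference is still held. Separately, `work_pending()` as I understand it reports only queued work and not an item that is already executing, so the flush may be skipped while the delayed delete is still running, which weakens the "definitely gone" promise in the comment above it. At minimum the condition deserves a comment, e.g. `/* flush only when a delayed delete is queued; an unconditional flush under bd_mutex trips lockdep */`.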
@@ -0,0 +1,56 @@ +From 0b97969daa2fd4317683e170aeadd74d08784bf7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 May 2020 10:25:56 +0200 +Subject: media: cec: silence shift wrapping warning in __cec_s_log_addrs() + +From: Dan Carpenter + +[ Upstream commit 3b5af3171e2d5a73ae6f04965ed653d039904eb6 ] + +The log_addrs->log_addr_type[i] value is a u8 which is controlled by +the user and comes from the ioctl. If it's over 31 then that results in +undefined behavior (shift wrapping) and that leads to a Smatch static +checker warning. We already cap the value later so we can silence the +warning just by re-ordering the existing checks. + +I think the UBSan checker will also catch this bug at runtime and +generate a warning. But otherwise the bug is harmless. + +Fixes: 9881fe0ca187 ("[media] cec: add HDMI CEC framework (adapter)") +Signed-off-by: Dan Carpenter +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/cec/cec-adap.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/media/cec/cec-adap.c b/drivers/media/cec/cec-adap.c +index ba7e976bf6dc..60b20ae02b05 100644 +--- a/drivers/media/cec/cec-adap.c ++++ b/drivers/media/cec/cec-adap.c +@@ -1668,6 +1668,10 @@ int __cec_s_log_addrs(struct cec_adapter *adap, + unsigned j; + + log_addrs->log_addr[i] = CEC_LOG_ADDR_INVALID; ++ if (log_addrs->log_addr_type[i] > CEC_LOG_ADDR_TYPE_UNREGISTERED) { ++ dprintk(1, "unknown logical address type\n"); ++ return -EINVAL; ++ } + if (type_mask & (1 << log_addrs->log_addr_type[i])) { + dprintk(1, "duplicate logical address type\n"); + return -EINVAL; +@@ -1688,10 +1692,6 @@ int __cec_s_log_addrs(struct cec_adapter *adap, + dprintk(1, "invalid primary device type\n"); + return -EINVAL; + } +- if (log_addrs->log_addr_type[i] > CEC_LOG_ADDR_TYPE_UNREGISTERED) { +- dprintk(1, "unknown logical address type\n"); +- return -EINVAL; +- } + for (j = 0; j < feature_sz; j++) { + if 
((features[j] & 0x80) == 0) { + if (op_is_dev_features) +-- +2.25.1 + diff --git a/queue-4.19/media-dvb-return-eremoteio-on-i2c-transfer-failure.patch b/queue-4.19/media-dvb-return-eremoteio-on-i2c-transfer-failure.patch new file mode 100644 index 00000000000..79b1eb85b8d --- /dev/null +++ b/queue-4.19/media-dvb-return-eremoteio-on-i2c-transfer-failure.patch @@ -0,0 +1,43 @@ +From bcff98838ffcf013802755e8b0457acd117ffac3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Feb 2020 18:51:33 +0100 +Subject: media: dvb: return -EREMOTEIO on i2c transfer failure. + +From: Colin Ian King + +[ Upstream commit 96f3a9392799dd0f6472648a7366622ffd0989f3 ] + +Currently when i2c transfers fail the error return -EREMOTEIO +is assigned to err but then later overwritten when the tuner +attach call is made. Fix this by returning early with the +error return code -EREMOTEIO on i2c transfer failure errors. + +If the transfer fails, an uninitialized value will be read from b2. + +Addresses-Coverity: ("Unused value") + +Fixes: fbfee8684ff2 ("V4L/DVB (5651): Dibusb-mb: convert pll handling to properly use dvb-pll") +Signed-off-by: Colin Ian King +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb/dibusb-mb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/usb/dvb-usb/dibusb-mb.c b/drivers/media/usb/dvb-usb/dibusb-mb.c +index 408920577716..94f59c7765dc 100644 +--- a/drivers/media/usb/dvb-usb/dibusb-mb.c ++++ b/drivers/media/usb/dvb-usb/dibusb-mb.c +@@ -84,7 +84,7 @@ static int dibusb_tuner_probe_and_attach(struct dvb_usb_adapter *adap) + + if (i2c_transfer(&adap->dev->i2c_adap, msg, 2) != 2) { + err("tuner i2c write failed."); +- ret = -EREMOTEIO; ++ return -EREMOTEIO; + } + + if (adap->fe_adap[0].fe->ops.i2c_gate_ctrl) +-- +2.25.1 + 
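Review bot: In __cec_s_log_addrs() the range check now precedes `type_mask & (1 << log_addrs->log_addr_type[i])`, but nothing in the code says that this order is required. The commit message states that the value is a u8 controlled by the user through the ioctl, so I would mark the moved block with `/* validate before use as a shift count: log_addr_type[] comes from userspace */` to keep the checks from being re-sorted later. As a matter of style, `1U <<` would keep the mask arithmetic unsigned. The function body continues outside both inner hunks.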
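Review bot: The new `return -EREMOTEIO;` in dibusb_tuner_probe_and_attach() leaves the function before the `if (adap->fe_adap[0].fe->ops.i2c_gate_ctrl)` block that follows it in the context. The body of that block is outside the hunk, but if it closes an I2C gate that was opened before the transfer, the failure path now returns with the gate still open. In that case the gate should be closed before the error is returned, for example by recording the error and returning it after the gate_ctrl call instead of returning straight from the transfer check. The start of the function, where the gate would be opened, is not in view.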
diff --git a/queue-4.19/media-platform-fcp-set-appropriate-dma-parameters.patch b/queue-4.19/media-platform-fcp-set-appropriate-dma-parameters.patch
new file mode 100644
index 00000000000..43a39ac9de0
--- /dev/null
+++ b/queue-4.19/media-platform-fcp-set-appropriate-dma-parameters.patch
@@ -0,0 +1,71 @@ +From 86cc1526f20f05f8bc0e4dc368f613dd0dcc41d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Apr 2020 17:44:17 +0200 +Subject: media: platform: fcp: Set appropriate DMA parameters + +From: Kieran Bingham + +[ Upstream commit dd844fb8e50b12e65bbdc5746c9876c6735500df ] + +Enabling CONFIG_DMA_API_DEBUG=y and CONFIG_DMA_API_DEBUG_SG=y will +enable extra validation on DMA operations ensuring that the size +restraints are met. + +When using the FCP in conjunction with the VSP1/DU, and display frames, +the size of the DMA operations is larger than the default maximum +segment size reported by the DMA core (64K). With the DMA debug enabled, +this produces a warning such as the following: + +"DMA-API: rcar-fcp fea27000.fcp: mapping sg segment longer than device +claims to support [len=3145728] [max=65536]" + +We have no specific limitation on the segment size which isn't already +handled by the VSP1/DU which actually handles the DMA allcoations and +buffer management, so define a maximum segment size of up to 4GB (a 32 +bit mask). 
+ +Reported-by: Geert Uytterhoeven +Fixes: 7b49235e83b2 ("[media] v4l: Add Renesas R-Car FCP driver") +Signed-off-by: Kieran Bingham +Reviewed-by: Geert Uytterhoeven +Tested-by: Geert Uytterhoeven +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/rcar-fcp.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/media/platform/rcar-fcp.c b/drivers/media/platform/rcar-fcp.c +index 43c78620c9d8..5c6b00737fe7 100644 +--- a/drivers/media/platform/rcar-fcp.c ++++ b/drivers/media/platform/rcar-fcp.c +@@ -8,6 +8,7 @@ + */ + + #include ++#include + #include + #include + #include +@@ -21,6 +22,7 @@ + struct rcar_fcp_device { + struct list_head list; + struct device *dev; ++ struct device_dma_parameters dma_parms; + }; + + static LIST_HEAD(fcp_devices); +@@ -136,6 +138,9 @@ static int rcar_fcp_probe(struct platform_device *pdev) + + fcp->dev = &pdev->dev; + ++ fcp->dev->dma_parms = &fcp->dma_parms; ++ dma_set_max_seg_size(fcp->dev, DMA_BIT_MASK(32)); ++ + pm_runtime_enable(&pdev->dev); + + mutex_lock(&fcp_lock); +-- +2.25.1 + diff --git a/queue-4.19/media-si2157-better-check-for-running-tuner-in-init.patch b/queue-4.19/media-si2157-better-check-for-running-tuner-in-init.patch new file mode 100644 index 00000000000..209c89b2917 --- /dev/null +++ b/queue-4.19/media-si2157-better-check-for-running-tuner-in-init.patch 
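Review bot: rcar_fcp_probe() stores `&fcp->dma_parms` in `fcp->dev->dma_parms`, so the platform device now holds a pointer into the driver's private struct, and nothing in the hunk clears it again. If the rcar_fcp_device is released on unbind while `pdev->dev` lives on (the allocation and the remove path are outside the hunk), the device is left with a dangling dma_parms pointer that a later DMA mapping call could follow. Setting `fcp->dev->dma_parms = NULL;` in the remove path, and on any probe error path after this assignment, would close that window.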
@@ -0,0 +1,61 @@
+From 59133ccb8c2cccaa63f1971b72273f998a6e48f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 14 Nov 2019 21:03:57 +0100
+Subject: media: si2157: Better check for running tuner in init
+
+From: Brad Love
+
+[ Upstream commit e955f959ac52e145f27ff2be9078b646d0352af0 ]
+
+Getting the Xtal trim property to check if running is less error prone.
+Reset if_frequency if state is unknown.
+
+Replaces the previous "garbage check".
+
+Signed-off-by: Brad Love
+Signed-off-by: Sean Young
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/tuners/si2157.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/media/tuners/si2157.c b/drivers/media/tuners/si2157.c
+index a08d8fe2bb1b..13770b038048 100644
+--- a/drivers/media/tuners/si2157.c
++++ b/drivers/media/tuners/si2157.c
+@@ -84,24 +84,23 @@ static int si2157_init(struct dvb_frontend *fe)
+ struct si2157_cmd cmd;
+ const struct firmware *fw;
+ const char *fw_name;
+- unsigned int uitmp, chip_id;
++ unsigned int chip_id, xtal_trim;
+
+ dev_dbg(&client->dev, "\n");
+
+- /* Returned IF frequency is garbage when firmware is not running */
+- memcpy(cmd.args, "\x15\x00\x06\x07", 4);
++ /* Try to get Xtal trim property, to verify tuner still running */
++ memcpy(cmd.args, "\x15\x00\x04\x02", 4);
+ cmd.wlen = 4;
+ cmd.rlen = 4;
+ ret = si2157_cmd_execute(client, &cmd);
+- if (ret)
+- goto err;
+
+- uitmp = cmd.args[2] << 0 | cmd.args[3] << 8;
+- dev_dbg(&client->dev, "if_frequency kHz=%u\n", uitmp);
++ xtal_trim = cmd.args[2] | (cmd.args[3] << 8);
+
+- if (uitmp == dev->if_frequency / 1000)
++ if (ret == 0 && xtal_trim < 16)
+ goto warm;
+
++ dev->if_frequency = 0; /* we no longer know current tuner state */
++
+ /* power up */
+ if (dev->chiptype == SI2157_CHIPTYPE_SI2146) {
+ memcpy(cmd.args, "\xc0\x05\x01\x00\x00\x0b\x00\x00\x01", 9);
+--
+2.25.1
+
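Review bot: si2157_init() now computes `xtal_trim` from `cmd.args[2]` and `cmd.args[3]` before looking at `ret`, and the `if (ret) goto err;` that used to guard the read is gone. When si2157_cmd_execute() fails, the buffer presumably still holds the request bytes copied in by memcpy(), so the value is meaningless; the `ret == 0 &&` test keeps it from being used, but the ordering reads like a bug. Either move the assignment under the success check or add a comment such as `/* xtal_trim is only valid when ret == 0; an I2C error falls through to a cold start */`. That comment should also make clear that a transfer error is now treated as "tuner not running" instead of being returned to the caller.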
diff --git a/queue-4.19/mips-add-udelay-lpj-numbers-adjustment.patch b/queue-4.19/mips-add-udelay-lpj-numbers-adjustment.patch
new file mode 100644
index 00000000000..b10e4e903cb
--- /dev/null
+++ b/queue-4.19/mips-add-udelay-lpj-numbers-adjustment.patch
@@ -0,0 +1,127 @@ +From bb0438a633ffaf251942b770ec0fd87aa0d2aed1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 May 2020 17:07:22 +0300 +Subject: mips: Add udelay lpj numbers adjustment + +From: Serge Semin + +[ Upstream commit ed26aacfb5f71eecb20a51c4467da440cb719d66 ] + +Loops-per-jiffies is a special number which represents a number of +noop-loop cycles per CPU-scheduler quantum - jiffies. As you +understand aside from CPU-specific implementation it depends on +the CPU frequency. So when a platform has the CPU frequency fixed, +we have no problem and the current udelay interface will work +just fine. But as soon as CPU-freq driver is enabled and the cores +frequency changes, we'll end up with distorted udelay's. In order +to fix this we have to accordinly adjust the per-CPU udelay_val +(the same as the global loops_per_jiffy) number. This can be done +in the CPU-freq transition event handler. We subscribe to that event +in the MIPS arch time-inititalization method. + +Co-developed-by: Alexey Malahov +Signed-off-by: Alexey Malahov +Signed-off-by: Serge Semin +Reviewed-by: Jiaxun Yang +Cc: Thomas Bogendoerfer +Cc: Paul Burton +Cc: Ralf Baechle +Cc: Arnd Bergmann +Cc: Rob Herring +Cc: devicetree@vger.kernel.org +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/kernel/time.c | 70 +++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 70 insertions(+) + +diff --git a/arch/mips/kernel/time.c b/arch/mips/kernel/time.c +index bfe02ded25d1..1e631a484ddf 100644 +--- a/arch/mips/kernel/time.c ++++ b/arch/mips/kernel/time.c +@@ -22,12 +22,82 @@ + #include + #include + #include ++#include ++#include + + #include + #include + #include + #include + ++#ifdef CONFIG_CPU_FREQ ++ ++static DEFINE_PER_CPU(unsigned long, pcp_lpj_ref); ++static DEFINE_PER_CPU(unsigned long, pcp_lpj_ref_freq); ++static unsigned long glb_lpj_ref; ++static unsigned long glb_lpj_ref_freq; ++ ++static int cpufreq_callback(struct notifier_block *nb, ++ 
unsigned long val, void *data) ++{ ++ struct cpufreq_freqs *freq = data; ++ struct cpumask *cpus = freq->policy->cpus; ++ unsigned long lpj; ++ int cpu; ++ ++ /* ++ * Skip lpj numbers adjustment if the CPU-freq transition is safe for ++ * the loops delay. (Is this possible?) ++ */ ++ if (freq->flags & CPUFREQ_CONST_LOOPS) ++ return NOTIFY_OK; ++ ++ /* Save the initial values of the lpjes for future scaling. */ ++ if (!glb_lpj_ref) { ++ glb_lpj_ref = boot_cpu_data.udelay_val; ++ glb_lpj_ref_freq = freq->old; ++ ++ for_each_online_cpu(cpu) { ++ per_cpu(pcp_lpj_ref, cpu) = ++ cpu_data[cpu].udelay_val; ++ per_cpu(pcp_lpj_ref_freq, cpu) = freq->old; ++ } ++ } ++ ++ /* ++ * Adjust global lpj variable and per-CPU udelay_val number in ++ * accordance with the new CPU frequency. ++ */ ++ if ((val == CPUFREQ_PRECHANGE && freq->old < freq->new) || ++ (val == CPUFREQ_POSTCHANGE && freq->old > freq->new)) { ++ loops_per_jiffy = cpufreq_scale(glb_lpj_ref, ++ glb_lpj_ref_freq, ++ freq->new); ++ ++ for_each_cpu(cpu, cpus) { ++ lpj = cpufreq_scale(per_cpu(pcp_lpj_ref, cpu), ++ per_cpu(pcp_lpj_ref_freq, cpu), ++ freq->new); ++ cpu_data[cpu].udelay_val = (unsigned int)lpj; ++ } ++ } ++ ++ return NOTIFY_OK; ++} ++ ++static struct notifier_block cpufreq_notifier = { ++ .notifier_call = cpufreq_callback, ++}; ++ ++static int __init register_cpufreq_notifier(void) ++{ ++ return cpufreq_register_notifier(&cpufreq_notifier, ++ CPUFREQ_TRANSITION_NOTIFIER); ++} ++core_initcall(register_cpufreq_notifier); ++ ++#endif /* CONFIG_CPU_FREQ */ ++ + /* + * forward reference + */ +-- +2.25.1 + diff --git a/queue-4.19/mips-cm-fix-an-invalid-error-code-of-intvn_-_err.patch b/queue-4.19/mips-cm-fix-an-invalid-error-code-of-intvn_-_err.patch new file mode 100644 index 00000000000..7c942974c1d --- /dev/null +++ b/queue-4.19/mips-cm-fix-an-invalid-error-code-of-intvn_-_err.patch 
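Review bot: cpufreq_callback() records pcp_lpj_ref and pcp_lpj_ref_freq only once, inside `if (!glb_lpj_ref)`, and only for the CPUs that are online at that moment. A CPU that comes online later keeps both per-CPU values at zero, yet the `for_each_cpu(cpu, cpus)` loop still passes them to cpufreq_scale(); if that helper divides by its second argument this is a division by zero, and otherwise udelay_val is set to 0. A guard such as `if (!per_cpu(pcp_lpj_ref_freq, cpu)) continue;`, or filling in the reference values lazily for that CPU, would avoid it. The first-call block also assigns the same `freq->old` to every online CPU, including CPUs that may belong to a different policy. For the 4.19 queue specifically, please confirm that `struct cpufreq_freqs` in that tree has the `policy` member used by `freq->policy->cpus`; I believe it was added upstream after 4.19.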
@@ -0,0 +1,53 @@
+From 1a4037f09e3f7a04513ab22c80b81d4cca3893a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 6 May 2020 20:42:22 +0300
+Subject: mips: cm: Fix an invalid error code of INTVN_*_ERR
+
+From: Serge Semin
+
+[ Upstream commit 8a0efb8b101665a843205eab3d67ab09cb2d9a8d ]
+
+Commit 3885c2b463f6 ("MIPS: CM: Add support for reporting CM cache
+errors") adds cm2_causes[] array with map of error type ID and
+pointers to the short description string. There is a mistake in
+the table, since according to MIPS32 manual CM2_ERROR_TYPE = {17,18}
+correspond to INTVN_WR_ERR and INTVN_RD_ERR, while the table
+claims they have {0x17,0x18} codes. This is obviously hex-dec
+copy-paste bug. Moreover codes {0x18 - 0x1a} indicate L2 ECC errors.
+
+Fixes: 3885c2b463f6 ("MIPS: CM: Add support for reporting CM cache errors")
+Signed-off-by: Serge Semin
+Cc: Alexey Malahov
+Cc: Thomas Bogendoerfer
+Cc: Paul Burton
+Cc: Ralf Baechle
+Cc: Arnd Bergmann
+Cc: Rob Herring
+Cc: linux-pm@vger.kernel.org
+Cc: devicetree@vger.kernel.org
+Signed-off-by: Thomas Bogendoerfer
+Signed-off-by: Sasha Levin
+---
+ arch/mips/kernel/mips-cm.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/mips/kernel/mips-cm.c b/arch/mips/kernel/mips-cm.c
+index 7f3f136572de..50d3d74001cb 100644
+--- a/arch/mips/kernel/mips-cm.c
++++ b/arch/mips/kernel/mips-cm.c
+@@ -123,9 +123,9 @@ static char *cm2_causes[32] = {
+ "COH_RD_ERR", "MMIO_WR_ERR", "MMIO_RD_ERR", "0x07",
+ "0x08", "0x09", "0x0a", "0x0b",
+ "0x0c", "0x0d", "0x0e", "0x0f",
+- "0x10", "0x11", "0x12", "0x13",
+- "0x14", "0x15", "0x16", "INTVN_WR_ERR",
+- "INTVN_RD_ERR", "0x19", "0x1a", "0x1b",
++ "0x10", "INTVN_WR_ERR", "INTVN_RD_ERR", "0x13",
++ "0x14", "0x15", "0x16", "0x17",
++ "0x18", "0x19", "0x1a", "0x1b",
+ "0x1c", "0x1d", "0x1e", "0x1f"
+ };
+
+--
+2.25.1
+
diff --git a/queue-4.19/mips-fix-irq-tracing-when-call-handle_fpe-and-handle.patch b/queue-4.19/mips-fix-irq-tracing-when-call-handle_fpe-and-handle.patch new file mode 100644 index 00000000000..eeb808e48ca --- /dev/null +++ b/queue-4.19/mips-fix-irq-tracing-when-call-handle_fpe-and-handle.patch @@ -0,0 +1,54 @@ +From e593230bc53ae07419ae9043a1ccc57d05b4a90f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 May 2020 14:11:30 +0800 +Subject: MIPS: Fix IRQ tracing when call handle_fpe() and handle_msa_fpe() + +From: YuanJunQing + +[ Upstream commit 31e1b3efa802f97a17628dde280006c4cee4ce5e ] + +Register "a1" is unsaved in this function, + when CONFIG_TRACE_IRQFLAGS is enabled, + the TRACE_IRQS_OFF macro will call trace_hardirqs_off(), + and this may change register "a1". + The changed register "a1" as argument will be send + to do_fpe() and do_msa_fpe(). + +Signed-off-by: YuanJunQing +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/kernel/genex.S | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/mips/kernel/genex.S b/arch/mips/kernel/genex.S +index 6c257b52f57f..7fad007fe025 100644 +--- a/arch/mips/kernel/genex.S ++++ b/arch/mips/kernel/genex.S +@@ -477,20 +477,20 @@ NESTED(nmi_handler, PT_SIZE, sp) + .endm + + .macro __build_clear_fpe ++ CLI ++ TRACE_IRQS_OFF + .set push + /* gas fails to assemble cfc1 for some archs (octeon).*/ \ + .set mips1 + SET_HARDFLOAT + cfc1 a1, fcr31 + .set pop +- CLI +- TRACE_IRQS_OFF + .endm + + .macro __build_clear_msa_fpe +- _cfcmsa a1, MSA_CSR + CLI + TRACE_IRQS_OFF ++ _cfcmsa a1, MSA_CSR + .endm + + .macro __build_clear_ade +-- +2.25.1 + diff --git a/queue-4.19/mips-loongson-build-ati-radeon-gpu-driver-as-module.patch b/queue-4.19/mips-loongson-build-ati-radeon-gpu-driver-as-module.patch new file mode 100644 index 00000000000..63734de2d88 --- /dev/null +++ b/queue-4.19/mips-loongson-build-ati-radeon-gpu-driver-as-module.patch 
@@ -0,0 +1,46 @@ +From d1e88ad37541468fe2f5d60d145cf29182e1fab7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 16 May 2020 10:15:48 +0800 +Subject: MIPS: Loongson: Build ATI Radeon GPU driver as module + +From: Tiezhu Yang + +[ Upstream commit a44de7497f91834df0b8b6d459e259788ba66794 ] + +When ATI Radeon GPU driver has been compiled directly into the kernel +instead of as a module, we should make sure the firmware for the model +(check available ones in /lib/firmware/radeon) is built-in to the kernel +as well, otherwise there exists the following fatal error during GPU init, +change CONFIG_DRM_RADEON=y to CONFIG_DRM_RADEON=m to fix it. + +[ 1.900997] [drm] Loading RS780 Microcode +[ 1.905077] radeon 0000:01:05.0: Direct firmware load for radeon/RS780_pfp.bin failed with error -2 +[ 1.914140] r600_cp: Failed to load firmware "radeon/RS780_pfp.bin" +[ 1.920405] [drm:r600_init] *ERROR* Failed to load firmware! +[ 1.926069] radeon 0000:01:05.0: Fatal error during GPU init +[ 1.931729] [drm] radeon: finishing device. + +Fixes: 024e6a8b5bb1 ("MIPS: Loongson: Add a Loongson-3 default config file") +Signed-off-by: Tiezhu Yang +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/configs/loongson3_defconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/mips/configs/loongson3_defconfig b/arch/mips/configs/loongson3_defconfig +index 324dfee23dfb..c871e40b8878 100644 +--- a/arch/mips/configs/loongson3_defconfig ++++ b/arch/mips/configs/loongson3_defconfig +@@ -250,7 +250,7 @@ CONFIG_MEDIA_CAMERA_SUPPORT=y + CONFIG_MEDIA_USB_SUPPORT=y + CONFIG_USB_VIDEO_CLASS=m + CONFIG_DRM=y +-CONFIG_DRM_RADEON=y ++CONFIG_DRM_RADEON=m + CONFIG_FB_RADEON=y + CONFIG_LCD_CLASS_DEVICE=y + CONFIG_LCD_PLATFORM=m +-- +2.25.1 + diff --git a/queue-4.19/mips-maar-use-more-precise-address-mask.patch b/queue-4.19/mips-maar-use-more-precise-address-mask.patch new file mode 100644 index 00000000000..7f7d6a52ab2 --- /dev/null 
+++ b/queue-4.19/mips-maar-use-more-precise-address-mask.patch @@ -0,0 +1,50 @@ +From 13cf47d4555b00d9151c4475fcad4a9907f50ed5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 May 2020 03:34:37 +0300 +Subject: mips: MAAR: Use more precise address mask + +From: Serge Semin + +[ Upstream commit bbb5946eb545fab8ad8f46bce8a803e1c0c39d47 ] + +Indeed according to the MIPS32 Privileged Resource Architecgture the MAAR +pair register address field either takes [12:31] bits for non-XPA systems +and [12:55] otherwise. In any case the current address mask is just +wrong for 64-bit and 32-bits XPA chips. So lets extend it to 59-bits +of physical address value. This shall cover the 64-bits architecture and +systems with XPA enabled, and won't cause any problem for non-XPA 32-bit +systems, since address values exceeding the architecture specific MAAR +mask will be just truncated with setting zeros in the unsupported upper +bits. + +Co-developed-by: Alexey Malahov +Signed-off-by: Alexey Malahov +Signed-off-by: Serge Semin +Cc: Thomas Bogendoerfer +Cc: Paul Burton +Cc: Ralf Baechle +Cc: Arnd Bergmann +Cc: Rob Herring +Cc: devicetree@vger.kernel.org +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/include/asm/mipsregs.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/mips/include/asm/mipsregs.h b/arch/mips/include/asm/mipsregs.h +index 1bb9448777c5..f9a7c137be9f 100644 +--- a/arch/mips/include/asm/mipsregs.h ++++ b/arch/mips/include/asm/mipsregs.h +@@ -749,7 +749,7 @@ + + /* MAAR bit definitions */ + #define MIPS_MAAR_VH (_U64CAST_(1) << 63) +-#define MIPS_MAAR_ADDR ((BIT_ULL(BITS_PER_LONG - 12) - 1) << 12) ++#define MIPS_MAAR_ADDR GENMASK_ULL(55, 12) + #define MIPS_MAAR_ADDR_SHIFT 12 + #define MIPS_MAAR_S (_ULCAST_(1) << 1) + #define MIPS_MAAR_VL (_ULCAST_(1) << 0) +-- +2.25.1 + 
diff --git a/queue-4.19/mips-make-sparse_init-using-top-down-allocation.patch b/queue-4.19/mips-make-sparse_init-using-top-down-allocation.patch
new file mode 100644
index 00000000000..ab49e05d9f5
--- /dev/null
+++ b/queue-4.19/mips-make-sparse_init-using-top-down-allocation.patch
@@ -0,0 +1,98 @@ +From abc53cf23a55df18601ab092806fe7e59170a0ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Apr 2020 19:59:46 +0800 +Subject: MIPS: Make sparse_init() using top-down allocation + +From: Tiezhu Yang + +[ Upstream commit 269b3a9ac538c4ae87f84be640b9fa89914a2489 ] + +In the current code, if CONFIG_SWIOTLB is set, when failed to get IO TLB +memory from the low pages by plat_swiotlb_setup(), it may lead to the boot +process failed with kernel panic. + +(1) On the Loongson and SiByte platform +arch/mips/loongson64/dma.c +arch/mips/sibyte/common/dma.c +void __init plat_swiotlb_setup(void) +{ + swiotlb_init(1); +} + +kernel/dma/swiotlb.c +void __init +swiotlb_init(int verbose) +{ +... + vstart = memblock_alloc_low(PAGE_ALIGN(bytes), PAGE_SIZE); + if (vstart && !swiotlb_init_with_tbl(vstart, io_tlb_nslabs, verbose)) + return; +... + pr_warn("Cannot allocate buffer"); + no_iotlb_memory = true; +} + +phys_addr_t swiotlb_tbl_map_single() +{ +... + if (no_iotlb_memory) + panic("Can not allocate SWIOTLB buffer earlier ..."); +... +} + +(2) On the Cavium OCTEON platform +arch/mips/cavium-octeon/dma-octeon.c +void __init plat_swiotlb_setup(void) +{ +... + octeon_swiotlb = memblock_alloc_low(swiotlbsize, PAGE_SIZE); + if (!octeon_swiotlb) + panic("%s: Failed to allocate %zu bytes align=%lx\n", + __func__, swiotlbsize, PAGE_SIZE); +... +} + +Because IO_TLB_DEFAULT_SIZE is 64M, if the rest size of low memory is less +than 64M when call plat_swiotlb_setup(), we can easily reproduce the panic +case. + +In order to reduce the possibility of kernel panic when failed to get IO +TLB memory under CONFIG_SWIOTLB, it is better to allocate low memory as +small as possible before plat_swiotlb_setup(), so make sparse_init() using +top-down allocation. 
+ +Reported-by: Juxin Gao +Co-developed-by: Juxin Gao +Signed-off-by: Juxin Gao +Signed-off-by: Tiezhu Yang +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/kernel/setup.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/arch/mips/kernel/setup.c b/arch/mips/kernel/setup.c +index e87c98b8a72c..2c2480be3f36 100644 +--- a/arch/mips/kernel/setup.c ++++ b/arch/mips/kernel/setup.c +@@ -933,7 +933,17 @@ static void __init arch_mem_init(char **cmdline_p) + BOOTMEM_DEFAULT); + #endif + device_tree_init(); ++ ++ /* ++ * In order to reduce the possibility of kernel panic when failed to ++ * get IO TLB memory under CONFIG_SWIOTLB, it is better to allocate ++ * low memory as small as possible before plat_swiotlb_setup(), so ++ * make sparse_init() using top-down allocation. ++ */ ++ memblock_set_bottom_up(false); + sparse_init(); ++ memblock_set_bottom_up(true); ++ + plat_swiotlb_setup(); + + dma_contiguous_reserve(PFN_PHYS(max_low_pfn)); +-- +2.25.1 + diff --git a/queue-4.19/mips-truncate-link-address-into-32bit-for-32bit-kern.patch b/queue-4.19/mips-truncate-link-address-into-32bit-for-32bit-kern.patch new file mode 100644 index 00000000000..f1affd3ad36 --- /dev/null +++ b/queue-4.19/mips-truncate-link-address-into-32bit-for-32bit-kern.patch 
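Review bot: arch_mem_init() calls `memblock_set_bottom_up(true)` after sparse_init() unconditionally, which assumes the allocator was already in bottom-up mode before the added `memblock_set_bottom_up(false)`. Nothing in the hunk shows that; if the direction was top-down on entry, this change silently switches every later memblock allocation, including the one made from plat_swiotlb_setup(), to bottom-up. Saving and restoring the state is safer: `bool bottom_up = memblock_bottom_up();` before the call and `memblock_set_bottom_up(bottom_up);` after it. The context line `BOOTMEM_DEFAULT);` suggests this tree still uses bootmem at this point, so it is also worth checking that sparse_init() allocates through memblock at all in 4.19.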
@@ -0,0 +1,88 @@ +From 12fe5e63a8b7f68f237941ee1c3af88789a37388 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 May 2020 13:52:45 +0800 +Subject: MIPS: Truncate link address into 32bit for 32bit kernel + +From: Jiaxun Yang + +[ Upstream commit ff487d41036035376e47972c7c522490b839ab37 ] + +LLD failed to link vmlinux with 64bit load address for 32bit ELF +while bfd will strip 64bit address into 32bit silently. +To fix LLD build, we should truncate load address provided by platform +into 32bit for 32bit kernel. + +Signed-off-by: Jiaxun Yang +Link: https://github.com/ClangBuiltLinux/linux/issues/786 +Link: https://sourceware.org/bugzilla/show_bug.cgi?id=25784 +Reviewed-by: Fangrui Song +Reviewed-by: Kees Cook +Tested-by: Nathan Chancellor +Cc: Maciej W. Rozycki +Tested-by: Nick Desaulniers +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/Makefile | 13 ++++++++++++- + arch/mips/boot/compressed/Makefile | 2 +- + arch/mips/kernel/vmlinux.lds.S | 2 +- + 3 files changed, 14 insertions(+), 3 deletions(-) + +diff --git a/arch/mips/Makefile b/arch/mips/Makefile +index ad0a92f95af1..63e2ad43bd6a 100644 +--- a/arch/mips/Makefile ++++ b/arch/mips/Makefile +@@ -290,12 +290,23 @@ ifdef CONFIG_64BIT + endif + endif + ++# When linking a 32-bit executable the LLVM linker cannot cope with a ++# 32-bit load address that has been sign-extended to 64 bits. Simply ++# remove the upper 32 bits then, as it is safe to do so with other ++# linkers. 
++ifdef CONFIG_64BIT ++ load-ld = $(load-y) ++else ++ load-ld = $(subst 0xffffffff,0x,$(load-y)) ++endif ++ + KBUILD_AFLAGS += $(cflags-y) + KBUILD_CFLAGS += $(cflags-y) +-KBUILD_CPPFLAGS += -DVMLINUX_LOAD_ADDRESS=$(load-y) ++KBUILD_CPPFLAGS += -DVMLINUX_LOAD_ADDRESS=$(load-y) -DLINKER_LOAD_ADDRESS=$(load-ld) + KBUILD_CPPFLAGS += -DDATAOFFSET=$(if $(dataoffset-y),$(dataoffset-y),0) + + bootvars-y = VMLINUX_LOAD_ADDRESS=$(load-y) \ ++ LINKER_LOAD_ADDRESS=$(load-ld) \ + VMLINUX_ENTRY_ADDRESS=$(entry-y) \ + PLATFORM="$(platform-y)" \ + ITS_INPUTS="$(its-y)" +diff --git a/arch/mips/boot/compressed/Makefile b/arch/mips/boot/compressed/Makefile +index d859f079b771..378cbfb31ee7 100644 +--- a/arch/mips/boot/compressed/Makefile ++++ b/arch/mips/boot/compressed/Makefile +@@ -90,7 +90,7 @@ ifneq ($(zload-y),) + VMLINUZ_LOAD_ADDRESS := $(zload-y) + else + VMLINUZ_LOAD_ADDRESS = $(shell $(obj)/calc_vmlinuz_load_addr \ +- $(obj)/vmlinux.bin $(VMLINUX_LOAD_ADDRESS)) ++ $(obj)/vmlinux.bin $(LINKER_LOAD_ADDRESS)) + endif + UIMAGE_LOADADDR = $(VMLINUZ_LOAD_ADDRESS) + +diff --git a/arch/mips/kernel/vmlinux.lds.S b/arch/mips/kernel/vmlinux.lds.S +index 36f2e860ba3e..be63fff95b2a 100644 +--- a/arch/mips/kernel/vmlinux.lds.S ++++ b/arch/mips/kernel/vmlinux.lds.S +@@ -50,7 +50,7 @@ SECTIONS + /* . = 0xa800000000300000; */ + . = 0xffffffff80300000; + #endif +- . = VMLINUX_LOAD_ADDRESS; ++ . = LINKER_LOAD_ADDRESS; + /* read-only */ + _text = .; /* Text and read-only data */ + .text : { +-- +2.25.1 + diff --git a/queue-4.19/mmc-meson-mx-sdio-trigger-a-soft-reset-after-a-timeo.patch b/queue-4.19/mmc-meson-mx-sdio-trigger-a-soft-reset-after-a-timeo.patch new file mode 100644 index 00000000000..d5aa779c576 --- /dev/null +++ b/queue-4.19/mmc-meson-mx-sdio-trigger-a-soft-reset-after-a-timeo.patch 
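Review bot: `load-ld = $(subst 0xffffffff,0x,$(load-y))` in arch/mips/Makefile is a literal, case-sensitive text substitution, so it only truncates addresses spelled with exactly a lower-case `0xffffffff` prefix. A platform that writes load-y with upper-case hex digits would pass through unchanged, and the LLD link failure described in the commit message would return without any diagnostic. A comment next to the assignment, for example `# load-y must be spelled with a lower-case 0xffffffff prefix for this to match`, would make that dependency visible. VMLINUX_LOAD_ADDRESS stays untruncated in KBUILD_CPPFLAGS and bootvars while the linker script and calc_vmlinuz_load_addr now use LINKER_LOAD_ADDRESS, so the difference between the two names deserves a one-line explanation as well.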
@@ -0,0 +1,79 @@ +From 7d5c1559f8c0bd96e14ddfd639915d9cf63cd80c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 May 2020 00:28:05 +0200 +Subject: mmc: meson-mx-sdio: trigger a soft reset after a timeout or CRC error + +From: Martin Blumenstingl + +[ Upstream commit 91995b904ec2e44b5c159ac6a5d3f154345a4de7 ] + +The vendor driver (from the 3.10 kernel) triggers a soft reset every +time before starting a new command. While this fixes a problem where +SDIO cards are not detected at all (because all commands simply +timed out) this hurts SD card read performance a bit (in my tests +between 10% to 20%). + +Trigger a soft reset after we got a CRC error or if the previous command +timed out (just like the vendor driver from the same 3.10 kernel for the +newer SDHC controller IP does). This fixes detection of SDIO cards and +doesn't hurt SD card read performance at the same time. + +With this patch the initialization of an RTL8723BS SDIO card looks like +this: + req done (CMD52): -110: 00000000 00000000 00000000 00000000 + clock 400000Hz busmode 2 powermode 2 cs 1 Vdd 21 width 1 timing 0 + starting CMD0 arg 00000000 flags 000000c0 + req done (CMD0): 0: 00000000 00000000 00000000 00000000 + clock 400000Hz busmode 2 powermode 2 cs 0 Vdd 21 width 1 timing 0 + starting CMD8 arg 000001aa flags 000002f5 + req done (CMD8): -110: 00000000 00000000 00000000 00000000 + starting CMD5 arg 00000000 flags 000002e1 + req done (CMD5): 0: 90ff0000 00000000 00000000 00000000 + starting CMD5 arg 00200000 flags 000002e1 + req done (CMD5): 0: 90ff0000 00000000 00000000 00000000 + starting CMD3 arg 00000000 flags 00000075 + req done (CMD3): 0: 00010000 00000000 00000000 00000000 + starting CMD7 arg 00010000 flags 00000015 + req done (CMD7): 0: 00001e00 00000000 00000000 00000000 + starting CMD52 arg 00000000 flags 00000195 + req done (CMD52): 0: 00001032 00000000 00000000 00000000 + [... more CMD52 omitted ...] 
+ clock 400000Hz busmode 2 powermode 2 cs 0 Vdd 21 width 1 timing 2 + clock 50000000Hz busmode 2 powermode 2 cs 0 Vdd 21 width 1 timing 2 + starting CMD52 arg 00000e00 flags 00000195 + req done (CMD52): 0: 00001000 00000000 00000000 00000000 + starting CMD52 arg 80000e02 flags 00000195 + req done (CMD52): 0: 00001002 00000000 00000000 00000000 + clock 50000000Hz busmode 2 powermode 2 cs 0 Vdd 21 width 4 timing 2 + starting CMD52 arg 00020000 flags 00000195 + req done (CMD52): 0: 00001007 00000000 00000000 00000000 + [... more CMD52 omitted ...] + new high speed SDIO card at address 0001 + +Fixes: ed80a13bb4c4c9 ("mmc: meson-mx-sdio: Add a driver for the Amlogic Meson8 and Meson8b SoCs") +Signed-off-by: Martin Blumenstingl +Link: https://lore.kernel.org/r/20200503222805.2668941-1-martin.blumenstingl@googlemail.com +Tested-by: Tobias Baumann <017623705678@o2online.de> +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/meson-mx-sdio.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/mmc/host/meson-mx-sdio.c b/drivers/mmc/host/meson-mx-sdio.c +index 1c062473b1c2..27837a794e7b 100644 +--- a/drivers/mmc/host/meson-mx-sdio.c ++++ b/drivers/mmc/host/meson-mx-sdio.c +@@ -249,6 +249,9 @@ static void meson_mx_mmc_request_done(struct meson_mx_mmc_host *host) + + mrq = host->mrq; + ++ if (host->cmd->error) ++ meson_mx_mmc_soft_reset(host); ++ + host->mrq = NULL; + host->cmd = NULL; + +-- +2.25.1 + diff --git a/queue-4.19/mmc-sdhci-esdhc-imx-fix-the-mask-for-tuning-start-po.patch b/queue-4.19/mmc-sdhci-esdhc-imx-fix-the-mask-for-tuning-start-po.patch new file mode 100644 index 00000000000..258d8a7449e --- /dev/null +++ b/queue-4.19/mmc-sdhci-esdhc-imx-fix-the-mask-for-tuning-start-po.patch 
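Review bot: meson_mx_mmc_request_done() now dereferences `host->cmd` unconditionally in `if (host->cmd->error)`, two lines before the function sets `host->cmd = NULL`. Whether every caller reaches this function with a command still attached is not visible in the hunk; if any path (for example a timeout racing with normal completion) can get here after the pointer was cleared, this is a NULL dereference in the completion path. `if (host->cmd && host->cmd->error)` costs nothing and removes the assumption. The check also looks only at the command's error field; if data-phase CRC errors are recorded elsewhere, they would not trigger the reset the commit message describes.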
@@ -0,0 +1,38 @@ +From b625ff0bef18a95f8d607b7f18d1a8f36267e89a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 May 2020 18:22:01 +0800 +Subject: mmc: sdhci-esdhc-imx: fix the mask for tuning start point + +From: Haibo Chen + +[ Upstream commit 1194be8c949b8190b2882ad8335a5d98aa50c735 ] + +According the RM, the bit[6~0] of register ESDHC_TUNING_CTRL is +TUNING_START_TAP, bit[7] of this register is to disable the command +CRC check for standard tuning. So fix it here. + +Fixes: d87fc9663688 ("mmc: sdhci-esdhc-imx: support setting tuning start point") +Signed-off-by: Haibo Chen +Link: https://lore.kernel.org/r/1590488522-9292-1-git-send-email-haibo.chen@nxp.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/sdhci-esdhc-imx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/sdhci-esdhc-imx.c b/drivers/mmc/host/sdhci-esdhc-imx.c +index 629860f7327c..bd502f4f4704 100644 +--- a/drivers/mmc/host/sdhci-esdhc-imx.c ++++ b/drivers/mmc/host/sdhci-esdhc-imx.c +@@ -82,7 +82,7 @@ + #define ESDHC_STD_TUNING_EN (1 << 24) + /* NOTE: the minimum valid tuning start tap for mx6sl is 1 */ + #define ESDHC_TUNING_START_TAP_DEFAULT 0x1 +-#define ESDHC_TUNING_START_TAP_MASK 0xff ++#define ESDHC_TUNING_START_TAP_MASK 0x7f + #define ESDHC_TUNING_STEP_MASK 0x00070000 + #define ESDHC_TUNING_STEP_SHIFT 16 + +-- +2.25.1 + diff --git a/queue-4.19/mmc-sdhci-msm-set-sdhci_quirk_multiblock_read_acmd12.patch b/queue-4.19/mmc-sdhci-msm-set-sdhci_quirk_multiblock_read_acmd12.patch new file mode 100644 index 00000000000..b850b0b7684 --- /dev/null +++ b/queue-4.19/mmc-sdhci-msm-set-sdhci_quirk_multiblock_read_acmd12.patch 
@@ -0,0 +1,39 @@ +From e8ac7c4b33f655cd8bb5848137b23a3aa4d52d92 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Apr 2020 11:50:24 +0530 +Subject: mmc: sdhci-msm: Set SDHCI_QUIRK_MULTIBLOCK_READ_ACMD12 quirk + +From: Veerabhadrarao Badiganti + +[ Upstream commit d863cb03fb2aac07f017b2a1d923cdbc35021280 ] + +sdhci-msm can support auto cmd12. +So enable SDHCI_QUIRK_MULTIBLOCK_READ_ACMD12 quirk. + +Signed-off-by: Veerabhadrarao Badiganti +Acked-by: Adrian Hunter +Link: https://lore.kernel.org/r/1587363626-20413-3-git-send-email-vbadigan@codeaurora.org +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/sdhci-msm.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/sdhci-msm.c b/drivers/mmc/host/sdhci-msm.c +index 4cff758767cb..643fd1a1b88b 100644 +--- a/drivers/mmc/host/sdhci-msm.c ++++ b/drivers/mmc/host/sdhci-msm.c +@@ -1706,7 +1706,9 @@ static const struct sdhci_ops sdhci_msm_ops = { + static const struct sdhci_pltfm_data sdhci_msm_pdata = { + .quirks = SDHCI_QUIRK_BROKEN_CARD_DETECTION | + SDHCI_QUIRK_SINGLE_POWER_WRITE | +- SDHCI_QUIRK_CAP_CLOCK_BASE_BROKEN, ++ SDHCI_QUIRK_CAP_CLOCK_BASE_BROKEN | ++ SDHCI_QUIRK_MULTIBLOCK_READ_ACMD12, ++ + .quirks2 = SDHCI_QUIRK2_PRESET_VALUE_BROKEN, + .ops = &sdhci_msm_ops, + }; +-- +2.25.1 + diff --git a/queue-4.19/mmc-via-sdmmc-respect-the-cmd-busy_timeout-from-the-.patch b/queue-4.19/mmc-via-sdmmc-respect-the-cmd-busy_timeout-from-the-.patch new file mode 100644 index 00000000000..f9aba9e4e97 --- /dev/null +++ b/queue-4.19/mmc-via-sdmmc-respect-the-cmd-busy_timeout-from-the-.patch 
@@ -0,0 +1,65 @@ +From 00fc65014b922962d2b11a932b414ceb37af798f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Apr 2020 18:14:10 +0200 +Subject: mmc: via-sdmmc: Respect the cmd->busy_timeout from the mmc core + +From: Ulf Hansson + +[ Upstream commit 966244ccd2919e28f25555a77f204cd1c109cad8 ] + +Using a fixed 1s timeout for all commands (and data transfers) is a bit +problematic. + +For some commands it means waiting longer than needed for the timer to +expire, which may not a big issue, but still. For other commands, like for +an erase (CMD38) that uses a R1B response, may require longer timeouts than +1s. In these cases, we may end up treating the command as it failed, while +it just needed some more time to complete successfully. + +Fix the problem by respecting the cmd->busy_timeout, which is provided by +the mmc core. + +Cc: Bruce Chang +Cc: Harald Welte +Signed-off-by: Ulf Hansson +Link: https://lore.kernel.org/r/20200414161413.3036-17-ulf.hansson@linaro.org +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/via-sdmmc.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/via-sdmmc.c b/drivers/mmc/host/via-sdmmc.c +index 32c4211506fc..246dc6255e69 100644 +--- a/drivers/mmc/host/via-sdmmc.c ++++ b/drivers/mmc/host/via-sdmmc.c +@@ -323,6 +323,8 @@ struct via_crdr_mmc_host { + /* some devices need a very long delay for power to stabilize */ + #define VIA_CRDR_QUIRK_300MS_PWRDELAY 0x0001 + ++#define VIA_CMD_TIMEOUT_MS 1000 ++ + static const struct pci_device_id via_ids[] = { + {PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_9530, + PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0,}, +@@ -555,14 +557,17 @@ static void via_sdc_send_command(struct via_crdr_mmc_host *host, + { + void __iomem *addrbase; + struct mmc_data *data; ++ unsigned int timeout_ms; + u32 cmdctrl = 0; + + WARN_ON(host->cmd); + + data = cmd->data; +- mod_timer(&host->timer, jiffies + HZ); + host->cmd = cmd; + ++ timeout_ms = cmd->busy_timeout ? 
cmd->busy_timeout : VIA_CMD_TIMEOUT_MS; ++ mod_timer(&host->timer, jiffies + msecs_to_jiffies(timeout_ms)); ++ + /*Command index*/ + cmdctrl = cmd->opcode << 8; + +-- +2.25.1 + diff --git a/queue-4.19/mt76-avoid-rx-reorder-buffer-overflow.patch b/queue-4.19/mt76-avoid-rx-reorder-buffer-overflow.patch new file mode 100644 index 00000000000..21111ad40a3 --- /dev/null +++ b/queue-4.19/mt76-avoid-rx-reorder-buffer-overflow.patch 
@@ -0,0 +1,80 @@ +From 4d46089590469986cf66e5ffb2bb4720ef8e008f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 25 Apr 2020 03:32:22 +0800 +Subject: mt76: avoid rx reorder buffer overflow + +From: Ryder Lee + +[ Upstream commit 7c4f744d6703757be959f521a7a441bf34745d99 ] + +Enlarge slot to support 11ax 256 BA (256 MPDUs in an AMPDU) + +Signed-off-by: Chih-Min Chen +Signed-off-by: Ryder Lee +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/agg-rx.c | 8 ++++---- + drivers/net/wireless/mediatek/mt76/mt76.h | 6 +++--- + 2 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/agg-rx.c b/drivers/net/wireless/mediatek/mt76/agg-rx.c +index 73c8b2805c97..d44d57e6eb27 100644 +--- a/drivers/net/wireless/mediatek/mt76/agg-rx.c ++++ b/drivers/net/wireless/mediatek/mt76/agg-rx.c +@@ -154,8 +154,8 @@ void mt76_rx_aggr_reorder(struct sk_buff *skb, struct sk_buff_head *frames) + struct ieee80211_sta *sta; + struct mt76_rx_tid *tid; + bool sn_less; +- u16 seqno, head, size; +- u8 ackp, idx; ++ u16 seqno, head, size, idx; ++ u8 ackp; + + __skb_queue_tail(frames, skb); + +@@ -240,7 +240,7 @@ out: + } + + int mt76_rx_aggr_start(struct mt76_dev *dev, struct mt76_wcid *wcid, u8 tidno, +- u16 ssn, u8 size) ++ u16 ssn, u16 size) + { + struct mt76_rx_tid *tid; + +@@ -264,7 +264,7 @@ EXPORT_SYMBOL_GPL(mt76_rx_aggr_start); + + static void mt76_rx_aggr_shutdown(struct mt76_dev *dev, struct mt76_rx_tid *tid) + { +- u8 size = tid->size; ++ u16 size = tid->size; + int i; + + cancel_delayed_work(&tid->reorder_work); +diff --git a/drivers/net/wireless/mediatek/mt76/mt76.h b/drivers/net/wireless/mediatek/mt76/mt76.h +index 2eab35879163..7b1667ec619e 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt76.h ++++ b/drivers/net/wireless/mediatek/mt76/mt76.h +@@ -193,8 +193,8 @@ struct mt76_rx_tid { + struct delayed_work reorder_work; + + u16 head; +- u8 size; +- u8 nframes; ++ u16 size; ++ u16 nframes; + 
+ u8 started:1, stopped:1, timer_pending:1; + +@@ -537,7 +537,7 @@ int mt76_get_survey(struct ieee80211_hw *hw, int idx, + void mt76_set_stream_caps(struct mt76_dev *dev, bool vht); + + int mt76_rx_aggr_start(struct mt76_dev *dev, struct mt76_wcid *wcid, u8 tid, +- u16 ssn, u8 size); ++ u16 ssn, u16 size); + void mt76_rx_aggr_stop(struct mt76_dev *dev, struct mt76_wcid *wcid, u8 tid); + + void mt76_wcid_key_setup(struct mt76_dev *dev, struct mt76_wcid *wcid, +-- +2.25.1 + diff --git a/queue-4.19/mwifiex-fix-memory-corruption-in-dump_station.patch b/queue-4.19/mwifiex-fix-memory-corruption-in-dump_station.patch new file mode 100644 index 00000000000..32e663690e3 --- /dev/null +++ b/queue-4.19/mwifiex-fix-memory-corruption-in-dump_station.patch 
@@ -0,0 +1,92 @@ +From d107999567737c71a51cd088b63f12e446427c91 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 May 2020 09:59:24 +0200 +Subject: mwifiex: Fix memory corruption in dump_station +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit 3aa42bae9c4d1641aeb36f1a8585cd1d506cf471 ] + +The mwifiex_cfg80211_dump_station() uses static variable for iterating +over a linked list of all associated stations (when the driver is in UAP +role). This has a race condition if .dump_station is called in parallel +for multiple interfaces. This corruption can be triggered by registering +multiple SSIDs and calling, in parallel for multiple interfaces + iw dev station dump + +[16750.719775] Unable to handle kernel paging request at virtual address dead000000000110 +... +[16750.899173] Call trace: +[16750.901696] mwifiex_cfg80211_dump_station+0x94/0x100 [mwifiex] +[16750.907824] nl80211_dump_station+0xbc/0x278 [cfg80211] +[16750.913160] netlink_dump+0xe8/0x320 +[16750.916827] netlink_recvmsg+0x1b4/0x338 +[16750.920861] ____sys_recvmsg+0x7c/0x2b0 +[16750.924801] ___sys_recvmsg+0x70/0x98 +[16750.928564] __sys_recvmsg+0x58/0xa0 +[16750.932238] __arm64_sys_recvmsg+0x28/0x30 +[16750.936453] el0_svc_common.constprop.3+0x90/0x158 +[16750.941378] do_el0_svc+0x74/0x90 +[16750.944784] el0_sync_handler+0x12c/0x1a8 +[16750.948903] el0_sync+0x114/0x140 +[16750.952312] Code: f9400003 f907f423 eb02007f 54fffd60 (b9401060) +[16750.958583] ---[ end trace c8ad181c2f4b8576 ]--- + +This patch drops the use of the static iterator, and instead every time +the function is called iterates to the idx-th position of the +linked-list. + +It would be better to convert the code not to use linked list for +associated stations storage (since the chip has a limited number of +associated stations anyway - it could just be an array). Such a change +may be proposed in the future. 
In the meantime this patch can backported +into stable kernels in this simple form. + +Fixes: 8baca1a34d4c ("mwifiex: dump station support in uap mode") +Signed-off-by: Pali Rohár +Acked-by: Ganapathi Bhat +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200515075924.13841-1-pali@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/cfg80211.c | 14 ++++++-------- + 1 file changed, 6 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/cfg80211.c b/drivers/net/wireless/marvell/mwifiex/cfg80211.c +index 7b74ef71bef1..650191db25cb 100644 +--- a/drivers/net/wireless/marvell/mwifiex/cfg80211.c ++++ b/drivers/net/wireless/marvell/mwifiex/cfg80211.c +@@ -1468,7 +1468,8 @@ mwifiex_cfg80211_dump_station(struct wiphy *wiphy, struct net_device *dev, + int idx, u8 *mac, struct station_info *sinfo) + { + struct mwifiex_private *priv = mwifiex_netdev_get_priv(dev); +- static struct mwifiex_sta_node *node; ++ struct mwifiex_sta_node *node; ++ int i; + + if ((GET_BSS_ROLE(priv) == MWIFIEX_BSS_ROLE_STA) && + priv->media_connected && idx == 0) { +@@ -1478,13 +1479,10 @@ mwifiex_cfg80211_dump_station(struct wiphy *wiphy, struct net_device *dev, + mwifiex_send_cmd(priv, HOST_CMD_APCMD_STA_LIST, + HostCmd_ACT_GEN_GET, 0, NULL, true); + +- if (node && (&node->list == &priv->sta_list)) { +- node = NULL; +- return -ENOENT; +- } +- +- node = list_prepare_entry(node, &priv->sta_list, list); +- list_for_each_entry_continue(node, &priv->sta_list, list) { ++ i = 0; ++ list_for_each_entry(node, &priv->sta_list, list) { ++ if (i++ != idx) ++ continue; + ether_addr_copy(mac, node->mac_addr); + return mwifiex_dump_station_info(priv, node, sinfo); + } +-- +2.25.1 + diff --git a/queue-4.19/net-allwinner-fix-use-correct-return-type-for-ndo_st.patch b/queue-4.19/net-allwinner-fix-use-correct-return-type-for-ndo_st.patch new file mode 100644 index 00000000000..1556723a3fe --- /dev/null 
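Review bot: The new `list_for_each_entry(node, &priv->sta_list, list)` walk in mwifiex_cfg80211_dump_station() runs with no lock visible in the hunk, so a station that disassociates during the walk could still leave `node` pointing at freed memory. Dropping the static iterator closes the cross-interface race only. If the driver guards `sta_list` with a lock elsewhere (not visible here), take it around the walk and copy what mwifiex_dump_station_info() needs before releasing it. A comment at the loop such as `/* idx is the cfg80211 dump cursor; walk from the list head on every call */` would also record why the list is re-walked each time. The function body continues outside the hunk.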
+++ b/queue-4.19/net-allwinner-fix-use-correct-return-type-for-ndo_st.patch @@ -0,0 +1,45 @@ +From a375ded02b41c5ef79f05658e170aedc4f2e9698 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 May 2020 10:49:20 +0800 +Subject: net: allwinner: Fix use correct return type for ndo_start_xmit() + +From: Yunjian Wang + +[ Upstream commit 09f6c44aaae0f1bdb8b983d7762676d5018c53bc ] + +The method ndo_start_xmit() returns a value of type netdev_tx_t. Fix +the ndo function to use the correct type. And emac_start_xmit() can +leak one skb if 'channel' == 3. + +Signed-off-by: Yunjian Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/allwinner/sun4i-emac.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/allwinner/sun4i-emac.c b/drivers/net/ethernet/allwinner/sun4i-emac.c +index 3143de45baaa..c458b81ba63a 100644 +--- a/drivers/net/ethernet/allwinner/sun4i-emac.c ++++ b/drivers/net/ethernet/allwinner/sun4i-emac.c +@@ -433,7 +433,7 @@ static void emac_timeout(struct net_device *dev) + /* Hardware start transmission. + * Send a packet to media from the upper layer. + */ +-static int emac_start_xmit(struct sk_buff *skb, struct net_device *dev) ++static netdev_tx_t emac_start_xmit(struct sk_buff *skb, struct net_device *dev) + { + struct emac_board_info *db = netdev_priv(dev); + unsigned long channel; +@@ -441,7 +441,7 @@ static int emac_start_xmit(struct sk_buff *skb, struct net_device *dev) + + channel = db->tx_fifo_stat & 3; + if (channel == 3) +- return 1; ++ return NETDEV_TX_BUSY; + + channel = (channel == 1 ? 1 : 0); + +-- +2.25.1 + diff --git a/queue-4.19/net-atlantic-make-hw_get_regs-optional.patch b/queue-4.19/net-atlantic-make-hw_get_regs-optional.patch new file mode 100644 index 00000000000..22976b4f13f --- /dev/null +++ b/queue-4.19/net-atlantic-make-hw_get_regs-optional.patch 
@@ -0,0 +1,45 @@
+From afa4af5d271839c23a66d9b43051760ce2b9333e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 30 Apr 2020 11:04:34 +0300
+Subject: net: atlantic: make hw_get_regs optional
+
+From: Mark Starovoytov
+
+[ Upstream commit d0f23741c202c685447050713907f3be39a985ee ]
+
+This patch fixes potential crash in case if hw_get_regs is NULL.
+
+Signed-off-by: Mark Starovoytov
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/aquantia/atlantic/aq_nic.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_nic.c b/drivers/net/ethernet/aquantia/atlantic/aq_nic.c
+index 15dcfb6704e5..adac5df0d6b4 100644
+--- a/drivers/net/ethernet/aquantia/atlantic/aq_nic.c
++++ b/drivers/net/ethernet/aquantia/atlantic/aq_nic.c
+@@ -620,6 +620,9 @@ int aq_nic_get_regs(struct aq_nic_s *self, struct ethtool_regs *regs, void *p)
+ u32 *regs_buff = p;
+ int err = 0;
+
++ if (unlikely(!self->aq_hw_ops->hw_get_regs))
++ return -EOPNOTSUPP;
++
+ regs->version = 1;
+
+ err = self->aq_hw_ops->hw_get_regs(self->aq_hw,
+@@ -634,6 +637,9 @@ err_exit:
+
+ int aq_nic_get_regs_count(struct aq_nic_s *self)
+ {
++ if (unlikely(!self->aq_hw_ops->hw_get_regs))
++ return 0;
++
+ return self->aq_nic_cfg.aq_hw_caps->mac_regs_count;
+ }
+
+--
+2.25.1
+
diff --git a/queue-4.19/net-bcmgenet-set-rx-mode-before-starting-netif.patch b/queue-4.19/net-bcmgenet-set-rx-mode-before-starting-netif.patch
new file mode 100644
index 00000000000..f06908811be
--- /dev/null
+++ b/queue-4.19/net-bcmgenet-set-rx-mode-before-starting-netif.patch
@@ -0,0 +1,51 @@
+From 206c8cc78b387c9fe391dc336c346dc6b47e15af Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 29 Apr 2020 13:02:00 -0700
+Subject: net: bcmgenet: set Rx mode before starting netif
+
+From: Doug Berger
+
+[ Upstream commit 72f96347628e73dbb61b307f18dd19293cc6792a ]
+
+This commit explicitly calls the bcmgenet_set_rx_mode() function when
+the network interface is started. This function is normally called by
+ndo_set_rx_mode when the flags are changed, but apparently not when
+the driver is suspended and resumed.
+
+This change ensures that address filtering or promiscuous mode are
+properly restored by the driver after the MAC may have been reset.
+
+Fixes: b6e978e50444 ("net: bcmgenet: add suspend/resume callbacks")
+Signed-off-by: Doug Berger
+Acked-by: Florian Fainelli
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+index 047fc0cf0263..40e8ef984b62 100644
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+@@ -72,6 +72,9 @@
+ #define GENET_RDMA_REG_OFF (priv->hw_params->rdma_offset + \
+ TOTAL_DESC * DMA_DESC_SIZE)
+
++/* Forward declarations */
++static void bcmgenet_set_rx_mode(struct net_device *dev);
++
+ static inline void bcmgenet_writel(u32 value, void __iomem *offset)
+ {
+ /* MIPS chips strapped for BE will automagically configure the
+@@ -2859,6 +2862,7 @@ static void bcmgenet_netif_start(struct net_device *dev)
+ struct bcmgenet_priv *priv = netdev_priv(dev);
+
+ /* Start the network engine */
++ bcmgenet_set_rx_mode(dev);
+ bcmgenet_enable_rx_napi(priv);
+
+ umac_enable_set(priv, CMD_TX_EN | CMD_RX_EN, true);
+--
+2.25.1
+
diff --git a/queue-4.19/net-ena-fix-error-returning-in-ena_com_get_hash_func.patch b/queue-4.19/net-ena-fix-error-returning-in-ena_com_get_hash_func.patch
new file mode 100644
index 00000000000..08fb3e4882d
--- /dev/null
+++ b/queue-4.19/net-ena-fix-error-returning-in-ena_com_get_hash_func.patch
@@ -0,0 +1,52 @@
+From 57ac786dee1be77ec52f5a3a1203cb1de1f137ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 3 May 2020 09:52:11 +0000
+Subject: net: ena: fix error returning in ena_com_get_hash_function()
+
+From: Arthur Kiyanovski
+
+[ Upstream commit e9a1de378dd46375f9abfd8de1e6f59ee114a793 ]
+
+In case the "func" parameter is NULL we now return "-EINVAL".
+This shouldn't happen in general, but when it does happen, this is the
+proper way to handle it.
+
+We also check func for NULL in the beginning of the function, as there
+is no reason to do all the work and realize in the end of the function
+it was useless.
+
+Signed-off-by: Sameeh Jubran
+Signed-off-by: Arthur Kiyanovski
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/amazon/ena/ena_com.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/amazon/ena/ena_com.c b/drivers/net/ethernet/amazon/ena/ena_com.c
+index 3afc0e59a2bd..d07f7f65169a 100644
+--- a/drivers/net/ethernet/amazon/ena/ena_com.c
++++ b/drivers/net/ethernet/amazon/ena/ena_com.c
+@@ -2137,6 +2137,9 @@ int ena_com_get_hash_function(struct ena_com_dev *ena_dev,
+ rss->hash_key;
+ int rc;
+
++ if (unlikely(!func))
++ return -EINVAL;
++
+ rc = ena_com_get_feature_ex(ena_dev, &get_resp,
+ ENA_ADMIN_RSS_HASH_FUNCTION,
+ rss->hash_key_dma_addr,
+@@ -2149,8 +2152,7 @@ int ena_com_get_hash_function(struct ena_com_dev *ena_dev,
+ if (rss->hash_func)
+ rss->hash_func--;
+
+- if (func)
+- *func = rss->hash_func;
++ *func = rss->hash_func;
+
+ if (key)
+ memcpy(key, hash_key->key, (size_t)(hash_key->keys_num) << 2);
+--
+2.25.1
+
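Review bot: The unchanged `memcpy(key, hash_key->key, (size_t)(hash_key->keys_num) << 2);` at the end of the second hunk takes its length from `keys_num`, which is read out of `rss->hash_key`. If that is the buffer the device fills through `rss->hash_key_dma_addr`, the length is device-controlled and is not bounded against the size of `hash_key->key` or of the caller's buffer. A clamp before the copy would fit with the new early NULL check, for example `if (hash_key->keys_num > ARRAY_SIZE(hash_key->key)) return -EINVAL;`, assuming `key` is an array member (its declaration is outside the hunk). Also, `func` is now mandatory while `key` stays optional, so any caller that passed NULL for `func` to fetch only the key now gets -EINVAL; the function's comment should say so.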
diff --git a/queue-4.19/net-ethernet-fec-move-gpr-register-offset-and-bit-in.patch b/queue-4.19/net-ethernet-fec-move-gpr-register-offset-and-bit-in.patch new file mode 100644 index 00000000000..184204a576b --- /dev/null +++ b/queue-4.19/net-ethernet-fec-move-gpr-register-offset-and-bit-in.patch 
@@ -0,0 +1,112 @@ +From 94c047ba0f334828fa522def4a0e7ba7eed8d1d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 May 2020 00:27:10 +0800 +Subject: net: ethernet: fec: move GPR register offset and bit into DT + +From: Fugang Duan + +[ Upstream commit 8a448bf832af537d26aa557d183a16943dce4510 ] + +The commit da722186f654 (net: fec: set GPR bit on suspend by DT +configuration) set the GPR reigster offset and bit in driver for +wake on lan feature. + +But it introduces two issues here: +- one SOC has two instances, they have different bit +- different SOCs may have different offset and bit + +So to support wake-on-lan feature on other i.MX platforms, it should +configure the GPR reigster offset and bit from DT. + +So the patch is to improve the commit da722186f654 (net: fec: set GPR +bit on suspend by DT configuration) to support multiple ethernet +instances on i.MX series. + +v2: + * switch back to store the quirks bitmask in driver_data +v3: + * suggested by Sascha Hauer, use a struct fec_devinfo for + abstracting differences between different hardware variants, + it can give more freedom to describe the differences. + +Signed-off-by: Fugang Duan +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/fec_main.c | 24 +++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c +index 48c58f93b124..6702bc2dd92f 100644 +--- a/drivers/net/ethernet/freescale/fec_main.c ++++ b/drivers/net/ethernet/freescale/fec_main.c +@@ -88,8 +88,6 @@ static void fec_enet_itr_coal_init(struct net_device *ndev); + + struct fec_devinfo { + u32 quirks; +- u8 stop_gpr_reg; +- u8 stop_gpr_bit; + }; + + static const struct fec_devinfo fec_imx25_info = { +@@ -112,8 +110,6 @@ static const struct fec_devinfo fec_imx6q_info = { + FEC_QUIRK_HAS_BUFDESC_EX | FEC_QUIRK_HAS_CSUM | + FEC_QUIRK_HAS_VLAN | FEC_QUIRK_ERR006358 | + FEC_QUIRK_HAS_RACC, +- .stop_gpr_reg = 0x34, +- .stop_gpr_bit = 27, + }; + + static const struct fec_devinfo fec_mvf600_info = { +@@ -3401,19 +3397,23 @@ static int fec_enet_get_irq_cnt(struct platform_device *pdev) + } + + static int fec_enet_init_stop_mode(struct fec_enet_private *fep, +- struct fec_devinfo *dev_info, + struct device_node *np) + { + struct device_node *gpr_np; ++ u32 out_val[3]; + int ret = 0; + +- if (!dev_info) +- return 0; +- +- gpr_np = of_parse_phandle(np, "gpr", 0); ++ gpr_np = of_parse_phandle(np, "fsl,stop-mode", 0); + if (!gpr_np) + return 0; + ++ ret = of_property_read_u32_array(np, "fsl,stop-mode", out_val, ++ ARRAY_SIZE(out_val)); ++ if (ret) { ++ dev_dbg(&fep->pdev->dev, "no stop mode property\n"); ++ return ret; ++ } ++ + fep->stop_gpr.gpr = syscon_node_to_regmap(gpr_np); + if (IS_ERR(fep->stop_gpr.gpr)) { + dev_err(&fep->pdev->dev, "could not find gpr regmap\n"); +@@ -3422,8 +3422,8 @@ static int fec_enet_init_stop_mode(struct fec_enet_private *fep, + goto out; + } + +- fep->stop_gpr.reg = dev_info->stop_gpr_reg; +- fep->stop_gpr.bit = dev_info->stop_gpr_bit; ++ fep->stop_gpr.reg = out_val[1]; ++ fep->stop_gpr.bit = out_val[2]; + + out: + 
of_node_put(gpr_np); +@@ -3501,7 +3501,7 @@ fec_probe(struct platform_device *pdev) + if (of_get_property(np, "fsl,magic-packet", NULL)) + fep->wol_flag |= FEC_WOL_HAS_MAGIC_PACKET; + +- ret = fec_enet_init_stop_mode(fep, dev_info, np); ++ ret = fec_enet_init_stop_mode(fep, np); + if (ret) + goto failed_stop_mode; + +-- +2.25.1 + diff --git a/queue-4.19/net-lpc-enet-fix-error-return-code-in-lpc_mii_init.patch b/queue-4.19/net-lpc-enet-fix-error-return-code-in-lpc_mii_init.patch new file mode 100644 index 00000000000..abffe037207 --- /dev/null +++ b/queue-4.19/net-lpc-enet-fix-error-return-code-in-lpc_mii_init.patch @@ -0,0 +1,38 @@ +From 75fc5cf69e0cb467a109064569a01bd9a0c72a76 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Apr 2020 12:15:07 +0000 +Subject: net: lpc-enet: fix error return code in lpc_mii_init() + +From: Wei Yongjun + +[ Upstream commit 88ec7cb22ddde725ed4ce15991f0bd9dd817fd85 ] + +Fix to return a negative error code from the error handling +case instead of 0, as done elsewhere in this function. + +Fixes: b7370112f519 ("lpc32xx: Added ethernet driver") +Signed-off-by: Wei Yongjun +Acked-by: Vladimir Zapolskiy +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/nxp/lpc_eth.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/nxp/lpc_eth.c b/drivers/net/ethernet/nxp/lpc_eth.c +index 41d30f55c946..6bd6c261f2ba 100644 +--- a/drivers/net/ethernet/nxp/lpc_eth.c ++++ b/drivers/net/ethernet/nxp/lpc_eth.c +@@ -845,7 +845,8 @@ static int lpc_mii_init(struct netdata_local *pldat) + if (mdiobus_register(pldat->mii_bus)) + goto err_out_unregister_bus; + +- if (lpc_mii_probe(pldat->ndev) != 0) ++ err = lpc_mii_probe(pldat->ndev); ++ if (err) + goto err_out_unregister_bus; + + return 0; +-- +2.25.1 + 
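Review bot: In fec_enet_init_stop_mode() the new error branch after `of_property_read_u32_array()` does `return ret;` while `gpr_np`, obtained from `of_parse_phandle()` just above, is still held, so the node reference is leaked. It should be `goto out;` so that the existing `of_node_put(gpr_np)` runs. Separately, `out_val[1]` and `out_val[2]` come straight from the device tree and are stored into `fep->stop_gpr.reg` and `fep->stop_gpr.bit` without a range check. If `.bit` is later used as a shift count (not visible here), reject values of 32 or more before storing, e.g. `if (out_val[2] >= 32) { ret = -EINVAL; goto out; }`.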
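Review bot: The `mdiobus_register()` failure branch directly above the changed lines in lpc_mii_init() still jumps to `err_out_unregister_bus` without storing the return value, so that path reports whatever `err` held before (set outside the hunk) rather than the real cause. Capturing it the same way as the probe call would make both paths consistent: `err = mdiobus_register(pldat->mii_bus);` followed by `if (err) goto err_out_unregister_bus;`. The label body is outside the hunk, so it is also worth confirming that it does not unregister a bus whose registration just failed.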
diff --git a/queue-4.19/net-mlx5e-ipoib-drop-multicast-packets-that-this-int.patch b/queue-4.19/net-mlx5e-ipoib-drop-multicast-packets-that-this-int.patch new file mode 100644 index 00000000000..4917a1d8c1d --- /dev/null +++ b/queue-4.19/net-mlx5e-ipoib-drop-multicast-packets-that-this-int.patch 
@@ -0,0 +1,73 @@ +From aa91a9c8dd7c1bad8917e4dff00ed8a847794da4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 May 2020 11:46:25 +0300 +Subject: net/mlx5e: IPoIB, Drop multicast packets that this interface sent + +From: Erez Shitrit + +[ Upstream commit 8b46d424a743ddfef8056d5167f13ee7ebd1dcad ] + +After enabled loopback packets for IPoIB, we need to drop these packets +that this HCA has replicated and came back to the same interface that +sent them. + +Fixes: 4c6c615e3f30 ("net/mlx5e: IPoIB, Add PKEY child interface nic profile") +Signed-off-by: Erez Shitrit +Reviewed-by: Alex Vesker +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c +index 044687a1f27c..9d86e49a7f44 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c +@@ -1314,6 +1314,7 @@ out: + + #ifdef CONFIG_MLX5_CORE_IPOIB + ++#define MLX5_IB_GRH_SGID_OFFSET 8 + #define MLX5_IB_GRH_DGID_OFFSET 24 + #define MLX5_GID_SIZE 16 + +@@ -1327,6 +1328,7 @@ static inline void mlx5i_complete_rx_cqe(struct mlx5e_rq *rq, + struct net_device *netdev; + struct mlx5e_priv *priv; + char *pseudo_header; ++ u32 flags_rqpn; + u32 qpn; + u8 *dgid; + u8 g; +@@ -1347,7 +1349,8 @@ static inline void mlx5i_complete_rx_cqe(struct mlx5e_rq *rq, + priv = mlx5i_epriv(netdev); + tstamp = &priv->tstamp; + +- g = (be32_to_cpu(cqe->flags_rqpn) >> 28) & 3; ++ flags_rqpn = be32_to_cpu(cqe->flags_rqpn); ++ g = (flags_rqpn >> 28) & 3; + dgid = skb->data + MLX5_IB_GRH_DGID_OFFSET; + if ((!g) || dgid[0] != 0xff) + skb->pkt_type = PACKET_HOST; +@@ -1356,9 +1359,15 @@ static inline void mlx5i_complete_rx_cqe(struct mlx5e_rq *rq, + else + skb->pkt_type = PACKET_MULTICAST; + +- /* TODO: IB/ipoib: Allow mcast packets from other VFs 
+- * 68996a6e760e5c74654723eeb57bf65628ae87f4 ++ /* Drop packets that this interface sent, ie multicast packets ++ * that the HCA has replicated. + */ ++ if (g && (qpn == (flags_rqpn & 0xffffff)) && ++ (memcmp(netdev->dev_addr + 4, skb->data + MLX5_IB_GRH_SGID_OFFSET, ++ MLX5_GID_SIZE) == 0)) { ++ skb->dev = NULL; ++ return; ++ } + + skb_pull(skb, MLX5_IB_GRH_BYTES); + +-- +2.25.1 + diff --git a/queue-4.19/net-qed-reduce-rx-and-tx-default-ring-count-when-run.patch b/queue-4.19/net-qed-reduce-rx-and-tx-default-ring-count-when-run.patch new file mode 100644 index 00000000000..41dbdbf4222 --- /dev/null +++ b/queue-4.19/net-qed-reduce-rx-and-tx-default-ring-count-when-run.patch 
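Review bot: The self-sent multicast check in mlx5i_complete_rx_cqe() uses two unnamed constants, `netdev->dev_addr + 4` and `flags_rqpn & 0xffffff`, right next to the named `MLX5_IB_GRH_SGID_OFFSET`. Naming them would show that the hardware address is compared past its leading 4 bytes and that only the low 24 bits of the CQE field are used. The drop is signalled by `skb->dev = NULL; return;`, which works only if every caller tests `skb->dev` before passing the skb on; those callers are outside the hunk, so a comment at the assignment stating that contract would help. The `memcmp` reads `MLX5_GID_SIZE` bytes at `skb->data + MLX5_IB_GRH_SGID_OFFSET` and no length check is visible in the hunk; presumably the GRH is always present at this point, which should be confirmed.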
@@ -0,0 +1,145 @@ +From bdbbfd303adb4d6b6e36bde7437b2a4e1d6b70bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 May 2020 15:41:41 +0530 +Subject: net: qed*: Reduce RX and TX default ring count when running inside + kdump kernel + +From: Bhupesh Sharma + +[ Upstream commit 73e030977f7884dbe1be0018bab517e8d02760f8 ] + +Normally kdump kernel(s) run under severe memory constraint with the +basic idea being to save the crashdump vmcore reliably when the primary +kernel panics/hangs. + +Currently the qed* ethernet driver ends up consuming a lot of memory in +the kdump kernel, leading to kdump kernel panic when one tries to save +the vmcore via ssh/nfs (thus utilizing the services of the underlying +qed* network interfaces). + +An example OOM message log seen in the kdump kernel can be seen here +[1], with crashkernel size reservation of 512M. + +Using tools like memstrack (see [2]), we can track the modules taking up +the bulk of memory in the kdump kernel and organize the memory usage +output as per 'highest allocator first'. An example log for the OOM case +indicates that the qed* modules end up allocating approximately 216M +memory, which is a large part of the total crashkernel size: + + dracut-pre-pivot[676]: ======== Report format module_summary: ======== + dracut-pre-pivot[676]: Module qed using 149.6MB (2394 pages), peak allocation 149.6MB (2394 pages) + dracut-pre-pivot[676]: Module qede using 65.3MB (1045 pages), peak allocation 65.3MB (1045 pages) + +This patch reduces the default RX and TX ring count from 1024 to 64 +when running inside kdump kernel, which leads to a significant memory +saving. 
+ +An example log with the patch applied shows the reduced memory +allocation in the kdump kernel: + dracut-pre-pivot[674]: ======== Report format module_summary: ======== + dracut-pre-pivot[674]: Module qed using 141.8MB (2268 pages), peak allocation 141.8MB (2268 pages) + <..snip..> +[dracut-pre-pivot[674]: Module qede using 4.8MB (76 pages), peak allocation 4.9MB (78 pages) + +Tested crashdump vmcore save via ssh/nfs protocol using underlying qed* +network interface after applying this patch. + +[1] OOM log: +------------ + + kworker/0:6: page allocation failure: order:6, + mode:0x60c0c0(GFP_KERNEL|__GFP_COMP|__GFP_ZERO), nodemask=(null) + kworker/0:6 cpuset=/ mems_allowed=0 + CPU: 0 PID: 145 Comm: kworker/0:6 Not tainted 4.18.0-109.el8.aarch64 #1 + Hardware name: To be filled by O.E.M. Saber/Saber, BIOS 0ACKL025 + 01/18/2019 + Workqueue: events work_for_cpu_fn + Call trace: + dump_backtrace+0x0/0x188 + show_stack+0x24/0x30 + dump_stack+0x90/0xb4 + warn_alloc+0xf4/0x178 + __alloc_pages_nodemask+0xcac/0xd58 + alloc_pages_current+0x8c/0xf8 + kmalloc_order_trace+0x38/0x108 + qed_iov_alloc+0x40/0x248 [qed] + qed_resc_alloc+0x224/0x518 [qed] + qed_slowpath_start+0x254/0x928 [qed] + __qede_probe+0xf8/0x5e0 [qede] + qede_probe+0x68/0xd8 [qede] + local_pci_probe+0x44/0xa8 + work_for_cpu_fn+0x20/0x30 + process_one_work+0x1ac/0x3e8 + worker_thread+0x44/0x448 + kthread+0x130/0x138 + ret_from_fork+0x10/0x18 + Cannot start slowpath + qede: probe of 0000:05:00.1 failed with error -12 + +[2]. Memstrack tool: https://github.com/ryncsn/memstrack + +Cc: kexec@lists.infradead.org +Cc: linux-kernel@vger.kernel.org +Cc: Ariel Elior +Cc: GR-everest-linux-l2@marvell.com +Cc: Manish Chopra +Cc: David S. Miller +Signed-off-by: Bhupesh Sharma +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qede/qede.h | 2 ++ + drivers/net/ethernet/qlogic/qede/qede_main.c | 11 +++++++++-- + 2 files changed, 11 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/qlogic/qede/qede.h b/drivers/net/ethernet/qlogic/qede/qede.h +index dc3be8a4acf4..2bdc410d1144 100644 +--- a/drivers/net/ethernet/qlogic/qede/qede.h ++++ b/drivers/net/ethernet/qlogic/qede/qede.h +@@ -550,12 +550,14 @@ int qede_add_tc_flower_fltr(struct qede_dev *edev, __be16 proto, + #define RX_RING_SIZE ((u16)BIT(RX_RING_SIZE_POW)) + #define NUM_RX_BDS_MAX (RX_RING_SIZE - 1) + #define NUM_RX_BDS_MIN 128 ++#define NUM_RX_BDS_KDUMP_MIN 63 + #define NUM_RX_BDS_DEF ((u16)BIT(10) - 1) + + #define TX_RING_SIZE_POW 13 + #define TX_RING_SIZE ((u16)BIT(TX_RING_SIZE_POW)) + #define NUM_TX_BDS_MAX (TX_RING_SIZE - 1) + #define NUM_TX_BDS_MIN 128 ++#define NUM_TX_BDS_KDUMP_MIN 63 + #define NUM_TX_BDS_DEF NUM_TX_BDS_MAX + + #define QEDE_MIN_PKT_LEN 64 +diff --git a/drivers/net/ethernet/qlogic/qede/qede_main.c b/drivers/net/ethernet/qlogic/qede/qede_main.c +index 0d8e39ffbcd1..1aabb2e7a38b 100644 +--- a/drivers/net/ethernet/qlogic/qede/qede_main.c ++++ b/drivers/net/ethernet/qlogic/qede/qede_main.c +@@ -29,6 +29,7 @@ + * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
+ */ ++#include + #include + #include + #include +@@ -730,8 +731,14 @@ static struct qede_dev *qede_alloc_etherdev(struct qed_dev *cdev, + edev->dp_module = dp_module; + edev->dp_level = dp_level; + edev->ops = qed_ops; +- edev->q_num_rx_buffers = NUM_RX_BDS_DEF; +- edev->q_num_tx_buffers = NUM_TX_BDS_DEF; ++ ++ if (is_kdump_kernel()) { ++ edev->q_num_rx_buffers = NUM_RX_BDS_KDUMP_MIN; ++ edev->q_num_tx_buffers = NUM_TX_BDS_KDUMP_MIN; ++ } else { ++ edev->q_num_rx_buffers = NUM_RX_BDS_DEF; ++ edev->q_num_tx_buffers = NUM_TX_BDS_DEF; ++ } + + DP_INFO(edev, "Allocated netdev with %d tx queues and %d rx queues\n", + info->num_queues, info->num_queues); +-- +2.25.1 + diff --git a/queue-4.19/net-vmxnet3-fix-possible-buffer-overflow-caused-by-b.patch b/queue-4.19/net-vmxnet3-fix-possible-buffer-overflow-caused-by-b.patch new file mode 100644 index 00000000000..a20b97930af --- /dev/null +++ b/queue-4.19/net-vmxnet3-fix-possible-buffer-overflow-caused-by-b.patch 
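Review bot: `NUM_RX_BDS_KDUMP_MIN` and `NUM_TX_BDS_KDUMP_MIN` are 63, below the existing `NUM_RX_BDS_MIN` and `NUM_TX_BDS_MIN` of 128, and qede_alloc_etherdev() uses them as defaults rather than as lower bounds. If the ring-size setter validates against the 128 minimum (outside the hunk), a kdump kernel starts with a value the administrator could not set again. A comment at the defines such as `/* default ring size in a kdump kernel; intentionally below NUM_RX_BDS_MIN */`, or a `_DEF` suffix instead of `_MIN`, would document the intent. The description says 64 while the constant is 63, presumably ring size minus one as with `NUM_RX_BDS_MAX`.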
@@ -0,0 +1,41 @@
+From 77845331d7a535153e87269d3fd66460af8c9c0f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 30 May 2020 10:41:50 +0800
+Subject: net: vmxnet3: fix possible buffer overflow caused by bad DMA value in
+ vmxnet3_get_rss()
+
+From: Jia-Ju Bai
+
+[ Upstream commit 3e1c6846b9e108740ef8a37be80314053f5dd52a ]
+
+The value adapter->rss_conf is stored in DMA memory, and it is assigned
+to rssConf, so rssConf->indTableSize can be modified at anytime by
+malicious hardware. Because rssConf->indTableSize is assigned to n,
+buffer overflow may occur when the code "rssConf->indTable[n]" is
+executed.
+
+To fix this possible bug, n is checked after being used.
+
+Signed-off-by: Jia-Ju Bai
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/vmxnet3/vmxnet3_ethtool.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/vmxnet3/vmxnet3_ethtool.c b/drivers/net/vmxnet3/vmxnet3_ethtool.c
+index 559db051a500..88d18ab83e54 100644
+--- a/drivers/net/vmxnet3/vmxnet3_ethtool.c
++++ b/drivers/net/vmxnet3/vmxnet3_ethtool.c
+@@ -692,6 +692,8 @@ vmxnet3_get_rss(struct net_device *netdev, u32 *p, u8 *key, u8 *hfunc)
+ *hfunc = ETH_RSS_HASH_TOP;
+ if (!p)
+ return 0;
++ if (n > UPT1_RSS_MAX_IND_TABLE_SIZE)
++ return 0;
+ while (n--)
+ p[n] = rssConf->indTable[n];
+ return 0;
+--
+2.25.1
+
diff --git a/queue-4.19/netfilter-nft_nat-return-eopnotsupp-if-type-or-flags.patch b/queue-4.19/netfilter-nft_nat-return-eopnotsupp-if-type-or-flags.patch
new file mode 100644
index 00000000000..a2893cbbda6
--- /dev/null
+++ b/queue-4.19/netfilter-nft_nat-return-eopnotsupp-if-type-or-flags.patch
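Review bot: The added guard in vmxnet3_get_rss() returns 0 when `n > UPT1_RSS_MAX_IND_TABLE_SIZE`, so an out-of-range table size read from device-shared memory is reported to the caller as success with `p` left unwritten. Returning an error, `return -EINVAL;`, would surface the bad value instead of handing back whatever the buffer already held. The bound is sound only if `n` is a local copy read once from `rssConf->indTableSize`; that assignment is outside the hunk, so confirm the field is not read again after the check. A comment at the check such as `/* indTableSize lives in DMA memory; treat it as untrusted */` would record why it exists.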
@@ -0,0 +1,44 @@
+From b60994cce8423f29205dfe0014c5f6dd0106f8e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 24 Apr 2020 21:55:34 +0200
+Subject: netfilter: nft_nat: return EOPNOTSUPP if type or flags are not
+ supported
+
+From: Pablo Neira Ayuso
+
+[ Upstream commit 0d7c83463fdf7841350f37960a7abadd3e650b41 ]
+
+Instead of EINVAL which should be used for malformed netlink messages.
+
+Fixes: eb31628e37a0 ("netfilter: nf_tables: Add support for IPv6 NAT")
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nft_nat.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/nft_nat.c b/net/netfilter/nft_nat.c
+index c15807d10b91..3e82a7d0df2a 100644
+--- a/net/netfilter/nft_nat.c
++++ b/net/netfilter/nft_nat.c
+@@ -135,7 +135,7 @@ static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
+ priv->type = NF_NAT_MANIP_DST;
+ break;
+ default:
+- return -EINVAL;
++ return -EOPNOTSUPP;
+ }
+
+ if (tb[NFTA_NAT_FAMILY] == NULL)
+@@ -202,7 +202,7 @@ static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
+ if (tb[NFTA_NAT_FLAGS]) {
+ priv->flags = ntohl(nla_get_be32(tb[NFTA_NAT_FLAGS]));
+ if (priv->flags & ~NF_NAT_RANGE_MASK)
+- return -EINVAL;
++ return -EOPNOTSUPP;
+ }
+
+ return nf_ct_netns_get(ctx->net, family);
+--
+2.25.1
+
diff --git a/queue-4.19/nvme-refine-the-qemu-identify-cns-quirk.patch b/queue-4.19/nvme-refine-the-qemu-identify-cns-quirk.patch
new file mode 100644
index 00000000000..0e7c7f2e1c3
--- /dev/null
+++ b/queue-4.19/nvme-refine-the-qemu-identify-cns-quirk.patch
@@ -0,0 +1,59 @@
+From 71e35e7ef105a0d8f09f4542015740ad411892f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 4 Apr 2020 10:11:28 +0200
+Subject: nvme: refine the Qemu Identify CNS quirk
+
+From: Christoph Hellwig
+
+[ Upstream commit b9a5c3d4c34d8bd9fd75f7f28d18a57cb68da237 ]
+
+Add a helper to check if we can use Identify CNS values > 1, and refine
+the Qemu quirk to not apply to reported versions larger than 1.1, as the
+Qemu implementation had been fixed by then.
+
+Signed-off-by: Christoph Hellwig
+Reviewed-by: Keith Busch
+Reviewed-by: Sagi Grimberg
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ drivers/nvme/host/core.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index d5359c7c811a..0d60f2f8f3ee 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -926,6 +926,19 @@ void nvme_stop_keep_alive(struct nvme_ctrl *ctrl)
+ }
+ EXPORT_SYMBOL_GPL(nvme_stop_keep_alive);
+
++/*
++ * In NVMe 1.0 the CNS field was just a binary controller or namespace
++ * flag, thus sending any new CNS opcodes has a big chance of not working.
++ * Qemu unfortunately had that bug after reporting a 1.1 version compliance
++ * (but not for any later version).
++ */
++static bool nvme_ctrl_limited_cns(struct nvme_ctrl *ctrl)
++{
++ if (ctrl->quirks & NVME_QUIRK_IDENTIFY_CNS)
++ return ctrl->vs < NVME_VS(1, 2, 0);
++ return ctrl->vs < NVME_VS(1, 1, 0);
++}
++
+ static int nvme_identify_ctrl(struct nvme_ctrl *dev, struct nvme_id_ctrl **id)
+ {
+ struct nvme_command c = { };
+@@ -3368,8 +3381,7 @@ static void nvme_scan_work(struct work_struct *work)
+
+ mutex_lock(&ctrl->scan_lock);
+ nn = le32_to_cpu(id->nn);
+- if (ctrl->vs >= NVME_VS(1, 1, 0) &&
+- !(ctrl->quirks & NVME_QUIRK_IDENTIFY_CNS)) {
++ if (!nvme_ctrl_limited_cns(ctrl)) {
+ if (!nvme_scan_ns_list(ctrl, nn))
+ goto out_free_id;
+ }
+--
+2.25.1
+
diff --git a/queue-4.19/objtool-ignore-empty-alternatives.patch b/queue-4.19/objtool-ignore-empty-alternatives.patch
new file mode 100644
index 00000000000..d5cc6815eac
--- /dev/null
+++ b/queue-4.19/objtool-ignore-empty-alternatives.patch
@@ -0,0 +1,45 @@
+From 5616e2870091251291cb7ce3c28090132c64f91a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 27 Mar 2020 15:28:41 +0000
+Subject: objtool: Ignore empty alternatives
+
+From: Julien Thierry
+
+[ Upstream commit 7170cf47d16f1ba29eca07fd818870b7af0a93a5 ]
+
+The .alternatives section can contain entries with no original
+instructions. Objtool will currently crash when handling such an entry.
+
+Just skip that entry, but still give a warning to discourage useless
+entries.
+
+Signed-off-by: Julien Thierry
+Acked-by: Peter Zijlstra (Intel)
+Reviewed-by: Miroslav Benes
+Signed-off-by: Josh Poimboeuf
+Signed-off-by: Ingo Molnar
+Signed-off-by: Sasha Levin
+---
+ tools/objtool/check.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/tools/objtool/check.c b/tools/objtool/check.c
+index 4d509734b695..fd3071d83dea 100644
+--- a/tools/objtool/check.c
++++ b/tools/objtool/check.c
+@@ -801,6 +801,12 @@ static int add_special_section_alts(struct objtool_file *file)
+ }
+
+ if (special_alt->group) {
++ if (!special_alt->orig_len) {
++ WARN_FUNC("empty alternative entry",
++ orig_insn->sec, orig_insn->offset);
++ continue;
++ }
++
+ ret = handle_group_alt(file, special_alt, orig_insn,
+ &new_insn);
+ if (ret)
+--
+2.25.1
+
diff --git a/queue-4.19/pci-don-t-disable-decoding-when-mmio_always_on-is-se.patch b/queue-4.19/pci-don-t-disable-decoding-when-mmio_always_on-is-se.patch
new file mode 100644
index 00000000000..981d63dab87
--- /dev/null
+++ b/queue-4.19/pci-don-t-disable-decoding-when-mmio_always_on-is-se.patch
@@ -0,0 +1,39 @@
+From 6ce37ed3271654f9a9ad9b994cc0bec3b96a2164 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 26 May 2020 17:21:12 +0800
+Subject: PCI: Don't disable decoding when mmio_always_on is set
+
+From: Jiaxun Yang
+
+[ Upstream commit b6caa1d8c80cb71b6162cb1f1ec13aa655026c9f ]
+
+Don't disable MEM/IO decoding when a device have both non_compliant_bars
+and mmio_always_on.
+
+That would allow us quirk devices with junk in BARs but can't disable
+their decoding.
+
+Signed-off-by: Jiaxun Yang
+Acked-by: Bjorn Helgaas
+Signed-off-by: Thomas Bogendoerfer
+Signed-off-by: Sasha Levin
+---
+ drivers/pci/probe.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
+index fa4c386c8cd8..a21c04d8a40b 100644
+--- a/drivers/pci/probe.c
++++ b/drivers/pci/probe.c
+@@ -1634,7 +1634,7 @@ int pci_setup_device(struct pci_dev *dev)
+ /* Device class may be changed after fixup */
+ class = dev->class >> 8;
+
+- if (dev->non_compliant_bars) {
++ if (dev->non_compliant_bars && !dev->mmio_always_on) {
+ pci_read_config_word(dev, PCI_COMMAND, &cmd);
+ if (cmd & (PCI_COMMAND_IO | PCI_COMMAND_MEMORY)) {
+ pci_info(dev, "device has non-compliant BARs; disabling IO/MEM decoding\n");
+--
+2.25.1
+
diff --git a/queue-4.19/platform-x86-hp-wmi-convert-simple_strtoul-to-kstrto.patch b/queue-4.19/platform-x86-hp-wmi-convert-simple_strtoul-to-kstrto.patch
new file mode 100644
index 00000000000..8b062f8eedf
--- /dev/null
+++ b/queue-4.19/platform-x86-hp-wmi-convert-simple_strtoul-to-kstrto.patch
@@ -0,0 +1,44 @@
+From 864e414fc2dc2f282cd2d9cde721be03dcb100e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 15 May 2020 16:27:04 +0300
+Subject: platform/x86: hp-wmi: Convert simple_strtoul() to kstrtou32()
+
+From: Andy Shevchenko
+
+[ Upstream commit 5cdc45ed3948042f0d73c6fec5ee9b59e637d0d2 ]
+
+First of all, unsigned long can overflow u32 value on 64-bit machine.
+Second, simple_strtoul() doesn't check for overflow in the input.
+
+Convert simple_strtoul() to kstrtou32() to eliminate above issues.
+
+Signed-off-by: Andy Shevchenko
+Signed-off-by: Sasha Levin
+---
+ drivers/platform/x86/hp-wmi.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/platform/x86/hp-wmi.c b/drivers/platform/x86/hp-wmi.c
+index 06a3c1ef8eee..952544ca0d84 100644
+--- a/drivers/platform/x86/hp-wmi.c
++++ b/drivers/platform/x86/hp-wmi.c
+@@ -474,8 +474,14 @@ static ssize_t postcode_show(struct device *dev, struct device_attribute *attr,
+ static ssize_t als_store(struct device *dev, struct device_attribute *attr,
+ const char *buf, size_t count)
+ {
+- u32 tmp = simple_strtoul(buf, NULL, 10);
+- int ret = hp_wmi_perform_query(HPWMI_ALS_QUERY, HPWMI_WRITE, &tmp,
++ u32 tmp;
++ int ret;
++
++ ret = kstrtou32(buf, 10, &tmp);
++ if (ret)
++ return ret;
++
++ ret = hp_wmi_perform_query(HPWMI_ALS_QUERY, HPWMI_WRITE, &tmp,
+ sizeof(tmp), sizeof(tmp));
+ if (ret)
+ return ret < 0 ? ret : -EINVAL;
+--
+2.25.1
+
diff --git a/queue-4.19/platform-x86-intel-hid-add-a-quirk-to-support-hp-spe.patch b/queue-4.19/platform-x86-intel-hid-add-a-quirk-to-support-hp-spe.patch
new file mode 100644
index 00000000000..983f934319a
--- /dev/null
+++ b/queue-4.19/platform-x86-intel-hid-add-a-quirk-to-support-hp-spe.patch
@@ -0,0 +1,42 @@
+From 7c37ec5a5688e6621c620bef64393ebf0b240007 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 30 May 2020 22:07:20 +0500
+Subject: platform/x86: intel-hid: Add a quirk to support HP Spectre X2 (2015)
+
+From: Nickolai Kozachenko
+
+[ Upstream commit 8fe63eb757ac6e661a384cc760792080bdc738dc ]
+
+HEBC method reports capabilities of 5 button array but HP Spectre X2 (2015)
+does not have this control method (the same was for Wacom MobileStudio Pro).
+Expand previous DMI quirk by Alex Hung to also enable 5 button array
+for this system.
+
+Signed-off-by: Nickolai Kozachenko
+Signed-off-by: Andy Shevchenko
+Signed-off-by: Sasha Levin
+---
+ drivers/platform/x86/intel-hid.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/platform/x86/intel-hid.c b/drivers/platform/x86/intel-hid.c
+index 3201a83073b5..c514cb73bb50 100644
+--- a/drivers/platform/x86/intel-hid.c
++++ b/drivers/platform/x86/intel-hid.c
+@@ -87,6 +87,13 @@ static const struct dmi_system_id button_array_table[] = {
+ DMI_MATCH(DMI_PRODUCT_NAME, "Wacom MobileStudio Pro 16"),
+ },
+ },
++ {
++ .ident = "HP Spectre x2 (2015)",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "HP"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "HP Spectre x2 Detachable"),
++ },
++ },
+ { }
+ };
+
+--
+2.25.1
+
diff --git a/queue-4.19/platform-x86-intel-vbtn-also-handle-tablet-mode-swit.patch b/queue-4.19/platform-x86-intel-vbtn-also-handle-tablet-mode-swit.patch
new file mode 100644
index 00000000000..7a4cadb65d6
--- /dev/null
+++ b/queue-4.19/platform-x86-intel-vbtn-also-handle-tablet-mode-swit.patch
@@ -0,0 +1,70 @@
+From 90bd52e84f3bf2938cfdce3f4fd7bf7e5245483a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 2 May 2020 20:29:50 +0200
+Subject: platform/x86: intel-vbtn: Also handle tablet-mode switch on
+ "Detachable" and "Portable" chassis-types
+
+From: Hans de Goede
+
+[ Upstream commit 1fac39fd0316b19c3e57a182524332332d1643ce ]
+
+Commit de9647efeaa9 ("platform/x86: intel-vbtn: Only activate tablet mode
+switch on 2-in-1's") added a DMI chassis-type check to avoid accidentally
+reporting SW_TABLET_MODE = 1 to userspace on laptops.
+
+Some devices with a detachable keyboard and using the intel-vbnt (INT33D6)
+interface to report if they are in tablet mode (keyboard detached) or not,
+report 32 / "Detachable" as chassis-type, e.g. the HP Pavilion X2 series.
+
+Other devices with a detachable keyboard and using the intel-vbnt (INT33D6)
+interface to report SW_TABLET_MODE, report 8 / "Portable" as chassis-type.
+The Dell Venue 11 Pro 7130 is an example of this.
+
+Extend the DMI chassis-type check to also accept Portables and Detachables
+so that the intel-vbtn driver will report SW_TABLET_MODE on these devices.
+
+Note the chassis-type check was originally added to avoid a false-positive
+tablet-mode report on the Dell XPS 9360 laptop. To the best of my knowledge
+that laptop is using a chassis-type of 9 / "Laptop", so after this commit
+we still ignore the tablet-switch for that chassis-type.
+
+Fixes: de9647efeaa9 ("platform/x86: intel-vbtn: Only activate tablet mode switch on 2-in-1's")
+Signed-off-by: Hans de Goede
+Reviewed-by: Mario Limonciello
+Signed-off-by: Andy Shevchenko
+Signed-off-by: Sasha Levin
+---
+ drivers/platform/x86/intel-vbtn.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/platform/x86/intel-vbtn.c b/drivers/platform/x86/intel-vbtn.c
+index 23cda7aa96cd..5f8120d12859 100644
+--- a/drivers/platform/x86/intel-vbtn.c
++++ b/drivers/platform/x86/intel-vbtn.c
+@@ -157,12 +157,22 @@ static void detect_tablet_mode(struct platform_device *device)
+ static bool intel_vbtn_has_switches(acpi_handle handle)
+ {
+ const char *chassis_type = dmi_get_system_info(DMI_CHASSIS_TYPE);
++ unsigned long chassis_type_int;
+ unsigned long long vgbs;
+ acpi_status status;
+
+- if (!(chassis_type && strcmp(chassis_type, "31") == 0))
++ if (kstrtoul(chassis_type, 10, &chassis_type_int))
+ return false;
+
++ switch (chassis_type_int) {
++ case 8: /* Portable */
++ case 31: /* Convertible */
++ case 32: /* Detachable */
++ break;
++ default:
++ return false;
++ }
++
+ status = acpi_evaluate_integer(handle, "VGBS", NULL, &vgbs);
+ return ACPI_SUCCESS(status);
+ }
+--
+2.25.1
+
diff --git a/queue-4.19/platform-x86-intel-vbtn-do-not-advertise-switches-to.patch b/queue-4.19/platform-x86-intel-vbtn-do-not-advertise-switches-to.patch
new file mode 100644
index 00000000000..087e0475e41
--- /dev/null
+++ b/queue-4.19/platform-x86-intel-vbtn-do-not-advertise-switches-to.patch
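Review bot: The new `kstrtoul(chassis_type, 10, &chassis_type_int)` call in intel_vbtn_has_switches() is made without the NULL test that the removed `chassis_type && strcmp(...)` condition carried, and the old guard suggests dmi_get_system_info() can return NULL when the DMI field is absent. On such firmware the probe path would pass a NULL string to kstrtoul(). Restoring the guard is a one-line change: `if (!chassis_type || kstrtoul(chassis_type, 10, &chassis_type_int))`. A later patch in this same queue ("Only blacklist SW_TABLET_MODE on the 9 / "Laptop" chasis-type") replaces this parsing and mentions the missing NULL check, so the exposure exists only where this patch is applied without that one.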
@@ -0,0 +1,108 @@
+From 298f6ae8ae3902b82254af609db5fa833fe8081d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 2 May 2020 20:29:49 +0200
+Subject: platform/x86: intel-vbtn: Do not advertise switches to userspace if
+ they are not there
+
+From: Hans de Goede
+
+[ Upstream commit 990fbb48067bf8cfa34b7d1e6e1674eaaef2f450 ]
+
+Commit de9647efeaa9 ("platform/x86: intel-vbtn: Only activate tablet mode
+switch on 2-in-1's") added a DMI chassis-type check to avoid accidentally
+reporting SW_TABLET_MODE = 1 to userspace on laptops (specifically on the
+Dell XPS 9360), to avoid e.g. userspace ignoring touchpad events because
+userspace thought the device was in tablet-mode.
+
+But if we are not getting the initial status of the switch because the
+device does not have a tablet mode, then we really should not advertise
+the presence of a tablet-mode switch to userspace at all, as userspace may
+use the mere presence of this switch for certain heuristics.
+
+Fixes: de9647efeaa9 ("platform/x86: intel-vbtn: Only activate tablet mode switch on 2-in-1's")
+Signed-off-by: Hans de Goede
+Signed-off-by: Andy Shevchenko
+Signed-off-by: Sasha Levin
+---
+ drivers/platform/x86/intel-vbtn.c | 25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/platform/x86/intel-vbtn.c b/drivers/platform/x86/intel-vbtn.c
+index e42203776727..23cda7aa96cd 100644
+--- a/drivers/platform/x86/intel-vbtn.c
++++ b/drivers/platform/x86/intel-vbtn.c
+@@ -54,6 +54,7 @@ static const struct key_entry intel_vbtn_switchmap[] = {
+ struct intel_vbtn_priv {
+ struct key_entry keymap[KEYMAP_LEN];
+ struct input_dev *input_dev;
++ bool has_switches;
+ bool wakeup_mode;
+ };
+
+@@ -69,7 +70,7 @@ static int intel_vbtn_input_setup(struct platform_device *device)
+ keymap_len += ARRAY_SIZE(intel_vbtn_keymap);
+ }
+
+- if (true) {
++ if (priv->has_switches) {
+ memcpy(&priv->keymap[keymap_len], intel_vbtn_switchmap,
+ ARRAY_SIZE(intel_vbtn_switchmap) *
+ sizeof(struct key_entry));
+@@ -137,16 +138,12 @@ out_unknown:
+
+ static void detect_tablet_mode(struct platform_device *device)
+ {
+- const char *chassis_type = dmi_get_system_info(DMI_CHASSIS_TYPE);
+ struct intel_vbtn_priv *priv = dev_get_drvdata(&device->dev);
+ acpi_handle handle = ACPI_HANDLE(&device->dev);
+ unsigned long long vgbs;
+ acpi_status status;
+ int m;
+
+- if (!(chassis_type && strcmp(chassis_type, "31") == 0))
+- return;
+-
+ status = acpi_evaluate_integer(handle, "VGBS", NULL, &vgbs);
+ if (ACPI_FAILURE(status))
+ return;
+@@ -157,6 +154,19 @@ static void detect_tablet_mode(struct platform_device *device)
+ input_report_switch(priv->input_dev, SW_DOCK, m);
+ }
+
++static bool intel_vbtn_has_switches(acpi_handle handle)
++{
++ const char *chassis_type = dmi_get_system_info(DMI_CHASSIS_TYPE);
++ unsigned long long vgbs;
++ acpi_status status;
++
++ if (!(chassis_type && strcmp(chassis_type, "31") == 0))
++ return false;
++
++ status = acpi_evaluate_integer(handle, "VGBS", NULL, &vgbs);
++ return ACPI_SUCCESS(status);
++}
++
+ static int intel_vbtn_probe(struct platform_device *device)
+ {
+ acpi_handle handle = ACPI_HANDLE(&device->dev);
+@@ -175,13 +185,16 @@ static int intel_vbtn_probe(struct platform_device *device)
+ return -ENOMEM;
+ dev_set_drvdata(&device->dev, priv);
+
++ priv->has_switches = intel_vbtn_has_switches(handle);
++
+ err = intel_vbtn_input_setup(device);
+ if (err) {
+ pr_err("Failed to setup Intel Virtual Button\n");
+ return err;
+ }
+
+- detect_tablet_mode(device);
++ if (priv->has_switches)
++ detect_tablet_mode(device);
+
+ status = acpi_install_notify_handler(handle,
+ ACPI_DEVICE_NOTIFY,
+--
+2.25.1
+
diff --git a/queue-4.19/platform-x86-intel-vbtn-only-blacklist-sw_tablet_mod.patch b/queue-4.19/platform-x86-intel-vbtn-only-blacklist-sw_tablet_mod.patch
new file mode 100644
index 00000000000..7ceb605faae
--- /dev/null
+++ b/queue-4.19/platform-x86-intel-vbtn-only-blacklist-sw_tablet_mod.patch
@@ -0,0 +1,83 @@
+From 36f3e84a6cb295b217a8bc58f4ebc96c8b53d615 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 15 May 2020 20:39:16 +0200
+Subject: platform/x86: intel-vbtn: Only blacklist SW_TABLET_MODE on the 9 /
+ "Laptop" chasis-type
+
+From: Hans de Goede
+
+[ Upstream commit cfae58ed681c5fe0185db843013ecc71cd265ebf ]
+
+The HP Stream x360 11-p000nd no longer report SW_TABLET_MODE state / events
+with recent kernels. This model reports a chassis-type of 10 / "Notebook"
+which is not on the recently introduced chassis-type whitelist
+
+Commit de9647efeaa9 ("platform/x86: intel-vbtn: Only activate tablet mode
+switch on 2-in-1's") added a chassis-type whitelist and only listed 31 /
+"Convertible" as being capable of generating valid SW_TABLET_MOD events.
+
+Commit 1fac39fd0316 ("platform/x86: intel-vbtn: Also handle tablet-mode
+switch on "Detachable" and "Portable" chassis-types") extended the
+whitelist with chassis-types 8 / "Portable" and 32 / "Detachable".
+
+And now we need to exten the whitelist again with 10 / "Notebook"...
+
+The issue original fixed by the whitelist is really a ACPI DSDT bug on
+the Dell XPS 9360 where it has a VGBS which reports it is in tablet mode
+even though it is not a 2-in-1 at all, but a regular laptop.
+
+So since this is a workaround for a DSDT issue on that specific model,
+instead of extending the whitelist over and over again, lets switch to
+a blacklist and only blacklist the chassis-type of the model for which
+the chassis-type check was added.
+
+Note this also fixes the current version of the code no longer checking
+if dmi_get_system_info(DMI_CHASSIS_TYPE) returns NULL.
+
+Fixes: 1fac39fd0316 ("platform/x86: intel-vbtn: Also handle tablet-mode switch on "Detachable" and "Portable" chassis-types")
+Cc: Mario Limonciello
+Signed-off-by: Hans de Goede
+Reviewed-by: Mario Limonciello
+Signed-off-by: Andy Shevchenko
+Signed-off-by: Sasha Levin
+---
+ drivers/platform/x86/intel-vbtn.c | 19 ++++++++-----------
+ 1 file changed, 8 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/platform/x86/intel-vbtn.c b/drivers/platform/x86/intel-vbtn.c
+index 5f8120d12859..d122f33d43ac 100644
+--- a/drivers/platform/x86/intel-vbtn.c
++++ b/drivers/platform/x86/intel-vbtn.c
+@@ -157,21 +157,18 @@ static void detect_tablet_mode(struct platform_device *device)
+ static bool intel_vbtn_has_switches(acpi_handle handle)
+ {
+ const char *chassis_type = dmi_get_system_info(DMI_CHASSIS_TYPE);
+- unsigned long chassis_type_int;
+ unsigned long long vgbs;
+ acpi_status status;
+
+- if (kstrtoul(chassis_type, 10, &chassis_type_int))
+- return false;
+-
+- switch (chassis_type_int) {
+- case 8: /* Portable */
+- case 31: /* Convertible */
+- case 32: /* Detachable */
+- break;
+- default:
++ /*
++ * Some normal laptops have a VGBS method despite being non-convertible
++ * and their VGBS method always returns 0, causing detect_tablet_mode()
++ * to report SW_TABLET_MODE=1 to userspace, which causes issues.
++ * These laptops have a DMI chassis_type of 9 ("Laptop"), do not report
++ * switches on any devices with a DMI chassis_type of 9.
++ */
++ if (chassis_type && strcmp(chassis_type, "9") == 0)
+ return false;
+- }
+
+ status = acpi_evaluate_integer(handle, "VGBS", NULL, &vgbs);
+ return ACPI_SUCCESS(status);
+--
+2.25.1
+
diff --git a/queue-4.19/platform-x86-intel-vbtn-split-keymap-into-buttons-an.patch b/queue-4.19/platform-x86-intel-vbtn-split-keymap-into-buttons-an.patch
new file mode 100644
index 00000000000..470b688ada7
--- /dev/null
+++ b/queue-4.19/platform-x86-intel-vbtn-split-keymap-into-buttons-an.patch
@@ -0,0 +1,85 @@
+From 85587fcf3f7b3e0963693aafceb8bbaa8131a0b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 2 May 2020 20:29:48 +0200
+Subject: platform/x86: intel-vbtn: Split keymap into buttons and switches
+ parts
+
+From: Hans de Goede
+
+[ Upstream commit f6ba524970c4b73b234bf41ecd6628f5803b1559 ]
+
+Split the sparse keymap into 2 separate keymaps, a buttons and a switches
+keymap and combine the 2 to a single map again in intel_vbtn_input_setup().
+
+This is a preparation patch for not telling userspace that we have switches
+when we do not have them (and for doing the same for the buttons).
+
+Fixes: de9647efeaa9 ("platform/x86: intel-vbtn: Only activate tablet mode switch on 2-in-1's")
+Signed-off-by: Hans de Goede
+Signed-off-by: Andy Shevchenko
+Signed-off-by: Sasha Levin
+---
+ drivers/platform/x86/intel-vbtn.c | 28 +++++++++++++++++++++++++---
+ 1 file changed, 25 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/platform/x86/intel-vbtn.c b/drivers/platform/x86/intel-vbtn.c
+index 0bcfa20dd614..e42203776727 100644
+--- a/drivers/platform/x86/intel-vbtn.c
++++ b/drivers/platform/x86/intel-vbtn.c
+@@ -39,14 +39,20 @@ static const struct key_entry intel_vbtn_keymap[] = {
+ { KE_IGNORE, 0xC7, { KEY_VOLUMEDOWN } }, /* volume-down key release */
+ { KE_KEY, 0xC8, { KEY_ROTATE_LOCK_TOGGLE } }, /* rotate-lock key press */
+ { KE_KEY, 0xC9, { KEY_ROTATE_LOCK_TOGGLE } }, /* rotate-lock key release */
++};
++
++static const struct key_entry intel_vbtn_switchmap[] = {
+ { KE_SW, 0xCA, { .sw = { SW_DOCK, 1 } } }, /* Docked */
+ { KE_SW, 0xCB, { .sw = { SW_DOCK, 0 } } }, /* Undocked */
+ { KE_SW, 0xCC, { .sw = { SW_TABLET_MODE, 1 } } }, /* Tablet */
+ { KE_SW, 0xCD, { .sw = { SW_TABLET_MODE, 0 } } }, /* Laptop */
+- { KE_END },
+ };
+
++#define KEYMAP_LEN \
++ (ARRAY_SIZE(intel_vbtn_keymap) + ARRAY_SIZE(intel_vbtn_switchmap) + 1)
++
+ struct intel_vbtn_priv {
++ struct key_entry keymap[KEYMAP_LEN];
+ struct input_dev *input_dev;
+ bool wakeup_mode;
+ };
+@@ -54,13 +60,29 @@ struct intel_vbtn_priv {
+ static int intel_vbtn_input_setup(struct platform_device *device)
+ {
+ struct intel_vbtn_priv *priv = dev_get_drvdata(&device->dev);
+- int ret;
++ int ret, keymap_len = 0;
++
++ if (true) {
++ memcpy(&priv->keymap[keymap_len], intel_vbtn_keymap,
++ ARRAY_SIZE(intel_vbtn_keymap) *
++ sizeof(struct key_entry));
++ keymap_len += ARRAY_SIZE(intel_vbtn_keymap);
++ }
++
++ if (true) {
++ memcpy(&priv->keymap[keymap_len], intel_vbtn_switchmap,
++ ARRAY_SIZE(intel_vbtn_switchmap) *
++ sizeof(struct key_entry));
++ keymap_len += ARRAY_SIZE(intel_vbtn_switchmap);
++ }
++
++ priv->keymap[keymap_len].type = KE_END;
+
+ priv->input_dev = devm_input_allocate_device(&device->dev);
+ if (!priv->input_dev)
+ return -ENOMEM;
+
+- ret = sparse_keymap_setup(priv->input_dev, intel_vbtn_keymap, NULL);
++ ret = sparse_keymap_setup(priv->input_dev, priv->keymap, NULL);
+ if (ret)
+ return ret;
+
+--
+2.25.1
+
diff --git a/queue-4.19/platform-x86-intel-vbtn-use-acpi_evaluate_integer.patch b/queue-4.19/platform-x86-intel-vbtn-use-acpi_evaluate_integer.patch
new file mode 100644
index 00000000000..b73d923cde1
--- /dev/null
+++ b/queue-4.19/platform-x86-intel-vbtn-use-acpi_evaluate_integer.patch
@@ -0,0 +1,64 @@
+From 7c79f82eb86d7f0050b9ec307a8e994fe65a8cb1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 2 May 2020 20:29:47 +0200
+Subject: platform/x86: intel-vbtn: Use acpi_evaluate_integer()
+
+From: Hans de Goede
+
+[ Upstream commit 18937875a231d831c309716d6d8fc358f8381881 ]
+
+Use acpi_evaluate_integer() instead of open-coding it.
+
+This is a preparation patch for adding a intel_vbtn_has_switches()
+helper function.
+
+Fixes: de9647efeaa9 ("platform/x86: intel-vbtn: Only activate tablet mode switch on 2-in-1's")
+Signed-off-by: Hans de Goede
+Signed-off-by: Andy Shevchenko
+Signed-off-by: Sasha Levin
+---
+ drivers/platform/x86/intel-vbtn.c | 19 ++++++-------------
+ 1 file changed, 6 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/platform/x86/intel-vbtn.c b/drivers/platform/x86/intel-vbtn.c
+index a0d0cecff55f..0bcfa20dd614 100644
+--- a/drivers/platform/x86/intel-vbtn.c
++++ b/drivers/platform/x86/intel-vbtn.c
+@@ -118,28 +118,21 @@ static void detect_tablet_mode(struct platform_device *device)
+ const char *chassis_type = dmi_get_system_info(DMI_CHASSIS_TYPE);
+ struct intel_vbtn_priv *priv = dev_get_drvdata(&device->dev);
+ acpi_handle handle = ACPI_HANDLE(&device->dev);
+- struct acpi_buffer vgbs_output = { ACPI_ALLOCATE_BUFFER, NULL };
+- union acpi_object *obj;
++ unsigned long long vgbs;
+ acpi_status status;
+ int m;
+
+ if (!(chassis_type && strcmp(chassis_type, "31") == 0))
+- goto out;
++ return;
+
+- status = acpi_evaluate_object(handle, "VGBS", NULL, &vgbs_output);
++ status = acpi_evaluate_integer(handle, "VGBS", NULL, &vgbs);
+ if (ACPI_FAILURE(status))
+- goto out;
+-
+- obj = vgbs_output.pointer;
+- if (!(obj && obj->type == ACPI_TYPE_INTEGER))
+- goto out;
++ return;
+
+- m = !(obj->integer.value & TABLET_MODE_FLAG);
++ m = !(vgbs & TABLET_MODE_FLAG);
+ input_report_switch(priv->input_dev, SW_TABLET_MODE, m);
+- m = (obj->integer.value & DOCK_MODE_FLAG) ? 1 : 0;
++ m = (vgbs & DOCK_MODE_FLAG) ? 1 : 0;
+ input_report_switch(priv->input_dev, SW_DOCK, m);
+-out:
+- kfree(vgbs_output.pointer);
+ }
+
+ static int intel_vbtn_probe(struct platform_device *device)
+--
+2.25.1
+
diff --git a/queue-4.19/powerpc-spufs-fix-copy_to_user-while-atomic.patch b/queue-4.19/powerpc-spufs-fix-copy_to_user-while-atomic.patch
new file mode 100644
index 00000000000..feb34bc1fcb
--- /dev/null
+++ b/queue-4.19/powerpc-spufs-fix-copy_to_user-while-atomic.patch
@@ -0,0 +1,284 @@
+From bda23d5fc6e76679b6dfb567b985d78d727afe80 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 5 May 2020 12:12:50 +0200
+Subject: powerpc/spufs: fix copy_to_user while atomic
+
+From: Jeremy Kerr
+
+[ Upstream commit 88413a6bfbbe2f648df399b62f85c934460b7a4d ]
+
+Currently, we may perform a copy_to_user (through
+simple_read_from_buffer()) while holding a context's register_lock,
+while accessing the context save area.
+
+This change uses a temporary buffer for the context save area data,
+which we then pass to simple_read_from_buffer.
+
+Includes changes from Christoph Hellwig .
+
+Fixes: bf1ab978be23 ("[POWERPC] coredump: Add SPU elf notes to coredump.")
+Signed-off-by: Jeremy Kerr
+Reviewed-by: Arnd Bergmann
+[hch: renamed to function to avoid ___-prefixes]
+Signed-off-by: Christoph Hellwig
+Signed-off-by: Al Viro
+Signed-off-by: Sasha Levin
+---
+ arch/powerpc/platforms/cell/spufs/file.c | 113 +++++++++++++++--------
+ 1 file changed, 75 insertions(+), 38 deletions(-)
+
+diff --git a/arch/powerpc/platforms/cell/spufs/file.c b/arch/powerpc/platforms/cell/spufs/file.c
+index 43e7b93f27c7..d16adcd93921 100644
+--- a/arch/powerpc/platforms/cell/spufs/file.c
++++ b/arch/powerpc/platforms/cell/spufs/file.c
+@@ -1991,8 +1991,9 @@ static ssize_t __spufs_mbox_info_read(struct spu_context *ctx,
+ static ssize_t spufs_mbox_info_read(struct file *file, char __user *buf,
+ size_t len, loff_t *pos)
+ {
+- int ret;
+ struct spu_context *ctx = file->private_data;
++ u32 stat, data;
++ int ret;
+
+ if (!access_ok(VERIFY_WRITE, buf, len))
+ return -EFAULT;
+@@ -2001,11 +2002,16 @@ static ssize_t spufs_mbox_info_read(struct file *file, char __user *buf,
+ if (ret)
+ return ret;
+ spin_lock(&ctx->csa.register_lock);
+- ret = __spufs_mbox_info_read(ctx, buf, len, pos);
++ stat = ctx->csa.prob.mb_stat_R;
++ data = ctx->csa.prob.pu_mb_R;
+ spin_unlock(&ctx->csa.register_lock);
+ spu_release_saved(ctx);
+
+- return ret;
++ /* EOF if there's no entry in the mbox */
++ if (!(stat & 0x0000ff))
++ return 0;
++
++ return simple_read_from_buffer(buf, len, pos, &data, sizeof(data));
+ }
+
+ static const struct file_operations spufs_mbox_info_fops = {
+@@ -2032,6 +2038,7 @@ static ssize_t spufs_ibox_info_read(struct file *file, char __user *buf,
+ size_t len, loff_t *pos)
+ {
+ struct spu_context *ctx = file->private_data;
++ u32 stat, data;
+ int ret;
+
+ if (!access_ok(VERIFY_WRITE, buf, len))
+@@ -2041,11 +2048,16 @@ static ssize_t spufs_ibox_info_read(struct file *file, char __user *buf,
+ if (ret)
+ return ret;
+ spin_lock(&ctx->csa.register_lock);
+- ret = __spufs_ibox_info_read(ctx, buf, len, pos);
++ stat = ctx->csa.prob.mb_stat_R;
++ data = ctx->csa.priv2.puint_mb_R;
+ spin_unlock(&ctx->csa.register_lock);
+ spu_release_saved(ctx);
+
+- return ret;
++ /* EOF if there's no entry in the ibox */
++ if (!(stat & 0xff0000))
++ return 0;
++
++ return simple_read_from_buffer(buf, len, pos, &data, sizeof(data));
+ }
+
+ static const struct file_operations spufs_ibox_info_fops = {
+@@ -2054,6 +2066,11 @@ static const struct file_operations spufs_ibox_info_fops = {
+ .llseek = generic_file_llseek,
+ };
+
++static size_t spufs_wbox_info_cnt(struct spu_context *ctx)
++{
++ return (4 - ((ctx->csa.prob.mb_stat_R & 0x00ff00) >> 8)) * sizeof(u32);
++}
++
+ static ssize_t __spufs_wbox_info_read(struct spu_context *ctx,
+ char __user *buf, size_t len, loff_t *pos)
+ {
+@@ -2062,7 +2079,7 @@ static ssize_t __spufs_wbox_info_read(struct spu_context *ctx,
+ u32 wbox_stat;
+
+ wbox_stat = ctx->csa.prob.mb_stat_R;
+- cnt = 4 - ((wbox_stat & 0x00ff00) >> 8);
++ cnt = spufs_wbox_info_cnt(ctx);
+ for (i = 0; i < cnt; i++) {
+ data[i] = ctx->csa.spu_mailbox_data[i];
+ }
+@@ -2075,7 +2092,8 @@ static ssize_t spufs_wbox_info_read(struct file *file, char __user *buf,
+ size_t len, loff_t *pos)
+ {
+ struct spu_context *ctx = file->private_data;
+- int ret;
++ u32 data[ARRAY_SIZE(ctx->csa.spu_mailbox_data)];
++ int ret, count;
+
+ if (!access_ok(VERIFY_WRITE, buf, len))
+ return -EFAULT;
+@@ -2084,11 +2102,13 @@ static ssize_t spufs_wbox_info_read(struct file *file, char __user *buf,
+ if (ret)
+ return ret;
+ spin_lock(&ctx->csa.register_lock);
+- ret = __spufs_wbox_info_read(ctx, buf, len, pos);
++ count = spufs_wbox_info_cnt(ctx);
++ memcpy(&data, &ctx->csa.spu_mailbox_data, sizeof(data));
+ spin_unlock(&ctx->csa.register_lock);
+ spu_release_saved(ctx);
+
+- return ret;
++ return simple_read_from_buffer(buf, len, pos, &data,
++ count * sizeof(u32));
+ }
+
+ static const struct file_operations spufs_wbox_info_fops = {
+@@ -2097,27 +2117,33 @@ static const struct file_operations spufs_wbox_info_fops = {
+ .llseek = generic_file_llseek,
+ };
+
+-static ssize_t __spufs_dma_info_read(struct spu_context *ctx,
+- char __user *buf, size_t len, loff_t *pos)
++static void spufs_get_dma_info(struct spu_context *ctx,
++ struct spu_dma_info *info)
+ {
+- struct spu_dma_info info;
+- struct mfc_cq_sr *qp, *spuqp;
+ int i;
+
+- info.dma_info_type = ctx->csa.priv2.spu_tag_status_query_RW;
+- info.dma_info_mask = ctx->csa.lscsa->tag_mask.slot[0];
+- info.dma_info_status = ctx->csa.spu_chnldata_RW[24];
+- info.dma_info_stall_and_notify = ctx->csa.spu_chnldata_RW[25];
+- info.dma_info_atomic_command_status = ctx->csa.spu_chnldata_RW[27];
++ info->dma_info_type = ctx->csa.priv2.spu_tag_status_query_RW;
++ info->dma_info_mask = ctx->csa.lscsa->tag_mask.slot[0];
++ info->dma_info_status = ctx->csa.spu_chnldata_RW[24];
++ info->dma_info_stall_and_notify = ctx->csa.spu_chnldata_RW[25];
++ info->dma_info_atomic_command_status = ctx->csa.spu_chnldata_RW[27];
+ for (i = 0; i < 16; i++) {
+- qp = &info.dma_info_command_data[i];
+- spuqp = &ctx->csa.priv2.spuq[i];
++ struct mfc_cq_sr *qp = &info->dma_info_command_data[i];
++ struct mfc_cq_sr *spuqp = &ctx->csa.priv2.spuq[i];
+
+ qp->mfc_cq_data0_RW = spuqp->mfc_cq_data0_RW;
+ qp->mfc_cq_data1_RW = spuqp->mfc_cq_data1_RW;
+ qp->mfc_cq_data2_RW = spuqp->mfc_cq_data2_RW;
+ qp->mfc_cq_data3_RW = spuqp->mfc_cq_data3_RW;
+ }
++}
++
++static ssize_t __spufs_dma_info_read(struct spu_context *ctx,
++ char __user *buf, size_t len, loff_t *pos)
++{
++ struct spu_dma_info info;
++
++ spufs_get_dma_info(ctx, &info);
+
+ return simple_read_from_buffer(buf, len, pos, &info,
+ sizeof info);
+@@ -2127,6 +2153,7 @@ static ssize_t spufs_dma_info_read(struct file *file, char __user *buf,
+ size_t len, loff_t *pos)
+ {
+ struct spu_context *ctx = file->private_data;
++ struct spu_dma_info info;
+ int ret;
+
+ if (!access_ok(VERIFY_WRITE, buf, len))
+@@ -2136,11 +2163,12 @@ static ssize_t spufs_dma_info_read(struct file *file, char __user *buf,
+ if (ret)
+ return ret;
+ spin_lock(&ctx->csa.register_lock);
+- ret = __spufs_dma_info_read(ctx, buf, len, pos);
++ spufs_get_dma_info(ctx, &info);
+ spin_unlock(&ctx->csa.register_lock);
+ spu_release_saved(ctx);
+
+- return ret;
++ return simple_read_from_buffer(buf, len, pos, &info,
++ sizeof(info));
+ }
+
+ static const struct file_operations spufs_dma_info_fops = {
+@@ -2149,13 +2177,31 @@ static const struct file_operations spufs_dma_info_fops = {
+ .llseek = no_llseek,
+ };
+
++static void spufs_get_proxydma_info(struct spu_context *ctx,
++ struct spu_proxydma_info *info)
++{
++ int i;
++
++ info->proxydma_info_type = ctx->csa.prob.dma_querytype_RW;
++ info->proxydma_info_mask = ctx->csa.prob.dma_querymask_RW;
++ info->proxydma_info_status = ctx->csa.prob.dma_tagstatus_R;
++
++ for (i = 0; i < 8; i++) {
++ struct mfc_cq_sr *qp = &info->proxydma_info_command_data[i];
++ struct mfc_cq_sr *puqp = &ctx->csa.priv2.puq[i];
++
++ qp->mfc_cq_data0_RW = puqp->mfc_cq_data0_RW;
++ qp->mfc_cq_data1_RW = puqp->mfc_cq_data1_RW;
++ qp->mfc_cq_data2_RW = puqp->mfc_cq_data2_RW;
++ qp->mfc_cq_data3_RW = puqp->mfc_cq_data3_RW;
++ }
++}
++
+ static ssize_t __spufs_proxydma_info_read(struct spu_context *ctx,
+ char __user *buf, size_t len, loff_t *pos)
+ {
+ struct spu_proxydma_info info;
+- struct mfc_cq_sr *qp, *puqp;
+ int ret = sizeof info;
+- int i;
+
+ if (len < ret)
+ return -EINVAL;
+@@ -2163,18 +2209,7 @@ static ssize_t __spufs_proxydma_info_read(struct spu_context *ctx,
+ if (!access_ok(VERIFY_WRITE, buf, len))
+ return -EFAULT;
+
+- info.proxydma_info_type = ctx->csa.prob.dma_querytype_RW;
+- info.proxydma_info_mask = ctx->csa.prob.dma_querymask_RW;
+- info.proxydma_info_status = ctx->csa.prob.dma_tagstatus_R;
+- for (i = 0; i < 8; i++) {
+- qp = &info.proxydma_info_command_data[i];
+- puqp = &ctx->csa.priv2.puq[i];
+-
+- qp->mfc_cq_data0_RW = puqp->mfc_cq_data0_RW;
+- qp->mfc_cq_data1_RW = puqp->mfc_cq_data1_RW;
+- qp->mfc_cq_data2_RW = puqp->mfc_cq_data2_RW;
+- qp->mfc_cq_data3_RW = puqp->mfc_cq_data3_RW;
+- }
++ spufs_get_proxydma_info(ctx, &info);
+
+ return simple_read_from_buffer(buf, len, pos, &info,
+ sizeof info);
+@@ -2184,17 +2219,19 @@ static ssize_t spufs_proxydma_info_read(struct file *file, char __user *buf,
+ size_t len, loff_t *pos)
+ {
+ struct spu_context *ctx = file->private_data;
++ struct spu_proxydma_info info;
+ int ret;
+
+ ret = spu_acquire_saved(ctx);
+ if (ret)
+ return ret;
+ spin_lock(&ctx->csa.register_lock);
+- ret = __spufs_proxydma_info_read(ctx, buf, len, pos);
++ spufs_get_proxydma_info(ctx, &info);
+ spin_unlock(&ctx->csa.register_lock);
+ spu_release_saved(ctx);
+
+- return ret;
++ return simple_read_from_buffer(buf, len, pos, &info,
++ sizeof(info));
+ }
+
+ static const struct file_operations spufs_proxydma_info_fops = {
+--
+2.25.1
+
diff --git a/queue-4.19/rtlwifi-fix-a-double-free-in-_rtl_usb_tx_urb_setup.patch b/queue-4.19/rtlwifi-fix-a-double-free-in-_rtl_usb_tx_urb_setup.patch
new file mode 100644
index 00000000000..37f8eb1bbef
--- /dev/null
+++ b/queue-4.19/rtlwifi-fix-a-double-free-in-_rtl_usb_tx_urb_setup.patch
@@ -0,0 +1,62 @@ +From 13c551b556101c1fb5bb56319b4eca33a6da456c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 May 2020 12:39:51 +0300 +Subject: rtlwifi: Fix a double free in _rtl_usb_tx_urb_setup() + +From: Dan Carpenter + +[ Upstream commit beb12813bc75d4a23de43b85ad1c7cb28d27631e ] + +Seven years ago we tried to fix a leak but actually introduced a double +free instead. It was an understandable mistake because the code was a +bit confusing and the free was done in the wrong place. The "skb" +pointer is freed in both _rtl_usb_tx_urb_setup() and _rtl_usb_transmit(). +The free belongs _rtl_usb_transmit() instead of _rtl_usb_tx_urb_setup() +and I've cleaned the code up a bit to hopefully make it more clear. + +Fixes: 36ef0b473fbf ("rtlwifi: usb: add missing freeing of skbuff") +Signed-off-by: Dan Carpenter +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200513093951.GD347693@mwanda +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtlwifi/usb.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/usb.c b/drivers/net/wireless/realtek/rtlwifi/usb.c +index 1181b725f503..1893640555c1 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/usb.c ++++ b/drivers/net/wireless/realtek/rtlwifi/usb.c +@@ -910,10 +910,8 @@ static struct urb *_rtl_usb_tx_urb_setup(struct ieee80211_hw *hw, + + WARN_ON(NULL == skb); + _urb = usb_alloc_urb(0, GFP_ATOMIC); +- if (!_urb) { +- kfree_skb(skb); ++ if (!_urb) + return NULL; +- } + _rtl_install_trx_info(rtlusb, skb, ep_num); + usb_fill_bulk_urb(_urb, rtlusb->udev, usb_sndbulkpipe(rtlusb->udev, + ep_num), skb->data, skb->len, _rtl_tx_complete, skb); +@@ -927,7 +925,6 @@ static void _rtl_usb_transmit(struct ieee80211_hw *hw, struct sk_buff *skb, + struct rtl_usb *rtlusb = rtl_usbdev(rtl_usbpriv(hw)); + u32 ep_num; + struct urb *_urb = NULL; +- struct sk_buff *_skb = NULL; + + WARN_ON(NULL == rtlusb->usb_tx_aggregate_hdl); + if 
(unlikely(IS_USB_STOP(rtlusb))) { +@@ -936,8 +933,7 @@ static void _rtl_usb_transmit(struct ieee80211_hw *hw, struct sk_buff *skb, + return; + } + ep_num = rtlusb->ep_map.ep_mapping[qnum]; +- _skb = skb; +- _urb = _rtl_usb_tx_urb_setup(hw, _skb, ep_num); ++ _urb = _rtl_usb_tx_urb_setup(hw, skb, ep_num); + if (unlikely(!_urb)) { + pr_err("Can't allocate urb. Drop skb!\n"); + kfree_skb(skb); +-- +2.25.1 + diff --git a/queue-4.19/sched-core-fix-illegal-rcu-from-offline-cpus.patch b/queue-4.19/sched-core-fix-illegal-rcu-from-offline-cpus.patch new file mode 100644 index 00000000000..b50c84bdd21 --- /dev/null +++ b/queue-4.19/sched-core-fix-illegal-rcu-from-offline-cpus.patch 
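Review bot: Nothing in the new code records who owns `skb` when `_rtl_usb_tx_urb_setup()` fails, which is the rule the earlier double free got wrong. After this change the `!_urb` branch returns NULL without freeing, and the `unlikely(!_urb)` branch in `_rtl_usb_transmit()` holds the only `kfree_skb(skb)` visible here. A comment above `_rtl_usb_tx_urb_setup()` would help keep that from regressing: `/* Returns NULL on allocation failure; skb is not freed here, the caller still owns it. */`. Both functions continue outside the hunks shown, so their other return paths could not be checked.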
@@ -0,0 +1,154 @@ +From 097fdd238fddb1abfdee5086cb4354987c1f3b37 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Apr 2020 17:40:33 -0400 +Subject: sched/core: Fix illegal RCU from offline CPUs + +From: Peter Zijlstra + +[ Upstream commit bf2c59fce4074e55d622089b34be3a6bc95484fb ] + +In the CPU-offline process, it calls mmdrop() after idle entry and the +subsequent call to cpuhp_report_idle_dead(). Once execution passes the +call to rcu_report_dead(), RCU is ignoring the CPU, which results in +lockdep complaining when mmdrop() uses RCU from either memcg or +debugobjects below. + +Fix it by cleaning up the active_mm state from BP instead. Every arch +which has CONFIG_HOTPLUG_CPU should have already called idle_task_exit() +from AP. The only exception is parisc because it switches them to +&init_mm unconditionally (see smp_boot_one_cpu() and smp_cpu_init()), +but the patch will still work there because it calls mmgrab(&init_mm) in +smp_cpu_init() and then should call mmdrop(&init_mm) in finish_cpu(). + + WARNING: suspicious RCU usage + ----------------------------- + kernel/workqueue.c:710 RCU or wq_pool_mutex should be held! + + other info that might help us debug this: + + RCU used illegally from offline CPU! 
+ Call Trace: + dump_stack+0xf4/0x164 (unreliable) + lockdep_rcu_suspicious+0x140/0x164 + get_work_pool+0x110/0x150 + __queue_work+0x1bc/0xca0 + queue_work_on+0x114/0x120 + css_release+0x9c/0xc0 + percpu_ref_put_many+0x204/0x230 + free_pcp_prepare+0x264/0x570 + free_unref_page+0x38/0xf0 + __mmdrop+0x21c/0x2c0 + idle_task_exit+0x170/0x1b0 + pnv_smp_cpu_kill_self+0x38/0x2e0 + cpu_die+0x48/0x64 + arch_cpu_idle_dead+0x30/0x50 + do_idle+0x2f4/0x470 + cpu_startup_entry+0x38/0x40 + start_secondary+0x7a8/0xa80 + start_secondary_resume+0x10/0x14 + +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Qian Cai +Signed-off-by: Peter Zijlstra (Intel) +Acked-by: Michael Ellerman (powerpc) +Link: https://lkml.kernel.org/r/20200401214033.8448-1-cai@lca.pw +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/powernv/smp.c | 1 - + include/linux/sched/mm.h | 2 ++ + kernel/cpu.c | 18 +++++++++++++++++- + kernel/sched/core.c | 5 +++-- + 4 files changed, 22 insertions(+), 4 deletions(-) + +diff --git a/arch/powerpc/platforms/powernv/smp.c b/arch/powerpc/platforms/powernv/smp.c +index 3d3c989e44dd..8d49ba370c50 100644 +--- a/arch/powerpc/platforms/powernv/smp.c ++++ b/arch/powerpc/platforms/powernv/smp.c +@@ -171,7 +171,6 @@ static void pnv_smp_cpu_kill_self(void) + /* Standard hot unplug procedure */ + + idle_task_exit(); +- current->active_mm = NULL; /* for sanity */ + cpu = smp_processor_id(); + DBG("CPU%d offline\n", cpu); + generic_set_cpu_dead(cpu); +diff --git a/include/linux/sched/mm.h b/include/linux/sched/mm.h +index e9d4e389aed9..766bbe813861 100644 +--- a/include/linux/sched/mm.h ++++ b/include/linux/sched/mm.h +@@ -49,6 +49,8 @@ static inline void mmdrop(struct mm_struct *mm) + __mmdrop(mm); + } + ++void mmdrop(struct mm_struct *mm); ++ + /* + * This has to be called after a get_task_mm()/mmget_not_zero() + * followed by taking the mmap_sem for writing before modifying the +diff --git a/kernel/cpu.c b/kernel/cpu.c +index 6d6c106a495c..08b9d6ba0807 100644 +--- 
a/kernel/cpu.c ++++ b/kernel/cpu.c +@@ -3,6 +3,7 @@ + * + * This code is licenced under the GPL. + */ ++#include + #include + #include + #include +@@ -532,6 +533,21 @@ static int bringup_cpu(unsigned int cpu) + return bringup_wait_for_ap(cpu); + } + ++static int finish_cpu(unsigned int cpu) ++{ ++ struct task_struct *idle = idle_thread_get(cpu); ++ struct mm_struct *mm = idle->active_mm; ++ ++ /* ++ * idle_task_exit() will have switched to &init_mm, now ++ * clean up any remaining active_mm state. ++ */ ++ if (mm != &init_mm) ++ idle->active_mm = &init_mm; ++ mmdrop(mm); ++ return 0; ++} ++ + /* + * Hotplug state machine related functions + */ +@@ -1379,7 +1395,7 @@ static struct cpuhp_step cpuhp_hp_states[] = { + [CPUHP_BRINGUP_CPU] = { + .name = "cpu:bringup", + .startup.single = bringup_cpu, +- .teardown.single = NULL, ++ .teardown.single = finish_cpu, + .cant_stop = true, + }, + /* Final state before CPU kills itself */ +diff --git a/kernel/sched/core.c b/kernel/sched/core.c +index 2befd2c4ce9e..0325ccf3a8e4 100644 +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -5571,13 +5571,14 @@ void idle_task_exit(void) + struct mm_struct *mm = current->active_mm; + + BUG_ON(cpu_online(smp_processor_id())); ++ BUG_ON(current != this_rq()->idle); + + if (mm != &init_mm) { + switch_mm(mm, &init_mm, current); +- current->active_mm = &init_mm; + finish_arch_post_lock_switch(); + } +- mmdrop(mm); ++ ++ /* finish_cpu(), as ran on the BP, will clean up the active_mm state */ + } + + /* +-- +2.25.1 + diff --git a/queue-4.19/selftests-bpf-fix-memory-leak-in-extract_build_id.patch b/queue-4.19/selftests-bpf-fix-memory-leak-in-extract_build_id.patch new file mode 100644 index 00000000000..03b77a04846 --- /dev/null +++ b/queue-4.19/selftests-bpf-fix-memory-leak-in-extract_build_id.patch 
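Review bot: The prototype added in include/linux/sched/mm.h, `void mmdrop(struct mm_struct *mm);`, appears to be redundant. The hunk context places it directly after the closing brace of `static inline void mmdrop(struct mm_struct *mm)` in the same header, so every includer already sees the definition. A reader could take the extra declaration to mean an out-of-line definition exists somewhere; dropping the line would avoid that. Separately, `finish_cpu()` calls `mmdrop(mm)` unconditionally, and a comment naming the reference it pairs with would help, e.g. `/* drops the active_mm reference that idle_task_exit() no longer releases */`.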
@@ -0,0 +1,36 @@
+From 67b7fa9ae8f17021b64bb6abca696128427660a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 28 Apr 2020 18:21:06 -0700
+Subject: selftests/bpf: Fix memory leak in extract_build_id()
+
+From: Andrii Nakryiko
+
+[ Upstream commit 9f56bb531a809ecaa7f0ddca61d2cf3adc1cb81a ]
+
+getline() allocates string, which has to be freed.
+
+Fixes: 81f77fd0deeb ("bpf: add selftest for stackmap with BPF_F_STACK_BUILD_ID")
+Signed-off-by: Andrii Nakryiko
+Signed-off-by: Alexei Starovoitov
+Cc: Song Liu
+Link: https://lore.kernel.org/bpf/20200429012111.277390-7-andriin@fb.com
+Signed-off-by: Sasha Levin
+---
+ tools/testing/selftests/bpf/test_progs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/testing/selftests/bpf/test_progs.c b/tools/testing/selftests/bpf/test_progs.c
+index 89f8b0dae7ef..bad3505d66e0 100644
+--- a/tools/testing/selftests/bpf/test_progs.c
++++ b/tools/testing/selftests/bpf/test_progs.c
+@@ -1118,6 +1118,7 @@ static int extract_build_id(char *build_id, size_t size)
+ len = size;
+ memcpy(build_id, line, len);
+ build_id[len] = '\0';
++ free(line);
+ return 0;
+ err:
+ fclose(fp);
+--
+2.25.1
+
diff --git a/queue-4.19/series b/queue-4.19/series
index 4e4e19962ed..0af5a334f4e 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
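Review bot: The added `free(line)` covers only the success return; the `err:` label just below it still goes to `fclose(fp)` without releasing the buffer. getline() can leave an allocated buffer behind even when it fails, so the error path should release it too, with `free(line);` ahead of the `fclose(fp);` under `err:` (free(NULL) is harmless if nothing was allocated). The start of extract_build_id() is outside the hunk, so whether `line` starts out as NULL and which calls jump to `err:` should be confirmed. The context lines are also worth a look: after `len = size`, `build_id[len] = '\0'` writes at index `size`, which is one past the end if `size` is the full length of the caller's buffer.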
@@ -91,3 +91,97 @@ mmc-sdio-fix-potential-null-pointer-error-in-mmc_sdio_init_card.patch xen-pvcalls-back-test-for-errors-when-calling-backend_connect.patch kvm-arm64-synchronize-sysreg-state-on-injecting-an-aarch32-exception.patch acpi-ged-use-correct-trigger-type-field-in-_exx-_lxx-handling.patch +drm-bridge-adv7511-extend-list-of-audio-sample-rates.patch +crypto-ccp-don-t-select-config_dmadevices.patch +media-si2157-better-check-for-running-tuner-in-init.patch +objtool-ignore-empty-alternatives.patch +spi-pxa2xx-apply-cs-clk-quirk-to-bxt.patch +net-atlantic-make-hw_get_regs-optional.patch +net-ena-fix-error-returning-in-ena_com_get_hash_func.patch +efi-libstub-x86-work-around-llvm-elf-quirk-build-reg.patch +arm64-cacheflush-fix-kgdb-trap-detection.patch +spi-dw-zero-dma-tx-and-rx-configurations-on-stack.patch +arm64-insn-fix-two-bugs-in-encoding-32-bit-logical-i.patch +ixgbe-fix-xdp-redirect-on-archs-with-page_size-above.patch +mips-loongson-build-ati-radeon-gpu-driver-as-module.patch +bluetooth-add-sco-fallback-for-invalid-lmp-parameter.patch +kgdb-disable-warn_console_unlocked-for-all-kgdb.patch +kgdb-prevent-infinite-recursive-entries-to-the-debug.patch +spi-dw-enable-interrupts-in-accordance-with-dma-xfer.patch +clocksource-dw_apb_timer-make-cpu-affiliation-being-.patch +clocksource-dw_apb_timer_of-fix-missing-clockevent-t.patch +btrfs-do-not-ignore-error-from-btrfs_next_leaf-when-.patch +arm-8978-1-mm-make-act_mm-respect-thread_size.patch +batman-adv-revert-disable-ethtool-link-speed-detecti.patch +mmc-meson-mx-sdio-trigger-a-soft-reset-after-a-timeo.patch +spi-dw-fix-rx-only-dma-transfers.patch +x86-kvm-hyper-v-explicitly-align-hcall-param-for-kvm.patch +net-vmxnet3-fix-possible-buffer-overflow-caused-by-b.patch +staging-android-ion-use-vmap-instead-of-vm_map_ram.patch +brcmfmac-fix-wrong-location-to-get-firmware-feature.patch +tools-api-fs-make-xxx__mountpoint-more-scalable.patch +e1000-distribute-switch-variables-for-initialization.patch 
+dt-bindings-display-mediatek-control-dpi-pins-mode-t.patch +audit-fix-a-net-reference-leak-in-audit_send_reply.patch +media-dvb-return-eremoteio-on-i2c-transfer-failure.patch +media-platform-fcp-set-appropriate-dma-parameters.patch +mips-make-sparse_init-using-top-down-allocation.patch +bluetooth-btbcm-add-2-missing-models-to-subver-table.patch +audit-fix-a-net-reference-leak-in-audit_list_rules_s.patch +netfilter-nft_nat-return-eopnotsupp-if-type-or-flags.patch +selftests-bpf-fix-memory-leak-in-extract_build_id.patch +net-bcmgenet-set-rx-mode-before-starting-netif.patch +lib-mpi-fix-64-bit-mips-build-with-clang.patch +exit-move-preemption-fixup-up-move-blocking-operatio.patch +sched-core-fix-illegal-rcu-from-offline-cpus.patch +drivers-perf-hisi-fix-typo-in-events-attribute-array.patch +net-lpc-enet-fix-error-return-code-in-lpc_mii_init.patch +media-cec-silence-shift-wrapping-warning-in-__cec_s_.patch +net-allwinner-fix-use-correct-return-type-for-ndo_st.patch +powerpc-spufs-fix-copy_to_user-while-atomic.patch +xfs-clean-up-the-error-handling-in-xfs_swap_extents.patch +crypto-chcr-fix-for-ccm-aes-failed-test.patch +mips-truncate-link-address-into-32bit-for-32bit-kern.patch +mips-cm-fix-an-invalid-error-code-of-intvn_-_err.patch +kgdb-fix-spurious-true-from-in_dbg_master.patch +xfs-reset-buffer-write-failure-state-on-successful-c.patch +xfs-fix-duplicate-verification-from-xfs_qm_dqflush.patch +platform-x86-intel-vbtn-use-acpi_evaluate_integer.patch +platform-x86-intel-vbtn-split-keymap-into-buttons-an.patch +platform-x86-intel-vbtn-do-not-advertise-switches-to.patch +platform-x86-intel-vbtn-also-handle-tablet-mode-swit.patch +nvme-refine-the-qemu-identify-cns-quirk.patch +ath10k-remove-msdu-from-idr-when-management-pkt-send.patch +wcn36xx-fix-error-handling-path-in-wcn36xx_probe.patch +net-qed-reduce-rx-and-tx-default-ring-count-when-run.patch +mt76-avoid-rx-reorder-buffer-overflow.patch +md-don-t-flush-workqueue-unconditionally-in-md_open.patch 
+veth-adjust-hard_start-offset-on-redirect-xdp-frames.patch +net-mlx5e-ipoib-drop-multicast-packets-that-this-int.patch +rtlwifi-fix-a-double-free-in-_rtl_usb_tx_urb_setup.patch +mwifiex-fix-memory-corruption-in-dump_station.patch +x86-boot-correct-relocation-destination-on-old-linke.patch +mips-maar-use-more-precise-address-mask.patch +mips-add-udelay-lpj-numbers-adjustment.patch +crypto-stm32-crc32-fix-ext4-chksum-bug_on.patch +crypto-stm32-crc32-fix-run-time-self-test-issue.patch +crypto-stm32-crc32-fix-multi-instance.patch +x86-mm-stop-printing-brk-addresses.patch +m68k-mac-don-t-call-via_flush_cache-on-mac-iifx.patch +btrfs-qgroup-mark-qgroup-inconsistent-if-we-re-inher.patch +net-ethernet-fec-move-gpr-register-offset-and-bit-in.patch +macvlan-skip-loopback-packets-in-rx-handler.patch +pci-don-t-disable-decoding-when-mmio_always_on-is-se.patch +mips-fix-irq-tracing-when-call-handle_fpe-and-handle.patch +bcache-fix-refcount-underflow-in-bcache_device_free.patch +mmc-sdhci-msm-set-sdhci_quirk_multiblock_read_acmd12.patch +staging-greybus-sdio-respect-the-cmd-busy_timeout-fr.patch +mmc-via-sdmmc-respect-the-cmd-busy_timeout-from-the-.patch +ixgbe-fix-signed-integer-overflow-warning.patch +mmc-sdhci-esdhc-imx-fix-the-mask-for-tuning-start-po.patch +spi-dw-return-any-value-retrieved-from-the-dma_trans.patch +cpuidle-fix-three-reference-count-leaks.patch +platform-x86-hp-wmi-convert-simple_strtoul-to-kstrto.patch +platform-x86-intel-hid-add-a-quirk-to-support-hp-spe.patch +platform-x86-intel-vbtn-only-blacklist-sw_tablet_mod.patch +string.h-fix-incompatibility-between-fortify_source-.patch diff --git a/queue-4.19/spi-dw-enable-interrupts-in-accordance-with-dma-xfer.patch b/queue-4.19/spi-dw-enable-interrupts-in-accordance-with-dma-xfer.patch new file mode 100644 index 00000000000..727832468c9 --- /dev/null +++ b/queue-4.19/spi-dw-enable-interrupts-in-accordance-with-dma-xfer.patch 
@@ -0,0 +1,70 @@
+From 180d25d8ef04c896123a86f88d04378f01dbb8ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 22 May 2020 03:07:51 +0300
+Subject: spi: dw: Enable interrupts in accordance with DMA xfer mode
+
+From: Serge Semin
+
+[ Upstream commit 43dba9f3f98c2b184a19f856f06fe22817bfd9e0 ]
+
+It's pointless to track the Tx overrun interrupts if Rx-only SPI
+transfer is issued. Similarly there is no need in handling the Rx
+overrun/underrun interrupts if Tx-only SPI transfer is executed.
+So lets unmask the interrupts only if corresponding SPI
+transactions are implied.
+
+Co-developed-by: Georgy Vlasov
+Signed-off-by: Georgy Vlasov
+Signed-off-by: Serge Semin
+Cc: Ramil Zaripov
+Cc: Alexey Malahov
+Cc: Thomas Bogendoerfer
+Cc: Paul Burton
+Cc: Ralf Baechle
+Cc: Arnd Bergmann
+Cc: Andy Shevchenko
+Cc: Rob Herring
+Cc: linux-mips@vger.kernel.org
+Cc: devicetree@vger.kernel.org
+Link: https://lore.kernel.org/r/20200522000806.7381-3-Sergey.Semin@baikalelectronics.ru
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/spi/spi-dw-mid.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/spi/spi-dw-mid.c b/drivers/spi/spi-dw-mid.c
+index f7ec8b98e6db..e1b34ef9a31c 100644
+--- a/drivers/spi/spi-dw-mid.c
++++ b/drivers/spi/spi-dw-mid.c
+@@ -228,19 +228,23 @@ static struct dma_async_tx_descriptor *dw_spi_dma_prepare_rx(struct dw_spi *dws,
+
+ static int mid_spi_dma_setup(struct dw_spi *dws, struct spi_transfer *xfer)
+ {
+- u16 dma_ctrl = 0;
++ u16 imr = 0, dma_ctrl = 0;
+
+ dw_writel(dws, DW_SPI_DMARDLR, 0xf);
+ dw_writel(dws, DW_SPI_DMATDLR, 0x10);
+
+- if (xfer->tx_buf)
++ if (xfer->tx_buf) {
+ dma_ctrl |= SPI_DMA_TDMAE;
+- if (xfer->rx_buf)
++ imr |= SPI_INT_TXOI;
++ }
++ if (xfer->rx_buf) {
+ dma_ctrl |= SPI_DMA_RDMAE;
++ imr |= SPI_INT_RXUI | SPI_INT_RXOI;
++ }
+ dw_writel(dws, DW_SPI_DMACR, dma_ctrl);
+
+ /* Set the interrupt mask */
+- spi_umask_intr(dws, SPI_INT_TXOI | SPI_INT_RXUI | SPI_INT_RXOI);
++ spi_umask_intr(dws, imr);
+
+ dws->transfer_handler = dma_transfer;
+
+--
+2.25.1
+
diff --git a/queue-4.19/spi-dw-fix-rx-only-dma-transfers.patch b/queue-4.19/spi-dw-fix-rx-only-dma-transfers.patch
new file mode 100644
index 00000000000..b807311cf82
--- /dev/null
+++ b/queue-4.19/spi-dw-fix-rx-only-dma-transfers.patch
@@ -0,0 +1,53 @@
+From af2292769a59792bf88ef93c3f2cf1223f3ef428 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 29 May 2020 16:11:57 +0300
+Subject: spi: dw: Fix Rx-only DMA transfers
+
+From: Serge Semin
+
+[ Upstream commit 46164fde6b7890e7a3982d54549947c8394c0192 ]
+
+Tx-only DMA transfers are working perfectly fine since in this case
+the code just ignores the Rx FIFO overflow interrupts. But it turns
+out the SPI Rx-only transfers are broken since nothing pushing any
+data to the shift registers, so the Rx FIFO is left empty and the
+SPI core subsystems just returns a timeout error. Since DW DMAC
+driver doesn't support something like cyclic write operations of
+a single byte to a device register, the only way to support the
+Rx-only SPI transfers is to fake it by using a dummy Tx-buffer.
+This is what we intend to fix in this commit by setting the
+SPI_CONTROLLER_MUST_TX flag for DMA-capable platform.
+
+Signed-off-by: Serge Semin
+Reviewed-by: Andy Shevchenko
+Cc: Georgy Vlasov
+Cc: Ramil Zaripov
+Cc: Alexey Malahov
+Cc: Thomas Bogendoerfer
+Cc: Arnd Bergmann
+Cc: Feng Tang
+Cc: Rob Herring
+Cc: linux-mips@vger.kernel.org
+Cc: devicetree@vger.kernel.org
+Link: https://lore.kernel.org/r/20200529131205.31838-9-Sergey.Semin@baikalelectronics.ru
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/spi/spi-dw.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/spi/spi-dw.c b/drivers/spi/spi-dw.c
+index ac888a3d03aa..3fbd6f01fb10 100644
+--- a/drivers/spi/spi-dw.c
++++ b/drivers/spi/spi-dw.c
+@@ -533,6 +533,7 @@ int dw_spi_add_host(struct device *dev, struct dw_spi *dws)
+ dws->dma_inited = 0;
+ } else {
+ master->can_dma = dws->dma_ops->can_dma;
++ master->flags |= SPI_CONTROLLER_MUST_TX;
+ }
+ }
+
+--
+2.25.1
+
diff --git a/queue-4.19/spi-dw-return-any-value-retrieved-from-the-dma_trans.patch b/queue-4.19/spi-dw-return-any-value-retrieved-from-the-dma_trans.patch
new file mode 100644
index 00000000000..278608463d0
--- /dev/null
+++ b/queue-4.19/spi-dw-return-any-value-retrieved-from-the-dma_trans.patch
@@ -0,0 +1,71 @@ +From 558f5fc6ef870a6506e28107d134b5915b1e2f12 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 May 2020 16:11:51 +0300 +Subject: spi: dw: Return any value retrieved from the dma_transfer callback + +From: Serge Semin + +[ Upstream commit f0410bbf7d0fb80149e3b17d11d31f5b5197873e ] + +DW APB SSI DMA-part of the driver may need to perform the requested +SPI-transfer synchronously. In that case the dma_transfer() callback +will return 0 as a marker of the SPI transfer being finished so the +SPI core doesn't need to wait and may proceed with the SPI message +trasnfers pumping procedure. This will be needed to fix the problem +when DMA transactions are finished, but there is still data left in +the SPI Tx/Rx FIFOs being sent/received. But for now make dma_transfer +to return 1 as the normal dw_spi_transfer_one() method. + +Signed-off-by: Serge Semin +Cc: Georgy Vlasov +Cc: Ramil Zaripov +Cc: Alexey Malahov +Cc: Thomas Bogendoerfer +Cc: Arnd Bergmann +Cc: Andy Shevchenko +Cc: Feng Tang +Cc: Rob Herring +Cc: linux-mips@vger.kernel.org +Cc: devicetree@vger.kernel.org +Link: https://lore.kernel.org/r/20200529131205.31838-3-Sergey.Semin@baikalelectronics.ru +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-dw-mid.c | 2 +- + drivers/spi/spi-dw.c | 7 ++----- + 2 files changed, 3 insertions(+), 6 deletions(-) + +diff --git a/drivers/spi/spi-dw-mid.c b/drivers/spi/spi-dw-mid.c +index e1b34ef9a31c..10f328558d55 100644 +--- a/drivers/spi/spi-dw-mid.c ++++ b/drivers/spi/spi-dw-mid.c +@@ -274,7 +274,7 @@ static int mid_spi_dma_transfer(struct dw_spi *dws, struct spi_transfer *xfer) + dma_async_issue_pending(dws->txchan); + } + +- return 0; ++ return 1; + } + + static void mid_spi_dma_stop(struct dw_spi *dws) +diff --git a/drivers/spi/spi-dw.c b/drivers/spi/spi-dw.c +index 3fbd6f01fb10..b1c137261d0f 100644 +--- a/drivers/spi/spi-dw.c ++++ b/drivers/spi/spi-dw.c +@@ -383,11 +383,8 @@ static int dw_spi_transfer_one(struct 
spi_controller *master, + + spi_enable_chip(dws, 1); + +- if (dws->dma_mapped) { +- ret = dws->dma_ops->dma_transfer(dws, transfer); +- if (ret < 0) +- return ret; +- } ++ if (dws->dma_mapped) ++ return dws->dma_ops->dma_transfer(dws, transfer); + + if (chip->poll_mode) + return poll_transfer(dws); +-- +2.25.1 + diff --git a/queue-4.19/spi-dw-zero-dma-tx-and-rx-configurations-on-stack.patch b/queue-4.19/spi-dw-zero-dma-tx-and-rx-configurations-on-stack.patch new file mode 100644 index 00000000000..28449eed742 --- /dev/null +++ b/queue-4.19/spi-dw-zero-dma-tx-and-rx-configurations-on-stack.patch 
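Review bot: The return-value contract this change depends on is stated only in the commit message, not next to the code: `mid_spi_dma_transfer()` now ends with a bare `return 1;` and `dw_spi_transfer_one()` passes that value straight back to the SPI core. A short comment at the return would make the meaning explicit, e.g. `/* 1: transfer still in flight, completion is signalled later; 0 would tell the SPI core it is already done */`. The early `return` in the `dws->dma_mapped` branch also skips whatever follows it in dw_spi_transfer_one(); the hunk shows the `chip->poll_mode` check and the rest of the function is outside it. That looks intended but is worth confirming.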
@@ -0,0 +1,48 @@
+From 6e51268c5f9d39a0042ffeca6adad3fc98c4c6b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 6 May 2020 18:30:18 +0300
+Subject: spi: dw: Zero DMA Tx and Rx configurations on stack
+
+From: Andy Shevchenko
+
+[ Upstream commit 3cb97e223d277f84171cc4ccecab31e08b2ee7b5 ]
+
+Some DMA controller drivers do not tolerate non-zero values in
+the DMA configuration structures. Zero them to avoid issues with
+such DMA controller drivers. Even despite above this is a good
+practice per se.
+
+Fixes: 7063c0d942a1 ("spi/dw_spi: add DMA support")
+Signed-off-by: Andy Shevchenko
+Acked-by: Feng Tang
+Cc: Feng Tang
+Link: https://lore.kernel.org/r/20200506153025.21441-1-andriy.shevchenko@linux.intel.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/spi/spi-dw-mid.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/spi/spi-dw-mid.c b/drivers/spi/spi-dw-mid.c
+index 3db905f5f345..f7ec8b98e6db 100644
+--- a/drivers/spi/spi-dw-mid.c
++++ b/drivers/spi/spi-dw-mid.c
+@@ -155,6 +155,7 @@ static struct dma_async_tx_descriptor *dw_spi_dma_prepare_tx(struct dw_spi *dws,
+ if (!xfer->tx_buf)
+ return NULL;
+
++ memset(&txconf, 0, sizeof(txconf));
+ txconf.direction = DMA_MEM_TO_DEV;
+ txconf.dst_addr = dws->dma_addr;
+ txconf.dst_maxburst = 16;
+@@ -201,6 +202,7 @@ static struct dma_async_tx_descriptor *dw_spi_dma_prepare_rx(struct dw_spi *dws,
+ if (!xfer->rx_buf)
+ return NULL;
+
++ memset(&rxconf, 0, sizeof(rxconf));
+ rxconf.direction = DMA_DEV_TO_MEM;
+ rxconf.src_addr = dws->dma_addr;
+ rxconf.src_maxburst = 16;
+--
+2.25.1
+
diff --git a/queue-4.19/spi-pxa2xx-apply-cs-clk-quirk-to-bxt.patch b/queue-4.19/spi-pxa2xx-apply-cs-clk-quirk-to-bxt.patch
new file mode 100644
index 00000000000..daa1b1daa2e
--- /dev/null
+++ b/queue-4.19/spi-pxa2xx-apply-cs-clk-quirk-to-bxt.patch
@@ -0,0 +1,44 @@
+From 2cea164ec59dafc120a5222790d0685b13143516 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 27 Apr 2020 16:32:48 -0700
+Subject: spi: pxa2xx: Apply CS clk quirk to BXT
+
+From: Evan Green
+
+[ Upstream commit 6eefaee4f2d366a389da0eb95e524ba82bf358c4 ]
+
+With a couple allies at Intel, and much badgering, I got confirmation
+from Intel that at least BXT suffers from the same SPI chip-select
+issue as Cannonlake (and beyond). The issue being that after going
+through runtime suspend/resume, toggling the chip-select line without
+also sending data does nothing.
+
+Add the quirk to BXT to briefly toggle dynamic clock gating off and
+on, forcing the fabric to wake up enough to notice the CS register
+change.
+
+Signed-off-by: Evan Green
+Cc: Shobhit Srivastava
+Cc: Andy Shevchenko
+Link: https://lore.kernel.org/r/20200427163238.1.Ib1faaabe236e37ea73be9b8dcc6aa034cb3c8804@changeid
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/spi/spi-pxa2xx.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/spi/spi-pxa2xx.c b/drivers/spi/spi-pxa2xx.c
+index 2525fd9c8aa4..eafd0c2135a1 100644
+--- a/drivers/spi/spi-pxa2xx.c
++++ b/drivers/spi/spi-pxa2xx.c
+@@ -156,6 +156,7 @@ static const struct lpss_config lpss_platforms[] = {
+ .tx_threshold_hi = 48,
+ .cs_sel_shift = 8,
+ .cs_sel_mask = 3 << 8,
++ .cs_clk_stays_gated = true,
+ },
+ { /* LPSS_CNL_SSP */
+ .offset = 0x200,
+--
+2.25.1
+
diff --git a/queue-4.19/staging-android-ion-use-vmap-instead-of-vm_map_ram.patch b/queue-4.19/staging-android-ion-use-vmap-instead-of-vm_map_ram.patch
new file mode 100644
index 00000000000..5148f42a48b
--- /dev/null
+++ b/queue-4.19/staging-android-ion-use-vmap-instead-of-vm_map_ram.patch
@@ -0,0 +1,69 @@
+From 001c55185ebaa65d40a9a8def933ffff7ee3b383 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 1 Jun 2020 21:50:23 -0700
+Subject: staging: android: ion: use vmap instead of vm_map_ram
+
+From: Christoph Hellwig
+
+[ Upstream commit 5bf9917452112694b2c774465ee4dbe441c84b77 ]
+
+vm_map_ram can keep mappings around after the vm_unmap_ram. Using that
+with non-PAGE_KERNEL mappings can lead to all kinds of aliasing issues.
+
+Signed-off-by: Christoph Hellwig
+Signed-off-by: Andrew Morton
+Acked-by: Greg Kroah-Hartman
+Acked-by: Peter Zijlstra (Intel)
+Cc: Christian Borntraeger
+Cc: Christophe Leroy
+Cc: Daniel Vetter
+Cc: David Airlie
+Cc: Gao Xiang
+Cc: Haiyang Zhang
+Cc: Johannes Weiner
+Cc: "K. Y. Srinivasan"
+Cc: Laura Abbott
+Cc: Mark Rutland
+Cc: Michael Kelley
+Cc: Minchan Kim
+Cc: Nitin Gupta
+Cc: Robin Murphy
+Cc: Sakari Ailus
+Cc: Stephen Hemminger
+Cc: Sumit Semwal
+Cc: Wei Liu
+Cc: Benjamin Herrenschmidt
+Cc: Catalin Marinas
+Cc: Heiko Carstens
+Cc: Paul Mackerras
+Cc: Vasily Gorbik
+Cc: Will Deacon
+Link: http://lkml.kernel.org/r/20200414131348.444715-4-hch@lst.de
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ drivers/staging/android/ion/ion_heap.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/staging/android/ion/ion_heap.c b/drivers/staging/android/ion/ion_heap.c
+index 31db510018a9..6babcdb4d7d2 100644
+--- a/drivers/staging/android/ion/ion_heap.c
++++ b/drivers/staging/android/ion/ion_heap.c
+@@ -97,12 +97,12 @@ int ion_heap_map_user(struct ion_heap *heap, struct ion_buffer *buffer,
+
+ static int ion_heap_clear_pages(struct page **pages, int num, pgprot_t pgprot)
+ {
+- void *addr = vm_map_ram(pages, num, -1, pgprot);
++ void *addr = vmap(pages, num, VM_MAP, pgprot);
+
+ if (!addr)
+ return -ENOMEM;
+ memset(addr, 0, PAGE_SIZE * num);
+- vm_unmap_ram(addr, num);
++ vunmap(addr);
+
+ return 0;
+ }
+--
+2.25.1
+
diff --git a/queue-4.19/staging-greybus-sdio-respect-the-cmd-busy_timeout-fr.patch b/queue-4.19/staging-greybus-sdio-respect-the-cmd-busy_timeout-fr.patch
new file mode 100644
index 00000000000..54dd496688d
--- /dev/null
+++ b/queue-4.19/staging-greybus-sdio-respect-the-cmd-busy_timeout-fr.patch
@@ -0,0 +1,67 @@ +From f7c0e121ffa7215e07547c972497f82022bcc3f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Apr 2020 18:14:13 +0200 +Subject: staging: greybus: sdio: Respect the cmd->busy_timeout from the mmc + core + +From: Ulf Hansson + +[ Upstream commit a389087ee9f195fcf2f31cd771e9ec5f02c16650 ] + +Using a fixed 1s timeout for all commands is a bit problematic. + +For some commands it means waiting longer than needed for the timeout to +expire, which may not a big issue, but still. For other commands, like for +an erase (CMD38) that uses a R1B response, may require longer timeouts than +1s. In these cases, we may end up treating the command as it failed, while +it just needed some more time to complete successfully. + +Fix the problem by respecting the cmd->busy_timeout, which is provided by +the mmc core. + +Cc: Rui Miguel Silva +Cc: Johan Hovold +Cc: Alex Elder +Cc: Greg Kroah-Hartman +Cc: greybus-dev@lists.linaro.org +Signed-off-by: Ulf Hansson +Acked-by: Rui Miguel Silva +Acked-by: Greg Kroah-Hartman +Link: https://lore.kernel.org/r/20200414161413.3036-20-ulf.hansson@linaro.org +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/staging/greybus/sdio.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/staging/greybus/sdio.c b/drivers/staging/greybus/sdio.c +index 38e85033fc4b..afb2e5e5111a 100644 +--- a/drivers/staging/greybus/sdio.c ++++ b/drivers/staging/greybus/sdio.c +@@ -411,6 +411,7 @@ static int gb_sdio_command(struct gb_sdio_host *host, struct mmc_command *cmd) + struct gb_sdio_command_request request = {0}; + struct gb_sdio_command_response response; + struct mmc_data *data = host->mrq->data; ++ unsigned int timeout_ms; + u8 cmd_flags; + u8 cmd_type; + int i; +@@ -469,9 +470,12 @@ static int gb_sdio_command(struct gb_sdio_host *host, struct mmc_command *cmd) + request.data_blksz = cpu_to_le16(data->blksz); + } + +- ret = gb_operation_sync(host->connection, 
GB_SDIO_TYPE_COMMAND, +- &request, sizeof(request), &response, +- sizeof(response)); ++ timeout_ms = cmd->busy_timeout ? cmd->busy_timeout : ++ GB_OPERATION_TIMEOUT_DEFAULT; ++ ++ ret = gb_operation_sync_timeout(host->connection, GB_SDIO_TYPE_COMMAND, ++ &request, sizeof(request), &response, ++ sizeof(response), timeout_ms); + if (ret < 0) + goto out; + +-- +2.25.1 + diff --git a/queue-4.19/string.h-fix-incompatibility-between-fortify_source-.patch b/queue-4.19/string.h-fix-incompatibility-between-fortify_source-.patch new file mode 100644 index 00000000000..90b2a48173e --- /dev/null +++ b/queue-4.19/string.h-fix-incompatibility-between-fortify_source-.patch 
@@ -0,0 +1,308 @@ +From 3d5908da4b094ce3f7fcc471c9c31212c797ef48 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Jun 2020 15:56:46 -0700 +Subject: string.h: fix incompatibility between FORTIFY_SOURCE and KASAN + +From: Daniel Axtens + +[ Upstream commit 47227d27e2fcb01a9e8f5958d8997cf47a820afc ] + +The memcmp KASAN self-test fails on a kernel with both KASAN and +FORTIFY_SOURCE. + +When FORTIFY_SOURCE is on, a number of functions are replaced with +fortified versions, which attempt to check the sizes of the operands. +However, these functions often directly invoke __builtin_foo() once they +have performed the fortify check. Using __builtins may bypass KASAN +checks if the compiler decides to inline it's own implementation as +sequence of instructions, rather than emit a function call that goes out +to a KASAN-instrumented implementation. + +Why is only memcmp affected? +============================ + +Of the string and string-like functions that kasan_test tests, only memcmp +is replaced by an inline sequence of instructions in my testing on x86 +with gcc version 9.2.1 20191008 (Ubuntu 9.2.1-9ubuntu2). + +I believe this is due to compiler heuristics. For example, if I annotate +kmalloc calls with the alloc_size annotation (and disable some fortify +compile-time checking!), the compiler will replace every memset except the +one in kmalloc_uaf_memset with inline instructions. (I have some WIP +patches to add this annotation.) + +Does this affect other functions in string.h? +============================================= + +Yes. Anything that uses __builtin_* rather than __real_* could be +affected. This looks like: + + - strncpy + - strcat + - strlen + - strlcpy maybe, under some circumstances? + - strncat under some circumstances + - memset + - memcpy + - memmove + - memcmp (as noted) + - memchr + - strcpy + +Whether a function call is emitted always depends on the compiler. 
Most +bugs should get caught by FORTIFY_SOURCE, but the missed memcmp test shows +that this is not always the case. + +Isn't FORTIFY_SOURCE disabled with KASAN? +========================================- + +The string headers on all arches supporting KASAN disable fortify with +kasan, but only when address sanitisation is _also_ disabled. For example +from x86: + + #if defined(CONFIG_KASAN) && !defined(__SANITIZE_ADDRESS__) + /* + * For files that are not instrumented (e.g. mm/slub.c) we + * should use not instrumented version of mem* functions. + */ + #define memcpy(dst, src, len) __memcpy(dst, src, len) + #define memmove(dst, src, len) __memmove(dst, src, len) + #define memset(s, c, n) __memset(s, c, n) + + #ifndef __NO_FORTIFY + #define __NO_FORTIFY /* FORTIFY_SOURCE uses __builtin_memcpy, etc. */ + #endif + + #endif + +This comes from commit 6974f0c4555e ("include/linux/string.h: add the +option of fortified string.h functions"), and doesn't work when KASAN is +enabled and the file is supposed to be sanitised - as with test_kasan.c + +I'm pretty sure this is not wrong, but not as expansive it should be: + + * we shouldn't use __builtin_memcpy etc in files where we don't have + instrumentation - it could devolve into a function call to memcpy, + which will be instrumented. Rather, we should use __memcpy which + by convention is not instrumented. + + * we also shouldn't be using __builtin_memcpy when we have a KASAN + instrumented file, because it could be replaced with inline asm + that will not be instrumented. + +What is correct behaviour? +========================== + +Firstly, there is some overlap between fortification and KASAN: both +provide some level of _runtime_ checking. Only fortify provides +compile-time checking. + +KASAN and fortify can pick up different things at runtime: + + - Some fortify functions, notably the string functions, could easily be + modified to consider sub-object sizes (e.g. 
members within a struct), + and I have some WIP patches to do this. KASAN cannot detect these + because it cannot insert poision between members of a struct. + + - KASAN can detect many over-reads/over-writes when the sizes of both + operands are unknown, which fortify cannot. + +So there are a couple of options: + + 1) Flip the test: disable fortify in santised files and enable it in + unsanitised files. This at least stops us missing KASAN checking, but + we lose the fortify checking. + + 2) Make the fortify code always call out to real versions. Do this only + for KASAN, for fear of losing the inlining opportunities we get from + __builtin_*. + +(We can't use kasan_check_{read,write}: because the fortify functions are +_extern inline_, you can't include _static_ inline functions without a +compiler warning. kasan_check_{read,write} are static inline so we can't +use them even when they would otherwise be suitable.) + +Take approach 2 and call out to real versions when KASAN is enabled. + +Use __underlying_foo to distinguish from __real_foo: __real_foo always +refers to the kernel's implementation of foo, __underlying_foo could be +either the kernel implementation or the __builtin_foo implementation. + +This is sometimes enough to make the memcmp test succeed with +FORTIFY_SOURCE enabled. It is at least enough to get the function call +into the module. One more fix is needed to make it reliable: see the next +patch. 
+ +Fixes: 6974f0c4555e ("include/linux/string.h: add the option of fortified string.h functions") +Signed-off-by: Daniel Axtens +Signed-off-by: Andrew Morton +Tested-by: David Gow +Reviewed-by: Dmitry Vyukov +Cc: Daniel Micay +Cc: Andrey Ryabinin +Cc: Alexander Potapenko +Link: http://lkml.kernel.org/r/20200423154503.5103-3-dja@axtens.net +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/linux/string.h | 60 +++++++++++++++++++++++++++++++++--------- + 1 file changed, 48 insertions(+), 12 deletions(-) + +diff --git a/include/linux/string.h b/include/linux/string.h +index f58e1ef76572..4db285b83f44 100644 +--- a/include/linux/string.h ++++ b/include/linux/string.h +@@ -239,6 +239,31 @@ void __read_overflow3(void) __compiletime_error("detected read beyond size of ob + void __write_overflow(void) __compiletime_error("detected write beyond size of object passed as 1st parameter"); + + #if !defined(__NO_FORTIFY) && defined(__OPTIMIZE__) && defined(CONFIG_FORTIFY_SOURCE) ++ ++#ifdef CONFIG_KASAN ++extern void *__underlying_memchr(const void *p, int c, __kernel_size_t size) __RENAME(memchr); ++extern int __underlying_memcmp(const void *p, const void *q, __kernel_size_t size) __RENAME(memcmp); ++extern void *__underlying_memcpy(void *p, const void *q, __kernel_size_t size) __RENAME(memcpy); ++extern void *__underlying_memmove(void *p, const void *q, __kernel_size_t size) __RENAME(memmove); ++extern void *__underlying_memset(void *p, int c, __kernel_size_t size) __RENAME(memset); ++extern char *__underlying_strcat(char *p, const char *q) __RENAME(strcat); ++extern char *__underlying_strcpy(char *p, const char *q) __RENAME(strcpy); ++extern __kernel_size_t __underlying_strlen(const char *p) __RENAME(strlen); ++extern char *__underlying_strncat(char *p, const char *q, __kernel_size_t count) __RENAME(strncat); ++extern char *__underlying_strncpy(char *p, const char *q, __kernel_size_t size) __RENAME(strncpy); ++#else ++#define __underlying_memchr 
__builtin_memchr ++#define __underlying_memcmp __builtin_memcmp ++#define __underlying_memcpy __builtin_memcpy ++#define __underlying_memmove __builtin_memmove ++#define __underlying_memset __builtin_memset ++#define __underlying_strcat __builtin_strcat ++#define __underlying_strcpy __builtin_strcpy ++#define __underlying_strlen __builtin_strlen ++#define __underlying_strncat __builtin_strncat ++#define __underlying_strncpy __builtin_strncpy ++#endif ++ + __FORTIFY_INLINE char *strncpy(char *p, const char *q, __kernel_size_t size) + { + size_t p_size = __builtin_object_size(p, 0); +@@ -246,14 +271,14 @@ __FORTIFY_INLINE char *strncpy(char *p, const char *q, __kernel_size_t size) + __write_overflow(); + if (p_size < size) + fortify_panic(__func__); +- return __builtin_strncpy(p, q, size); ++ return __underlying_strncpy(p, q, size); + } + + __FORTIFY_INLINE char *strcat(char *p, const char *q) + { + size_t p_size = __builtin_object_size(p, 0); + if (p_size == (size_t)-1) +- return __builtin_strcat(p, q); ++ return __underlying_strcat(p, q); + if (strlcat(p, q, p_size) >= p_size) + fortify_panic(__func__); + return p; +@@ -267,7 +292,7 @@ __FORTIFY_INLINE __kernel_size_t strlen(const char *p) + /* Work around gcc excess stack consumption issue */ + if (p_size == (size_t)-1 || + (__builtin_constant_p(p[p_size - 1]) && p[p_size - 1] == '\0')) +- return __builtin_strlen(p); ++ return __underlying_strlen(p); + ret = strnlen(p, p_size); + if (p_size <= ret) + fortify_panic(__func__); +@@ -300,7 +325,7 @@ __FORTIFY_INLINE size_t strlcpy(char *p, const char *q, size_t size) + __write_overflow(); + if (len >= p_size) + fortify_panic(__func__); +- __builtin_memcpy(p, q, len); ++ __underlying_memcpy(p, q, len); + p[len] = '\0'; + } + return ret; +@@ -313,12 +338,12 @@ __FORTIFY_INLINE char *strncat(char *p, const char *q, __kernel_size_t count) + size_t p_size = __builtin_object_size(p, 0); + size_t q_size = __builtin_object_size(q, 0); + if (p_size == (size_t)-1 && q_size == 
(size_t)-1) +- return __builtin_strncat(p, q, count); ++ return __underlying_strncat(p, q, count); + p_len = strlen(p); + copy_len = strnlen(q, count); + if (p_size < p_len + copy_len + 1) + fortify_panic(__func__); +- __builtin_memcpy(p + p_len, q, copy_len); ++ __underlying_memcpy(p + p_len, q, copy_len); + p[p_len + copy_len] = '\0'; + return p; + } +@@ -330,7 +355,7 @@ __FORTIFY_INLINE void *memset(void *p, int c, __kernel_size_t size) + __write_overflow(); + if (p_size < size) + fortify_panic(__func__); +- return __builtin_memset(p, c, size); ++ return __underlying_memset(p, c, size); + } + + __FORTIFY_INLINE void *memcpy(void *p, const void *q, __kernel_size_t size) +@@ -345,7 +370,7 @@ __FORTIFY_INLINE void *memcpy(void *p, const void *q, __kernel_size_t size) + } + if (p_size < size || q_size < size) + fortify_panic(__func__); +- return __builtin_memcpy(p, q, size); ++ return __underlying_memcpy(p, q, size); + } + + __FORTIFY_INLINE void *memmove(void *p, const void *q, __kernel_size_t size) +@@ -360,7 +385,7 @@ __FORTIFY_INLINE void *memmove(void *p, const void *q, __kernel_size_t size) + } + if (p_size < size || q_size < size) + fortify_panic(__func__); +- return __builtin_memmove(p, q, size); ++ return __underlying_memmove(p, q, size); + } + + extern void *__real_memscan(void *, int, __kernel_size_t) __RENAME(memscan); +@@ -386,7 +411,7 @@ __FORTIFY_INLINE int memcmp(const void *p, const void *q, __kernel_size_t size) + } + if (p_size < size || q_size < size) + fortify_panic(__func__); +- return __builtin_memcmp(p, q, size); ++ return __underlying_memcmp(p, q, size); + } + + __FORTIFY_INLINE void *memchr(const void *p, int c, __kernel_size_t size) +@@ -396,7 +421,7 @@ __FORTIFY_INLINE void *memchr(const void *p, int c, __kernel_size_t size) + __read_overflow(); + if (p_size < size) + fortify_panic(__func__); +- return __builtin_memchr(p, c, size); ++ return __underlying_memchr(p, c, size); + } + + void *__real_memchr_inv(const void *s, int c, size_t n) 
__RENAME(memchr_inv); +@@ -427,11 +452,22 @@ __FORTIFY_INLINE char *strcpy(char *p, const char *q) + size_t p_size = __builtin_object_size(p, 0); + size_t q_size = __builtin_object_size(q, 0); + if (p_size == (size_t)-1 && q_size == (size_t)-1) +- return __builtin_strcpy(p, q); ++ return __underlying_strcpy(p, q); + memcpy(p, q, strlen(q) + 1); + return p; + } + ++/* Don't use these outside the FORITFY_SOURCE implementation */ ++#undef __underlying_memchr ++#undef __underlying_memcmp ++#undef __underlying_memcpy ++#undef __underlying_memmove ++#undef __underlying_memset ++#undef __underlying_strcat ++#undef __underlying_strcpy ++#undef __underlying_strlen ++#undef __underlying_strncat ++#undef __underlying_strncpy + #endif + + /** +-- +2.25.1 + diff --git a/queue-4.19/tools-api-fs-make-xxx__mountpoint-more-scalable.patch b/queue-4.19/tools-api-fs-make-xxx__mountpoint-more-scalable.patch new file mode 100644 index 00000000000..f2ab77afd39 --- /dev/null +++ b/queue-4.19/tools-api-fs-make-xxx__mountpoint-more-scalable.patch 
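Review bot: The closing comment misspells the option, `/* Don't use these outside the FORITFY_SOURCE implementation */`, so a search for FORTIFY_SOURCE misses it; it should read `/* Don't use these outside the FORTIFY_SOURCE implementation */`. The `#undef` list under it only takes effect in the `#else` branch, where the `__underlying_*` names are macros. Under CONFIG_KASAN they are `extern` declarations renamed onto the real symbols, which `#undef` does not remove, so they stay visible to every file that includes string.h; the comment could say the restriction is enforced only for non-KASAN builds. The description also states that one more fix is needed for the memcmp test to be reliable, so this backport should be checked to travel with that follow-up patch.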
@@ -0,0 +1,182 @@ +From 7b07c9584579bbb1085f49ba4147ed3d66bfc930 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Apr 2020 08:43:54 -0700 +Subject: tools api fs: Make xxx__mountpoint() more scalable + +From: Stephane Eranian + +[ Upstream commit c6fddb28bad26e5472cb7acf7b04cd5126f1a4ab ] + +The xxx_mountpoint() interface provided by fs.c finds mount points for +common pseudo filesystems. The first time xxx_mountpoint() is invoked, +it scans the mount table (/proc/mounts) looking for a match. If found, +it is cached. The price to scan /proc/mounts is paid once if the mount +is found. + +When the mount point is not found, subsequent calls to xxx_mountpoint() +scan /proc/mounts over and over again. There is no caching. + +This causes a scaling issue in perf record with hugeltbfs__mountpoint(). +The function is called for each process found in +synthesize__mmap_events(). If the machine has thousands of processes +and if the /proc/mounts has many entries this could cause major overhead +in perf record. We have observed multi-second slowdowns on some +configurations. + +As an example on a laptop: + +Before: + + $ sudo umount /dev/hugepages + $ strace -e trace=openat -o /tmp/tt perf record -a ls + $ fgrep mounts /tmp/tt + 285 + +After: + + $ sudo umount /dev/hugepages + $ strace -e trace=openat -o /tmp/tt perf record -a ls + $ fgrep mounts /tmp/tt + 1 + +One could argue that the non-caching in case the moint point is not +found is intentional. That way subsequent calls may discover a moint +point if the sysadmin mounts the filesystem. But the same argument could +be made against caching the mount point. It could be unmounted causing +errors. It all depends on the intent of the interface. This patch +assumes it is expected to scan /proc/mounts once. The patch documents +the caching behavior in the fs.h header file. + +An alternative would be to just fix perf record. 
But it would solve the +problem with hugetlbs__mountpoint() but there could be similar issues +(possibly down the line) with other xxx_mountpoint() calls in perf or +other tools. + +Signed-off-by: Stephane Eranian +Reviewed-by: Ian Rogers +Acked-by: Jiri Olsa +Cc: Alexander Shishkin +Cc: Andrey Zhizhikin +Cc: Kan Liang +Cc: Kefeng Wang +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Petr Mladek +Cc: Thomas Gleixner +Link: http://lore.kernel.org/lkml/20200402154357.107873-3-irogers@google.com +Signed-off-by: Ian Rogers +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/lib/api/fs/fs.c | 17 +++++++++++++++++ + tools/lib/api/fs/fs.h | 12 ++++++++++++ + 2 files changed, 29 insertions(+) + +diff --git a/tools/lib/api/fs/fs.c b/tools/lib/api/fs/fs.c +index bd021a0eeef8..4cc69675c2a9 100644 +--- a/tools/lib/api/fs/fs.c ++++ b/tools/lib/api/fs/fs.c +@@ -90,6 +90,7 @@ struct fs { + const char * const *mounts; + char path[PATH_MAX]; + bool found; ++ bool checked; + long magic; + }; + +@@ -111,31 +112,37 @@ static struct fs fs__entries[] = { + .name = "sysfs", + .mounts = sysfs__fs_known_mountpoints, + .magic = SYSFS_MAGIC, ++ .checked = false, + }, + [FS__PROCFS] = { + .name = "proc", + .mounts = procfs__known_mountpoints, + .magic = PROC_SUPER_MAGIC, ++ .checked = false, + }, + [FS__DEBUGFS] = { + .name = "debugfs", + .mounts = debugfs__known_mountpoints, + .magic = DEBUGFS_MAGIC, ++ .checked = false, + }, + [FS__TRACEFS] = { + .name = "tracefs", + .mounts = tracefs__known_mountpoints, + .magic = TRACEFS_MAGIC, ++ .checked = false, + }, + [FS__HUGETLBFS] = { + .name = "hugetlbfs", + .mounts = hugetlbfs__known_mountpoints, + .magic = HUGETLBFS_MAGIC, ++ .checked = false, + }, + [FS__BPF_FS] = { + .name = "bpf", + .mounts = bpf_fs__known_mountpoints, + .magic = BPF_FS_MAGIC, ++ .checked = false, + }, + }; + +@@ -158,6 +165,7 @@ static bool fs__read_mounts(struct fs *fs) + } + + fclose(fp); ++ fs->checked = true; + return fs->found = 
found; + } + +@@ -220,6 +228,7 @@ static bool fs__env_override(struct fs *fs) + return false; + + fs->found = true; ++ fs->checked = true; + strncpy(fs->path, override_path, sizeof(fs->path) - 1); + fs->path[sizeof(fs->path) - 1] = '\0'; + return true; +@@ -246,6 +255,14 @@ static const char *fs__mountpoint(int idx) + if (fs->found) + return (const char *)fs->path; + ++ /* the mount point was already checked for the mount point ++ * but and did not exist, so return NULL to avoid scanning again. ++ * This makes the found and not found paths cost equivalent ++ * in case of multiple calls. ++ */ ++ if (fs->checked) ++ return NULL; ++ + return fs__get_mountpoint(fs); + } + +diff --git a/tools/lib/api/fs/fs.h b/tools/lib/api/fs/fs.h +index 92d03b8396b1..3b70003e7cfb 100644 +--- a/tools/lib/api/fs/fs.h ++++ b/tools/lib/api/fs/fs.h +@@ -18,6 +18,18 @@ + const char *name##__mount(void); \ + bool name##__configured(void); \ + ++/* ++ * The xxxx__mountpoint() entry points find the first match mount point for each ++ * filesystems listed below, where xxxx is the filesystem type. ++ * ++ * The interface is as follows: ++ * ++ * - If a mount point is found on first call, it is cached and used for all ++ * subsequent calls. ++ * ++ * - If a mount point is not found, NULL is returned on first call and all ++ * subsequent calls. ++ */ + FS(sysfs) + FS(procfs) + FS(debugfs) +-- +2.25.1 + diff --git a/queue-4.19/veth-adjust-hard_start-offset-on-redirect-xdp-frames.patch b/queue-4.19/veth-adjust-hard_start-offset-on-redirect-xdp-frames.patch new file mode 100644 index 00000000000..478a25ec9e6 --- /dev/null +++ b/queue-4.19/veth-adjust-hard_start-offset-on-redirect-xdp-frames.patch 
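Review bot: The comment added in fs__mountpoint() is garbled ("the mount point was already checked for the mount point but and did not exist") and should be reworded, for example `/* The mount table was already scanned and no mount point was found; return NULL rather than scan again, so repeated lookups cost the same whether or not the mount exists. */`. `checked` is set in fs__read_mounts() only after `fclose(fp)`, so if the function has an earlier return for a failed open (not visible in this hunk), that case is still rescanned on every call. The `.checked = false` initializers in fs__entries[] are redundant for a static array and could be dropped. With the negative result cached, a filesystem mounted later in the process lifetime is not picked up, as the fs.h comment states, so long-running tools that rely on rediscovery should be checked.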
@@ -0,0 +1,89 @@ +From f369592bf7d992dfae4738ab7eeef5629bcb64e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 May 2020 12:49:43 +0200 +Subject: veth: Adjust hard_start offset on redirect XDP frames +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jesper Dangaard Brouer + +[ Upstream commit 5c8572251fabc5bb49fd623c064e95a9daf6a3e3 ] + +When native XDP redirect into a veth device, the frame arrives in the +xdp_frame structure. It is then processed in veth_xdp_rcv_one(), +which can run a new XDP bpf_prog on the packet. Doing so requires +converting xdp_frame to xdp_buff, but the tricky part is that +xdp_frame memory area is located in the top (data_hard_start) memory +area that xdp_buff will point into. + +The current code tried to protect the xdp_frame area, by assigning +xdp_buff.data_hard_start past this memory. This results in 32 bytes +less headroom to expand into via BPF-helper bpf_xdp_adjust_head(). + +This protect step is actually not needed, because BPF-helper +bpf_xdp_adjust_head() already reserve this area, and don't allow +BPF-prog to expand into it. Thus, it is safe to point data_hard_start +directly at xdp_frame memory area. 
+ +Fixes: 9fc8d518d9d5 ("veth: Handle xdp_frames in xdp napi ring") +Reported-by: Mao Wenan +Signed-off-by: Jesper Dangaard Brouer +Signed-off-by: Alexei Starovoitov +Acked-by: Toshiaki Makita +Acked-by: Toke Høiland-Jørgensen +Link: https://lore.kernel.org/bpf/158945338331.97035.5923525383710752178.stgit@firesoul +Signed-off-by: Sasha Levin +--- + drivers/net/veth.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/veth.c b/drivers/net/veth.c +index 41a00cd76955..2abbad1abaf2 100644 +--- a/drivers/net/veth.c ++++ b/drivers/net/veth.c +@@ -377,13 +377,15 @@ static struct sk_buff *veth_xdp_rcv_one(struct veth_rq *rq, + unsigned int *xdp_xmit) + { + void *hard_start = frame->data - frame->headroom; +- void *head = hard_start - sizeof(struct xdp_frame); + int len = frame->len, delta = 0; + struct xdp_frame orig_frame; + struct bpf_prog *xdp_prog; + unsigned int headroom; + struct sk_buff *skb; + ++ /* bpf_xdp_adjust_head() assures BPF cannot access xdp_frame area */ ++ hard_start -= sizeof(struct xdp_frame); ++ + rcu_read_lock(); + xdp_prog = rcu_dereference(rq->xdp_prog); + if (likely(xdp_prog)) { +@@ -405,7 +407,6 @@ static struct sk_buff *veth_xdp_rcv_one(struct veth_rq *rq, + break; + case XDP_TX: + orig_frame = *frame; +- xdp.data_hard_start = head; + xdp.rxq->mem = frame->mem; + if (unlikely(veth_xdp_tx(rq->dev, &xdp) < 0)) { + trace_xdp_exception(rq->dev, xdp_prog, act); +@@ -417,7 +418,6 @@ static struct sk_buff *veth_xdp_rcv_one(struct veth_rq *rq, + goto xdp_xmit; + case XDP_REDIRECT: + orig_frame = *frame; +- xdp.data_hard_start = head; + xdp.rxq->mem = frame->mem; + if (xdp_do_redirect(rq->dev, &xdp, xdp_prog)) { + frame = &orig_frame; +@@ -437,7 +437,7 @@ static struct sk_buff *veth_xdp_rcv_one(struct veth_rq *rq, + rcu_read_unlock(); + + headroom = sizeof(struct xdp_frame) + frame->headroom - delta; +- skb = veth_build_skb(head, headroom, len, 0); ++ skb = veth_build_skb(hard_start, headroom, len, 0); + if (!skb) 
{ + xdp_return_frame(frame); + goto err; +-- +2.25.1 + diff --git a/queue-4.19/wcn36xx-fix-error-handling-path-in-wcn36xx_probe.patch b/queue-4.19/wcn36xx-fix-error-handling-path-in-wcn36xx_probe.patch new file mode 100644 index 00000000000..040427cdfd7 --- /dev/null +++ b/queue-4.19/wcn36xx-fix-error-handling-path-in-wcn36xx_probe.patch 
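Review bot: After `hard_start -= sizeof(struct xdp_frame);` in veth_xdp_rcv_one(), the live xdp_frame lies inside the region that data_hard_start marks as headroom, and the only thing keeping a BPF program from overwriting it is the reservation the new comment attributes to bpf_xdp_adjust_head(). That helper is not part of this hunk, so for the 4.19 queue it should be confirmed that the tree's version, and any other helper that moves data or data_meta toward data_hard_start, enforces the reservation. Otherwise frame metadata could be clobbered by program-controlled writes. The comment could state the dependency explicitly: `/* hard_start now includes the xdp_frame; safe only because headroom helpers keep sizeof(struct xdp_frame) reserved */`. The assignment of xdp.data_hard_start is outside the hunk.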
@@ -0,0 +1,56 @@
+From 52cc40ef2b47df3f3f3756962d3cab4b60e31ea1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 8 May 2020 05:56:03 +0300
+Subject: wcn36xx: Fix error handling path in 'wcn36xx_probe()'
+
+From: Christophe JAILLET
+
+[ Upstream commit a86308fc534edeceaf64670c691e17485436a4f4 ]
+
+In case of error, 'qcom_wcnss_open_channel()' must be undone by a call to
+'rpmsg_destroy_ept()', as already done in the remove function.
+
+Fixes: 5052de8deff5 ("soc: qcom: smd: Transition client drivers from smd to rpmsg")
+Signed-off-by: Christophe JAILLET
+Reviewed-by: Bjorn Andersson
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20200507043619.200051-1-christophe.jaillet@wanadoo.fr
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/wcn36xx/main.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/wcn36xx/main.c b/drivers/net/wireless/ath/wcn36xx/main.c
+index 79998a3ddb7a..ad051f34e65b 100644
+--- a/drivers/net/wireless/ath/wcn36xx/main.c
++++ b/drivers/net/wireless/ath/wcn36xx/main.c
+@@ -1341,7 +1341,7 @@ static int wcn36xx_probe(struct platform_device *pdev)
+ if (addr && ret != ETH_ALEN) {
+ wcn36xx_err("invalid local-mac-address\n");
+ ret = -EINVAL;
+- goto out_wq;
++ goto out_destroy_ept;
+ } else if (addr) {
+ wcn36xx_info("mac address: %pM\n", addr);
+ SET_IEEE80211_PERM_ADDR(wcn->hw, addr);
+@@ -1349,7 +1349,7 @@ static int wcn36xx_probe(struct platform_device *pdev)
+
+ ret = wcn36xx_platform_get_resources(wcn, pdev);
+ if (ret)
+- goto out_wq;
++ goto out_destroy_ept;
+
+ wcn36xx_init_ieee80211(wcn);
+ ret = ieee80211_register_hw(wcn->hw);
+@@ -1361,6 +1361,8 @@ static int wcn36xx_probe(struct platform_device *pdev)
+ out_unmap:
+ iounmap(wcn->ccu_base);
+ iounmap(wcn->dxe_base);
++out_destroy_ept:
++ rpmsg_destroy_ept(wcn->smd_channel);
+ out_wq:
+ ieee80211_free_hw(hw);
+ out_err:
+--
+2.25.1
+
diff --git a/queue-4.19/x86-boot-correct-relocation-destination-on-old-linke.patch b/queue-4.19/x86-boot-correct-relocation-destination-on-old-linke.patch new file mode 100644 index 00000000000..9e3e0810234 --- /dev/null +++ b/queue-4.19/x86-boot-correct-relocation-destination-on-old-linke.patch 
@@ -0,0 +1,114 @@ +From f07fdc1a8bec75c9f39cc1821f6814bfe0b3f2b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Feb 2020 16:49:26 -0500 +Subject: x86/boot: Correct relocation destination on old linkers + +From: Arvind Sankar + +[ Upstream commit 5214028dd89e49ba27007c3ee475279e584261f0 ] + +For the 32-bit kernel, as described in + + 6d92bc9d483a ("x86/build: Build compressed x86 kernels as PIE"), + +pre-2.26 binutils generates R_386_32 relocations in PIE mode. Since the +startup code does not perform relocation, any reloc entry with R_386_32 +will remain as 0 in the executing code. + +Commit + + 974f221c84b0 ("x86/boot: Move compressed kernel to the end of the + decompression buffer") + +added a new symbol _end but did not mark it hidden, which doesn't give +the correct offset on older linkers. This causes the compressed kernel +to be copied beyond the end of the decompression buffer, rather than +flush against it. This region of memory may be reserved or already +allocated for other purposes by the bootloader. + +Mark _end as hidden to fix. This changes the relocation from R_386_32 to +R_386_RELATIVE even on the pre-2.26 binutils. + +For 64-bit, this is not strictly necessary, as the 64-bit kernel is only +built as PIE if the linker supports -z noreloc-overflow, which implies +binutils-2.27+, but for consistency, mark _end as hidden here too. + +The below illustrates the before/after impact of the patch using +binutils-2.25 and gcc-4.6.4 (locally compiled from source) and QEMU. 
+ + Disassembly before patch: + 48: 8b 86 60 02 00 00 mov 0x260(%esi),%eax + 4e: 2d 00 00 00 00 sub $0x0,%eax + 4f: R_386_32 _end + Disassembly after patch: + 48: 8b 86 60 02 00 00 mov 0x260(%esi),%eax + 4e: 2d 00 f0 76 00 sub $0x76f000,%eax + 4f: R_386_RELATIVE *ABS* + +Dump from extract_kernel before patch: + early console in extract_kernel + input_data: 0x0207c098 <--- this is at output + init_size + input_len: 0x0074fef1 + output: 0x01000000 + output_len: 0x00fa63d0 + kernel_total_size: 0x0107c000 + needed_size: 0x0107c000 + +Dump from extract_kernel after patch: + early console in extract_kernel + input_data: 0x0190d098 <--- this is at output + init_size - _end + input_len: 0x0074fef1 + output: 0x01000000 + output_len: 0x00fa63d0 + kernel_total_size: 0x0107c000 + needed_size: 0x0107c000 + +Fixes: 974f221c84b0 ("x86/boot: Move compressed kernel to the end of the decompression buffer") +Signed-off-by: Arvind Sankar +Signed-off-by: Borislav Petkov +Link: https://lkml.kernel.org/r/20200207214926.3564079-1-nivedita@alum.mit.edu +Signed-off-by: Sasha Levin +--- + arch/x86/boot/compressed/head_32.S | 5 +++-- + arch/x86/boot/compressed/head_64.S | 1 + + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/boot/compressed/head_32.S b/arch/x86/boot/compressed/head_32.S +index 01d628ea3402..c6c4b877f3d2 100644 +--- a/arch/x86/boot/compressed/head_32.S ++++ b/arch/x86/boot/compressed/head_32.S +@@ -49,16 +49,17 @@ + * Position Independent Executable (PIE) so that linker won't optimize + * R_386_GOT32X relocation to its fixed symbol address. Older + * linkers generate R_386_32 relocations against locally defined symbols, +- * _bss, _ebss, _got and _egot, in PIE. It isn't wrong, just less ++ * _bss, _ebss, _got, _egot and _end, in PIE. It isn't wrong, just less + * optimal than R_386_RELATIVE. But the x86 kernel fails to properly handle + * R_386_32 relocations when relocating the kernel. 
To generate +- * R_386_RELATIVE relocations, we mark _bss, _ebss, _got and _egot as ++ * R_386_RELATIVE relocations, we mark _bss, _ebss, _got, _egot and _end as + * hidden: + */ + .hidden _bss + .hidden _ebss + .hidden _got + .hidden _egot ++ .hidden _end + + __HEAD + ENTRY(startup_32) +diff --git a/arch/x86/boot/compressed/head_64.S b/arch/x86/boot/compressed/head_64.S +index 9fa644c62839..474733f8b330 100644 +--- a/arch/x86/boot/compressed/head_64.S ++++ b/arch/x86/boot/compressed/head_64.S +@@ -42,6 +42,7 @@ + .hidden _ebss + .hidden _got + .hidden _egot ++ .hidden _end + + __HEAD + .code32 +-- +2.25.1 + diff --git a/queue-4.19/x86-kvm-hyper-v-explicitly-align-hcall-param-for-kvm.patch b/queue-4.19/x86-kvm-hyper-v-explicitly-align-hcall-param-for-kvm.patch new file mode 100644 index 00000000000..ed43e14ed50 --- /dev/null +++ b/queue-4.19/x86-kvm-hyper-v-explicitly-align-hcall-param-for-kvm.patch 
@@ -0,0 +1,75 @@
+From 244f1fa643e4fc29cd8c9a9749fdc686ec1252e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 24 Apr 2020 14:37:40 +0300
+Subject: x86/kvm/hyper-v: Explicitly align hcall param for kvm_hyperv_exit
+
+From: Jon Doron
+
+[ Upstream commit f7d31e65368aeef973fab788aa22c4f1d5a6af66 ]
+
+The problem the patch is trying to address is the fact that 'struct
+kvm_hyperv_exit' has different layout on when compiling in 32 and 64 bit
+modes.
+
+In 64-bit mode the default alignment boundary is 64 bits thus
+forcing extra gaps after 'type' and 'msr' but in 32-bit mode the
+boundary is at 32 bits thus no extra gaps.
+
+This is an issue as even when the kernel is 64 bit, the userspace using
+the interface can be both 32 and 64 bit but the same 32 bit userspace has
+to work with 32 bit kernel.
+
+The issue is fixed by forcing the 64 bit layout, this leads to ABI
+change for 32 bit builds and while we are obviously breaking '32 bit
+userspace with 32 bit kernel' case, we're fixing the '32 bit userspace
+with 64 bit kernel' one.
+
+As the interface has no (known) users and 32 bit KVM is rather baroque
+nowadays, this seems like a reasonable decision.
+
+Reviewed-by: Vitaly Kuznetsov
+Signed-off-by: Jon Doron
+Message-Id: <20200424113746.3473563-2-arilou@gmail.com>
+Reviewed-by: Roman Kagan
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Sasha Levin
+---
+ Documentation/virtual/kvm/api.txt | 2 ++
+ include/uapi/linux/kvm.h | 2 ++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/Documentation/virtual/kvm/api.txt b/Documentation/virtual/kvm/api.txt
+index 8e16017ff397..d2f265a9dc0d 100644
+--- a/Documentation/virtual/kvm/api.txt
++++ b/Documentation/virtual/kvm/api.txt
+@@ -3999,9 +3999,11 @@ EOI was received.
+ #define KVM_EXIT_HYPERV_SYNIC 1
+ #define KVM_EXIT_HYPERV_HCALL 2
+ __u32 type;
++ __u32 pad1;
+ union {
+ struct {
+ __u32 msr;
++ __u32 pad2;
+ __u64 control;
+ __u64 evt_page;
+ __u64 msg_page;
+diff --git a/include/uapi/linux/kvm.h b/include/uapi/linux/kvm.h
+index 251be353f950..66ce6659ecb6 100644
+--- a/include/uapi/linux/kvm.h
++++ b/include/uapi/linux/kvm.h
+@@ -189,9 +189,11 @@ struct kvm_hyperv_exit {
+ #define KVM_EXIT_HYPERV_SYNIC 1
+ #define KVM_EXIT_HYPERV_HCALL 2
+ __u32 type;
++ __u32 pad1;
+ union {
+ struct {
+ __u32 msr;
++ __u32 pad2;
+ __u64 control;
+ __u64 evt_page;
+ __u64 msg_page;
+--
+2.25.1
+
diff --git a/queue-4.19/x86-mm-stop-printing-brk-addresses.patch b/queue-4.19/x86-mm-stop-printing-brk-addresses.patch
new file mode 100644
index 00000000000..a70bf959965
--- /dev/null
+++ b/queue-4.19/x86-mm-stop-printing-brk-addresses.patch
@@ -0,0 +1,37 @@
+From 3276efbb82e2299691c52c664390f4ce4f254eed Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 29 Feb 2020 18:11:20 -0500
+Subject: x86/mm: Stop printing BRK addresses
+
+From: Arvind Sankar
+
+[ Upstream commit 67d631b7c05eff955ccff4139327f0f92a5117e5 ]
+
+This currently leaks kernel physical addresses into userspace.
+
+Signed-off-by: Arvind Sankar
+Signed-off-by: Borislav Petkov
+Acked-by: Kees Cook
+Acked-by: Dave Hansen
+Link: https://lkml.kernel.org/r/20200229231120.1147527-1-nivedita@alum.mit.edu
+Signed-off-by: Sasha Levin
+---
+ arch/x86/mm/init.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/arch/x86/mm/init.c b/arch/x86/mm/init.c
+index fb5f29c60019..b1dba0987565 100644
+--- a/arch/x86/mm/init.c
++++ b/arch/x86/mm/init.c
+@@ -120,8 +120,6 @@ __ref void *alloc_low_pages(unsigned int num)
+ } else {
+ pfn = pgt_buf_end;
+ pgt_buf_end += num;
+- printk(KERN_DEBUG "BRK [%#010lx, %#010lx] PGTABLE\n",
+- pfn << PAGE_SHIFT, (pgt_buf_end << PAGE_SHIFT) - 1);
+ }
+
+ for (i = 0; i < num; i++) {
+--
+2.25.1
+
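Review bot: The new `pad1` and `pad2` members of struct kvm_hyperv_exit in include/uapi/linux/kvm.h carry no comment on their purpose or contents, so userspace cannot tell whether they are reserved or must be zero. A short annotation in both the header and api.txt would help, e.g. `__u32 pad1; /* explicit padding: keeps the 64-bit layout on 32-bit builds */`. Since the layout is now the contract between 32-bit and 64-bit users, a compile-time size or offset check on the kernel side (not in the UAPI header) would keep it from drifting again; whether one exists is not visible in this hunk.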
diff --git a/queue-4.19/xfs-clean-up-the-error-handling-in-xfs_swap_extents.patch b/queue-4.19/xfs-clean-up-the-error-handling-in-xfs_swap_extents.patch
new file mode 100644
index 00000000000..3fd16484306
--- /dev/null
+++ b/queue-4.19/xfs-clean-up-the-error-handling-in-xfs_swap_extents.patch
@@ -0,0 +1,36 @@
+From 66e95873cf2d069684856a957c4e38ddb2bc93f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 4 May 2020 14:06:27 -0700
+Subject: xfs: clean up the error handling in xfs_swap_extents
+
+From: Darrick J. Wong
+
+[ Upstream commit 8bc3b5e4b70d28f8edcafc3c9e4de515998eea9e ]
+
+Make sure we release resources properly if we cannot clean out the COW
+extents in preparation for an extent swap.
+
+Fixes: 96987eea537d6c ("xfs: cancel COW blocks before swapext")
+Signed-off-by: Darrick J. Wong
+Reviewed-by: Christoph Hellwig
+Signed-off-by: Sasha Levin
+---
+ fs/xfs/xfs_bmap_util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/xfs/xfs_bmap_util.c b/fs/xfs/xfs_bmap_util.c
+index e638740f1681..3e1dd66bd676 100644
+--- a/fs/xfs/xfs_bmap_util.c
++++ b/fs/xfs/xfs_bmap_util.c
+@@ -1823,7 +1823,7 @@ xfs_swap_extents(
+ if (xfs_inode_has_cow_data(tip)) {
+ error = xfs_reflink_cancel_cow_range(tip, 0, NULLFILEOFF, true);
+ if (error)
+- return error;
++ goto out_unlock;
+ }
+
+ /*
+--
+2.25.1
+
diff --git a/queue-4.19/xfs-fix-duplicate-verification-from-xfs_qm_dqflush.patch b/queue-4.19/xfs-fix-duplicate-verification-from-xfs_qm_dqflush.patch
new file mode 100644
index 00000000000..c6995bd4dee
--- /dev/null
+++ b/queue-4.19/xfs-fix-duplicate-verification-from-xfs_qm_dqflush.patch
@@ -0,0 +1,50 @@
+From d1ce60d86698491f9f6a084927c7bd715c7622af Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 6 May 2020 13:25:22 -0700
+Subject: xfs: fix duplicate verification from xfs_qm_dqflush()
+
+From: Brian Foster
+
+[ Upstream commit 629dcb38dc351947ed6a26a997d4b587f3bd5c7e ]
+
+The pre-flush dquot verification in xfs_qm_dqflush() duplicates the
+read verifier by checking the dquot in the on-disk buffer. Instead,
+verify the in-core variant before it is flushed to the buffer.
+
+Fixes: 7224fa482a6d ("xfs: add full xfs_dqblk verifier")
+Signed-off-by: Brian Foster
+Reviewed-by: Dave Chinner
+Reviewed-by: Christoph Hellwig
+Reviewed-by: Allison Collins
+Reviewed-by: Darrick J. Wong
+Signed-off-by: Darrick J. Wong
+Signed-off-by: Sasha Levin
+---
+ fs/xfs/xfs_dquot.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/fs/xfs/xfs_dquot.c b/fs/xfs/xfs_dquot.c
+index a1af984e4913..59b2b29542f4 100644
+--- a/fs/xfs/xfs_dquot.c
++++ b/fs/xfs/xfs_dquot.c
+@@ -1120,13 +1120,12 @@ xfs_qm_dqflush(
+ dqb = bp->b_addr + dqp->q_bufoffset;
+ ddqp = &dqb->dd_diskdq;
+
+- /*
+- * A simple sanity check in case we got a corrupted dquot.
+- */
+- fa = xfs_dqblk_verify(mp, dqb, be32_to_cpu(ddqp->d_id), 0);
++ /* sanity check the in-core structure before we flush */
++ fa = xfs_dquot_verify(mp, &dqp->q_core, be32_to_cpu(dqp->q_core.d_id),
++ 0);
+ if (fa) {
+ xfs_alert(mp, "corrupt dquot ID 0x%x in memory at %pS",
+- be32_to_cpu(ddqp->d_id), fa);
++ be32_to_cpu(dqp->q_core.d_id), fa);
+ xfs_buf_relse(bp);
+ xfs_dqfunlock(dqp);
+ xfs_force_shutdown(mp, SHUTDOWN_CORRUPT_INCORE);
+--
+2.25.1
+
diff --git a/queue-4.19/xfs-reset-buffer-write-failure-state-on-successful-c.patch b/queue-4.19/xfs-reset-buffer-write-failure-state-on-successful-c.patch
new file mode 100644
index 00000000000..632be3cc00c
--- /dev/null
+++ b/queue-4.19/xfs-reset-buffer-write-failure-state-on-successful-c.patch
@@ -0,0 +1,83 @@
+From 1046839b10354f3b4ca36dfd4344f6b0285ae236 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 6 May 2020 13:25:20 -0700
+Subject: xfs: reset buffer write failure state on successful completion
+
+From: Brian Foster
+
+[ Upstream commit b6983e80b03bd4fd42de71993b3ac7403edac758 ]
+
+The buffer write failure flag is intended to control the internal
+write retry that XFS has historically implemented to help mitigate
+the severity of transient I/O errors. The flag is set when a buffer
+is resubmitted from the I/O completion path due to a previous
+failure. It is checked on subsequent I/O completions to skip the
+internal retry and fall through to the higher level configurable
+error handling mechanism. The flag is cleared in the synchronous and
+delwri submission paths and also checked in various places to log
+write failure messages.
+
+There are a couple minor problems with the current usage of this
+flag. One is that we issue an internal retry after every submission
+from xfsaild due to how delwri submission clears the flag. This
+results in double the expected or configured number of write
+attempts when under sustained failures. Another more subtle issue is
+that the flag is never cleared on successful I/O completion. This
+can cause xfs_wait_buftarg() to suggest that dirty buffers are being
+thrown away due to the existence of the flag, when the reality is
+that the flag might still be set because the write succeeded on the
+retry.
+
+Clear the write failure flag on successful I/O completion to address
+both of these problems. This means that the internal retry attempt
+occurs once since the last time a buffer write failed and that
+various other contexts only see the flag set when the immediately
+previous write attempt has failed.
+
+Signed-off-by: Brian Foster
+Reviewed-by: Darrick J. Wong
+Reviewed-by: Christoph Hellwig
+Reviewed-by: Allison Collins
+Signed-off-by: Darrick J. Wong
+Signed-off-by: Sasha Levin
+---
+ fs/xfs/xfs_buf.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/fs/xfs/xfs_buf.c b/fs/xfs/xfs_buf.c
+index c1f7c0d5d608..b33a9cd4fe94 100644
+--- a/fs/xfs/xfs_buf.c
++++ b/fs/xfs/xfs_buf.c
+@@ -1202,8 +1202,10 @@ xfs_buf_ioend(
+ bp->b_ops->verify_read(bp);
+ }
+
+- if (!bp->b_error)
++ if (!bp->b_error) {
++ bp->b_flags &= ~XBF_WRITE_FAIL;
+ bp->b_flags |= XBF_DONE;
++ }
+
+ if (bp->b_iodone)
+ (*(bp->b_iodone))(bp);
+@@ -1263,7 +1265,7 @@ xfs_bwrite(
+
+ bp->b_flags |= XBF_WRITE;
+ bp->b_flags &= ~(XBF_ASYNC | XBF_READ | _XBF_DELWRI_Q |
+- XBF_WRITE_FAIL | XBF_DONE);
++ XBF_DONE);
+
+ error = xfs_buf_submit(bp);
+ if (error) {
+@@ -2000,7 +2002,7 @@ xfs_buf_delwri_submit_buffers(
+ * synchronously. Otherwise, drop the buffer from the delwri
+ * queue and submit async.
+ */
+- bp->b_flags &= ~(_XBF_DELWRI_Q | XBF_WRITE_FAIL);
++ bp->b_flags &= ~_XBF_DELWRI_Q;
+ bp->b_flags |= XBF_WRITE;
+ if (wait_list) {
+ bp->b_flags &= ~XBF_ASYNC;
+--
+2.25.1
+
-- 2.47.3
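Review bot: The new `bp->b_flags &= ~XBF_WRITE_FAIL;` in xfs_buf_ioend has no comment, although it is now the only one of the three touched sites that clears the flag; xfs_bwrite and xfs_buf_delwri_submit_buffers no longer do. The lifecycle rule is explained only in the commit message, so it is worth stating in the code, for example `/* success clears any earlier write failure, so XBF_WRITE_FAIL reflects only the most recent attempt */`. The branch tests only `!bp->b_error`, so it also runs on successful read completions; that looks harmless, but the comment could say so. All three functions continue outside their hunks.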