From 8e64a8ac69c55f3c363f47f91bdc6860e7564fdb Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 15 Oct 2019 06:29:37 +0200 Subject: [PATCH] 5.3-stable patches added patches: blk-wbt-fix-performance-regression-in-wbt-scale_up-scale_down.patch cifs-force-reval-dentry-if-lookup_reval-flag-is-set.patch cifs-force-revalidate-inode-when-dentry-is-stale.patch cifs-gracefully-handle-queryinfo-errors-during-open.patch cifs-use-cifsinodeinfo-open_file_lock-while-iterating-to-avoid-a-panic.patch drm-i915-perform-ggtt-restore-much-earlier-during-resume.patch efi-tpm-don-t-access-event-count-when-it-isn-t-mapped.patch efi-tpm-don-t-traverse-an-event-log-with-no-events.patch efi-tpm-only-set-efi_tpm_final_log_size-after-successful-event-log-parsing.patch efivar-ssdt-don-t-iterate-over-efi-vars-if-no-ssdt-override-was-specified.patch ib-core-fix-wrong-iterating-on-ports.patch iio-accel-adxl372-fix-push-to-buffers-lost-samples.patch iio-accel-adxl372-fix-remove-limitation-for-fifo-samples.patch iio-accel-adxl372-perform-a-reset-at-start-up.patch iio-light-add-missing-vcnl4040-of_compatible.patch iio-light-opt3001-fix-mutex-unlock-race.patch io_uring-only-flush-workqueues-on-fileset-removal.patch kernel-sysctl.c-do-not-override-max_threads-provided-by-userspace.patch mm-page_alloc.c-fix-a-crash-in-free_pages_prepare.patch mm-vmpressure.c-fix-a-signedness-bug-in-vmpressure_register_event.patch mm-z3fold.c-claim-page-in-the-beginning-of-free.patch perf-inject-jit-fix-jit_code_move-filename.patch perf-llvm-don-t-access-out-of-scope-array.patch selinux-fix-context-string-corruption-in-convert_context.patch --- ...egression-in-wbt-scale_up-scale_down.patch | 117 ++++++++++++ ...l-dentry-if-lookup_reval-flag-is-set.patch | 53 ++++++ ...evalidate-inode-when-dentry-is-stale.patch | 61 +++++++ ...-handle-queryinfo-errors-during-open.patch | 45 +++++ ...ock-while-iterating-to-avoid-a-panic.patch | 167 ++++++++++++++++++ ...t-restore-much-earlier-during-resume.patch | 74 ++++++++ ...ess-event-count-when-it-isn-t-mapped.patch | 92 ++++++++++ ...traverse-an-event-log-with-no-events.patch | 68 +++++++ ...e-after-successful-event-log-parsing.patch | 96 ++++++++++ ...rs-if-no-ssdt-override-was-specified.patch | 59 +++++++ ...ib-core-fix-wrong-iterating-on-ports.patch | 41 +++++ ...372-fix-push-to-buffers-lost-samples.patch | 35 ++++ ...x-remove-limitation-for-fifo-samples.patch | 47 +++++ ...-adxl372-perform-a-reset-at-start-up.patch | 41 +++++ ...t-add-missing-vcnl4040-of_compatible.patch | 37 ++++ ...-light-opt3001-fix-mutex-unlock-race.patch | 56 ++++++ ...-flush-workqueues-on-fileset-removal.patch | 38 ++++ ...de-max_threads-provided-by-userspace.patch | 83 +++++++++ ....c-fix-a-crash-in-free_pages_prepare.patch | 87 +++++++++ ...ess-bug-in-vmpressure_register_event.patch | 91 ++++++++++ ...-claim-page-in-the-beginning-of-free.patch | 91 ++++++++++ ...nject-jit-fix-jit_code_move-filename.patch | 73 ++++++++ ...llvm-don-t-access-out-of-scope-array.patch | 55 ++++++ ...string-corruption-in-convert_context.patch | 59 +++++++ queue-5.3/series | 24 +++ 25 files changed, 1690 insertions(+) create mode 100644 queue-5.3/blk-wbt-fix-performance-regression-in-wbt-scale_up-scale_down.patch create mode 100644 queue-5.3/cifs-force-reval-dentry-if-lookup_reval-flag-is-set.patch create mode 100644 queue-5.3/cifs-force-revalidate-inode-when-dentry-is-stale.patch create mode 100644 queue-5.3/cifs-gracefully-handle-queryinfo-errors-during-open.patch create mode 100644 queue-5.3/cifs-use-cifsinodeinfo-open_file_lock-while-iterating-to-avoid-a-panic.patch create mode 100644 queue-5.3/drm-i915-perform-ggtt-restore-much-earlier-during-resume.patch create mode 100644 queue-5.3/efi-tpm-don-t-access-event-count-when-it-isn-t-mapped.patch create mode 100644 queue-5.3/efi-tpm-don-t-traverse-an-event-log-with-no-events.patch create mode 100644 queue-5.3/efi-tpm-only-set-efi_tpm_final_log_size-after-successful-event-log-parsing.patch create mode 100644 queue-5.3/efivar-ssdt-don-t-iterate-over-efi-vars-if-no-ssdt-override-was-specified.patch create mode 100644 queue-5.3/ib-core-fix-wrong-iterating-on-ports.patch create mode 100644 queue-5.3/iio-accel-adxl372-fix-push-to-buffers-lost-samples.patch create mode 100644 queue-5.3/iio-accel-adxl372-fix-remove-limitation-for-fifo-samples.patch create mode 100644 queue-5.3/iio-accel-adxl372-perform-a-reset-at-start-up.patch create mode 100644 queue-5.3/iio-light-add-missing-vcnl4040-of_compatible.patch create mode 100644 queue-5.3/iio-light-opt3001-fix-mutex-unlock-race.patch create mode 100644 queue-5.3/io_uring-only-flush-workqueues-on-fileset-removal.patch create mode 100644 queue-5.3/kernel-sysctl.c-do-not-override-max_threads-provided-by-userspace.patch create mode 100644 queue-5.3/mm-page_alloc.c-fix-a-crash-in-free_pages_prepare.patch create mode 100644 queue-5.3/mm-vmpressure.c-fix-a-signedness-bug-in-vmpressure_register_event.patch create mode 100644 queue-5.3/mm-z3fold.c-claim-page-in-the-beginning-of-free.patch create mode 100644 queue-5.3/perf-inject-jit-fix-jit_code_move-filename.patch create mode 100644 queue-5.3/perf-llvm-don-t-access-out-of-scope-array.patch create mode 100644 queue-5.3/selinux-fix-context-string-corruption-in-convert_context.patch diff --git a/queue-5.3/blk-wbt-fix-performance-regression-in-wbt-scale_up-scale_down.patch b/queue-5.3/blk-wbt-fix-performance-regression-in-wbt-scale_up-scale_down.patch new file mode 100644 index 00000000000..201167be760 --- /dev/null +++ b/queue-5.3/blk-wbt-fix-performance-regression-in-wbt-scale_up-scale_down.patch @@ -0,0 +1,117 @@ +From b84477d3ebb96294f87dc3161e53fa8fe22d9bfd Mon Sep 17 00:00:00 2001 +From: Harshad Shirwadkar +Date: Sat, 5 Oct 2019 11:59:27 -0700 +Subject: blk-wbt: fix performance regression in wbt scale_up/scale_down + +From: Harshad Shirwadkar + +commit b84477d3ebb96294f87dc3161e53fa8fe22d9bfd upstream. + +scale_up wakes up waiters after scaling up. But after scaling max, it +should not wake up more waiters as waiters will not have anything to +do. This patch fixes this by making scale_up (and also scale_down) +return when threshold is reached. + +This bug causes increased fdatasync latency when fdatasync and dd +conv=sync are performed in parallel on 4.19 compared to 4.14. This +bug was introduced during refactoring of blk-wbt code. + +Fixes: a79050434b45 ("blk-rq-qos: refactor out common elements of blk-wbt") +Cc: stable@vger.kernel.org +Cc: Josef Bacik +Signed-off-by: Harshad Shirwadkar +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + block/blk-rq-qos.c | 14 +++++++++----- + block/blk-rq-qos.h | 4 ++-- + block/blk-wbt.c | 6 ++++-- + 3 files changed, 15 insertions(+), 9 deletions(-) + +--- a/block/blk-rq-qos.c ++++ b/block/blk-rq-qos.c +@@ -142,24 +142,27 @@ bool rq_depth_calc_max_depth(struct rq_d + return ret; + } + +-void rq_depth_scale_up(struct rq_depth *rqd) ++/* Returns true on success and false if scaling up wasn't possible */ ++bool rq_depth_scale_up(struct rq_depth *rqd) + { + /* + * Hit max in previous round, stop here + */ + if (rqd->scaled_max) +- return; ++ return false; + + rqd->scale_step--; + + rqd->scaled_max = rq_depth_calc_max_depth(rqd); ++ return true; + } + + /* + * Scale rwb down. If 'hard_throttle' is set, do it quicker, since we +- * had a latency violation. ++ * had a latency violation. Returns true on success and returns false if ++ * scaling down wasn't possible. + */ +-void rq_depth_scale_down(struct rq_depth *rqd, bool hard_throttle) ++bool rq_depth_scale_down(struct rq_depth *rqd, bool hard_throttle) + { + /* + * Stop scaling down when we've hit the limit. This also prevents +@@ -167,7 +170,7 @@ void rq_depth_scale_down(struct rq_depth + * keep up. + */ + if (rqd->max_depth == 1) +- return; ++ return false; + + if (rqd->scale_step < 0 && hard_throttle) + rqd->scale_step = 0; +@@ -176,6 +179,7 @@ void rq_depth_scale_down(struct rq_depth + + rqd->scaled_max = false; + rq_depth_calc_max_depth(rqd); ++ return true; + } + + struct rq_qos_wait_data { +--- a/block/blk-rq-qos.h ++++ b/block/blk-rq-qos.h +@@ -125,8 +125,8 @@ void rq_qos_wait(struct rq_wait *rqw, vo + acquire_inflight_cb_t *acquire_inflight_cb, + cleanup_cb_t *cleanup_cb); + bool rq_wait_inc_below(struct rq_wait *rq_wait, unsigned int limit); +-void rq_depth_scale_up(struct rq_depth *rqd); +-void rq_depth_scale_down(struct rq_depth *rqd, bool hard_throttle); ++bool rq_depth_scale_up(struct rq_depth *rqd); ++bool rq_depth_scale_down(struct rq_depth *rqd, bool hard_throttle); + bool rq_depth_calc_max_depth(struct rq_depth *rqd); + + void __rq_qos_cleanup(struct rq_qos *rqos, struct bio *bio); +--- a/block/blk-wbt.c ++++ b/block/blk-wbt.c +@@ -308,7 +308,8 @@ static void calc_wb_limits(struct rq_wb + + static void scale_up(struct rq_wb *rwb) + { +- rq_depth_scale_up(&rwb->rq_depth); ++ if (!rq_depth_scale_up(&rwb->rq_depth)) ++ return; + calc_wb_limits(rwb); + rwb->unknown_cnt = 0; + rwb_wake_all(rwb); +@@ -317,7 +318,8 @@ static void scale_up(struct rq_wb *rwb) + + static void scale_down(struct rq_wb *rwb, bool hard_throttle) + { +- rq_depth_scale_down(&rwb->rq_depth, hard_throttle); ++ if (!rq_depth_scale_down(&rwb->rq_depth, hard_throttle)) ++ return; + calc_wb_limits(rwb); + rwb->unknown_cnt = 0; + rwb_trace_step(rwb, "scale down"); diff --git a/queue-5.3/cifs-force-reval-dentry-if-lookup_reval-flag-is-set.patch b/queue-5.3/cifs-force-reval-dentry-if-lookup_reval-flag-is-set.patch new file mode 100644 index 00000000000..65f01a5a3ff --- /dev/null +++ b/queue-5.3/cifs-force-reval-dentry-if-lookup_reval-flag-is-set.patch @@ -0,0 +1,53 @@ +From 0b3d0ef9840f7be202393ca9116b857f6f793715 Mon Sep 17 00:00:00 2001 +From: Pavel Shilovsky +Date: Mon, 30 Sep 2019 10:06:20 -0700 +Subject: CIFS: Force reval dentry if LOOKUP_REVAL flag is set + +From: Pavel Shilovsky + +commit 0b3d0ef9840f7be202393ca9116b857f6f793715 upstream. + +Mark inode for force revalidation if LOOKUP_REVAL flag is set. +This tells the client to actually send a QueryInfo request to +the server to obtain the latest metadata in case a directory +or a file were changed remotely. Only do that if the client +doesn't have a lease for the file to avoid unneeded round +trips to the server. + +Cc: +Signed-off-by: Pavel Shilovsky +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/dir.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/fs/cifs/dir.c ++++ b/fs/cifs/dir.c +@@ -738,10 +738,16 @@ cifs_lookup(struct inode *parent_dir_ino + static int + cifs_d_revalidate(struct dentry *direntry, unsigned int flags) + { ++ struct inode *inode; ++ + if (flags & LOOKUP_RCU) + return -ECHILD; + + if (d_really_is_positive(direntry)) { ++ inode = d_inode(direntry); ++ if ((flags & LOOKUP_REVAL) && !CIFS_CACHE_READ(CIFS_I(inode))) ++ CIFS_I(inode)->time = 0; /* force reval */ ++ + if (cifs_revalidate_dentry(direntry)) + return 0; + else { +@@ -752,7 +758,7 @@ cifs_d_revalidate(struct dentry *direntr + * attributes will have been updated by + * cifs_revalidate_dentry(). + */ +- if (IS_AUTOMOUNT(d_inode(direntry)) && ++ if (IS_AUTOMOUNT(inode) && + !(direntry->d_flags & DCACHE_NEED_AUTOMOUNT)) { + spin_lock(&direntry->d_lock); + direntry->d_flags |= DCACHE_NEED_AUTOMOUNT; diff --git a/queue-5.3/cifs-force-revalidate-inode-when-dentry-is-stale.patch b/queue-5.3/cifs-force-revalidate-inode-when-dentry-is-stale.patch new file mode 100644 index 00000000000..1e16eeffe10 --- /dev/null +++ b/queue-5.3/cifs-force-revalidate-inode-when-dentry-is-stale.patch @@ -0,0 +1,61 @@ +From c82e5ac7fe3570a269c0929bf7899f62048e7dbc Mon Sep 17 00:00:00 2001 +From: Pavel Shilovsky +Date: Mon, 30 Sep 2019 10:06:19 -0700 +Subject: CIFS: Force revalidate inode when dentry is stale + +From: Pavel Shilovsky + +commit c82e5ac7fe3570a269c0929bf7899f62048e7dbc upstream. + +Currently the client indicates that a dentry is stale when inode +numbers or type types between a local inode and a remote file +don't match. If this is the case attributes is not being copied +from remote to local, so, it is already known that the local copy +has stale metadata. That's why the inode needs to be marked for +revalidation in order to tell the VFS to lookup the dentry again +before openning a file. This prevents unexpected stale errors +to be returned to the user space when openning a file. + +Cc: +Signed-off-by: Pavel Shilovsky +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/inode.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/fs/cifs/inode.c ++++ b/fs/cifs/inode.c +@@ -414,6 +414,7 @@ int cifs_get_inode_info_unix(struct inod + /* if uniqueid is different, return error */ + if (unlikely(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_SERVER_INUM && + CIFS_I(*pinode)->uniqueid != fattr.cf_uniqueid)) { ++ CIFS_I(*pinode)->time = 0; /* force reval */ + rc = -ESTALE; + goto cgiiu_exit; + } +@@ -421,6 +422,7 @@ int cifs_get_inode_info_unix(struct inod + /* if filetype is different, return error */ + if (unlikely(((*pinode)->i_mode & S_IFMT) != + (fattr.cf_mode & S_IFMT))) { ++ CIFS_I(*pinode)->time = 0; /* force reval */ + rc = -ESTALE; + goto cgiiu_exit; + } +@@ -924,6 +926,7 @@ cifs_get_inode_info(struct inode **inode + /* if uniqueid is different, return error */ + if (unlikely(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_SERVER_INUM && + CIFS_I(*inode)->uniqueid != fattr.cf_uniqueid)) { ++ CIFS_I(*inode)->time = 0; /* force reval */ + rc = -ESTALE; + goto cgii_exit; + } +@@ -931,6 +934,7 @@ cifs_get_inode_info(struct inode **inode + /* if filetype is different, return error */ + if (unlikely(((*inode)->i_mode & S_IFMT) != + (fattr.cf_mode & S_IFMT))) { ++ CIFS_I(*inode)->time = 0; /* force reval */ + rc = -ESTALE; + goto cgii_exit; + } diff --git a/queue-5.3/cifs-gracefully-handle-queryinfo-errors-during-open.patch b/queue-5.3/cifs-gracefully-handle-queryinfo-errors-during-open.patch new file mode 100644 index 00000000000..c013ce292b1 --- /dev/null +++ b/queue-5.3/cifs-gracefully-handle-queryinfo-errors-during-open.patch @@ -0,0 +1,45 @@ +From 30573a82fb179420b8aac30a3a3595aa96a93156 Mon Sep 17 00:00:00 2001 +From: Pavel Shilovsky +Date: Mon, 30 Sep 2019 10:06:18 -0700 +Subject: CIFS: Gracefully handle QueryInfo errors during open + +From: Pavel Shilovsky + +commit 30573a82fb179420b8aac30a3a3595aa96a93156 upstream. + +Currently if the client identifies problems when processing +metadata returned in CREATE response, the open handle is being +leaked. This causes multiple problems like a file missing a lease +break by that client which causes high latencies to other clients +accessing the file. Another side-effect of this is that the file +can't be deleted. + +Fix this by closing the file after the client hits an error after +the file was opened and the open descriptor wasn't returned to +the user space. Also convert -ESTALE to -EOPENSTALE to allow +the VFS to revalidate a dentry and retry the open. + +Cc: +Signed-off-by: Pavel Shilovsky +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/file.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/fs/cifs/file.c ++++ b/fs/cifs/file.c +@@ -253,6 +253,12 @@ cifs_nt_open(char *full_path, struct ino + rc = cifs_get_inode_info(&inode, full_path, buf, inode->i_sb, + xid, fid); + ++ if (rc) { ++ server->ops->close(xid, tcon, fid); ++ if (rc == -ESTALE) ++ rc = -EOPENSTALE; ++ } ++ + out: + kfree(buf); + return rc; diff --git a/queue-5.3/cifs-use-cifsinodeinfo-open_file_lock-while-iterating-to-avoid-a-panic.patch b/queue-5.3/cifs-use-cifsinodeinfo-open_file_lock-while-iterating-to-avoid-a-panic.patch new file mode 100644 index 00000000000..97747da5401 --- /dev/null +++ b/queue-5.3/cifs-use-cifsinodeinfo-open_file_lock-while-iterating-to-avoid-a-panic.patch @@ -0,0 +1,167 @@ +From cb248819d209d113e45fed459773991518e8e80b Mon Sep 17 00:00:00 2001 +From: Dave Wysochanski +Date: Thu, 3 Oct 2019 15:16:27 +1000 +Subject: cifs: use cifsInodeInfo->open_file_lock while iterating to avoid a panic + +From: Dave Wysochanski + +commit cb248819d209d113e45fed459773991518e8e80b upstream. + +Commit 487317c99477 ("cifs: add spinlock for the openFileList to +cifsInodeInfo") added cifsInodeInfo->open_file_lock spin_lock to protect +the openFileList, but missed a few places where cifs_inode->openFileList +was enumerated. Change these remaining tcon->open_file_lock to +cifsInodeInfo->open_file_lock to avoid panic in is_size_safe_to_change. + +[17313.245641] RIP: 0010:is_size_safe_to_change+0x57/0xb0 [cifs] +[17313.245645] Code: 68 40 48 89 ef e8 19 67 b7 f1 48 8b 43 40 48 8d 4b 40 48 8d 50 f0 48 39 c1 75 0f eb 47 48 8b 42 10 48 8d 50 f0 48 39 c1 74 3a <8b> 80 88 00 00 00 83 c0 01 a8 02 74 e6 48 89 ef c6 07 00 0f 1f 40 +[17313.245649] RSP: 0018:ffff94ae1baefa30 EFLAGS: 00010202 +[17313.245654] RAX: dead000000000100 RBX: ffff88dc72243300 RCX: ffff88dc72243340 +[17313.245657] RDX: dead0000000000f0 RSI: 00000000098f7940 RDI: ffff88dd3102f040 +[17313.245659] RBP: ffff88dd3102f040 R08: 0000000000000000 R09: ffff94ae1baefc40 +[17313.245661] R10: ffffcdc8bb1c4e80 R11: ffffcdc8b50adb08 R12: 00000000098f7940 +[17313.245663] R13: ffff88dc72243300 R14: ffff88dbc8f19600 R15: ffff88dc72243428 +[17313.245667] FS: 00007fb145485700(0000) GS:ffff88dd3e000000(0000) knlGS:0000000000000000 +[17313.245670] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[17313.245672] CR2: 0000026bb46c6000 CR3: 0000004edb110003 CR4: 00000000007606e0 +[17313.245753] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[17313.245756] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[17313.245759] PKRU: 55555554 +[17313.245761] Call Trace: +[17313.245803] cifs_fattr_to_inode+0x16b/0x580 [cifs] +[17313.245838] cifs_get_inode_info+0x35c/0xa60 [cifs] +[17313.245852] ? kmem_cache_alloc_trace+0x151/0x1d0 +[17313.245885] cifs_open+0x38f/0x990 [cifs] +[17313.245921] ? cifs_revalidate_dentry_attr+0x3e/0x350 [cifs] +[17313.245953] ? cifsFileInfo_get+0x30/0x30 [cifs] +[17313.245960] ? do_dentry_open+0x132/0x330 +[17313.245963] do_dentry_open+0x132/0x330 +[17313.245969] path_openat+0x573/0x14d0 +[17313.245974] do_filp_open+0x93/0x100 +[17313.245979] ? __check_object_size+0xa3/0x181 +[17313.245986] ? audit_alloc_name+0x7e/0xd0 +[17313.245992] do_sys_open+0x184/0x220 +[17313.245999] do_syscall_64+0x5b/0x1b0 + +Fixes: 487317c99477 ("cifs: add spinlock for the openFileList to cifsInodeInfo") + +CC: Stable +Signed-off-by: Dave Wysochanski +Reviewed-by: Ronnie Sahlberg +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/file.c | 27 +++++++++++---------------- + 1 file changed, 11 insertions(+), 16 deletions(-) + +--- a/fs/cifs/file.c ++++ b/fs/cifs/file.c +@@ -1853,13 +1853,12 @@ struct cifsFileInfo *find_readable_file( + { + struct cifsFileInfo *open_file = NULL; + struct cifs_sb_info *cifs_sb = CIFS_SB(cifs_inode->vfs_inode.i_sb); +- struct cifs_tcon *tcon = cifs_sb_master_tcon(cifs_sb); + + /* only filter by fsuid on multiuser mounts */ + if (!(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_MULTIUSER)) + fsuid_only = false; + +- spin_lock(&tcon->open_file_lock); ++ spin_lock(&cifs_inode->open_file_lock); + /* we could simply get the first_list_entry since write-only entries + are always at the end of the list but since the first entry might + have a close pending, we go through the whole list */ +@@ -1871,7 +1870,7 @@ struct cifsFileInfo *find_readable_file( + /* found a good file */ + /* lock it so it will not be closed on us */ + cifsFileInfo_get(open_file); +- spin_unlock(&tcon->open_file_lock); ++ spin_unlock(&cifs_inode->open_file_lock); + return open_file; + } /* else might as well continue, and look for + another, or simply have the caller reopen it +@@ -1879,7 +1878,7 @@ struct cifsFileInfo *find_readable_file( + } else /* write only file */ + break; /* write only files are last so must be done */ + } +- spin_unlock(&tcon->open_file_lock); ++ spin_unlock(&cifs_inode->open_file_lock); + return NULL; + } + +@@ -1890,7 +1889,6 @@ cifs_get_writable_file(struct cifsInodeI + { + struct cifsFileInfo *open_file, *inv_file = NULL; + struct cifs_sb_info *cifs_sb; +- struct cifs_tcon *tcon; + bool any_available = false; + int rc = -EBADF; + unsigned int refind = 0; +@@ -1910,16 +1908,15 @@ cifs_get_writable_file(struct cifsInodeI + } + + cifs_sb = CIFS_SB(cifs_inode->vfs_inode.i_sb); +- tcon = cifs_sb_master_tcon(cifs_sb); + + /* only filter by fsuid on multiuser mounts */ + if (!(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_MULTIUSER)) + fsuid_only = false; + +- spin_lock(&tcon->open_file_lock); ++ spin_lock(&cifs_inode->open_file_lock); + refind_writable: + if (refind > MAX_REOPEN_ATT) { +- spin_unlock(&tcon->open_file_lock); ++ spin_unlock(&cifs_inode->open_file_lock); + return rc; + } + list_for_each_entry(open_file, &cifs_inode->openFileList, flist) { +@@ -1931,7 +1928,7 @@ refind_writable: + if (!open_file->invalidHandle) { + /* found a good writable file */ + cifsFileInfo_get(open_file); +- spin_unlock(&tcon->open_file_lock); ++ spin_unlock(&cifs_inode->open_file_lock); + *ret_file = open_file; + return 0; + } else { +@@ -1951,7 +1948,7 @@ refind_writable: + cifsFileInfo_get(inv_file); + } + +- spin_unlock(&tcon->open_file_lock); ++ spin_unlock(&cifs_inode->open_file_lock); + + if (inv_file) { + rc = cifs_reopen_file(inv_file, false); +@@ -1966,7 +1963,7 @@ refind_writable: + cifsFileInfo_put(inv_file); + ++refind; + inv_file = NULL; +- spin_lock(&tcon->open_file_lock); ++ spin_lock(&cifs_inode->open_file_lock); + goto refind_writable; + } + +@@ -4405,17 +4402,15 @@ static int cifs_readpage(struct file *fi + static int is_inode_writable(struct cifsInodeInfo *cifs_inode) + { + struct cifsFileInfo *open_file; +- struct cifs_tcon *tcon = +- cifs_sb_master_tcon(CIFS_SB(cifs_inode->vfs_inode.i_sb)); + +- spin_lock(&tcon->open_file_lock); ++ spin_lock(&cifs_inode->open_file_lock); + list_for_each_entry(open_file, &cifs_inode->openFileList, flist) { + if (OPEN_FMODE(open_file->f_flags) & FMODE_WRITE) { +- spin_unlock(&tcon->open_file_lock); ++ spin_unlock(&cifs_inode->open_file_lock); + return 1; + } + } +- spin_unlock(&tcon->open_file_lock); ++ spin_unlock(&cifs_inode->open_file_lock); + return 0; + } + diff --git a/queue-5.3/drm-i915-perform-ggtt-restore-much-earlier-during-resume.patch b/queue-5.3/drm-i915-perform-ggtt-restore-much-earlier-during-resume.patch new file mode 100644 index 00000000000..e5bd84bb55f --- /dev/null +++ b/queue-5.3/drm-i915-perform-ggtt-restore-much-earlier-during-resume.patch @@ -0,0 +1,74 @@ +From 6c76a93c453643e11a1063906c7c39168dd8d163 Mon Sep 17 00:00:00 2001 +From: Chris Wilson +Date: Mon, 9 Sep 2019 12:00:08 +0100 +Subject: drm/i915: Perform GGTT restore much earlier during resume + +From: Chris Wilson + +commit 6c76a93c453643e11a1063906c7c39168dd8d163 upstream. + +As soon as we re-enable the various functions within the HW, they may go +off and read data via a GGTT offset. Hence, if we have not yet restored +the GGTT PTE before then, they may read and even *write* random locations +in memory. + +Detected by DMAR faults during resume. + +Signed-off-by: Chris Wilson +Cc: Mika Kuoppala +Cc: Martin Peres +Cc: Joonas Lahtinen +Cc: stable@vger.kernel.org +Reviewed-by: Mika Kuoppala +Link: https://patchwork.freedesktop.org/patch/msgid/20190909110011.8958-4-chris@chris-wilson.co.uk +(cherry picked from commit cec5ca08e36fd18d2939b98055346b3b06f56c6c) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/gem/i915_gem_pm.c | 3 --- + drivers/gpu/drm/i915/i915_drv.c | 5 +++++ + drivers/gpu/drm/i915/selftests/i915_gem.c | 6 ++++++ + 3 files changed, 11 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/i915/gem/i915_gem_pm.c ++++ b/drivers/gpu/drm/i915/gem/i915_gem_pm.c +@@ -250,9 +250,6 @@ void i915_gem_resume(struct drm_i915_pri + mutex_lock(&i915->drm.struct_mutex); + intel_uncore_forcewake_get(&i915->uncore, FORCEWAKE_ALL); + +- i915_gem_restore_gtt_mappings(i915); +- i915_gem_restore_fences(i915); +- + if (i915_gem_init_hw(i915)) + goto err_wedged; + +--- a/drivers/gpu/drm/i915/i915_drv.c ++++ b/drivers/gpu/drm/i915/i915_drv.c +@@ -2238,6 +2238,11 @@ static int i915_drm_resume(struct drm_de + if (ret) + DRM_ERROR("failed to re-enable GGTT\n"); + ++ mutex_lock(&dev_priv->drm.struct_mutex); ++ i915_gem_restore_gtt_mappings(dev_priv); ++ i915_gem_restore_fences(dev_priv); ++ mutex_unlock(&dev_priv->drm.struct_mutex); ++ + intel_csr_ucode_resume(dev_priv); + + i915_restore_state(dev_priv); +--- a/drivers/gpu/drm/i915/selftests/i915_gem.c ++++ b/drivers/gpu/drm/i915/selftests/i915_gem.c +@@ -117,6 +117,12 @@ static void pm_resume(struct drm_i915_pr + with_intel_runtime_pm(&i915->runtime_pm, wakeref) { + intel_gt_sanitize(i915, false); + i915_gem_sanitize(i915); ++ ++ mutex_lock(&i915->drm.struct_mutex); ++ i915_gem_restore_gtt_mappings(i915); ++ i915_gem_restore_fences(i915); ++ mutex_unlock(&i915->drm.struct_mutex); ++ + i915_gem_resume(i915); + } + } diff --git a/queue-5.3/efi-tpm-don-t-access-event-count-when-it-isn-t-mapped.patch b/queue-5.3/efi-tpm-don-t-access-event-count-when-it-isn-t-mapped.patch new file mode 100644 index 00000000000..78da610d0c4 --- /dev/null +++ b/queue-5.3/efi-tpm-don-t-access-event-count-when-it-isn-t-mapped.patch @@ -0,0 +1,92 @@ +From 047d50aee341d940350897c85799e56ae57c3849 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Wed, 2 Oct 2019 18:59:00 +0200 +Subject: efi/tpm: Don't access event->count when it isn't mapped + +From: Peter Jones + +commit 047d50aee341d940350897c85799e56ae57c3849 upstream. + +Some machines generate a lot of event log entries. When we're +iterating over them, the code removes the old mapping and adds a +new one, so once we cross the page boundary we're unmapping the page +with the count on it. Hilarity ensues. + +This patch keeps the info from the header in local variables so we don't +need to access that page again or keep track of if it's mapped. + +Tested-by: Lyude Paul +Signed-off-by: Peter Jones +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Ard Biesheuvel +Reviewed-by: Jarkko Sakkinen +Acked-by: Matthew Garrett +Acked-by: Ard Biesheuvel +Cc: Ben Dooks +Cc: Dave Young +Cc: Jerry Snitselaar +Cc: Linus Torvalds +Cc: Lukas Wunner +Cc: Octavian Purdila +Cc: Peter Zijlstra +Cc: Scott Talbert +Cc: Thomas Gleixner +Cc: linux-efi@vger.kernel.org +Cc: linux-integrity@vger.kernel.org +Cc: stable@vger.kernel.org +Fixes: 44038bc514a2 ("tpm: Abstract crypto agile event size calculations") +Link: https://lkml.kernel.org/r/20191002165904.8819-4-ard.biesheuvel@linaro.org +[ Minor edits. ] +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/tpm_eventlog.h | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +--- a/include/linux/tpm_eventlog.h ++++ b/include/linux/tpm_eventlog.h +@@ -170,6 +170,7 @@ static inline int __calc_tpm2_event_size + u16 halg; + int i; + int j; ++ u32 count, event_type; + + marker = event; + marker_start = marker; +@@ -190,16 +191,22 @@ static inline int __calc_tpm2_event_size + } + + event = (struct tcg_pcr_event2_head *)mapping; ++ /* ++ * The loop below will unmap these fields if the log is larger than ++ * one page, so save them here for reference: ++ */ ++ count = READ_ONCE(event->count); ++ event_type = READ_ONCE(event->event_type); + + efispecid = (struct tcg_efi_specid_event_head *)event_header->event; + + /* Check if event is malformed. */ +- if (event->count > efispecid->num_algs) { ++ if (count > efispecid->num_algs) { + size = 0; + goto out; + } + +- for (i = 0; i < event->count; i++) { ++ for (i = 0; i < count; i++) { + halg_size = sizeof(event->digests[i].alg_id); + + /* Map the digest's algorithm identifier */ +@@ -256,8 +263,9 @@ static inline int __calc_tpm2_event_size + + event_field->event_size; + size = marker - marker_start; + +- if ((event->event_type == 0) && (event_field->event_size == 0)) ++ if (event_type == 0 && event_field->event_size == 0) + size = 0; ++ + out: + if (do_mapping) + TPM_MEMUNMAP(mapping, mapping_size); diff --git a/queue-5.3/efi-tpm-don-t-traverse-an-event-log-with-no-events.patch b/queue-5.3/efi-tpm-don-t-traverse-an-event-log-with-no-events.patch new file mode 100644 index 00000000000..53b52ca9e6d --- /dev/null +++ b/queue-5.3/efi-tpm-don-t-traverse-an-event-log-with-no-events.patch @@ -0,0 +1,68 @@ +From 05c8c1ff81ed2eb9bad7c27cf92e55c864c16df8 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Wed, 2 Oct 2019 18:59:01 +0200 +Subject: efi/tpm: Don't traverse an event log with no events + +From: Peter Jones + +commit 05c8c1ff81ed2eb9bad7c27cf92e55c864c16df8 upstream. + +When there are no entries to put into the final event log, some machines +will return the template they would have populated anyway. In this case +the nr_events field is 0, but the rest of the log is just garbage. + +This patch stops us from trying to iterate the table with +__calc_tpm2_event_size() when the number of events in the table is 0. + +Tested-by: Lyude Paul +Signed-off-by: Peter Jones +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Ard Biesheuvel +Reviewed-by: Jarkko Sakkinen +Acked-by: Matthew Garrett +Acked-by: Ard Biesheuvel +Cc: Ben Dooks +Cc: Dave Young +Cc: Jerry Snitselaar +Cc: Linus Torvalds +Cc: Lukas Wunner +Cc: Octavian Purdila +Cc: Peter Zijlstra +Cc: Scott Talbert +Cc: Thomas Gleixner +Cc: linux-efi@vger.kernel.org +Cc: linux-integrity@vger.kernel.org +Cc: stable@vger.kernel.org +Fixes: c46f3405692d ("tpm: Reserve the TPM final events table") +Link: https://lkml.kernel.org/r/20191002165904.8819-5-ard.biesheuvel@linaro.org +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/firmware/efi/tpm.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +--- a/drivers/firmware/efi/tpm.c ++++ b/drivers/firmware/efi/tpm.c +@@ -75,11 +75,16 @@ int __init efi_tpm_eventlog_init(void) + goto out; + } + +- tbl_size = tpm2_calc_event_log_size((void *)efi.tpm_final_log +- + sizeof(final_tbl->version) +- + sizeof(final_tbl->nr_events), +- final_tbl->nr_events, +- log_tbl->log); ++ tbl_size = 0; ++ if (final_tbl->nr_events != 0) { ++ void *events = (void *)efi.tpm_final_log ++ + sizeof(final_tbl->version) ++ + sizeof(final_tbl->nr_events); ++ ++ tbl_size = tpm2_calc_event_log_size(events, ++ final_tbl->nr_events, ++ log_tbl->log); ++ } + memblock_reserve((unsigned long)final_tbl, + tbl_size + sizeof(*final_tbl)); + early_memunmap(final_tbl, sizeof(*final_tbl)); diff --git a/queue-5.3/efi-tpm-only-set-efi_tpm_final_log_size-after-successful-event-log-parsing.patch b/queue-5.3/efi-tpm-only-set-efi_tpm_final_log_size-after-successful-event-log-parsing.patch new file mode 100644 index 00000000000..1d9f4d665af --- /dev/null +++ b/queue-5.3/efi-tpm-only-set-efi_tpm_final_log_size-after-successful-event-log-parsing.patch @@ -0,0 +1,96 @@ +From e658c82be5561412c5e83b5e74e9da4830593f3e Mon Sep 17 00:00:00 2001 +From: Jerry Snitselaar +Date: Wed, 2 Oct 2019 18:59:02 +0200 +Subject: efi/tpm: Only set 'efi_tpm_final_log_size' after successful event log parsing + +From: Jerry Snitselaar + +commit e658c82be5561412c5e83b5e74e9da4830593f3e upstream. + +If __calc_tpm2_event_size() fails to parse an event it will return 0, +resulting tpm2_calc_event_log_size() returning -1. Currently there is +no check of this return value, and 'efi_tpm_final_log_size' can end up +being set to this negative value resulting in a crash like this one: + + BUG: unable to handle page fault for address: ffffbc8fc00866ad + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + + RIP: 0010:memcpy_erms+0x6/0x10 + Call Trace: + tpm_read_log_efi() + tpm_bios_log_setup() + tpm_chip_register() + tpm_tis_core_init.cold.9+0x28c/0x466 + tpm_tis_plat_probe() + platform_drv_probe() + ... + +Also __calc_tpm2_event_size() returns a size of 0 when it fails +to parse an event, so update function documentation to reflect this. + +The root cause of the issue that caused the failure of event parsing +in this case is resolved by Peter Jone's patchset dealing with large +event logs where crossing over a page boundary causes the page with +the event count to be unmapped. + +Signed-off-by: Jerry Snitselaar +Signed-off-by: Ard Biesheuvel +Cc: Ben Dooks +Cc: Dave Young +Cc: Jarkko Sakkinen +Cc: Linus Torvalds +Cc: Lukas Wunner +Cc: Lyude Paul +Cc: Matthew Garrett +Cc: Octavian Purdila +Cc: Peter Jones +Cc: Peter Zijlstra +Cc: Scott Talbert +Cc: Thomas Gleixner +Cc: linux-efi@vger.kernel.org +Cc: linux-integrity@vger.kernel.org +Cc: stable@vger.kernel.org +Fixes: c46f3405692de ("tpm: Reserve the TPM final events table") +Link: https://lkml.kernel.org/r/20191002165904.8819-6-ard.biesheuvel@linaro.org +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/firmware/efi/tpm.c | 9 ++++++++- + include/linux/tpm_eventlog.h | 2 +- + 2 files changed, 9 insertions(+), 2 deletions(-) + +--- a/drivers/firmware/efi/tpm.c ++++ b/drivers/firmware/efi/tpm.c +@@ -85,11 +85,18 @@ int __init efi_tpm_eventlog_init(void) + final_tbl->nr_events, + log_tbl->log); + } ++ ++ if (tbl_size < 0) { ++ pr_err(FW_BUG "Failed to parse event in TPM Final Events Log\n"); ++ goto out_calc; ++ } ++ + memblock_reserve((unsigned long)final_tbl, + tbl_size + sizeof(*final_tbl)); +- early_memunmap(final_tbl, sizeof(*final_tbl)); + efi_tpm_final_log_size = tbl_size; + ++out_calc: ++ early_memunmap(final_tbl, sizeof(*final_tbl)); + out: + early_memunmap(log_tbl, sizeof(*log_tbl)); + return ret; +--- a/include/linux/tpm_eventlog.h ++++ b/include/linux/tpm_eventlog.h +@@ -152,7 +152,7 @@ struct tcg_algorithm_info { + * total. Once we've done this we know the offset of the data length field, + * and can calculate the total size of the event. + * +- * Return: size of the event on success, <0 on failure ++ * Return: size of the event on success, 0 on failure + */ + + static inline int __calc_tpm2_event_size(struct tcg_pcr_event2_head *event, diff --git a/queue-5.3/efivar-ssdt-don-t-iterate-over-efi-vars-if-no-ssdt-override-was-specified.patch b/queue-5.3/efivar-ssdt-don-t-iterate-over-efi-vars-if-no-ssdt-override-was-specified.patch new file mode 100644 index 00000000000..67c9f09c6be --- /dev/null +++ b/queue-5.3/efivar-ssdt-don-t-iterate-over-efi-vars-if-no-ssdt-override-was-specified.patch @@ -0,0 +1,59 @@ +From c05f8f92b701576b615f30aac31fabdc0648649b Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Wed, 2 Oct 2019 18:58:59 +0200 +Subject: efivar/ssdt: Don't iterate over EFI vars if no SSDT override was specified + +From: Ard Biesheuvel + +commit c05f8f92b701576b615f30aac31fabdc0648649b upstream. + +The kernel command line option efivar_ssdt= allows the name to be +specified of an EFI variable containing an ACPI SSDT table that should +be loaded into memory by the OS, and treated as if it was provided by +the firmware. + +Currently, that code will always iterate over the EFI variables and +compare each name with the provided name, even if the command line +option wasn't set to begin with. + +So bail early when no variable name was provided. This works around a +boot regression on the 2012 Mac Pro, as reported by Scott. + +Tested-by: Scott Talbert +Signed-off-by: Ard Biesheuvel +Cc: # v4.9+ +Cc: Ben Dooks +Cc: Dave Young +Cc: Jarkko Sakkinen +Cc: Jerry Snitselaar +Cc: Linus Torvalds +Cc: Lukas Wunner +Cc: Lyude Paul +Cc: Matthew Garrett +Cc: Octavian Purdila +Cc: Peter Jones +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: linux-efi@vger.kernel.org +Cc: linux-integrity@vger.kernel.org +Fixes: 475fb4e8b2f4 ("efi / ACPI: load SSTDs from EFI variables") +Link: https://lkml.kernel.org/r/20191002165904.8819-3-ard.biesheuvel@linaro.org +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/firmware/efi/efi.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/firmware/efi/efi.c ++++ b/drivers/firmware/efi/efi.c +@@ -282,6 +282,9 @@ static __init int efivar_ssdt_load(void) + void *data; + int ret; + ++ if (!efivar_ssdt[0]) ++ return 0; ++ + ret = efivar_init(efivar_ssdt_iter, &entries, true, &entries); + + list_for_each_entry_safe(entry, aux, &entries, list) { diff --git a/queue-5.3/ib-core-fix-wrong-iterating-on-ports.patch b/queue-5.3/ib-core-fix-wrong-iterating-on-ports.patch new file mode 100644 index 00000000000..4a88d8f3d15 --- /dev/null +++ b/queue-5.3/ib-core-fix-wrong-iterating-on-ports.patch @@ -0,0 +1,41 @@ +From 1cbe866cbcb53338de33cf67262e73f9315a9725 Mon Sep 17 00:00:00 2001 +From: Mohamad Heib +Date: Wed, 2 Oct 2019 15:21:27 +0300 +Subject: IB/core: Fix wrong iterating on ports + +From: Mohamad Heib + +commit 1cbe866cbcb53338de33cf67262e73f9315a9725 upstream. + +rdma_for_each_port is already incrementing the iterator's value it +receives therefore, after the first iteration the iterator is increased by +2 which eventually causing wrong queries and possible traces. + +Fix the above by removing the old redundant incrementation that was used +before rdma_for_each_port() macro. + +Cc: +Fixes: ea1075edcbab ("RDMA: Add and use rdma_for_each_port") +Link: https://lore.kernel.org/r/20191002122127.17571-1-leon@kernel.org +Signed-off-by: Mohamad Heib +Reviewed-by: Erez Alfasi +Signed-off-by: Leon Romanovsky +Reviewed-by: Jason Gunthorpe +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/core/security.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/infiniband/core/security.c ++++ b/drivers/infiniband/core/security.c +@@ -426,7 +426,7 @@ int ib_create_qp_security(struct ib_qp * + int ret; + + rdma_for_each_port (dev, i) { +- is_ib = rdma_protocol_ib(dev, i++); ++ is_ib = rdma_protocol_ib(dev, i); + if (is_ib) + break; + } diff --git a/queue-5.3/iio-accel-adxl372-fix-push-to-buffers-lost-samples.patch b/queue-5.3/iio-accel-adxl372-fix-push-to-buffers-lost-samples.patch new file mode 100644 index 00000000000..3775d0245f3 --- /dev/null +++ b/queue-5.3/iio-accel-adxl372-fix-push-to-buffers-lost-samples.patch @@ -0,0 +1,35 @@ +From 62df81b74393079debf04961c48cb22268fc5fab Mon Sep 17 00:00:00 2001 +From: Stefan Popa +Date: Tue, 10 Sep 2019 17:44:21 +0300 +Subject: iio: accel: adxl372: Fix push to buffers lost samples + +From: Stefan Popa + +commit 62df81b74393079debf04961c48cb22268fc5fab upstream. + +One in two sample sets was lost by multiplying fifo_set_size with +sizeof(u16). Also, the double number of available samples were pushed to +the iio buffers. + +Signed-off-by: Stefan Popa +Fixes: f4f55ce38e5f ("iio:adxl372: Add FIFO and interrupts support") +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/accel/adxl372.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/iio/accel/adxl372.c ++++ b/drivers/iio/accel/adxl372.c +@@ -553,8 +553,7 @@ static irqreturn_t adxl372_trigger_handl + goto err; + + /* Each sample is 2 bytes */ +- for (i = 0; i < fifo_entries * sizeof(u16); +- i += st->fifo_set_size * sizeof(u16)) ++ for (i = 0; i < fifo_entries; i += st->fifo_set_size) + iio_push_to_buffers(indio_dev, &st->fifo_buf[i]); + } + err: diff --git a/queue-5.3/iio-accel-adxl372-fix-remove-limitation-for-fifo-samples.patch b/queue-5.3/iio-accel-adxl372-fix-remove-limitation-for-fifo-samples.patch new file mode 100644 index 00000000000..34376d3afeb --- /dev/null +++ b/queue-5.3/iio-accel-adxl372-fix-remove-limitation-for-fifo-samples.patch @@ -0,0 +1,47 @@ +From d202ce4787e446556c6b9d01f84734c3f8174ba3 Mon Sep 17 00:00:00 2001 +From: Stefan Popa +Date: Tue, 10 Sep 2019 17:43:32 +0300 +Subject: iio: accel: adxl372: Fix/remove limitation for FIFO samples + +From: Stefan Popa + +commit d202ce4787e446556c6b9d01f84734c3f8174ba3 upstream. + +Currently, the driver sets the FIFO_SAMPLES register with the number of +sample sets (maximum of 170 for 3 axis data, 256 for 2-axis and 512 for +single axis). However, the FIFO_SAMPLES register should store the number +of samples, regardless of how the FIFO format is configured. + +Signed-off-by: Stefan Popa +Fixes: f4f55ce38e5f ("iio:adxl372: Add FIFO and interrupts support") +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/accel/adxl372.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/drivers/iio/accel/adxl372.c ++++ b/drivers/iio/accel/adxl372.c +@@ -474,12 +474,17 @@ static int adxl372_configure_fifo(struct + if (ret < 0) + return ret; + +- fifo_samples = st->watermark & 0xFF; ++ /* ++ * watermark stores the number of sets; we need to write the FIFO ++ * registers with the number of samples ++ */ ++ fifo_samples = (st->watermark * st->fifo_set_size); + fifo_ctl = ADXL372_FIFO_CTL_FORMAT_MODE(st->fifo_format) | + ADXL372_FIFO_CTL_MODE_MODE(st->fifo_mode) | +- ADXL372_FIFO_CTL_SAMPLES_MODE(st->watermark); ++ ADXL372_FIFO_CTL_SAMPLES_MODE(fifo_samples); + +- ret = regmap_write(st->regmap, ADXL372_FIFO_SAMPLES, fifo_samples); ++ ret = regmap_write(st->regmap, ++ ADXL372_FIFO_SAMPLES, fifo_samples & 0xFF); + if (ret < 0) + return ret; + diff --git a/queue-5.3/iio-accel-adxl372-perform-a-reset-at-start-up.patch b/queue-5.3/iio-accel-adxl372-perform-a-reset-at-start-up.patch new file mode 100644 index 00000000000..392c2d244df --- /dev/null +++ b/queue-5.3/iio-accel-adxl372-perform-a-reset-at-start-up.patch @@ -0,0 +1,41 @@ +From d9a997bd4d762d5bd8cc548d762902f58b5e0a74 Mon Sep 17 00:00:00 2001 +From: Stefan Popa +Date: Tue, 10 Sep 2019 17:44:46 +0300 +Subject: iio: accel: adxl372: Perform a reset at start up + +From: Stefan Popa + +commit d9a997bd4d762d5bd8cc548d762902f58b5e0a74 upstream. + +We need to perform a reset a start up to make sure that the chip is in a +consistent state. This reset also disables all the interrupts which +should only be enabled together with the iio buffer. Not doing this, was +sometimes causing unwanted interrupts to trigger. + +Signed-off-by: Stefan Popa +Fixes: f4f55ce38e5f ("iio:adxl372: Add FIFO and interrupts support") +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/accel/adxl372.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/iio/accel/adxl372.c ++++ b/drivers/iio/accel/adxl372.c +@@ -575,6 +575,14 @@ static int adxl372_setup(struct adxl372_ + return -ENODEV; + } + ++ /* ++ * Perform a software reset to make sure the device is in a consistent ++ * state after start up. ++ */ ++ ret = regmap_write(st->regmap, ADXL372_RESET, ADXL372_RESET_CODE); ++ if (ret < 0) ++ return ret; ++ + ret = adxl372_set_op_mode(st, ADXL372_STANDBY); + if (ret < 0) + return ret; diff --git a/queue-5.3/iio-light-add-missing-vcnl4040-of_compatible.patch b/queue-5.3/iio-light-add-missing-vcnl4040-of_compatible.patch new file mode 100644 index 00000000000..75868cb9619 --- /dev/null +++ b/queue-5.3/iio-light-add-missing-vcnl4040-of_compatible.patch @@ -0,0 +1,37 @@ +From 7fd1c2606508eb384992251e87d50591393a48d0 Mon Sep 17 00:00:00 2001 +From: Marco Felsch +Date: Tue, 17 Sep 2019 16:56:37 +0200 +Subject: iio: light: add missing vcnl4040 of_compatible + +From: Marco Felsch + +commit 7fd1c2606508eb384992251e87d50591393a48d0 upstream. + +Commit 5a441aade5b3 ("iio: light: vcnl4000 add support for the VCNL4040 +proximity and light sensor") added the support for the vcnl4040 but +forgot to add the of_compatible. Fix this by adding it now. + +Signed-off-by: Marco Felsch +Fixes: 5a441aade5b3 ("iio: light: vcnl4000 add support for the VCNL4040 proximity and light sensor") +Reviewed-by: Angus Ainslie (Purism) angus@akkea.ca +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/light/vcnl4000.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/iio/light/vcnl4000.c ++++ b/drivers/iio/light/vcnl4000.c +@@ -409,6 +409,10 @@ static const struct of_device_id vcnl_40 + .data = "VCNL4020", + }, + { ++ .compatible = "vishay,vcnl4040", ++ .data = (void *)VCNL4040, ++ }, ++ { + .compatible = "vishay,vcnl4200", + .data = "VCNL4200", + }, diff --git a/queue-5.3/iio-light-opt3001-fix-mutex-unlock-race.patch b/queue-5.3/iio-light-opt3001-fix-mutex-unlock-race.patch new file mode 100644 index 00000000000..a16795e18e9 --- /dev/null +++ b/queue-5.3/iio-light-opt3001-fix-mutex-unlock-race.patch @@ -0,0 +1,56 @@ +From 82f3015635249a8c8c45bac303fd84905066f04f Mon Sep 17 00:00:00 2001 +From: David Frey +Date: Thu, 19 Sep 2019 15:54:18 -0700 +Subject: iio: light: opt3001: fix mutex unlock race + +From: David Frey + +commit 82f3015635249a8c8c45bac303fd84905066f04f upstream. + +When an end-of-conversion interrupt is received after performing a +single-shot reading of the light sensor, the driver was waking up the +result ready queue before checking opt->ok_to_ignore_lock to determine +if it should unlock the mutex. The problem occurred in the case where +the other thread woke up and changed the value of opt->ok_to_ignore_lock +to false prior to the interrupt thread performing its read of the +variable. In this case, the mutex would be unlocked twice. + +Signed-off-by: David Frey +Reviewed-by: Andreas Dannenberg +Fixes: 94a9b7b1809f ("iio: light: add support for TI's opt3001 light sensor") +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/light/opt3001.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/iio/light/opt3001.c ++++ b/drivers/iio/light/opt3001.c +@@ -686,6 +686,7 @@ static irqreturn_t opt3001_irq(int irq, + struct iio_dev *iio = _iio; + struct opt3001 *opt = iio_priv(iio); + int ret; ++ bool wake_result_ready_queue = false; + + if (!opt->ok_to_ignore_lock) + mutex_lock(&opt->lock); +@@ -720,13 +721,16 @@ static irqreturn_t opt3001_irq(int irq, + } + opt->result = ret; + opt->result_ready = true; +- wake_up(&opt->result_ready_queue); ++ wake_result_ready_queue = true; + } + + out: + if (!opt->ok_to_ignore_lock) + mutex_unlock(&opt->lock); + ++ if (wake_result_ready_queue) ++ wake_up(&opt->result_ready_queue); ++ + return IRQ_HANDLED; + } + diff --git a/queue-5.3/io_uring-only-flush-workqueues-on-fileset-removal.patch b/queue-5.3/io_uring-only-flush-workqueues-on-fileset-removal.patch new file mode 100644 index 00000000000..eef21813824 --- /dev/null +++ b/queue-5.3/io_uring-only-flush-workqueues-on-fileset-removal.patch @@ -0,0 +1,38 @@ +From 8a99734081775c012a4a6c442fdef0379fe52bdf Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Wed, 9 Oct 2019 14:40:13 -0600 +Subject: io_uring: only flush workqueues on fileset removal + +From: Jens Axboe + +commit 8a99734081775c012a4a6c442fdef0379fe52bdf upstream. + +We should not remove the workqueue, we just need to ensure that the +workqueues are synced. The workqueues are torn down on ctx removal. + +Cc: stable@vger.kernel.org +Fixes: 6b06314c47e1 ("io_uring: add file set registration") +Reported-by: Stefan Hajnoczi +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + fs/io_uring.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -2565,8 +2565,12 @@ static void io_finish_async(struct io_ri + static void io_destruct_skb(struct sk_buff *skb) + { + struct io_ring_ctx *ctx = skb->sk->sk_user_data; ++ int i; ++ ++ for (i = 0; i < ARRAY_SIZE(ctx->sqo_wq); i++) ++ if (ctx->sqo_wq[i]) ++ flush_workqueue(ctx->sqo_wq[i]); + +- io_finish_async(ctx); + unix_destruct_scm(skb); + } + diff --git a/queue-5.3/kernel-sysctl.c-do-not-override-max_threads-provided-by-userspace.patch b/queue-5.3/kernel-sysctl.c-do-not-override-max_threads-provided-by-userspace.patch new file mode 100644 index 00000000000..4e5ea20fad0 --- /dev/null +++ b/queue-5.3/kernel-sysctl.c-do-not-override-max_threads-provided-by-userspace.patch @@ -0,0 +1,83 @@ +From b0f53dbc4bc4c371f38b14c391095a3bb8a0bb40 Mon Sep 17 00:00:00 2001 +From: Michal Hocko +Date: Sun, 6 Oct 2019 17:58:19 -0700 +Subject: kernel/sysctl.c: do not override max_threads provided by userspace + +From: Michal Hocko + +commit b0f53dbc4bc4c371f38b14c391095a3bb8a0bb40 upstream. + +Partially revert 16db3d3f1170 ("kernel/sysctl.c: threads-max observe +limits") because the patch is causing a regression to any workload which +needs to override the auto-tuning of the limit provided by kernel. + +set_max_threads is implementing a boot time guesstimate to provide a +sensible limit of the concurrently running threads so that runaways will +not deplete all the memory. This is a good thing in general but there +are workloads which might need to increase this limit for an application +to run (reportedly WebSpher MQ is affected) and that is simply not +possible after the mentioned change. It is also very dubious to +override an admin decision by an estimation that doesn't have any direct +relation to correctness of the kernel operation. + +Fix this by dropping set_max_threads from sysctl_max_threads so any +value is accepted as long as it fits into MAX_THREADS which is important +to check because allowing more threads could break internal robust futex +restriction. While at it, do not use MIN_THREADS as the lower boundary +because it is also only a heuristic for automatic estimation and admin +might have a good reason to stop new threads to be created even when +below this limit. + +This became more severe when we switched x86 from 4k to 8k kernel +stacks. Starting since 6538b8ea886e ("x86_64: expand kernel stack to +16K") (3.16) we use THREAD_SIZE_ORDER = 2 and that halved the auto-tuned +value. + +In the particular case + + 3.12 + kernel.threads-max = 515561 + + 4.4 + kernel.threads-max = 200000 + +Neither of the two values is really insane on 32GB machine. + +I am not sure we want/need to tune the max_thread value further. If +anything the tuning should be removed altogether if proven not useful in +general. But we definitely need a way to override this auto-tuning. + +Link: http://lkml.kernel.org/r/20190922065801.GB18814@dhcp22.suse.cz +Fixes: 16db3d3f1170 ("kernel/sysctl.c: threads-max observe limits") +Signed-off-by: Michal Hocko +Reviewed-by: "Eric W. Biederman" +Cc: Heinrich Schuchardt +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/fork.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/kernel/fork.c ++++ b/kernel/fork.c +@@ -2939,7 +2939,7 @@ int sysctl_max_threads(struct ctl_table + struct ctl_table t; + int ret; + int threads = max_threads; +- int min = MIN_THREADS; ++ int min = 1; + int max = MAX_THREADS; + + t = *table; +@@ -2951,7 +2951,7 @@ int sysctl_max_threads(struct ctl_table + if (ret || !write) + return ret; + +- set_max_threads(threads); ++ max_threads = threads; + + return 0; + } diff --git a/queue-5.3/mm-page_alloc.c-fix-a-crash-in-free_pages_prepare.patch b/queue-5.3/mm-page_alloc.c-fix-a-crash-in-free_pages_prepare.patch new file mode 100644 index 00000000000..4ed539cef2c --- /dev/null +++ b/queue-5.3/mm-page_alloc.c-fix-a-crash-in-free_pages_prepare.patch @@ -0,0 +1,87 @@ +From 234fdce892f905cbc2674349a9eb4873e288e5b3 Mon Sep 17 00:00:00 2001 +From: Qian Cai +Date: Sun, 6 Oct 2019 17:58:25 -0700 +Subject: mm/page_alloc.c: fix a crash in free_pages_prepare() + +From: Qian Cai + +commit 234fdce892f905cbc2674349a9eb4873e288e5b3 upstream. + +On architectures like s390, arch_free_page() could mark the page unused +(set_page_unused()) and any access later would trigger a kernel panic. +Fix it by moving arch_free_page() after all possible accessing calls. + + Hardware name: IBM 2964 N96 400 (z/VM 6.4.0) + Krnl PSW : 0404e00180000000 0000000026c2b96e (__free_pages_ok+0x34e/0x5d8) + R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3 + Krnl GPRS: 0000000088d43af7 0000000000484000 000000000000007c 000000000000000f + 000003d080012100 000003d080013fc0 0000000000000000 0000000000100000 + 00000000275cca48 0000000000000100 0000000000000008 000003d080010000 + 00000000000001d0 000003d000000000 0000000026c2b78a 000000002717fdb0 + Krnl Code: 0000000026c2b95c: ec1100b30659 risbgn %r1,%r1,0,179,6 + 0000000026c2b962: e32014000036 pfd 2,1024(%r1) + #0000000026c2b968: d7ff10001000 xc 0(256,%r1),0(%r1) + >0000000026c2b96e: 41101100 la %r1,256(%r1) + 0000000026c2b972: a737fff8 brctg %r3,26c2b962 + 0000000026c2b976: d7ff10001000 xc 0(256,%r1),0(%r1) + 0000000026c2b97c: e31003400004 lg %r1,832 + 0000000026c2b982: ebff1430016a asi 5168(%r1),-1 + Call Trace: + __free_pages_ok+0x16a/0x5d8) + memblock_free_all+0x206/0x290 + mem_init+0x58/0x120 + start_kernel+0x2b0/0x570 + startup_continue+0x6a/0xc0 + INFO: lockdep is turned off. + Last Breaking-Event-Address: + __free_pages_ok+0x372/0x5d8 + Kernel panic - not syncing: Fatal exception: panic_on_oops + 00: HCPGIR450W CP entered; disabled wait PSW 00020001 80000000 00000000 26A2379C + +In the past, only kernel_poison_pages() would trigger this but it needs +"page_poison=on" kernel cmdline, and I suspect nobody tested that on +s390. Recently, kernel_init_free_pages() (commit 6471384af2a6 ("mm: +security: introduce init_on_alloc=1 and init_on_free=1 boot options")) +was added and could trigger this as well. + +[akpm@linux-foundation.org: add comment] +Link: http://lkml.kernel.org/r/1569613623-16820-1-git-send-email-cai@lca.pw +Fixes: 8823b1dbc05f ("mm/page_poison.c: enable PAGE_POISONING as a separate option") +Fixes: 6471384af2a6 ("mm: security: introduce init_on_alloc=1 and init_on_free=1 boot options") +Signed-off-by: Qian Cai +Reviewed-by: Heiko Carstens +Acked-by: Christian Borntraeger +Acked-by: Michal Hocko +Cc: "Kirill A. Shutemov" +Cc: Vasily Gorbik +Cc: Alexander Duyck +Cc: [5.3+] +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/page_alloc.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/mm/page_alloc.c ++++ b/mm/page_alloc.c +@@ -1174,11 +1174,17 @@ static __always_inline bool free_pages_p + debug_check_no_obj_freed(page_address(page), + PAGE_SIZE << order); + } +- arch_free_page(page, order); + if (want_init_on_free()) + kernel_init_free_pages(page, 1 << order); + + kernel_poison_pages(page, 1 << order, 0); ++ /* ++ * arch_free_page() can make the page's contents inaccessible. s390 ++ * does this. So nothing which can access the page's contents should ++ * happen after this. ++ */ ++ arch_free_page(page, order); ++ + if (debug_pagealloc_enabled()) + kernel_map_pages(page, 1 << order, 0); + diff --git a/queue-5.3/mm-vmpressure.c-fix-a-signedness-bug-in-vmpressure_register_event.patch b/queue-5.3/mm-vmpressure.c-fix-a-signedness-bug-in-vmpressure_register_event.patch new file mode 100644 index 00000000000..0ede587fc49 --- /dev/null +++ b/queue-5.3/mm-vmpressure.c-fix-a-signedness-bug-in-vmpressure_register_event.patch @@ -0,0 +1,91 @@ +From 518a86713078168acd67cf50bc0b45d54b4cce6c Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Sun, 6 Oct 2019 17:58:28 -0700 +Subject: mm/vmpressure.c: fix a signedness bug in vmpressure_register_event() + +From: Dan Carpenter + +commit 518a86713078168acd67cf50bc0b45d54b4cce6c upstream. + +The "mode" and "level" variables are enums and in this context GCC will +treat them as unsigned ints so the error handling is never triggered. + +I also removed the bogus initializer because it isn't required any more +and it's sort of confusing. + +[akpm@linux-foundation.org: reduce implicit and explicit typecasting] +[akpm@linux-foundation.org: fix return value, add comment, per Matthew] +Link: http://lkml.kernel.org/r/20190925110449.GO3264@mwanda +Fixes: 3cadfa2b9497 ("mm/vmpressure.c: convert to use match_string() helper") +Signed-off-by: Dan Carpenter +Reviewed-by: Andy Shevchenko +Acked-by: David Rientjes +Reviewed-by: Matthew Wilcox +Cc: Greg Kroah-Hartman +Cc: Thomas Gleixner +Cc: Enrico Weigelt +Cc: Kate Stewart +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/vmpressure.c | 20 +++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +--- a/mm/vmpressure.c ++++ b/mm/vmpressure.c +@@ -355,6 +355,9 @@ void vmpressure_prio(gfp_t gfp, struct m + * "hierarchy" or "local"). + * + * To be used as memcg event method. ++ * ++ * Return: 0 on success, -ENOMEM on memory failure or -EINVAL if @args could ++ * not be parsed. + */ + int vmpressure_register_event(struct mem_cgroup *memcg, + struct eventfd_ctx *eventfd, const char *args) +@@ -362,7 +365,7 @@ int vmpressure_register_event(struct mem + struct vmpressure *vmpr = memcg_to_vmpressure(memcg); + struct vmpressure_event *ev; + enum vmpressure_modes mode = VMPRESSURE_NO_PASSTHROUGH; +- enum vmpressure_levels level = -1; ++ enum vmpressure_levels level; + char *spec, *spec_orig; + char *token; + int ret = 0; +@@ -375,20 +378,18 @@ int vmpressure_register_event(struct mem + + /* Find required level */ + token = strsep(&spec, ","); +- level = match_string(vmpressure_str_levels, VMPRESSURE_NUM_LEVELS, token); +- if (level < 0) { +- ret = level; ++ ret = match_string(vmpressure_str_levels, VMPRESSURE_NUM_LEVELS, token); ++ if (ret < 0) + goto out; +- } ++ level = ret; + + /* Find optional mode */ + token = strsep(&spec, ","); + if (token) { +- mode = match_string(vmpressure_str_modes, VMPRESSURE_NUM_MODES, token); +- if (mode < 0) { +- ret = mode; ++ ret = match_string(vmpressure_str_modes, VMPRESSURE_NUM_MODES, token); ++ if (ret < 0) + goto out; +- } ++ mode = ret; + } + + ev = kzalloc(sizeof(*ev), GFP_KERNEL); +@@ -404,6 +405,7 @@ int vmpressure_register_event(struct mem + mutex_lock(&vmpr->events_lock); + list_add(&ev->node, &vmpr->events); + mutex_unlock(&vmpr->events_lock); ++ ret = 0; + out: + kfree(spec_orig); + return ret; diff --git a/queue-5.3/mm-z3fold.c-claim-page-in-the-beginning-of-free.patch b/queue-5.3/mm-z3fold.c-claim-page-in-the-beginning-of-free.patch new file mode 100644 index 00000000000..f346bc930fb --- /dev/null +++ b/queue-5.3/mm-z3fold.c-claim-page-in-the-beginning-of-free.patch @@ -0,0 +1,91 @@ +From 5b6807de11445c05b537df8324f5d7ab1c2782f9 Mon Sep 17 00:00:00 2001 +From: Vitaly Wool +Date: Sun, 6 Oct 2019 17:58:22 -0700 +Subject: mm/z3fold.c: claim page in the beginning of free + +From: Vitaly Wool + +commit 5b6807de11445c05b537df8324f5d7ab1c2782f9 upstream. + +There's a really hard to reproduce race in z3fold between z3fold_free() +and z3fold_reclaim_page(). z3fold_reclaim_page() can claim the page +after z3fold_free() has checked if the page was claimed and +z3fold_free() will then schedule this page for compaction which may in +turn lead to random page faults (since that page would have been +reclaimed by then). + +Fix that by claiming page in the beginning of z3fold_free() and not +forgetting to clear the claim in the end. + +[vitalywool@gmail.com: v2] + Link: http://lkml.kernel.org/r/20190928113456.152742cf@bigdell +Link: http://lkml.kernel.org/r/20190926104844.4f0c6efa1366b8f5741eaba9@gmail.com +Signed-off-by: Vitaly Wool +Reported-by: Markus Linnala +Cc: Dan Streetman +Cc: Vlastimil Babka +Cc: Henry Burns +Cc: Shakeel Butt +Cc: Markus Linnala +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/z3fold.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/mm/z3fold.c ++++ b/mm/z3fold.c +@@ -998,9 +998,11 @@ static void z3fold_free(struct z3fold_po + struct z3fold_header *zhdr; + struct page *page; + enum buddy bud; ++ bool page_claimed; + + zhdr = handle_to_z3fold_header(handle); + page = virt_to_page(zhdr); ++ page_claimed = test_and_set_bit(PAGE_CLAIMED, &page->private); + + if (test_bit(PAGE_HEADLESS, &page->private)) { + /* if a headless page is under reclaim, just leave. +@@ -1008,7 +1010,7 @@ static void z3fold_free(struct z3fold_po + * has not been set before, we release this page + * immediately so we don't care about its value any more. + */ +- if (!test_and_set_bit(PAGE_CLAIMED, &page->private)) { ++ if (!page_claimed) { + spin_lock(&pool->lock); + list_del(&page->lru); + spin_unlock(&pool->lock); +@@ -1044,13 +1046,15 @@ static void z3fold_free(struct z3fold_po + atomic64_dec(&pool->pages_nr); + return; + } +- if (test_bit(PAGE_CLAIMED, &page->private)) { ++ if (page_claimed) { ++ /* the page has not been claimed by us */ + z3fold_page_unlock(zhdr); + return; + } + if (unlikely(PageIsolated(page)) || + test_and_set_bit(NEEDS_COMPACTING, &page->private)) { + z3fold_page_unlock(zhdr); ++ clear_bit(PAGE_CLAIMED, &page->private); + return; + } + if (zhdr->cpu < 0 || !cpu_online(zhdr->cpu)) { +@@ -1060,10 +1064,12 @@ static void z3fold_free(struct z3fold_po + zhdr->cpu = -1; + kref_get(&zhdr->refcount); + do_compact_page(zhdr, true); ++ clear_bit(PAGE_CLAIMED, &page->private); + return; + } + kref_get(&zhdr->refcount); + queue_work_on(zhdr->cpu, pool->compact_wq, &zhdr->work); ++ clear_bit(PAGE_CLAIMED, &page->private); + z3fold_page_unlock(zhdr); + } + diff --git a/queue-5.3/perf-inject-jit-fix-jit_code_move-filename.patch b/queue-5.3/perf-inject-jit-fix-jit_code_move-filename.patch new file mode 100644 index 00000000000..68683bef3e4 --- /dev/null +++ b/queue-5.3/perf-inject-jit-fix-jit_code_move-filename.patch @@ -0,0 +1,73 @@ +From b59711e9b0d22fd47abfa00602fd8c365cdd3ab7 Mon Sep 17 00:00:00 2001 +From: Steve MacLean +Date: Sat, 28 Sep 2019 01:41:18 +0000 +Subject: perf inject jit: Fix JIT_CODE_MOVE filename + +From: Steve MacLean + +commit b59711e9b0d22fd47abfa00602fd8c365cdd3ab7 upstream. + +During perf inject --jit, JIT_CODE_MOVE records were injecting MMAP records +with an incorrect filename. Specifically it was missing the ".so" suffix. + +Further the JIT_CODE_LOAD record were silently truncating the +jr->load.code_index field to 32 bits before generating the filename. + +Make both records emit the same filename based on the full 64 bit +code_index field. + +Fixes: 9b07e27f88b9 ("perf inject: Add jitdump mmap injection support") +Cc: stable@vger.kernel.org # v4.6+ +Signed-off-by: Steve MacLean +Acked-by: Jiri Olsa +Cc: Alexander Shishkin +Cc: Andi Kleen +Cc: Brian Robbins +Cc: Davidlohr Bueso +Cc: Eric Saint-Etienne +Cc: John Keeping +Cc: John Salem +Cc: Leo Yan +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Song Liu +Cc: Stephane Eranian +Cc: Tom McDonald +Link: http://lore.kernel.org/lkml/BN8PR21MB1362FF8F127B31DBF4121528F7800@BN8PR21MB1362.namprd21.prod.outlook.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman + +--- + tools/perf/util/jitdump.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/tools/perf/util/jitdump.c ++++ b/tools/perf/util/jitdump.c +@@ -396,7 +396,7 @@ static int jit_repipe_code_load(struct j + size_t size; + u16 idr_size; + const char *sym; +- uint32_t count; ++ uint64_t count; + int ret, csize, usize; + pid_t pid, tid; + struct { +@@ -419,7 +419,7 @@ static int jit_repipe_code_load(struct j + return -1; + + filename = event->mmap2.filename; +- size = snprintf(filename, PATH_MAX, "%s/jitted-%d-%u.so", ++ size = snprintf(filename, PATH_MAX, "%s/jitted-%d-%" PRIu64 ".so", + jd->dir, + pid, + count); +@@ -530,7 +530,7 @@ static int jit_repipe_code_move(struct j + return -1; + + filename = event->mmap2.filename; +- size = snprintf(filename, PATH_MAX, "%s/jitted-%d-%"PRIu64, ++ size = snprintf(filename, PATH_MAX, "%s/jitted-%d-%" PRIu64 ".so", + jd->dir, + pid, + jr->move.code_index); diff --git a/queue-5.3/perf-llvm-don-t-access-out-of-scope-array.patch b/queue-5.3/perf-llvm-don-t-access-out-of-scope-array.patch new file mode 100644 index 00000000000..392134731ac --- /dev/null +++ b/queue-5.3/perf-llvm-don-t-access-out-of-scope-array.patch @@ -0,0 +1,55 @@ +From 7d4c85b7035eb2f9ab217ce649dcd1bfaf0cacd3 Mon Sep 17 00:00:00 2001 +From: Ian Rogers +Date: Thu, 26 Sep 2019 15:00:18 -0700 +Subject: perf llvm: Don't access out-of-scope array + +From: Ian Rogers + +commit 7d4c85b7035eb2f9ab217ce649dcd1bfaf0cacd3 upstream. + +The 'test_dir' variable is assigned to the 'release' array which is +out-of-scope 3 lines later. + +Extend the scope of the 'release' array so that an out-of-scope array +isn't accessed. + +Bug detected by clang's address sanitizer. + +Fixes: 07bc5c699a3d ("perf tools: Make fetch_kernel_version() publicly available") +Cc: stable@vger.kernel.org # v4.4+ +Signed-off-by: Ian Rogers +Cc: Alexander Shishkin +Cc: Andi Kleen +Cc: Jiri Olsa +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: Wang Nan +Link: http://lore.kernel.org/lkml/20190926220018.25402-1-irogers@google.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman + +--- + tools/perf/util/llvm-utils.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/tools/perf/util/llvm-utils.c ++++ b/tools/perf/util/llvm-utils.c +@@ -231,14 +231,14 @@ static int detect_kbuild_dir(char **kbui + const char *prefix_dir = ""; + const char *suffix_dir = ""; + ++ /* _UTSNAME_LENGTH is 65 */ ++ char release[128]; ++ + char *autoconf_path; + + int err; + + if (!test_dir) { +- /* _UTSNAME_LENGTH is 65 */ +- char release[128]; +- + err = fetch_kernel_version(NULL, release, + sizeof(release)); + if (err) diff --git a/queue-5.3/selinux-fix-context-string-corruption-in-convert_context.patch b/queue-5.3/selinux-fix-context-string-corruption-in-convert_context.patch new file mode 100644 index 00000000000..f56216c704f --- /dev/null +++ b/queue-5.3/selinux-fix-context-string-corruption-in-convert_context.patch @@ -0,0 +1,59 @@ +From 2a5243937c700ffe6a28e6557a4562a9ab0a17a4 Mon Sep 17 00:00:00 2001 +From: Ondrej Mosnacek +Date: Thu, 3 Oct 2019 15:59:22 +0200 +Subject: selinux: fix context string corruption in convert_context() + +From: Ondrej Mosnacek + +commit 2a5243937c700ffe6a28e6557a4562a9ab0a17a4 upstream. + +string_to_context_struct() may garble the context string, so we need to +copy back the contents again from the old context struct to avoid +storing the corrupted context. + +Since string_to_context_struct() tokenizes (and therefore truncates) the +context string and we are later potentially copying it with kstrdup(), +this may eventually cause pieces of uninitialized kernel memory to be +disclosed to userspace (when copying to userspace based on the stored +length and not the null character). + +How to reproduce on Fedora and similar: + # dnf install -y memcached + # systemctl start memcached + # semodule -d memcached + # load_policy + # load_policy + # systemctl stop memcached + # ausearch -m AVC + type=AVC msg=audit(1570090572.648:313): avc: denied { signal } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process permissive=0 trawcon=73797374656D5F75007400000000000070BE6E847296FFFF726F6D000096FFFF76 + +Cc: stable@vger.kernel.org +Reported-by: Milos Malik +Fixes: ee1a84fdfeed ("selinux: overhaul sidtab to fix bug and improve performance") +Signed-off-by: Ondrej Mosnacek +Acked-by: Stephen Smalley +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman + +--- + security/selinux/ss/services.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/security/selinux/ss/services.c ++++ b/security/selinux/ss/services.c +@@ -1946,7 +1946,14 @@ static int convert_context(struct contex + rc = string_to_context_struct(args->newp, NULL, s, + newc, SECSID_NULL); + if (rc == -EINVAL) { +- /* Retain string representation for later mapping. */ ++ /* ++ * Retain string representation for later mapping. ++ * ++ * IMPORTANT: We need to copy the contents of oldc->str ++ * back into s again because string_to_context_struct() ++ * may have garbled it. ++ */ ++ memcpy(s, oldc->str, oldc->len); + context_init(newc); + newc->str = s; + newc->len = oldc->len; diff --git a/queue-5.3/series b/queue-5.3/series index bed52f23130..40652ad3ae9 100644 --- a/queue-5.3/series +++ b/queue-5.3/series @@ -54,3 +54,27 @@ iio-adc-ad799x-fix-probe-error-handling.patch iio-adc-axp288-override-ts-pin-bias-current-for-some-models.patch iio-adc-stm32-adc-move-registers-definitions.patch iio-adc-stm32-adc-fix-a-race-when-using-several-adcs-with-dma-and-irq.patch +iio-light-opt3001-fix-mutex-unlock-race.patch +iio-light-add-missing-vcnl4040-of_compatible.patch +iio-accel-adxl372-fix-remove-limitation-for-fifo-samples.patch +iio-accel-adxl372-fix-push-to-buffers-lost-samples.patch +iio-accel-adxl372-perform-a-reset-at-start-up.patch +efivar-ssdt-don-t-iterate-over-efi-vars-if-no-ssdt-override-was-specified.patch +efi-tpm-don-t-access-event-count-when-it-isn-t-mapped.patch +efi-tpm-don-t-traverse-an-event-log-with-no-events.patch +efi-tpm-only-set-efi_tpm_final_log_size-after-successful-event-log-parsing.patch +perf-llvm-don-t-access-out-of-scope-array.patch +perf-inject-jit-fix-jit_code_move-filename.patch +drm-i915-perform-ggtt-restore-much-earlier-during-resume.patch +blk-wbt-fix-performance-regression-in-wbt-scale_up-scale_down.patch +selinux-fix-context-string-corruption-in-convert_context.patch +io_uring-only-flush-workqueues-on-fileset-removal.patch +cifs-gracefully-handle-queryinfo-errors-during-open.patch +cifs-force-revalidate-inode-when-dentry-is-stale.patch +cifs-force-reval-dentry-if-lookup_reval-flag-is-set.patch +cifs-use-cifsinodeinfo-open_file_lock-while-iterating-to-avoid-a-panic.patch +kernel-sysctl.c-do-not-override-max_threads-provided-by-userspace.patch +mm-z3fold.c-claim-page-in-the-beginning-of-free.patch +mm-page_alloc.c-fix-a-crash-in-free_pages_prepare.patch +mm-vmpressure.c-fix-a-signedness-bug-in-vmpressure_register_event.patch +ib-core-fix-wrong-iterating-on-ports.patch -- 2.47.2