From 962099336f48979a30a69d048eec2af92f71cce2 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Mon, 15 Jul 2019 10:53:04 -0400 Subject: [PATCH] fixes for 4.19 
Signed-off-by: Sasha Levin --- ...lised-spinlock-afs_volume-cb_break_l.patch | 95 ++++++++++++ ...ini-fix-up-dns-313-compatible-string.patch | 32 ++++ ...rm-dts-imx6ul-fix-pwm-1-4-interrupts.patch | 66 ++++++++ ...2-remove-incorrect-__init-annotation.patch | 45 ++++++ ...k-failure-after-ethtool-offline-test.patch | 81 ++++++++++ ...trl-fix-returning-uninitialized-data.patch | 63 ++++++++ ...out-of-bounds-read-when-setting-fail.patch | 72 +++++++++ ...opy-from-a-null-pointer-in-realloc_a.patch | 51 ++++++ ...ssage-limit-for-data-block-corruptio.patch | 35 +++++ ...grt-status-field-reserved-bits-check.patch | 45 ++++++ ...y-add-another-quirk-for-pixart-mouse.patch | 52 +++++++ ...dd-pointstick-support-for-alps-touch.patch | 50 ++++++ ...ts-fix-command-queue-pointer-compari.patch | 146 ++++++++++++++++++ ....h-fix-overflow-for-div_round_up_ull.patch | 43 ++++++ ...e-fix-perf_sample_regs_user-mm-check.patch | 52 +++++++ ...-fix-add_data-and-irqchip_add_nested.patch | 70 +++++++++ ...-ignore-interrupts-that-are-wake-onl.patch | 75 +++++++++ ...tek-update-cur_mask-in-mask-mask-ops.patch | 99 ++++++++++++ queue-4.19/ppp-mppe-add-softdep-to-arc4.patch | 34 ++++ queue-4.19/series | 23 +++ queue-4.19/sis900-fix-tx-completion.patch | 117 ++++++++++++++ ...eger-overflow-on-10-bit-left-shift-o.patch | 41 +++++ ...missing-fixup_pointer-for-next_early.patch | 47 ++++++ ...crash-if-kernel-image-crosses-page-t.patch | 89 +++++++++++ 24 files changed, 1523 insertions(+) create mode 100644 queue-4.19/afs-fix-uninitialised-spinlock-afs_volume-cb_break_l.patch create mode 100644 queue-4.19/arm-dts-gemini-fix-up-dns-313-compatible-string.patch create mode 100644 queue-4.19/arm-dts-imx6ul-fix-pwm-1-4-interrupts.patch create mode 100644 queue-4.19/arm-omap2-remove-incorrect-__init-annotation.patch create mode 100644 queue-4.19/be2net-fix-link-failure-after-ethtool-offline-test.patch create mode 100644 queue-4.19/clk-ti-clkctrl-fix-returning-uninitialized-data.patch create mode 100644 
queue-4.19/cpu-hotplug-fix-out-of-bounds-read-when-setting-fail.patch create mode 100644 queue-4.19/dm-table-don-t-copy-from-a-null-pointer-in-realloc_a.patch create mode 100644 queue-4.19/dm-verity-use-message-limit-for-data-block-corruptio.patch create mode 100644 queue-4.19/efi-bgrt-drop-bgrt-status-field-reserved-bits-check.patch create mode 100644 queue-4.19/hid-chicony-add-another-quirk-for-pixart-mouse.patch create mode 100644 queue-4.19/hid-multitouch-add-pointstick-support-for-alps-touch.patch create mode 100644 queue-4.19/irqchip-gic-v3-its-fix-command-queue-pointer-compari.patch create mode 100644 queue-4.19/linux-kernel.h-fix-overflow-for-div_round_up_ull.patch create mode 100644 queue-4.19/perf-core-fix-perf_sample_regs_user-mm-check.patch create mode 100644 queue-4.19/pinctrl-mcp23s08-fix-add_data-and-irqchip_add_nested.patch create mode 100644 queue-4.19/pinctrl-mediatek-ignore-interrupts-that-are-wake-onl.patch create mode 100644 queue-4.19/pinctrl-mediatek-update-cur_mask-in-mask-mask-ops.patch create mode 100644 queue-4.19/ppp-mppe-add-softdep-to-arc4.patch create mode 100644 queue-4.19/sis900-fix-tx-completion.patch create mode 100644 queue-4.19/x86-apic-fix-integer-overflow-on-10-bit-left-shift-o.patch create mode 100644 queue-4.19/x86-boot-64-add-missing-fixup_pointer-for-next_early.patch create mode 100644 queue-4.19/x86-boot-64-fix-crash-if-kernel-image-crosses-page-t.patch diff --git a/queue-4.19/afs-fix-uninitialised-spinlock-afs_volume-cb_break_l.patch b/queue-4.19/afs-fix-uninitialised-spinlock-afs_volume-cb_break_l.patch new file mode 100644 index 00000000000..c23e19614bd --- /dev/null +++ b/queue-4.19/afs-fix-uninitialised-spinlock-afs_volume-cb_break_l.patch 
@@ -0,0 +1,95 @@ +From 311da7a4b894422e02bed58fc828cfa54a7f6e06 Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Thu, 20 Jun 2019 16:49:35 +0100 +Subject: afs: Fix uninitialised spinlock afs_volume::cb_break_lock + +[ Upstream commit 90fa9b64523a645a97edc0bdcf2d74759957eeee ] + +Fix the cb_break_lock spinlock in afs_volume struct by initialising it when +the volume record is allocated. + +Also rename the lock to cb_v_break_lock to distinguish it from the lock of +the same name in the afs_server struct. + +Without this, the following trace may be observed when a volume-break +callback is received: + + INFO: trying to register non-static key. + the code is fine but needs lockdep annotation. + turning off the locking correctness validator. + CPU: 2 PID: 50 Comm: kworker/2:1 Not tainted 5.2.0-rc1-fscache+ #3045 + Hardware name: ASUS All Series/H97-PLUS, BIOS 2306 10/09/2014 + Workqueue: afs SRXAFSCB_CallBack + Call Trace: + dump_stack+0x67/0x8e + register_lock_class+0x23b/0x421 + ? check_usage_forwards+0x13c/0x13c + __lock_acquire+0x89/0xf73 + lock_acquire+0x13b/0x166 + ? afs_break_callbacks+0x1b2/0x3dd + _raw_write_lock+0x2c/0x36 + ? afs_break_callbacks+0x1b2/0x3dd + afs_break_callbacks+0x1b2/0x3dd + ? trace_event_raw_event_afs_server+0x61/0xac + SRXAFSCB_CallBack+0x11f/0x16c + process_one_work+0x2c5/0x4ee + ? worker_thread+0x234/0x2ac + worker_thread+0x1d8/0x2ac + ? cancel_delayed_work_sync+0xf/0xf + kthread+0x11f/0x127 + ? 
kthread_park+0x76/0x76 + ret_from_fork+0x24/0x30 + +Fixes: 68251f0a6818 ("afs: Fix whole-volume callback handling") +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +--- + fs/afs/callback.c | 4 ++-- + fs/afs/internal.h | 2 +- + fs/afs/volume.c | 1 + + 3 files changed, 4 insertions(+), 3 deletions(-) + +diff --git a/fs/afs/callback.c b/fs/afs/callback.c +index 5f261fbf2182..4ad701250299 100644 +--- a/fs/afs/callback.c ++++ b/fs/afs/callback.c +@@ -276,9 +276,9 @@ static void afs_break_one_callback(struct afs_server *server, + struct afs_super_info *as = AFS_FS_S(cbi->sb); + struct afs_volume *volume = as->volume; + +- write_lock(&volume->cb_break_lock); ++ write_lock(&volume->cb_v_break_lock); + volume->cb_v_break++; +- write_unlock(&volume->cb_break_lock); ++ write_unlock(&volume->cb_v_break_lock); + } else { + data.volume = NULL; + data.fid = *fid; +diff --git a/fs/afs/internal.h b/fs/afs/internal.h +index 34c02fdcc25f..aea19614c082 100644 +--- a/fs/afs/internal.h ++++ b/fs/afs/internal.h +@@ -477,7 +477,7 @@ struct afs_volume { + unsigned int servers_seq; /* Incremented each time ->servers changes */ + + unsigned cb_v_break; /* Break-everything counter. */ +- rwlock_t cb_break_lock; ++ rwlock_t cb_v_break_lock; + + afs_voltype_t type; /* type of volume */ + short error; +diff --git a/fs/afs/volume.c b/fs/afs/volume.c +index 3037bd01f617..5ec186ec5651 100644 +--- a/fs/afs/volume.c ++++ b/fs/afs/volume.c +@@ -47,6 +47,7 @@ static struct afs_volume *afs_alloc_volume(struct afs_mount_params *params, + atomic_set(&volume->usage, 1); + INIT_LIST_HEAD(&volume->proc_link); + rwlock_init(&volume->servers_lock); ++ rwlock_init(&volume->cb_v_break_lock); + memcpy(volume->name, vldb->name, vldb->name_len + 1); + + slist = afs_alloc_server_list(params->cell, params->key, vldb, type_mask); +-- +2.20.1 + 
diff --git a/queue-4.19/arm-dts-gemini-fix-up-dns-313-compatible-string.patch b/queue-4.19/arm-dts-gemini-fix-up-dns-313-compatible-string.patch new file mode 100644 index 00000000000..82838353bb0 --- /dev/null +++ b/queue-4.19/arm-dts-gemini-fix-up-dns-313-compatible-string.patch @@ -0,0 +1,32 @@ +From 935471713b59c24bd874fc2a6327698da712b290 Mon Sep 17 00:00:00 2001 +From: Linus Walleij +Date: Sun, 16 Jun 2019 23:40:13 +0200 +Subject: ARM: dts: gemini Fix up DNS-313 compatible string + +[ Upstream commit 36558020128b1a48b7bddd5792ee70e3f64b04b0 ] + +It's a simple typo in the DNS file, which was pretty serious. +No scripts were working properly. Fix it up. + +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/gemini-dlink-dns-313.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/gemini-dlink-dns-313.dts b/arch/arm/boot/dts/gemini-dlink-dns-313.dts +index d1329322b968..361dccd6c7ee 100644 +--- a/arch/arm/boot/dts/gemini-dlink-dns-313.dts ++++ b/arch/arm/boot/dts/gemini-dlink-dns-313.dts +@@ -11,7 +11,7 @@ + + / { + model = "D-Link DNS-313 1-Bay Network Storage Enclosure"; +- compatible = "dlink,dir-313", "cortina,gemini"; ++ compatible = "dlink,dns-313", "cortina,gemini"; + #address-cells = <1>; + #size-cells = <1>; + +-- +2.20.1 + diff --git a/queue-4.19/arm-dts-imx6ul-fix-pwm-1-4-interrupts.patch b/queue-4.19/arm-dts-imx6ul-fix-pwm-1-4-interrupts.patch new file mode 100644 index 00000000000..1fd631102c0 --- /dev/null +++ b/queue-4.19/arm-dts-imx6ul-fix-pwm-1-4-interrupts.patch 
@@ -0,0 +1,66 @@ +From ffb645f774de4e5456329fbb987ff81ca7930960 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?S=C3=A9bastien=20Szymanski?= + +Date: Tue, 18 Jun 2019 17:58:34 +0200 +Subject: ARM: dts: imx6ul: fix PWM[1-4] interrupts +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 3cf10132ac8d536565f2c02f60a3aeb315863a52 ] + +According to the i.MX6UL/L RM, table 3.1 "ARM Cortex A7 domain interrupt +summary", the interrupts for the PWM[1-4] go from 83 to 86. + +Fixes: b9901fe84f02 ("ARM: dts: imx6ul: add pwm[1-4] nodes") +Signed-off-by: Sébastien Szymanski +Reviewed-by: Fabio Estevam +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx6ul.dtsi | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/arm/boot/dts/imx6ul.dtsi b/arch/arm/boot/dts/imx6ul.dtsi +index 2366f093cc76..336cdead3da5 100644 +--- a/arch/arm/boot/dts/imx6ul.dtsi ++++ b/arch/arm/boot/dts/imx6ul.dtsi +@@ -359,7 +359,7 @@ + pwm1: pwm@2080000 { + compatible = "fsl,imx6ul-pwm", "fsl,imx27-pwm"; + reg = <0x02080000 0x4000>; +- interrupts = ; ++ interrupts = ; + clocks = <&clks IMX6UL_CLK_PWM1>, + <&clks IMX6UL_CLK_PWM1>; + clock-names = "ipg", "per"; +@@ -370,7 +370,7 @@ + pwm2: pwm@2084000 { + compatible = "fsl,imx6ul-pwm", "fsl,imx27-pwm"; + reg = <0x02084000 0x4000>; +- interrupts = ; ++ interrupts = ; + clocks = <&clks IMX6UL_CLK_PWM2>, + <&clks IMX6UL_CLK_PWM2>; + clock-names = "ipg", "per"; +@@ -381,7 +381,7 @@ + pwm3: pwm@2088000 { + compatible = "fsl,imx6ul-pwm", "fsl,imx27-pwm"; + reg = <0x02088000 0x4000>; +- interrupts = ; ++ interrupts = ; + clocks = <&clks IMX6UL_CLK_PWM3>, + <&clks IMX6UL_CLK_PWM3>; + clock-names = "ipg", "per"; +@@ -392,7 +392,7 @@ + pwm4: pwm@208c000 { + compatible = "fsl,imx6ul-pwm", "fsl,imx27-pwm"; + reg = <0x0208c000 0x4000>; +- interrupts = ; ++ interrupts = ; + clocks = <&clks IMX6UL_CLK_PWM4>, + <&clks IMX6UL_CLK_PWM4>; + clock-names = "ipg", 
"per"; +-- +2.20.1 + diff --git a/queue-4.19/arm-omap2-remove-incorrect-__init-annotation.patch b/queue-4.19/arm-omap2-remove-incorrect-__init-annotation.patch new file mode 100644 index 00000000000..824719be72c --- /dev/null +++ b/queue-4.19/arm-omap2-remove-incorrect-__init-annotation.patch 
@@ -0,0 +1,45 @@
+From bed89a390cba803f3a4b51da06966c6633a2c539 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann
+Date: Wed, 19 Jun 2019 15:04:54 +0200
+Subject: ARM: omap2: remove incorrect __init annotation
+
+[ Upstream commit 27e23d8975270df6999f8b5b3156fc0c04927451 ]
+
+omap3xxx_prm_enable_io_wakeup() is marked __init, but its caller is not, so
+we get a warning with clang-8:
+
+WARNING: vmlinux.o(.text+0x343c8): Section mismatch in reference from the function omap3xxx_prm_late_init() to the function .init.text:omap3xxx_prm_enable_io_wakeup()
+The function omap3xxx_prm_late_init() references
+the function __init omap3xxx_prm_enable_io_wakeup().
+This is often because omap3xxx_prm_late_init lacks a __init
+annotation or the annotation of omap3xxx_prm_enable_io_wakeup is wrong.
+
+When building with gcc, omap3xxx_prm_enable_io_wakeup() is always
+inlined, so we never noticed in the past.
+
+Signed-off-by: Arnd Bergmann
+Reviewed-by: Nathan Chancellor
+Acked-by: Tony Lindgren
+Reviewed-by: Andrew Murray
+Signed-off-by: Olof Johansson
+Signed-off-by: Sasha Levin
+---
+ arch/arm/mach-omap2/prm3xxx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/mach-omap2/prm3xxx.c b/arch/arm/mach-omap2/prm3xxx.c
+index 05858f966f7d..dfa65fc2c82b 100644
+--- a/arch/arm/mach-omap2/prm3xxx.c
++++ b/arch/arm/mach-omap2/prm3xxx.c
+@@ -433,7 +433,7 @@ static void omap3_prm_reconfigure_io_chain(void)
+ * registers, and omap3xxx_prm_reconfigure_io_chain() must be called.
+ * No return value.
+ */
+-static void __init omap3xxx_prm_enable_io_wakeup(void)
++static void omap3xxx_prm_enable_io_wakeup(void)
+ {
+ if (prm_features & PRM_HAS_IO_WAKEUP)
+ omap2_prm_set_mod_reg_bits(OMAP3430_EN_IO_MASK, WKUP_MOD,
+--
+2.20.1
+
diff --git a/queue-4.19/be2net-fix-link-failure-after-ethtool-offline-test.patch b/queue-4.19/be2net-fix-link-failure-after-ethtool-offline-test.patch
new file mode 100644
index 00000000000..e3c7bffe2af
--- /dev/null
+++ b/queue-4.19/be2net-fix-link-failure-after-ethtool-offline-test.patch 
@@ -0,0 +1,81 @@
+From 6b28814f30c325dfd5e1e2153c6c8f35a10ae2a9 Mon Sep 17 00:00:00 2001
+From: Petr Oros
+Date: Wed, 19 Jun 2019 14:29:42 +0200
+Subject: be2net: fix link failure after ethtool offline test
+
+[ Upstream commit 2e5db6eb3c23e5dc8171eb8f6af7a97ef9fcf3a9 ]
+
+Certain cards in conjunction with certain switches need a little more
+time for link setup that results in ethtool link test failure after
+offline test. Patch adds a loop that waits for a link setup finish.
+
+Changes in v2:
+- added fixes header
+
+Fixes: 4276e47e2d1c ("be2net: Add link test to list of ethtool self tests.")
+Signed-off-by: Petr Oros
+Reviewed-by: Ivan Vecera
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ .../net/ethernet/emulex/benet/be_ethtool.c | 28 +++++++++++++++----
+ 1 file changed, 22 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/emulex/benet/be_ethtool.c b/drivers/net/ethernet/emulex/benet/be_ethtool.c
+index bfb16a474490..d1905d50c26c 100644
+--- a/drivers/net/ethernet/emulex/benet/be_ethtool.c
++++ b/drivers/net/ethernet/emulex/benet/be_ethtool.c
+@@ -895,7 +895,7 @@ static void be_self_test(struct net_device *netdev, struct ethtool_test *test,
+ u64 *data)
+ {
+ struct be_adapter *adapter = netdev_priv(netdev);
+- int status;
++ int status, cnt;
+ u8 link_status = 0;
+
+ if (adapter->function_caps & BE_FUNCTION_CAPS_SUPER_NIC) {
+@@ -906,6 +906,9 @@ static void be_self_test(struct net_device *netdev, struct ethtool_test *test,
+
+ memset(data, 0, sizeof(u64) * ETHTOOL_TESTS_NUM);
+
++ /* check link status before offline tests */
++ link_status = netif_carrier_ok(netdev);
++
+ if (test->flags & ETH_TEST_FL_OFFLINE) {
+ if (be_loopback_test(adapter, BE_MAC_LOOPBACK, &data[0]) != 0)
+ test->flags |= ETH_TEST_FL_FAILED;
+@@ -926,13 +929,26 @@ static void be_self_test(struct net_device *netdev, struct ethtool_test *test,
+ test->flags |= ETH_TEST_FL_FAILED;
+ }
+
+- status = be_cmd_link_status_query(adapter, NULL, &link_status, 0);
+- if (status) {
+- test->flags |= ETH_TEST_FL_FAILED;
+- data[4] = -1;
+- } else if (!link_status) {
++ /* link status was down prior to test */
++ if (!link_status) {
+ test->flags |= ETH_TEST_FL_FAILED;
+ data[4] = 1;
++ return;
++ }
++
++ for (cnt = 10; cnt; cnt--) {
++ status = be_cmd_link_status_query(adapter, NULL, &link_status,
++ 0);
++ if (status) {
++ test->flags |= ETH_TEST_FL_FAILED;
++ data[4] = -1;
++ break;
++ }
++
++ if (link_status)
++ break;
++
++ msleep_interruptible(500);
+ }
+ }
+
+--
+2.20.1
+
diff --git a/queue-4.19/clk-ti-clkctrl-fix-returning-uninitialized-data.patch b/queue-4.19/clk-ti-clkctrl-fix-returning-uninitialized-data.patch
new file mode 100644
index 00000000000..7820939e881
--- /dev/null
+++ b/queue-4.19/clk-ti-clkctrl-fix-returning-uninitialized-data.patch
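Review bot: In be_self_test() (drivers/net/ethernet/emulex/benet/be_ethtool.c) the new polling loop can run out of retries with link_status still zero, and nothing after the loop sets ETH_TEST_FL_FAILED or data[4], so a link that never comes back after the offline tests is reported as a pass. The counter is zero only on exhaustion, so `if (!cnt) { test->flags |= ETH_TEST_FL_FAILED; data[4] = 1; }` after the loop would restore the failure report that the removed `else if (!link_status)` branch gave. The return value of `msleep_interruptible(500)` is also ignored, so a pending signal presumably turns the intended wait into back-to-back queries. The function's signature begins outside the hunks shown.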
@@ -0,0 +1,63 @@
+From 2364e4e7e9deba70e860ee4326772e7daf095d72 Mon Sep 17 00:00:00 2001
+From: Tony Lindgren
+Date: Wed, 29 May 2019 23:55:57 -0700
+Subject: clk: ti: clkctrl: Fix returning uninitialized data
+
+[ Upstream commit 41b3588dba6ef4b7995735a97e47ff0aeea6c276 ]
+
+If we do a clk_get() for a clock that does not exists, we have
+_ti_omap4_clkctrl_xlate() return uninitialized data if no match
+is found. This can be seen in some cases with SLAB_DEBUG enabled:
+
+Unable to handle kernel paging request at virtual address 5a5a5a5a
+...
+clk_hw_create_clk.part.33
+sysc_notifier_call
+notifier_call_chain
+blocking_notifier_call_chain
+device_add
+
+Let's fix this by setting a found flag only when we find a match.
+
+Reported-by: Tomi Valkeinen
+Fixes: 88a172526c32 ("clk: ti: add support for clkctrl clocks")
+Signed-off-by: Tony Lindgren
+Tested-by: Peter Ujfalusi
+Tested-by: Tomi Valkeinen
+Signed-off-by: Stephen Boyd
+Signed-off-by: Sasha Levin
+---
+ drivers/clk/ti/clkctrl.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/ti/clkctrl.c b/drivers/clk/ti/clkctrl.c
+index ca3218337fd7..dfaa5aad0692 100644
+--- a/drivers/clk/ti/clkctrl.c
++++ b/drivers/clk/ti/clkctrl.c
+@@ -229,6 +229,7 @@ static struct clk_hw *_ti_omap4_clkctrl_xlate(struct of_phandle_args *clkspec,
+ {
+ struct omap_clkctrl_provider *provider = data;
+ struct omap_clkctrl_clk *entry;
++ bool found = false;
+
+ if (clkspec->args_count != 2)
+ return ERR_PTR(-EINVAL);
+@@ -238,11 +239,13 @@ static struct clk_hw *_ti_omap4_clkctrl_xlate(struct of_phandle_args *clkspec,
+
+ list_for_each_entry(entry, &provider->clocks, node) {
+ if (entry->reg_offset == clkspec->args[0] &&
+- entry->bit_offset == clkspec->args[1])
++ entry->bit_offset == clkspec->args[1]) {
++ found = true;
+ break;
++ }
+ }
+
+- if (!entry)
++ if (!found)
+ return ERR_PTR(-EINVAL);
+
+ return entry->clk;
+--
+2.20.1
+
diff --git a/queue-4.19/cpu-hotplug-fix-out-of-bounds-read-when-setting-fail.patch b/queue-4.19/cpu-hotplug-fix-out-of-bounds-read-when-setting-fail.patch new file mode 100644 index 00000000000..801d7f4beea --- /dev/null +++ b/queue-4.19/cpu-hotplug-fix-out-of-bounds-read-when-setting-fail.patch 
@@ -0,0 +1,72 @@
+From a082ce644bf8510664fba1a21bf47a3944dbb866 Mon Sep 17 00:00:00 2001
+From: Eiichi Tsukata
+Date: Thu, 27 Jun 2019 11:47:32 +0900
+Subject: cpu/hotplug: Fix out-of-bounds read when setting fail state
+
+[ Upstream commit 33d4a5a7a5b4d02915d765064b2319e90a11cbde ]
+
+Setting invalid value to /sys/devices/system/cpu/cpuX/hotplug/fail
+can control `struct cpuhp_step *sp` address, results in the following
+global-out-of-bounds read.
+
+Reproducer:
+
+ # echo -2 > /sys/devices/system/cpu/cpu0/hotplug/fail
+
+KASAN report:
+
+ BUG: KASAN: global-out-of-bounds in write_cpuhp_fail+0x2cd/0x2e0
+ Read of size 8 at addr ffffffff89734438 by task bash/1941
+
+ CPU: 0 PID: 1941 Comm: bash Not tainted 5.2.0-rc6+ #31
+ Call Trace:
+ write_cpuhp_fail+0x2cd/0x2e0
+ dev_attr_store+0x58/0x80
+ sysfs_kf_write+0x13d/0x1a0
+ kernfs_fop_write+0x2bc/0x460
+ vfs_write+0x1e1/0x560
+ ksys_write+0x126/0x250
+ do_syscall_64+0xc1/0x390
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+ RIP: 0033:0x7f05e4f4c970
+
+ The buggy address belongs to the variable:
+ cpu_hotplug_lock+0x98/0xa0
+
+ Memory state around the buggy address:
+ ffffffff89734300: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
+ ffffffff89734380: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
+ >ffffffff89734400: 00 00 00 00 fa fa fa fa 00 00 00 00 fa fa fa fa
+ ^
+ ffffffff89734480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ffffffff89734500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+
+Add a sanity check for the value written from user space.
+
+Fixes: 1db49484f21ed ("smp/hotplug: Hotplug state fail injection")
+Signed-off-by: Eiichi Tsukata
+Signed-off-by: Thomas Gleixner
+Cc: peterz@infradead.org
+Link: https://lkml.kernel.org/r/20190627024732.31672-1-devel@etsukata.com
+Signed-off-by: Sasha Levin
+---
+ kernel/cpu.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/kernel/cpu.c b/kernel/cpu.c
+index 46aefe5c0e35..d9f855cb9f6f 100644
+--- a/kernel/cpu.c
++++ b/kernel/cpu.c
+@@ -1925,6 +1925,9 @@ static ssize_t write_cpuhp_fail(struct device *dev,
+ if (ret)
+ return ret;
+
++ if (fail < CPUHP_OFFLINE || fail > CPUHP_ONLINE)
++ return -EINVAL;
++
+ /*
+ * Cannot fail STARTING/DYING callbacks.
+ */
+--
+2.20.1
+
diff --git a/queue-4.19/dm-table-don-t-copy-from-a-null-pointer-in-realloc_a.patch b/queue-4.19/dm-table-don-t-copy-from-a-null-pointer-in-realloc_a.patch
new file mode 100644
index 00000000000..15c76262b3a
--- /dev/null
+++ b/queue-4.19/dm-table-don-t-copy-from-a-null-pointer-in-realloc_a.patch
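Review bot: The range check added to write_cpuhp_fail() (kernel/cpu.c) is the only guard between a sysfs write and the state-table lookup the commit message describes, and its lower bound `fail < CPUHP_OFFLINE` rejects negative input only if `fail` is a signed type; the declaration and the parse call are outside the hunk, so that is worth confirming. A short comment on the check would keep it from being dropped in a later cleanup, for example `/* fail comes from user space and selects a hotplug state; reject anything outside the table */`. The function starts and ends outside the hunk.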
@@ -0,0 +1,51 @@
+From da6a7eb0031f92173281fee7c21a462659d2368f Mon Sep 17 00:00:00 2001
+From: Jerome Marchand
+Date: Wed, 12 Jun 2019 18:22:26 +0200
+Subject: dm table: don't copy from a NULL pointer in realloc_argv()
+
+[ Upstream commit a0651926553cfe7992166432e418987760882652 ]
+
+For the first call to realloc_argv() in dm_split_args(), old_argv is
+NULL and size is zero. Then memcpy is called, with the NULL old_argv
+as the source argument and a zero size argument. AFAIK, this is
+undefined behavior and generates the following warning when compiled
+with UBSAN on ppc64le:
+
+In file included from ./arch/powerpc/include/asm/paca.h:19,
+ from ./arch/powerpc/include/asm/current.h:16,
+ from ./include/linux/sched.h:12,
+ from ./include/linux/kthread.h:6,
+ from drivers/md/dm-core.h:12,
+ from drivers/md/dm-table.c:8:
+In function 'memcpy',
+ inlined from 'realloc_argv' at drivers/md/dm-table.c:565:3,
+ inlined from 'dm_split_args' at drivers/md/dm-table.c:588:9:
+./include/linux/string.h:345:9: error: argument 2 null where non-null expected [-Werror=nonnull]
+ return __builtin_memcpy(p, q, size);
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
+drivers/md/dm-table.c: In function 'dm_split_args':
+./include/linux/string.h:345:9: note: in a call to built-in function '__builtin_memcpy'
+
+Signed-off-by: Jerome Marchand
+Signed-off-by: Mike Snitzer
+Signed-off-by: Sasha Levin
+---
+ drivers/md/dm-table.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c
+index c7fe4789c40e..34ab30dd5de9 100644
+--- a/drivers/md/dm-table.c
++++ b/drivers/md/dm-table.c
+@@ -562,7 +562,7 @@ static char **realloc_argv(unsigned *size, char **old_argv)
+ gfp = GFP_NOIO;
+ }
+ argv = kmalloc_array(new_size, sizeof(*argv), gfp);
+- if (argv) {
++ if (argv && old_argv) {
+ memcpy(argv, old_argv, *size * sizeof(*argv));
+ *size = new_size;
+ }
+--
+2.20.1
+
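Review bot: In realloc_argv(), `*size = new_size;` now sits inside `if (argv && old_argv)`, so the first call, where the commit message says old_argv is NULL and size is zero, returns a fresh array but leaves *size at 0. The caller then holds a capacity that no longer matches the allocation; how dm_split_args() uses it is not visible here, but it looks like the next call would allocate again, copy zero entries and lose what was already stored. Guarding only the copy keeps the UBSAN fix without that side effect: `if (argv) { if (old_argv) memcpy(argv, old_argv, *size * sizeof(*argv)); *size = new_size; }`. The function starts and ends outside the hunk.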
diff --git a/queue-4.19/dm-verity-use-message-limit-for-data-block-corruptio.patch b/queue-4.19/dm-verity-use-message-limit-for-data-block-corruptio.patch
new file mode 100644
index 00000000000..6624e1f9a64
--- /dev/null
+++ b/queue-4.19/dm-verity-use-message-limit-for-data-block-corruptio.patch
@@ -0,0 +1,35 @@
+From 46fd64638ed91876c7ca030bdf89667edf94620b Mon Sep 17 00:00:00 2001
+From: Milan Broz
+Date: Thu, 20 Jun 2019 13:00:19 +0200
+Subject: dm verity: use message limit for data block corruption message
+
+[ Upstream commit 2eba4e640b2c4161e31ae20090a53ee02a518657 ]
+
+DM verity should also use DMERR_LIMIT to limit repeat data block
+corruption messages.
+
+Signed-off-by: Milan Broz
+Signed-off-by: Mike Snitzer
+Signed-off-by: Sasha Levin
+---
+ drivers/md/dm-verity-target.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/md/dm-verity-target.c b/drivers/md/dm-verity-target.c
+index fc65f0dedf7f..e3599b43f9eb 100644
+--- a/drivers/md/dm-verity-target.c
++++ b/drivers/md/dm-verity-target.c
+@@ -236,8 +236,8 @@ static int verity_handle_err(struct dm_verity *v, enum verity_block_type type,
+ BUG();
+ }
+
+- DMERR("%s: %s block %llu is corrupted", v->data_dev->name, type_str,
+- block);
++ DMERR_LIMIT("%s: %s block %llu is corrupted", v->data_dev->name,
++ type_str, block);
+
+ if (v->corrupted_errs == DM_VERITY_MAX_CORRUPTED_ERRS)
+ DMERR("%s: reached maximum errors", v->data_dev->name);
+--
+2.20.1
+
diff --git a/queue-4.19/efi-bgrt-drop-bgrt-status-field-reserved-bits-check.patch b/queue-4.19/efi-bgrt-drop-bgrt-status-field-reserved-bits-check.patch
new file mode 100644
index 00000000000..f5410c76a27
--- /dev/null
+++ b/queue-4.19/efi-bgrt-drop-bgrt-status-field-reserved-bits-check.patch
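Review bot: In verity_handle_err() (drivers/md/dm-verity-target.c) the per-block corruption message becomes `DMERR_LIMIT`, so the kernel log no longer carries one line per corrupted block, and nothing at the call site says so. A one-line comment above the call would warn anyone building monitoring on these messages, for example `/* rate-limited: the log may omit blocks; v->corrupted_errs presumably tracks the number of errors */`. The unchanged `DMERR("%s: reached maximum errors", ...)` just below is not rate-limited and still marks the threshold. The function starts and ends outside the hunk.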
@@ -0,0 +1,45 @@
+From 1c71c48e9bd7d4fc083e2f3d83bfe828190de668 Mon Sep 17 00:00:00 2001
+From: Hans de Goede
+Date: Wed, 29 May 2019 15:28:28 +0200
+Subject: efi/bgrt: Drop BGRT status field reserved bits check
+
+[ Upstream commit a483fcab38b43fb34a7f12ab1daadd3907f150e2 ]
+
+Starting with ACPI 6.2 bits 1 and 2 of the BGRT status field are no longer
+reserved. These bits are now used to indicate if the image needs to be
+rotated before being displayed.
+
+The first device using these bits has now shown up (the GPD MicroPC) and
+the reserved bits check causes us to reject the valid BGRT table on this
+device.
+
+Rather then changing the reserved bits check, allowing only the 2 new bits,
+instead just completely remove it so that we do not end up with a similar
+problem when more bits are added in the future.
+
+Signed-off-by: Hans de Goede
+Signed-off-by: Ard Biesheuvel
+Signed-off-by: Sasha Levin
+---
+ drivers/firmware/efi/efi-bgrt.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/drivers/firmware/efi/efi-bgrt.c b/drivers/firmware/efi/efi-bgrt.c
+index b22ccfb0c991..2bf4d31f4967 100644
+--- a/drivers/firmware/efi/efi-bgrt.c
++++ b/drivers/firmware/efi/efi-bgrt.c
+@@ -50,11 +50,6 @@ void __init efi_bgrt_init(struct acpi_table_header *table)
+ bgrt->version);
+ goto out;
+ }
+- if (bgrt->status & 0xfe) {
+- pr_notice("Ignoring BGRT: reserved status bits are non-zero %u\n",
+- bgrt->status);
+- goto out;
+- }
+ if (bgrt->image_type != 0) {
+ pr_notice("Ignoring BGRT: invalid image type %u (expected 0)\n",
+ bgrt->image_type);
+--
+2.20.1
+
diff --git a/queue-4.19/hid-chicony-add-another-quirk-for-pixart-mouse.patch b/queue-4.19/hid-chicony-add-another-quirk-for-pixart-mouse.patch
new file mode 100644
index 00000000000..1f981d259aa
--- /dev/null
+++ b/queue-4.19/hid-chicony-add-another-quirk-for-pixart-mouse.patch
@@ -0,0 +1,52 @@ +From 0c0c29a4e8e18c9b79dee9863c1e2d7963a56f58 Mon Sep 17 00:00:00 2001 +From: Oleksandr Natalenko +Date: Fri, 21 Jun 2019 11:17:36 +0200 +Subject: HID: chicony: add another quirk for PixArt mouse + +[ Upstream commit dcf768b0ac868630e7bdb6f2f1c9fe72788012fa ] + +I've spotted another Chicony PixArt mouse in the wild, which requires +HID_QUIRK_ALWAYS_POLL quirk, otherwise it disconnects each minute. + +USB ID of this device is 0x04f2:0x0939. + +We've introduced quirks like this for other models before, so lets add +this mouse too. + +Link: https://github.com/sriemer/fix-linux-mouse#usb-mouse-disconnectsreconnects-every-minute-on-linux +Signed-off-by: Oleksandr Natalenko +Acked-by: Sebastian Parschauer +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-ids.h | 1 + + drivers/hid/hid-quirks.c | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index 92452992b368..97b4ecab7c12 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -265,6 +265,7 @@ + #define USB_DEVICE_ID_CHICONY_MULTI_TOUCH 0xb19d + #define USB_DEVICE_ID_CHICONY_WIRELESS 0x0618 + #define USB_DEVICE_ID_CHICONY_PIXART_USB_OPTICAL_MOUSE 0x1053 ++#define USB_DEVICE_ID_CHICONY_PIXART_USB_OPTICAL_MOUSE2 0x0939 + #define USB_DEVICE_ID_CHICONY_WIRELESS2 0x1123 + #define USB_DEVICE_ID_ASUS_AK1D 0x1125 + #define USB_DEVICE_ID_CHICONY_ACER_SWITCH12 0x1421 +diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c +index 5892f1bd037e..91e86af44a04 100644 +--- a/drivers/hid/hid-quirks.c ++++ b/drivers/hid/hid-quirks.c +@@ -45,6 +45,7 @@ static const struct hid_device_id hid_quirks[] = { + { HID_USB_DEVICE(USB_VENDOR_ID_ATEN, USB_DEVICE_ID_ATEN_UC100KM), HID_QUIRK_NOGET }, + { HID_USB_DEVICE(USB_VENDOR_ID_CHICONY, USB_DEVICE_ID_CHICONY_MULTI_TOUCH), HID_QUIRK_MULTI_INPUT }, + { HID_USB_DEVICE(USB_VENDOR_ID_CHICONY, USB_DEVICE_ID_CHICONY_PIXART_USB_OPTICAL_MOUSE), HID_QUIRK_ALWAYS_POLL }, ++ { 
HID_USB_DEVICE(USB_VENDOR_ID_CHICONY, USB_DEVICE_ID_CHICONY_PIXART_USB_OPTICAL_MOUSE2), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_CHICONY, USB_DEVICE_ID_CHICONY_WIRELESS), HID_QUIRK_MULTI_INPUT }, + { HID_USB_DEVICE(USB_VENDOR_ID_CHIC, USB_DEVICE_ID_CHIC_GAMEPAD), HID_QUIRK_BADPAD }, + { HID_USB_DEVICE(USB_VENDOR_ID_CH, USB_DEVICE_ID_CH_3AXIS_5BUTTON_STICK), HID_QUIRK_NOGET }, +-- +2.20.1 + diff --git a/queue-4.19/hid-multitouch-add-pointstick-support-for-alps-touch.patch b/queue-4.19/hid-multitouch-add-pointstick-support-for-alps-touch.patch new file mode 100644 index 00000000000..d074d034f58 --- /dev/null +++ b/queue-4.19/hid-multitouch-add-pointstick-support-for-alps-touch.patch 
@@ -0,0 +1,50 @@
+From aed493adb849ca7b2df4c50393534a62daa2d0be Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng
+Date: Fri, 14 Jun 2019 16:56:55 +0800
+Subject: HID: multitouch: Add pointstick support for ALPS Touchpad
+
+[ Upstream commit 0a95fc733da375de0688d0f1fd3a2869a1c1d499 ]
+
+There's a new ALPS touchpad/pointstick combo device that requires
+MT_CLS_WIN_8_DUAL to make its pointsitck work as a mouse.
+
+The device can be found on HP ZBook 17 G5.
+
+Signed-off-by: Kai-Heng Feng
+Signed-off-by: Jiri Kosina
+Signed-off-by: Sasha Levin
+---
+ drivers/hid/hid-ids.h | 1 +
+ drivers/hid/hid-multitouch.c | 4 ++++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
+index 97b4ecab7c12..50b3c0d89c9c 100644
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -82,6 +82,7 @@
+ #define HID_DEVICE_ID_ALPS_U1_DUAL_3BTN_PTP 0x1220
+ #define HID_DEVICE_ID_ALPS_U1 0x1215
+ #define HID_DEVICE_ID_ALPS_T4_BTNLESS 0x120C
++#define HID_DEVICE_ID_ALPS_1222 0x1222
+
+
+ #define USB_VENDOR_ID_AMI 0x046b
+diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
+index 184e49036e1d..f9167d0e095c 100644
+--- a/drivers/hid/hid-multitouch.c
++++ b/drivers/hid/hid-multitouch.c
+@@ -1788,6 +1788,10 @@ static const struct hid_device_id mt_devices[] = {
+ HID_DEVICE(BUS_I2C, HID_GROUP_MULTITOUCH_WIN_8,
+ USB_VENDOR_ID_ALPS_JP,
+ HID_DEVICE_ID_ALPS_U1_DUAL_3BTN_PTP) },
++ { .driver_data = MT_CLS_WIN_8_DUAL,
++ HID_DEVICE(BUS_I2C, HID_GROUP_MULTITOUCH_WIN_8,
++ USB_VENDOR_ID_ALPS_JP,
++ HID_DEVICE_ID_ALPS_1222) },
+
+ /* Lenovo X1 TAB Gen 2 */
+ { .driver_data = MT_CLS_WIN_8_DUAL,
+--
+2.20.1
+
diff --git a/queue-4.19/irqchip-gic-v3-its-fix-command-queue-pointer-compari.patch b/queue-4.19/irqchip-gic-v3-its-fix-command-queue-pointer-compari.patch
new file mode 100644
index 00000000000..93f957ecd23
--- /dev/null
+++ b/queue-4.19/irqchip-gic-v3-its-fix-command-queue-pointer-compari.patch
@@ -0,0 +1,146 @@
+From 4f2839f5247534db85ac1e8a356d96117e2a0488 Mon Sep 17 00:00:00 2001
+From: Heyi Guo
+Date: Mon, 13 May 2019 19:42:06 +0800
+Subject: irqchip/gic-v3-its: Fix command queue pointer comparison bug
+
+[ Upstream commit a050fa5476d418fc16b25abe168b3d38ba11e13c ]
+
+When we run several VMs with PCI passthrough and GICv4 enabled, not
+pinning vCPUs, we will occasionally see below warnings in dmesg:
+
+ITS queue timeout (65440 65504 480)
+ITS cmd its_build_vmovp_cmd failed
+
+The reason for the above issue is that in BUILD_SINGLE_CMD_FUNC:
+1. Post the write command.
+2. Release the lock.
+3. Start to read GITS_CREADR to get the reader pointer.
+4. Compare the reader pointer to the target pointer.
+5. If reader pointer does not reach the target, sleep 1us and continue
+to try.
+
+If we have several processors running the above concurrently, other
+CPUs will post write commands while the 1st CPU is waiting the
+completion. So we may have below issue:
+
+phase 1:
+---rd_idx-----from_idx-----to_idx--0---------
+
+wait 1us:
+
+phase 2:
+--------------from_idx-----to_idx--0-rd_idx--
+
+That is the rd_idx may fly ahead of to_idx, and if in case to_idx is
+near the wrap point, rd_idx will wrap around. So the below condition
+will not be met even after 1s:
+
+if (from_idx < to_idx && rd_idx >= to_idx)
+
+There is another theoretical issue. For a slow and busy ITS, the
+initial rd_idx may fall behind from_idx a lot, just as below:
+
+---rd_idx---0--from_idx-----to_idx-----------
+
+This will cause the wait function exit too early.
+
+Actually, it does not make much sense to use from_idx to judge if
+to_idx is wrapped, but we need a initial rd_idx when lock is still
+acquired, and it can be used to judge whether to_idx is wrapped and
+the current rd_idx is wrapped.
+
+We switch to a method of calculating the delta of two adjacent reads
+and accumulating it to get the sum, so that we can get the real rd_idx
+from the wrapped value even when the queue is almost full.
+
+Cc: Thomas Gleixner
+Cc: Jason Cooper
+Signed-off-by: Heyi Guo
+Signed-off-by: Marc Zyngier
+Signed-off-by: Sasha Levin
+---
+ drivers/irqchip/irq-gic-v3-its.c | 35 ++++++++++++++++++++++----------
+ 1 file changed, 24 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c
+index 65ab2c80529c..ee30e8965d1b 100644
+--- a/drivers/irqchip/irq-gic-v3-its.c
++++ b/drivers/irqchip/irq-gic-v3-its.c
+@@ -740,32 +740,43 @@ static void its_flush_cmd(struct its_node *its, struct its_cmd_block *cmd)
+ }
+
+ static int its_wait_for_range_completion(struct its_node *its,
+- struct its_cmd_block *from,
++ u64 prev_idx,
+ struct its_cmd_block *to)
+ {
+- u64 rd_idx, from_idx, to_idx;
++ u64 rd_idx, to_idx, linear_idx;
+ u32 count = 1000000; /* 1s! */
+
+- from_idx = its_cmd_ptr_to_offset(its, from);
++ /* Linearize to_idx if the command set has wrapped around */
+ to_idx = its_cmd_ptr_to_offset(its, to);
++ if (to_idx < prev_idx)
++ to_idx += ITS_CMD_QUEUE_SZ;
++
++ linear_idx = prev_idx;
+
+ while (1) {
++ s64 delta;
++
+ rd_idx = readl_relaxed(its->base + GITS_CREADR);
+
+- /* Direct case */
+- if (from_idx < to_idx && rd_idx >= to_idx)
+- break;
++ /*
++ * Compute the read pointer progress, taking the
++ * potential wrap-around into account.
++ */
++ delta = rd_idx - prev_idx;
++ if (rd_idx < prev_idx)
++ delta += ITS_CMD_QUEUE_SZ;
+
+- /* Wrapped case */
+- if (from_idx >= to_idx && rd_idx >= to_idx && rd_idx < from_idx)
++ linear_idx += delta;
++ if (linear_idx >= to_idx)
+ break;
+
+ count--;
+ if (!count) {
+- pr_err_ratelimited("ITS queue timeout (%llu %llu %llu)\n",
+- from_idx, to_idx, rd_idx);
++ pr_err_ratelimited("ITS queue timeout (%llu %llu)\n",
++ to_idx, linear_idx);
+ return -1;
+ }
++ prev_idx = rd_idx;
+ cpu_relax();
+ udelay(1);
+ }
+@@ -782,6 +793,7 @@ void name(struct its_node *its, \
+ struct its_cmd_block *cmd, *sync_cmd, *next_cmd; \
+ synctype *sync_obj; \
+ unsigned long flags; \
++ u64 rd_idx; \
+ \
+ raw_spin_lock_irqsave(&its->lock, flags); \
+ \
+@@ -803,10 +815,11 @@ void name(struct its_node *its, \
+ } \
+ \
+ post: \
++ rd_idx = readl_relaxed(its->base + GITS_CREADR); \
+ next_cmd = its_post_commands(its); \
+ raw_spin_unlock_irqrestore(&its->lock, flags); \
+ \
+- if (its_wait_for_range_completion(its, cmd, next_cmd)) \
++ if (its_wait_for_range_completion(its, rd_idx, next_cmd)) \
+ pr_err_ratelimited("ITS cmd %ps failed\n", builder); \
+ }
+
+--
+2.20.1
+
diff --git a/queue-4.19/linux-kernel.h-fix-overflow-for-div_round_up_ull.patch b/queue-4.19/linux-kernel.h-fix-overflow-for-div_round_up_ull.patch
new file mode 100644
index 00000000000..6a5141c6d44
--- /dev/null
+++ b/queue-4.19/linux-kernel.h-fix-overflow-for-div_round_up_ull.patch
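Review bot: `its_wait_for_range_completion()` now relies on `prev_idx` being a GITS_CREADR value sampled while `its->lock` was still held, and nothing at the function states that contract; it is explained only in the commit message. I would add a comment above the function such as `/* prev_idx: GITS_CREADR as read under its->lock, before the commands were posted */`. The timeout message also stops printing the raw read pointer and reports only `to_idx` and the accumulated `linear_idx`, which makes a log line harder to correlate with the hardware register and changes the three-value format quoted in the commit message; keeping `rd_idx` as a third value would avoid both. The end of the function lies outside the inner hunk.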
@@ -0,0 +1,43 @@
+From 119bc71617bc7646463bee4ff9ec2bec08b116b1 Mon Sep 17 00:00:00 2001
+From: Vinod Koul
+Date: Fri, 28 Jun 2019 12:07:21 -0700
+Subject: linux/kernel.h: fix overflow for DIV_ROUND_UP_ULL
+
+[ Upstream commit 8f9fab480c7a87b10bb5440b5555f370272a5d59 ]
+
+DIV_ROUND_UP_ULL adds the two arguments and then invokes
+DIV_ROUND_DOWN_ULL. But on a 32bit system the addition of two 32 bit
+values can overflow. DIV_ROUND_DOWN_ULL does it correctly and stashes
+the addition into a unsigned long long so cast the result to unsigned
+long long here to avoid the overflow condition.
+
+[akpm@linux-foundation.org: DIV_ROUND_UP_ULL must be an rval]
+Link: http://lkml.kernel.org/r/20190625100518.30753-1-vkoul@kernel.org
+Signed-off-by: Vinod Koul
+Reviewed-by: Andrew Morton
+Cc: Bjorn Andersson
+Cc: Randy Dunlap
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ include/linux/kernel.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/include/linux/kernel.h b/include/linux/kernel.h
+index 3d83ebb302cf..f6f94e54ab96 100644
+--- a/include/linux/kernel.h
++++ b/include/linux/kernel.h
+@@ -118,7 +118,8 @@
+ #define DIV_ROUND_DOWN_ULL(ll, d) \
+ ({ unsigned long long _tmp = (ll); do_div(_tmp, d); _tmp; })
+
+-#define DIV_ROUND_UP_ULL(ll, d) DIV_ROUND_DOWN_ULL((ll) + (d) - 1, (d))
++#define DIV_ROUND_UP_ULL(ll, d) \
++ DIV_ROUND_DOWN_ULL((unsigned long long)(ll) + (d) - 1, (d))
+
+ #if BITS_PER_LONG == 32
+ # define DIV_ROUND_UP_SECTOR_T(ll,d) DIV_ROUND_UP_ULL(ll, d)
+--
+2.20.1
+
diff --git a/queue-4.19/perf-core-fix-perf_sample_regs_user-mm-check.patch b/queue-4.19/perf-core-fix-perf_sample_regs_user-mm-check.patch
new file mode 100644
index 00000000000..6871f461f70
--- /dev/null
+++ b/queue-4.19/perf-core-fix-perf_sample_regs_user-mm-check.patch
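Review bot: The new `DIV_ROUND_UP_ULL` still expands `d` twice, once in the sum and once as the divisor, so an argument with side effects is evaluated twice, and the macro carries no comment warning callers. The cast widens the addition to 64 bits, which removes the 32-bit wrap the commit describes, but `(ll) + (d) - 1` can still wrap when `ll` is within `d` of the `unsigned long long` maximum. I would document both limits next to the macro, for example `/* d is evaluated twice; the sum wraps if ll + d - 1 exceeds ULLONG_MAX */`.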
@@ -0,0 +1,52 @@
+From c40fc174b6bbe77e871e6433ac75a566293f1c75 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra
+Date: Wed, 29 May 2019 14:37:24 +0200
+Subject: perf/core: Fix perf_sample_regs_user() mm check
+
+[ Upstream commit 085ebfe937d7a7a5df1729f35a12d6d655fea68c ]
+
+perf_sample_regs_user() uses 'current->mm' to test for the presence of
+userspace, but this is insufficient, consider use_mm().
+
+A better test is: '!(current->flags & PF_KTHREAD)', exec() clears
+PF_KTHREAD after it sets the new ->mm but before it drops to userspace
+for the first time.
+
+Possibly obsoletes: bf05fc25f268 ("powerpc/perf: Fix oops when kthread execs user process")
+
+Reported-by: Ravi Bangoria
+Reported-by: Young Xiao <92siuyang@gmail.com>
+Signed-off-by: Peter Zijlstra (Intel)
+Acked-by: Will Deacon
+Cc: Arnaldo Carvalho de Melo
+Cc: Frederic Weisbecker
+Cc: Jiri Olsa
+Cc: Linus Torvalds
+Cc: Michael Ellerman
+Cc: Naveen N. Rao
+Cc: Peter Zijlstra
+Cc: Stephane Eranian
+Cc: Thomas Gleixner
+Fixes: 4018994f3d87 ("perf: Add ability to attach user level registers dump to sample")
+Signed-off-by: Ingo Molnar
+Signed-off-by: Sasha Levin
+---
+ kernel/events/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index 171b83ebed4a..3b61ff40bfe2 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -5906,7 +5906,7 @@ static void perf_sample_regs_user(struct perf_regs *regs_user,
+ if (user_mode(regs)) {
+ regs_user->abi = perf_reg_abi(current);
+ regs_user->regs = regs;
+- } else if (current->mm) {
++ } else if (!(current->flags & PF_KTHREAD)) {
+ perf_get_regs_user(regs_user, regs, regs_user_copy);
+ } else {
+ regs_user->abi = PERF_SAMPLE_REGS_ABI_NONE;
+--
+2.20.1
+
diff --git a/queue-4.19/pinctrl-mcp23s08-fix-add_data-and-irqchip_add_nested.patch b/queue-4.19/pinctrl-mcp23s08-fix-add_data-and-irqchip_add_nested.patch
new file mode 100644
index 00000000000..9ebb1b5eb51
--- /dev/null
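Review bot: The `else if (!(current->flags & PF_KTHREAD))` branch in `perf_sample_regs_user()` carries no comment, so the reason `current->mm` is not a sufficient test is recorded only in the commit message. A kernel thread that holds an mm would otherwise be treated as having user registers to sample, which is the case this commit closes, and a later cleanup could reintroduce the `->mm` test without noticing. I would add `/* a kthread may hold an mm via use_mm(); PF_KTHREAD is what marks the absence of user context */` above the branch. The function starts and ends outside the inner hunk.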
+++ b/queue-4.19/pinctrl-mcp23s08-fix-add_data-and-irqchip_add_nested.patch 
@@ -0,0 +1,70 @@
+From b55df59e6a397bb54ccf219516df5d09acf0d38d Mon Sep 17 00:00:00 2001
+From: Phil Reid
+Date: Thu, 13 Jun 2019 12:10:23 +0800
+Subject: pinctrl: mcp23s08: Fix add_data and irqchip_add_nested call order
+
+[ Upstream commit 6dbc6e6f58556369bf999cd7d9793586f1b0e4b4 ]
+
+Currently probing of the mcp23s08 results in an error message
+"detected irqchip that is shared with multiple gpiochips:
+please fix the driver"
+
+This is due to the following:
+
+Call to mcp23s08_irqchip_setup() with call hierarchy:
+mcp23s08_irqchip_setup()
+ gpiochip_irqchip_add_nested()
+ gpiochip_irqchip_add_key()
+ gpiochip_set_irq_hooks()
+
+Call to devm_gpiochip_add_data() with call hierarchy:
+devm_gpiochip_add_data()
+ gpiochip_add_data_with_key()
+ gpiochip_add_irqchip()
+ gpiochip_set_irq_hooks()
+
+The gpiochip_add_irqchip() returns immediately if there isn't a irqchip
+but we added a irqchip due to the previous mcp23s08_irqchip_setup()
+call. So it calls gpiochip_set_irq_hooks() a second time.
+
+Fix this by moving the call to devm_gpiochip_add_data before
+the call to mcp23s08_irqchip_setup
+
+Fixes: 02e389e63e35 ("pinctrl: mcp23s08: fix irq setup order")
+Suggested-by: Marco Felsch
+Signed-off-by: Phil Reid
+Signed-off-by: Linus Walleij
+Signed-off-by: Sasha Levin
+---
+ drivers/pinctrl/pinctrl-mcp23s08.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/pinctrl/pinctrl-mcp23s08.c b/drivers/pinctrl/pinctrl-mcp23s08.c
+index cecbce21d01f..33c3eca0ece9 100644
+--- a/drivers/pinctrl/pinctrl-mcp23s08.c
++++ b/drivers/pinctrl/pinctrl-mcp23s08.c
+@@ -889,6 +889,10 @@ static int mcp23s08_probe_one(struct mcp23s08 *mcp, struct device *dev,
+ if (ret < 0)
+ goto fail;
+
++ ret = devm_gpiochip_add_data(dev, &mcp->chip, mcp);
++ if (ret < 0)
++ goto fail;
++
+ mcp->irq_controller =
+ device_property_read_bool(dev, "interrupt-controller");
+ if (mcp->irq && mcp->irq_controller) {
+@@ -930,10 +934,6 @@ static int mcp23s08_probe_one(struct mcp23s08 *mcp, struct device *dev,
+ goto fail;
+ }
+
+- ret = devm_gpiochip_add_data(dev, &mcp->chip, mcp);
+- if (ret < 0)
+- goto fail;
+-
+ if (one_regmap_config) {
+ mcp->pinctrl_desc.name = devm_kasprintf(dev, GFP_KERNEL,
+ "mcp23xxx-pinctrl.%d", raw_chip_address);
+--
+2.20.1
+
diff --git a/queue-4.19/pinctrl-mediatek-ignore-interrupts-that-are-wake-onl.patch b/queue-4.19/pinctrl-mediatek-ignore-interrupts-that-are-wake-onl.patch
new file mode 100644
index 00000000000..c015d152cc7
--- /dev/null
+++ b/queue-4.19/pinctrl-mediatek-ignore-interrupts-that-are-wake-onl.patch
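Review bot: The moved `devm_gpiochip_add_data()` call in `mcp23s08_probe_one()` now has an ordering requirement relative to the irqchip setup that the code itself does not state. According to the commit message, registering the gpiochip after `mcp23s08_irqchip_setup()` makes `gpiochip_set_irq_hooks()` run twice, so a later reshuffle of the probe sequence would bring the warning back. I would add `/* must run before mcp23s08_irqchip_setup(), see gpiochip_add_irqchip() */` above the call. It is also worth confirming that registering the gpiochip before the interrupt path is configured leaves no window in which a consumer can request an interrupt that is not ready; the rest of the probe path is outside both hunks.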
@@ -0,0 +1,75 @@
+From 007987d6072d7ea41235ec1e9964ca8dfc1f524d Mon Sep 17 00:00:00 2001
+From: Nicolas Boichat
+Date: Mon, 29 Apr 2019 11:55:14 +0800
+Subject: pinctrl: mediatek: Ignore interrupts that are wake only during resume
+
+[ Upstream commit 35594bc7cecf3a78504b590e350570e8f4d7779e ]
+
+Before suspending, mtk-eint would set the interrupt mask to the
+one in wake_mask. However, some of these interrupts may not have a
+corresponding interrupt handler, or the interrupt may be disabled.
+
+On resume, the eint irq handler would trigger nevertheless,
+and irq/pm.c:irq_pm_check_wakeup would be called, which would
+try to call irq_disable. However, if the interrupt is not enabled
+(irqd_irq_disabled(&desc->irq_data) is true), the call does nothing,
+and the interrupt is left enabled in the eint driver.
+
+Especially for level-sensitive interrupts, this will lead to an
+interrupt storm on resume.
+
+If we detect that an interrupt is only in wake_mask, but not in
+cur_mask, we can just mask it out immediately (as mtk_eint_resume
+would do anyway at a later stage in the resume sequence, when
+restoring cur_mask).
+
+Fixes: bf22ff45bed6 ("genirq: Avoid unnecessary low level irq function calls")
+Signed-off-by: Nicolas Boichat
+Acked-by: Sean Wang
+Signed-off-by: Linus Walleij
+Signed-off-by: Sasha Levin
+---
+ drivers/pinctrl/mediatek/mtk-eint.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/pinctrl/mediatek/mtk-eint.c b/drivers/pinctrl/mediatek/mtk-eint.c
+index a613e546717a..b9f3c02ba59d 100644
+--- a/drivers/pinctrl/mediatek/mtk-eint.c
++++ b/drivers/pinctrl/mediatek/mtk-eint.c
+@@ -318,7 +318,7 @@ static void mtk_eint_irq_handler(struct irq_desc *desc)
+ struct irq_chip *chip = irq_desc_get_chip(desc);
+ struct mtk_eint *eint = irq_desc_get_handler_data(desc);
+ unsigned int status, eint_num;
+- int offset, index, virq;
++ int offset, mask_offset, index, virq;
+ void __iomem *reg = mtk_eint_get_offset(eint, 0, eint->regs->stat);
+ int dual_edge, start_level, curr_level;
+
+@@ -328,10 +328,24 @@ static void mtk_eint_irq_handler(struct irq_desc *desc)
+ status = readl(reg);
+ while (status) {
+ offset = __ffs(status);
++ mask_offset = eint_num >> 5;
+ index = eint_num + offset;
+ virq = irq_find_mapping(eint->domain, index);
+ status &= ~BIT(offset);
+
++ /*
++ * If we get an interrupt on pin that was only required
++ * for wake (but no real interrupt requested), mask the
++ * interrupt (as would mtk_eint_resume do anyway later
++ * in the resume sequence).
++ */
++ if (eint->wake_mask[mask_offset] & BIT(offset) &&
++ !(eint->cur_mask[mask_offset] & BIT(offset))) {
++ writel_relaxed(BIT(offset), reg -
++ eint->regs->stat +
++ eint->regs->mask_set);
++ }
++
+ dual_edge = eint->dual_edge[index];
+ if (dual_edge) {
+ /*
+--
+2.20.1
+
diff --git a/queue-4.19/pinctrl-mediatek-update-cur_mask-in-mask-mask-ops.patch b/queue-4.19/pinctrl-mediatek-update-cur_mask-in-mask-mask-ops.patch
new file mode 100644
index 00000000000..0804063652b
--- /dev/null
+++ b/queue-4.19/pinctrl-mediatek-update-cur_mask-in-mask-mask-ops.patch
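Review bot: In `mtk_eint_irq_handler()` the mask-set register address is derived by pointer arithmetic, `reg - eint->regs->stat + eint->regs->mask_set`, which silently depends on how `reg` is advanced per port elsewhere in the loop, outside the hunk. The same driver obtains this address with `mtk_eint_get_offset(eint, d->hwirq, eint->regs->mask_set)` in `mtk_eint_mask()`; calling the helper here with `index`, provided it resolves to the same register for this port, would be easier to audit. `mask_offset = eint_num >> 5` does not change inside the inner `while (status)` loop and could be computed once per port, and the two `&` terms in the new `if` would read more safely with explicit parentheses around each.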
@@ -0,0 +1,99 @@
+From 78af18de80e972ebcc15758f75aabb249253f64d Mon Sep 17 00:00:00 2001
+From: Nicolas Boichat
+Date: Wed, 26 Jun 2019 11:54:45 +0800
+Subject: pinctrl: mediatek: Update cur_mask in mask/mask ops
+
+[ Upstream commit 9d957a959bc8c3dfe37572ac8e99affb5a885965 ]
+
+During suspend/resume, mtk_eint_mask may be called while
+wake_mask is active. For example, this happens if a wake-source
+with an active interrupt handler wakes the system:
+irq/pm.c:irq_pm_check_wakeup would disable the interrupt, so
+that it can be handled later on in the resume flow.
+
+However, this may happen before mtk_eint_do_resume is called:
+in this case, wake_mask is loaded, and cur_mask is restored
+from an older copy, re-enabling the interrupt, and causing
+an interrupt storm (especially for level interrupts).
+
+Step by step, for a line that has both wake and interrupt enabled:
+ 1. cur_mask[irq] = 1; wake_mask[irq] = 1; EINT_EN[irq] = 1 (interrupt
+ enabled at hardware level)
+ 2. System suspends, resumes due to that line (at this stage EINT_EN
+ == wake_mask)
+ 3. irq_pm_check_wakeup is called, and disables the interrupt =>
+ EINT_EN[irq] = 0, but we still have cur_mask[irq] = 1
+ 4. mtk_eint_do_resume is called, and restores EINT_EN = cur_mask, so
+ it reenables EINT_EN[irq] = 1 => interrupt storm as the driver
+ is not yet ready to handle the interrupt.
+
+This patch fixes the issue in step 3, by recording all mask/unmask
+changes in cur_mask. This also avoids the need to read the current
+mask in eint_do_suspend, and we can remove mtk_eint_chip_read_mask
+function.
+
+The interrupt will be re-enabled properly later on, sometimes after
+mtk_eint_do_resume, when the driver is ready to handle it.
+
+Fixes: 58a5e1b64bb0 ("pinctrl: mediatek: Implement wake handler and suspend resume")
+Signed-off-by: Nicolas Boichat
+Acked-by: Sean Wang
+Signed-off-by: Linus Walleij
+Signed-off-by: Sasha Levin
+---
+ drivers/pinctrl/mediatek/mtk-eint.c | 18 ++++--------------
+ 1 file changed, 4 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/pinctrl/mediatek/mtk-eint.c b/drivers/pinctrl/mediatek/mtk-eint.c
+index b9f3c02ba59d..564cfaee129d 100644
+--- a/drivers/pinctrl/mediatek/mtk-eint.c
++++ b/drivers/pinctrl/mediatek/mtk-eint.c
+@@ -113,6 +113,8 @@ static void mtk_eint_mask(struct irq_data *d)
+ void __iomem *reg = mtk_eint_get_offset(eint, d->hwirq,
+ eint->regs->mask_set);
+
++ eint->cur_mask[d->hwirq >> 5] &= ~mask;
++
+ writel(mask, reg);
+ }
+
+@@ -123,6 +125,8 @@ static void mtk_eint_unmask(struct irq_data *d)
+ void __iomem *reg = mtk_eint_get_offset(eint, d->hwirq,
+ eint->regs->mask_clr);
+
++ eint->cur_mask[d->hwirq >> 5] |= mask;
++
+ writel(mask, reg);
+
+ if (eint->dual_edge[d->hwirq])
+@@ -217,19 +221,6 @@ static void mtk_eint_chip_write_mask(const struct mtk_eint *eint,
+ }
+ }
+
+-static void mtk_eint_chip_read_mask(const struct mtk_eint *eint,
+- void __iomem *base, u32 *buf)
+-{
+- int port;
+- void __iomem *reg;
+-
+- for (port = 0; port < eint->hw->ports; port++) {
+- reg = base + eint->regs->mask + (port << 2);
+- buf[port] = ~readl_relaxed(reg);
+- /* Mask is 0 when irq is enabled, and 1 when disabled. */
+- }
+-}
+-
+ static int mtk_eint_irq_request_resources(struct irq_data *d)
+ {
+ struct mtk_eint *eint = irq_data_get_irq_chip_data(d);
+@@ -384,7 +375,6 @@ static void mtk_eint_irq_handler(struct irq_desc *desc)
+
+ int mtk_eint_do_suspend(struct mtk_eint *eint)
+ {
+- mtk_eint_chip_read_mask(eint, eint->base, eint->cur_mask);
+ mtk_eint_chip_write_mask(eint, eint->base, eint->wake_mask);
+
+ return 0;
+--
+2.20.1
+
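Review bot: The new `eint->cur_mask[d->hwirq >> 5] &= ~mask;` in `mtk_eint_mask()` and the matching `|= mask` in `mtk_eint_unmask()` are unlocked read-modify-write updates of a word shared by 32 interrupt lines. If the mask and unmask callbacks for two lines of the same port can run at the same time on different CPUs (they are presumably serialised only per interrupt), one update can be lost, and the stale bit would then be written back to the hardware when `cur_mask` is restored on resume. The hardware write is not affected because it goes to separate set and clear registers; only the shadow copy is exposed. I would either guard the shadow update with a lock held in `struct mtk_eint` or add a comment stating why the callers already exclude each other. Both functions begin outside their hunks.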
diff --git a/queue-4.19/ppp-mppe-add-softdep-to-arc4.patch b/queue-4.19/ppp-mppe-add-softdep-to-arc4.patch
new file mode 100644
index 00000000000..c3bfbecfc73
--- /dev/null
+++ b/queue-4.19/ppp-mppe-add-softdep-to-arc4.patch
@@ -0,0 +1,34 @@
+From 16907457f7e08afd63b94593d99b4009c22c538b Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Wed, 19 Jun 2019 15:34:07 +0200
+Subject: ppp: mppe: Add softdep to arc4
+
+[ Upstream commit aad1dcc4f011ea409850e040363dff1e59aa4175 ]
+
+The arc4 crypto is mandatory at ppp_mppe probe time, so let's put a
+softdep line, so that the corresponding module gets prepared
+gracefully. Without this, a simple inclusion to initrd via dracut
+failed due to the missing dependency, for example.
+
+Signed-off-by: Takashi Iwai
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ppp/ppp_mppe.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ppp/ppp_mppe.c b/drivers/net/ppp/ppp_mppe.c
+index a205750b431b..8609c1a0777b 100644
+--- a/drivers/net/ppp/ppp_mppe.c
++++ b/drivers/net/ppp/ppp_mppe.c
+@@ -63,6 +63,7 @@ MODULE_AUTHOR("Frank Cusack ");
+ MODULE_DESCRIPTION("Point-to-Point Protocol Microsoft Point-to-Point Encryption support");
+ MODULE_LICENSE("Dual BSD/GPL");
+ MODULE_ALIAS("ppp-compress-" __stringify(CI_MPPE));
++MODULE_SOFTDEP("pre: arc4");
+ MODULE_VERSION("1.0.2");
+
+ static unsigned int
+--
+2.20.1
+
diff --git a/queue-4.19/series b/queue-4.19/series
index c60dac706fd..d0ffe0c0416 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -4,3 +4,26 @@ input-synaptics-enable-smbus-on-t480-thinkpad-trackpad.patch
 nilfs2-do-not-use-unexported-cpu_to_le32-le32_to_cpu-in-uapi-header.patch
 drivers-base-cacheinfo-ensure-cpu-hotplug-work-is-done-before-intel-rdt.patch
 firmware-improve-lsm-ima-security-behaviour.patch
+irqchip-gic-v3-its-fix-command-queue-pointer-compari.patch
+clk-ti-clkctrl-fix-returning-uninitialized-data.patch
+efi-bgrt-drop-bgrt-status-field-reserved-bits-check.patch
+perf-core-fix-perf_sample_regs_user-mm-check.patch
+arm-dts-gemini-fix-up-dns-313-compatible-string.patch
+arm-omap2-remove-incorrect-__init-annotation.patch
+afs-fix-uninitialised-spinlock-afs_volume-cb_break_l.patch
+x86-apic-fix-integer-overflow-on-10-bit-left-shift-o.patch
+be2net-fix-link-failure-after-ethtool-offline-test.patch
+ppp-mppe-add-softdep-to-arc4.patch
+sis900-fix-tx-completion.patch
+arm-dts-imx6ul-fix-pwm-1-4-interrupts.patch
+pinctrl-mcp23s08-fix-add_data-and-irqchip_add_nested.patch
+dm-table-don-t-copy-from-a-null-pointer-in-realloc_a.patch
+dm-verity-use-message-limit-for-data-block-corruptio.patch
+x86-boot-64-fix-crash-if-kernel-image-crosses-page-t.patch
+x86-boot-64-add-missing-fixup_pointer-for-next_early.patch
+hid-chicony-add-another-quirk-for-pixart-mouse.patch
+hid-multitouch-add-pointstick-support-for-alps-touch.patch
+pinctrl-mediatek-ignore-interrupts-that-are-wake-onl.patch
+cpu-hotplug-fix-out-of-bounds-read-when-setting-fail.patch
+pinctrl-mediatek-update-cur_mask-in-mask-mask-ops.patch
+linux-kernel.h-fix-overflow-for-div_round_up_ull.patch
diff --git a/queue-4.19/sis900-fix-tx-completion.patch b/queue-4.19/sis900-fix-tx-completion.patch
new file mode 100644
index 00000000000..5e3cee96b98
--- /dev/null
+++ b/queue-4.19/sis900-fix-tx-completion.patch
@@ -0,0 +1,117 @@
+From bc436ab983f089b6cb114bce997849c8cb20d368 Mon Sep 17 00:00:00 2001
+From: Sergej Benilov
+Date: Thu, 20 Jun 2019 11:02:18 +0200
+Subject: sis900: fix TX completion
+
+[ Upstream commit 8ac8a01092b2added0749ef937037bf1912e13e3 ]
+
+Since commit 605ad7f184b60cfaacbc038aa6c55ee68dee3c89 "tcp: refine TSO autosizing",
+outbound throughput is dramatically reduced for some connections, as sis900
+is doing TX completion within idle states only.
+
+Make TX completion happen after every transmitted packet.
+
+Test:
+netperf
+
+before patch:
+> netperf -H remote -l -2000000 -- -s 1000000
+MIGRATED TCP STREAM TEST from 0.0.0.0 () port 0 AF_INET to 95.223.112.76 () port 0 AF_INET : demo
+Recv Send Send
+Socket Socket Message Elapsed
+Size Size Size Time Throughput
+bytes bytes bytes secs. 10^6bits/sec
+
+ 87380 327680 327680 253.44 0.06
+
+after patch:
+> netperf -H remote -l -10000000 -- -s 1000000
+MIGRATED TCP STREAM TEST from 0.0.0.0 () port 0 AF_INET to 95.223.112.76 () port 0 AF_INET : demo
+Recv Send Send
+Socket Socket Message Elapsed
+Size Size Size Time Throughput
+bytes bytes bytes secs. 10^6bits/sec
+
+ 87380 327680 327680 5.38 14.89
+
+Thx to Dave Miller and Eric Dumazet for helpful hints
+
+Signed-off-by: Sergej Benilov
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/sis/sis900.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/ethernet/sis/sis900.c b/drivers/net/ethernet/sis/sis900.c
+index 4bb89f74742c..d5bcbc40a55f 100644
+--- a/drivers/net/ethernet/sis/sis900.c
++++ b/drivers/net/ethernet/sis/sis900.c
+@@ -1057,7 +1057,7 @@ sis900_open(struct net_device *net_dev)
+ sis900_set_mode(sis_priv, HW_SPEED_10_MBPS, FDX_CAPABLE_HALF_SELECTED);
+
+ /* Enable all known interrupts by setting the interrupt mask. */
+- sw32(imr, RxSOVR | RxORN | RxERR | RxOK | TxURN | TxERR | TxIDLE);
++ sw32(imr, RxSOVR | RxORN | RxERR | RxOK | TxURN | TxERR | TxIDLE | TxDESC);
+ sw32(cr, RxENA | sr32(cr));
+ sw32(ier, IE);
+
+@@ -1578,7 +1578,7 @@ static void sis900_tx_timeout(struct net_device *net_dev)
+ sw32(txdp, sis_priv->tx_ring_dma);
+
+ /* Enable all known interrupts by setting the interrupt mask. */
+- sw32(imr, RxSOVR | RxORN | RxERR | RxOK | TxURN | TxERR | TxIDLE);
++ sw32(imr, RxSOVR | RxORN | RxERR | RxOK | TxURN | TxERR | TxIDLE | TxDESC);
+ }
+
+ /**
+@@ -1618,7 +1618,7 @@ sis900_start_xmit(struct sk_buff *skb, struct net_device *net_dev)
+ spin_unlock_irqrestore(&sis_priv->lock, flags);
+ return NETDEV_TX_OK;
+ }
+- sis_priv->tx_ring[entry].cmdsts = (OWN | skb->len);
++ sis_priv->tx_ring[entry].cmdsts = (OWN | INTR | skb->len);
+ sw32(cr, TxENA | sr32(cr));
+
+ sis_priv->cur_tx ++;
+@@ -1674,7 +1674,7 @@ static irqreturn_t sis900_interrupt(int irq, void *dev_instance)
+ do {
+ status = sr32(isr);
+
+- if ((status & (HIBERR|TxURN|TxERR|TxIDLE|RxORN|RxERR|RxOK)) == 0)
++ if ((status & (HIBERR|TxURN|TxERR|TxIDLE|TxDESC|RxORN|RxERR|RxOK)) == 0)
+ /* nothing intresting happened */
+ break;
+ handled = 1;
+@@ -1684,7 +1684,7 @@ static irqreturn_t sis900_interrupt(int irq, void *dev_instance)
+ /* Rx interrupt */
+ sis900_rx(net_dev);
+
+- if (status & (TxURN | TxERR | TxIDLE))
++ if (status & (TxURN | TxERR | TxIDLE | TxDESC))
+ /* Tx interrupt */
+ sis900_finish_xmit(net_dev);
+
+@@ -1896,8 +1896,8 @@ static void sis900_finish_xmit (struct net_device *net_dev)
+
+ if (tx_status & OWN) {
+ /* The packet is not transmitted yet (owned by hardware) !
+- * Note: the interrupt is generated only when Tx Machine
+- * is idle, so this is an almost impossible case */
++ * Note: this is an almost impossible condition
++ * in case of TxDESC ('descriptor interrupt') */
+ break;
+ }
+
+@@ -2473,7 +2473,7 @@ static int sis900_resume(struct pci_dev *pci_dev)
+ sis900_set_mode(sis_priv, HW_SPEED_10_MBPS, FDX_CAPABLE_HALF_SELECTED);
+
+ /* Enable all known interrupts by setting the interrupt mask. */
+- sw32(imr, RxSOVR | RxORN | RxERR | RxOK | TxURN | TxERR | TxIDLE);
++ sw32(imr, RxSOVR | RxORN | RxERR | RxOK | TxURN | TxERR | TxIDLE | TxDESC);
+ sw32(cr, RxENA | sr32(cr));
+ sw32(ier, IE);
+
+--
+2.20.1
+
diff --git a/queue-4.19/x86-apic-fix-integer-overflow-on-10-bit-left-shift-o.patch b/queue-4.19/x86-apic-fix-integer-overflow-on-10-bit-left-shift-o.patch
new file mode 100644
index 00000000000..6c4afbbc005
--- /dev/null
+++ b/queue-4.19/x86-apic-fix-integer-overflow-on-10-bit-left-shift-o.patch
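Review bot: The interrupt mask `RxSOVR | RxORN | RxERR | RxOK | TxURN | TxERR | TxIDLE | TxDESC` is now spelled out in three places (`sis900_open()`, `sis900_tx_timeout()`, `sis900_resume()`), and the Tx subset is listed twice more in `sis900_interrupt()`. This commit had to edit every copy to add `TxDESC`, and a missed copy would leave descriptor interrupts masked after a timeout or a resume. A single named mask, for example `#define SIS900_IMR_ALL (...)` (the name is only a suggestion), used at all three `sw32(imr, ...)` sites would remove that risk. Setting `INTR` on every descriptor in `sis900_start_xmit()` also means one interrupt per transmitted packet, which deserves a short comment because it trades interrupt load for completion latency.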
@@ -0,0 +1,41 @@
+From c3b0b6c7f7325a2326335a95280230b4b6d59b99 Mon Sep 17 00:00:00 2001
+From: Colin Ian King
+Date: Wed, 19 Jun 2019 19:14:46 +0100
+Subject: x86/apic: Fix integer overflow on 10 bit left shift of cpu_khz
+
+[ Upstream commit ea136a112d89bade596314a1ae49f748902f4727 ]
+
+The left shift of unsigned int cpu_khz will overflow for large values of
+cpu_khz, so cast it to a long long before shifting it to avoid overvlow.
+For example, this can happen when cpu_khz is 4194305, i.e. ~4.2 GHz.
+
+Addresses-Coverity: ("Unintentional integer overflow")
+Fixes: 8c3ba8d04924 ("x86, apic: ack all pending irqs when crashed/on kexec")
+Signed-off-by: Colin Ian King
+Signed-off-by: Thomas Gleixner
+Cc: Borislav Petkov
+Cc: "H . Peter Anvin"
+Cc: kernel-janitors@vger.kernel.org
+Link: https://lkml.kernel.org/r/20190619181446.13635-1-colin.king@canonical.com
+Signed-off-by: Sasha Levin
+---
+ arch/x86/kernel/apic/apic.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c
+index 84132eddb5a8..2646234380cc 100644
+--- a/arch/x86/kernel/apic/apic.c
++++ b/arch/x86/kernel/apic/apic.c
+@@ -1452,7 +1452,8 @@ static void apic_pending_intr_clear(void)
+ if (queued) {
+ if (boot_cpu_has(X86_FEATURE_TSC) && cpu_khz) {
+ ntsc = rdtsc();
+- max_loops = (cpu_khz << 10) - (ntsc - tsc);
++ max_loops = (long long)cpu_khz << 10;
++ max_loops -= ntsc - tsc;
+ } else {
+ max_loops--;
+ }
+--
+2.20.1
+
diff --git a/queue-4.19/x86-boot-64-add-missing-fixup_pointer-for-next_early.patch b/queue-4.19/x86-boot-64-add-missing-fixup_pointer-for-next_early.patch
new file mode 100644
index 00000000000..4118969e0d6
--- /dev/null
+++ b/queue-4.19/x86-boot-64-add-missing-fixup_pointer-for-next_early.patch
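Review bot: The loop budget computed in `apic_pending_intr_clear()` has no comment giving its unit: `(long long)cpu_khz << 10` is roughly the number of TSC cycles in one second, and the elapsed `ntsc - tsc` is then subtracted from it. The subtraction only acts as a timeout if `max_loops` is a signed 64-bit variable, which cannot be confirmed here because its declaration is outside the hunk. I would add `/* ~1 s worth of TSC cycles (cpu_khz * 1024), minus the cycles already spent */` above the two new lines.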
@@ -0,0 +1,47 @@
+From 736261dd3410c68ca2613a2f8c8877dbdbaa0f68 Mon Sep 17 00:00:00 2001
+From: "Kirill A. Shutemov"
+Date: Thu, 20 Jun 2019 14:24:22 +0300
+Subject: x86/boot/64: Add missing fixup_pointer() for next_early_pgt access
+
+[ Upstream commit c1887159eb48ba40e775584cfb2a443962cf1a05 ]
+
+__startup_64() uses fixup_pointer() to access global variables in a
+position-independent fashion. Access to next_early_pgt was wrapped into the
+helper, but one instance in the 5-level paging branch was missed.
+
+GCC generates a R_X86_64_PC32 PC-relative relocation for the access which
+doesn't trigger the issue, but Clang emmits a R_X86_64_32S which leads to
+an invalid memory access and system reboot.
+
+Fixes: 187e91fe5e91 ("x86/boot/64/clang: Use fixup_pointer() to access 'next_early_pgt'")
+Signed-off-by: Kirill A. Shutemov
+Signed-off-by: Thomas Gleixner
+Cc: Borislav Petkov
+Cc: "H. Peter Anvin"
+Cc: Dave Hansen
+Cc: Andy Lutomirski
+Cc: Peter Zijlstra
+Cc: Alexander Potapenko
+Link: https://lkml.kernel.org/r/20190620112422.29264-1-kirill.shutemov@linux.intel.com
+Signed-off-by: Sasha Levin
+---
+ arch/x86/kernel/head64.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/head64.c b/arch/x86/kernel/head64.c
+index cc5b519dc687..250cfa85b633 100644
+--- a/arch/x86/kernel/head64.c
++++ b/arch/x86/kernel/head64.c
+@@ -184,7 +184,8 @@ unsigned long __head __startup_64(unsigned long physaddr,
+ pgtable_flags = _KERNPG_TABLE_NOENC + sme_get_me_mask();
+
+ if (la57) {
+- p4d = fixup_pointer(early_dynamic_pgts[next_early_pgt++], physaddr);
++ p4d = fixup_pointer(early_dynamic_pgts[(*next_pgt_ptr)++],
++ physaddr);
+
+ i = (physaddr >> PGDIR_SHIFT) % PTRS_PER_PGD;
+ pgd[i + 0] = (pgdval_t)p4d + pgtable_flags;
+--
+2.20.1
+
diff --git a/queue-4.19/x86-boot-64-fix-crash-if-kernel-image-crosses-page-t.patch b/queue-4.19/x86-boot-64-fix-crash-if-kernel-image-crosses-page-t.patch
new file mode 100644
index 00000000000..355c49fafcf
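Review bot: `early_dynamic_pgts[(*next_pgt_ptr)++]` in the `la57` branch of `__startup_64()` advances the early page-table index with no bound check visible in the hunk; whether the array size is guaranteed elsewhere cannot be seen from here. The line also has no comment saying why the counter must be reached through the fixed-up pointer rather than by name, although the commit message reports that the direct access works with one compiler and faults with another. I would add `/* next_early_pgt must be reached through fixup_pointer(), hence next_pgt_ptr */` at the branch so the next edit to this function does not repeat the omission. The function starts and ends outside the hunk.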
--- /dev/null
+++ b/queue-4.19/x86-boot-64-fix-crash-if-kernel-image-crosses-page-t.patch
@@ -0,0 +1,89 @@
+From a02a2e83ab164acd007c5a42656bb7c36a27dfdd Mon Sep 17 00:00:00 2001
+From: "Kirill A. Shutemov"
+Date: Thu, 20 Jun 2019 14:23:45 +0300
+Subject: x86/boot/64: Fix crash if kernel image crosses page table boundary
+
+[ Upstream commit 81c7ed296dcd02bc0b4488246d040e03e633737a ]
+
+A kernel which boots in 5-level paging mode crashes in a small percentage
+of cases if KASLR is enabled.
+
+This issue was tracked down to the case when the kernel image unpacks in a
+way that it crosses an 1G boundary. The crash is caused by an overrun of
+the PMD page table in __startup_64() and corruption of P4D page table
+allocated next to it. This particular issue is not visible with 4-level
+paging as P4D page tables are not used.
+
+But the P4D and the PUD calculation have similar problems.
+
+The PMD index calculation is wrong due to operator precedence, which fails
+to confine the PMDs in the PMD array on wrap around.
+
+The P4D calculation for 5-level paging and the PUD calculation calculate
+the first index correctly, but then blindly increment it which causes the
+same issue when a kernel image is located across a 512G and for 5-level
+paging across a 46T boundary.
+
+This wrap around mishandling was introduced when these parts moved from
+assembly to C.
+
+Restore it to the correct behaviour.
+
+Fixes: c88d71508e36 ("x86/boot/64: Rewrite startup_64() in C")
+Signed-off-by: Kirill A. Shutemov
+Signed-off-by: Thomas Gleixner
+Cc: Borislav Petkov
+Cc: "H. Peter Anvin"
+Cc: Dave Hansen
+Cc: Andy Lutomirski
+Cc: Peter Zijlstra
+Link: https://lkml.kernel.org/r/20190620112345.28833-1-kirill.shutemov@linux.intel.com
+Signed-off-by: Sasha Levin
+---
+ arch/x86/kernel/head64.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/arch/x86/kernel/head64.c b/arch/x86/kernel/head64.c
+index ddee1f0870c4..cc5b519dc687 100644
+--- a/arch/x86/kernel/head64.c
++++ b/arch/x86/kernel/head64.c
+@@ -190,18 +190,18 @@ unsigned long __head __startup_64(unsigned long physaddr,
+ pgd[i + 0] = (pgdval_t)p4d + pgtable_flags;
+ pgd[i + 1] = (pgdval_t)p4d + pgtable_flags;
+
+- i = (physaddr >> P4D_SHIFT) % PTRS_PER_P4D;
+- p4d[i + 0] = (pgdval_t)pud + pgtable_flags;
+- p4d[i + 1] = (pgdval_t)pud + pgtable_flags;
++ i = physaddr >> P4D_SHIFT;
++ p4d[(i + 0) % PTRS_PER_P4D] = (pgdval_t)pud + pgtable_flags;
++ p4d[(i + 1) % PTRS_PER_P4D] = (pgdval_t)pud + pgtable_flags;
+ } else {
+ i = (physaddr >> PGDIR_SHIFT) % PTRS_PER_PGD;
+ pgd[i + 0] = (pgdval_t)pud + pgtable_flags;
+ pgd[i + 1] = (pgdval_t)pud + pgtable_flags;
+ }
+
+- i = (physaddr >> PUD_SHIFT) % PTRS_PER_PUD;
+- pud[i + 0] = (pudval_t)pmd + pgtable_flags;
+- pud[i + 1] = (pudval_t)pmd + pgtable_flags;
++ i = physaddr >> PUD_SHIFT;
++ pud[(i + 0) % PTRS_PER_PUD] = (pudval_t)pmd + pgtable_flags;
++ pud[(i + 1) % PTRS_PER_PUD] = (pudval_t)pmd + pgtable_flags;
+
+ pmd_entry = __PAGE_KERNEL_LARGE_EXEC & ~_PAGE_GLOBAL;
+ /* Filter out unsupported __PAGE_KERNEL_* bits: */
+@@ -211,8 +211,9 @@ unsigned long __head __startup_64(unsigned long physaddr,
+ pmd_entry += physaddr;
+
+ for (i = 0; i < DIV_ROUND_UP(_end - _text, PMD_SIZE); i++) {
+- int idx = i + (physaddr >> PMD_SHIFT) % PTRS_PER_PMD;
+- pmd[idx] = pmd_entry + i * PMD_SIZE;
++ int idx = i + (physaddr >> PMD_SHIFT);
++
++ pmd[idx % PTRS_PER_PMD] = pmd_entry + i * PMD_SIZE;
+ }
+
+ /*
+--
+2.20.1
+
--
2.47.3
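Review bot: In the PMD loop of `__startup_64()`, `int idx = i + (physaddr >> PMD_SHIFT);` stores an `unsigned long` expression in a signed `int` before the new `idx % PTRS_PER_PMD`. For a sufficiently high `physaddr` the value would not fit, and a negative `idx` yields a negative remainder in C, which would index before the start of `pmd`; that is the same class of page-table overrun this commit sets out to remove. Declaring it as `unsigned long idx = i + (physaddr >> PMD_SHIFT);` keeps the remainder non-negative. The declaration of `i` and the start and end of the function are outside the hunks.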