From 97a17bb5331e2183517ba2f789dbe1c498780059 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Tue, 17 Dec 2019 10:29:47 -0500 Subject: [PATCH] fixes for 4.19 
Signed-off-by: Sasha Levin --- ...al-softlockups-while-refreshing-dfs-.patch | 106 +++++++++++++++ ...scmi-avoid-double-free-in-error-flow.patch | 53 ++++++++ ...eference-problem-in-gfs2_trans_remov.patch | 93 +++++++++++++ ...-terra-pad-1061-to-the-run_edge_even.patch | 67 +++++++++ ...an-header-from-skb-data-after-pskb_m.patch | 46 +++++++ ...idr_get_next_ul-race-with-idr_remove.patch | 97 +++++++++++++ ...050-add-missing-available-scan-masks.patch | 99 ++++++++++++++ ...wakeup-processes-in-module_wq-on-mod.patch | 61 +++++++++ ...dev-fix-handling-on-interface-rename.patch | 60 +++++++++ ...net-mlx5e-fix-sff-8472-eeprom-length.patch | 37 +++++ ...y-add_changeset_property-memory-leak.patch | 108 +++++++++++++++ ...memory-leak-in-attach_node_and_child.patch | 47 +++++++ ...sing-macctlr-register-setting-in-ini.patch | 78 +++++++++++ ...ix-segfault-in-thread__resolve_callc.patch | 42 ++++++ ...-to-set-stripe_handle-for-batch-head.patch | 45 +++++++ ...-change-discovery-state-before-plogi.patch | 44 ++++++ ...imit-dma-transfers-to-65536-bytes-ex.patch | 70 ++++++++++ queue-4.19/series | 18 +++ ...-when-cache_head-become-valid-before.patch | 127 ++++++++++++++++++ 19 files changed, 1298 insertions(+) create mode 100644 queue-4.19/cifs-fix-potential-softlockups-while-refreshing-dfs-.patch create mode 100644 queue-4.19/firmware-arm_scmi-avoid-double-free-in-error-flow.patch create mode 100644 queue-4.19/gfs2-fix-glock-reference-problem-in-gfs2_trans_remov.patch create mode 100644 queue-4.19/gpiolib-acpi-add-terra-pad-1061-to-the-run_edge_even.patch create mode 100644 queue-4.19/gre-refetch-erspan-header-from-skb-data-after-pskb_m.patch create mode 100644 queue-4.19/idr-fix-idr_get_next_ul-race-with-idr_remove.patch create mode 100644 queue-4.19/iio-imu-mpu6050-add-missing-available-scan-masks.patch create mode 100644 queue-4.19/kernel-module.c-wakeup-processes-in-module_wq-on-mod.patch create mode 100644 
queue-4.19/leds-trigger-netdev-fix-handling-on-interface-rename.patch create mode 100644 queue-4.19/net-mlx5e-fix-sff-8472-eeprom-length.patch create mode 100644 queue-4.19/of-overlay-add_changeset_property-memory-leak.patch create mode 100644 queue-4.19/of-unittest-fix-memory-leak-in-attach_node_and_child.patch create mode 100644 queue-4.19/pci-rcar-fix-missing-macctlr-register-setting-in-ini.patch create mode 100644 queue-4.19/perf-callchain-fix-segfault-in-thread__resolve_callc.patch create mode 100644 queue-4.19/raid5-need-to-set-stripe_handle-for-batch-head.patch create mode 100644 queue-4.19/scsi-qla2xxx-change-discovery-state-before-plogi.patch create mode 100644 queue-4.19/scsi-zorro_esp-limit-dma-transfers-to-65536-bytes-ex.patch create mode 100644 queue-4.19/sunrpc-fix-crash-when-cache_head-become-valid-before.patch diff --git a/queue-4.19/cifs-fix-potential-softlockups-while-refreshing-dfs-.patch b/queue-4.19/cifs-fix-potential-softlockups-while-refreshing-dfs-.patch new file mode 100644 index 00000000000..4b5baa2f1f3 --- /dev/null +++ b/queue-4.19/cifs-fix-potential-softlockups-while-refreshing-dfs-.patch 
@@ -0,0 +1,106 @@
+From 99a20a7771fc136525683a3ed27a5ea9f0b887ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 22 Nov 2019 12:30:53 -0300
+Subject: cifs: Fix potential softlockups while refreshing DFS cache
+
+From: Paulo Alcantara (SUSE)
+
+[ Upstream commit 84a1f5b1cc6fd7f6cd99fc5630c36f631b19fa60 ]
+
+We used to skip reconnects on all SMB2_IOCTL commands due to SMB3+
+FSCTL_VALIDATE_NEGOTIATE_INFO - which made sense since we're still
+establishing a SMB session.
+
+However, when refresh_cache_worker() calls smb2_get_dfs_refer() and
+we're under reconnect, SMB2_ioctl() will not be able to get a proper
+status error (e.g. -EHOSTDOWN in case we failed to reconnect) but an
+-EAGAIN from cifs_send_recv() thus looping forever in
+refresh_cache_worker().
+
+Fixes: e99c63e4d86d ("SMB3: Fix deadlock in validate negotiate hits reconnect")
+Signed-off-by: Paulo Alcantara (SUSE)
+Suggested-by: Aurelien Aptel
+Reviewed-by: Aurelien Aptel
+Signed-off-by: Steve French
+Signed-off-by: Sasha Levin
+---
+ fs/cifs/smb2pdu.c | 41 +++++++++++++++++++++++++++++------------
+ 1 file changed, 29 insertions(+), 12 deletions(-)
+
+diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
+index 9194f17675c89..4563699bbe6ce 100644
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -168,7 +168,7 @@ smb2_reconnect(__le16 smb2_command, struct cifs_tcon *tcon)
+ if (tcon == NULL)
+ return 0;
+
+- if (smb2_command == SMB2_TREE_CONNECT || smb2_command == SMB2_IOCTL)
++ if (smb2_command == SMB2_TREE_CONNECT)
+ return 0;
+
+ if (tcon->tidStatus == CifsExiting) {
+@@ -335,16 +335,9 @@ fill_small_buf(__le16 smb2_command, struct cifs_tcon *tcon, void *buf,
+ * SMB information in the SMB header. If the return code is zero, this
+ * function must have filled in request_buf pointer.
+ */
+-static int
+-smb2_plain_req_init(__le16 smb2_command, struct cifs_tcon *tcon,
+- void **request_buf, unsigned int *total_len)
++static int __smb2_plain_req_init(__le16 smb2_command, struct cifs_tcon *tcon,
++ void **request_buf, unsigned int *total_len)
+ {
+- int rc;
+-
+- rc = smb2_reconnect(smb2_command, tcon);
+- if (rc)
+- return rc;
+-
+ /* BB eventually switch this to SMB2 specific small buf size */
+ if (smb2_command == SMB2_SET_INFO)
+ *request_buf = cifs_buf_get();
+@@ -365,7 +358,31 @@ smb2_plain_req_init(__le16 smb2_command, struct cifs_tcon *tcon,
+ cifs_stats_inc(&tcon->num_smbs_sent);
+ }
+
+- return rc;
++ return 0;
++}
++
++static int smb2_plain_req_init(__le16 smb2_command, struct cifs_tcon *tcon,
++ void **request_buf, unsigned int *total_len)
++{
++ int rc;
++
++ rc = smb2_reconnect(smb2_command, tcon);
++ if (rc)
++ return rc;
++
++ return __smb2_plain_req_init(smb2_command, tcon, request_buf,
++ total_len);
++}
++
++static int smb2_ioctl_req_init(u32 opcode, struct cifs_tcon *tcon,
++ void **request_buf, unsigned int *total_len)
++{
++ /* Skip reconnect only for FSCTL_VALIDATE_NEGOTIATE_INFO IOCTLs */
++ if (opcode == FSCTL_VALIDATE_NEGOTIATE_INFO) {
++ return __smb2_plain_req_init(SMB2_IOCTL, tcon, request_buf,
++ total_len);
++ }
++ return smb2_plain_req_init(SMB2_IOCTL, tcon, request_buf, total_len);
+ }
+
+
+@@ -2386,7 +2403,7 @@ SMB2_ioctl(const unsigned int xid, struct cifs_tcon *tcon, u64 persistent_fid,
+ if (!ses || !(ses->server))
+ return -EIO;
+
+- rc = smb2_plain_req_init(SMB2_IOCTL, tcon, (void **) &req, &total_len);
++ rc = smb2_ioctl_req_init(opcode, tcon, (void **) &req, &total_len);
+ if (rc)
+ return rc;
+
+--
+2.20.1
+
diff --git a/queue-4.19/firmware-arm_scmi-avoid-double-free-in-error-flow.patch b/queue-4.19/firmware-arm_scmi-avoid-double-free-in-error-flow.patch
new file mode 100644
index 00000000000..972ae8fcd1b
--- /dev/null
+++ b/queue-4.19/firmware-arm_scmi-avoid-double-free-in-error-flow.patch
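Review bot: The comment in `smb2_ioctl_req_init()` names the one opcode that skips the reconnect but not the reason, and the reason is what a later editor needs before widening or dropping the exception. Going by the commit message and the title of the commit named in Fixes:, the validate-negotiate request is sent while the session is still being established and reconnecting on it risked a deadlock. I would expand the comment along the lines of `/* FSCTL_VALIDATE_NEGOTIATE_INFO is sent while the session is still being set up; reconnecting here can deadlock (see e99c63e4d86d), every other IOCTL must go through smb2_reconnect() */`. The middle of `__smb2_plain_req_init()` lies between two inner hunks and is not visible here.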
@@ -0,0 +1,53 @@
+From f045c89b687b8672a234a758d7a8ba3bb6b94628 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 25 Nov 2019 23:54:09 +0800
+Subject: firmware: arm_scmi: Avoid double free in error flow
+
+From: Wen Yang
+
+[ Upstream commit 8305e90a894f82c278c17e51a28459deee78b263 ]
+
+If device_register() fails, both put_device() and kfree() are called,
+ending with a double free of the scmi_dev.
+
+Calling kfree() is needed only when a failure happens between the
+allocation of the scmi_dev and its registration, so move it to there
+and remove it from the error flow.
+
+Fixes: 46edb8d1322c ("firmware: arm_scmi: provide the mandatory device release callback")
+Signed-off-by: Wen Yang
+Signed-off-by: Sudeep Holla
+Signed-off-by: Sasha Levin
+---
+ drivers/firmware/arm_scmi/bus.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/firmware/arm_scmi/bus.c b/drivers/firmware/arm_scmi/bus.c
+index 92f843eaf1e01..7a30952b463d5 100644
+--- a/drivers/firmware/arm_scmi/bus.c
++++ b/drivers/firmware/arm_scmi/bus.c
+@@ -135,8 +135,10 @@ scmi_device_create(struct device_node *np, struct device *parent, int protocol)
+ return NULL;
+
+ id = ida_simple_get(&scmi_bus_id, 1, 0, GFP_KERNEL);
+- if (id < 0)
+- goto free_mem;
++ if (id < 0) {
++ kfree(scmi_dev);
++ return NULL;
++ }
+
+ scmi_dev->id = id;
+ scmi_dev->protocol_id = protocol;
+@@ -154,8 +156,6 @@ scmi_device_create(struct device_node *np, struct device *parent, int protocol)
+ put_dev:
+ put_device(&scmi_dev->dev);
+ ida_simple_remove(&scmi_bus_id, id);
+-free_mem:
+- kfree(scmi_dev);
+ return NULL;
+ }
+
+--
+2.20.1
+
diff --git a/queue-4.19/gfs2-fix-glock-reference-problem-in-gfs2_trans_remov.patch b/queue-4.19/gfs2-fix-glock-reference-problem-in-gfs2_trans_remov.patch
new file mode 100644
index 00000000000..ffe1f157855
--- /dev/null
+++ b/queue-4.19/gfs2-fix-glock-reference-problem-in-gfs2_trans_remov.patch
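Review bot: Nothing at the `put_dev:` label says why `kfree(scmi_dev)` must not follow `put_device()`, which is exactly the mistake this change removes. The commit message and the Fixes: title imply that the final `put_device()` frees `scmi_dev` through the device release callback, so a one-line comment above `put_device(&scmi_dev->dev);` such as `/* put_device() frees scmi_dev via the release callback; do not kfree() it here */` would keep the double free from coming back. The following `ida_simple_remove()` uses the local `id` rather than `scmi_dev->id`, which is what keeps that call safe once the object may be gone, and that is worth saying in the same comment. The part of scmi_device_create() between the two inner hunks is not visible here.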
@@ -0,0 +1,93 @@
+From 03239042c96899e5e6e0c17ebcfa5db56e2b828f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 14 Nov 2019 09:49:11 -0500
+Subject: gfs2: fix glock reference problem in gfs2_trans_remove_revoke
+
+From: Bob Peterson
+
+[ Upstream commit fe5e7ba11fcf1d75af8173836309e8562aefedef ]
+
+Commit 9287c6452d2b fixed a situation in which gfs2 could use a glock
+after it had been freed. To do that, it temporarily added a new glock
+reference by calling gfs2_glock_hold in function gfs2_add_revoke.
+However, if the bd element was removed by gfs2_trans_remove_revoke, it
+failed to drop the additional reference.
+
+This patch adds logic to gfs2_trans_remove_revoke to properly drop the
+additional glock reference.
+
+Fixes: 9287c6452d2b ("gfs2: Fix occasional glock use-after-free")
+Cc: stable@vger.kernel.org # v5.2+
+Signed-off-by: Bob Peterson
+Signed-off-by: Andreas Gruenbacher
+Signed-off-by: Sasha Levin
+---
+ fs/gfs2/log.c | 8 ++++++++
+ fs/gfs2/log.h | 1 +
+ fs/gfs2/lops.c | 5 +----
+ fs/gfs2/trans.c | 2 ++
+ 4 files changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/fs/gfs2/log.c b/fs/gfs2/log.c
+index 90b5c8d0c56ac..d3f0612e33471 100644
+--- a/fs/gfs2/log.c
++++ b/fs/gfs2/log.c
+@@ -613,6 +613,14 @@ void gfs2_add_revoke(struct gfs2_sbd *sdp, struct gfs2_bufdata *bd)
+ list_add(&bd->bd_list, &sdp->sd_log_le_revoke);
+ }
+
++void gfs2_glock_remove_revoke(struct gfs2_glock *gl)
++{
++ if (atomic_dec_return(&gl->gl_revokes) == 0) {
++ clear_bit(GLF_LFLUSH, &gl->gl_flags);
++ gfs2_glock_queue_put(gl);
++ }
++}
++
+ void gfs2_write_revokes(struct gfs2_sbd *sdp)
+ {
+ struct gfs2_trans *tr;
+diff --git a/fs/gfs2/log.h b/fs/gfs2/log.h
+index 20241436126da..015766cd1f5d7 100644
+--- a/fs/gfs2/log.h
++++ b/fs/gfs2/log.h
+@@ -80,6 +80,7 @@ extern void gfs2_ail1_flush(struct gfs2_sbd *sdp, struct writeback_control *wbc)
+ extern void gfs2_log_shutdown(struct gfs2_sbd *sdp);
+ extern int gfs2_logd(void *data);
+ extern void gfs2_add_revoke(struct gfs2_sbd *sdp, struct gfs2_bufdata *bd);
++extern void gfs2_glock_remove_revoke(struct gfs2_glock *gl);
+ extern void gfs2_write_revokes(struct gfs2_sbd *sdp);
+
+ #endif /* __LOG_DOT_H__ */
+diff --git a/fs/gfs2/lops.c b/fs/gfs2/lops.c
+index 8f99b395d7bf6..2b3b755ee34cd 100644
+--- a/fs/gfs2/lops.c
++++ b/fs/gfs2/lops.c
+@@ -662,10 +662,7 @@ static void revoke_lo_after_commit(struct gfs2_sbd *sdp, struct gfs2_trans *tr)
+ bd = list_entry(head->next, struct gfs2_bufdata, bd_list);
+ list_del_init(&bd->bd_list);
+ gl = bd->bd_gl;
+- if (atomic_dec_return(&gl->gl_revokes) == 0) {
+- clear_bit(GLF_LFLUSH, &gl->gl_flags);
+- gfs2_glock_queue_put(gl);
+- }
++ gfs2_glock_remove_revoke(gl);
+ kmem_cache_free(gfs2_bufdata_cachep, bd);
+ }
+ }
+diff --git a/fs/gfs2/trans.c b/fs/gfs2/trans.c
+index 064c9a0ef0460..812b5d5978b27 100644
+--- a/fs/gfs2/trans.c
++++ b/fs/gfs2/trans.c
+@@ -266,6 +266,8 @@ void gfs2_trans_add_unrevoke(struct gfs2_sbd *sdp, u64 blkno, unsigned int len)
+ list_del_init(&bd->bd_list);
+ gfs2_assert_withdraw(sdp, sdp->sd_log_num_revoke);
+ sdp->sd_log_num_revoke--;
++ if (bd->bd_gl)
++ gfs2_glock_remove_revoke(bd->bd_gl);
+ kmem_cache_free(gfs2_bufdata_cachep, bd);
+ tr->tr_num_revoke_rm++;
+ if (--n == 0)
+--
+2.20.1
+
diff --git a/queue-4.19/gpiolib-acpi-add-terra-pad-1061-to-the-run_edge_even.patch b/queue-4.19/gpiolib-acpi-add-terra-pad-1061-to-the-run_edge_even.patch
new file mode 100644
index 00000000000..baca93c530a
--- /dev/null
+++ b/queue-4.19/gpiolib-acpi-add-terra-pad-1061-to-the-run_edge_even.patch
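Review bot: The new `gfs2_glock_remove_revoke()` in fs/gfs2/log.c dereferences `gl` unconditionally, yet only one of its two callers guards the pointer: `gfs2_trans_add_unrevoke()` tests `bd->bd_gl` first, while `revoke_lo_after_commit()` passes `bd->bd_gl` straight through, as the removed inline code did. If `bd_gl` can be NULL for an entry on the revoke list, the lops.c path has the same exposure; if it cannot, the check in trans.c is dead code. Either way the helper should state its contract, for example `/* Drop one revoke count on @gl, which must not be NULL; when the count reaches zero, clear GLF_LFLUSH and drop the reference taken in gfs2_add_revoke(). */`. Separately, the Cc: line reads v5.2+ while this is queued for 4.19, so it is worth confirming that 9287c6452d2b is actually present in this tree.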
@@ -0,0 +1,67 @@
+From 0baf1ab8aefb7df86d3b7c11c336bca4ea911b07 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 6 Nov 2019 12:51:09 +0100
+Subject: gpiolib: acpi: Add Terra Pad 1061 to the
+ run_edge_events_on_boot_blacklist
+
+From: Hans de Goede
+
+[ Upstream commit 2727315df3f5ffbebcb174eed3153944a858b66f ]
+
+The Terra Pad 1061 has the usual micro-USB-B id-pin handler, but instead
+of controlling the actual micro-USB-B it turns the 5V boost for the
+tablet's USB-A connector and its keyboard-cover connector off.
+
+The actual micro-USB-B connector on the tablet is wired for charging only,
+and its id pin is *not* connected to the GPIO which is used for the
+(broken) id-pin event handler in the DSDT.
+
+While at it not only add a comment why the Terra Pad 1061 is on the
+blacklist, but also fix the missing comment for the Minix Neo Z83-4 entry.
+
+Fixes: 61f7f7c8f978 ("gpiolib: acpi: Add gpiolib_acpi_run_edge_events_on_boot option and blacklist")
+Signed-off-by: Hans de Goede
+Reviewed-by: Andy Shevchenko
+Acked-by: Mika Westerberg
+Signed-off-by: Linus Walleij
+Signed-off-by: Sasha Levin
+---
+ drivers/gpio/gpiolib-acpi.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/drivers/gpio/gpiolib-acpi.c b/drivers/gpio/gpiolib-acpi.c
+index cf2604e635999..8edbb3f0c1013 100644
+--- a/drivers/gpio/gpiolib-acpi.c
++++ b/drivers/gpio/gpiolib-acpi.c
+@@ -1265,11 +1265,28 @@ late_initcall_sync(acpi_gpio_handle_deferred_request_irqs);
+
+ static const struct dmi_system_id run_edge_events_on_boot_blacklist[] = {
+ {
++ /*
++ * The Minix Neo Z83-4 has a micro-USB-B id-pin handler for
++ * a non existing micro-USB-B connector which puts the HDMI
++ * DDC pins in GPIO mode, breaking HDMI support.
++ */
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "MINIX"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "Z83-4"),
+ }
+ },
++ {
++ /*
++ * The Terra Pad 1061 has a micro-USB-B id-pin handler, which
++ * instead of controlling the actual micro-USB-B turns the 5V
++ * boost for its USB-A connector off. The actual micro-USB-B
++ * connector is wired for charging only.
++ */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Wortmann_AG"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "TERRA_PAD_1061"),
++ }
++ },
+ {} /* Terminating entry */
+ };
+
+--
+2.20.1
+
diff --git a/queue-4.19/gre-refetch-erspan-header-from-skb-data-after-pskb_m.patch b/queue-4.19/gre-refetch-erspan-header-from-skb-data-after-pskb_m.patch
new file mode 100644
index 00000000000..7d27c4e3d1c
--- /dev/null
+++ b/queue-4.19/gre-refetch-erspan-header-from-skb-data-after-pskb_m.patch
@@ -0,0 +1,46 @@
+From 88af704c585690dd04570439c8444e7933734287 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 5 Dec 2019 19:39:02 -0800
+Subject: gre: refetch erspan header from skb->data after pskb_may_pull()
+
+From: Cong Wang
+
+[ Upstream commit 0e4940928c26527ce8f97237fef4c8a91cd34207 ]
+
+After pskb_may_pull() we should always refetch the header
+pointers from the skb->data in case it got reallocated.
+
+In gre_parse_header(), the erspan header is still fetched
+from the 'options' pointer which is fetched before
+pskb_may_pull().
+
+Found this during code review of a KMSAN bug report.
+
+Fixes: cb73ee40b1b3 ("net: ip_gre: use erspan key field for tunnel lookup")
+Cc: Lorenzo Bianconi
+Signed-off-by: Cong Wang
+Acked-by: Lorenzo Bianconi
+Acked-by: William Tu
+Reviewed-by: Simon Horman
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/gre_demux.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv4/gre_demux.c b/net/ipv4/gre_demux.c
+index 511b32ea25331..0eb4bfa2332ca 100644
+--- a/net/ipv4/gre_demux.c
++++ b/net/ipv4/gre_demux.c
+@@ -132,7 +132,7 @@ int gre_parse_header(struct sk_buff *skb, struct tnl_ptk_info *tpi,
+ if (!pskb_may_pull(skb, nhs + hdr_len + sizeof(*ershdr)))
+ return -EINVAL;
+
+- ershdr = (struct erspan_base_hdr *)options;
++ ershdr = (struct erspan_base_hdr *)(skb->data + nhs + hdr_len);
+ tpi->key = cpu_to_be32(get_session_id(ershdr));
+ }
+
+--
+2.20.1
+
diff --git a/queue-4.19/idr-fix-idr_get_next_ul-race-with-idr_remove.patch b/queue-4.19/idr-fix-idr_get_next_ul-race-with-idr_remove.patch
new file mode 100644
index 00000000000..c3d75809be8
--- /dev/null
+++ b/queue-4.19/idr-fix-idr_get_next_ul-race-with-idr_remove.patch
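Review bot: The stale `options` pointer stays in scope in gre_parse_header() after this change, and nothing at the `pskb_may_pull()` call records that it may no longer be dereferenced. A short comment above the refetch, e.g. `/* pskb_may_pull() may reallocate skb->data; 'options' is stale from here on */`, would put the rule from the commit message where the next editor will see it. Whether `options` is read again further down cannot be told from this hunk, because the function starts before it and continues after it, so that is worth checking in the full file.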
@@ -0,0 +1,97 @@
+From 00d0d3af213b96bdd29a3cbda6b8bb9f66563a23 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 1 Nov 2019 21:36:39 -0400
+Subject: idr: Fix idr_get_next_ul race with idr_remove
+
+From: Matthew Wilcox (Oracle)
+
+[ Upstream commit 5a74ac4c4a97bd8b7dba054304d598e2a882fea6 ]
+
+Commit 5c089fd0c734 ("idr: Fix idr_get_next race with idr_remove")
+neglected to fix idr_get_next_ul(). As far as I can tell, nobody's
+actually using this interface under the RCU read lock, but fix it now
+before anybody decides to use it.
+
+Fixes: 5c089fd0c734 ("idr: Fix idr_get_next race with idr_remove")
+Signed-off-by: Matthew Wilcox (Oracle)
+Signed-off-by: Sasha Levin
+---
+ lib/idr.c | 31 +++++++++++--------------------
+ 1 file changed, 11 insertions(+), 20 deletions(-)
+
+diff --git a/lib/idr.c b/lib/idr.c
+index 61383564a6c54..6ff3b1c36e0a5 100644
+--- a/lib/idr.c
++++ b/lib/idr.c
+@@ -218,7 +218,7 @@ int idr_for_each(const struct idr *idr,
+ EXPORT_SYMBOL(idr_for_each);
+
+ /**
+- * idr_get_next() - Find next populated entry.
++ * idr_get_next_ul() - Find next populated entry.
+ * @idr: IDR handle.
+ * @nextid: Pointer to an ID.
+ *
+@@ -227,7 +227,7 @@ EXPORT_SYMBOL(idr_for_each);
+ * to the ID of the found value. To use in a loop, the value pointed to by
+ * nextid must be incremented by the user.
+ */
+-void *idr_get_next(struct idr *idr, int *nextid)
++void *idr_get_next_ul(struct idr *idr, unsigned long *nextid)
+ {
+ struct radix_tree_iter iter;
+ void __rcu **slot;
+@@ -249,18 +249,14 @@ void *idr_get_next(struct idr *idr, int *nextid)
+ }
+ if (!slot)
+ return NULL;
+- id = iter.index + base;
+-
+- if (WARN_ON_ONCE(id > INT_MAX))
+- return NULL;
+
+- *nextid = id;
++ *nextid = iter.index + base;
+ return entry;
+ }
+-EXPORT_SYMBOL(idr_get_next);
++EXPORT_SYMBOL(idr_get_next_ul);
+
+ /**
+- * idr_get_next_ul() - Find next populated entry.
++ * idr_get_next() - Find next populated entry.
+ * @idr: IDR handle.
+ * @nextid: Pointer to an ID.
+ *
+@@ -269,22 +265,17 @@ EXPORT_SYMBOL(idr_get_next);
+ * to the ID of the found value. To use in a loop, the value pointed to by
+ * nextid must be incremented by the user.
+ */
+-void *idr_get_next_ul(struct idr *idr, unsigned long *nextid)
++void *idr_get_next(struct idr *idr, int *nextid)
+ {
+- struct radix_tree_iter iter;
+- void __rcu **slot;
+- unsigned long base = idr->idr_base;
+ unsigned long id = *nextid;
++ void *entry = idr_get_next_ul(idr, &id);
+
+- id = (id < base) ? 0 : id - base;
+- slot = radix_tree_iter_find(&idr->idr_rt, &iter, id);
+- if (!slot)
++ if (WARN_ON_ONCE(id > INT_MAX))
+ return NULL;
+-
+- *nextid = iter.index + base;
+- return rcu_dereference_raw(*slot);
++ *nextid = id;
++ return entry;
+ }
+-EXPORT_SYMBOL(idr_get_next_ul);
++EXPORT_SYMBOL(idr_get_next);
+
+ /**
+ * idr_replace() - replace pointer for given ID.
+--
+2.20.1
+
diff --git a/queue-4.19/iio-imu-mpu6050-add-missing-available-scan-masks.patch b/queue-4.19/iio-imu-mpu6050-add-missing-available-scan-masks.patch
new file mode 100644
index 00000000000..a980ac9a6fa
--- /dev/null
+++ b/queue-4.19/iio-imu-mpu6050-add-missing-available-scan-masks.patch
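Review bot: In the rewritten `idr_get_next()` the `WARN_ON_ONCE(id > INT_MAX)` test now runs even when `idr_get_next_ul()` found nothing, where the removed code only warned after a slot had been found. As far as the visible lines show, `idr_get_next_ul()` stores to `*nextid` only after its `if (!slot) return NULL;` path, so on a miss `id` still holds the caller's `int` converted to unsigned long, and a negative `*nextid` would then trip the warning on an ordinary not-found result. Returning early keeps the earlier behaviour: `if (!entry) return NULL;` placed before the WARN_ON_ONCE. That matters most on systems running with panic_on_warn, where a reachable warning becomes a crash. The middle of idr_get_next_ul() lies between inner hunks, so the reading of `id` on a miss should be confirmed against the full function.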
@@ -0,0 +1,99 @@
+From beb7262f8dd7b8cd7b34e6b9f053a897e8015df7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 27 Jun 2019 13:19:53 +0000
+Subject: iio: imu: mpu6050: add missing available scan masks
+
+From: Jean-Baptiste Maneyrol
+
+[ Upstream commit 1244a720572fd1680ac8d6b8a4235f2e8557b810 ]
+
+Driver only supports 3-axis gyro and/or 3-axis accel.
+For icm20602, temp data is mandatory for all configurations.
+
+Fix all single and double axis configurations (almost never used) and more
+importantly fix 3-axis gyro and 6-axis accel+gyro buffer on icm20602 when
+temp data is not enabled.
+
+Signed-off-by: Jean-Baptiste Maneyrol
+Fixes: 1615fe41a195 ("iio: imu: mpu6050: Fix FIFO layout for ICM20602")
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Sasha Levin
+---
+ drivers/iio/imu/inv_mpu6050/inv_mpu_core.c | 43 ++++++++++++++++++++++
+ 1 file changed, 43 insertions(+)
+
+diff --git a/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c b/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c
+index f965026f9a746..6b560d99f3851 100644
+--- a/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c
++++ b/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c
+@@ -860,6 +860,25 @@ static const struct iio_chan_spec inv_mpu_channels[] = {
+ INV_MPU6050_CHAN(IIO_ACCEL, IIO_MOD_Z, INV_MPU6050_SCAN_ACCL_Z),
+ };
+
++static const unsigned long inv_mpu_scan_masks[] = {
++ /* 3-axis accel */
++ BIT(INV_MPU6050_SCAN_ACCL_X)
++ | BIT(INV_MPU6050_SCAN_ACCL_Y)
++ | BIT(INV_MPU6050_SCAN_ACCL_Z),
++ /* 3-axis gyro */
++ BIT(INV_MPU6050_SCAN_GYRO_X)
++ | BIT(INV_MPU6050_SCAN_GYRO_Y)
++ | BIT(INV_MPU6050_SCAN_GYRO_Z),
++ /* 6-axis accel + gyro */
++ BIT(INV_MPU6050_SCAN_ACCL_X)
++ | BIT(INV_MPU6050_SCAN_ACCL_Y)
++ | BIT(INV_MPU6050_SCAN_ACCL_Z)
++ | BIT(INV_MPU6050_SCAN_GYRO_X)
++ | BIT(INV_MPU6050_SCAN_GYRO_Y)
++ | BIT(INV_MPU6050_SCAN_GYRO_Z),
++ 0,
++};
++
+ static const struct iio_chan_spec inv_icm20602_channels[] = {
+ IIO_CHAN_SOFT_TIMESTAMP(INV_ICM20602_SCAN_TIMESTAMP),
+ {
+@@ -886,6 +905,28 @@ static const struct iio_chan_spec inv_icm20602_channels[] = {
+ INV_MPU6050_CHAN(IIO_ACCEL, IIO_MOD_Z, INV_ICM20602_SCAN_ACCL_Z),
+ };
+
++static const unsigned long inv_icm20602_scan_masks[] = {
++ /* 3-axis accel + temp (mandatory) */
++ BIT(INV_ICM20602_SCAN_ACCL_X)
++ | BIT(INV_ICM20602_SCAN_ACCL_Y)
++ | BIT(INV_ICM20602_SCAN_ACCL_Z)
++ | BIT(INV_ICM20602_SCAN_TEMP),
++ /* 3-axis gyro + temp (mandatory) */
++ BIT(INV_ICM20602_SCAN_GYRO_X)
++ | BIT(INV_ICM20602_SCAN_GYRO_Y)
++ | BIT(INV_ICM20602_SCAN_GYRO_Z)
++ | BIT(INV_ICM20602_SCAN_TEMP),
++ /* 6-axis accel + gyro + temp (mandatory) */
++ BIT(INV_ICM20602_SCAN_ACCL_X)
++ | BIT(INV_ICM20602_SCAN_ACCL_Y)
++ | BIT(INV_ICM20602_SCAN_ACCL_Z)
++ | BIT(INV_ICM20602_SCAN_GYRO_X)
++ | BIT(INV_ICM20602_SCAN_GYRO_Y)
++ | BIT(INV_ICM20602_SCAN_GYRO_Z)
++ | BIT(INV_ICM20602_SCAN_TEMP),
++ 0,
++};
++
+ /*
+ * The user can choose any frequency between INV_MPU6050_MIN_FIFO_RATE and
+ * INV_MPU6050_MAX_FIFO_RATE, but only these frequencies are matched by the
+@@ -1090,9 +1131,11 @@ int inv_mpu_core_probe(struct regmap *regmap, int irq, const char *name,
+ if (chip_type == INV_ICM20602) {
+ indio_dev->channels = inv_icm20602_channels;
+ indio_dev->num_channels = ARRAY_SIZE(inv_icm20602_channels);
++ indio_dev->available_scan_masks = inv_icm20602_scan_masks;
+ } else {
+ indio_dev->channels = inv_mpu_channels;
+ indio_dev->num_channels = ARRAY_SIZE(inv_mpu_channels);
++ indio_dev->available_scan_masks = inv_mpu_scan_masks;
+ }
+
+ indio_dev->info = &mpu_info;
+--
+2.20.1
+
diff --git a/queue-4.19/kernel-module.c-wakeup-processes-in-module_wq-on-mod.patch b/queue-4.19/kernel-module.c-wakeup-processes-in-module_wq-on-mod.patch
new file mode 100644
index 00000000000..aa833bd38ab
--- /dev/null
+++ b/queue-4.19/kernel-module.c-wakeup-processes-in-module_wq-on-mod.patch
@@ -0,0 +1,61 @@
+From b25fb643080e4679ee49fc9be1f07cd567748839 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 13 Nov 2019 12:29:50 +0300
+Subject: kernel/module.c: wakeup processes in module_wq on module unload
+
+From: Konstantin Khorenko
+
+[ Upstream commit 5d603311615f612320bb77bd2a82553ef1ced5b7 ]
+
+Fix the race between load and unload a kernel module.
+
+sys_delete_module()
+ try_stop_module()
+ mod->state = _GOING
+ add_unformed_module()
+ old = find_module_all()
+ (old->state == _GOING =>
+ wait_event_interruptible())
+
+ During pre-condition
+ finished_loading() rets 0
+ schedule()
+ (never gets waken up later)
+ free_module()
+ mod->state = _UNFORMED
+ list_del_rcu(&mod->list)
+ (dels mod from "modules" list)
+
+return
+
+The race above leads to modprobe hanging forever on loading
+a module.
+
+Error paths on loading module call wake_up_all(&module_wq) after
+freeing module, so let's do the same on straight module unload.
+
+Fixes: 6e6de3dee51a ("kernel/module.c: Only return -EEXIST for modules that have finished loading")
+Reviewed-by: Prarit Bhargava
+Signed-off-by: Konstantin Khorenko
+Signed-off-by: Jessica Yu
+Signed-off-by: Sasha Levin
+---
+ kernel/module.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/kernel/module.c b/kernel/module.c
+index 8257110bf599c..d3aaec62c1423 100644
+--- a/kernel/module.c
++++ b/kernel/module.c
+@@ -1021,6 +1021,8 @@ SYSCALL_DEFINE2(delete_module, const char __user *, name_user,
+ strlcpy(last_unloaded_module, mod->name, sizeof(last_unloaded_module));
+
+ free_module(mod);
++ /* someone could wait for the module in add_unformed_module() */
++ wake_up_all(&module_wq);
+ return 0;
+ out:
+ mutex_unlock(&module_mutex);
+--
+2.20.1
+
diff --git a/queue-4.19/leds-trigger-netdev-fix-handling-on-interface-rename.patch b/queue-4.19/leds-trigger-netdev-fix-handling-on-interface-rename.patch
new file mode 100644
index 00000000000..2473273a46c
--- /dev/null
+++ b/queue-4.19/leds-trigger-netdev-fix-handling-on-interface-rename.patch
@@ -0,0 +1,60 @@
+From de8ec7f7a0d0081ce67fe95292394c307e1e8e7b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 25 Oct 2019 09:01:42 +0200
+Subject: leds: trigger: netdev: fix handling on interface rename
+
+From: Martin Schiller
+
+[ Upstream commit 5f820ed52371b4f5d8c43c93f03408d0dbc01e5b ]
+
+The NETDEV_CHANGENAME code is not "unneeded" like it is stated in commit
+4cb6560514fa ("leds: trigger: netdev: fix refcnt leak on interface
+rename").
+
+The event was accidentally misinterpreted equivalent to
+NETDEV_UNREGISTER, but should be equivalent to NETDEV_REGISTER.
+
+This was the case in the original code from the openwrt project.
+
+Otherwise, you are unable to set netdev led triggers for (non-existent)
+netdevices, which has to be renamed. This is the case, for example, for
+ppp interfaces in openwrt.
+
+Fixes: 06f502f57d0d ("leds: trigger: Introduce a NETDEV trigger")
+Fixes: 4cb6560514fa ("leds: trigger: netdev: fix refcnt leak on interface rename")
+Signed-off-by: Martin Schiller
+Signed-off-by: Pavel Machek
+Signed-off-by: Sasha Levin
+---
+ drivers/leds/trigger/ledtrig-netdev.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/leds/trigger/ledtrig-netdev.c b/drivers/leds/trigger/ledtrig-netdev.c
+index 136f86a1627d1..d5e774d830215 100644
+--- a/drivers/leds/trigger/ledtrig-netdev.c
++++ b/drivers/leds/trigger/ledtrig-netdev.c
+@@ -302,10 +302,12 @@ static int netdev_trig_notify(struct notifier_block *nb,
+ container_of(nb, struct led_netdev_data, notifier);
+
+ if (evt != NETDEV_UP && evt != NETDEV_DOWN && evt != NETDEV_CHANGE
+- && evt != NETDEV_REGISTER && evt != NETDEV_UNREGISTER)
++ && evt != NETDEV_REGISTER && evt != NETDEV_UNREGISTER
++ && evt != NETDEV_CHANGENAME)
+ return NOTIFY_DONE;
+
+ if (!(dev == trigger_data->net_dev ||
++ (evt == NETDEV_CHANGENAME && !strcmp(dev->name, trigger_data->device_name)) ||
+ (evt == NETDEV_REGISTER && !strcmp(dev->name, trigger_data->device_name))))
+ return NOTIFY_DONE;
+
+@@ -315,6 +317,7 @@ static int netdev_trig_notify(struct notifier_block *nb,
+
+ clear_bit(NETDEV_LED_MODE_LINKUP, &trigger_data->mode);
+ switch (evt) {
++ case NETDEV_CHANGENAME:
+ case NETDEV_REGISTER:
+ if (trigger_data->net_dev)
+ dev_put(trigger_data->net_dev);
+--
+2.20.1
+
diff --git a/queue-4.19/net-mlx5e-fix-sff-8472-eeprom-length.patch b/queue-4.19/net-mlx5e-fix-sff-8472-eeprom-length.patch
new file mode 100644
index 00000000000..edae54b66e8
--- /dev/null
+++ b/queue-4.19/net-mlx5e-fix-sff-8472-eeprom-length.patch
@@ -0,0 +1,37 @@
+From 25c4ea990f08c80561e2c320695fe6d589cbe511 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 5 Dec 2019 10:30:22 +0200
+Subject: net/mlx5e: Fix SFF 8472 eeprom length
+
+From: Eran Ben Elisha
+
+[ Upstream commit c431f8597863a91eea6024926e0c1b179cfa4852 ]
+
+SFF 8472 eeprom length is 512 bytes. Fix module info return value to
+support 512 bytes read.
+
+Fixes: ace329f4ab3b ("net/mlx5e: ethtool, Remove unsupported SFP EEPROM high pages query")
+Signed-off-by: Eran Ben Elisha
+Reviewed-by: Aya Levin
+Signed-off-by: Saeed Mahameed
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
+index 10d72c83714db..a383276eb816a 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
+@@ -1320,7 +1320,7 @@ static int mlx5e_get_module_info(struct net_device *netdev,
+ break;
+ case MLX5_MODULE_ID_SFP:
+ modinfo->type = ETH_MODULE_SFF_8472;
+- modinfo->eeprom_len = MLX5_EEPROM_PAGE_LENGTH;
++ modinfo->eeprom_len = ETH_MODULE_SFF_8472_LEN;
+ break;
+ default:
+ netdev_err(priv->netdev, "%s: cable type not recognized:0x%x\n",
+--
+2.20.1
+
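Review bot: In the ledtrig-netdev.c patch, the device filter in `netdev_trig_notify()` now carries two clauses that differ only in the event constant, which invites them drifting apart later. Folding them reads better: `((evt == NETDEV_CHANGENAME || evt == NETDEV_REGISTER) && !strcmp(dev->name, trigger_data->device_name))`. Note also that the first clause, `dev == trigger_data->net_dev`, still matches when the tracked device is renamed away from `device_name`, and such an event then falls into the shared `case NETDEV_CHANGENAME:` / `case NETDEV_REGISTER:` handling, which begins by dropping the old reference. If re-binding to a device whose name no longer matches is not intended, that case needs its own name check. The rest of the switch is outside the hunk, so this should be confirmed against the full function.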
diff --git a/queue-4.19/of-overlay-add_changeset_property-memory-leak.patch b/queue-4.19/of-overlay-add_changeset_property-memory-leak.patch
new file mode 100644
index 00000000000..b0cd25c53bb
--- /dev/null
+++ b/queue-4.19/of-overlay-add_changeset_property-memory-leak.patch
@@ -0,0 +1,108 @@
+From 5b65239660b6402faf86ebef957a574106e276c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 21 Nov 2019 13:16:56 -0600
+Subject: of: overlay: add_changeset_property() memory leak
+
+From: Frank Rowand
+
+[ Upstream commit 637392a8506a3a7dd24ab9094a14f7522adb73b4 ]
+
+No changeset entries are created for #address-cells and #size-cells
+properties, but the duplicated properties are never freed. This
+results in a memory leak which is detected by kmemleak:
+
+ unreferenced object 0x85887180 (size 64):
+ backtrace:
+ kmem_cache_alloc_trace+0x1fb/0x1fc
+ __of_prop_dup+0x25/0x7c
+ add_changeset_property+0x17f/0x370
+ build_changeset_next_level+0x29/0x20c
+ of_overlay_fdt_apply+0x32b/0x6b4
+ ...
+
+Fixes: 6f75118800ac ("of: overlay: validate overlay properties #address-cells and #size-cells")
+Reported-by: Vincent Whitchurch
+Signed-off-by: Frank Rowand
+Tested-by: Vincent Whitchurch
+Signed-off-by: Rob Herring
+Signed-off-by: Sasha Levin
+---
+ drivers/of/overlay.c | 37 ++++++++++++++++++++-----------------
+ 1 file changed, 20 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/of/overlay.c b/drivers/of/overlay.c
+index 2edb59039b5f5..514528b3566ff 100644
+--- a/drivers/of/overlay.c
++++ b/drivers/of/overlay.c
+@@ -305,7 +305,6 @@ static int add_changeset_property(struct overlay_changeset *ovcs,
+ {
+ struct property *new_prop = NULL, *prop;
+ int ret = 0;
+- bool check_for_non_overlay_node = false;
+
+ if (target->in_livetree)
+ if (!of_prop_cmp(overlay_prop->name, "name") ||
+@@ -318,6 +317,25 @@ static int add_changeset_property(struct overlay_changeset *ovcs,
+ else
+ prop = NULL;
+
++ if (prop) {
++ if (!of_prop_cmp(prop->name, "#address-cells")) {
++ if (!of_prop_val_eq(prop, overlay_prop)) {
++ pr_err("ERROR: changing value of #address-cells is not allowed in %pOF\n",
++ target->np);
++ ret = -EINVAL;
++ }
++ return ret;
++
++ } else if (!of_prop_cmp(prop->name, "#size-cells")) {
++ if (!of_prop_val_eq(prop, overlay_prop)) {
++ pr_err("ERROR: changing value of #size-cells is not allowed in %pOF\n",
++ target->np);
++ ret = -EINVAL;
++ }
++ return ret;
++ }
++ }
++
+ if (is_symbols_prop) {
+ if (prop)
+ return -EINVAL;
+@@ -330,33 +348,18 @@ static int add_changeset_property(struct overlay_changeset *ovcs,
+ return -ENOMEM;
+
+ if (!prop) {
+- check_for_non_overlay_node = true;
+ if (!target->in_livetree) {
+ new_prop->next = target->np->deadprops;
+ target->np->deadprops = new_prop;
+ }
+ ret = of_changeset_add_property(&ovcs->cset, target->np,
+ new_prop);
+- } else if (!of_prop_cmp(prop->name, "#address-cells")) {
+- if (!of_prop_val_eq(prop, new_prop)) {
+- pr_err("ERROR: changing value of #address-cells is not allowed in %pOF\n",
+- target->np);
+- ret = -EINVAL;
+- }
+- } else if (!of_prop_cmp(prop->name, "#size-cells")) {
+- if (!of_prop_val_eq(prop, new_prop)) {
+- pr_err("ERROR: changing value of #size-cells is not allowed in %pOF\n",
+- target->np);
+- ret = -EINVAL;
+- }
+ } else {
+- check_for_non_overlay_node = true;
+ ret = of_changeset_update_property(&ovcs->cset, target->np,
+ new_prop);
+ }
+
+- if (check_for_non_overlay_node &&
+- !of_node_check_flag(target->np, OF_OVERLAY))
++ if (!of_node_check_flag(target->np, OF_OVERLAY))
+ pr_err("WARNING: memory leak will occur if overlay removed, property: %pOF/%s\n",
+ target->np, new_prop->name);
+
+--
+2.20.1
+
diff --git a/queue-4.19/of-unittest-fix-memory-leak-in-attach_node_and_child.patch b/queue-4.19/of-unittest-fix-memory-leak-in-attach_node_and_child.patch
new file mode 100644
index 00000000000..965ec5e3805
--- /dev/null
+++ b/queue-4.19/of-unittest-fix-memory-leak-in-attach_node_and_child.patch
@@ -0,0 +1,47 @@
+From f065b5bcb66814cc3d43fd3d7717c8c0335be5c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 26 Nov 2019 02:48:04 +0100
+Subject: of: unittest: fix memory leak in attach_node_and_children
+
+From: Erhard Furtner
+
+[ Upstream commit 2aacace6dbbb6b6ce4e177e6c7ea901f389c0472 ]
+
+In attach_node_and_children memory is allocated for full_name via
+kasprintf. If the condition of the 1st if is not met the function
+returns early without freeing the memory. Add a kfree() to fix that.
+
+This has been detected with kmemleak:
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=205327
+
+It looks like the leak was introduced by this commit:
+Fixes: 5babefb7f7ab ("of: unittest: allow base devicetree to have symbol metadata")
+
+Signed-off-by: Erhard Furtner
+Reviewed-by: Michael Ellerman
+Reviewed-by: Tyrel Datwyler
+Signed-off-by: Rob Herring
+Signed-off-by: Sasha Levin
+---
+ drivers/of/unittest.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/of/unittest.c b/drivers/of/unittest.c
+index 68f52966bbc04..808571f7f6ef9 100644
+--- a/drivers/of/unittest.c
++++ b/drivers/of/unittest.c
+@@ -1133,8 +1133,10 @@ static void attach_node_and_children(struct device_node *np)
+ full_name = kasprintf(GFP_KERNEL, "%pOF", np);
+
+ if (!strcmp(full_name, "/__local_fixups__") ||
+- !strcmp(full_name, "/__fixups__"))
++ !strcmp(full_name, "/__fixups__")) {
++ kfree(full_name);
+ return;
++ }
+
+ dup = of_find_node_by_path(full_name);
+ kfree(full_name);
+--
+2.20.1
+
diff --git a/queue-4.19/pci-rcar-fix-missing-macctlr-register-setting-in-ini.patch b/queue-4.19/pci-rcar-fix-missing-macctlr-register-setting-in-ini.patch
new file mode 100644
index 00000000000..e5fc61867d8
--- /dev/null
+++ b/queue-4.19/pci-rcar-fix-missing-macctlr-register-setting-in-ini.patch
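Review bot: `full_name` goes straight from `kasprintf(GFP_KERNEL, ...)` into `strcmp()` with no NULL check, so an allocation failure in attach_node_and_children() turns into a NULL pointer dereference; the added `kfree()` closes the leak but leaves that path as it was. A guard directly after the allocation covers it: `if (!full_name) return;`. The rest of the function lies outside the hunk, so any later use of `full_name` after the visible `kfree()` could not be checked here.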
@@ -0,0 +1,78 @@
+From 3758aa76caa7f0bac620582e7cf68f30856edb02 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 5 Nov 2019 19:51:29 +0900
+Subject: PCI: rcar: Fix missing MACCTLR register setting in initialization
+ sequence
+
+From: Yoshihiro Shimoda
+
+[ Upstream commit 7c7e53e1c93df14690bd12c1f84730fef927a6f1 ]
+
+The R-Car Gen2/3 manual - available at:
+
+https://www.renesas.com/eu/en/products/microcontrollers-microprocessors/rz/rzg/rzg1m.html#documents
+
+"RZ/G Series User's Manual: Hardware" section
+
+strictly enforces the MACCTLR inizialization value - 39.3.1 - "Initial
+Setting of PCI Express":
+
+"Be sure to write the initial value (= H'80FF 0000) to MACCTLR before
+enabling PCIETCTLR.CFINIT".
+
+To avoid unexpected behavior and to match the SW initialization sequence
+guidelines, this patch programs the MACCTLR with the correct value.
+
+Note that the MACCTLR.SPCHG bit in the MACCTLR register description
+reports that "Only writing 1 is valid and writing 0 is invalid" but this
+"invalid" has to be interpreted as a write-ignore aka "ignored", not
+"prohibited".
+
+Reported-by: Eugeniu Rosca
+Fixes: c25da4778803 ("PCI: rcar: Add Renesas R-Car PCIe driver")
+Fixes: be20bbcb0a8c ("PCI: rcar: Add the initialization of PCIe link in resume_noirq()")
+Signed-off-by: Yoshihiro Shimoda
+Signed-off-by: Lorenzo Pieralisi
+Reviewed-by: Geert Uytterhoeven
+Cc: # v5.2+
+Signed-off-by: Sasha Levin
+---
+ drivers/pci/controller/pcie-rcar.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/pci/controller/pcie-rcar.c b/drivers/pci/controller/pcie-rcar.c
+index 9b9c677ad3a0b..333ab6092f174 100644
+--- a/drivers/pci/controller/pcie-rcar.c
++++ b/drivers/pci/controller/pcie-rcar.c
+@@ -93,8 +93,11 @@
+ #define LINK_SPEED_2_5GTS (1 << 16)
+ #define LINK_SPEED_5_0GTS (2 << 16)
+ #define MACCTLR 0x011058
++#define MACCTLR_NFTS_MASK GENMASK(23, 16) /* The name is from SH7786 */
+ #define SPEED_CHANGE BIT(24)
+ #define SCRAMBLE_DISABLE BIT(27)
++#define LTSMDIS BIT(31)
++#define MACCTLR_INIT_VAL (LTSMDIS | MACCTLR_NFTS_MASK)
+ #define PMSR 0x01105c
+ #define MACS2R 0x011078
+ #define MACCGSPSETR 0x011084
+@@ -615,6 +618,8 @@ static int rcar_pcie_hw_init(struct rcar_pcie *pcie)
+ if (IS_ENABLED(CONFIG_PCI_MSI))
+ rcar_pci_write_reg(pcie, 0x801f0000, PCIEMSITXR);
+
++ rcar_pci_write_reg(pcie, MACCTLR_INIT_VAL, MACCTLR);
++
+ /* Finish initialization - establish a PCI Express link */
+ rcar_pci_write_reg(pcie, CFINIT, PCIETCTLR);
+
+@@ -1237,6 +1242,7 @@ static int rcar_pcie_resume_noirq(struct device *dev)
+ return 0;
+
+ /* Re-establish the PCIe link */
++ rcar_pci_write_reg(pcie, MACCTLR_INIT_VAL, MACCTLR);
+ rcar_pci_write_reg(pcie, CFINIT, PCIETCTLR);
+ return rcar_pcie_wait_for_dl(pcie);
+ }
+--
+2.20.1
+
diff --git a/queue-4.19/perf-callchain-fix-segfault-in-thread__resolve_callc.patch b/queue-4.19/perf-callchain-fix-segfault-in-thread__resolve_callc.patch
new file mode 100644
index 00000000000..ef2110a729a
--- /dev/null
+++ b/queue-4.19/perf-callchain-fix-segfault-in-thread__resolve_callc.patch
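Review bot: The new MACCTLR write in rcar_pcie_hw_init() has no comment saying that it must land before CFINIT is set in PCIETCTLR, although that ordering is the only reason the line sits where it does; the requirement lives in the commit message alone. A comment at the write would keep it from being moved later, for example `/* MACCTLR must hold its initial value before CFINIT is set */`, and the same applies to the write added in rcar_pcie_resume_noirq(). `LTSMDIS` is also defined without the `MACCTLR_` prefix that `MACCTLR_NFTS_MASK` and `MACCTLR_INIT_VAL` use, though the neighbouring `SPEED_CHANGE` and `SCRAMBLE_DISABLE` show the file is already mixed on this. Both functions extend beyond the hunks.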
@@ -0,0 +1,42 @@
+From b07955b8d3876f9cb70b8a99e70a44aee0f1dc7d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 14 Nov 2019 16:25:38 +0200
+Subject: perf callchain: Fix segfault in thread__resolve_callchain_sample()
+
+From: Adrian Hunter
+
+[ Upstream commit aceb98261ea7d9fe38f9c140c5531f0b13623832 ]
+
+Do not dereference 'chain' when it is NULL.
+
+ $ perf record -e intel_pt//u -e branch-misses:u uname
+ $ perf report --itrace=l --branch-history
+ perf: Segmentation fault
+
+Fixes: e9024d519d89 ("perf callchain: Honour the ordering of PERF_CONTEXT_{USER,KERNEL,etc}")
+Signed-off-by: Adrian Hunter
+Tested-by: Arnaldo Carvalho de Melo
+Cc: Jiri Olsa
+Link: http://lore.kernel.org/lkml/20191114142538.4097-1-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Sasha Levin
+---
+ tools/perf/util/machine.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/machine.c b/tools/perf/util/machine.c
+index 003b70daf0bfc..21f867a543e02 100644
+--- a/tools/perf/util/machine.c
++++ b/tools/perf/util/machine.c
+@@ -2276,7 +2276,7 @@ static int thread__resolve_callchain_sample(struct thread *thread,
+ }
+
+ check_calls:
+- if (callchain_param.order != ORDER_CALLEE) {
++ if (chain && callchain_param.order != ORDER_CALLEE) {
+ err = find_prev_cpumode(chain, thread, cursor, parent, root_al,
+ &cpumode, chain->nr - first_call);
+ if (err)
+--
+2.20.1
+
diff --git a/queue-4.19/raid5-need-to-set-stripe_handle-for-batch-head.patch b/queue-4.19/raid5-need-to-set-stripe_handle-for-batch-head.patch
new file mode 100644
index 00000000000..119a7f62c9d
--- /dev/null
+++ b/queue-4.19/raid5-need-to-set-stripe_handle-for-batch-head.patch
@@ -0,0 +1,45 @@
+From 902b5aed85af1061682ca007ed5f6caf0c06633c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 27 Nov 2019 17:57:50 +0100
+Subject: raid5: need to set STRIPE_HANDLE for batch head
+
+From: Guoqing Jiang
+
+[ Upstream commit a7ede3d16808b8f3915c8572d783530a82b2f027 ]
+
+With commit 6ce220dd2f8ea71d6afc29b9a7524c12e39f374a ("raid5: don't set
+STRIPE_HANDLE to stripe which is in batch list"), we don't want to set
+STRIPE_HANDLE flag for sh which is already in batch list.
+
+However, the stripe which is the head of batch list should set this flag,
+otherwise panic could happen inside init_stripe at BUG_ON(sh->batch_head),
+it is reproducible with raid5 on top of nvdimm devices per Xiao oberserved.
+
+Thanks for Xiao's effort to verify the change.
+
+Fixes: 6ce220dd2f8ea ("raid5: don't set STRIPE_HANDLE to stripe which is in batch list")
+Reported-by: Xiao Ni
+Tested-by: Xiao Ni
+Signed-off-by: Guoqing Jiang
+Signed-off-by: Song Liu
+Signed-off-by: Sasha Levin
+---
+ drivers/md/raid5.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c
+index 53c6434beda91..01021382131bc 100644
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -5724,7 +5724,7 @@ static bool raid5_make_request(struct mddev *mddev, struct bio * bi)
+ do_flush = false;
+ }
+
+- if (!sh->batch_head)
++ if (!sh->batch_head || sh == sh->batch_head)
+ set_bit(STRIPE_HANDLE, &sh->state);
+ clear_bit(STRIPE_DELAYED, &sh->state);
+ if ((!sh->batch_head || sh == sh->batch_head) &&
+--
+2.20.1
+
diff --git a/queue-4.19/scsi-qla2xxx-change-discovery-state-before-plogi.patch b/queue-4.19/scsi-qla2xxx-change-discovery-state-before-plogi.patch
new file mode 100644
index 00000000000..594e630705c
--- /dev/null
+++ b/queue-4.19/scsi-qla2xxx-change-discovery-state-before-plogi.patch
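Review bot: The predicate `!sh->batch_head || sh == sh->batch_head` now appears twice within three lines of raid5_make_request(), once guarding `set_bit(STRIPE_HANDLE, ...)` and once in the `if` that follows, so the two tests can drift apart the next time only one of them is edited. Computing it once keeps them in step, for example `bool lone_or_head = !sh->batch_head || sh == sh->batch_head;`, with a short comment that only an unbatched stripe or the batch head may be flagged for handling. Whether reading `sh->batch_head` once rather than four times is safe against a concurrent batch change cannot be judged from the hunk; the surrounding loop and any locking are outside it.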
@@ -0,0 +1,44 @@
+From cf2ddcbd09f8058d70cd52f5af93c451770fb014 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 25 Nov 2019 19:56:54 +0300
+Subject: scsi: qla2xxx: Change discovery state before PLOGI
+
+From: Roman Bolshakov
+
+[ Upstream commit 58e39a2ce4be08162c0368030cdc405f7fd849aa ]
+
+When a port sends PLOGI, discovery state should be changed to login
+pending, otherwise RELOGIN_NEEDED bit is set in
+qla24xx_handle_plogi_done_event(). RELOGIN_NEEDED triggers another PLOGI,
+and it never goes out of the loop until login timer expires.
+
+Fixes: 8777e4314d397 ("scsi: qla2xxx: Migrate NVME N2N handling into state machine")
+Fixes: 8b5292bcfcacf ("scsi: qla2xxx: Fix Relogin to prevent modifying scan_state flag")
+Cc: Quinn Tran
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20191125165702.1013-6-r.bolshakov@yadro.com
+Acked-by: Himanshu Madhani
+Reviewed-by: Hannes Reinecke
+Tested-by: Hannes Reinecke
+Signed-off-by: Roman Bolshakov
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/qla2xxx/qla_init.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
+index e6f3a0f5188c4..d734dcf517b92 100644
+--- a/drivers/scsi/qla2xxx/qla_init.c
++++ b/drivers/scsi/qla2xxx/qla_init.c
+@@ -433,6 +433,7 @@ int qla_post_els_plogi_work(struct scsi_qla_host *vha, fc_port_t *fcport)
+
+ e->u.fcport.fcport = fcport;
+ fcport->flags |= FCF_ASYNC_ACTIVE;
++ fcport->disc_state = DSC_LOGIN_PEND;
+ return qla2x00_post_work(vha, e);
+ }
+
+--
+2.20.1
+
diff --git a/queue-4.19/scsi-zorro_esp-limit-dma-transfers-to-65536-bytes-ex.patch b/queue-4.19/scsi-zorro_esp-limit-dma-transfers-to-65536-bytes-ex.patch
new file mode 100644
index 00000000000..d0d0b275d08
--- /dev/null
+++ b/queue-4.19/scsi-zorro_esp-limit-dma-transfers-to-65536-bytes-ex.patch
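Review bot: `fcport->disc_state = DSC_LOGIN_PEND` is assigned before `qla2x00_post_work()` is known to have succeeded, and qla_post_els_plogi_work() returns that call's result unchanged, so a failed post leaves the port marked login-pending with no PLOGI queued. The hunk does not show whether callers reset the state on error; if they do not, the port could stay stuck in that state, so the error path should put `disc_state` back, and probably clear `FCF_ASYNC_ACTIVE` as well, since the line above sets it the same way. Restoring on failure is safer than assigning after the call, which could race with the queued work. The start of the function is outside the hunk.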
@@ -0,0 +1,70 @@
+From 120e85375641d58c3a4edbc96d079d4caa53855b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 12 Nov 2019 18:55:23 +0100
+Subject: scsi: zorro_esp: Limit DMA transfers to 65536 bytes (except on
+ Fastlane)
+
+From: Kars de Jong
+
+[ Upstream commit 02f7e9f351a9de95577eafdc3bd413ed1c3b589f ]
+
+When using this driver on a Blizzard 1260, there were failures whenever DMA
+transfers from the SCSI bus to memory of 65535 bytes were followed by a DMA
+transfer of 1 byte. This caused the byte at offset 65535 to be overwritten
+with 0xff. The Blizzard hardware can't handle single byte DMA transfers.
+
+Besides this issue, limiting the DMA length to something that is not a
+multiple of the page size is very inefficient on most file systems.
+
+It seems this limit was chosen because the DMA transfer counter of the ESP
+by default is 16 bits wide, thus limiting the length to 65535 bytes.
+However, the value 0 means 65536 bytes, which is handled by the ESP and the
+Blizzard just fine. It is also the default maximum used by esp_scsi when
+drivers don't provide their own dma_length_limit() function.
+
+The limit of 65536 bytes can be used by all boards except the Fastlane. The
+old driver used a limit of 65532 bytes (0xfffc), which is reintroduced in
+this patch.
+
+Fixes: b7ded0e8b0d1 ("scsi: zorro_esp: Limit DMA transfers to 65535 bytes")
+Link: https://lore.kernel.org/r/20191112175523.23145-1-jongk@linux-m68k.org
+Signed-off-by: Kars de Jong
+Reviewed-by: Finn Thain
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/zorro_esp.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/zorro_esp.c b/drivers/scsi/zorro_esp.c
+index be79127db5946..6a5b547eae590 100644
+--- a/drivers/scsi/zorro_esp.c
++++ b/drivers/scsi/zorro_esp.c
+@@ -245,7 +245,14 @@ static int fastlane_esp_irq_pending(struct esp *esp)
+ static u32 zorro_esp_dma_length_limit(struct esp *esp, u32 dma_addr,
+ u32 dma_len)
+ {
+- return dma_len > 0xFFFF ? 0xFFFF : dma_len;
++ return dma_len > (1U << 16) ? (1U << 16) : dma_len;
++}
++
++static u32 fastlane_esp_dma_length_limit(struct esp *esp, u32 dma_addr,
++ u32 dma_len)
++{
++ /* The old driver used 0xfffc as limit, so do that here too */
++ return dma_len > 0xfffc ? 0xfffc : dma_len;
+ }
+
+ static void zorro_esp_reset_dma(struct esp *esp)
+@@ -818,7 +825,7 @@ static const struct esp_driver_ops fastlane_esp_ops = {
+ .unmap_single = zorro_esp_unmap_single,
+ .unmap_sg = zorro_esp_unmap_sg,
+ .irq_pending = fastlane_esp_irq_pending,
+- .dma_length_limit = zorro_esp_dma_length_limit,
++ .dma_length_limit = fastlane_esp_dma_length_limit,
+ .reset_dma = zorro_esp_reset_dma,
+ .dma_drain = zorro_esp_dma_drain,
+ .dma_invalidate = fastlane_esp_dma_invalidate,
+--
+2.20.1
+
diff --git a/queue-4.19/series b/queue-4.19/series
index ac60d9bae34..2912981d423 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
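Review bot: Both clamp helpers write their limit twice as a bare literal, `(1U << 16)` in zorro_esp_dma_length_limit() and `0xfffc` in the new fastlane_esp_dma_length_limit(), so an edit that changes one copy and not the other yields a wrong DMA length; the commit message describes how a one-byte error in this limit ended up corrupting transferred data. Stating each limit once with the kernel's `min_t()` removes that risk: `return min_t(u32, dma_len, 1U << 16);` and `return min_t(u32, dma_len, 0xfffc);`. The comment on the Fastlane limit says only that the old driver used the value; if the hardware reason is known (the value looks 4-byte aligned, but that is a guess), it belongs in that comment.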
@@ -139,3 +139,21 @@ mm-thp-proc-report-thp-eligibility-for-each-vma.patch
 s390-smp-vdso-fix-asce-handling.patch
 blk-mq-make-sure-that-line-break-can-be-printed.patch
 workqueue-fix-missing-kfree-rescuer-in-destroy_workqueue.patch
+perf-callchain-fix-segfault-in-thread__resolve_callc.patch
+gre-refetch-erspan-header-from-skb-data-after-pskb_m.patch
+firmware-arm_scmi-avoid-double-free-in-error-flow.patch
+sunrpc-fix-crash-when-cache_head-become-valid-before.patch
+net-mlx5e-fix-sff-8472-eeprom-length.patch
+leds-trigger-netdev-fix-handling-on-interface-rename.patch
+pci-rcar-fix-missing-macctlr-register-setting-in-ini.patch
+gfs2-fix-glock-reference-problem-in-gfs2_trans_remov.patch
+of-overlay-add_changeset_property-memory-leak.patch
+kernel-module.c-wakeup-processes-in-module_wq-on-mod.patch
+cifs-fix-potential-softlockups-while-refreshing-dfs-.patch
+gpiolib-acpi-add-terra-pad-1061-to-the-run_edge_even.patch
+raid5-need-to-set-stripe_handle-for-batch-head.patch
+scsi-qla2xxx-change-discovery-state-before-plogi.patch
+iio-imu-mpu6050-add-missing-available-scan-masks.patch
+idr-fix-idr_get_next_ul-race-with-idr_remove.patch
+scsi-zorro_esp-limit-dma-transfers-to-65536-bytes-ex.patch
+of-unittest-fix-memory-leak-in-attach_node_and_child.patch
diff --git a/queue-4.19/sunrpc-fix-crash-when-cache_head-become-valid-before.patch b/queue-4.19/sunrpc-fix-crash-when-cache_head-become-valid-before.patch
new file mode 100644
index 00000000000..1c97c22eb7e
--- /dev/null
+++ b/queue-4.19/sunrpc-fix-crash-when-cache_head-become-valid-before.patch
@@ -0,0 +1,127 @@
+From 226f98b71d629247d39a4006c4cb5086d008ee22 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 1 Oct 2019 11:03:59 +0300
+Subject: sunrpc: fix crash when cache_head become valid before update
+
+From: Pavel Tikhomirov
+
+[ Upstream commit 5fcaf6982d1167f1cd9b264704f6d1ef4c505d54 ]
+
+I was investigating a crash in our Virtuozzo7 kernel which happened in
+in svcauth_unix_set_client. I found out that we access m_client field
+in ip_map structure, which was received from sunrpc_cache_lookup (we
+have a bit older kernel, now the code is in sunrpc_cache_add_entry), and
+these field looks uninitialized (m_client == 0x74 don't look like a
+pointer) but in the cache_head in flags we see 0x1 which is CACHE_VALID.
+
+It looks like the problem appeared from our previous fix to sunrpc (1):
+commit 4ecd55ea0742 ("sunrpc: fix cache_head leak due to queued
+request")
+
+And we've also found a patch already fixing our patch (2):
+commit d58431eacb22 ("sunrpc: don't mark uninitialised items as VALID.")
+
+Though the crash is eliminated, I think the core of the problem is not
+completely fixed:
+
+Neil in the patch (2) makes cache_head CACHE_NEGATIVE, before
+cache_fresh_locked which was added in (1) to fix crash. These way
+cache_is_valid won't say the cache is valid anymore and in
+svcauth_unix_set_client the function cache_check will return error
+instead of 0, and we don't count entry as initialized.
+
+But it looks like we need to remove cache_fresh_locked completely in
+sunrpc_cache_lookup:
+
+In (1) we've only wanted to make cache_fresh_unlocked->cache_dequeue so
+that cache_requests with no readers also release corresponding
+cache_head, to fix their leak. We with Vasily were not sure if
+cache_fresh_locked and cache_fresh_unlocked should be used in pair or
+not, so we've guessed to use them in pair.
+
+Now we see that we don't want the CACHE_VALID bit set here by
+cache_fresh_locked, as "valid" means "initialized" and there is no
+initialization in sunrpc_cache_add_entry. Both expiry_time and
+last_refresh are not used in cache_fresh_unlocked code-path and also not
+required for the initial fix.
+
+So to conclude cache_fresh_locked was called by mistake, and we can just
+safely remove it instead of crutching it with CACHE_NEGATIVE. It looks
+ideologically better for me. Hope I don't miss something here.
+
+Here is our crash backtrace:
+[13108726.326291] BUG: unable to handle kernel NULL pointer dereference at 0000000000000074
+[13108726.326365] IP: [] svcauth_unix_set_client+0x2ab/0x520 [sunrpc]
+[13108726.326448] PGD 0
+[13108726.326468] Oops: 0002 [#1] SMP
+[13108726.326497] Modules linked in: nbd isofs xfs loop kpatch_cumulative_81_0_r1(O) xt_physdev nfnetlink_queue bluetooth rfkill ip6table_nat nf_nat_ipv6 ip_vs_wrr ip_vs_wlc ip_vs_sh nf_conntrack_netlink ip_vs_sed ip_vs_pe_sip nf_conntrack_sip ip_vs_nq ip_vs_lc ip_vs_lblcr ip_vs_lblc ip_vs_ftp ip_vs_dh nf_nat_ftp nf_conntrack_ftp iptable_raw xt_recent nf_log_ipv6 xt_hl ip6t_rt nf_log_ipv4 nf_log_common xt_LOG xt_limit xt_TCPMSS xt_tcpmss vxlan ip6_udp_tunnel udp_tunnel xt_statistic xt_NFLOG nfnetlink_log dummy xt_mark xt_REDIRECT nf_nat_redirect raw_diag udp_diag tcp_diag inet_diag netlink_diag af_packet_diag unix_diag rpcsec_gss_krb5 xt_addrtype ip6t_rpfilter ipt_REJECT nf_reject_ipv4 ip6t_REJECT nf_reject_ipv6 ebtable_nat ebtable_broute nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_mangle ip6table_raw nfsv4
+[13108726.327173] dns_resolver cls_u32 binfmt_misc arptable_filter arp_tables ip6table_filter ip6_tables devlink fuse_kio_pcs ipt_MASQUERADE nf_nat_masquerade_ipv4 xt_nat iptable_nat nf_nat_ipv4 xt_comment nf_conntrack_ipv4 nf_defrag_ipv4 xt_wdog_tmo xt_multiport bonding xt_set xt_conntrack iptable_filter iptable_mangle kpatch(O) ebtable_filter ebt_among ebtables ip_set_hash_ip ip_set nfnetlink vfat fat skx_edac intel_powerclamp coretemp intel_rapl iosf_mbi kvm_intel kvm irqbypass fuse pcspkr ses enclosure joydev sg mei_me hpwdt hpilo lpc_ich mei ipmi_si shpchp ipmi_devintf ipmi_msghandler xt_ipvs acpi_power_meter ip_vs_rr nfsv3 nfsd auth_rpcgss nfs_acl nfs lockd grace fscache nf_nat cls_fw sch_htb sch_cbq sch_sfq ip_vs em_u32 nf_conntrack tun br_netfilter veth overlay ip6_vzprivnet ip6_vznetstat ip_vznetstat
+[13108726.327817] ip_vzprivnet vziolimit vzevent vzlist vzstat vznetstat vznetdev vzmon vzdev bridge pio_kaio pio_nfs pio_direct pfmt_raw pfmt_ploop1 ploop ip_tables ext4 mbcache jbd2 sd_mod crc_t10dif crct10dif_generic mgag200 i2c_algo_bit drm_kms_helper scsi_transport_iscsi 8021q syscopyarea sysfillrect garp sysimgblt fb_sys_fops mrp stp ttm llc bnx2x crct10dif_pclmul crct10dif_common crc32_pclmul crc32c_intel drm dm_multipath ghash_clmulni_intel uas aesni_intel lrw gf128mul glue_helper ablk_helper cryptd tg3 smartpqi scsi_transport_sas mdio libcrc32c i2c_core usb_storage ptp pps_core wmi sunrpc dm_mirror dm_region_hash dm_log dm_mod [last unloaded: kpatch_cumulative_82_0_r1]
+[13108726.328403] CPU: 35 PID: 63742 Comm: nfsd ve: 51332 Kdump: loaded Tainted: G W O ------------ 3.10.0-862.20.2.vz7.73.29 #1 73.29
+[13108726.328491] Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 10/02/2018
+[13108726.328554] task: ffffa0a6a41b1160 ti: ffffa0c2a74bc000 task.ti: ffffa0c2a74bc000
+[13108726.328610] RIP: 0010:[] [] svcauth_unix_set_client+0x2ab/0x520 [sunrpc]
+[13108726.328706] RSP: 0018:ffffa0c2a74bfd80 EFLAGS: 00010246
+[13108726.328750] RAX: 0000000000000001 RBX: ffffa0a6183ae000 RCX: 0000000000000000
+[13108726.328811] RDX: 0000000000000074 RSI: 0000000000000286 RDI: ffffa0c2a74bfcf0
+[13108726.328864] RBP: ffffa0c2a74bfe00 R08: ffffa0bab8c22960 R09: 0000000000000001
+[13108726.328916] R10: 0000000000000001 R11: 0000000000000001 R12: ffffa0a32aa7f000
+[13108726.328969] R13: ffffa0a6183afac0 R14: ffffa0c233d88d00 R15: ffffa0c2a74bfdb4
+[13108726.329022] FS: 0000000000000000(0000) GS:ffffa0e17f9c0000(0000) knlGS:0000000000000000
+[13108726.329081] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[13108726.332311] CR2: 0000000000000074 CR3: 00000026a1b28000 CR4: 00000000007607e0
+[13108726.334606] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[13108726.336754] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[13108726.338908] PKRU: 00000000
+[13108726.341047] Call Trace:
+[13108726.343074] [] ? groups_alloc+0x34/0x110
+[13108726.344837] [] svc_set_client+0x24/0x30 [sunrpc]
+[13108726.346631] [] svc_process_common+0x241/0x710 [sunrpc]
+[13108726.348332] [] svc_process+0x103/0x190 [sunrpc]
+[13108726.350016] [] nfsd+0xdf/0x150 [nfsd]
+[13108726.351735] [] ? nfsd_destroy+0x80/0x80 [nfsd]
+[13108726.353459] [] kthread+0xd1/0xe0
+[13108726.355195] [] ? create_kthread+0x60/0x60
+[13108726.356896] [] ret_from_fork_nospec_begin+0x7/0x21
+[13108726.358577] [] ? create_kthread+0x60/0x60
+[13108726.360240] Code: 4c 8b 45 98 0f 8e 2e 01 00 00 83 f8 fe 0f 84 76 fe ff ff 85 c0 0f 85 2b 01 00 00 49 8b 50 40 b8 01 00 00 00 48 89 93 d0 1a 00 00 0f c1 02 83 c0 01 83 f8 01 0f 8e 53 02 00 00 49 8b 44 24 38
+[13108726.363769] RIP [] svcauth_unix_set_client+0x2ab/0x520 [sunrpc]
+[13108726.365530] RSP
+[13108726.367179] CR2: 0000000000000074
+
+Fixes: d58431eacb22 ("sunrpc: don't mark uninitialised items as VALID.")
+Signed-off-by: Pavel Tikhomirov
+Acked-by: NeilBrown
+Signed-off-by: J. Bruce Fields
+Signed-off-by: Sasha Levin
+---
+ net/sunrpc/cache.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c
+index 214440c5b14ef..3a28e150b2dcd 100644
+--- a/net/sunrpc/cache.c
++++ b/net/sunrpc/cache.c
+@@ -54,9 +54,6 @@ static void cache_init(struct cache_head *h, struct cache_detail *detail)
+ h->last_refresh = now;
+ }
+
+-static inline int cache_is_valid(struct cache_head *h);
+-static void cache_fresh_locked(struct cache_head *head, time_t expiry,
+- struct cache_detail *detail);
+ static void cache_fresh_unlocked(struct cache_head *head,
+ struct cache_detail *detail);
+
+@@ -101,9 +98,6 @@ struct cache_head *sunrpc_cache_lookup(struct cache_detail *detail,
+ if (cache_is_expired(detail, tmp)) {
+ hlist_del_init(&tmp->cache_list);
+ detail->entries --;
+- if (cache_is_valid(tmp) == -EAGAIN)
+- set_bit(CACHE_NEGATIVE, &tmp->flags);
+- cache_fresh_locked(tmp, 0, detail);
+ freeme = tmp;
+ break;
+ }
+--
+2.20.1
+
--
2.47.3