From a284af4303cf34b9df51794eba967b14df89a168 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Wed, 19 Aug 2020 14:54:21 +0200 Subject: [PATCH] 5.8-stable patches added patches: appletalk-fix-atalk_proc_init-return-path.patch bcache-allocate-meta-data-pages-as-compound-pages.patch bcache-avoid-nr_stripes-overflow-in-bcache_device_init.patch bcache-fix-bio_-start-end-_io_acct-with-proper-device.patch bcache-fix-overflow-in-offset_to_stripe.patch bcache-use-disk_-start-end-_io_acct-to-count-i-o-for-bcache-device.patch ceph-handle-zero-length-feature-mask-in-session-messages.patch ceph-set-sec_context-xattr-on-symlink-creation.patch cma-don-t-quit-at-first-error-when-activating-reserved-areas.patch driver-core-avoid-binding-drivers-to-dead-devices.patch ext2-fix-missing-percpu_counter_inc.patch ftrace-setup-correct-ftrace_fl_regs-flags-for-module.patch hugetlbfs-remove-call-to-huge_pte_alloc-without-i_mmap_rwsem.patch irqchip-gic-v4.1-ensure-accessing-the-correct-rd-when-writing-invallr.patch irqchip-loongson-liointc-fix-misuse-of-gc-mask_cache.patch khugepaged-collapse_pte_mapped_thp-flush-the-right-range.patch khugepaged-collapse_pte_mapped_thp-protect-the-pmd-lock.patch khugepaged-khugepaged_test_exit-check-mmget_still_valid.patch khugepaged-retract_page_tables-remember-to-test-exit.patch kprobes-fix-null-pointer-dereference-at-kprobe_ftrace_handler.patch mac80211-fix-misplaced-while-instead-of-if.patch md-raid5-fix-force-reconstruct-write-io-stuck-in-degraded-raid5.patch mips-cpu-0-is-not-hotpluggable.patch mips-qi_lb60-fix-routing-to-audio-amplifier.patch mips-sgi-ip27-always-enable-numa-in-kconfig.patch mm-fix-kthread_use_mm-vs-tlb-invalidate.patch mm-hugetlb-fix-calculation-of-adjust_range_if_pmd_sharing_possible.patch mm-memory_hotplug-fix-unpaired-mem_hotplug_begin-done.patch mm-page_counter.c-fix-protection-usage-propagation.patch mm-shuffle-don-t-move-pages-between-zones-and-don-t-read-garbage-memmaps.patch 
net-compat-add-missing-sock-updates-for-scm_rights.patch net-ethernet-stmmac-disable-hardware-multicast-filter.patch net-stmmac-dwmac1000-provide-multicast-filter-fallback.patch ocfs2-change-slot-number-type-s16-to-u16.patch pidfd-add-missing-sock-updates-for-pidfd_getfd.patch pseries-fix-64-bit-logical-memory-block-panic.patch selftests-seccomp-set-nnp-for-tsync-esrch-flag-test.patch tracing-hwlat-honor-the-tracing_cpumask.patch tracing-use-trace_sched_process_free-instead-of-exit-for-pid-tracing.patch watchdog-f71808e_wdt-clear-watchdog-timeout-occurred-flag.patch watchdog-f71808e_wdt-indicate-wdiof_cardreset-support-in-watchdog_info.options.patch watchdog-f71808e_wdt-remove-use-of-wrong-watchdog_info-option.patch --- ...talk-fix-atalk_proc_init-return-path.patch | 40 +++++ ...te-meta-data-pages-as-compound-pages.patch | 80 +++++++++ ...ripes-overflow-in-bcache_device_init.patch | 58 ++++++ ...tart-end-_io_acct-with-proper-device.patch | 105 +++++++++++ ...che-fix-overflow-in-offset_to_stripe.patch | 136 ++++++++++++++ ..._acct-to-count-i-o-for-bcache-device.patch | 101 +++++++++++ ...gth-feature-mask-in-session-messages.patch | 47 +++++ ...ec_context-xattr-on-symlink-creation.patch | 38 ++++ ...error-when-activating-reserved-areas.patch | 130 ++++++++++++++ ...void-binding-drivers-to-dead-devices.patch | 57 ++++++ .../ext2-fix-missing-percpu_counter_inc.patch | 46 +++++ ...rect-ftrace_fl_regs-flags-for-module.patch | 58 ++++++ ...-huge_pte_alloc-without-i_mmap_rwsem.patch | 166 ++++++++++++++++++ ...-the-correct-rd-when-writing-invallr.patch | 58 ++++++ ...-liointc-fix-misuse-of-gc-mask_cache.patch | 60 +++++++ ...pte_mapped_thp-flush-the-right-range.patch | 50 ++++++ ..._pte_mapped_thp-protect-the-pmd-lock.patch | 132 ++++++++++++++ ...ed_test_exit-check-mmget_still_valid.patch | 56 ++++++ ...ct_page_tables-remember-to-test-exit.patch | 99 +++++++++++ ...dereference-at-kprobe_ftrace_handler.patch | 94 ++++++++++ ...11-fix-misplaced-while-instead-of-if.patch | 
37 ++++ ...uct-write-io-stuck-in-degraded-raid5.patch | 55 ++++++ .../mips-cpu-0-is-not-hotpluggable.patch | 32 ++++ ..._lb60-fix-routing-to-audio-amplifier.patch | 34 ++++ ...i-ip27-always-enable-numa-in-kconfig.patch | 76 ++++++++ ...fix-kthread_use_mm-vs-tlb-invalidate.patch | 103 +++++++++++ ...adjust_range_if_pmd_sharing_possible.patch | 91 ++++++++++ ...-fix-unpaired-mem_hotplug_begin-done.patch | 92 ++++++++++ ...r.c-fix-protection-usage-propagation.patch | 78 ++++++++ ...zones-and-don-t-read-garbage-memmaps.patch | 102 +++++++++++ ...-missing-sock-updates-for-scm_rights.patch | 89 ++++++++++ ...ac-disable-hardware-multicast-filter.patch | 39 ++++ ...00-provide-multicast-filter-fallback.patch | 35 ++++ ...2-change-slot-number-type-s16-to-u16.patch | 87 +++++++++ ...missing-sock-updates-for-pidfd_getfd.patch | 53 ++++++ ...ix-64-bit-logical-memory-block-panic.patch | 37 ++++ ...mp-set-nnp-for-tsync-esrch-flag-test.patch | 36 ++++ queue-5.8/series | 42 +++++ ...cing-hwlat-honor-the-tracing_cpumask.patch | 54 ++++++ ...free-instead-of-exit-for-pid-tracing.patch | 72 ++++++++ ...clear-watchdog-timeout-occurred-flag.patch | 51 ++++++ ...set-support-in-watchdog_info.options.patch | 38 ++++ ...ve-use-of-wrong-watchdog_info-option.patch | 48 +++++ 43 files changed, 2992 insertions(+) create mode 100644 queue-5.8/appletalk-fix-atalk_proc_init-return-path.patch create mode 100644 queue-5.8/bcache-allocate-meta-data-pages-as-compound-pages.patch create mode 100644 queue-5.8/bcache-avoid-nr_stripes-overflow-in-bcache_device_init.patch create mode 100644 queue-5.8/bcache-fix-bio_-start-end-_io_acct-with-proper-device.patch create mode 100644 queue-5.8/bcache-fix-overflow-in-offset_to_stripe.patch create mode 100644 queue-5.8/bcache-use-disk_-start-end-_io_acct-to-count-i-o-for-bcache-device.patch create mode 100644 queue-5.8/ceph-handle-zero-length-feature-mask-in-session-messages.patch create mode 100644 queue-5.8/ceph-set-sec_context-xattr-on-symlink-creation.patch 
create mode 100644 queue-5.8/cma-don-t-quit-at-first-error-when-activating-reserved-areas.patch create mode 100644 queue-5.8/driver-core-avoid-binding-drivers-to-dead-devices.patch create mode 100644 queue-5.8/ext2-fix-missing-percpu_counter_inc.patch create mode 100644 queue-5.8/ftrace-setup-correct-ftrace_fl_regs-flags-for-module.patch create mode 100644 queue-5.8/hugetlbfs-remove-call-to-huge_pte_alloc-without-i_mmap_rwsem.patch create mode 100644 queue-5.8/irqchip-gic-v4.1-ensure-accessing-the-correct-rd-when-writing-invallr.patch create mode 100644 queue-5.8/irqchip-loongson-liointc-fix-misuse-of-gc-mask_cache.patch create mode 100644 queue-5.8/khugepaged-collapse_pte_mapped_thp-flush-the-right-range.patch create mode 100644 queue-5.8/khugepaged-collapse_pte_mapped_thp-protect-the-pmd-lock.patch create mode 100644 queue-5.8/khugepaged-khugepaged_test_exit-check-mmget_still_valid.patch create mode 100644 queue-5.8/khugepaged-retract_page_tables-remember-to-test-exit.patch create mode 100644 queue-5.8/kprobes-fix-null-pointer-dereference-at-kprobe_ftrace_handler.patch create mode 100644 queue-5.8/mac80211-fix-misplaced-while-instead-of-if.patch create mode 100644 queue-5.8/md-raid5-fix-force-reconstruct-write-io-stuck-in-degraded-raid5.patch create mode 100644 queue-5.8/mips-cpu-0-is-not-hotpluggable.patch create mode 100644 queue-5.8/mips-qi_lb60-fix-routing-to-audio-amplifier.patch create mode 100644 queue-5.8/mips-sgi-ip27-always-enable-numa-in-kconfig.patch create mode 100644 queue-5.8/mm-fix-kthread_use_mm-vs-tlb-invalidate.patch create mode 100644 queue-5.8/mm-hugetlb-fix-calculation-of-adjust_range_if_pmd_sharing_possible.patch create mode 100644 queue-5.8/mm-memory_hotplug-fix-unpaired-mem_hotplug_begin-done.patch create mode 100644 queue-5.8/mm-page_counter.c-fix-protection-usage-propagation.patch create mode 100644 queue-5.8/mm-shuffle-don-t-move-pages-between-zones-and-don-t-read-garbage-memmaps.patch create mode 100644 
queue-5.8/net-compat-add-missing-sock-updates-for-scm_rights.patch create mode 100644 queue-5.8/net-ethernet-stmmac-disable-hardware-multicast-filter.patch create mode 100644 queue-5.8/net-stmmac-dwmac1000-provide-multicast-filter-fallback.patch create mode 100644 queue-5.8/ocfs2-change-slot-number-type-s16-to-u16.patch create mode 100644 queue-5.8/pidfd-add-missing-sock-updates-for-pidfd_getfd.patch create mode 100644 queue-5.8/pseries-fix-64-bit-logical-memory-block-panic.patch create mode 100644 queue-5.8/selftests-seccomp-set-nnp-for-tsync-esrch-flag-test.patch create mode 100644 queue-5.8/tracing-hwlat-honor-the-tracing_cpumask.patch create mode 100644 queue-5.8/tracing-use-trace_sched_process_free-instead-of-exit-for-pid-tracing.patch create mode 100644 queue-5.8/watchdog-f71808e_wdt-clear-watchdog-timeout-occurred-flag.patch create mode 100644 queue-5.8/watchdog-f71808e_wdt-indicate-wdiof_cardreset-support-in-watchdog_info.options.patch create mode 100644 queue-5.8/watchdog-f71808e_wdt-remove-use-of-wrong-watchdog_info-option.patch diff --git a/queue-5.8/appletalk-fix-atalk_proc_init-return-path.patch b/queue-5.8/appletalk-fix-atalk_proc_init-return-path.patch new file mode 100644 index 00000000000..4103f488d6e --- /dev/null +++ b/queue-5.8/appletalk-fix-atalk_proc_init-return-path.patch @@ -0,0 +1,40 @@ +From d0f6ba2ef2c1c95069509e71402e7d6d43452512 Mon Sep 17 00:00:00 2001 +From: Vincent Duvert +Date: Sun, 2 Aug 2020 07:06:51 +0200 +Subject: appletalk: Fix atalk_proc_init() return path + +From: Vincent Duvert + +commit d0f6ba2ef2c1c95069509e71402e7d6d43452512 upstream. + +Add a missing return statement to atalk_proc_init so it doesn't return +-ENOMEM when successful. This allows the appletalk module to load +properly. 
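[Editor's illustration, not part of the patch] The appletalk bug is pure control flow: atalk_proc_init() had no return statement before its error-unwind label, so the success path fell through and returned -ENOMEM. A minimal userspace sketch of the fixed shape (the helper and its parameter are made up for illustration):

```c
#include <assert.h>

/* Sketch of the fixed atalk_proc_init() control flow: success must
 * return 0 *before* falling through to the goto-unwind label. The
 * "return 0;" is exactly the statement the patch adds. */
static int init_with_unwind(int steps_succeed)
{
	if (!steps_succeed)
		goto out;

	return 0;	/* without this, success fell through to -ENOMEM */

out:
	/* remove_proc_subtree()-style cleanup would run here */
	return -12;	/* -ENOMEM */
}
```

With the missing return in place, a successful init reports 0 and only genuine failures take the cleanup path.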
+ +Fixes: e2bcd8b0ce6e ("appletalk: use remove_proc_subtree to simplify procfs code") +Link: https://www.downtowndougbrown.com/2020/08/hacking-up-a-fix-for-the-broken-appletalk-kernel-module-in-linux-5-1-and-newer/ +Reported-by: Christopher KOBAYASHI +Reported-by: Doug Brown +Signed-off-by: Vincent Duvert +[lukas: add missing tags] +Signed-off-by: Lukas Wunner +Cc: stable@vger.kernel.org # v5.1+ +Cc: Yue Haibing +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/appletalk/atalk_proc.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/appletalk/atalk_proc.c ++++ b/net/appletalk/atalk_proc.c +@@ -229,6 +229,8 @@ int __init atalk_proc_init(void) + sizeof(struct aarp_iter_state), NULL)) + goto out; + ++ return 0; ++ + out: + remove_proc_subtree("atalk", init_net.proc_net); + return -ENOMEM; diff --git a/queue-5.8/bcache-allocate-meta-data-pages-as-compound-pages.patch b/queue-5.8/bcache-allocate-meta-data-pages-as-compound-pages.patch new file mode 100644 index 00000000000..e4c6a68ae24 --- /dev/null +++ b/queue-5.8/bcache-allocate-meta-data-pages-as-compound-pages.patch @@ -0,0 +1,80 @@ +From 5fe48867856367142d91a82f2cbf7a57a24cbb70 Mon Sep 17 00:00:00 2001 +From: Coly Li +Date: Sat, 25 Jul 2020 20:00:16 +0800 +Subject: bcache: allocate meta data pages as compound pages + +From: Coly Li + +commit 5fe48867856367142d91a82f2cbf7a57a24cbb70 upstream. + +There are some meta data of bcache are allocated by multiple pages, +and they are used as bio bv_page for I/Os to the cache device. for +example cache_set->uuids, cache->disk_buckets, journal_write->data, +bset_tree->data. + +For such meta data memory, all the allocated pages should be treated +as a single memory block. Then the memory management and underlying I/O +code can treat them more clearly. + +This patch adds __GFP_COMP flag to all the location allocating >0 order +pages for the above mentioned meta data. Then their pages are treated +as compound pages now. 
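[Editor's illustration, not part of the patch] The change above is mechanical: every multi-page (order > 0) metadata allocation ORs __GFP_COMP into its gfp mask. A userspace sketch of the two ingredients -- flag combination and the ilog2()-style order computation used in ilog2(bucket_pages(c)) -- with illustrative flag values (the real ones live in <linux/gfp.h>):

```c
#include <assert.h>

/* Illustrative stand-in values; NOT the kernel's real GFP bits. */
#define DEMO___GFP_COMP 0x4000u
#define DEMO_GFP_KERNEL 0x0cc0u

/* The patch's transformation: OR __GFP_COMP into an existing mask so
 * the pages come back as one compound page. */
static unsigned int demo_meta_gfp(unsigned int gfp)
{
	return gfp | DEMO___GFP_COMP;
}

/* ilog2()-style order computation: the page order passed to
 * __get_free_pages() for a power-of-two page count. */
static unsigned int demo_order(unsigned long pages)
{
	unsigned int order = 0;

	while (pages >>= 1)
		order++;
	return order;
}
```

So an 8-page bucket is requested as a single order-3 compound allocation rather than eight independent pages.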
+ +Signed-off-by: Coly Li +Cc: stable@vger.kernel.org +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/bcache/bset.c | 2 +- + drivers/md/bcache/btree.c | 2 +- + drivers/md/bcache/journal.c | 4 ++-- + drivers/md/bcache/super.c | 2 +- + 4 files changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/md/bcache/bset.c ++++ b/drivers/md/bcache/bset.c +@@ -322,7 +322,7 @@ int bch_btree_keys_alloc(struct btree_ke + + b->page_order = page_order; + +- t->data = (void *) __get_free_pages(gfp, b->page_order); ++ t->data = (void *) __get_free_pages(__GFP_COMP|gfp, b->page_order); + if (!t->data) + goto err; + +--- a/drivers/md/bcache/btree.c ++++ b/drivers/md/bcache/btree.c +@@ -785,7 +785,7 @@ int bch_btree_cache_alloc(struct cache_s + mutex_init(&c->verify_lock); + + c->verify_ondisk = (void *) +- __get_free_pages(GFP_KERNEL, ilog2(bucket_pages(c))); ++ __get_free_pages(GFP_KERNEL|__GFP_COMP, ilog2(bucket_pages(c))); + + c->verify_data = mca_bucket_alloc(c, &ZERO_KEY, GFP_KERNEL); + +--- a/drivers/md/bcache/journal.c ++++ b/drivers/md/bcache/journal.c +@@ -999,8 +999,8 @@ int bch_journal_alloc(struct cache_set * + j->w[1].c = c; + + if (!(init_fifo(&j->pin, JOURNAL_PIN, GFP_KERNEL)) || +- !(j->w[0].data = (void *) __get_free_pages(GFP_KERNEL, JSET_BITS)) || +- !(j->w[1].data = (void *) __get_free_pages(GFP_KERNEL, JSET_BITS))) ++ !(j->w[0].data = (void *) __get_free_pages(GFP_KERNEL|__GFP_COMP, JSET_BITS)) || ++ !(j->w[1].data = (void *) __get_free_pages(GFP_KERNEL|__GFP_COMP, JSET_BITS))) + return -ENOMEM; + + return 0; +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -1776,7 +1776,7 @@ void bch_cache_set_unregister(struct cac + } + + #define alloc_bucket_pages(gfp, c) \ +- ((void *) __get_free_pages(__GFP_ZERO|gfp, ilog2(bucket_pages(c)))) ++ ((void *) __get_free_pages(__GFP_ZERO|__GFP_COMP|gfp, ilog2(bucket_pages(c)))) + + struct cache_set *bch_cache_set_alloc(struct cache_sb *sb) + { diff --git 
a/queue-5.8/bcache-avoid-nr_stripes-overflow-in-bcache_device_init.patch b/queue-5.8/bcache-avoid-nr_stripes-overflow-in-bcache_device_init.patch new file mode 100644 index 00000000000..f5e97618989 --- /dev/null +++ b/queue-5.8/bcache-avoid-nr_stripes-overflow-in-bcache_device_init.patch @@ -0,0 +1,58 @@ +From 65f0f017e7be8c70330372df23bcb2a407ecf02d Mon Sep 17 00:00:00 2001 +From: Coly Li +Date: Sat, 25 Jul 2020 20:00:21 +0800 +Subject: bcache: avoid nr_stripes overflow in bcache_device_init() + +From: Coly Li + +commit 65f0f017e7be8c70330372df23bcb2a407ecf02d upstream. + +For some block devices with large capacity (e.g. 8TB) but small io_opt +size (e.g. 8 sectors), in bcache_device_init() the stripe number calcu- +lated by, + DIV_ROUND_UP_ULL(sectors, d->stripe_size); +might overflow the unsigned int bcache_device->nr_stripes. + +This patch uses a uint64_t variable to store DIV_ROUND_UP_ULL() +and, after the value is checked to fit in the unsigned int range, +sets it to bcache_device->nr_stripes. Then the overflow is avoided.
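[Editor's illustration, not part of the patch] A userspace sketch of the fixed pattern: do the division in a 64-bit temporary and range-check it before narrowing into the unsigned int nr_stripes field (the function name and -ENOMEM-style return mirror the patch but are illustrative):

```c
#include <assert.h>
#include <stdint.h>
#include <limits.h>

/* Same rounding as the kernel's DIV_ROUND_UP_ULL(). */
#define DIV_ROUND_UP_ULL(x, y) (((x) + (y) - 1) / (y))

/* Compute the stripe count in a uint64_t, reject out-of-range values,
 * and only then narrow to the unsigned int field -- the shape of the
 * fixed bcache_device_init(). */
static int checked_nr_stripes(uint64_t sectors, uint64_t stripe_size,
			      unsigned int *nr_stripes)
{
	uint64_t n = DIV_ROUND_UP_ULL(sectors, stripe_size);

	if (!n || n > INT_MAX)
		return -12;	/* -ENOMEM, as in the patch */
	*nr_stripes = (unsigned int)n;
	return 0;
}
```

An 8TB device (2^34 sectors) with 8-sector stripes yields 2^31 stripes, which exceeds INT_MAX and is now rejected instead of silently truncated.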
+ +Reported-and-tested-by: Ken Raeburn +Signed-off-by: Coly Li +Cc: stable@vger.kernel.org +Link: https://bugzilla.redhat.com/show_bug.cgi?id=1783075 +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/bcache/super.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -826,19 +826,19 @@ static int bcache_device_init(struct bca + struct request_queue *q; + const size_t max_stripes = min_t(size_t, INT_MAX, + SIZE_MAX / sizeof(atomic_t)); +- size_t n; ++ uint64_t n; + int idx; + + if (!d->stripe_size) + d->stripe_size = 1 << 31; + +- d->nr_stripes = DIV_ROUND_UP_ULL(sectors, d->stripe_size); +- +- if (!d->nr_stripes || d->nr_stripes > max_stripes) { +- pr_err("nr_stripes too large or invalid: %u (start sector beyond end of disk?)\n", +- (unsigned int)d->nr_stripes); ++ n = DIV_ROUND_UP_ULL(sectors, d->stripe_size); ++ if (!n || n > max_stripes) { ++ pr_err("nr_stripes too large or invalid: %llu (start sector beyond end of disk?)\n", ++ n); + return -ENOMEM; + } ++ d->nr_stripes = n; + + n = d->nr_stripes * sizeof(atomic_t); + d->stripe_sectors_dirty = kvzalloc(n, GFP_KERNEL); diff --git a/queue-5.8/bcache-fix-bio_-start-end-_io_acct-with-proper-device.patch b/queue-5.8/bcache-fix-bio_-start-end-_io_acct-with-proper-device.patch new file mode 100644 index 00000000000..20cf18b0e59 --- /dev/null +++ b/queue-5.8/bcache-fix-bio_-start-end-_io_acct-with-proper-device.patch @@ -0,0 +1,105 @@ +From a2f32ee8fd853cec8860f883d98afc3a339546de Mon Sep 17 00:00:00 2001 +From: Coly Li +Date: Sat, 25 Jul 2020 20:00:39 +0800 +Subject: bcache: fix bio_{start,end}_io_acct with proper device + +From: Coly Li + +commit a2f32ee8fd853cec8860f883d98afc3a339546de upstream. + +Commit 85750aeb748f ("bcache: use bio_{start,end}_io_acct") moves the +io account code to the location after bio_set_dev(bio, dc->bdev) in +cached_dev_make_request(). 
Then the account is performed incorrectly on +backing device, indeed the I/O should be counted to bcache device like +/dev/bcache0. + +With the mistaken I/O account, iostat does not display I/O counts for +bcache device and all the numbers go to backing device. In writeback +mode, the hard drive may have 340K+ IOPS which is impossible and wrong +for spinning disk. + +This patch introduces bch_bio_start_io_acct() and bch_bio_end_io_acct(), +which switches bio->bi_disk to bcache device before calling +bio_start_io_acct() or bio_end_io_acct(). Now the I/Os are counted to +bcache device, and bcache device, cache device and backing device have +their correct I/O count information back. + +Fixes: 85750aeb748f ("bcache: use bio_{start,end}_io_acct") +Signed-off-by: Coly Li +Cc: Christoph Hellwig +Cc: stable@vger.kernel.org +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/bcache/request.c | 31 +++++++++++++++++++++++++++---- + 1 file changed, 27 insertions(+), 4 deletions(-) + +--- a/drivers/md/bcache/request.c ++++ b/drivers/md/bcache/request.c +@@ -617,6 +617,28 @@ static void cache_lookup(struct closure + + /* Common code for the make_request functions */ + ++static inline void bch_bio_start_io_acct(struct gendisk *acct_bi_disk, ++ struct bio *bio, ++ unsigned long *start_time) ++{ ++ struct gendisk *saved_bi_disk = bio->bi_disk; ++ ++ bio->bi_disk = acct_bi_disk; ++ *start_time = bio_start_io_acct(bio); ++ bio->bi_disk = saved_bi_disk; ++} ++ ++static inline void bch_bio_end_io_acct(struct gendisk *acct_bi_disk, ++ struct bio *bio, ++ unsigned long start_time) ++{ ++ struct gendisk *saved_bi_disk = bio->bi_disk; ++ ++ bio->bi_disk = acct_bi_disk; ++ bio_end_io_acct(bio, start_time); ++ bio->bi_disk = saved_bi_disk; ++} ++ + static void request_endio(struct bio *bio) + { + struct closure *cl = bio->bi_private; +@@ -668,7 +690,7 @@ static void backing_request_endio(struct + static void bio_complete(struct search *s) + { + if (s->orig_bio) 
{ +- bio_end_io_acct(s->orig_bio, s->start_time); ++ bch_bio_end_io_acct(s->d->disk, s->orig_bio, s->start_time); + trace_bcache_request_end(s->d, s->orig_bio); + s->orig_bio->bi_status = s->iop.status; + bio_endio(s->orig_bio); +@@ -728,7 +750,7 @@ static inline struct search *search_allo + s->recoverable = 1; + s->write = op_is_write(bio_op(bio)); + s->read_dirty_data = 0; +- s->start_time = bio_start_io_acct(bio); ++ bch_bio_start_io_acct(d->disk, bio, &s->start_time); + + s->iop.c = d->c; + s->iop.bio = NULL; +@@ -1080,7 +1102,7 @@ static void detached_dev_end_io(struct b + bio->bi_end_io = ddip->bi_end_io; + bio->bi_private = ddip->bi_private; + +- bio_end_io_acct(bio, ddip->start_time); ++ bch_bio_end_io_acct(ddip->d->disk, bio, ddip->start_time); + + if (bio->bi_status) { + struct cached_dev *dc = container_of(ddip->d, +@@ -1105,7 +1127,8 @@ static void detached_dev_do_request(stru + */ + ddip = kzalloc(sizeof(struct detached_dev_io_private), GFP_NOIO); + ddip->d = d; +- ddip->start_time = bio_start_io_acct(bio); ++ bch_bio_start_io_acct(d->disk, bio, &ddip->start_time); ++ + ddip->bi_end_io = bio->bi_end_io; + ddip->bi_private = bio->bi_private; + bio->bi_end_io = detached_dev_end_io; diff --git a/queue-5.8/bcache-fix-overflow-in-offset_to_stripe.patch b/queue-5.8/bcache-fix-overflow-in-offset_to_stripe.patch new file mode 100644 index 00000000000..577bec49c0d --- /dev/null +++ b/queue-5.8/bcache-fix-overflow-in-offset_to_stripe.patch @@ -0,0 +1,136 @@ +From 7a1481267999c02abf4a624515c1b5c7c1fccbd6 Mon Sep 17 00:00:00 2001 +From: Coly Li +Date: Sat, 25 Jul 2020 20:00:22 +0800 +Subject: bcache: fix overflow in offset_to_stripe() + +From: Coly Li + +commit 7a1481267999c02abf4a624515c1b5c7c1fccbd6 upstream. + +offset_to_stripe() returns the stripe number (in type unsigned int) from +an offset (in type uint64_t) by the following calculation, + do_div(offset, d->stripe_size); +For large capacity backing device (e.g. 18TB) with small stripe size +(e.g. 
4KB), the result is 4831838208 and exceeds UINT_MAX. The actual +returned value which the caller receives is 536870912, due to the overflow. + +Indeed in bcache_device_init(), bcache_device->nr_stripes is limited in +range [1, INT_MAX]. Therefore all valid stripe numbers in bcache are +in range [0, bcache_dev->nr_stripes - 1]. + +This patch adds an upper limit check in offset_to_stripe(): the max +valid stripe number should be less than bcache_device->nr_stripes. If +the calculated stripe number from do_div() is equal to or larger than +bcache_device->nr_stripes, -EINVAL will be returned. (Normally nr_stripes +is less than INT_MAX, exceeding the upper limit doesn't mean overflow, +therefore -EOVERFLOW is not used as the error code.) + +This patch also changes nr_stripes' type of struct bcache_device from +'unsigned int' to 'int', and the return value type of offset_to_stripe() +from 'unsigned int' to 'int', to match their exact data ranges. + +All locations where bcache_device->nr_stripes and offset_to_stripe() are +referenced also get updated for the above type change.
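[Editor's illustration, not part of the patch] The commit's arithmetic can be checked directly: an 18TB device is 38654705664 sectors, and with an 8-sector (4KB) stripe size the stripe number is 4831838208, which truncates to 536870912 when forced through unsigned int. A userspace sketch of the bounded helper (plain division stands in for do_div(); the function name is illustrative):

```c
#include <assert.h>
#include <stdint.h>

/* Divide in 64 bits, then bound-check against nr_stripes before
 * narrowing -- the shape of the fixed offset_to_stripe(). */
static int offset_to_stripe_checked(uint64_t offset, uint64_t stripe_size,
				    int nr_stripes)
{
	uint64_t stripe = offset / stripe_size;	/* stands in for do_div() */

	/* nr_stripes is in range [1, INT_MAX] */
	if (stripe >= (uint64_t)nr_stripes)
		return -22;	/* -EINVAL */

	/* stripe < INT_MAX here, so the narrowing cast cannot overflow */
	return (int)stripe;
}
```

The old code's silent truncation would have aliased stripe 4831838208 onto stripe 536870912; the bound check turns that into an error instead.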
+ +Reported-and-tested-by: Ken Raeburn +Signed-off-by: Coly Li +Cc: stable@vger.kernel.org +Link: https://bugzilla.redhat.com/show_bug.cgi?id=1783075 +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/bcache/bcache.h | 2 +- + drivers/md/bcache/writeback.c | 14 +++++++++----- + drivers/md/bcache/writeback.h | 19 +++++++++++++++++-- + 3 files changed, 27 insertions(+), 8 deletions(-) + +--- a/drivers/md/bcache/bcache.h ++++ b/drivers/md/bcache/bcache.h +@@ -264,7 +264,7 @@ struct bcache_device { + #define BCACHE_DEV_UNLINK_DONE 2 + #define BCACHE_DEV_WB_RUNNING 3 + #define BCACHE_DEV_RATE_DW_RUNNING 4 +- unsigned int nr_stripes; ++ int nr_stripes; + unsigned int stripe_size; + atomic_t *stripe_sectors_dirty; + unsigned long *full_dirty_stripes; +--- a/drivers/md/bcache/writeback.c ++++ b/drivers/md/bcache/writeback.c +@@ -523,15 +523,19 @@ void bcache_dev_sectors_dirty_add(struct + uint64_t offset, int nr_sectors) + { + struct bcache_device *d = c->devices[inode]; +- unsigned int stripe_offset, stripe, sectors_dirty; ++ unsigned int stripe_offset, sectors_dirty; ++ int stripe; + + if (!d) + return; + ++ stripe = offset_to_stripe(d, offset); ++ if (stripe < 0) ++ return; ++ + if (UUID_FLASH_ONLY(&c->uuids[inode])) + atomic_long_add(nr_sectors, &c->flash_dev_dirty_sectors); + +- stripe = offset_to_stripe(d, offset); + stripe_offset = offset & (d->stripe_size - 1); + + while (nr_sectors) { +@@ -571,12 +575,12 @@ static bool dirty_pred(struct keybuf *bu + static void refill_full_stripes(struct cached_dev *dc) + { + struct keybuf *buf = &dc->writeback_keys; +- unsigned int start_stripe, stripe, next_stripe; ++ unsigned int start_stripe, next_stripe; ++ int stripe; + bool wrapped = false; + + stripe = offset_to_stripe(&dc->disk, KEY_OFFSET(&buf->last_scanned)); +- +- if (stripe >= dc->disk.nr_stripes) ++ if (stripe < 0) + stripe = 0; + + start_stripe = stripe; +--- a/drivers/md/bcache/writeback.h ++++ b/drivers/md/bcache/writeback.h +@@ 
-52,10 +52,22 @@ static inline uint64_t bcache_dev_sector + return ret; + } + +-static inline unsigned int offset_to_stripe(struct bcache_device *d, ++static inline int offset_to_stripe(struct bcache_device *d, + uint64_t offset) + { + do_div(offset, d->stripe_size); ++ ++ /* d->nr_stripes is in range [1, INT_MAX] */ ++ if (unlikely(offset >= d->nr_stripes)) { ++ pr_err("Invalid stripe %llu (>= nr_stripes %d).\n", ++ offset, d->nr_stripes); ++ return -EINVAL; ++ } ++ ++ /* ++ * Here offset is definitly smaller than INT_MAX, ++ * return it as int will never overflow. ++ */ + return offset; + } + +@@ -63,7 +75,10 @@ static inline bool bcache_dev_stripe_dir + uint64_t offset, + unsigned int nr_sectors) + { +- unsigned int stripe = offset_to_stripe(&dc->disk, offset); ++ int stripe = offset_to_stripe(&dc->disk, offset); ++ ++ if (stripe < 0) ++ return false; + + while (1) { + if (atomic_read(dc->disk.stripe_sectors_dirty + stripe)) diff --git a/queue-5.8/bcache-use-disk_-start-end-_io_acct-to-count-i-o-for-bcache-device.patch b/queue-5.8/bcache-use-disk_-start-end-_io_acct-to-count-i-o-for-bcache-device.patch new file mode 100644 index 00000000000..1d8d64d5ca0 --- /dev/null +++ b/queue-5.8/bcache-use-disk_-start-end-_io_acct-to-count-i-o-for-bcache-device.patch @@ -0,0 +1,101 @@ +From c5be1f2c5bab1538aa29cd42e226d6b80391e3ff Mon Sep 17 00:00:00 2001 +From: Coly Li +Date: Tue, 28 Jul 2020 21:59:20 +0800 +Subject: bcache: use disk_{start,end}_io_acct() to count I/O for bcache device + +From: Coly Li + +commit c5be1f2c5bab1538aa29cd42e226d6b80391e3ff upstream. + +This patch is a fix to patch "bcache: fix bio_{start,end}_io_acct with +proper device". The previous patch uses a hack to temporarily set +bi_disk to bcache device, which is mistaken too. + +As Christoph suggests, this patch uses disk_{start,end}_io_acct() to +count I/O for bcache device in the correct way. 
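[Editor's illustration, not part of the patch] The point of the follow-up fix is API shape: disk_{start,end}_io_acct() take the disk to charge as an explicit argument, so no bi_disk swap hack is needed to account I/O to /dev/bcache0. A toy userspace model of that shape (struct and timestamps are invented for illustration; this is not the kernel API):

```c
#include <assert.h>

/* Toy per-disk counters standing in for a gendisk's accounting. */
struct gendisk_model {
	unsigned long ios;
	unsigned long ticks;
};

/* Start accounting: the disk to charge is passed explicitly, and the
 * returned timestamp is kept by the caller (as in s->start_time). */
static unsigned long model_start_io_acct(struct gendisk_model *disk)
{
	disk->ios++;
	return 100;	/* pretend jiffies at submission */
}

/* End accounting on the same explicitly named disk. */
static void model_end_io_acct(struct gendisk_model *disk,
			      unsigned long start_time)
{
	disk->ticks += 110 - start_time;	/* pretend 10 ticks elapsed */
}
```

Because the disk is named at both call sites, the bcache device accumulates the counts regardless of what bio->bi_disk points at in between.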
+ +Fixes: 85750aeb748f ("bcache: use bio_{start,end}_io_acct") +Signed-off-by: Coly Li +Cc: Christoph Hellwig +Cc: stable@vger.kernel.org +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/bcache/request.c | 37 +++++++++---------------------------- + 1 file changed, 9 insertions(+), 28 deletions(-) + +--- a/drivers/md/bcache/request.c ++++ b/drivers/md/bcache/request.c +@@ -617,28 +617,6 @@ static void cache_lookup(struct closure + + /* Common code for the make_request functions */ + +-static inline void bch_bio_start_io_acct(struct gendisk *acct_bi_disk, +- struct bio *bio, +- unsigned long *start_time) +-{ +- struct gendisk *saved_bi_disk = bio->bi_disk; +- +- bio->bi_disk = acct_bi_disk; +- *start_time = bio_start_io_acct(bio); +- bio->bi_disk = saved_bi_disk; +-} +- +-static inline void bch_bio_end_io_acct(struct gendisk *acct_bi_disk, +- struct bio *bio, +- unsigned long start_time) +-{ +- struct gendisk *saved_bi_disk = bio->bi_disk; +- +- bio->bi_disk = acct_bi_disk; +- bio_end_io_acct(bio, start_time); +- bio->bi_disk = saved_bi_disk; +-} +- + static void request_endio(struct bio *bio) + { + struct closure *cl = bio->bi_private; +@@ -690,7 +668,9 @@ static void backing_request_endio(struct + static void bio_complete(struct search *s) + { + if (s->orig_bio) { +- bch_bio_end_io_acct(s->d->disk, s->orig_bio, s->start_time); ++ /* Count on bcache device */ ++ disk_end_io_acct(s->d->disk, bio_op(s->orig_bio), s->start_time); ++ + trace_bcache_request_end(s->d, s->orig_bio); + s->orig_bio->bi_status = s->iop.status; + bio_endio(s->orig_bio); +@@ -750,8 +730,8 @@ static inline struct search *search_allo + s->recoverable = 1; + s->write = op_is_write(bio_op(bio)); + s->read_dirty_data = 0; +- bch_bio_start_io_acct(d->disk, bio, &s->start_time); +- ++ /* Count on the bcache device */ ++ s->start_time = disk_start_io_acct(d->disk, bio_sectors(bio), bio_op(bio)); + s->iop.c = d->c; + s->iop.bio = NULL; + s->iop.inode = d->id; +@@ -1102,7 
+1082,8 @@ static void detached_dev_end_io(struct b + bio->bi_end_io = ddip->bi_end_io; + bio->bi_private = ddip->bi_private; + +- bch_bio_end_io_acct(ddip->d->disk, bio, ddip->start_time); ++ /* Count on the bcache device */ ++ disk_end_io_acct(ddip->d->disk, bio_op(bio), ddip->start_time); + + if (bio->bi_status) { + struct cached_dev *dc = container_of(ddip->d, +@@ -1127,8 +1108,8 @@ static void detached_dev_do_request(stru + */ + ddip = kzalloc(sizeof(struct detached_dev_io_private), GFP_NOIO); + ddip->d = d; +- bch_bio_start_io_acct(d->disk, bio, &ddip->start_time); +- ++ /* Count on the bcache device */ ++ ddip->start_time = disk_start_io_acct(d->disk, bio_sectors(bio), bio_op(bio)); + ddip->bi_end_io = bio->bi_end_io; + ddip->bi_private = bio->bi_private; + bio->bi_end_io = detached_dev_end_io; diff --git a/queue-5.8/ceph-handle-zero-length-feature-mask-in-session-messages.patch b/queue-5.8/ceph-handle-zero-length-feature-mask-in-session-messages.patch new file mode 100644 index 00000000000..b7f5ee334ab --- /dev/null +++ b/queue-5.8/ceph-handle-zero-length-feature-mask-in-session-messages.patch @@ -0,0 +1,47 @@ +From 02e37571f9e79022498fd0525c073b07e9d9ac69 Mon Sep 17 00:00:00 2001 +From: Jeff Layton +Date: Tue, 4 Aug 2020 12:31:56 -0400 +Subject: ceph: handle zero-length feature mask in session messages + +From: Jeff Layton + +commit 02e37571f9e79022498fd0525c073b07e9d9ac69 upstream. + +Most session messages contain a feature mask, but the MDS will +routinely send a REJECT message with one that is zero-length. + +Commit 0fa8263367db ("ceph: fix endianness bug when handling MDS +session feature bits") fixed the decoding of the feature mask, +but failed to account for the MDS sending a zero-length feature +mask. This causes REJECT message decoding to fail. + +Skip trying to decode a feature mask if the word count is zero. 
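[Editor's illustration, not part of the patch] The ceph fix guards the 64-bit feature read behind the advertised length, since a REJECT message carries len == 0. A userspace sketch of that decode guard (signature and error convention are invented; the kernel uses ceph_decode_64_safe()):

```c
#include <assert.h>
#include <stdint.h>
#include <string.h>

/* Decode an optional 64-bit feature word: only read it when the
 * advertised length is non-zero, mirroring the patched handle_session().
 * Returns 0 on success, -1 on a short buffer. */
static int decode_features(const uint8_t *p, const uint8_t *end,
			   uint32_t len, uint64_t *features)
{
	*features = 0;
	if (len) {
		if ((size_t)(end - p) < sizeof(*features))
			return -1;
		memcpy(features, p, sizeof(*features));
	}
	return 0;
}
```

A zero-length mask now decodes cleanly to 0 instead of failing the whole message.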
+ +Cc: stable@vger.kernel.org +URL: https://tracker.ceph.com/issues/46823 +Fixes: 0fa8263367db ("ceph: fix endianness bug when handling MDS session feature bits") +Signed-off-by: Jeff Layton +Reviewed-by: Ilya Dryomov +Tested-by: Patrick Donnelly +Signed-off-by: Ilya Dryomov +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ceph/mds_client.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/fs/ceph/mds_client.c ++++ b/fs/ceph/mds_client.c +@@ -3279,8 +3279,10 @@ static void handle_session(struct ceph_m + goto bad; + /* version >= 3, feature bits */ + ceph_decode_32_safe(&p, end, len, bad); +- ceph_decode_64_safe(&p, end, features, bad); +- p += len - sizeof(features); ++ if (len) { ++ ceph_decode_64_safe(&p, end, features, bad); ++ p += len - sizeof(features); ++ } + } + + mutex_lock(&mdsc->mutex); diff --git a/queue-5.8/ceph-set-sec_context-xattr-on-symlink-creation.patch b/queue-5.8/ceph-set-sec_context-xattr-on-symlink-creation.patch new file mode 100644 index 00000000000..f20acf1be6a --- /dev/null +++ b/queue-5.8/ceph-set-sec_context-xattr-on-symlink-creation.patch @@ -0,0 +1,38 @@ +From b748fc7a8763a5b3f8149f12c45711cd73ef8176 Mon Sep 17 00:00:00 2001 +From: Jeff Layton +Date: Tue, 28 Jul 2020 10:34:20 -0400 +Subject: ceph: set sec_context xattr on symlink creation + +From: Jeff Layton + +commit b748fc7a8763a5b3f8149f12c45711cd73ef8176 upstream. + +Symlink inodes should have the security context set in their xattrs on +creation. We already set the context on creation, but we don't attach +the pagelist. The effect is that symlink inodes don't get an SELinux +context set on them at creation, so they end up unlabeled instead of +inheriting the proper context. Make it do so. 
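[Editor's illustration, not part of the patch] The symlink fix is an ownership hand-off: the security-context pagelist is attached to the request and the local pointer is cleared, so the context's cleanup path doesn't free a buffer the request now owns. A userspace sketch of that pattern (struct names are simplified stand-ins for the ceph types):

```c
#include <assert.h>
#include <stddef.h>

struct pagelist_model { int refs; };
struct request_model { struct pagelist_model *r_pagelist; };

/* Mirror of the patched hunk: if a security-context pagelist was
 * built, hand it to the request and NULL the source pointer so
 * as_ctx teardown won't touch it again. */
static void attach_pagelist(struct request_model *req,
			    struct pagelist_model **ctx_pagelist)
{
	if (*ctx_pagelist) {
		req->r_pagelist = *ctx_pagelist;
		*ctx_pagelist = NULL;
	}
}
```

Before the fix the pagelist was built but never attached, so the MDS request went out without the sec_context xattr.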
+ +Cc: stable@vger.kernel.org +Signed-off-by: Jeff Layton +Reviewed-by: Ilya Dryomov +Signed-off-by: Ilya Dryomov +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ceph/dir.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/fs/ceph/dir.c ++++ b/fs/ceph/dir.c +@@ -930,6 +930,10 @@ static int ceph_symlink(struct inode *di + req->r_num_caps = 2; + req->r_dentry_drop = CEPH_CAP_FILE_SHARED | CEPH_CAP_AUTH_EXCL; + req->r_dentry_unless = CEPH_CAP_FILE_EXCL; ++ if (as_ctx.pagelist) { ++ req->r_pagelist = as_ctx.pagelist; ++ as_ctx.pagelist = NULL; ++ } + err = ceph_mdsc_do_request(mdsc, dir, req); + if (!err && !req->r_reply_info.head->is_dentry) + err = ceph_handle_notrace_create(dir, dentry); diff --git a/queue-5.8/cma-don-t-quit-at-first-error-when-activating-reserved-areas.patch b/queue-5.8/cma-don-t-quit-at-first-error-when-activating-reserved-areas.patch new file mode 100644 index 00000000000..1455d91f225 --- /dev/null +++ b/queue-5.8/cma-don-t-quit-at-first-error-when-activating-reserved-areas.patch @@ -0,0 +1,130 @@ +From 3a5139f1c5bb76d69756fb8f13fffa173e261153 Mon Sep 17 00:00:00 2001 +From: Mike Kravetz +Date: Tue, 11 Aug 2020 18:32:03 -0700 +Subject: cma: don't quit at first error when activating reserved areas + +From: Mike Kravetz + +commit 3a5139f1c5bb76d69756fb8f13fffa173e261153 upstream. + +The routine cma_init_reserved_areas is designed to activate all +reserved cma areas. It quits when it first encounters an error. +This can leave some areas in a state where they are reserved but +not activated. There is no feedback to code which performed the +reservation. Attempting to allocate memory from areas in such a +state will result in a BUG. + +Modify cma_init_reserved_areas to always attempt to activate all +areas. The called routine, cma_activate_area is responsible for +leaving the area in a valid state. No one is making active use +of returned error codes, so change the routine to void. 
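[Editor's illustration, not part of the patch] The CMA fix changes the loop's failure policy: activation of one area no longer aborts the whole pass, and a failed area is left in a valid-but-empty state (count = 0) rather than half-reserved. A userspace sketch of that structure (field names are simplified; real code is in mm/cma.c):

```c
#include <assert.h>

struct cma_model {
	int count;	/* zeroed on failed activation, as in the patch */
	int activated;
};

/* void activation: on failure the area cleans itself up (count = 0)
 * instead of propagating an error code nobody consumed. */
static void activate_one(struct cma_model *cma, int should_fail)
{
	if (should_fail) {
		cma->count = 0;	/* leave the area valid but empty */
		return;
	}
	cma->activated = 1;
}

/* The init loop now visits every area; one failure no longer leaves
 * later areas reserved-but-unactivated. */
static void init_all(struct cma_model *areas, int n, const int *fail)
{
	for (int i = 0; i < n; i++)
		activate_one(&areas[i], fail[i]);
}
```

With the old early-return, a failure in area 1 would have left area 2 reserved but never activated, which is the state that triggered the NULL-bitmap BUG above.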
+ +How to reproduce: This example uses kernelcore, hugetlb and cma +as an easy way to reproduce. However, this is a more general cma +issue. + +Two node x86 VM 16GB total, 8GB per node +Kernel command line parameters, kernelcore=4G hugetlb_cma=8G +Related boot time messages, + hugetlb_cma: reserve 8192 MiB, up to 4096 MiB per node + cma: Reserved 4096 MiB at 0x0000000100000000 + hugetlb_cma: reserved 4096 MiB on node 0 + cma: Reserved 4096 MiB at 0x0000000300000000 + hugetlb_cma: reserved 4096 MiB on node 1 + cma: CMA area hugetlb could not be activated + + # echo 8 > /sys/kernel/mm/hugepages/hugepages-1048576kB/nr_hugepages + + BUG: kernel NULL pointer dereference, address: 0000000000000000 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 0 P4D 0 + Oops: 0000 [#1] SMP PTI + ... + Call Trace: + bitmap_find_next_zero_area_off+0x51/0x90 + cma_alloc+0x1a5/0x310 + alloc_fresh_huge_page+0x78/0x1a0 + alloc_pool_huge_page+0x6f/0xf0 + set_max_huge_pages+0x10c/0x250 + nr_hugepages_store_common+0x92/0x120 + ? 
__kmalloc+0x171/0x270 + kernfs_fop_write+0xc1/0x1a0 + vfs_write+0xc7/0x1f0 + ksys_write+0x5f/0xe0 + do_syscall_64+0x4d/0x90 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fixes: c64be2bb1c6e ("drivers: add Contiguous Memory Allocator") +Signed-off-by: Mike Kravetz +Signed-off-by: Andrew Morton +Reviewed-by: Roman Gushchin +Acked-by: Barry Song +Cc: Marek Szyprowski +Cc: Michal Nazarewicz +Cc: Kyungmin Park +Cc: Joonsoo Kim +Cc: +Link: http://lkml.kernel.org/r/20200730163123.6451-1-mike.kravetz@oracle.com +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/cma.c | 23 +++++++++-------------- + 1 file changed, 9 insertions(+), 14 deletions(-) + +--- a/mm/cma.c ++++ b/mm/cma.c +@@ -93,17 +93,15 @@ static void cma_clear_bitmap(struct cma + mutex_unlock(&cma->lock); + } + +-static int __init cma_activate_area(struct cma *cma) ++static void __init cma_activate_area(struct cma *cma) + { + unsigned long base_pfn = cma->base_pfn, pfn = base_pfn; + unsigned i = cma->count >> pageblock_order; + struct zone *zone; + + cma->bitmap = bitmap_zalloc(cma_bitmap_maxno(cma), GFP_KERNEL); +- if (!cma->bitmap) { +- cma->count = 0; +- return -ENOMEM; +- } ++ if (!cma->bitmap) ++ goto out_error; + + WARN_ON_ONCE(!pfn_valid(pfn)); + zone = page_zone(pfn_to_page(pfn)); +@@ -133,25 +131,22 @@ static int __init cma_activate_area(stru + spin_lock_init(&cma->mem_head_lock); + #endif + +- return 0; ++ return; + + not_in_zone: +- pr_err("CMA area %s could not be activated\n", cma->name); + bitmap_free(cma->bitmap); ++out_error: + cma->count = 0; +- return -EINVAL; ++ pr_err("CMA area %s could not be activated\n", cma->name); ++ return; + } + + static int __init cma_init_reserved_areas(void) + { + int i; + +- for (i = 0; i < cma_area_count; i++) { +- int ret = cma_activate_area(&cma_areas[i]); +- +- if (ret) +- return ret; +- } ++ for (i = 0; i < cma_area_count; i++) ++ cma_activate_area(&cma_areas[i]); + + return 0; + } diff --git 
a/queue-5.8/driver-core-avoid-binding-drivers-to-dead-devices.patch b/queue-5.8/driver-core-avoid-binding-drivers-to-dead-devices.patch new file mode 100644 index 00000000000..f7e04b2a162 --- /dev/null +++ b/queue-5.8/driver-core-avoid-binding-drivers-to-dead-devices.patch @@ -0,0 +1,57 @@ +From 654888327e9f655a9d55ad477a9583e90e8c9b5c Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Wed, 8 Jul 2020 15:27:01 +0200 +Subject: driver core: Avoid binding drivers to dead devices + +From: Lukas Wunner + +commit 654888327e9f655a9d55ad477a9583e90e8c9b5c upstream. + +Commit 3451a495ef24 ("driver core: Establish order of operations for +device_add and device_del via bitflag") sought to prevent asynchronous +driver binding to a device which is being removed. It added a +per-device "dead" flag which is checked in the following code paths: + +* asynchronous binding in __driver_attach_async_helper() +* synchronous binding in device_driver_attach() +* asynchronous binding in __device_attach_async_helper() + +It did *not* check the flag upon: + +* synchronous binding in __device_attach() + +However __device_attach() may also be called asynchronously from: + +deferred_probe_work_func() + bus_probe_device() + device_initial_probe() + __device_attach() + +So if the commit's intention was to check the "dead" flag in all +asynchronous code paths, then a check is also necessary in +__device_attach(). Add the missing check. 
+ +Fixes: 3451a495ef24 ("driver core: Establish order of operations for device_add and device_del via bitflag") +Signed-off-by: Lukas Wunner +Cc: stable@vger.kernel.org # v5.1+ +Cc: Alexander Duyck +Link: https://lore.kernel.org/r/de88a23a6fe0ef70f7cfd13c8aea9ab51b4edab6.1594214103.git.lukas@wunner.de +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/base/dd.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/base/dd.c ++++ b/drivers/base/dd.c +@@ -844,7 +844,9 @@ static int __device_attach(struct device + int ret = 0; + + device_lock(dev); +- if (dev->driver) { ++ if (dev->p->dead) { ++ goto out_unlock; ++ } else if (dev->driver) { + if (device_is_bound(dev)) { + ret = 1; + goto out_unlock; diff --git a/queue-5.8/ext2-fix-missing-percpu_counter_inc.patch b/queue-5.8/ext2-fix-missing-percpu_counter_inc.patch new file mode 100644 index 00000000000..8501a47315a --- /dev/null +++ b/queue-5.8/ext2-fix-missing-percpu_counter_inc.patch @@ -0,0 +1,46 @@ +From bc2fbaa4d3808aef82dd1064a8e61c16549fe956 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Mon, 20 Apr 2020 16:02:21 -0400 +Subject: ext2: fix missing percpu_counter_inc + +From: Mikulas Patocka + +commit bc2fbaa4d3808aef82dd1064a8e61c16549fe956 upstream. + +sbi->s_freeinodes_counter is only decreased by the ext2 code, it is never +increased. This patch fixes it. + +Note that sbi->s_freeinodes_counter is only used in the algorithm that +tries to find the group for new allocations, so this bug is not easily +visible (the only visibility is that the group finding algorithm selects +inoptinal result). 
+ +Link: https://lore.kernel.org/r/alpine.LRH.2.02.2004201538300.19436@file01.intranet.prod.int.rdu2.redhat.com +Signed-off-by: Mikulas Patocka +Cc: stable@vger.kernel.org +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext2/ialloc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/ext2/ialloc.c ++++ b/fs/ext2/ialloc.c +@@ -80,6 +80,7 @@ static void ext2_release_inode(struct su + if (dir) + le16_add_cpu(&desc->bg_used_dirs_count, -1); + spin_unlock(sb_bgl_lock(EXT2_SB(sb), group)); ++ percpu_counter_inc(&EXT2_SB(sb)->s_freeinodes_counter); + if (dir) + percpu_counter_dec(&EXT2_SB(sb)->s_dirs_counter); + mark_buffer_dirty(bh); +@@ -528,7 +529,7 @@ got: + goto fail; + } + +- percpu_counter_add(&sbi->s_freeinodes_counter, -1); ++ percpu_counter_dec(&sbi->s_freeinodes_counter); + if (S_ISDIR(mode)) + percpu_counter_inc(&sbi->s_dirs_counter); + diff --git a/queue-5.8/ftrace-setup-correct-ftrace_fl_regs-flags-for-module.patch b/queue-5.8/ftrace-setup-correct-ftrace_fl_regs-flags-for-module.patch new file mode 100644 index 00000000000..7526a58212c --- /dev/null +++ b/queue-5.8/ftrace-setup-correct-ftrace_fl_regs-flags-for-module.patch @@ -0,0 +1,58 @@ +From 8a224ffb3f52b0027f6b7279854c71a31c48fc97 Mon Sep 17 00:00:00 2001 +From: Chengming Zhou +Date: Wed, 29 Jul 2020 02:05:53 +0800 +Subject: ftrace: Setup correct FTRACE_FL_REGS flags for module + +From: Chengming Zhou + +commit 8a224ffb3f52b0027f6b7279854c71a31c48fc97 upstream. + +When module loaded and enabled, we will use __ftrace_replace_code +for module if any ftrace_ops referenced it found. But we will get +wrong ftrace_addr for module rec in ftrace_get_addr_new, because +rec->flags has not been setup correctly. It can cause the callback +function of a ftrace_ops has FTRACE_OPS_FL_SAVE_REGS to be called +with pt_regs set to NULL. +So setup correct FTRACE_FL_REGS flags for rec when we call +referenced_filters to find ftrace_ops references it. 
+ +Link: https://lkml.kernel.org/r/20200728180554.65203-1-zhouchengming@bytedance.com + +Cc: stable@vger.kernel.org +Fixes: 8c4f3c3fa9681 ("ftrace: Check module functions being traced on reload") +Signed-off-by: Chengming Zhou +Signed-off-by: Muchun Song +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/ftrace.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -6187,8 +6187,11 @@ static int referenced_filters(struct dyn + int cnt = 0; + + for (ops = ftrace_ops_list; ops != &ftrace_list_end; ops = ops->next) { +- if (ops_references_rec(ops, rec)) +- cnt++; ++ if (ops_references_rec(ops, rec)) { ++ cnt++; ++ if (ops->flags & FTRACE_OPS_FL_SAVE_REGS) ++ rec->flags |= FTRACE_FL_REGS; ++ } + } + + return cnt; +@@ -6367,8 +6370,8 @@ void ftrace_module_enable(struct module + if (ftrace_start_up) + cnt += referenced_filters(rec); + +- /* This clears FTRACE_FL_DISABLED */ +- rec->flags = cnt; ++ rec->flags &= ~FTRACE_FL_DISABLED; ++ rec->flags += cnt; + + if (ftrace_start_up && cnt) { + int failed = __ftrace_replace_code(rec, 1); diff --git a/queue-5.8/hugetlbfs-remove-call-to-huge_pte_alloc-without-i_mmap_rwsem.patch b/queue-5.8/hugetlbfs-remove-call-to-huge_pte_alloc-without-i_mmap_rwsem.patch new file mode 100644 index 00000000000..1ca1684f637 --- /dev/null +++ b/queue-5.8/hugetlbfs-remove-call-to-huge_pte_alloc-without-i_mmap_rwsem.patch @@ -0,0 +1,166 @@ +From 34ae204f18519f0920bd50a644abd6fefc8dbfcf Mon Sep 17 00:00:00 2001 +From: Mike Kravetz +Date: Tue, 11 Aug 2020 18:31:38 -0700 +Subject: hugetlbfs: remove call to huge_pte_alloc without i_mmap_rwsem + +From: Mike Kravetz + +commit 34ae204f18519f0920bd50a644abd6fefc8dbfcf upstream. + +Commit c0d0381ade79 ("hugetlbfs: use i_mmap_rwsem for more pmd sharing +synchronization") requires callers of huge_pte_alloc to hold i_mmap_rwsem +in at least read mode. 
This is because the explicit locking in +huge_pmd_share (called by huge_pte_alloc) was removed. When restructuring +the code, the call to huge_pte_alloc in the else block at the beginning of +hugetlb_fault was missed. + +Unfortunately, that else clause is exercised when there is no page table +entry. This will likely lead to a call to huge_pmd_share. If +huge_pmd_share thinks pmd sharing is possible, it will traverse the +mapping tree (i_mmap) without holding i_mmap_rwsem. If someone else is +modifying the tree, bad things such as addressing exceptions or worse +could happen. + +Simply remove the else clause. It should have been removed previously. +The code following the else will call huge_pte_alloc with the appropriate +locking. + +To prevent this type of issue in the future, add routines to assert that +i_mmap_rwsem is held, and call these routines in huge pmd sharing +routines. + +Fixes: c0d0381ade79 ("hugetlbfs: use i_mmap_rwsem for more pmd sharing synchronization") +Suggested-by: Matthew Wilcox +Signed-off-by: Mike Kravetz +Signed-off-by: Andrew Morton +Cc: Michal Hocko +Cc: Hugh Dickins +Cc: Naoya Horiguchi +Cc: "Aneesh Kumar K.V" +Cc: Andrea Arcangeli +Cc: "Kirill A.Shutemov" +Cc: Davidlohr Bueso +Cc: Prakash Sangappa +Cc: +Link: http://lkml.kernel.org/r/e670f327-5cf9-1959-96e4-6dc7cc30d3d5@oracle.com +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/fs.h | 10 ++++++++++ + include/linux/hugetlb.h | 8 +++++--- + mm/hugetlb.c | 15 +++++++-------- + mm/rmap.c | 2 +- + 4 files changed, 23 insertions(+), 12 deletions(-) + +--- a/include/linux/fs.h ++++ b/include/linux/fs.h +@@ -549,6 +549,16 @@ static inline void i_mmap_unlock_read(st + up_read(&mapping->i_mmap_rwsem); + } + ++static inline void i_mmap_assert_locked(struct address_space *mapping) ++{ ++ lockdep_assert_held(&mapping->i_mmap_rwsem); ++} ++ ++static inline void i_mmap_assert_write_locked(struct address_space *mapping) ++{ ++ 
lockdep_assert_held_write(&mapping->i_mmap_rwsem); ++} ++ + /* + * Might pages of this file be mapped into userspace? + */ +--- a/include/linux/hugetlb.h ++++ b/include/linux/hugetlb.h +@@ -164,7 +164,8 @@ pte_t *huge_pte_alloc(struct mm_struct * + unsigned long addr, unsigned long sz); + pte_t *huge_pte_offset(struct mm_struct *mm, + unsigned long addr, unsigned long sz); +-int huge_pmd_unshare(struct mm_struct *mm, unsigned long *addr, pte_t *ptep); ++int huge_pmd_unshare(struct mm_struct *mm, struct vm_area_struct *vma, ++ unsigned long *addr, pte_t *ptep); + void adjust_range_if_pmd_sharing_possible(struct vm_area_struct *vma, + unsigned long *start, unsigned long *end); + struct page *follow_huge_addr(struct mm_struct *mm, unsigned long address, +@@ -203,8 +204,9 @@ static inline struct address_space *huge + return NULL; + } + +-static inline int huge_pmd_unshare(struct mm_struct *mm, unsigned long *addr, +- pte_t *ptep) ++static inline int huge_pmd_unshare(struct mm_struct *mm, ++ struct vm_area_struct *vma, ++ unsigned long *addr, pte_t *ptep) + { + return 0; + } +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -3952,7 +3952,7 @@ void __unmap_hugepage_range(struct mmu_g + continue; + + ptl = huge_pte_lock(h, mm, ptep); +- if (huge_pmd_unshare(mm, &address, ptep)) { ++ if (huge_pmd_unshare(mm, vma, &address, ptep)) { + spin_unlock(ptl); + /* + * We just unmapped a page of PMDs by clearing a PUD. 
+@@ -4539,10 +4539,6 @@ vm_fault_t hugetlb_fault(struct mm_struc + } else if (unlikely(is_hugetlb_entry_hwpoisoned(entry))) + return VM_FAULT_HWPOISON_LARGE | + VM_FAULT_SET_HINDEX(hstate_index(h)); +- } else { +- ptep = huge_pte_alloc(mm, haddr, huge_page_size(h)); +- if (!ptep) +- return VM_FAULT_OOM; + } + + /* +@@ -5019,7 +5015,7 @@ unsigned long hugetlb_change_protection( + if (!ptep) + continue; + ptl = huge_pte_lock(h, mm, ptep); +- if (huge_pmd_unshare(mm, &address, ptep)) { ++ if (huge_pmd_unshare(mm, vma, &address, ptep)) { + pages++; + spin_unlock(ptl); + shared_pmd = true; +@@ -5400,12 +5396,14 @@ out: + * returns: 1 successfully unmapped a shared pte page + * 0 the underlying pte page is not shared, or it is the last user + */ +-int huge_pmd_unshare(struct mm_struct *mm, unsigned long *addr, pte_t *ptep) ++int huge_pmd_unshare(struct mm_struct *mm, struct vm_area_struct *vma, ++ unsigned long *addr, pte_t *ptep) + { + pgd_t *pgd = pgd_offset(mm, *addr); + p4d_t *p4d = p4d_offset(pgd, *addr); + pud_t *pud = pud_offset(p4d, *addr); + ++ i_mmap_assert_write_locked(vma->vm_file->f_mapping); + BUG_ON(page_count(virt_to_page(ptep)) == 0); + if (page_count(virt_to_page(ptep)) == 1) + return 0; +@@ -5423,7 +5421,8 @@ pte_t *huge_pmd_share(struct mm_struct * + return NULL; + } + +-int huge_pmd_unshare(struct mm_struct *mm, unsigned long *addr, pte_t *ptep) ++int huge_pmd_unshare(struct mm_struct *mm, struct vm_area_struct *vma, ++ unsigned long *addr, pte_t *ptep) + { + return 0; + } +--- a/mm/rmap.c ++++ b/mm/rmap.c +@@ -1469,7 +1469,7 @@ static bool try_to_unmap_one(struct page + * do this outside rmap routines. + */ + VM_BUG_ON(!(flags & TTU_RMAP_LOCKED)); +- if (huge_pmd_unshare(mm, &address, pvmw.pte)) { ++ if (huge_pmd_unshare(mm, vma, &address, pvmw.pte)) { + /* + * huge_pmd_unshare unmapped an entire PMD + * page. 
There is no way of knowing exactly diff --git a/queue-5.8/irqchip-gic-v4.1-ensure-accessing-the-correct-rd-when-writing-invallr.patch b/queue-5.8/irqchip-gic-v4.1-ensure-accessing-the-correct-rd-when-writing-invallr.patch new file mode 100644 index 00000000000..b8e37b12c46 --- /dev/null +++ b/queue-5.8/irqchip-gic-v4.1-ensure-accessing-the-correct-rd-when-writing-invallr.patch @@ -0,0 +1,58 @@ +From 3af9571cd585efafc2facbd8dbd407317ff898cf Mon Sep 17 00:00:00 2001 +From: Zenghui Yu +Date: Mon, 20 Jul 2020 17:23:28 +0800 +Subject: irqchip/gic-v4.1: Ensure accessing the correct RD when writing INVALLR + +From: Zenghui Yu + +commit 3af9571cd585efafc2facbd8dbd407317ff898cf upstream. + +The GICv4.1 spec tells us that it's CONSTRAINED UNPREDICTABLE to issue a +register-based invalidation operation for a vPEID not mapped to that RD, +or another RD within the same CommonLPIAff group. + +To follow this rule, commit f3a059219bc7 ("irqchip/gic-v4.1: Ensure mutual +exclusion between vPE affinity change and RD access") tried to address the +race between the RD accesses and the vPE affinity change, but somehow +forgot to take GICR_INVALLR into account. Let's take the vpe_lock before +evaluating vpe->col_idx to fix it. 
+ +Fixes: f3a059219bc7 ("irqchip/gic-v4.1: Ensure mutual exclusion between vPE affinity change and RD access") +Signed-off-by: Zenghui Yu +Signed-off-by: Marc Zyngier +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20200720092328.708-1-yuzenghui@huawei.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/irqchip/irq-gic-v3-its.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/drivers/irqchip/irq-gic-v3-its.c ++++ b/drivers/irqchip/irq-gic-v3-its.c +@@ -4090,18 +4090,22 @@ static void its_vpe_4_1_deschedule(struc + static void its_vpe_4_1_invall(struct its_vpe *vpe) + { + void __iomem *rdbase; ++ unsigned long flags; + u64 val; ++ int cpu; + + val = GICR_INVALLR_V; + val |= FIELD_PREP(GICR_INVALLR_VPEID, vpe->vpe_id); + + /* Target the redistributor this vPE is currently known on */ +- raw_spin_lock(&gic_data_rdist_cpu(vpe->col_idx)->rd_lock); +- rdbase = per_cpu_ptr(gic_rdists->rdist, vpe->col_idx)->rd_base; ++ cpu = vpe_to_cpuid_lock(vpe, &flags); ++ raw_spin_lock(&gic_data_rdist_cpu(cpu)->rd_lock); ++ rdbase = per_cpu_ptr(gic_rdists->rdist, cpu)->rd_base; + gic_write_lpir(val, rdbase + GICR_INVALLR); + + wait_for_syncr(rdbase); +- raw_spin_unlock(&gic_data_rdist_cpu(vpe->col_idx)->rd_lock); ++ raw_spin_unlock(&gic_data_rdist_cpu(cpu)->rd_lock); ++ vpe_to_cpuid_unlock(vpe, flags); + } + + static int its_vpe_4_1_set_vcpu_affinity(struct irq_data *d, void *vcpu_info) diff --git a/queue-5.8/irqchip-loongson-liointc-fix-misuse-of-gc-mask_cache.patch b/queue-5.8/irqchip-loongson-liointc-fix-misuse-of-gc-mask_cache.patch new file mode 100644 index 00000000000..182550c17c4 --- /dev/null +++ b/queue-5.8/irqchip-loongson-liointc-fix-misuse-of-gc-mask_cache.patch @@ -0,0 +1,60 @@ +From c9c73a05413ea4a465cae1cb3593b01b190a233f Mon Sep 17 00:00:00 2001 +From: Huacai Chen +Date: Thu, 30 Jul 2020 16:51:28 +0800 +Subject: irqchip/loongson-liointc: Fix misuse of gc->mask_cache + +From: Huacai Chen + +commit 
c9c73a05413ea4a465cae1cb3593b01b190a233f upstream. + +In gc->mask_cache bits, 1 means enabled and 0 means disabled, but in the +loongson-liointc driver mask_cache is misused by reverting its meaning. +This patch fix the bug and update the comments as well. + +Fixes: dbb152267908c4b2c3639492a ("irqchip: Add driver for Loongson I/O Local Interrupt Controller") +Signed-off-by: Huacai Chen +Signed-off-by: Marc Zyngier +Reviewed-by: Jiaxun Yang +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/1596099090-23516-4-git-send-email-chenhc@lemote.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/irqchip/irq-loongson-liointc.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/irqchip/irq-loongson-liointc.c ++++ b/drivers/irqchip/irq-loongson-liointc.c +@@ -60,7 +60,7 @@ static void liointc_chained_handle_irq(s + if (!pending) { + /* Always blame LPC IRQ if we have that bug */ + if (handler->priv->has_lpc_irq_errata && +- (handler->parent_int_map & ~gc->mask_cache & ++ (handler->parent_int_map & gc->mask_cache & + BIT(LIOINTC_ERRATA_IRQ))) + pending = BIT(LIOINTC_ERRATA_IRQ); + else +@@ -132,11 +132,11 @@ static void liointc_resume(struct irq_ch + irq_gc_lock_irqsave(gc, flags); + /* Disable all at first */ + writel(0xffffffff, gc->reg_base + LIOINTC_REG_INTC_DISABLE); +- /* Revert map cache */ ++ /* Restore map cache */ + for (i = 0; i < LIOINTC_CHIP_IRQ; i++) + writeb(priv->map_cache[i], gc->reg_base + i); +- /* Revert mask cache */ +- writel(~gc->mask_cache, gc->reg_base + LIOINTC_REG_INTC_ENABLE); ++ /* Restore mask cache */ ++ writel(gc->mask_cache, gc->reg_base + LIOINTC_REG_INTC_ENABLE); + irq_gc_unlock_irqrestore(gc, flags); + } + +@@ -244,7 +244,7 @@ int __init liointc_of_init(struct device + ct->chip.irq_mask_ack = irq_gc_mask_disable_reg; + ct->chip.irq_set_type = liointc_set_type; + +- gc->mask_cache = 0xffffffff; ++ gc->mask_cache = 0; + priv->gc = gc; + + for (i = 0; i < LIOINTC_NUM_PARENT; i++) { diff --git 
a/queue-5.8/khugepaged-collapse_pte_mapped_thp-flush-the-right-range.patch b/queue-5.8/khugepaged-collapse_pte_mapped_thp-flush-the-right-range.patch new file mode 100644 index 00000000000..212cb3ca183 --- /dev/null +++ b/queue-5.8/khugepaged-collapse_pte_mapped_thp-flush-the-right-range.patch @@ -0,0 +1,50 @@ +From 723a80dafed5c95889d48baab9aa433a6ffa0b4e Mon Sep 17 00:00:00 2001 +From: Hugh Dickins +Date: Thu, 6 Aug 2020 23:26:15 -0700 +Subject: khugepaged: collapse_pte_mapped_thp() flush the right range + +From: Hugh Dickins + +commit 723a80dafed5c95889d48baab9aa433a6ffa0b4e upstream. + +pmdp_collapse_flush() should be given the start address at which the huge +page is mapped, haddr: it was given addr, which at that point has been +used as a local variable, incremented to the end address of the extent. + +Found by source inspection while chasing a hugepage locking bug, which I +then could not explain by this. At first I thought this was very bad; +then saw that all of the page translations that were not flushed would +actually still point to the right pages afterwards, so harmless; then +realized that I know nothing of how different architectures and models +cache intermediate paging structures, so maybe it matters after all - +particularly since the page table concerned is immediately freed. + +Much easier to fix than to think about. + +Fixes: 27e1f8273113 ("khugepaged: enable collapse pmd for pte-mapped THP") +Signed-off-by: Hugh Dickins +Signed-off-by: Andrew Morton +Acked-by: Kirill A. 
Shutemov +Cc: Andrea Arcangeli +Cc: Mike Kravetz +Cc: Song Liu +Cc: [5.4+] +Link: http://lkml.kernel.org/r/alpine.LSU.2.11.2008021204390.27773@eggly.anvils +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/khugepaged.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/khugepaged.c ++++ b/mm/khugepaged.c +@@ -1502,7 +1502,7 @@ void collapse_pte_mapped_thp(struct mm_s + + /* step 4: collapse pmd */ + ptl = pmd_lock(vma->vm_mm, pmd); +- _pmd = pmdp_collapse_flush(vma, addr, pmd); ++ _pmd = pmdp_collapse_flush(vma, haddr, pmd); + spin_unlock(ptl); + mm_dec_nr_ptes(mm); + pte_free(mm, pmd_pgtable(_pmd)); diff --git a/queue-5.8/khugepaged-collapse_pte_mapped_thp-protect-the-pmd-lock.patch b/queue-5.8/khugepaged-collapse_pte_mapped_thp-protect-the-pmd-lock.patch new file mode 100644 index 00000000000..20eeb801e99 --- /dev/null +++ b/queue-5.8/khugepaged-collapse_pte_mapped_thp-protect-the-pmd-lock.patch @@ -0,0 +1,132 @@ +From 119a5fc16105b2b9383a6e2a7800b2ef861b2975 Mon Sep 17 00:00:00 2001 +From: Hugh Dickins +Date: Thu, 6 Aug 2020 23:26:18 -0700 +Subject: khugepaged: collapse_pte_mapped_thp() protect the pmd lock + +From: Hugh Dickins + +commit 119a5fc16105b2b9383a6e2a7800b2ef861b2975 upstream. + +When retract_page_tables() removes a page table to make way for a huge +pmd, it holds huge page lock, i_mmap_lock_write, mmap_write_trylock and +pmd lock; but when collapse_pte_mapped_thp() does the same (to handle the +case when the original mmap_write_trylock had failed), only +mmap_write_trylock and pmd lock are held. + +That's not enough. One machine has twice crashed under load, with "BUG: +spinlock bad magic" and GPF on 6b6b6b6b6b6b6b6b. Examining the second +crash, page_vma_mapped_walk_done()'s spin_unlock of pvmw->ptl (serving +page_referenced() on a file THP, that had found a page table at *pmd) +discovers that the page table page and its lock have already been freed by +the time it comes to unlock. 
+ +Follow the example of retract_page_tables(), but we only need one of huge +page lock or i_mmap_lock_write to secure against this: because it's the +narrower lock, and because it simplifies collapse_pte_mapped_thp() to know +the hpage earlier, choose to rely on huge page lock here. + +Fixes: 27e1f8273113 ("khugepaged: enable collapse pmd for pte-mapped THP") +Signed-off-by: Hugh Dickins +Signed-off-by: Andrew Morton +Acked-by: Kirill A. Shutemov +Cc: Andrea Arcangeli +Cc: Mike Kravetz +Cc: Song Liu +Cc: [5.4+] +Link: http://lkml.kernel.org/r/alpine.LSU.2.11.2008021213070.27773@eggly.anvils +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/khugepaged.c | 44 +++++++++++++++++++------------------------- + 1 file changed, 19 insertions(+), 25 deletions(-) + +--- a/mm/khugepaged.c ++++ b/mm/khugepaged.c +@@ -1412,7 +1412,7 @@ void collapse_pte_mapped_thp(struct mm_s + { + unsigned long haddr = addr & HPAGE_PMD_MASK; + struct vm_area_struct *vma = find_vma(mm, haddr); +- struct page *hpage = NULL; ++ struct page *hpage; + pte_t *start_pte, *pte; + pmd_t *pmd, _pmd; + spinlock_t *ptl; +@@ -1432,9 +1432,17 @@ void collapse_pte_mapped_thp(struct mm_s + if (!hugepage_vma_check(vma, vma->vm_flags | VM_HUGEPAGE)) + return; + ++ hpage = find_lock_page(vma->vm_file->f_mapping, ++ linear_page_index(vma, haddr)); ++ if (!hpage) ++ return; ++ ++ if (!PageHead(hpage)) ++ goto drop_hpage; ++ + pmd = mm_find_pmd(mm, haddr); + if (!pmd) +- return; ++ goto drop_hpage; + + start_pte = pte_offset_map_lock(mm, pmd, haddr, &ptl); + +@@ -1453,30 +1461,11 @@ void collapse_pte_mapped_thp(struct mm_s + + page = vm_normal_page(vma, addr, *pte); + +- if (!page || !PageCompound(page)) +- goto abort; +- +- if (!hpage) { +- hpage = compound_head(page); +- /* +- * The mapping of the THP should not change. +- * +- * Note that uprobe, debugger, or MAP_PRIVATE may +- * change the page table, but the new page will +- * not pass PageCompound() check. 
+- */ +- if (WARN_ON(hpage->mapping != vma->vm_file->f_mapping)) +- goto abort; +- } +- + /* +- * Confirm the page maps to the correct subpage. +- * +- * Note that uprobe, debugger, or MAP_PRIVATE may change +- * the page table, but the new page will not pass +- * PageCompound() check. ++ * Note that uprobe, debugger, or MAP_PRIVATE may change the ++ * page table, but the new page will not be a subpage of hpage. + */ +- if (WARN_ON(hpage + i != page)) ++ if (hpage + i != page) + goto abort; + count++; + } +@@ -1495,7 +1484,7 @@ void collapse_pte_mapped_thp(struct mm_s + pte_unmap_unlock(start_pte, ptl); + + /* step 3: set proper refcount and mm_counters. */ +- if (hpage) { ++ if (count) { + page_ref_sub(hpage, count); + add_mm_counter(vma->vm_mm, mm_counter_file(hpage), -count); + } +@@ -1506,10 +1495,15 @@ void collapse_pte_mapped_thp(struct mm_s + spin_unlock(ptl); + mm_dec_nr_ptes(mm); + pte_free(mm, pmd_pgtable(_pmd)); ++ ++drop_hpage: ++ unlock_page(hpage); ++ put_page(hpage); + return; + + abort: + pte_unmap_unlock(start_pte, ptl); ++ goto drop_hpage; + } + + static int khugepaged_collapse_pte_mapped_thps(struct mm_slot *mm_slot) diff --git a/queue-5.8/khugepaged-khugepaged_test_exit-check-mmget_still_valid.patch b/queue-5.8/khugepaged-khugepaged_test_exit-check-mmget_still_valid.patch new file mode 100644 index 00000000000..0829e5dbde5 --- /dev/null +++ b/queue-5.8/khugepaged-khugepaged_test_exit-check-mmget_still_valid.patch @@ -0,0 +1,56 @@ +From bbe98f9cadff58cdd6a4acaeba0efa8565dabe65 Mon Sep 17 00:00:00 2001 +From: Hugh Dickins +Date: Thu, 6 Aug 2020 23:26:25 -0700 +Subject: khugepaged: khugepaged_test_exit() check mmget_still_valid() + +From: Hugh Dickins + +commit bbe98f9cadff58cdd6a4acaeba0efa8565dabe65 upstream. + +Move collapse_huge_page()'s mmget_still_valid() check into +khugepaged_test_exit() itself. 
collapse_huge_page() is used for anon THP +only, and earned its mmget_still_valid() check because it inserts a huge +pmd entry in place of the page table's pmd entry; whereas +collapse_file()'s retract_page_tables() or collapse_pte_mapped_thp() +merely clears the page table's pmd entry. But core dumping without mmap +lock must have been as open to mistaking a racily cleared pmd entry for a +page table at physical page 0, as exit_mmap() was. And we certainly have +no interest in mapping as a THP once dumping core. + +Fixes: 59ea6d06cfa9 ("coredump: fix race condition between collapse_huge_page() and core dumping") +Signed-off-by: Hugh Dickins +Signed-off-by: Andrew Morton +Cc: Andrea Arcangeli +Cc: Song Liu +Cc: Mike Kravetz +Cc: Kirill A. Shutemov +Cc: [4.8+] +Link: http://lkml.kernel.org/r/alpine.LSU.2.11.2008021217020.27773@eggly.anvils +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/khugepaged.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +--- a/mm/khugepaged.c ++++ b/mm/khugepaged.c +@@ -431,7 +431,7 @@ static void insert_to_mm_slots_hash(stru + + static inline int khugepaged_test_exit(struct mm_struct *mm) + { +- return atomic_read(&mm->mm_users) == 0; ++ return atomic_read(&mm->mm_users) == 0 || !mmget_still_valid(mm); + } + + static bool hugepage_vma_check(struct vm_area_struct *vma, +@@ -1100,9 +1100,6 @@ static void collapse_huge_page(struct mm + * handled by the anon_vma lock + PG_lock. 
+ */ + mmap_write_lock(mm); +- result = SCAN_ANY_PROCESS; +- if (!mmget_still_valid(mm)) +- goto out; + result = hugepage_vma_revalidate(mm, address, &vma); + if (result) + goto out; diff --git a/queue-5.8/khugepaged-retract_page_tables-remember-to-test-exit.patch b/queue-5.8/khugepaged-retract_page_tables-remember-to-test-exit.patch new file mode 100644 index 00000000000..5e8ecd0022b --- /dev/null +++ b/queue-5.8/khugepaged-retract_page_tables-remember-to-test-exit.patch @@ -0,0 +1,99 @@ +From 18e77600f7a1ed69f8ce46c9e11cad0985712dfa Mon Sep 17 00:00:00 2001 +From: Hugh Dickins +Date: Thu, 6 Aug 2020 23:26:22 -0700 +Subject: khugepaged: retract_page_tables() remember to test exit + +From: Hugh Dickins + +commit 18e77600f7a1ed69f8ce46c9e11cad0985712dfa upstream. + +Only once have I seen this scenario (and forgot even to notice what forced +the eventual crash): a sequence of "BUG: Bad page map" alerts from +vm_normal_page(), from zap_pte_range() servicing exit_mmap(); +pmd:00000000, pte values corresponding to data in physical page 0. + +The pte mappings being zapped in this case were supposed to be from a huge +page of ext4 text (but could as well have been shmem): my belief is that +it was racing with collapse_file()'s retract_page_tables(), found *pmd +pointing to a page table, locked it, but *pmd had become 0 by the time +start_pte was decided. + +In most cases, that possibility is excluded by holding mmap lock; but +exit_mmap() proceeds without mmap lock. Most of what's run by khugepaged +checks khugepaged_test_exit() after acquiring mmap lock: +khugepaged_collapse_pte_mapped_thps() and hugepage_vma_revalidate() do so, +for example. But retract_page_tables() did not: fix that. + +The fix is for retract_page_tables() to check khugepaged_test_exit(), +after acquiring mmap lock, before doing anything to the page table. 
+Getting the mmap lock serializes with __mmput(), which briefly takes and +drops it in __khugepaged_exit(); then the khugepaged_test_exit() check on +mm_users makes sure we don't touch the page table once exit_mmap() might +reach it, since exit_mmap() will be proceeding without mmap lock, not +expecting anyone to be racing with it. + +Fixes: f3f0e1d2150b ("khugepaged: add support of collapse for tmpfs/shmem pages") +Signed-off-by: Hugh Dickins +Signed-off-by: Andrew Morton +Acked-by: Kirill A. Shutemov +Cc: Andrea Arcangeli +Cc: Mike Kravetz +Cc: Song Liu +Cc: [4.8+] +Link: http://lkml.kernel.org/r/alpine.LSU.2.11.2008021215400.27773@eggly.anvils +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/khugepaged.c | 24 ++++++++++++++---------- + 1 file changed, 14 insertions(+), 10 deletions(-) + +--- a/mm/khugepaged.c ++++ b/mm/khugepaged.c +@@ -1532,6 +1532,7 @@ out: + static void retract_page_tables(struct address_space *mapping, pgoff_t pgoff) + { + struct vm_area_struct *vma; ++ struct mm_struct *mm; + unsigned long addr; + pmd_t *pmd, _pmd; + +@@ -1560,7 +1561,8 @@ static void retract_page_tables(struct a + continue; + if (vma->vm_end < addr + HPAGE_PMD_SIZE) + continue; +- pmd = mm_find_pmd(vma->vm_mm, addr); ++ mm = vma->vm_mm; ++ pmd = mm_find_pmd(mm, addr); + if (!pmd) + continue; + /* +@@ -1570,17 +1572,19 @@ static void retract_page_tables(struct a + * mmap_lock while holding page lock. Fault path does it in + * reverse order. Trylock is a way to avoid deadlock. 
+ */ +- if (mmap_write_trylock(vma->vm_mm)) { +- spinlock_t *ptl = pmd_lock(vma->vm_mm, pmd); +- /* assume page table is clear */ +- _pmd = pmdp_collapse_flush(vma, addr, pmd); +- spin_unlock(ptl); +- mmap_write_unlock(vma->vm_mm); +- mm_dec_nr_ptes(vma->vm_mm); +- pte_free(vma->vm_mm, pmd_pgtable(_pmd)); ++ if (mmap_write_trylock(mm)) { ++ if (!khugepaged_test_exit(mm)) { ++ spinlock_t *ptl = pmd_lock(mm, pmd); ++ /* assume page table is clear */ ++ _pmd = pmdp_collapse_flush(vma, addr, pmd); ++ spin_unlock(ptl); ++ mm_dec_nr_ptes(mm); ++ pte_free(mm, pmd_pgtable(_pmd)); ++ } ++ mmap_write_unlock(mm); + } else { + /* Try again later */ +- khugepaged_add_pte_mapped_thp(vma->vm_mm, addr); ++ khugepaged_add_pte_mapped_thp(mm, addr); + } + } + i_mmap_unlock_write(mapping); diff --git a/queue-5.8/kprobes-fix-null-pointer-dereference-at-kprobe_ftrace_handler.patch b/queue-5.8/kprobes-fix-null-pointer-dereference-at-kprobe_ftrace_handler.patch new file mode 100644 index 00000000000..fa10e0a403c --- /dev/null +++ b/queue-5.8/kprobes-fix-null-pointer-dereference-at-kprobe_ftrace_handler.patch @@ -0,0 +1,94 @@ +From 0cb2f1372baa60af8456388a574af6133edd7d80 Mon Sep 17 00:00:00 2001 +From: Muchun Song +Date: Tue, 28 Jul 2020 14:45:36 +0800 +Subject: kprobes: Fix NULL pointer dereference at kprobe_ftrace_handler + +From: Muchun Song + +commit 0cb2f1372baa60af8456388a574af6133edd7d80 upstream. + +We found a case of kernel panic on our server. 
The stack trace is as +follows(omit some irrelevant information): + + BUG: kernel NULL pointer dereference, address: 0000000000000080 + RIP: 0010:kprobe_ftrace_handler+0x5e/0xe0 + RSP: 0018:ffffb512c6550998 EFLAGS: 00010282 + RAX: 0000000000000000 RBX: ffff8e9d16eea018 RCX: 0000000000000000 + RDX: ffffffffbe1179c0 RSI: ffffffffc0535564 RDI: ffffffffc0534ec0 + RBP: ffffffffc0534ec1 R08: ffff8e9d1bbb0f00 R09: 0000000000000004 + R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 + R13: ffff8e9d1f797060 R14: 000000000000bacc R15: ffff8e9ce13eca00 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000080 CR3: 00000008453d0005 CR4: 00000000003606e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + Call Trace: + + ftrace_ops_assist_func+0x56/0xe0 + ftrace_call+0x5/0x34 + tcpa_statistic_send+0x5/0x130 [ttcp_engine] + +The tcpa_statistic_send is the function being kprobed. After analysis, +the root cause is that the fourth parameter regs of kprobe_ftrace_handler +is NULL. Why regs is NULL? We use the crash tool to analyze the kdump. + + crash> dis tcpa_statistic_send -r + : callq 0xffffffffbd8018c0 + +The tcpa_statistic_send calls ftrace_caller instead of ftrace_regs_caller. +So it is reasonable that the fourth parameter regs of kprobe_ftrace_handler +is NULL. In theory, we should call the ftrace_regs_caller instead of the +ftrace_caller. After in-depth analysis, we found a reproducible path. + + Writing a simple kernel module which starts a periodic timer. The + timer's handler is named 'kprobe_test_timer_handler'. The module + name is kprobe_test.ko. 
+
+ 1) insmod kprobe_test.ko
+ 2) bpftrace -e 'kretprobe:kprobe_test_timer_handler {}'
+ 3) echo 0 > /proc/sys/kernel/ftrace_enabled
+ 4) rmmod kprobe_test
+ 5) stop step 2) kprobe
+ 6) insmod kprobe_test.ko
+ 7) bpftrace -e 'kretprobe:kprobe_test_timer_handler {}'
+
+We mark the kprobe as GONE in step 4) but do not disarm it. Step 5)
+does not disarm the kprobe on unregister either, so the ip is never
+removed from the ftrace filter. When the module is loaded again in
+step 6), ftrace_module_enable() patches the call site back to
+ftrace_caller. When we register the kprobe again, ftrace_caller is not
+replaced with ftrace_regs_caller because ftrace was disabled in step
+3). Step 7) then triggers the kernel panic. Fix this by disarming the
+kprobe when the module is going away.
+
+Link: https://lkml.kernel.org/r/20200728064536.24405-1-songmuchun@bytedance.com
+
+Cc: stable@vger.kernel.org
+Fixes: ae6aa16fdc16 ("kprobes: introduce ftrace based optimization")
+Acked-by: Masami Hiramatsu
+Signed-off-by: Muchun Song
+Co-developed-by: Chengming Zhou
+Signed-off-by: Chengming Zhou
+Signed-off-by: Steven Rostedt (VMware)
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/kprobes.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/kernel/kprobes.c
++++ b/kernel/kprobes.c
+@@ -2113,6 +2113,13 @@ static void kill_kprobe(struct kprobe *p
+ 	 * the original probed function (which will be freed soon) any more.
+ 	 */
+ 	arch_remove_kprobe(p);
++
++	/*
++	 * The module is going away. We should disarm the kprobe which
++	 * is using ftrace.
++ */ ++ if (kprobe_ftrace(p)) ++ disarm_kprobe_ftrace(p); + } + + /* Disable one kprobe */ diff --git a/queue-5.8/mac80211-fix-misplaced-while-instead-of-if.patch b/queue-5.8/mac80211-fix-misplaced-while-instead-of-if.patch new file mode 100644 index 00000000000..721a14e7ac8 --- /dev/null +++ b/queue-5.8/mac80211-fix-misplaced-while-instead-of-if.patch @@ -0,0 +1,37 @@ +From 5981fe5b0529ba25d95f37d7faa434183ad618c5 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Mon, 3 Aug 2020 11:02:10 +0200 +Subject: mac80211: fix misplaced while instead of if + +From: Johannes Berg + +commit 5981fe5b0529ba25d95f37d7faa434183ad618c5 upstream. + +This never was intended to be a 'while' loop, it should've +just been an 'if' instead of 'while'. Fix this. + +I noticed this while applying another patch from Ben that +intended to fix a busy loop at this spot. + +Cc: stable@vger.kernel.org +Fixes: b16798f5b907 ("mac80211: mark station unauthorized before key removal") +Reported-by: Ben Greear +Link: https://lore.kernel.org/r/20200803110209.253009ae41ff.I3522aad099392b31d5cf2dcca34cbac7e5832dde@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/sta_info.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/mac80211/sta_info.c ++++ b/net/mac80211/sta_info.c +@@ -1050,7 +1050,7 @@ static void __sta_info_destroy_part2(str + might_sleep(); + lockdep_assert_held(&local->sta_mtx); + +- while (sta->sta_state == IEEE80211_STA_AUTHORIZED) { ++ if (sta->sta_state == IEEE80211_STA_AUTHORIZED) { + ret = sta_info_move_state(sta, IEEE80211_STA_ASSOC); + WARN_ON_ONCE(ret); + } diff --git a/queue-5.8/md-raid5-fix-force-reconstruct-write-io-stuck-in-degraded-raid5.patch b/queue-5.8/md-raid5-fix-force-reconstruct-write-io-stuck-in-degraded-raid5.patch new file mode 100644 index 00000000000..d77ff7b4621 --- /dev/null +++ b/queue-5.8/md-raid5-fix-force-reconstruct-write-io-stuck-in-degraded-raid5.patch @@ -0,0 +1,55 @@ +From 
a1c6ae3d9f3dd6aa5981a332a6f700cf1c25edef Mon Sep 17 00:00:00 2001 +From: ChangSyun Peng +Date: Fri, 31 Jul 2020 17:50:17 +0800 +Subject: md/raid5: Fix Force reconstruct-write io stuck in degraded raid5 + +From: ChangSyun Peng + +commit a1c6ae3d9f3dd6aa5981a332a6f700cf1c25edef upstream. + +In degraded raid5, we need to read parity to do reconstruct-write when +data disks fail. However, we can not read parity from +handle_stripe_dirtying() in force reconstruct-write mode. + +Reproducible Steps: + +1. Create degraded raid5 +mdadm -C /dev/md2 --assume-clean -l5 -n3 /dev/sda2 /dev/sdb2 missing +2. Set rmw_level to 0 +echo 0 > /sys/block/md2/md/rmw_level +3. IO to raid5 + +Now some io may be stuck in raid5. We can use handle_stripe_fill() to read +the parity in this situation. + +Cc: # v4.4+ +Reviewed-by: Alex Wu +Reviewed-by: BingJing Chang +Reviewed-by: Danny Shih +Signed-off-by: ChangSyun Peng +Signed-off-by: Song Liu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/raid5.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/md/raid5.c ++++ b/drivers/md/raid5.c +@@ -3607,6 +3607,7 @@ static int need_this_block(struct stripe + * is missing/faulty, then we need to read everything we can. + */ + if (sh->raid_conf->level != 6 && ++ sh->raid_conf->rmw_level != PARITY_DISABLE_RMW && + sh->sector < sh->raid_conf->mddev->recovery_cp) + /* reconstruct-write isn't being forced */ + return 0; +@@ -4842,7 +4843,7 @@ static void handle_stripe(struct stripe_ + * or to load a block that is being partially written. 
+ 	 */
+ 	if (s.to_read || s.non_overwrite
+-	    || (conf->level == 6 && s.to_write && s.failed)
++	    || (s.to_write && s.failed)
+ 	    || (s.syncing && (s.uptodate + s.compute < disks))
+ 	    || s.replacing
+ 	    || s.expanding)
diff --git a/queue-5.8/mips-cpu-0-is-not-hotpluggable.patch b/queue-5.8/mips-cpu-0-is-not-hotpluggable.patch
new file mode 100644
index 00000000000..f58ea01fc47
--- /dev/null
+++ b/queue-5.8/mips-cpu-0-is-not-hotpluggable.patch
@@ -0,0 +1,32 @@
+From 9cce844abf07b683cff5f0273977d5f8d0af94c7 Mon Sep 17 00:00:00 2001
+From: Huacai Chen
+Date: Thu, 16 Jul 2020 18:40:23 +0800
+Subject: MIPS: CPU#0 is not hotpluggable
+
+From: Huacai Chen
+
+commit 9cce844abf07b683cff5f0273977d5f8d0af94c7 upstream.
+
+CPU#0 is not hotpluggable on MIPS, so do not create /sys/devices
+/system/cpu/cpu0/online, which confuses some user-space tools.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Huacai Chen
+Signed-off-by: Thomas Bogendoerfer
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/kernel/topology.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/kernel/topology.c
++++ b/arch/mips/kernel/topology.c
+@@ -20,7 +20,7 @@ static int __init topology_init(void)
+ 	for_each_present_cpu(i) {
+ 		struct cpu *c = &per_cpu(cpu_devices, i);
+
+-		c->hotpluggable = 1;
++		c->hotpluggable = !!i;
+ 		ret = register_cpu(c, i);
+ 		if (ret)
+ 			printk(KERN_WARNING "topology_init: register_cpu %d " diff --git a/queue-5.8/mips-qi_lb60-fix-routing-to-audio-amplifier.patch b/queue-5.8/mips-qi_lb60-fix-routing-to-audio-amplifier.patch
new file mode 100644
index 00000000000..26a1e8fb113
--- /dev/null
+++ b/queue-5.8/mips-qi_lb60-fix-routing-to-audio-amplifier.patch
@@ -0,0 +1,34 @@
+From 0889a67a9e7a56ba39af223d536630b20b877fda Mon Sep 17 00:00:00 2001
+From: Paul Cercueil
+Date: Mon, 27 Jul 2020 20:11:28 +0200
+Subject: MIPS: qi_lb60: Fix routing to audio amplifier
+
+From: Paul Cercueil
+
+commit 0889a67a9e7a56ba39af223d536630b20b877fda upstream.
+ +The ROUT (right channel output of audio codec) was connected to INL +(left channel of audio amplifier) instead of INR (right channel of audio +amplifier). + +Fixes: 8ddebad15e9b ("MIPS: qi_lb60: Migrate to devicetree") +Cc: stable@vger.kernel.org # v5.3 +Signed-off-by: Paul Cercueil +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/boot/dts/ingenic/qi_lb60.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/boot/dts/ingenic/qi_lb60.dts ++++ b/arch/mips/boot/dts/ingenic/qi_lb60.dts +@@ -69,7 +69,7 @@ + "Speaker", "OUTL", + "Speaker", "OUTR", + "INL", "LOUT", +- "INL", "ROUT"; ++ "INR", "ROUT"; + + simple-audio-card,aux-devs = <&>; + diff --git a/queue-5.8/mips-sgi-ip27-always-enable-numa-in-kconfig.patch b/queue-5.8/mips-sgi-ip27-always-enable-numa-in-kconfig.patch new file mode 100644 index 00000000000..3b4b13bc896 --- /dev/null +++ b/queue-5.8/mips-sgi-ip27-always-enable-numa-in-kconfig.patch @@ -0,0 +1,76 @@ +From 6c86a3029ce3b44597526909f2e39a77a497f640 Mon Sep 17 00:00:00 2001 +From: Mike Rapoport +Date: Wed, 5 Aug 2020 15:51:41 +0300 +Subject: MIPS: SGI-IP27: always enable NUMA in Kconfig + +From: Mike Rapoport + +commit 6c86a3029ce3b44597526909f2e39a77a497f640 upstream. + +When a configuration has NUMA disabled and SGI_IP27 enabled, the build +fails: + + CC kernel/bounds.s + CC arch/mips/kernel/asm-offsets.s +In file included from arch/mips/include/asm/topology.h:11, + from include/linux/topology.h:36, + from include/linux/gfp.h:9, + from include/linux/slab.h:15, + from include/linux/crypto.h:19, + from include/crypto/hash.h:11, + from include/linux/uio.h:10, + from include/linux/socket.h:8, + from include/linux/compat.h:15, + from arch/mips/kernel/asm-offsets.c:12: +include/linux/topology.h: In function 'numa_node_id': +arch/mips/include/asm/mach-ip27/topology.h:16:27: error: implicit declaration of function 'cputonasid'; did you mean 'cpu_vpe_id'? 
[-Werror=implicit-function-declaration] + #define cpu_to_node(cpu) (cputonasid(cpu)) + ^~~~~~~~~~ +include/linux/topology.h:119:9: note: in expansion of macro 'cpu_to_node' + return cpu_to_node(raw_smp_processor_id()); + ^~~~~~~~~~~ +include/linux/topology.h: In function 'cpu_cpu_mask': +arch/mips/include/asm/mach-ip27/topology.h:19:7: error: implicit declaration of function 'hub_data' [-Werror=implicit-function-declaration] + &hub_data(node)->h_cpus) + ^~~~~~~~ +include/linux/topology.h:210:9: note: in expansion of macro 'cpumask_of_node' + return cpumask_of_node(cpu_to_node(cpu)); + ^~~~~~~~~~~~~~~ +arch/mips/include/asm/mach-ip27/topology.h:19:21: error: invalid type argument of '->' (have 'int') + &hub_data(node)->h_cpus) + ^~ +include/linux/topology.h:210:9: note: in expansion of macro 'cpumask_of_node' + return cpumask_of_node(cpu_to_node(cpu)); + ^~~~~~~~~~~~~~~ + +Before switch from discontigmem to sparsemem, there always was +CONFIG_NEED_MULTIPLE_NODES=y because it was selected by DISCONTIGMEM. +Without DISCONTIGMEM it is possible to have SPARSEMEM without NUMA for +SGI_IP27 and as many things there rely on custom node definition, the +build breaks. + +As Thomas noted "... there are right now too many places in IP27 code, +which assumes NUMA enabled", the simplest solution would be to always +enable NUMA for SGI-IP27 builds. + +Reported-by: kernel test robot +Fixes: 397dc00e249e ("mips: sgi-ip27: switch from DISCONTIGMEM to SPARSEMEM") +Cc: stable@vger.kernel.org +Signed-off-by: Mike Rapoport +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/mips/Kconfig ++++ b/arch/mips/Kconfig +@@ -678,6 +678,7 @@ config SGI_IP27 + select SYS_SUPPORTS_NUMA + select SYS_SUPPORTS_SMP + select MIPS_L1_CACHE_SHIFT_7 ++ select NUMA + help + This are the SGI Origin 200, Origin 2000 and Onyx 2 Graphics + workstations. 
To compile a Linux kernel that runs on these, say Y diff --git a/queue-5.8/mm-fix-kthread_use_mm-vs-tlb-invalidate.patch b/queue-5.8/mm-fix-kthread_use_mm-vs-tlb-invalidate.patch new file mode 100644 index 00000000000..9b432620977 --- /dev/null +++ b/queue-5.8/mm-fix-kthread_use_mm-vs-tlb-invalidate.patch @@ -0,0 +1,103 @@ +From 38cf307c1f2011d413750c5acb725456f47d9172 Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Thu, 6 Aug 2020 23:17:16 -0700 +Subject: mm: fix kthread_use_mm() vs TLB invalidate + +From: Peter Zijlstra + +commit 38cf307c1f2011d413750c5acb725456f47d9172 upstream. + +For SMP systems using IPI based TLB invalidation, looking at +current->active_mm is entirely reasonable. This then presents the +following race condition: + + CPU0 CPU1 + + flush_tlb_mm(mm) use_mm(mm) + + tsk->active_mm = mm; + + if (tsk->active_mm == mm) + // flush TLBs + + switch_mm(old_mm,mm,tsk); + +Where it is possible the IPI flushed the TLBs for @old_mm, not @mm, +because the IPI lands before we actually switched. + +Avoid this by disabling IRQs across changing ->active_mm and +switch_mm(). + +Of the (SMP) architectures that have IPI based TLB invalidate: + + Alpha - checks active_mm + ARC - ASID specific + IA64 - checks active_mm + MIPS - ASID specific flush + OpenRISC - shoots down world + PARISC - shoots down world + SH - ASID specific + SPARC - ASID specific + x86 - N/A + xtensa - checks active_mm + +So at the very least Alpha, IA64 and Xtensa are suspect. + +On top of this, for scheduler consistency we need at least preemption +disabled across changing tsk->mm and doing switch_mm(), which is +currently provided by task_lock(), but that's not sufficient for +PREEMPT_RT. 
+ +[akpm@linux-foundation.org: add comment] + +Reported-by: Andy Lutomirski +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Andrew Morton +Cc: Nicholas Piggin +Cc: Jens Axboe +Cc: Kees Cook +Cc: Jann Horn +Cc: Will Deacon +Cc: Christoph Hellwig +Cc: Mathieu Desnoyers +Cc: +Link: http://lkml.kernel.org/r/20200721154106.GE10769@hirez.programming.kicks-ass.net +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/kthread.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/kernel/kthread.c ++++ b/kernel/kthread.c +@@ -1239,13 +1239,16 @@ void kthread_use_mm(struct mm_struct *mm + WARN_ON_ONCE(tsk->mm); + + task_lock(tsk); ++ /* Hold off tlb flush IPIs while switching mm's */ ++ local_irq_disable(); + active_mm = tsk->active_mm; + if (active_mm != mm) { + mmgrab(mm); + tsk->active_mm = mm; + } + tsk->mm = mm; +- switch_mm(active_mm, mm, tsk); ++ switch_mm_irqs_off(active_mm, mm, tsk); ++ local_irq_enable(); + task_unlock(tsk); + #ifdef finish_arch_post_lock_switch + finish_arch_post_lock_switch(); +@@ -1274,9 +1277,11 @@ void kthread_unuse_mm(struct mm_struct * + + task_lock(tsk); + sync_mm_rss(mm); ++ local_irq_disable(); + tsk->mm = NULL; + /* active_mm is still 'mm' */ + enter_lazy_tlb(mm, tsk); ++ local_irq_enable(); + task_unlock(tsk); + } + EXPORT_SYMBOL_GPL(kthread_unuse_mm); diff --git a/queue-5.8/mm-hugetlb-fix-calculation-of-adjust_range_if_pmd_sharing_possible.patch b/queue-5.8/mm-hugetlb-fix-calculation-of-adjust_range_if_pmd_sharing_possible.patch new file mode 100644 index 00000000000..2ff5ab4e5ec --- /dev/null +++ b/queue-5.8/mm-hugetlb-fix-calculation-of-adjust_range_if_pmd_sharing_possible.patch @@ -0,0 +1,91 @@ +From 75802ca66354a39ab8e35822747cd08b3384a99a Mon Sep 17 00:00:00 2001 +From: Peter Xu +Date: Thu, 6 Aug 2020 23:26:11 -0700 +Subject: mm/hugetlb: fix calculation of adjust_range_if_pmd_sharing_possible + +From: Peter Xu + +commit 75802ca66354a39ab8e35822747cd08b3384a99a upstream. 
+ +This is found by code observation only. + +Firstly, the worst case scenario should assume the whole range was covered +by pmd sharing. The old algorithm might not work as expected for ranges +like (1g-2m, 1g+2m), where the adjusted range should be (0, 1g+2m) but the +expected range should be (0, 2g). + +Since at it, remove the loop since it should not be required. With that, +the new code should be faster too when the invalidating range is huge. + +Mike said: + +: With range (1g-2m, 1g+2m) within a vma (0, 2g) the existing code will only +: adjust to (0, 1g+2m) which is incorrect. +: +: We should cc stable. The original reason for adjusting the range was to +: prevent data corruption (getting wrong page). Since the range is not +: always adjusted correctly, the potential for corruption still exists. +: +: However, I am fairly confident that adjust_range_if_pmd_sharing_possible +: is only gong to be called in two cases: +: +: 1) for a single page +: 2) for range == entire vma +: +: In those cases, the current code should produce the correct results. +: +: To be safe, let's just cc stable. 
+ +Fixes: 017b1660df89 ("mm: migration: fix migration of huge PMD shared pages") +Signed-off-by: Peter Xu +Signed-off-by: Andrew Morton +Reviewed-by: Mike Kravetz +Cc: Andrea Arcangeli +Cc: Matthew Wilcox +Cc: +Link: http://lkml.kernel.org/r/20200730201636.74778-1-peterx@redhat.com +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/hugetlb.c | 24 ++++++++++-------------- + 1 file changed, 10 insertions(+), 14 deletions(-) + +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -5313,25 +5313,21 @@ static bool vma_shareable(struct vm_area + void adjust_range_if_pmd_sharing_possible(struct vm_area_struct *vma, + unsigned long *start, unsigned long *end) + { +- unsigned long check_addr; ++ unsigned long a_start, a_end; + + if (!(vma->vm_flags & VM_MAYSHARE)) + return; + +- for (check_addr = *start; check_addr < *end; check_addr += PUD_SIZE) { +- unsigned long a_start = check_addr & PUD_MASK; +- unsigned long a_end = a_start + PUD_SIZE; ++ /* Extend the range to be PUD aligned for a worst case scenario */ ++ a_start = ALIGN_DOWN(*start, PUD_SIZE); ++ a_end = ALIGN(*end, PUD_SIZE); + +- /* +- * If sharing is possible, adjust start/end if necessary. 
+- */ +- if (range_in_vma(vma, a_start, a_end)) { +- if (a_start < *start) +- *start = a_start; +- if (a_end > *end) +- *end = a_end; +- } +- } ++ /* ++ * Intersect the range with the vma range, since pmd sharing won't be ++ * across vma after all ++ */ ++ *start = max(vma->vm_start, a_start); ++ *end = min(vma->vm_end, a_end); + } + + /* diff --git a/queue-5.8/mm-memory_hotplug-fix-unpaired-mem_hotplug_begin-done.patch b/queue-5.8/mm-memory_hotplug-fix-unpaired-mem_hotplug_begin-done.patch new file mode 100644 index 00000000000..214395cea31 --- /dev/null +++ b/queue-5.8/mm-memory_hotplug-fix-unpaired-mem_hotplug_begin-done.patch @@ -0,0 +1,92 @@ +From b4223a510e2ab1bf0f971d50af7c1431014b25ad Mon Sep 17 00:00:00 2001 +From: Jia He +Date: Tue, 11 Aug 2020 18:32:20 -0700 +Subject: mm/memory_hotplug: fix unpaired mem_hotplug_begin/done + +From: Jia He + +commit b4223a510e2ab1bf0f971d50af7c1431014b25ad upstream. + +When check_memblock_offlined_cb() returns failed rc(e.g. the memblock is +online at that time), mem_hotplug_begin/done is unpaired in such case. + +Therefore a warning: + Call Trace: + percpu_up_write+0x33/0x40 + try_remove_memory+0x66/0x120 + ? 
_cond_resched+0x19/0x30 + remove_memory+0x2b/0x40 + dev_dax_kmem_remove+0x36/0x72 [kmem] + device_release_driver_internal+0xf0/0x1c0 + device_release_driver+0x12/0x20 + bus_remove_device+0xe1/0x150 + device_del+0x17b/0x3e0 + unregister_dev_dax+0x29/0x60 + devm_action_release+0x15/0x20 + release_nodes+0x19a/0x1e0 + devres_release_all+0x3f/0x50 + device_release_driver_internal+0x100/0x1c0 + driver_detach+0x4c/0x8f + bus_remove_driver+0x5c/0xd0 + driver_unregister+0x31/0x50 + dax_pmem_exit+0x10/0xfe0 [dax_pmem] + +Fixes: f1037ec0cc8a ("mm/memory_hotplug: fix remove_memory() lockdep splat") +Signed-off-by: Jia He +Signed-off-by: Andrew Morton +Reviewed-by: David Hildenbrand +Acked-by: Michal Hocko +Acked-by: Dan Williams +Cc: [5.6+] +Cc: Andy Lutomirski +Cc: Baoquan He +Cc: Borislav Petkov +Cc: Catalin Marinas +Cc: Chuhong Yuan +Cc: Dave Hansen +Cc: Dave Jiang +Cc: Fenghua Yu +Cc: "H. Peter Anvin" +Cc: Ingo Molnar +Cc: Jonathan Cameron +Cc: Kaly Xin +Cc: Logan Gunthorpe +Cc: Masahiro Yamada +Cc: Mike Rapoport +Cc: Peter Zijlstra +Cc: Rich Felker +Cc: Thomas Gleixner +Cc: Tony Luck +Cc: Vishal Verma +Cc: Will Deacon +Cc: Yoshinori Sato +Link: http://lkml.kernel.org/r/20200710031619.18762-3-justin.he@arm.com +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/memory_hotplug.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/mm/memory_hotplug.c ++++ b/mm/memory_hotplug.c +@@ -1742,7 +1742,7 @@ static int __ref try_remove_memory(int n + */ + rc = walk_memory_blocks(start, size, NULL, check_memblock_offlined_cb); + if (rc) +- goto done; ++ return rc; + + /* remove memmap entry */ + firmware_map_remove(start, start + size, "System RAM"); +@@ -1766,9 +1766,8 @@ static int __ref try_remove_memory(int n + + try_offline_node(nid); + +-done: + mem_hotplug_done(); +- return rc; ++ return 0; + } + + /** diff --git a/queue-5.8/mm-page_counter.c-fix-protection-usage-propagation.patch 
b/queue-5.8/mm-page_counter.c-fix-protection-usage-propagation.patch new file mode 100644 index 00000000000..b19223fa529 --- /dev/null +++ b/queue-5.8/mm-page_counter.c-fix-protection-usage-propagation.patch @@ -0,0 +1,78 @@ +From a6f23d14ec7d7d02220ad8bb2774be3322b9aeec Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Michal=20Koutn=C3=BD?= +Date: Thu, 6 Aug 2020 23:22:18 -0700 +Subject: mm/page_counter.c: fix protection usage propagation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michal Koutný + +commit a6f23d14ec7d7d02220ad8bb2774be3322b9aeec upstream. + +When workload runs in cgroups that aren't directly below root cgroup and +their parent specifies reclaim protection, it may end up ineffective. + +The reason is that propagate_protected_usage() is not called in all +hierarchy up. All the protected usage is incorrectly accumulated in the +workload's parent. This means that siblings_low_usage is overestimated +and effective protection underestimated. Even though it is transitional +phenomenon (uncharge path does correct propagation and fixes the wrong +children_low_usage), it can undermine the intended protection +unexpectedly. + +We have noticed this problem while seeing a swap out in a descendant of a +protected memcg (intermediate node) while the parent was conveniently +under its protection limit and the memory pressure was external to that +hierarchy. Michal has pinpointed this down to the wrong +siblings_low_usage which led to the unwanted reclaim. + +The fix is simply updating children_low_usage in respective ancestors also +in the charging path. 
+ +Fixes: 230671533d64 ("mm: memory.low hierarchical behavior") +Signed-off-by: Michal Koutný +Signed-off-by: Michal Hocko +Signed-off-by: Andrew Morton +Acked-by: Michal Hocko +Acked-by: Roman Gushchin +Cc: Johannes Weiner +Cc: Tejun Heo +Cc: [4.18+] +Link: http://lkml.kernel.org/r/20200803153231.15477-1-mhocko@kernel.org +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/page_counter.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/mm/page_counter.c ++++ b/mm/page_counter.c +@@ -72,7 +72,7 @@ void page_counter_charge(struct page_cou + long new; + + new = atomic_long_add_return(nr_pages, &c->usage); +- propagate_protected_usage(counter, new); ++ propagate_protected_usage(c, new); + /* + * This is indeed racy, but we can live with some + * inaccuracy in the watermark. +@@ -116,7 +116,7 @@ bool page_counter_try_charge(struct page + new = atomic_long_add_return(nr_pages, &c->usage); + if (new > c->max) { + atomic_long_sub(nr_pages, &c->usage); +- propagate_protected_usage(counter, new); ++ propagate_protected_usage(c, new); + /* + * This is racy, but we can live with some + * inaccuracy in the failcnt. +@@ -125,7 +125,7 @@ bool page_counter_try_charge(struct page + *fail = c; + goto failed; + } +- propagate_protected_usage(counter, new); ++ propagate_protected_usage(c, new); + /* + * Just like with failcnt, we can live with some + * inaccuracy in the watermark. 
diff --git a/queue-5.8/mm-shuffle-don-t-move-pages-between-zones-and-don-t-read-garbage-memmaps.patch b/queue-5.8/mm-shuffle-don-t-move-pages-between-zones-and-don-t-read-garbage-memmaps.patch new file mode 100644 index 00000000000..0470b5bffac --- /dev/null +++ b/queue-5.8/mm-shuffle-don-t-move-pages-between-zones-and-don-t-read-garbage-memmaps.patch @@ -0,0 +1,102 @@ +From 4a93025cbe4a0b19d1a25a2d763a3d2018bad0d9 Mon Sep 17 00:00:00 2001 +From: David Hildenbrand +Date: Thu, 6 Aug 2020 23:17:13 -0700 +Subject: mm/shuffle: don't move pages between zones and don't read garbage memmaps + +From: David Hildenbrand + +commit 4a93025cbe4a0b19d1a25a2d763a3d2018bad0d9 upstream. + +Especially with memory hotplug, we can have offline sections (with a +garbage memmap) and overlapping zones. We have to make sure to only touch +initialized memmaps (online sections managed by the buddy) and that the +zone matches, to not move pages between zones. + +To test if this can actually happen, I added a simple + + BUG_ON(page_zone(page_i) != page_zone(page_j)); + +right before the swap. When hotplugging a 256M DIMM to a 4G x86-64 VM and +onlining the first memory block "online_movable" and the second memory +block "online_kernel", it will trigger the BUG, as both zones (NORMAL and +MOVABLE) overlap. + +This might result in all kinds of weird situations (e.g., double +allocations, list corruptions, unmovable allocations ending up in the +movable zone). 
+ +Fixes: e900a918b098 ("mm: shuffle initial free memory to improve memory-side-cache utilization") +Signed-off-by: David Hildenbrand +Signed-off-by: Andrew Morton +Reviewed-by: Wei Yang +Acked-by: Michal Hocko +Acked-by: Dan Williams +Cc: Andrew Morton +Cc: Johannes Weiner +Cc: Michal Hocko +Cc: Minchan Kim +Cc: Huang Ying +Cc: Wei Yang +Cc: Mel Gorman +Cc: [5.2+] +Link: http://lkml.kernel.org/r/20200624094741.9918-2-david@redhat.com +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/shuffle.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +--- a/mm/shuffle.c ++++ b/mm/shuffle.c +@@ -58,25 +58,25 @@ module_param_call(shuffle, shuffle_store + * For two pages to be swapped in the shuffle, they must be free (on a + * 'free_area' lru), have the same order, and have the same migratetype. + */ +-static struct page * __meminit shuffle_valid_page(unsigned long pfn, int order) ++static struct page * __meminit shuffle_valid_page(struct zone *zone, ++ unsigned long pfn, int order) + { +- struct page *page; ++ struct page *page = pfn_to_online_page(pfn); + + /* + * Given we're dealing with randomly selected pfns in a zone we + * need to ask questions like... + */ + +- /* ...is the pfn even in the memmap? */ +- if (!pfn_valid_within(pfn)) ++ /* ... is the page managed by the buddy? */ ++ if (!page) + return NULL; + +- /* ...is the pfn in a present section or a hole? */ +- if (!pfn_in_present_section(pfn)) ++ /* ... is the page assigned to the same zone? */ ++ if (page_zone(page) != zone) + return NULL; + + /* ...is the page free and currently on a free_area list? */ +- page = pfn_to_page(pfn); + if (!PageBuddy(page)) + return NULL; + +@@ -123,7 +123,7 @@ void __meminit __shuffle_zone(struct zon + * page_j randomly selected in the span @zone_start_pfn to + * @spanned_pages. 
+ */ +- page_i = shuffle_valid_page(i, order); ++ page_i = shuffle_valid_page(z, i, order); + if (!page_i) + continue; + +@@ -137,7 +137,7 @@ void __meminit __shuffle_zone(struct zon + j = z->zone_start_pfn + + ALIGN_DOWN(get_random_long() % z->spanned_pages, + order_pages); +- page_j = shuffle_valid_page(j, order); ++ page_j = shuffle_valid_page(z, j, order); + if (page_j && page_j != page_i) + break; + } diff --git a/queue-5.8/net-compat-add-missing-sock-updates-for-scm_rights.patch b/queue-5.8/net-compat-add-missing-sock-updates-for-scm_rights.patch new file mode 100644 index 00000000000..c10cbac312a --- /dev/null +++ b/queue-5.8/net-compat-add-missing-sock-updates-for-scm_rights.patch @@ -0,0 +1,89 @@ +From d9539752d23283db4692384a634034f451261e29 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Tue, 9 Jun 2020 16:11:29 -0700 +Subject: net/compat: Add missing sock updates for SCM_RIGHTS + +From: Kees Cook + +commit d9539752d23283db4692384a634034f451261e29 upstream. + +Add missed sock updates to compat path via a new helper, which will be +used more in coming patches. (The net/core/scm.c code is left as-is here +to assist with -stable backports for the compat path.) 
+ +Cc: Christoph Hellwig +Cc: Sargun Dhillon +Cc: Jakub Kicinski +Cc: stable@vger.kernel.org +Fixes: 48a87cc26c13 ("net: netprio: fd passed in SCM_RIGHTS datagram not set correctly") +Fixes: d84295067fc7 ("net: net_cls: fd passed in SCM_RIGHTS datagram not set correctly") +Acked-by: Christian Brauner +Signed-off-by: Kees Cook +Signed-off-by: Greg Kroah-Hartman + +--- + include/net/sock.h | 4 ++++ + net/compat.c | 1 + + net/core/sock.c | 21 +++++++++++++++++++++ + 3 files changed, 26 insertions(+) + +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -891,6 +891,8 @@ static inline int sk_memalloc_socks(void + { + return static_branch_unlikely(&memalloc_socks_key); + } ++ ++void __receive_sock(struct file *file); + #else + + static inline int sk_memalloc_socks(void) +@@ -898,6 +900,8 @@ static inline int sk_memalloc_socks(void + return 0; + } + ++static inline void __receive_sock(struct file *file) ++{ } + #endif + + static inline gfp_t sk_gfp_mask(const struct sock *sk, gfp_t gfp_mask) +--- a/net/compat.c ++++ b/net/compat.c +@@ -309,6 +309,7 @@ void scm_detach_fds_compat(struct msghdr + break; + } + /* Bump the usage count and install the file. */ ++ __receive_sock(fp[i]); + fd_install(new_fd, get_file(fp[i])); + } + +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -2842,6 +2842,27 @@ int sock_no_mmap(struct file *file, stru + } + EXPORT_SYMBOL(sock_no_mmap); + ++/* ++ * When a file is received (via SCM_RIGHTS, etc), we must bump the ++ * various sock-based usage counts. ++ */ ++void __receive_sock(struct file *file) ++{ ++ struct socket *sock; ++ int error; ++ ++ /* ++ * The resulting value of "error" is ignored here since we only ++ * need to take action when the file is a socket and testing ++ * "sock" for NULL is sufficient. 
++ */ ++ sock = sock_from_file(file, &error); ++ if (sock) { ++ sock_update_netprioidx(&sock->sk->sk_cgrp_data); ++ sock_update_classid(&sock->sk->sk_cgrp_data); ++ } ++} ++ + ssize_t sock_no_sendpage(struct socket *sock, struct page *page, int offset, size_t size, int flags) + { + ssize_t res; diff --git a/queue-5.8/net-ethernet-stmmac-disable-hardware-multicast-filter.patch b/queue-5.8/net-ethernet-stmmac-disable-hardware-multicast-filter.patch new file mode 100644 index 00000000000..001356834aa --- /dev/null +++ b/queue-5.8/net-ethernet-stmmac-disable-hardware-multicast-filter.patch @@ -0,0 +1,39 @@ +From df43dd526e6609769ae513a81443c7aa727c8ca3 Mon Sep 17 00:00:00 2001 +From: Jonathan McDowell +Date: Wed, 12 Aug 2020 20:37:23 +0100 +Subject: net: ethernet: stmmac: Disable hardware multicast filter + +From: Jonathan McDowell + +commit df43dd526e6609769ae513a81443c7aa727c8ca3 upstream. + +The IPQ806x does not appear to have a functional multicast ethernet +address filter. This was observed as a failure to correctly receive IPv6 +packets on a LAN to the all stations address. Checking the vendor driver +shows that it does not attempt to enable the multicast filter and +instead falls back to receiving all multicast packets, internally +setting ALLMULTI. + +Use the new fallback support in the dwmac1000 driver to correctly +achieve the same with the mainline IPQ806x driver. Confirmed to fix IPv6 +functionality on an RB3011 router. + +Cc: stable@vger.kernel.org +Signed-off-by: Jonathan McDowell +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c +@@ -351,6 +351,7 @@ static int ipq806x_gmac_probe(struct pla + plat_dat->has_gmac = true; + plat_dat->bsp_priv = gmac; + plat_dat->fix_mac_speed = ipq806x_gmac_fix_mac_speed; ++ plat_dat->multicast_filter_bins = 0; + + err = stmmac_dvr_probe(&pdev->dev, plat_dat, &stmmac_res); + if (err) diff --git a/queue-5.8/net-stmmac-dwmac1000-provide-multicast-filter-fallback.patch b/queue-5.8/net-stmmac-dwmac1000-provide-multicast-filter-fallback.patch new file mode 100644 index 00000000000..61a0e26f335 --- /dev/null +++ b/queue-5.8/net-stmmac-dwmac1000-provide-multicast-filter-fallback.patch @@ -0,0 +1,35 @@ +From 592d751c1e174df5ff219946908b005eb48934b3 Mon Sep 17 00:00:00 2001 +From: Jonathan McDowell +Date: Wed, 12 Aug 2020 20:37:01 +0100 +Subject: net: stmmac: dwmac1000: provide multicast filter fallback + +From: Jonathan McDowell + +commit 592d751c1e174df5ff219946908b005eb48934b3 upstream. + +If we don't have a hardware multicast filter available then instead of +silently failing to listen for the requested ethernet broadcast +addresses fall back to receiving all multicast packets, in a similar +fashion to other drivers with no multicast filter. + +Cc: stable@vger.kernel.org +Signed-off-by: Jonathan McDowell +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c +@@ -164,6 +164,9 @@ static void dwmac1000_set_filter(struct + value = GMAC_FRAME_FILTER_PR | GMAC_FRAME_FILTER_PCF; + } else if (dev->flags & IFF_ALLMULTI) { + value = GMAC_FRAME_FILTER_PM; /* pass all multi */ ++ } else if (!netdev_mc_empty(dev) && (mcbitslog2 == 0)) { ++ /* Fall back to all multicast if we've no filter */ ++ value = GMAC_FRAME_FILTER_PM; + } else if (!netdev_mc_empty(dev)) { + struct netdev_hw_addr *ha; + diff --git a/queue-5.8/ocfs2-change-slot-number-type-s16-to-u16.patch b/queue-5.8/ocfs2-change-slot-number-type-s16-to-u16.patch new file mode 100644 index 00000000000..59675b1abcb --- /dev/null +++ b/queue-5.8/ocfs2-change-slot-number-type-s16-to-u16.patch @@ -0,0 +1,87 @@ +From 38d51b2dd171ad973afc1f5faab825ed05a2d5e9 Mon Sep 17 00:00:00 2001 +From: Junxiao Bi +Date: Thu, 6 Aug 2020 23:18:02 -0700 +Subject: ocfs2: change slot number type s16 to u16 + +From: Junxiao Bi + +commit 38d51b2dd171ad973afc1f5faab825ed05a2d5e9 upstream. + +Dan Carpenter reported the following static checker warning. + + fs/ocfs2/super.c:1269 ocfs2_parse_options() warn: '(-1)' 65535 can't fit into 32767 'mopt->slot' + fs/ocfs2/suballoc.c:859 ocfs2_init_inode_steal_slot() warn: '(-1)' 65535 can't fit into 32767 'osb->s_inode_steal_slot' + fs/ocfs2/suballoc.c:867 ocfs2_init_meta_steal_slot() warn: '(-1)' 65535 can't fit into 32767 'osb->s_meta_steal_slot' + +That's because OCFS2_INVALID_SLOT is (u16)-1. A slot number in ocfs2 can +never be negative, so change s16 to u16.
+ +Fixes: 9277f8334ffc ("ocfs2: fix value of OCFS2_INVALID_SLOT") +Reported-by: Dan Carpenter +Signed-off-by: Junxiao Bi +Signed-off-by: Andrew Morton +Reviewed-by: Joseph Qi +Reviewed-by: Gang He +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Jun Piao +Cc: +Link: http://lkml.kernel.org/r/20200627001259.19757-1-junxiao.bi@oracle.com +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ocfs2/ocfs2.h | 4 ++-- + fs/ocfs2/suballoc.c | 4 ++-- + fs/ocfs2/super.c | 4 ++-- + 3 files changed, 6 insertions(+), 6 deletions(-) + +--- a/fs/ocfs2/ocfs2.h ++++ b/fs/ocfs2/ocfs2.h +@@ -327,8 +327,8 @@ struct ocfs2_super + spinlock_t osb_lock; + u32 s_next_generation; + unsigned long osb_flags; +- s16 s_inode_steal_slot; +- s16 s_meta_steal_slot; ++ u16 s_inode_steal_slot; ++ u16 s_meta_steal_slot; + atomic_t s_num_inodes_stolen; + atomic_t s_num_meta_stolen; + +--- a/fs/ocfs2/suballoc.c ++++ b/fs/ocfs2/suballoc.c +@@ -879,9 +879,9 @@ static void __ocfs2_set_steal_slot(struc + { + spin_lock(&osb->osb_lock); + if (type == INODE_ALLOC_SYSTEM_INODE) +- osb->s_inode_steal_slot = slot; ++ osb->s_inode_steal_slot = (u16)slot; + else if (type == EXTENT_ALLOC_SYSTEM_INODE) +- osb->s_meta_steal_slot = slot; ++ osb->s_meta_steal_slot = (u16)slot; + spin_unlock(&osb->osb_lock); + } + +--- a/fs/ocfs2/super.c ++++ b/fs/ocfs2/super.c +@@ -78,7 +78,7 @@ struct mount_options + unsigned long commit_interval; + unsigned long mount_opt; + unsigned int atime_quantum; +- signed short slot; ++ unsigned short slot; + int localalloc_opt; + unsigned int resv_level; + int dir_resv_level; +@@ -1349,7 +1349,7 @@ static int ocfs2_parse_options(struct su + goto bail; + } + if (option) +- mopt->slot = (s16)option; ++ mopt->slot = (u16)option; + break; + case Opt_commit: + if (match_int(&args[0], &option)) { diff --git a/queue-5.8/pidfd-add-missing-sock-updates-for-pidfd_getfd.patch b/queue-5.8/pidfd-add-missing-sock-updates-for-pidfd_getfd.patch new file mode 
100644 index 00000000000..bd51ae8d2eb --- /dev/null +++ b/queue-5.8/pidfd-add-missing-sock-updates-for-pidfd_getfd.patch @@ -0,0 +1,53 @@ +From 4969f8a073977123504609d7310b42a588297aa4 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Tue, 9 Jun 2020 16:21:38 -0700 +Subject: pidfd: Add missing sock updates for pidfd_getfd() + +From: Kees Cook + +commit 4969f8a073977123504609d7310b42a588297aa4 upstream. + +The sock counting (sock_update_netprioidx() and sock_update_classid()) +was missing from pidfd's implementation of received fd installation. Add +a call to the new __receive_sock() helper. + +Cc: Christian Brauner +Cc: Christoph Hellwig +Cc: Sargun Dhillon +Cc: Jakub Kicinski +Cc: netdev@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Cc: stable@vger.kernel.org +Fixes: 8649c322f75c ("pid: Implement pidfd_getfd syscall") +Signed-off-by: Kees Cook +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/pid.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/kernel/pid.c ++++ b/kernel/pid.c +@@ -42,6 +42,7 @@ + #include + #include + #include ++#include + + struct pid init_struct_pid = { + .count = REFCOUNT_INIT(1), +@@ -642,10 +643,12 @@ static int pidfd_getfd(struct pid *pid, + } + + ret = get_unused_fd_flags(O_CLOEXEC); +- if (ret < 0) ++ if (ret < 0) { + fput(file); +- else ++ } else { ++ __receive_sock(file); + fd_install(ret, file); ++ } + + return ret; + } diff --git a/queue-5.8/pseries-fix-64-bit-logical-memory-block-panic.patch b/queue-5.8/pseries-fix-64-bit-logical-memory-block-panic.patch new file mode 100644 index 00000000000..fbe509d6cbf --- /dev/null +++ b/queue-5.8/pseries-fix-64-bit-logical-memory-block-panic.patch @@ -0,0 +1,37 @@ +From 89c140bbaeee7a55ed0360a88f294ead2b95201b Mon Sep 17 00:00:00 2001 +From: Anton Blanchard +Date: Wed, 15 Jul 2020 10:08:20 +1000 +Subject: pseries: Fix 64 bit logical memory block panic + +From: Anton Blanchard + +commit 89c140bbaeee7a55ed0360a88f294ead2b95201b upstream. 
+ +Booting with a 4GB LMB size causes us to panic: + + qemu-system-ppc64: OS terminated: OS panic: + Memory block size not suitable: 0x0 + +Fix pseries_memory_block_size() to handle 64 bit LMBs. + +Cc: stable@vger.kernel.org +Signed-off-by: Anton Blanchard +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200715000820.1255764-1-anton@ozlabs.org +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/platforms/pseries/hotplug-memory.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/platforms/pseries/hotplug-memory.c ++++ b/arch/powerpc/platforms/pseries/hotplug-memory.c +@@ -27,7 +27,7 @@ static bool rtas_hp_event; + unsigned long pseries_memory_block_size(void) + { + struct device_node *np; +- unsigned int memblock_size = MIN_MEMORY_BLOCK_SIZE; ++ u64 memblock_size = MIN_MEMORY_BLOCK_SIZE; + struct resource r; + + np = of_find_node_by_path("/ibm,dynamic-reconfiguration-memory"); diff --git a/queue-5.8/selftests-seccomp-set-nnp-for-tsync-esrch-flag-test.patch b/queue-5.8/selftests-seccomp-set-nnp-for-tsync-esrch-flag-test.patch new file mode 100644 index 00000000000..09d5e425ec6 --- /dev/null +++ b/queue-5.8/selftests-seccomp-set-nnp-for-tsync-esrch-flag-test.patch @@ -0,0 +1,36 @@ +From e4d05028a07f505a08802a6d1b11674c149df2b3 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Fri, 10 Jul 2020 10:29:41 -0700 +Subject: selftests/seccomp: Set NNP for TSYNC ESRCH flag test + +From: Kees Cook + +commit e4d05028a07f505a08802a6d1b11674c149df2b3 upstream. + +The TSYNC ESRCH flag test will fail for regular users because NNP was +not set yet. Add NNP setting. 
+ +Fixes: 51891498f2da ("seccomp: allow TSYNC and USER_NOTIF together") +Cc: stable@vger.kernel.org +Reviewed-by: Tycho Andersen +Signed-off-by: Kees Cook +Signed-off-by: Greg Kroah-Hartman + +--- + tools/testing/selftests/seccomp/seccomp_bpf.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/tools/testing/selftests/seccomp/seccomp_bpf.c ++++ b/tools/testing/selftests/seccomp/seccomp_bpf.c +@@ -3258,6 +3258,11 @@ TEST(user_notification_with_tsync) + int ret; + unsigned int flags; + ++ ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); ++ ASSERT_EQ(0, ret) { ++ TH_LOG("Kernel does not support PR_SET_NO_NEW_PRIVS!"); ++ } ++ + /* these were exclusive */ + flags = SECCOMP_FILTER_FLAG_NEW_LISTENER | + SECCOMP_FILTER_FLAG_TSYNC; diff --git a/queue-5.8/series b/queue-5.8/series index c917e8ae253..25ff3449fdc 100644 --- a/queue-5.8/series +++ b/queue-5.8/series @@ -54,3 +54,45 @@ pinctrl-ingenic-enhance-support-for-irq_type_edge_both.patch pinctrl-ingenic-properly-detect-gpio-direction-when-configured-for-irq.patch media-venus-fix-multiple-encoder-crash.patch media-vsp1-dl-fix-null-pointer-dereference-on-unbind.patch +net-ethernet-stmmac-disable-hardware-multicast-filter.patch +net-stmmac-dwmac1000-provide-multicast-filter-fallback.patch +irqchip-loongson-liointc-fix-misuse-of-gc-mask_cache.patch +irqchip-gic-v4.1-ensure-accessing-the-correct-rd-when-writing-invallr.patch +pidfd-add-missing-sock-updates-for-pidfd_getfd.patch +net-compat-add-missing-sock-updates-for-scm_rights.patch +selftests-seccomp-set-nnp-for-tsync-esrch-flag-test.patch +md-raid5-fix-force-reconstruct-write-io-stuck-in-degraded-raid5.patch +bcache-allocate-meta-data-pages-as-compound-pages.patch +bcache-fix-overflow-in-offset_to_stripe.patch +bcache-avoid-nr_stripes-overflow-in-bcache_device_init.patch +bcache-fix-bio_-start-end-_io_acct-with-proper-device.patch +bcache-use-disk_-start-end-_io_acct-to-count-i-o-for-bcache-device.patch +mac80211-fix-misplaced-while-instead-of-if.patch 
+appletalk-fix-atalk_proc_init-return-path.patch +driver-core-avoid-binding-drivers-to-dead-devices.patch +mips-cpu-0-is-not-hotpluggable.patch +mips-qi_lb60-fix-routing-to-audio-amplifier.patch +mips-sgi-ip27-always-enable-numa-in-kconfig.patch +ext2-fix-missing-percpu_counter_inc.patch +khugepaged-collapse_pte_mapped_thp-flush-the-right-range.patch +mm-hugetlb-fix-calculation-of-adjust_range_if_pmd_sharing_possible.patch +khugepaged-collapse_pte_mapped_thp-protect-the-pmd-lock.patch +khugepaged-retract_page_tables-remember-to-test-exit.patch +khugepaged-khugepaged_test_exit-check-mmget_still_valid.patch +hugetlbfs-remove-call-to-huge_pte_alloc-without-i_mmap_rwsem.patch +mm-shuffle-don-t-move-pages-between-zones-and-don-t-read-garbage-memmaps.patch +mm-fix-kthread_use_mm-vs-tlb-invalidate.patch +ocfs2-change-slot-number-type-s16-to-u16.patch +mm-page_counter.c-fix-protection-usage-propagation.patch +cma-don-t-quit-at-first-error-when-activating-reserved-areas.patch +mm-memory_hotplug-fix-unpaired-mem_hotplug_begin-done.patch +ftrace-setup-correct-ftrace_fl_regs-flags-for-module.patch +kprobes-fix-null-pointer-dereference-at-kprobe_ftrace_handler.patch +tracing-hwlat-honor-the-tracing_cpumask.patch +tracing-use-trace_sched_process_free-instead-of-exit-for-pid-tracing.patch +watchdog-f71808e_wdt-indicate-wdiof_cardreset-support-in-watchdog_info.options.patch +watchdog-f71808e_wdt-remove-use-of-wrong-watchdog_info-option.patch +watchdog-f71808e_wdt-clear-watchdog-timeout-occurred-flag.patch +ceph-set-sec_context-xattr-on-symlink-creation.patch +ceph-handle-zero-length-feature-mask-in-session-messages.patch +pseries-fix-64-bit-logical-memory-block-panic.patch diff --git a/queue-5.8/tracing-hwlat-honor-the-tracing_cpumask.patch b/queue-5.8/tracing-hwlat-honor-the-tracing_cpumask.patch new file mode 100644 index 00000000000..3b842e34d42 --- /dev/null +++ b/queue-5.8/tracing-hwlat-honor-the-tracing_cpumask.patch @@ -0,0 +1,54 @@ +From 
96b4833b6827a62c295b149213c68b559514c929 Mon Sep 17 00:00:00 2001 +From: Kevin Hao +Date: Thu, 30 Jul 2020 16:23:18 +0800 +Subject: tracing/hwlat: Honor the tracing_cpumask + +From: Kevin Hao + +commit 96b4833b6827a62c295b149213c68b559514c929 upstream. + +When calculating the cpu mask for the hwlat kernel thread, the wrong +cpu mask is used instead of the tracing_cpumask, which makes +tracing/tracing_cpumask useless for the hwlat tracer. Fix it. + +Link: https://lkml.kernel.org/r/20200730082318.42584-2-haokexin@gmail.com + +Cc: Ingo Molnar +Cc: stable@vger.kernel.org +Fixes: 0330f7aa8ee6 ("tracing: Have hwlat trace migrate across tracing_cpumask CPUs") +Signed-off-by: Kevin Hao +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace_hwlat.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/kernel/trace/trace_hwlat.c ++++ b/kernel/trace/trace_hwlat.c +@@ -283,6 +283,7 @@ static bool disable_migrate; + static void move_to_next_cpu(void) + { + struct cpumask *current_mask = &save_cpumask; ++ struct trace_array *tr = hwlat_trace; + int next_cpu; + + if (disable_migrate) +@@ -296,7 +297,7 @@ static void move_to_next_cpu(void) + goto disable; + + get_online_cpus(); +- cpumask_and(current_mask, cpu_online_mask, tracing_buffer_mask); ++ cpumask_and(current_mask, cpu_online_mask, tr->tracing_cpumask); + next_cpu = cpumask_next(smp_processor_id(), current_mask); + put_online_cpus(); + +@@ -373,7 +374,7 @@ static int start_kthread(struct trace_ar + /* Just pick the first CPU on first iteration */ + current_mask = &save_cpumask; + get_online_cpus(); +- cpumask_and(current_mask, cpu_online_mask, tracing_buffer_mask); ++ cpumask_and(current_mask, cpu_online_mask, tr->tracing_cpumask); + put_online_cpus(); + next_cpu = cpumask_first(current_mask); + diff --git a/queue-5.8/tracing-use-trace_sched_process_free-instead-of-exit-for-pid-tracing.patch
b/queue-5.8/tracing-use-trace_sched_process_free-instead-of-exit-for-pid-tracing.patch new file mode 100644 index 00000000000..30c22ad3ce0 --- /dev/null +++ b/queue-5.8/tracing-use-trace_sched_process_free-instead-of-exit-for-pid-tracing.patch @@ -0,0 +1,72 @@ +From afcab636657421f7ebfa0783a91f90256bba0091 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (VMware)" +Date: Tue, 4 Aug 2020 20:00:02 -0400 +Subject: tracing: Use trace_sched_process_free() instead of exit() for pid tracing + +From: Steven Rostedt (VMware) + +commit afcab636657421f7ebfa0783a91f90256bba0091 upstream. + +On exit, if a process is preempted after the trace_sched_process_exit() +tracepoint but before the process is done exiting, then when it gets +scheduled in, the function tracers will not filter it properly against the +function tracing pid filters. + +That is because the function tracing pid filters hook into the +sched_process_exit() tracepoint to remove the exiting task's pid from the +filter list. Because the filtering happens at the sched_switch tracepoint, +when the exiting task schedules back in to finish up the exit, it will no +longer be in the function pid filtering tables. + +This was noticeable in the notrace self tests on a preemptible kernel: the +exiting task could be preempted after being taken off the notrace filter +table, and on scheduling back in it would no longer be in the notrace list, +so the tail end of the exit function would be traced. The self test +detected this and would fail.
+ +Cc: stable@vger.kernel.org +Cc: Namhyung Kim +Fixes: 1e10486ffee0a ("ftrace: Add 'function-fork' trace option") +Fixes: c37775d57830a ("tracing: Add infrastructure to allow set_event_pid to follow children") +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/ftrace.c | 4 ++-- + kernel/trace/trace_events.c | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -6969,12 +6969,12 @@ void ftrace_pid_follow_fork(struct trace + if (enable) { + register_trace_sched_process_fork(ftrace_pid_follow_sched_process_fork, + tr); +- register_trace_sched_process_exit(ftrace_pid_follow_sched_process_exit, ++ register_trace_sched_process_free(ftrace_pid_follow_sched_process_exit, + tr); + } else { + unregister_trace_sched_process_fork(ftrace_pid_follow_sched_process_fork, + tr); +- unregister_trace_sched_process_exit(ftrace_pid_follow_sched_process_exit, ++ unregister_trace_sched_process_free(ftrace_pid_follow_sched_process_exit, + tr); + } + } +--- a/kernel/trace/trace_events.c ++++ b/kernel/trace/trace_events.c +@@ -538,12 +538,12 @@ void trace_event_follow_fork(struct trac + if (enable) { + register_trace_prio_sched_process_fork(event_filter_pid_sched_process_fork, + tr, INT_MIN); +- register_trace_prio_sched_process_exit(event_filter_pid_sched_process_exit, ++ register_trace_prio_sched_process_free(event_filter_pid_sched_process_exit, + tr, INT_MAX); + } else { + unregister_trace_sched_process_fork(event_filter_pid_sched_process_fork, + tr); +- unregister_trace_sched_process_exit(event_filter_pid_sched_process_exit, ++ unregister_trace_sched_process_free(event_filter_pid_sched_process_exit, + tr); + } + } diff --git a/queue-5.8/watchdog-f71808e_wdt-clear-watchdog-timeout-occurred-flag.patch b/queue-5.8/watchdog-f71808e_wdt-clear-watchdog-timeout-occurred-flag.patch new file mode 100644 index 00000000000..4704bb90f41 --- /dev/null +++
b/queue-5.8/watchdog-f71808e_wdt-clear-watchdog-timeout-occurred-flag.patch @@ -0,0 +1,51 @@ +From 4f39d575844148fbf3081571a1f3b4ae04150958 Mon Sep 17 00:00:00 2001 +From: Ahmad Fatoum +Date: Thu, 11 Jun 2020 21:17:45 +0200 +Subject: watchdog: f71808e_wdt: clear watchdog timeout occurred flag + +From: Ahmad Fatoum + +commit 4f39d575844148fbf3081571a1f3b4ae04150958 upstream. + +The flag indicating a watchdog timeout having occurred normally persists +till Power-On Reset of the Fintek Super I/O chip. The user can clear it +by writing a `1' to the bit. + +The driver doesn't offer a restart method, so regular system reboot +might not reset the Super I/O and if the watchdog isn't enabled, we +won't touch the register containing the bit on the next boot. +In this case all subsequent regular reboots will be wrongly flagged +by the driver as being caused by the watchdog. + +Fix this by having the flag cleared after read. This is also done by +other drivers like those for the i6300esb and mpc8xxx_wdt. + +Fixes: b97cb21a4634 ("watchdog: f71808e_wdt: Fix WDTMOUT_STS register read") +Cc: stable@vger.kernel.org +Signed-off-by: Ahmad Fatoum +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20200611191750.28096-5-a.fatoum@pengutronix.de +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/watchdog/f71808e_wdt.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/watchdog/f71808e_wdt.c ++++ b/drivers/watchdog/f71808e_wdt.c +@@ -706,6 +706,13 @@ static int __init watchdog_init(int sioa + wdt_conf = superio_inb(sioaddr, F71808FG_REG_WDT_CONF); + watchdog.caused_reboot = wdt_conf & BIT(F71808FG_FLAG_WDTMOUT_STS); + ++ /* ++ * We don't want WDTMOUT_STS to stick around till regular reboot. ++ * Write 1 to the bit to clear it to zero. 
++ */ ++ superio_outb(sioaddr, F71808FG_REG_WDT_CONF, ++ wdt_conf | BIT(F71808FG_FLAG_WDTMOUT_STS)); ++ + superio_exit(sioaddr); + + err = watchdog_set_timeout(timeout); diff --git a/queue-5.8/watchdog-f71808e_wdt-indicate-wdiof_cardreset-support-in-watchdog_info.options.patch b/queue-5.8/watchdog-f71808e_wdt-indicate-wdiof_cardreset-support-in-watchdog_info.options.patch new file mode 100644 index 00000000000..0cfd0b0271b --- /dev/null +++ b/queue-5.8/watchdog-f71808e_wdt-indicate-wdiof_cardreset-support-in-watchdog_info.options.patch @@ -0,0 +1,38 @@ +From e871e93fb08a619dfc015974a05768ed6880fd82 Mon Sep 17 00:00:00 2001 +From: Ahmad Fatoum +Date: Thu, 11 Jun 2020 21:17:43 +0200 +Subject: watchdog: f71808e_wdt: indicate WDIOF_CARDRESET support in watchdog_info.options + +From: Ahmad Fatoum + +commit e871e93fb08a619dfc015974a05768ed6880fd82 upstream. + +The driver supports populating bootstatus with WDIOF_CARDRESET, but so +far userspace couldn't portably determine whether absence of this flag +meant no watchdog reset or no driver support. Or-in the bit to fix this. 
+ +Fixes: b97cb21a4634 ("watchdog: f71808e_wdt: Fix WDTMOUT_STS register read") +Cc: stable@vger.kernel.org +Signed-off-by: Ahmad Fatoum +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20200611191750.28096-3-a.fatoum@pengutronix.de +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/watchdog/f71808e_wdt.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/watchdog/f71808e_wdt.c ++++ b/drivers/watchdog/f71808e_wdt.c +@@ -692,7 +692,8 @@ static int __init watchdog_init(int sioa + watchdog.sioaddr = sioaddr; + watchdog.ident.options = WDIOC_SETTIMEOUT + | WDIOF_MAGICCLOSE +- | WDIOF_KEEPALIVEPING; ++ | WDIOF_KEEPALIVEPING ++ | WDIOF_CARDRESET; + + snprintf(watchdog.ident.identity, + sizeof(watchdog.ident.identity), "%s watchdog", diff --git a/queue-5.8/watchdog-f71808e_wdt-remove-use-of-wrong-watchdog_info-option.patch b/queue-5.8/watchdog-f71808e_wdt-remove-use-of-wrong-watchdog_info-option.patch new file mode 100644 index 00000000000..09c1c10e43a --- /dev/null +++ b/queue-5.8/watchdog-f71808e_wdt-remove-use-of-wrong-watchdog_info-option.patch @@ -0,0 +1,48 @@ +From 802141462d844f2e6a4d63a12260d79b7afc4c34 Mon Sep 17 00:00:00 2001 +From: Ahmad Fatoum +Date: Thu, 11 Jun 2020 21:17:44 +0200 +Subject: watchdog: f71808e_wdt: remove use of wrong watchdog_info option + +From: Ahmad Fatoum + +commit 802141462d844f2e6a4d63a12260d79b7afc4c34 upstream. + +The flags that should be or-ed into the watchdog_info.options by drivers +all start with WDIOF_, e.g. WDIOF_SETTIMEOUT, which indicates that the +driver's watchdog_ops has a usable set_timeout. + +WDIOC_SETTIMEOUT was used instead, which expands to 0xc0045706, which +equals: + + WDIOF_FANFAULT | WDIOF_EXTERN1 | WDIOF_PRETIMEOUT | WDIOF_ALARMONLY | + WDIOF_MAGICCLOSE | 0xc0045000 + +These were so far indicated to userspace on WDIOC_GETSUPPORT. 
+As the driver has not yet been migrated to the new watchdog kernel API, +the constant can just be dropped without substitute. + +Fixes: 96cb4eb019ce ("watchdog: f71808e_wdt: new watchdog driver for Fintek F71808E and F71882FG") +Cc: stable@vger.kernel.org +Signed-off-by: Ahmad Fatoum +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20200611191750.28096-4-a.fatoum@pengutronix.de +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/watchdog/f71808e_wdt.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/watchdog/f71808e_wdt.c ++++ b/drivers/watchdog/f71808e_wdt.c +@@ -690,8 +690,7 @@ static int __init watchdog_init(int sioa + * into the module have been registered yet. + */ + watchdog.sioaddr = sioaddr; +- watchdog.ident.options = WDIOC_SETTIMEOUT +- | WDIOF_MAGICCLOSE ++ watchdog.ident.options = WDIOF_MAGICCLOSE + | WDIOF_KEEPALIVEPING + | WDIOF_CARDRESET; + -- 2.47.3