From a9ce90892dd3d80629c5e6cb073143da91812d33 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 8 Oct 2019 19:39:23 +0200 Subject: [PATCH] 4.19-stable patches added patches: cfg80211-initialize-on-stack-chandefs.patch drm-i915-gvt-update-vgpu-workload-head-pointer-correctly.patch drm-msm-dsi-fix-return-value-check-for-clk_get_parent.patch drm-nouveau-kms-nv50-don-t-create-mstms-for-edp-connectors.patch drm-omap-fix-max-fclk-divider-for-omap36xx.patch ieee802154-atusb-fix-use-after-free-at-disconnect.patch mmc-sdhci-improve-adma-error-reporting.patch mmc-sdhci-of-esdhc-set-dma-snooping-based-on-dma-coherence.patch pci-restore-resizable-bar-size-bits-correctly-for-1mb-bars.patch pci-vmd-fix-shadow-offsets-to-reflect-spec-changes.patch perf-stat-fix-a-segmentation-fault-when-using-repeat-forever.patch revert-locking-pvqspinlock-don-t-wait-if-vcpu-is-preempted.patch watchdog-imx2_wdt-fix-min-calculation-in-imx2_wdt_set_timeout.patch xen-xenbus-fix-self-deadlock-after-killing-user-process.patch --- ...fg80211-initialize-on-stack-chandefs.patch | 72 +++++++++++ ...vgpu-workload-head-pointer-correctly.patch | 80 +++++++++++++ ...eturn-value-check-for-clk_get_parent.patch | 48 ++++++++ ...on-t-create-mstms-for-edp-connectors.patch | 49 ++++++++ ...ap-fix-max-fclk-divider-for-omap36xx.patch | 42 +++++++ ...usb-fix-use-after-free-at-disconnect.patch | 39 ++++++ ...c-sdhci-improve-adma-error-reporting.patch | 80 +++++++++++++ ...-dma-snooping-based-on-dma-coherence.patch | 74 ++++++++++++ ...bar-size-bits-correctly-for-1mb-bars.patch | 53 +++++++++ ...adow-offsets-to-reflect-spec-changes.patch | 55 +++++++++ ...tion-fault-when-using-repeat-forever.patch | 104 ++++++++++++++++ ...lock-don-t-wait-if-vcpu-is-preempted.patch | 68 +++++++++++ queue-4.19/series | 14 +++ ...-calculation-in-imx2_wdt_set_timeout.patch | 53 +++++++++ ...-deadlock-after-killing-user-process.patch | 112 ++++++++++++++++++ 15 files changed, 943 insertions(+) create mode 100644 queue-4.19/cfg80211-initialize-on-stack-chandefs.patch create mode 100644 queue-4.19/drm-i915-gvt-update-vgpu-workload-head-pointer-correctly.patch create mode 100644 queue-4.19/drm-msm-dsi-fix-return-value-check-for-clk_get_parent.patch create mode 100644 queue-4.19/drm-nouveau-kms-nv50-don-t-create-mstms-for-edp-connectors.patch create mode 100644 queue-4.19/drm-omap-fix-max-fclk-divider-for-omap36xx.patch create mode 100644 queue-4.19/ieee802154-atusb-fix-use-after-free-at-disconnect.patch create mode 100644 queue-4.19/mmc-sdhci-improve-adma-error-reporting.patch create mode 100644 queue-4.19/mmc-sdhci-of-esdhc-set-dma-snooping-based-on-dma-coherence.patch create mode 100644 queue-4.19/pci-restore-resizable-bar-size-bits-correctly-for-1mb-bars.patch create mode 100644 queue-4.19/pci-vmd-fix-shadow-offsets-to-reflect-spec-changes.patch create mode 100644 queue-4.19/perf-stat-fix-a-segmentation-fault-when-using-repeat-forever.patch create mode 100644 queue-4.19/revert-locking-pvqspinlock-don-t-wait-if-vcpu-is-preempted.patch create mode 100644 queue-4.19/watchdog-imx2_wdt-fix-min-calculation-in-imx2_wdt_set_timeout.patch create mode 100644 queue-4.19/xen-xenbus-fix-self-deadlock-after-killing-user-process.patch diff --git a/queue-4.19/cfg80211-initialize-on-stack-chandefs.patch b/queue-4.19/cfg80211-initialize-on-stack-chandefs.patch new file mode 100644 index 00000000000..f7eef9924b8 --- /dev/null +++ b/queue-4.19/cfg80211-initialize-on-stack-chandefs.patch @@ -0,0 +1,72 @@ +From f43e5210c739fe76a4b0ed851559d6902f20ceb1 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Mon, 23 Sep 2019 13:51:16 +0200 +Subject: cfg80211: initialize on-stack chandefs + +From: Johannes Berg + +commit f43e5210c739fe76a4b0ed851559d6902f20ceb1 upstream. + +In a few places we don't properly initialize on-stack chandefs, +resulting in EDMG data to be non-zero, which broke things. + +Additionally, in a few places we rely on the driver to init the +data completely, but perhaps we shouldn't as non-EDMG drivers +may not initialize the EDMG data, also initialize it there. + +Cc: stable@vger.kernel.org +Fixes: 2a38075cd0be ("nl80211: Add support for EDMG channels") +Reported-by: Dmitry Osipenko +Tested-by: Dmitry Osipenko +Link: https://lore.kernel.org/r/1569239475-I2dcce394ecf873376c386a78f31c2ec8b538fa25@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/wireless/nl80211.c | 4 +++- + net/wireless/reg.c | 2 +- + net/wireless/wext-compat.c | 2 +- + 3 files changed, 5 insertions(+), 3 deletions(-) + +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -2299,6 +2299,8 @@ static int nl80211_parse_chandef(struct + + control_freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]); + ++ memset(chandef, 0, sizeof(*chandef)); ++ + chandef->chan = ieee80211_get_channel(&rdev->wiphy, control_freq); + chandef->width = NL80211_CHAN_WIDTH_20_NOHT; + chandef->center_freq1 = control_freq; +@@ -2819,7 +2821,7 @@ static int nl80211_send_iface(struct sk_ + + if (rdev->ops->get_channel) { + int ret; +- struct cfg80211_chan_def chandef; ++ struct cfg80211_chan_def chandef = {}; + + ret = rdev_get_channel(rdev, wdev, &chandef); + if (ret == 0) { +--- a/net/wireless/reg.c ++++ b/net/wireless/reg.c +@@ -2095,7 +2095,7 @@ static void reg_call_notifier(struct wip + + static bool reg_wdev_chan_valid(struct wiphy *wiphy, struct wireless_dev *wdev) + { +- struct cfg80211_chan_def chandef; ++ struct cfg80211_chan_def chandef = {}; + struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy); + enum nl80211_iftype iftype; + +--- a/net/wireless/wext-compat.c ++++ b/net/wireless/wext-compat.c +@@ -800,7 +800,7 @@ static int cfg80211_wext_giwfreq(struct + { + struct wireless_dev *wdev = dev->ieee80211_ptr; + struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy); +- struct cfg80211_chan_def chandef; ++ struct cfg80211_chan_def chandef = {}; + int ret; + + switch (wdev->iftype) { diff --git a/queue-4.19/drm-i915-gvt-update-vgpu-workload-head-pointer-correctly.patch b/queue-4.19/drm-i915-gvt-update-vgpu-workload-head-pointer-correctly.patch new file mode 100644 index 00000000000..60cde08c9c4 --- /dev/null +++ b/queue-4.19/drm-i915-gvt-update-vgpu-workload-head-pointer-correctly.patch @@ -0,0 +1,80 @@ +From 0a3242bdb47713e09cb004a0ba4947d3edf82d8a Mon Sep 17 00:00:00 2001 +From: Xiaolin Zhang +Date: Tue, 27 Aug 2019 16:39:23 +0800 +Subject: drm/i915/gvt: update vgpu workload head pointer correctly + +From: Xiaolin Zhang + +commit 0a3242bdb47713e09cb004a0ba4947d3edf82d8a upstream. + +when creating a vGPU workload, the guest context head pointer should +be updated correctly by comparing with the exsiting workload in the +guest worklod queue including the current running context. + +in some situation, there is a running context A and then received 2 new +vGPU workload context B and A. in the new workload context A, it's head +pointer should be updated with the running context A's tail. + +v2: walk through guest workload list in backward way. + +Cc: stable@vger.kernel.org +Signed-off-by: Xiaolin Zhang +Reviewed-by: Zhenyu Wang +Signed-off-by: Zhenyu Wang +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/gvt/scheduler.c | 28 +++++++++++++++------------- + 1 file changed, 15 insertions(+), 13 deletions(-) + +--- a/drivers/gpu/drm/i915/gvt/scheduler.c ++++ b/drivers/gpu/drm/i915/gvt/scheduler.c +@@ -1276,9 +1276,6 @@ static int prepare_mm(struct intel_vgpu_ + #define same_context(a, b) (((a)->context_id == (b)->context_id) && \ + ((a)->lrca == (b)->lrca)) + +-#define get_last_workload(q) \ +- (list_empty(q) ? NULL : container_of(q->prev, \ +- struct intel_vgpu_workload, list)) + /** + * intel_vgpu_create_workload - create a vGPU workload + * @vgpu: a vGPU +@@ -1297,7 +1294,7 @@ intel_vgpu_create_workload(struct intel_ + { + struct intel_vgpu_submission *s = &vgpu->submission; + struct list_head *q = workload_q_head(vgpu, ring_id); +- struct intel_vgpu_workload *last_workload = get_last_workload(q); ++ struct intel_vgpu_workload *last_workload = NULL; + struct intel_vgpu_workload *workload = NULL; + struct drm_i915_private *dev_priv = vgpu->gvt->dev_priv; + u64 ring_context_gpa; +@@ -1320,15 +1317,20 @@ intel_vgpu_create_workload(struct intel_ + head &= RB_HEAD_OFF_MASK; + tail &= RB_TAIL_OFF_MASK; + +- if (last_workload && same_context(&last_workload->ctx_desc, desc)) { +- gvt_dbg_el("ring id %d cur workload == last\n", ring_id); +- gvt_dbg_el("ctx head %x real head %lx\n", head, +- last_workload->rb_tail); +- /* +- * cannot use guest context head pointer here, +- * as it might not be updated at this time +- */ +- head = last_workload->rb_tail; ++ list_for_each_entry_reverse(last_workload, q, list) { ++ ++ if (same_context(&last_workload->ctx_desc, desc)) { ++ gvt_dbg_el("ring id %d cur workload == last\n", ++ ring_id); ++ gvt_dbg_el("ctx head %x real head %lx\n", head, ++ last_workload->rb_tail); ++ /* ++ * cannot use guest context head pointer here, ++ * as it might not be updated at this time ++ */ ++ head = last_workload->rb_tail; ++ break; ++ } + } + + gvt_dbg_el("ring id %d begin a new workload\n", ring_id); diff --git a/queue-4.19/drm-msm-dsi-fix-return-value-check-for-clk_get_parent.patch b/queue-4.19/drm-msm-dsi-fix-return-value-check-for-clk_get_parent.patch new file mode 100644 index 00000000000..243b92f834b --- /dev/null +++ b/queue-4.19/drm-msm-dsi-fix-return-value-check-for-clk_get_parent.patch @@ -0,0 +1,48 @@ +From 5fb9b797d5ccf311ae4aba69e86080d47668b5f7 Mon Sep 17 00:00:00 2001 +From: Sean Paul +Date: Wed, 7 Aug 2019 14:51:50 -0400 +Subject: drm/msm/dsi: Fix return value check for clk_get_parent + +From: Sean Paul + +commit 5fb9b797d5ccf311ae4aba69e86080d47668b5f7 upstream. + +clk_get_parent returns an error pointer upon failure, not NULL. So the +checks as they exist won't catch a failure. This patch changes the +checks and the return values to properly handle an error pointer. + +Fixes: c4d8cfe516dc ("drm/msm/dsi: add implementation for helper functions") +Cc: Sibi Sankar +Cc: Sean Paul +Cc: Rob Clark +Cc: # v4.19+ +Signed-off-by: Sean Paul +Signed-off-by: Rob Clark +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/msm/dsi/dsi_host.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/msm/dsi/dsi_host.c ++++ b/drivers/gpu/drm/msm/dsi/dsi_host.c +@@ -429,15 +429,15 @@ static int dsi_clk_init(struct msm_dsi_h + } + + msm_host->byte_clk_src = clk_get_parent(msm_host->byte_clk); +- if (!msm_host->byte_clk_src) { +- ret = -ENODEV; ++ if (IS_ERR(msm_host->byte_clk_src)) { ++ ret = PTR_ERR(msm_host->byte_clk_src); + pr_err("%s: can't find byte_clk clock. ret=%d\n", __func__, ret); + goto exit; + } + + msm_host->pixel_clk_src = clk_get_parent(msm_host->pixel_clk); +- if (!msm_host->pixel_clk_src) { +- ret = -ENODEV; ++ if (IS_ERR(msm_host->pixel_clk_src)) { ++ ret = PTR_ERR(msm_host->pixel_clk_src); + pr_err("%s: can't find pixel_clk clock. ret=%d\n", __func__, ret); + goto exit; + } diff --git a/queue-4.19/drm-nouveau-kms-nv50-don-t-create-mstms-for-edp-connectors.patch b/queue-4.19/drm-nouveau-kms-nv50-don-t-create-mstms-for-edp-connectors.patch new file mode 100644 index 00000000000..a8b30cf633c --- /dev/null +++ b/queue-4.19/drm-nouveau-kms-nv50-don-t-create-mstms-for-edp-connectors.patch @@ -0,0 +1,49 @@ +From 698c1aa9f83b618de79e9e5e19a58f70a4a6ae0f Mon Sep 17 00:00:00 2001 +From: Lyude Paul +Date: Fri, 13 Sep 2019 18:03:50 -0400 +Subject: drm/nouveau/kms/nv50-: Don't create MSTMs for eDP connectors + +From: Lyude Paul + +commit 698c1aa9f83b618de79e9e5e19a58f70a4a6ae0f upstream. + +On the ThinkPad P71, we have one eDP connector exposed along with 5 DP +connectors, resulting in a total of 11 TMDS encoders. Since the GPU on +this system is also capable of MST, we create an additional 4 fake MST +encoders for each DP port. Unfortunately, we also do this for the eDP +port as well, resulting in: + + 1 eDP port: +1 TMDS encoder + +4 DPMST encoders + 5 DP ports: +2 TMDS encoders + +4 DPMST encoders + *5 ports + == 35 encoders + +Which breaks things, since DRM has a hard coded limit of 32 encoders. +So, fix this by not creating MSTMs for any eDP connectors. This brings +us down to 31 encoders, although we can do better. + +This fixes driver probing for nouveau on the ThinkPad P71. + +Signed-off-by: Lyude Paul +Cc: stable@vger.kernel.org +Signed-off-by: Ben Skeggs +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/nouveau/dispnv50/disp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/nouveau/dispnv50/disp.c ++++ b/drivers/gpu/drm/nouveau/dispnv50/disp.c +@@ -1517,7 +1517,8 @@ nv50_sor_create(struct drm_connector *co + nv_encoder->aux = aux; + } + +- if ((data = nvbios_dp_table(bios, &ver, &hdr, &cnt, &len)) && ++ if (nv_connector->type != DCB_CONNECTOR_eDP && ++ (data = nvbios_dp_table(bios, &ver, &hdr, &cnt, &len)) && + ver >= 0x40 && (nvbios_rd08(bios, data + 0x08) & 0x04)) { + ret = nv50_mstm_new(nv_encoder, &nv_connector->aux, 16, + nv_connector->base.base.id, diff --git a/queue-4.19/drm-omap-fix-max-fclk-divider-for-omap36xx.patch b/queue-4.19/drm-omap-fix-max-fclk-divider-for-omap36xx.patch new file mode 100644 index 00000000000..e60ebd44f81 --- /dev/null +++ b/queue-4.19/drm-omap-fix-max-fclk-divider-for-omap36xx.patch @@ -0,0 +1,42 @@ +From e2c4ed148cf3ec8669a1d90dc66966028e5fad70 Mon Sep 17 00:00:00 2001 +From: Tomi Valkeinen +Date: Wed, 2 Oct 2019 15:25:42 +0300 +Subject: drm/omap: fix max fclk divider for omap36xx + +From: Tomi Valkeinen + +commit e2c4ed148cf3ec8669a1d90dc66966028e5fad70 upstream. + +The OMAP36xx and AM/DM37x TRMs say that the maximum divider for DSS fclk +(in CM_CLKSEL_DSS) is 32. Experimentation shows that this is not +correct, and using divider of 32 breaks DSS with a flood or underflows +and sync losts. Dividers up to 31 seem to work fine. + +There is another patch to the DT files to limit the divider correctly, +but as the DSS driver also needs to know the maximum divider to be able +to iteratively find good rates, we also need to do the fix in the DSS +driver. + +Signed-off-by: Tomi Valkeinen +Cc: Adam Ford +Cc: stable@vger.kernel.org +Link: https://patchwork.freedesktop.org/patch/msgid/20191002122542.8449-1-tomi.valkeinen@ti.com +Tested-by: Adam Ford +Reviewed-by: Jyri Sarha +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/omapdrm/dss/dss.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/omapdrm/dss/dss.c ++++ b/drivers/gpu/drm/omapdrm/dss/dss.c +@@ -1110,7 +1110,7 @@ static const struct dss_features omap34x + + static const struct dss_features omap3630_dss_feats = { + .model = DSS_MODEL_OMAP3, +- .fck_div_max = 32, ++ .fck_div_max = 31, + .fck_freq_max = 173000000, + .dss_fck_multiplier = 1, + .parent_clk_name = "dpll4_ck", diff --git a/queue-4.19/ieee802154-atusb-fix-use-after-free-at-disconnect.patch b/queue-4.19/ieee802154-atusb-fix-use-after-free-at-disconnect.patch new file mode 100644 index 00000000000..cbc18cdefbf --- /dev/null +++ b/queue-4.19/ieee802154-atusb-fix-use-after-free-at-disconnect.patch @@ -0,0 +1,39 @@ +From 7fd25e6fc035f4b04b75bca6d7e8daa069603a76 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 19 Sep 2019 14:12:34 +0200 +Subject: ieee802154: atusb: fix use-after-free at disconnect + +From: Johan Hovold + +commit 7fd25e6fc035f4b04b75bca6d7e8daa069603a76 upstream. + +The disconnect callback was accessing the hardware-descriptor private +data after having having freed it. + +Fixes: 7490b008d123 ("ieee802154: add support for atusb transceiver") +Cc: stable # 4.2 +Cc: Alexander Aring +Reported-by: syzbot+f4509a9138a1472e7e80@syzkaller.appspotmail.com +Signed-off-by: Johan Hovold +Signed-off-by: Stefan Schmidt +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ieee802154/atusb.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/ieee802154/atusb.c ++++ b/drivers/net/ieee802154/atusb.c +@@ -1140,10 +1140,11 @@ static void atusb_disconnect(struct usb_ + + ieee802154_unregister_hw(atusb->hw); + ++ usb_put_dev(atusb->usb_dev); ++ + ieee802154_free_hw(atusb->hw); + + usb_set_intfdata(interface, NULL); +- usb_put_dev(atusb->usb_dev); + + pr_debug("%s done\n", __func__); + } diff --git a/queue-4.19/mmc-sdhci-improve-adma-error-reporting.patch b/queue-4.19/mmc-sdhci-improve-adma-error-reporting.patch new file mode 100644 index 00000000000..90d3563a5de --- /dev/null +++ b/queue-4.19/mmc-sdhci-improve-adma-error-reporting.patch @@ -0,0 +1,80 @@ +From d1c536e3177390da43d99f20143b810c35433d1f Mon Sep 17 00:00:00 2001 +From: Russell King +Date: Sun, 22 Sep 2019 11:26:53 +0100 +Subject: mmc: sdhci: improve ADMA error reporting + +From: Russell King + +commit d1c536e3177390da43d99f20143b810c35433d1f upstream. + +ADMA errors are potentially data corrupting events; although we print +the register state, we do not usefully print the ADMA descriptors. +Worse than that, we print them by referencing their virtual address +which is meaningless when the register state gives us the DMA address +of the failing descriptor. + +Print the ADMA descriptors giving their DMA addresses rather than their +virtual addresses, and print them using SDHCI_DUMP() rather than DBG(). + +We also do not show the correct value of the interrupt status register; +the register dump shows the current value, after we have cleared the +pending interrupts we are going to service. What is more useful is to +print the interrupts that _were_ pending at the time the ADMA error was +encountered. Fix that too. + +Signed-off-by: Russell King +Acked-by: Adrian Hunter +Cc: stable@vger.kernel.org +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/sdhci.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +--- a/drivers/mmc/host/sdhci.c ++++ b/drivers/mmc/host/sdhci.c +@@ -2720,6 +2720,7 @@ static void sdhci_cmd_irq(struct sdhci_h + static void sdhci_adma_show_error(struct sdhci_host *host) + { + void *desc = host->adma_table; ++ dma_addr_t dma = host->adma_addr; + + sdhci_dumpregs(host); + +@@ -2727,18 +2728,21 @@ static void sdhci_adma_show_error(struct + struct sdhci_adma2_64_desc *dma_desc = desc; + + if (host->flags & SDHCI_USE_64_BIT_DMA) +- DBG("%p: DMA 0x%08x%08x, LEN 0x%04x, Attr=0x%02x\n", +- desc, le32_to_cpu(dma_desc->addr_hi), ++ SDHCI_DUMP("%08llx: DMA 0x%08x%08x, LEN 0x%04x, Attr=0x%02x\n", ++ (unsigned long long)dma, ++ le32_to_cpu(dma_desc->addr_hi), + le32_to_cpu(dma_desc->addr_lo), + le16_to_cpu(dma_desc->len), + le16_to_cpu(dma_desc->cmd)); + else +- DBG("%p: DMA 0x%08x, LEN 0x%04x, Attr=0x%02x\n", +- desc, le32_to_cpu(dma_desc->addr_lo), ++ SDHCI_DUMP("%08llx: DMA 0x%08x, LEN 0x%04x, Attr=0x%02x\n", ++ (unsigned long long)dma, ++ le32_to_cpu(dma_desc->addr_lo), + le16_to_cpu(dma_desc->len), + le16_to_cpu(dma_desc->cmd)); + + desc += host->desc_sz; ++ dma += host->desc_sz; + + if (dma_desc->cmd & cpu_to_le16(ADMA2_END)) + break; +@@ -2814,7 +2818,8 @@ static void sdhci_data_irq(struct sdhci_ + != MMC_BUS_TEST_R) + host->data->error = -EILSEQ; + else if (intmask & SDHCI_INT_ADMA_ERROR) { +- pr_err("%s: ADMA error\n", mmc_hostname(host->mmc)); ++ pr_err("%s: ADMA error: 0x%08x\n", mmc_hostname(host->mmc), ++ intmask); + sdhci_adma_show_error(host); + host->data->error = -EIO; + if (host->ops->adma_workaround) diff --git a/queue-4.19/mmc-sdhci-of-esdhc-set-dma-snooping-based-on-dma-coherence.patch b/queue-4.19/mmc-sdhci-of-esdhc-set-dma-snooping-based-on-dma-coherence.patch new file mode 100644 index 00000000000..c0937290e94 --- /dev/null +++ b/queue-4.19/mmc-sdhci-of-esdhc-set-dma-snooping-based-on-dma-coherence.patch @@ -0,0 +1,74 @@ +From 121bd08b029e03404c451bb237729cdff76eafed Mon Sep 17 00:00:00 2001 +From: Russell King +Date: Sun, 22 Sep 2019 11:26:58 +0100 +Subject: mmc: sdhci-of-esdhc: set DMA snooping based on DMA coherence + +From: Russell King + +commit 121bd08b029e03404c451bb237729cdff76eafed upstream. + +We must not unconditionally set the DMA snoop bit; if the DMA API is +assuming that the device is not DMA coherent, and the device snoops the +CPU caches, the device can see stale cache lines brought in by +speculative prefetch. + +This leads to the device seeing stale data, potentially resulting in +corrupted data transfers. Commonly, this results in a descriptor fetch +error such as: + +mmc0: ADMA error +mmc0: sdhci: ============ SDHCI REGISTER DUMP =========== +mmc0: sdhci: Sys addr: 0x00000000 | Version: 0x00002202 +mmc0: sdhci: Blk size: 0x00000008 | Blk cnt: 0x00000001 +mmc0: sdhci: Argument: 0x00000000 | Trn mode: 0x00000013 +mmc0: sdhci: Present: 0x01f50008 | Host ctl: 0x00000038 +mmc0: sdhci: Power: 0x00000003 | Blk gap: 0x00000000 +mmc0: sdhci: Wake-up: 0x00000000 | Clock: 0x000040d8 +mmc0: sdhci: Timeout: 0x00000003 | Int stat: 0x00000001 +mmc0: sdhci: Int enab: 0x037f108f | Sig enab: 0x037f108b +mmc0: sdhci: ACmd stat: 0x00000000 | Slot int: 0x00002202 +mmc0: sdhci: Caps: 0x35fa0000 | Caps_1: 0x0000af00 +mmc0: sdhci: Cmd: 0x0000333a | Max curr: 0x00000000 +mmc0: sdhci: Resp[0]: 0x00000920 | Resp[1]: 0x001d8a33 +mmc0: sdhci: Resp[2]: 0x325b5900 | Resp[3]: 0x3f400e00 +mmc0: sdhci: Host ctl2: 0x00000000 +mmc0: sdhci: ADMA Err: 0x00000009 | ADMA Ptr: 0x000000236d43820c +mmc0: sdhci: ============================================ +mmc0: error -5 whilst initialising SD card + +but can lead to other errors, and potentially direct the SDHCI +controller to read/write data to other memory locations (e.g. if a valid +descriptor is visible to the device in a stale cache line.) + +Fix this by ensuring that the DMA snoop bit corresponds with the +behaviour of the DMA API. Since the driver currently only supports DT, +use of_dma_is_coherent(). Note that device_get_dma_attr() can not be +used as that risks re-introducing this bug if/when the driver is +converted to ACPI. + +Signed-off-by: Russell King +Acked-by: Adrian Hunter +Cc: stable@vger.kernel.org +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/sdhci-of-esdhc.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/mmc/host/sdhci-of-esdhc.c ++++ b/drivers/mmc/host/sdhci-of-esdhc.c +@@ -480,7 +480,12 @@ static int esdhc_of_enable_dma(struct sd + dma_set_mask_and_coherent(dev, DMA_BIT_MASK(40)); + + value = sdhci_readl(host, ESDHC_DMA_SYSCTL); +- value |= ESDHC_DMA_SNOOP; ++ ++ if (of_dma_is_coherent(dev->of_node)) ++ value |= ESDHC_DMA_SNOOP; ++ else ++ value &= ~ESDHC_DMA_SNOOP; ++ + sdhci_writel(host, value, ESDHC_DMA_SYSCTL); + return 0; + } diff --git a/queue-4.19/pci-restore-resizable-bar-size-bits-correctly-for-1mb-bars.patch b/queue-4.19/pci-restore-resizable-bar-size-bits-correctly-for-1mb-bars.patch new file mode 100644 index 00000000000..8a118a164b0 --- /dev/null +++ b/queue-4.19/pci-restore-resizable-bar-size-bits-correctly-for-1mb-bars.patch @@ -0,0 +1,53 @@ +From d2182b2d4b71ff0549a07f414d921525fade707b Mon Sep 17 00:00:00 2001 +From: Sumit Saxena +Date: Fri, 26 Jul 2019 00:55:52 +0530 +Subject: PCI: Restore Resizable BAR size bits correctly for 1MB BARs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sumit Saxena + +commit d2182b2d4b71ff0549a07f414d921525fade707b upstream. + +In a Resizable BAR Control Register, bits 13:8 control the size of the BAR. +The encoded values of these bits are as follows (see PCIe r5.0, sec +7.8.6.3): + + Value BAR size + 0 1 MB (2^20 bytes) + 1 2 MB (2^21 bytes) + 2 4 MB (2^22 bytes) + ... + 43 8 EB (2^63 bytes) + +Previously we incorrectly set the BAR size bits for a 1 MB BAR to 0x1f +instead of 0, so devices that support that size, e.g., new megaraid_sas and +mpt3sas adapters, fail to initialize during resume from S3 sleep. + +Correctly calculate the BAR size bits for Resizable BAR control registers. + +Link: https://lore.kernel.org/r/20190725192552.24295-1-sumit.saxena@broadcom.com +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=203939 +Fixes: d3252ace0bc6 ("PCI: Restore resized BAR state on resume") +Signed-off-by: Sumit Saxena +Signed-off-by: Bjorn Helgaas +Reviewed-by: Christian König +Cc: stable@vger.kernel.org # v4.19+ +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/pci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/pci/pci.c ++++ b/drivers/pci/pci.c +@@ -1366,7 +1366,7 @@ static void pci_restore_rebar_state(stru + pci_read_config_dword(pdev, pos + PCI_REBAR_CTRL, &ctrl); + bar_idx = ctrl & PCI_REBAR_CTRL_BAR_IDX; + res = pdev->resource + bar_idx; +- size = order_base_2((resource_size(res) >> 20) | 1) - 1; ++ size = ilog2(resource_size(res)) - 20; + ctrl &= ~PCI_REBAR_CTRL_BAR_SIZE; + ctrl |= size << PCI_REBAR_CTRL_BAR_SHIFT; + pci_write_config_dword(pdev, pos + PCI_REBAR_CTRL, ctrl); diff --git a/queue-4.19/pci-vmd-fix-shadow-offsets-to-reflect-spec-changes.patch b/queue-4.19/pci-vmd-fix-shadow-offsets-to-reflect-spec-changes.patch new file mode 100644 index 00000000000..1ede5aff2ba --- /dev/null +++ b/queue-4.19/pci-vmd-fix-shadow-offsets-to-reflect-spec-changes.patch @@ -0,0 +1,55 @@ +From a1a30170138c9c5157bd514ccd4d76b47060f29b Mon Sep 17 00:00:00 2001 +From: Jon Derrick +Date: Mon, 16 Sep 2019 07:54:35 -0600 +Subject: PCI: vmd: Fix shadow offsets to reflect spec changes + +From: Jon Derrick + +commit a1a30170138c9c5157bd514ccd4d76b47060f29b upstream. + +The shadow offset scratchpad was moved to 0x2000-0x2010. Update the +location to get the correct shadow offset. + +Fixes: 6788958e4f3c ("PCI: vmd: Assign membar addresses from shadow registers") +Signed-off-by: Jon Derrick +Signed-off-by: Lorenzo Pieralisi +Cc: stable@vger.kernel.org # v5.2+ +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/controller/vmd.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/pci/controller/vmd.c ++++ b/drivers/pci/controller/vmd.c +@@ -31,6 +31,9 @@ + #define PCI_REG_VMLOCK 0x70 + #define MB2_SHADOW_EN(vmlock) (vmlock & 0x2) + ++#define MB2_SHADOW_OFFSET 0x2000 ++#define MB2_SHADOW_SIZE 16 ++ + enum vmd_features { + /* + * Device may contain registers which hint the physical location of the +@@ -600,7 +603,7 @@ static int vmd_enable_domain(struct vmd_ + u32 vmlock; + int ret; + +- membar2_offset = 0x2018; ++ membar2_offset = MB2_SHADOW_OFFSET + MB2_SHADOW_SIZE; + ret = pci_read_config_dword(vmd->dev, PCI_REG_VMLOCK, &vmlock); + if (ret || vmlock == ~0) + return -ENODEV; +@@ -612,9 +615,9 @@ static int vmd_enable_domain(struct vmd_ + if (!membar2) + return -ENOMEM; + offset[0] = vmd->dev->resource[VMD_MEMBAR1].start - +- readq(membar2 + 0x2008); ++ readq(membar2 + MB2_SHADOW_OFFSET); + offset[1] = vmd->dev->resource[VMD_MEMBAR2].start - +- readq(membar2 + 0x2010); ++ readq(membar2 + MB2_SHADOW_OFFSET + 8); + pci_iounmap(vmd->dev, membar2); + } + } diff --git a/queue-4.19/perf-stat-fix-a-segmentation-fault-when-using-repeat-forever.patch b/queue-4.19/perf-stat-fix-a-segmentation-fault-when-using-repeat-forever.patch new file mode 100644 index 00000000000..ab474331b8c --- /dev/null +++ b/queue-4.19/perf-stat-fix-a-segmentation-fault-when-using-repeat-forever.patch @@ -0,0 +1,104 @@ +From 443f2d5ba13d65ccfd879460f77941875159d154 Mon Sep 17 00:00:00 2001 +From: Srikar Dronamraju +Date: Wed, 4 Sep 2019 15:17:38 +0530 +Subject: perf stat: Fix a segmentation fault when using repeat forever + +From: Srikar Dronamraju + +commit 443f2d5ba13d65ccfd879460f77941875159d154 upstream. + +Observe a segmentation fault when 'perf stat' is asked to repeat forever +with the interval option. + +Without fix: + + # perf stat -r 0 -I 5000 -e cycles -a sleep 10 + # time counts unit events + 5.000211692 3,13,89,82,34,157 cycles + 10.000380119 1,53,98,52,22,294 cycles + 10.040467280 17,16,79,265 cycles + Segmentation fault + +This problem was only observed when we use forever option aka -r 0 and +works with limited repeats. Calling print_counter with ts being set to +NULL, is not a correct option when interval is set. Hence avoid +print_counter(NULL,..) if interval is set. + +With fix: + + # perf stat -r 0 -I 5000 -e cycles -a sleep 10 + # time counts unit events + 5.019866622 3,15,14,43,08,697 cycles + 10.039865756 3,15,16,31,95,261 cycles + 10.059950628 1,26,05,47,158 cycles + 5.009902655 3,14,52,62,33,932 cycles + 10.019880228 3,14,52,22,89,154 cycles + 10.030543876 66,90,18,333 cycles + 5.009848281 3,14,51,98,25,437 cycles + 10.029854402 3,15,14,93,04,918 cycles + 5.009834177 3,14,51,95,92,316 cycles + +Committer notes: + +Did the 'git bisect' to find the cset introducing the problem to add the +Fixes tag below, and at that time the problem reproduced as: + + (gdb) run stat -r0 -I500 sleep 1 + + Program received signal SIGSEGV, Segmentation fault. + print_interval (prefix=prefix@entry=0x7fffffffc8d0 "", ts=ts@entry=0x0) at builtin-stat.c:866 + 866 sprintf(prefix, "%6lu.%09lu%s", ts->tv_sec, ts->tv_nsec, csv_sep); + (gdb) bt + #0 print_interval (prefix=prefix@entry=0x7fffffffc8d0 "", ts=ts@entry=0x0) at builtin-stat.c:866 + #1 0x000000000041860a in print_counters (ts=ts@entry=0x0, argc=argc@entry=2, argv=argv@entry=0x7fffffffd640) at builtin-stat.c:938 + #2 0x0000000000419a7f in cmd_stat (argc=2, argv=0x7fffffffd640, prefix=) at builtin-stat.c:1411 + #3 0x000000000045c65a in run_builtin (p=p@entry=0x6291b8 , argc=argc@entry=5, argv=argv@entry=0x7fffffffd640) at perf.c:370 + #4 0x000000000045c893 in handle_internal_command (argc=5, argv=0x7fffffffd640) at perf.c:429 + #5 0x000000000045c8f1 in run_argv (argcp=argcp@entry=0x7fffffffd4ac, argv=argv@entry=0x7fffffffd4a0) at perf.c:473 + #6 0x000000000045cac9 in main (argc=, argv=) at perf.c:588 + (gdb) + +Mostly the same as just before this patch: + + Program received signal SIGSEGV, Segmentation fault. + 0x00000000005874a7 in print_interval (config=0xa1f2a0 , evlist=0xbc9b90, prefix=0x7fffffffd1c0 "`", ts=0x0) at util/stat-display.c:964 + 964 sprintf(prefix, "%6lu.%09lu%s", ts->tv_sec, ts->tv_nsec, config->csv_sep); + (gdb) bt + #0 0x00000000005874a7 in print_interval (config=0xa1f2a0 , evlist=0xbc9b90, prefix=0x7fffffffd1c0 "`", ts=0x0) at util/stat-display.c:964 + #1 0x0000000000588047 in perf_evlist__print_counters (evlist=0xbc9b90, config=0xa1f2a0 , _target=0xa1f0c0 , ts=0x0, argc=2, argv=0x7fffffffd670) + at util/stat-display.c:1172 + #2 0x000000000045390f in print_counters (ts=0x0, argc=2, argv=0x7fffffffd670) at builtin-stat.c:656 + #3 0x0000000000456bb5 in cmd_stat (argc=2, argv=0x7fffffffd670) at builtin-stat.c:1960 + #4 0x00000000004dd2e0 in run_builtin (p=0xa30e00 , argc=5, argv=0x7fffffffd670) at perf.c:310 + #5 0x00000000004dd54d in handle_internal_command (argc=5, argv=0x7fffffffd670) at perf.c:362 + #6 0x00000000004dd694 in run_argv (argcp=0x7fffffffd4cc, argv=0x7fffffffd4c0) at perf.c:406 + #7 0x00000000004dda11 in main (argc=5, argv=0x7fffffffd670) at perf.c:531 + (gdb) + +Fixes: d4f63a4741a8 ("perf stat: Introduce print_counters function") +Signed-off-by: Srikar Dronamraju +Acked-by: Jiri Olsa +Tested-by: Arnaldo Carvalho de Melo +Tested-by: Ravi Bangoria +Cc: Namhyung Kim +Cc: Naveen N. Rao +Cc: stable@vger.kernel.org # v4.2+ +Link: http://lore.kernel.org/lkml/20190904094738.9558-3-srikar@linux.vnet.ibm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman + +--- + tools/perf/builtin-stat.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/perf/builtin-stat.c ++++ b/tools/perf/builtin-stat.c +@@ -3091,7 +3091,7 @@ int cmd_stat(int argc, const char **argv + run_idx + 1); + + status = run_perf_stat(argc, argv, run_idx); +- if (forever && status != -1) { ++ if (forever && status != -1 && !interval) { + print_counters(NULL, argc, argv); + perf_stat__reset_stats(); + } diff --git a/queue-4.19/revert-locking-pvqspinlock-don-t-wait-if-vcpu-is-preempted.patch b/queue-4.19/revert-locking-pvqspinlock-don-t-wait-if-vcpu-is-preempted.patch new file mode 100644 index 00000000000..e9b19d2529f --- /dev/null +++ b/queue-4.19/revert-locking-pvqspinlock-don-t-wait-if-vcpu-is-preempted.patch @@ -0,0 +1,68 @@ +From 89340d0935c9296c7b8222b6eab30e67cb57ab82 Mon Sep 17 00:00:00 2001 +From: Wanpeng Li +Date: Mon, 9 Sep 2019 09:40:28 +0800 +Subject: Revert "locking/pvqspinlock: Don't wait if vCPU is preempted" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Wanpeng Li + +commit 89340d0935c9296c7b8222b6eab30e67cb57ab82 upstream. + +This patch reverts commit 75437bb304b20 (locking/pvqspinlock: Don't +wait if vCPU is preempted). A large performance regression was caused +by this commit. on over-subscription scenarios. + +The test was run on a Xeon Skylake box, 2 sockets, 40 cores, 80 threads, +with three VMs of 80 vCPUs each. The score of ebizzy -M is reduced from +13000-14000 records/s to 1700-1800 records/s: + + Host Guest score + +vanilla w/o kvm optimizations upstream 1700-1800 records/s +vanilla w/o kvm optimizations revert 13000-14000 records/s +vanilla w/ kvm optimizations upstream 4500-5000 records/s +vanilla w/ kvm optimizations revert 14000-15500 records/s + +Exit from aggressive wait-early mechanism can result in premature yield +and extra scheduling latency. + +Actually, only 6% of wait_early events are caused by vcpu_is_preempted() +being true. However, when one vCPU voluntarily releases its vCPU, all +the subsequently waiters in the queue will do the same and the cascading +effect leads to bad performance. + +kvm optimizations: +[1] commit d73eb57b80b (KVM: Boost vCPUs that are delivering interrupts) +[2] commit 266e85a5ec9 (KVM: X86: Boost queue head vCPU to mitigate lock waiter preemption) + +Tested-by: loobinliu@tencent.com +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: Ingo Molnar +Cc: Waiman Long +Cc: Paolo Bonzini +Cc: Radim Krčmář +Cc: loobinliu@tencent.com +Cc: stable@vger.kernel.org +Fixes: 75437bb304b20 (locking/pvqspinlock: Don't wait if vCPU is preempted) +Signed-off-by: Wanpeng Li +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/locking/qspinlock_paravirt.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/locking/qspinlock_paravirt.h ++++ b/kernel/locking/qspinlock_paravirt.h +@@ -271,7 +271,7 @@ pv_wait_early(struct pv_node *prev, int + if ((loop & PV_PREV_CHECK_MASK) != 0) + return false; + +- return READ_ONCE(prev->state) != vcpu_running || vcpu_is_preempted(prev->cpu); ++ return READ_ONCE(prev->state) != vcpu_running; + } + + /* diff --git a/queue-4.19/series b/queue-4.19/series index 6f48e6c627d..f6773bf57b1 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -30,4 +30,18 @@ power-supply-sbs-battery-only-return-health-when-battery-present.patch tracing-make-sure-variable-reference-alias-has-correct-var_ref_idx.patch usercopy-avoid-highmem-pfn-warning.patch timer-read-jiffies-once-when-forwarding-base-clk.patch +pci-vmd-fix-shadow-offsets-to-reflect-spec-changes.patch +pci-restore-resizable-bar-size-bits-correctly-for-1mb-bars.patch +watchdog-imx2_wdt-fix-min-calculation-in-imx2_wdt_set_timeout.patch +perf-stat-fix-a-segmentation-fault-when-using-repeat-forever.patch +drm-omap-fix-max-fclk-divider-for-omap36xx.patch +drm-msm-dsi-fix-return-value-check-for-clk_get_parent.patch +drm-nouveau-kms-nv50-don-t-create-mstms-for-edp-connectors.patch +drm-i915-gvt-update-vgpu-workload-head-pointer-correctly.patch +mmc-sdhci-improve-adma-error-reporting.patch +mmc-sdhci-of-esdhc-set-dma-snooping-based-on-dma-coherence.patch +revert-locking-pvqspinlock-don-t-wait-if-vcpu-is-preempted.patch +xen-xenbus-fix-self-deadlock-after-killing-user-process.patch +ieee802154-atusb-fix-use-after-free-at-disconnect.patch s390-cio-avoid-calling-strlen-on-null-pointer.patch +cfg80211-initialize-on-stack-chandefs.patch diff --git a/queue-4.19/watchdog-imx2_wdt-fix-min-calculation-in-imx2_wdt_set_timeout.patch b/queue-4.19/watchdog-imx2_wdt-fix-min-calculation-in-imx2_wdt_set_timeout.patch new file mode 100644 index 00000000000..25fa4b8da7e --- /dev/null +++ b/queue-4.19/watchdog-imx2_wdt-fix-min-calculation-in-imx2_wdt_set_timeout.patch @@ -0,0 +1,53 @@ +From 144783a80cd2cbc45c6ce17db649140b65f203dd Mon Sep 17 00:00:00 2001 +From: Rasmus Villemoes +Date: Mon, 12 Aug 2019 15:13:56 +0200 +Subject: watchdog: imx2_wdt: fix min() calculation in imx2_wdt_set_timeout + +From: Rasmus Villemoes + +commit 144783a80cd2cbc45c6ce17db649140b65f203dd upstream. + +Converting from ms to s requires dividing by 1000, not multiplying. So +this is currently taking the smaller of new_timeout and 1.28e8, +i.e. effectively new_timeout. + +The driver knows what it set max_hw_heartbeat_ms to, so use that +value instead of doing a division at run-time. + +FWIW, this can easily be tested by booting into a busybox shell and +doing "watchdog -t 5 -T 130 /dev/watchdog" - without this patch, the +watchdog fires after 130&127 == 2 seconds. + +Fixes: b07e228eee69 "watchdog: imx2_wdt: Fix set_timeout for big timeout values" +Cc: stable@vger.kernel.org # 5.2 plus anything the above got backported to +Signed-off-by: Rasmus Villemoes +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20190812131356.23039-1-linux@rasmusvillemoes.dk +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/watchdog/imx2_wdt.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/watchdog/imx2_wdt.c ++++ b/drivers/watchdog/imx2_wdt.c +@@ -55,7 +55,7 @@ + + #define IMX2_WDT_WMCR 0x08 /* Misc Register */ + +-#define IMX2_WDT_MAX_TIME 128 ++#define IMX2_WDT_MAX_TIME 128U + #define IMX2_WDT_DEFAULT_TIME 60 /* in seconds */ + + #define WDOG_SEC_TO_COUNT(s) ((s * 2 - 1) << 8) +@@ -180,7 +180,7 @@ static int imx2_wdt_set_timeout(struct w + { + unsigned int actual; + +- actual = min(new_timeout, wdog->max_hw_heartbeat_ms * 1000); ++ actual = min(new_timeout, IMX2_WDT_MAX_TIME); + __imx2_wdt_set_timeout(wdog, actual); + wdog->timeout = new_timeout; + return 0; diff --git a/queue-4.19/xen-xenbus-fix-self-deadlock-after-killing-user-process.patch b/queue-4.19/xen-xenbus-fix-self-deadlock-after-killing-user-process.patch new file mode 100644 index 00000000000..e8e175df18b --- /dev/null +++ b/queue-4.19/xen-xenbus-fix-self-deadlock-after-killing-user-process.patch @@ -0,0 +1,112 @@ +From a8fabb38525c51a094607768bac3ba46b3f4a9d5 Mon Sep 17 00:00:00 2001 +From: Juergen Gross +Date: Tue, 1 Oct 2019 17:03:55 +0200 +Subject: xen/xenbus: fix self-deadlock after killing user process + +From: Juergen Gross + +commit a8fabb38525c51a094607768bac3ba46b3f4a9d5 upstream. + +In case a user process using xenbus has open transactions and is killed +e.g. via ctrl-C the following cleanup of the allocated resources might +result in a deadlock due to trying to end a transaction in the xenbus +worker thread: + +[ 2551.474706] INFO: task xenbus:37 blocked for more than 120 seconds. +[ 2551.492215] Tainted: P OE 5.0.0-29-generic #5 +[ 2551.510263] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. +[ 2551.528585] xenbus D 0 37 2 0x80000080 +[ 2551.528590] Call Trace: +[ 2551.528603] __schedule+0x2c0/0x870 +[ 2551.528606] ? _cond_resched+0x19/0x40 +[ 2551.528632] schedule+0x2c/0x70 +[ 2551.528637] xs_talkv+0x1ec/0x2b0 +[ 2551.528642] ? wait_woken+0x80/0x80 +[ 2551.528645] xs_single+0x53/0x80 +[ 2551.528648] xenbus_transaction_end+0x3b/0x70 +[ 2551.528651] xenbus_file_free+0x5a/0x160 +[ 2551.528654] xenbus_dev_queue_reply+0xc4/0x220 +[ 2551.528657] xenbus_thread+0x7de/0x880 +[ 2551.528660] ? wait_woken+0x80/0x80 +[ 2551.528665] kthread+0x121/0x140 +[ 2551.528667] ? xb_read+0x1d0/0x1d0 +[ 2551.528670] ? kthread_park+0x90/0x90 +[ 2551.528673] ret_from_fork+0x35/0x40 + +Fix this by doing the cleanup via a workqueue instead. + +Reported-by: James Dingwall +Fixes: fd8aa9095a95c ("xen: optimize xenbus driver for multiple concurrent xenstore accesses") +Cc: # 4.11 +Signed-off-by: Juergen Gross +Reviewed-by: Boris Ostrovsky +Signed-off-by: Boris Ostrovsky +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/xen/xenbus/xenbus_dev_frontend.c | 20 ++++++++++++++++++-- + 1 file changed, 18 insertions(+), 2 deletions(-) + +--- a/drivers/xen/xenbus/xenbus_dev_frontend.c ++++ b/drivers/xen/xenbus/xenbus_dev_frontend.c +@@ -55,6 +55,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -116,6 +117,8 @@ struct xenbus_file_priv { + wait_queue_head_t read_waitq; + + struct kref kref; ++ ++ struct work_struct wq; + }; + + /* Read out any raw xenbus messages queued up. */ +@@ -300,14 +303,14 @@ static void watch_fired(struct xenbus_wa + mutex_unlock(&adap->dev_data->reply_mutex); + } + +-static void xenbus_file_free(struct kref *kref) ++static void xenbus_worker(struct work_struct *wq) + { + struct xenbus_file_priv *u; + struct xenbus_transaction_holder *trans, *tmp; + struct watch_adapter *watch, *tmp_watch; + struct read_buffer *rb, *tmp_rb; + +- u = container_of(kref, struct xenbus_file_priv, kref); ++ u = container_of(wq, struct xenbus_file_priv, wq); + + /* + * No need for locking here because there are no other users, +@@ -333,6 +336,18 @@ static void xenbus_file_free(struct kref + kfree(u); + } + ++static void xenbus_file_free(struct kref *kref) ++{ ++ struct xenbus_file_priv *u; ++ ++ /* ++ * We might be called in xenbus_thread(). ++ * Use workqueue to avoid deadlock. ++ */ ++ u = container_of(kref, struct xenbus_file_priv, kref); ++ schedule_work(&u->wq); ++} ++ + static struct xenbus_transaction_holder *xenbus_get_transaction( + struct xenbus_file_priv *u, uint32_t tx_id) + { +@@ -652,6 +667,7 @@ static int xenbus_file_open(struct inode + INIT_LIST_HEAD(&u->watches); + INIT_LIST_HEAD(&u->read_buffers); + init_waitqueue_head(&u->read_waitq); ++ INIT_WORK(&u->wq, xenbus_worker); + + mutex_init(&u->reply_mutex); + mutex_init(&u->msgbuffer_mutex); -- 2.47.2