From bb104d9ef859ed01e760512e1cb5485c02749b7a Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Tue, 11 Jun 2019 13:35:56 -0400 Subject: [PATCH] fixes for 4.9 Signed-off-by: Sasha Levin --- ...r-irq-handler-after-the-chip-initial.patch | 63 ++++ ...ect-in-kernel-ioctl-calls-with-mutex.patch | 53 ++++ ...lways-enable-necessary-apio_1v8-and-.patch | 52 ++++ ...specify-imx6qdl_clk_ipg-as-ipg-clock.patch | 48 +++ ...pecify-imx6sx_clk_ipg-as-ahb-clock-t.patch | 45 +++ ...pecify-imx6sx_clk_ipg-as-ipg-clock-t.patch | 45 +++ ...pecify-imx6ul_clk_ipg-as-ipg-clock-t.patch | 45 +++ ...ecify-imx7d_clk_ipg-as-ipg-clock-to-.patch | 47 +++ ...ndefined-instruction-during-exynos54.patch | 88 ++++++ ...rm-prevent-tracing-ipi_cpu_backtrace.patch | 106 +++++++ ...n-on-aclk_dmac1-for-suspend-on-rk328.patch | 89 ++++++ ...sible-use-after-free-in-configfs_reg.patch | 135 +++++++++ ...-use-actual-device-for-dma-transfers.patch | 131 +++++++++ ...tsens-don-t-print-error-message-on-e.patch | 41 +++ ...v7511-fix-low-refresh-rate-selection.patch | 49 ++++ ...ix-to-avoid-panic-in-do_recover_data.patch | 78 +++++ ...r-dirty-inode-in-error-path-of-f2fs_.patch | 69 +++++ ...anity-check-on-valid-block-count-of-.patch | 93 ++++++ ...sue-flush-after-the-writeback-of-fat.patch | 54 ++++ ...-fuse-reads-to-have-enough-buffer-ca.patch | 82 ++++++ ...p-requested-size-to-negotiated-max_w.patch | 66 +++++ ...add-check-for-off-wake-capable-gpios.patch | 82 ++++++ ...tore-reserve-error-path-retain-subpo.patch | 80 +++++ ...set-intel_iommu_gfx_mapped-correctly.patch | 54 ++++ ...ent-lockup-on-alloc_msg-and-free_msg.patch | 159 ++++++++++ ...tl-fix-false-positive-in-validate_pr.patch | 54 ++++ ...node-spanned-pages-when-we-have-a-no.patch | 112 +++++++ ...et-the-device-in-reset-state-when-in.patch | 70 +++++ ...pi-add-missing-of-table-registration.patch | 43 +++ ...device-init-errors-for-accctl-regist.patch | 62 ++++ ...ake-sure-dt-memory-regions-are-valid.patch | 69 +++++ ...sh-on-cma-allocation-if-bitmap-alloc.patch | 44 +++ ...ix-the-break-condition-in-cma_maxchu.patch | 44 +++ ...c-fix-an-infinite-loop-in-leaks_show.patch | 85 ++++++ ...low-fh_want_write-to-be-called-twice.patch | 51 ++++ ...low-tai-utc-offset-to-be-set-to-zero.patch | 46 +++ .../nvmem-core-fix-read-buffer-in-place.patch | 63 ++++ ...don-t-use-ignore-flag-for-fake-jumps.patch | 70 +++++ ...x-64bit-msi-message-address-handling.patch | 76 +++++ ...a-potential-null-pointer-dereference.patch | 39 +++ ...-leaked-device_node-references-in-ad.patch | 63 ++++ ...x-check-for-__get_free_pages-failure.patch | 66 +++++ ...llow-pebs-multi-entry-in-watermark-m.patch | 47 +++ ...cros_ec_proto-check-for-null-transfe.patch | 51 ++++ ...-intel_pmc_ipc-adding-error-handling.patch | 47 +++ ...ock-warning-when-removing-pwm-device.patch | 275 ++++++++++++++++++ ...e-spin-lock-only-to-protect-register.patch | 142 +++++++++ ...ate-shadow-register-for-disabling-pw.patch | 47 +++ ...ll-pointer-dereference-when-create_w.patch | 42 +++ queue-4.9/series | 58 ++++ ...ap-zero-initialize-rdata-in-pwrap_in.patch | 44 +++ ...return-einval-if-val-violates-minmax.patch | 53 ++++ ...a-boot-splat-wrt-use-of-cpu_all_mask.patch | 87 ++++++ ...x-potential-null-pointer-dereference.patch | 36 +++ ...x-potential-null-pointer-dereference.patch | 41 +++ ...pile-time-error-of-pretimeout-govern.patch | 50 ++++ ...t-fix-set_timeout-for-big-timeout-va.patch | 41 +++ ...ends-instead-of-select-for-pretimeou.patch | 94 ++++++ ...ix-pci-irq-routing-table-memory-leak.patch | 67 +++++ 59 files changed, 4133 insertions(+) create mode 100644 queue-4.9/alsa-hda-register-irq-handler-after-the-chip-initial.patch create mode 100644 queue-4.9/alsa-seq-protect-in-kernel-ioctl-calls-with-mutex.patch create mode 100644 queue-4.9/arm-dts-exynos-always-enable-necessary-apio_1v8-and-.patch create mode 100644 queue-4.9/arm-dts-imx6qdl-specify-imx6qdl_clk_ipg-as-ipg-clock.patch create mode 100644 queue-4.9/arm-dts-imx6sx-specify-imx6sx_clk_ipg-as-ahb-clock-t.patch create mode 100644 queue-4.9/arm-dts-imx6sx-specify-imx6sx_clk_ipg-as-ipg-clock-t.patch create mode 100644 queue-4.9/arm-dts-imx6ul-specify-imx6ul_clk_ipg-as-ipg-clock-t.patch create mode 100644 queue-4.9/arm-dts-imx7d-specify-imx7d_clk_ipg-as-ipg-clock-to-.patch create mode 100644 queue-4.9/arm-exynos-fix-undefined-instruction-during-exynos54.patch create mode 100644 queue-4.9/arm-prevent-tracing-ipi_cpu_backtrace.patch create mode 100644 queue-4.9/clk-rockchip-turn-on-aclk_dmac1-for-suspend-on-rk328.patch create mode 100644 queue-4.9/configfs-fix-possible-use-after-free-in-configfs_reg.patch create mode 100644 queue-4.9/dmaengine-idma64-use-actual-device-for-dma-transfers.patch create mode 100644 queue-4.9/drivers-thermal-tsens-don-t-print-error-message-on-e.patch create mode 100644 queue-4.9/drm-bridge-adv7511-fix-low-refresh-rate-selection.patch create mode 100644 queue-4.9/f2fs-fix-to-avoid-panic-in-do_recover_data.patch create mode 100644 queue-4.9/f2fs-fix-to-clear-dirty-inode-in-error-path-of-f2fs_.patch create mode 100644 queue-4.9/f2fs-fix-to-do-sanity-check-on-valid-block-count-of-.patch create mode 100644 queue-4.9/fs-fat-file.c-issue-flush-after-the-writeback-of-fat.patch create mode 100644 queue-4.9/fuse-require-dev-fuse-reads-to-have-enough-buffer-ca.patch create mode 100644 queue-4.9/fuse-retrieve-cap-requested-size-to-negotiated-max_w.patch create mode 100644 queue-4.9/gpio-gpio-omap-add-check-for-off-wake-capable-gpios.patch create mode 100644 queue-4.9/hugetlbfs-on-restore-reserve-error-path-retain-subpo.patch create mode 100644 queue-4.9/iommu-vt-d-set-intel_iommu_gfx_mapped-correctly.patch create mode 100644 queue-4.9/ipc-prevent-lockup-on-alloc_msg-and-free_msg.patch create mode 100644 queue-4.9/kernel-sys.c-prctl-fix-false-positive-in-validate_pr.patch create mode 100644 queue-4.9/mem-hotplug-fix-node-spanned-pages-when-we-have-a-no.patch create mode 100644 queue-4.9/mfd-intel-lpss-set-the-device-in-reset-state-when-in.patch create mode 100644 queue-4.9/mfd-tps65912-spi-add-missing-of-table-registration.patch create mode 100644 queue-4.9/mfd-twl6040-fix-device-init-errors-for-accctl-regist.patch create mode 100644 queue-4.9/mips-make-sure-dt-memory-regions-are-valid.patch create mode 100644 queue-4.9/mm-cma.c-fix-crash-on-cma-allocation-if-bitmap-alloc.patch create mode 100644 queue-4.9/mm-cma_debug.c-fix-the-break-condition-in-cma_maxchu.patch create mode 100644 queue-4.9/mm-slab.c-fix-an-infinite-loop-in-leaks_show.patch create mode 100644 queue-4.9/nfsd-allow-fh_want_write-to-be-called-twice.patch create mode 100644 queue-4.9/ntp-allow-tai-utc-offset-to-be-set-to-zero.patch create mode 100644 queue-4.9/nvmem-core-fix-read-buffer-in-place.patch create mode 100644 queue-4.9/objtool-don-t-use-ignore-flag-for-fake-jumps.patch create mode 100644 queue-4.9/pci-rcar-fix-64bit-msi-message-address-handling.patch create mode 100644 queue-4.9/pci-rcar-fix-a-potential-null-pointer-dereference.patch create mode 100644 queue-4.9/pci-rpadlpar-fix-leaked-device_node-references-in-ad.patch create mode 100644 queue-4.9/pci-xilinx-check-for-__get_free_pages-failure.patch create mode 100644 queue-4.9/perf-x86-intel-allow-pebs-multi-entry-in-watermark-m.patch create mode 100644 queue-4.9/platform-chrome-cros_ec_proto-check-for-null-transfe.patch create mode 100644 queue-4.9/platform-x86-intel_pmc_ipc-adding-error-handling.patch create mode 100644 queue-4.9/pwm-fix-deadlock-warning-when-removing-pwm-device.patch create mode 100644 queue-4.9/pwm-meson-use-the-spin-lock-only-to-protect-register.patch create mode 100644 queue-4.9/pwm-tiehrpwm-update-shadow-register-for-disabling-pw.patch create mode 100644 queue-4.9/rapidio-fix-a-null-pointer-dereference-when-create_w.patch create mode 100644 queue-4.9/series create mode 100644 queue-4.9/soc-mediatek-pwrap-zero-initialize-rdata-in-pwrap_in.patch create mode 100644 queue-4.9/sysctl-return-einval-if-val-violates-minmax.patch create mode 100644 queue-4.9/uml-fix-a-boot-splat-wrt-use-of-cpu_all_mask.patch create mode 100644 queue-4.9/video-hgafb-fix-potential-null-pointer-dereference.patch create mode 100644 queue-4.9/video-imsttfb-fix-potential-null-pointer-dereference.patch create mode 100644 queue-4.9/watchdog-fix-compile-time-error-of-pretimeout-govern.patch create mode 100644 queue-4.9/watchdog-imx2_wdt-fix-set_timeout-for-big-timeout-va.patch create mode 100644 queue-4.9/watchdog-use-depends-instead-of-select-for-pretimeou.patch create mode 100644 queue-4.9/x86-pci-fix-pci-irq-routing-table-memory-leak.patch diff --git a/queue-4.9/alsa-hda-register-irq-handler-after-the-chip-initial.patch b/queue-4.9/alsa-hda-register-irq-handler-after-the-chip-initial.patch new file mode 100644 index 00000000000..40f88059b85 --- /dev/null +++ b/queue-4.9/alsa-hda-register-irq-handler-after-the-chip-initial.patch @@ -0,0 +1,63 @@ +From add7295bdf594000486225e2fbe42b15191241bf Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 30 Apr 2019 12:18:28 +0200 +Subject: ALSA: hda - Register irq handler after the chip initialization + +[ Upstream commit f495222e28275222ab6fd93813bd3d462e16d340 ] + +Currently the IRQ handler in HD-audio controller driver is registered +before the chip initialization. That is, we have some window opened +between the azx_acquire_irq() call and the CORB/RIRB setup. If an +interrupt is triggered in this small window, the IRQ handler may +access to the uninitialized RIRB buffer, which leads to a NULL +dereference Oops. + +This is usually no big problem since most of Intel chips do register +the IRQ via MSI, and we've already fixed the order of the IRQ +enablement and the CORB/RIRB setup in the former commit b61749a89f82 +("sound: enable interrupt after dma buffer initialization"), hence the +IRQ won't be triggered in that room. However, some platforms use a +shared IRQ, and this may allow the IRQ trigger by another source. + +Another possibility is the kdump environment: a stale interrupt might +be present in there, the IRQ handler can be falsely triggered as well. + +For covering this small race, let's move the azx_acquire_irq() call +after hda_intel_init_chip() call. Although this is a bit radical +change, it can cover more widely than checking the CORB/RIRB setup +locally in the callee side. + +Reported-by: Liwei Song +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/hda_intel.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c +index 789eca17fc60..f2f1d9fd848c 100644 +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -1700,9 +1700,6 @@ static int azx_first_init(struct azx *chip) + chip->msi = 0; + } + +- if (azx_acquire_irq(chip, 0) < 0) +- return -EBUSY; +- + pci_set_master(pci); + synchronize_irq(bus->irq); + +@@ -1809,6 +1806,9 @@ static int azx_first_init(struct azx *chip) + return -ENODEV; + } + ++ if (azx_acquire_irq(chip, 0) < 0) ++ return -EBUSY; ++ + strcpy(card->driver, "HDA-Intel"); + strlcpy(card->shortname, driver_short_names[chip->driver_type], + sizeof(card->shortname)); +-- +2.20.1 + diff --git a/queue-4.9/alsa-seq-protect-in-kernel-ioctl-calls-with-mutex.patch b/queue-4.9/alsa-seq-protect-in-kernel-ioctl-calls-with-mutex.patch new file mode 100644 index 00000000000..c086c8dbc39 --- /dev/null +++ b/queue-4.9/alsa-seq-protect-in-kernel-ioctl-calls-with-mutex.patch @@ -0,0 +1,53 @@ +From 92f88c2772ca91b85e854e7d5b628fe251942efd Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 9 Apr 2019 17:35:22 +0200 +Subject: ALSA: seq: Protect in-kernel ioctl calls with mutex + +[ Upstream commit feb689025fbb6f0aa6297d3ddf97de945ea4ad32 ] + +ALSA OSS sequencer calls the ioctl function indirectly via +snd_seq_kernel_client_ctl(). While we already applied the protection +against races between the normal ioctls and writes via the client's +ioctl_mutex, this code path was left untouched. And this seems to be +the cause of still remaining some rare UAF as spontaneously triggered +by syzkaller. + +For the sake of robustness, wrap the ioctl_mutex also for the call via +snd_seq_kernel_client_ctl(), too. + +Reported-by: syzbot+e4c8abb920efa77bace9@syzkaller.appspotmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/seq/seq_clientmgr.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c +index 09491b27092e..3b1b2e9fb33e 100644 +--- a/sound/core/seq/seq_clientmgr.c ++++ b/sound/core/seq/seq_clientmgr.c +@@ -2354,14 +2354,19 @@ int snd_seq_kernel_client_ctl(int clientid, unsigned int cmd, void *arg) + { + const struct ioctl_handler *handler; + struct snd_seq_client *client; ++ int err; + + client = clientptr(clientid); + if (client == NULL) + return -ENXIO; + + for (handler = ioctl_handlers; handler->cmd > 0; ++handler) { +- if (handler->cmd == cmd) +- return handler->func(client, arg); ++ if (handler->cmd == cmd) { ++ mutex_lock(&client->ioctl_mutex); ++ err = handler->func(client, arg); ++ mutex_unlock(&client->ioctl_mutex); ++ return err; ++ } + } + + pr_debug("ALSA: seq unknown ioctl() 0x%x (type='%c', number=0x%02x)\n", +-- +2.20.1 + diff --git a/queue-4.9/arm-dts-exynos-always-enable-necessary-apio_1v8-and-.patch b/queue-4.9/arm-dts-exynos-always-enable-necessary-apio_1v8-and-.patch new file mode 100644 index 00000000000..e625be43f79 --- /dev/null +++ b/queue-4.9/arm-dts-exynos-always-enable-necessary-apio_1v8-and-.patch @@ -0,0 +1,52 @@ +From d0236dda0d91a6aa934ca709198ad49d339dd82e Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Thu, 14 Mar 2019 21:02:17 +0100 +Subject: ARM: dts: exynos: Always enable necessary APIO_1V8 and ABB_1V8 + regulators on Arndale Octa + +[ Upstream commit 5ab99cf7d5e96e3b727c30e7a8524c976bd3723d ] + +The PVDD_APIO_1V8 (LDO2) and PVDD_ABB_1V8 (LDO8) regulators were turned +off by Linux kernel as unused. However they supply critical parts of +SoC so they should be always on: + +1. PVDD_APIO_1V8 supplies SYS pins (gpx[0-3], PSHOLD), HDMI level shift, + RTC, VDD1_12 (DRAM internal 1.8 V logic), pull-up for PMIC interrupt + lines, TTL/UARTR level shift, reset pins and SW-TACT1 button. + It also supplies unused blocks like VDDQ_SRAM (for SROM controller) and + VDDQ_GPIO (gpm7, gpy7). + The LDO2 cannot be turned off (S2MPS11 keeps it on anyway) so + marking it "always-on" only reflects its real status. + +2. PVDD_ABB_1V8 supplies Adaptive Body Bias Generator for ARM cores, + memory and Mali (G3D). + +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/exynos5420-arndale-octa.dts | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/arm/boot/dts/exynos5420-arndale-octa.dts b/arch/arm/boot/dts/exynos5420-arndale-octa.dts +index 9cc83c51c925..e664c33c3c64 100644 +--- a/arch/arm/boot/dts/exynos5420-arndale-octa.dts ++++ b/arch/arm/boot/dts/exynos5420-arndale-octa.dts +@@ -110,6 +110,7 @@ + regulator-name = "PVDD_APIO_1V8"; + regulator-min-microvolt = <1800000>; + regulator-max-microvolt = <1800000>; ++ regulator-always-on; + }; + + ldo3_reg: LDO3 { +@@ -148,6 +149,7 @@ + regulator-name = "PVDD_ABB_1V8"; + regulator-min-microvolt = <1800000>; + regulator-max-microvolt = <1800000>; ++ regulator-always-on; + }; + + ldo9_reg: LDO9 { +-- +2.20.1 + diff --git a/queue-4.9/arm-dts-imx6qdl-specify-imx6qdl_clk_ipg-as-ipg-clock.patch b/queue-4.9/arm-dts-imx6qdl-specify-imx6qdl_clk_ipg-as-ipg-clock.patch new file mode 100644 index 00000000000..ba633ef3c38 --- /dev/null +++ b/queue-4.9/arm-dts-imx6qdl-specify-imx6qdl_clk_ipg-as-ipg-clock.patch @@ -0,0 +1,48 @@ +From ea236030a7ed68eeb65ce0b41b374b70c2ae0003 Mon Sep 17 00:00:00 2001 +From: Andrey Smirnov +Date: Thu, 28 Mar 2019 23:49:16 -0700 +Subject: ARM: dts: imx6qdl: Specify IMX6QDL_CLK_IPG as "ipg" clock to SDMA + +[ Upstream commit b14c872eebc501b9640b04f4a152df51d6eaf2fc ] + +Since 25aaa75df1e6 SDMA driver uses clock rates of "ipg" and "ahb" +clock to determine if it needs to configure the IP block as operating +at 1:1 or 1:2 clock ratio (ACR bit in SDMAARM_CONFIG). Specifying both +clocks as IMX6QDL_CLK_SDMA results in driver incorrectly thinking that +ratio is 1:1 which results in broken SDMA funtionality(this at least +breaks RAVE SP serdev driver on RDU2). Fix the code to specify +IMX6QDL_CLK_IPG as "ipg" clock for SDMA, to avoid detecting incorrect +clock ratio. + +Signed-off-by: Andrey Smirnov +Reviewed-by: Lucas Stach +Cc: Angus Ainslie (Purism) +Cc: Chris Healy +Cc: Lucas Stach +Cc: Fabio Estevam +Cc: Shawn Guo +Cc: linux-arm-kernel@lists.infradead.org +Cc: linux-kernel@vger.kernel.org +Tested-by: Adam Ford +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx6qdl.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/imx6qdl.dtsi b/arch/arm/boot/dts/imx6qdl.dtsi +index b13b0b2db881..8ccafdfbe87c 100644 +--- a/arch/arm/boot/dts/imx6qdl.dtsi ++++ b/arch/arm/boot/dts/imx6qdl.dtsi +@@ -875,7 +875,7 @@ + compatible = "fsl,imx6q-sdma", "fsl,imx35-sdma"; + reg = <0x020ec000 0x4000>; + interrupts = <0 2 IRQ_TYPE_LEVEL_HIGH>; +- clocks = <&clks IMX6QDL_CLK_SDMA>, ++ clocks = <&clks IMX6QDL_CLK_IPG>, + <&clks IMX6QDL_CLK_SDMA>; + clock-names = "ipg", "ahb"; + #dma-cells = <3>; +-- +2.20.1 + diff --git a/queue-4.9/arm-dts-imx6sx-specify-imx6sx_clk_ipg-as-ahb-clock-t.patch b/queue-4.9/arm-dts-imx6sx-specify-imx6sx_clk_ipg-as-ahb-clock-t.patch new file mode 100644 index 00000000000..2b938cd0e3f --- /dev/null +++ b/queue-4.9/arm-dts-imx6sx-specify-imx6sx_clk_ipg-as-ahb-clock-t.patch @@ -0,0 +1,45 @@ +From c0c39be41f73b6c4e22a0cf11189c902181cf0e3 Mon Sep 17 00:00:00 2001 +From: Andrey Smirnov +Date: Thu, 28 Mar 2019 23:49:21 -0700 +Subject: ARM: dts: imx6sx: Specify IMX6SX_CLK_IPG as "ahb" clock to SDMA + +[ Upstream commit cc839d0f8c284fcb7591780b568f13415bbb737c ] + +Since 25aaa75df1e6 SDMA driver uses clock rates of "ipg" and "ahb" +clock to determine if it needs to configure the IP block as operating +at 1:1 or 1:2 clock ratio (ACR bit in SDMAARM_CONFIG). Specifying both +clocks as IMX6SL_CLK_SDMA results in driver incorrectly thinking that +ratio is 1:1 which results in broken SDMA funtionality. Fix the code +to specify IMX6SL_CLK_AHB as "ahb" clock for SDMA, to avoid detecting +incorrect clock ratio. + +Signed-off-by: Andrey Smirnov +Cc: Angus Ainslie (Purism) +Cc: Chris Healy +Cc: Lucas Stach +Cc: Fabio Estevam +Cc: Shawn Guo +Cc: linux-arm-kernel@lists.infradead.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx6sl.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/imx6sl.dtsi b/arch/arm/boot/dts/imx6sl.dtsi +index 02378db3f5fc..a2c76797e871 100644 +--- a/arch/arm/boot/dts/imx6sl.dtsi ++++ b/arch/arm/boot/dts/imx6sl.dtsi +@@ -704,7 +704,7 @@ + reg = <0x020ec000 0x4000>; + interrupts = <0 2 IRQ_TYPE_LEVEL_HIGH>; + clocks = <&clks IMX6SL_CLK_SDMA>, +- <&clks IMX6SL_CLK_SDMA>; ++ <&clks IMX6SL_CLK_AHB>; + clock-names = "ipg", "ahb"; + #dma-cells = <3>; + /* imx6sl reuses imx6q sdma firmware */ +-- +2.20.1 + diff --git a/queue-4.9/arm-dts-imx6sx-specify-imx6sx_clk_ipg-as-ipg-clock-t.patch b/queue-4.9/arm-dts-imx6sx-specify-imx6sx_clk_ipg-as-ipg-clock-t.patch new file mode 100644 index 00000000000..7a2c634b9e2 --- /dev/null +++ b/queue-4.9/arm-dts-imx6sx-specify-imx6sx_clk_ipg-as-ipg-clock-t.patch @@ -0,0 +1,45 @@ +From 2deb80fad87718e72d17b60a747dd27f69d75fcc Mon Sep 17 00:00:00 2001 +From: Andrey Smirnov +Date: Thu, 28 Mar 2019 23:49:17 -0700 +Subject: ARM: dts: imx6sx: Specify IMX6SX_CLK_IPG as "ipg" clock to SDMA + +[ Upstream commit 8979117765c19edc3b01cc0ef853537bf93eea4b ] + +Since 25aaa75df1e6 SDMA driver uses clock rates of "ipg" and "ahb" +clock to determine if it needs to configure the IP block as operating +at 1:1 or 1:2 clock ratio (ACR bit in SDMAARM_CONFIG). Specifying both +clocks as IMX6SX_CLK_SDMA results in driver incorrectly thinking that +ratio is 1:1 which results in broken SDMA funtionality. Fix the code +to specify IMX6SX_CLK_IPG as "ipg" clock for SDMA, to avoid detecting +incorrect clock ratio. + +Signed-off-by: Andrey Smirnov +Cc: Angus Ainslie (Purism) +Cc: Chris Healy +Cc: Lucas Stach +Cc: Fabio Estevam +Cc: Shawn Guo +Cc: linux-arm-kernel@lists.infradead.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx6sx.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/imx6sx.dtsi b/arch/arm/boot/dts/imx6sx.dtsi +index a885052157f0..5834194b62e1 100644 +--- a/arch/arm/boot/dts/imx6sx.dtsi ++++ b/arch/arm/boot/dts/imx6sx.dtsi +@@ -751,7 +751,7 @@ + compatible = "fsl,imx6sx-sdma", "fsl,imx6q-sdma"; + reg = <0x020ec000 0x4000>; + interrupts = ; +- clocks = <&clks IMX6SX_CLK_SDMA>, ++ clocks = <&clks IMX6SX_CLK_IPG>, + <&clks IMX6SX_CLK_SDMA>; + clock-names = "ipg", "ahb"; + #dma-cells = <3>; +-- +2.20.1 + diff --git a/queue-4.9/arm-dts-imx6ul-specify-imx6ul_clk_ipg-as-ipg-clock-t.patch b/queue-4.9/arm-dts-imx6ul-specify-imx6ul_clk_ipg-as-ipg-clock-t.patch new file mode 100644 index 00000000000..f7faec1205f --- /dev/null +++ b/queue-4.9/arm-dts-imx6ul-specify-imx6ul_clk_ipg-as-ipg-clock-t.patch @@ -0,0 +1,45 @@ +From 5f00131bd25db111b2feec6c67b877c3f1829870 Mon Sep 17 00:00:00 2001 +From: Andrey Smirnov +Date: Thu, 28 Mar 2019 23:49:19 -0700 +Subject: ARM: dts: imx6ul: Specify IMX6UL_CLK_IPG as "ipg" clock to SDMA + +[ Upstream commit 7b3132ecefdd1fcdf6b86e62021d0e55ea8034db ] + +Since 25aaa75df1e6 SDMA driver uses clock rates of "ipg" and "ahb" +clock to determine if it needs to configure the IP block as operating +at 1:1 or 1:2 clock ratio (ACR bit in SDMAARM_CONFIG). Specifying both +clocks as IMX6UL_CLK_SDMA results in driver incorrectly thinking that +ratio is 1:1 which results in broken SDMA funtionality. Fix the code +to specify IMX6UL_CLK_IPG as "ipg" clock for SDMA, to avoid detecting +incorrect clock ratio. + +Signed-off-by: Andrey Smirnov +Cc: Angus Ainslie (Purism) +Cc: Chris Healy +Cc: Lucas Stach +Cc: Fabio Estevam +Cc: Shawn Guo +Cc: linux-arm-kernel@lists.infradead.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx6ul.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/imx6ul.dtsi b/arch/arm/boot/dts/imx6ul.dtsi +index c5c05fdccc78..7839300fe46b 100644 +--- a/arch/arm/boot/dts/imx6ul.dtsi ++++ b/arch/arm/boot/dts/imx6ul.dtsi +@@ -669,7 +669,7 @@ + "fsl,imx35-sdma"; + reg = <0x020ec000 0x4000>; + interrupts = ; +- clocks = <&clks IMX6UL_CLK_SDMA>, ++ clocks = <&clks IMX6UL_CLK_IPG>, + <&clks IMX6UL_CLK_SDMA>; + clock-names = "ipg", "ahb"; + #dma-cells = <3>; +-- +2.20.1 + diff --git a/queue-4.9/arm-dts-imx7d-specify-imx7d_clk_ipg-as-ipg-clock-to-.patch b/queue-4.9/arm-dts-imx7d-specify-imx7d_clk_ipg-as-ipg-clock-to-.patch new file mode 100644 index 00000000000..90d221d4d6a --- /dev/null +++ b/queue-4.9/arm-dts-imx7d-specify-imx7d_clk_ipg-as-ipg-clock-to-.patch @@ -0,0 +1,47 @@ +From 78abee9a2fac71a493f0ce64611feffaced075ab Mon Sep 17 00:00:00 2001 +From: Andrey Smirnov +Date: Thu, 28 Mar 2019 23:49:18 -0700 +Subject: ARM: dts: imx7d: Specify IMX7D_CLK_IPG as "ipg" clock to SDMA + +[ Upstream commit 412b032a1dc72fc9d1c258800355efa6671b6315 ] + +Since 25aaa75df1e6 SDMA driver uses clock rates of "ipg" and "ahb" +clock to determine if it needs to configure the IP block as operating +at 1:1 or 1:2 clock ratio (ACR bit in SDMAARM_CONFIG). Specifying both +clocks as IMX7D_CLK_SDMA results in driver incorrectly thinking that +ratio is 1:1 which results in broken SDMA funtionality. Fix the code +to specify IMX7D_CLK_IPG as "ipg" clock for SDMA, to avoid detecting +incorrect clock ratio. + +Signed-off-by: Andrey Smirnov +Cc: Angus Ainslie (Purism) +Cc: Chris Healy +Cc: Lucas Stach +Cc: Fabio Estevam +Cc: Shawn Guo +Cc: linux-arm-kernel@lists.infradead.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx7s.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm/boot/dts/imx7s.dtsi b/arch/arm/boot/dts/imx7s.dtsi +index 2b6cb05bc01a..edc5ddeb851a 100644 +--- a/arch/arm/boot/dts/imx7s.dtsi ++++ b/arch/arm/boot/dts/imx7s.dtsi +@@ -962,8 +962,8 @@ + compatible = "fsl,imx7d-sdma", "fsl,imx35-sdma"; + reg = <0x30bd0000 0x10000>; + interrupts = ; +- clocks = <&clks IMX7D_SDMA_CORE_CLK>, +- <&clks IMX7D_AHB_CHANNEL_ROOT_CLK>; ++ clocks = <&clks IMX7D_IPG_ROOT_CLK>, ++ <&clks IMX7D_SDMA_CORE_CLK>; + clock-names = "ipg", "ahb"; + #dma-cells = <3>; + fsl,sdma-ram-script-name = "imx/sdma/sdma-imx7d.bin"; +-- +2.20.1 + diff --git a/queue-4.9/arm-exynos-fix-undefined-instruction-during-exynos54.patch b/queue-4.9/arm-exynos-fix-undefined-instruction-during-exynos54.patch new file mode 100644 index 00000000000..249d77fbe66 --- /dev/null +++ b/queue-4.9/arm-exynos-fix-undefined-instruction-during-exynos54.patch @@ -0,0 +1,88 @@ +From a8771be5956aae0a8dfb287614a876b966bcf1d3 Mon Sep 17 00:00:00 2001 +From: Marek Szyprowski +Date: Mon, 18 Feb 2019 15:34:12 +0100 +Subject: ARM: exynos: Fix undefined instruction during Exynos5422 resume + +[ Upstream commit 4d8e3e951a856777720272ce27f2c738a3eeef8c ] + +During early system resume on Exynos5422 with performance counters enabled +the following kernel oops happens: + + Internal error: Oops - undefined instruction: 0 [#1] PREEMPT SMP ARM + Modules linked in: + CPU: 0 PID: 1433 Comm: bash Tainted: G W 5.0.0-rc5-next-20190208-00023-gd5fb5a8a13e6-dirty #5480 + Hardware name: SAMSUNG EXYNOS (Flattened Device Tree) + ... + Flags: nZCv IRQs off FIQs off Mode SVC_32 ISA ARM Segment none + Control: 10c5387d Table: 4451006a DAC: 00000051 + Process bash (pid: 1433, stack limit = 0xb7e0e22f) + ... + (reset_ctrl_regs) from [] (dbg_cpu_pm_notify+0x1c/0x24) + (dbg_cpu_pm_notify) from [] (notifier_call_chain+0x44/0x84) + (notifier_call_chain) from [] (__atomic_notifier_call_chain+0x7c/0x128) + (__atomic_notifier_call_chain) from [] (cpu_pm_notify+0x30/0x54) + (cpu_pm_notify) from [] (syscore_resume+0x98/0x3f4) + (syscore_resume) from [] (suspend_devices_and_enter+0x97c/0xe74) + (suspend_devices_and_enter) from [] (pm_suspend+0x770/0xc04) + (pm_suspend) from [] (state_store+0x6c/0xcc) + (state_store) from [] (kobj_attr_store+0x14/0x20) + (kobj_attr_store) from [] (sysfs_kf_write+0x4c/0x50) + (sysfs_kf_write) from [] (kernfs_fop_write+0xfc/0x1e0) + (kernfs_fop_write) from [] (__vfs_write+0x2c/0x160) + (__vfs_write) from [] (vfs_write+0xa4/0x16c) + (vfs_write) from [] (ksys_write+0x40/0x8c) + (ksys_write) from [] (ret_fast_syscall+0x0/0x28) + +Undefined instruction is triggered during CP14 reset, because bits: #16 +(Secure privileged invasive debug disabled) and #17 (Secure privileged +noninvasive debug disable) are set in DSCR. Those bits depend on SPNIDEN +and SPIDEN lines, which are provided by Secure JTAG hardware block. That +block in turn is powered from cluster 0 (big/Eagle), but the Exynos5422 +boots on cluster 1 (LITTLE/KFC). + +To fix this issue it is enough to turn on the power on the cluster 0 for +a while. This lets the Secure JTAG block to propagate the needed signals +to LITTLE/KFC cores and change their DSCR. + +Signed-off-by: Marek Szyprowski +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + arch/arm/mach-exynos/suspend.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +diff --git a/arch/arm/mach-exynos/suspend.c b/arch/arm/mach-exynos/suspend.c +index 81c935ce089b..b406c12077b9 100644 +--- a/arch/arm/mach-exynos/suspend.c ++++ b/arch/arm/mach-exynos/suspend.c +@@ -500,8 +500,27 @@ early_wakeup: + + static void exynos5420_prepare_pm_resume(void) + { ++ unsigned int mpidr, cluster; ++ ++ mpidr = read_cpuid_mpidr(); ++ cluster = MPIDR_AFFINITY_LEVEL(mpidr, 1); ++ + if (IS_ENABLED(CONFIG_EXYNOS5420_MCPM)) + WARN_ON(mcpm_cpu_powered_up()); ++ ++ if (IS_ENABLED(CONFIG_HW_PERF_EVENTS) && cluster != 0) { ++ /* ++ * When system is resumed on the LITTLE/KFC core (cluster 1), ++ * the DSCR is not properly updated until the power is turned ++ * on also for the cluster 0. Enable it for a while to ++ * propagate the SPNIDEN and SPIDEN signals from Secure JTAG ++ * block and avoid undefined instruction issue on CP14 reset. ++ */ ++ pmu_raw_writel(S5P_CORE_LOCAL_PWR_EN, ++ EXYNOS_COMMON_CONFIGURATION(0)); ++ pmu_raw_writel(0, ++ EXYNOS_COMMON_CONFIGURATION(0)); ++ } + } + + static void exynos5420_pm_resume(void) +-- +2.20.1 + diff --git a/queue-4.9/arm-prevent-tracing-ipi_cpu_backtrace.patch b/queue-4.9/arm-prevent-tracing-ipi_cpu_backtrace.patch new file mode 100644 index 00000000000..74f1025b088 --- /dev/null +++ b/queue-4.9/arm-prevent-tracing-ipi_cpu_backtrace.patch @@ -0,0 +1,106 @@ +From a53c84200d253de48122d34d4d6b94bccd64c3cb Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Tue, 14 May 2019 15:41:48 -0700 +Subject: ARM: prevent tracing IPI_CPU_BACKTRACE + +[ Upstream commit be167862ae7dd85c56d385209a4890678e1b0488 ] + +Patch series "compiler: allow all arches to enable +CONFIG_OPTIMIZE_INLINING", v3. + +This patch (of 11): + +When function tracing for IPIs is enabled, we get a warning for an +overflow of the ipi_types array with the IPI_CPU_BACKTRACE type as +triggered by raise_nmi(): + + arch/arm/kernel/smp.c: In function 'raise_nmi': + arch/arm/kernel/smp.c:489:2: error: array subscript is above array bounds [-Werror=array-bounds] + trace_ipi_raise(target, ipi_types[ipinr]); + +This is a correct warning as we actually overflow the array here. + +This patch raise_nmi() to call __smp_cross_call() instead of +smp_cross_call(), to avoid calling into ftrace. For clarification, I'm +also adding a two new code comments describing how this one is special. + +The warning appears to have shown up after commit e7273ff49acf ("ARM: +8488/1: Make IPI_CPU_BACKTRACE a "non-secure" SGI"), which changed the +number assignment from '15' to '8', but as far as I can tell has existed +since the IPI tracepoints were first introduced. If we decide to +backport this patch to stable kernels, we probably need to backport +e7273ff49acf as well. + +[yamada.masahiro@socionext.com: rebase on v5.1-rc1] +Link: http://lkml.kernel.org/r/20190423034959.13525-2-yamada.masahiro@socionext.com +Fixes: e7273ff49acf ("ARM: 8488/1: Make IPI_CPU_BACKTRACE a "non-secure" SGI") +Fixes: 365ec7b17327 ("ARM: add IPI tracepoints") # v3.17 +Signed-off-by: Arnd Bergmann +Signed-off-by: Masahiro Yamada +Cc: Heiko Carstens +Cc: Arnd Bergmann +Cc: Ingo Molnar +Cc: Christophe Leroy +Cc: Mathieu Malaterre +Cc: "H. Peter Anvin" +Cc: Thomas Gleixner +Cc: Benjamin Herrenschmidt +Cc: Paul Mackerras +Cc: Ralf Baechle +Cc: Stefan Agner +Cc: Boris Brezillon +Cc: Miquel Raynal +Cc: Richard Weinberger +Cc: David Woodhouse +Cc: Brian Norris +Cc: Marek Vasut +Cc: Russell King +Cc: Borislav Petkov +Cc: Mark Rutland +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + arch/arm/include/asm/hardirq.h | 1 + + arch/arm/kernel/smp.c | 6 +++++- + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/arch/arm/include/asm/hardirq.h b/arch/arm/include/asm/hardirq.h +index 3d7351c844aa..2fd0a2619b0b 100644 +--- a/arch/arm/include/asm/hardirq.h ++++ b/arch/arm/include/asm/hardirq.h +@@ -5,6 +5,7 @@ + #include + #include + ++/* number of IPIS _not_ including IPI_CPU_BACKTRACE */ + #define NR_IPI 7 + + typedef struct { +diff --git a/arch/arm/kernel/smp.c b/arch/arm/kernel/smp.c +index 7a5dc011c523..deea60f01d24 100644 +--- a/arch/arm/kernel/smp.c ++++ b/arch/arm/kernel/smp.c +@@ -75,6 +75,10 @@ enum ipi_msg_type { + IPI_CPU_STOP, + IPI_IRQ_WORK, + IPI_COMPLETION, ++ /* ++ * CPU_BACKTRACE is special and not included in NR_IPI ++ * or tracable with trace_ipi_* ++ */ + IPI_CPU_BACKTRACE, + /* + * SGI8-15 can be reserved by secure firmware, and thus may +@@ -801,7 +805,7 @@ core_initcall(register_cpufreq_notifier); + + static void raise_nmi(cpumask_t *mask) + { +- smp_cross_call(mask, IPI_CPU_BACKTRACE); ++ __smp_cross_call(mask, IPI_CPU_BACKTRACE); + } + + void arch_trigger_cpumask_backtrace(const cpumask_t *mask, bool exclude_self) +-- +2.20.1 + diff --git a/queue-4.9/clk-rockchip-turn-on-aclk_dmac1-for-suspend-on-rk328.patch b/queue-4.9/clk-rockchip-turn-on-aclk_dmac1-for-suspend-on-rk328.patch new file mode 100644 index 00000000000..5910780bab7 --- /dev/null +++ b/queue-4.9/clk-rockchip-turn-on-aclk_dmac1-for-suspend-on-rk328.patch @@ -0,0 +1,89 @@ +From 34b4e04baf100ea5be7d9bff05c49f3059c98283 Mon Sep 17 00:00:00 2001 +From: Douglas Anderson +Date: Thu, 11 Apr 2019 16:21:53 -0700 +Subject: clk: rockchip: Turn on "aclk_dmac1" for suspend on rk3288 + +[ Upstream commit 57a20248ef3e429dc822f0774bc4e00136c46c83 ] + +Experimentally it can be seen that going into deep sleep (specifically +setting PMU_CLR_DMA and PMU_CLR_BUS in RK3288_PMU_PWRMODE_CON1) +appears to fail unless "aclk_dmac1" is on. The failure is that the +system never signals that it made it into suspend on the GLOBAL_PWROFF +pin and it just hangs. + +NOTE that it's confirmed that it's the actual suspend that fails, not +one of the earlier calls to read/write registers. Specifically if you +comment out the "PMU_GLOBAL_INT_DISABLE" setting in +rk3288_slp_mode_set() and then comment out the "cpu_do_idle()" call in +rockchip_lpmode_enter() then you can exercise the whole suspend path +without any crashing. + +This is currently not a problem with suspend upstream because there is +no current way to exercise the deep suspend code. However, anyone +trying to make it work will run into this issue. + +This was not a problem on shipping rk3288-based Chromebooks because +those devices all ran on an old kernel based on 3.14. On that kernel +"aclk_dmac1" appears to be left on all the time. + +There are several ways to skin this problem. + +A) We could add "aclk_dmac1" to the list of critical clocks and that +apperas to work, but presumably that wastes power. + +B) We could keep a list of "struct clk" objects to enable at suspend +time in clk-rk3288.c and use the standard clock APIs. + +C) We could make the rk3288-pmu driver keep a list of clocks to enable +at suspend time. Presumably this would require a dts and bindings +change. + +D) We could just whack the clock on in the existing syscore suspend +function where we whack a bunch of other clocks. This is particularly +easy because we know for sure that the clock's only parent +("aclk_cpu") is a critical clock so we don't need to do anything more +than ungate it. + +In this case I have chosen D) because it seemed like the least work, +but any of the other options would presumably also work fine. + +Signed-off-by: Douglas Anderson +Reviewed-by: Elaine Zhang +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + drivers/clk/rockchip/clk-rk3288.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/drivers/clk/rockchip/clk-rk3288.c b/drivers/clk/rockchip/clk-rk3288.c +index 39af05a589b3..32b130c53ff9 100644 +--- a/drivers/clk/rockchip/clk-rk3288.c ++++ b/drivers/clk/rockchip/clk-rk3288.c +@@ -826,6 +826,9 @@ static const int rk3288_saved_cru_reg_ids[] = { + RK3288_CLKSEL_CON(10), + RK3288_CLKSEL_CON(33), + RK3288_CLKSEL_CON(37), ++ ++ /* We turn aclk_dmac1 on for suspend; this will restore it */ ++ RK3288_CLKGATE_CON(10), + }; + + static u32 rk3288_saved_cru_regs[ARRAY_SIZE(rk3288_saved_cru_reg_ids)]; +@@ -841,6 +844,14 @@ static int rk3288_clk_suspend(void) + readl_relaxed(rk3288_cru_base + reg_id); + } + ++ /* ++ * Going into deep sleep (specifically setting PMU_CLR_DMA in ++ * RK3288_PMU_PWRMODE_CON1) appears to fail unless ++ * "aclk_dmac1" is on. ++ */ ++ writel_relaxed(1 << (12 + 16), ++ rk3288_cru_base + RK3288_CLKGATE_CON(10)); ++ + /* + * Switch PLLs other than DPLL (for SDRAM) to slow mode to + * avoid crashes on resume. The Mask ROM on the system will +-- +2.20.1 + diff --git a/queue-4.9/configfs-fix-possible-use-after-free-in-configfs_reg.patch b/queue-4.9/configfs-fix-possible-use-after-free-in-configfs_reg.patch new file mode 100644 index 00000000000..7f8a26cc9dd --- /dev/null +++ b/queue-4.9/configfs-fix-possible-use-after-free-in-configfs_reg.patch @@ -0,0 +1,135 @@ +From 3ab266b055ca16ebcabe8c5644424d720998e2cd Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Sun, 5 May 2019 11:03:12 +0800 +Subject: configfs: fix possible use-after-free in configfs_register_group + +[ Upstream commit 35399f87e271f7cf3048eab00a421a6519ac8441 ] + +In configfs_register_group(), if create_default_group() failed, we +forget to unlink the group. It will left a invalid item in the parent list, +which may trigger the use-after-free issue seen below: + +BUG: KASAN: use-after-free in __list_add_valid+0xd4/0xe0 lib/list_debug.c:26 +Read of size 8 at addr ffff8881ef61ae20 by task syz-executor.0/5996 + +CPU: 1 PID: 5996 Comm: syz-executor.0 Tainted: G C 5.0.0+ #5 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0xa9/0x10e lib/dump_stack.c:113 + print_address_description+0x65/0x270 mm/kasan/report.c:187 + kasan_report+0x149/0x18d mm/kasan/report.c:317 + __list_add_valid+0xd4/0xe0 lib/list_debug.c:26 + __list_add include/linux/list.h:60 [inline] + list_add_tail include/linux/list.h:93 [inline] + link_obj+0xb0/0x190 fs/configfs/dir.c:759 + link_group+0x1c/0x130 fs/configfs/dir.c:784 + configfs_register_group+0x56/0x1e0 fs/configfs/dir.c:1751 + configfs_register_default_group+0x72/0xc0 fs/configfs/dir.c:1834 + ? 0xffffffffc1be0000 + iio_sw_trigger_init+0x23/0x1000 [industrialio_sw_trigger] + do_one_initcall+0xbc/0x47d init/main.c:887 + do_init_module+0x1b5/0x547 kernel/module.c:3456 + load_module+0x6405/0x8c10 kernel/module.c:3804 + __do_sys_finit_module+0x162/0x190 kernel/module.c:3898 + do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x462e99 +Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f494ecbcc58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 +RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99 +RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000003 +RBP: 00007f494ecbcc70 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00007f494ecbd6bc +R13: 00000000004bcefa R14: 00000000006f6fb0 R15: 0000000000000004 + +Allocated by task 5987: + set_track mm/kasan/common.c:87 [inline] + __kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:497 + kmalloc include/linux/slab.h:545 [inline] + kzalloc include/linux/slab.h:740 [inline] + configfs_register_default_group+0x4c/0xc0 fs/configfs/dir.c:1829 + 0xffffffffc1bd0023 + do_one_initcall+0xbc/0x47d init/main.c:887 + do_init_module+0x1b5/0x547 kernel/module.c:3456 + load_module+0x6405/0x8c10 kernel/module.c:3804 + __do_sys_finit_module+0x162/0x190 kernel/module.c:3898 + do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Freed by task 5987: + set_track mm/kasan/common.c:87 [inline] + __kasan_slab_free+0x130/0x180 mm/kasan/common.c:459 + slab_free_hook mm/slub.c:1429 [inline] + slab_free_freelist_hook mm/slub.c:1456 [inline] + slab_free mm/slub.c:3003 [inline] + kfree+0xe1/0x270 mm/slub.c:3955 + configfs_register_default_group+0x9a/0xc0 fs/configfs/dir.c:1836 + 0xffffffffc1bd0023 + do_one_initcall+0xbc/0x47d init/main.c:887 + do_init_module+0x1b5/0x547 kernel/module.c:3456 + load_module+0x6405/0x8c10 kernel/module.c:3804 + __do_sys_finit_module+0x162/0x190 kernel/module.c:3898 + do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +The buggy address belongs to the object at ffff8881ef61ae00 + which belongs to the cache kmalloc-192 of size 192 +The buggy address is located 32 bytes inside of + 192-byte region [ffff8881ef61ae00, ffff8881ef61aec0) +The buggy address belongs to the page: +page:ffffea0007bd8680 count:1 mapcount:0 mapping:ffff8881f6c03000 index:0xffff8881ef61a700 +flags: 0x2fffc0000000200(slab) +raw: 02fffc0000000200 ffffea0007ca4740 0000000500000005 ffff8881f6c03000 +raw: ffff8881ef61a700 000000008010000c 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff8881ef61ad00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + ffff8881ef61ad80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc +>ffff8881ef61ae00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff8881ef61ae80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc + ffff8881ef61af00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + +Fixes: 5cf6a51e6062 ("configfs: allow dynamic group creation") +Reported-by: Hulk Robot +Signed-off-by: YueHaibing +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + fs/configfs/dir.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +diff --git a/fs/configfs/dir.c b/fs/configfs/dir.c +index d2a1a79fa324..d7955dc56737 100644 +--- a/fs/configfs/dir.c ++++ b/fs/configfs/dir.c +@@ -1755,12 +1755,19 @@ int configfs_register_group(struct config_group *parent_group, + + inode_lock_nested(d_inode(parent), I_MUTEX_PARENT); + ret = create_default_group(parent_group, group); +- if (!ret) { +- spin_lock(&configfs_dirent_lock); +- configfs_dir_set_ready(group->cg_item.ci_dentry->d_fsdata); +- spin_unlock(&configfs_dirent_lock); +- } ++ if (ret) ++ goto err_out; ++ ++ spin_lock(&configfs_dirent_lock); ++ configfs_dir_set_ready(group->cg_item.ci_dentry->d_fsdata); ++ spin_unlock(&configfs_dirent_lock); ++ inode_unlock(d_inode(parent)); ++ return 0; ++err_out: + inode_unlock(d_inode(parent)); ++ mutex_lock(&subsys->su_mutex); ++ unlink_group(group); ++ mutex_unlock(&subsys->su_mutex); + return ret; + } + EXPORT_SYMBOL(configfs_register_group); +-- +2.20.1 + diff --git a/queue-4.9/dmaengine-idma64-use-actual-device-for-dma-transfers.patch b/queue-4.9/dmaengine-idma64-use-actual-device-for-dma-transfers.patch new file mode 100644 index 00000000000..82bce14dbdd --- /dev/null +++ b/queue-4.9/dmaengine-idma64-use-actual-device-for-dma-transfers.patch @@ -0,0 +1,131 @@ +From 83d6b450e7592bed1bbabf6066ca4268e53c4023 Mon Sep 17 00:00:00 2001 +From: Andy Shevchenko +Date: Mon, 18 Mar 2019 18:39:30 +0300 +Subject: dmaengine: idma64: Use actual device for DMA transfers + +[ Upstream commit 5ba846b1ee0792f5a596b9b0b86d6e8cdebfab06 ] + +Intel IOMMU, when enabled, tries to find the domain of the device, +assuming it's a PCI one, during DMA operations, such as mapping or +unmapping. Since we are splitting the actual PCI device to couple of +children via MFD framework (see drivers/mfd/intel-lpss.c for details), +the DMA device appears to be a platform one, and thus not an actual one +that performs DMA. In a such situation IOMMU can't find or allocate +a proper domain for its operations. As a result, all DMA operations are +failed. + +In order to fix this, supply parent of the platform device +to the DMA engine framework and fix filter functions accordingly. + +We may rely on the fact that parent is a real PCI device, because no +other configuration is present in the wild. + +Signed-off-by: Andy Shevchenko +Acked-by: Mark Brown +Acked-by: Greg Kroah-Hartman [for tty parts] +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/idma64.c | 6 ++++-- + drivers/dma/idma64.h | 2 ++ + drivers/spi/spi-pxa2xx.c | 7 +------ + drivers/tty/serial/8250/8250_dw.c | 4 ++-- + 4 files changed, 9 insertions(+), 10 deletions(-) + +diff --git a/drivers/dma/idma64.c b/drivers/dma/idma64.c +index 1953e57505f4..f17a4c7a1781 100644 +--- a/drivers/dma/idma64.c ++++ b/drivers/dma/idma64.c +@@ -589,7 +589,7 @@ static int idma64_probe(struct idma64_chip *chip) + idma64->dma.directions = BIT(DMA_DEV_TO_MEM) | BIT(DMA_MEM_TO_DEV); + idma64->dma.residue_granularity = DMA_RESIDUE_GRANULARITY_BURST; + +- idma64->dma.dev = chip->dev; ++ idma64->dma.dev = chip->sysdev; + + dma_set_max_seg_size(idma64->dma.dev, IDMA64C_CTLH_BLOCK_TS_MASK); + +@@ -629,6 +629,7 @@ static int idma64_platform_probe(struct platform_device *pdev) + { + struct idma64_chip *chip; + struct device *dev = &pdev->dev; ++ struct device *sysdev = dev->parent; + struct resource *mem; + int ret; + +@@ -645,11 +646,12 @@ static int idma64_platform_probe(struct platform_device *pdev) + if (IS_ERR(chip->regs)) + return PTR_ERR(chip->regs); + +- ret = dma_coerce_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(64)); ++ ret = dma_coerce_mask_and_coherent(sysdev, DMA_BIT_MASK(64)); + if (ret) + return ret; + + chip->dev = dev; ++ chip->sysdev = sysdev; + + ret = idma64_probe(chip); + if (ret) +diff --git a/drivers/dma/idma64.h b/drivers/dma/idma64.h +index 6b816878e5e7..baa32e1425de 100644 +--- a/drivers/dma/idma64.h ++++ b/drivers/dma/idma64.h +@@ -216,12 +216,14 @@ static inline void idma64_writel(struct idma64 *idma64, int offset, u32 value) + /** + * struct idma64_chip - representation of iDMA 64-bit controller hardware + * @dev: struct device of the DMA controller ++ * @sysdev: struct device of the physical device that does DMA + * @irq: irq line + * @regs: memory mapped I/O space + * @idma64: struct idma64 that is filed by idma64_probe() + */ + struct idma64_chip { + struct device *dev; ++ struct device *sysdev; + int irq; + void __iomem *regs; + struct idma64 *idma64; +diff --git a/drivers/spi/spi-pxa2xx.c b/drivers/spi/spi-pxa2xx.c +index 8b618f0fa459..6dd195b94c57 100644 +--- a/drivers/spi/spi-pxa2xx.c ++++ b/drivers/spi/spi-pxa2xx.c +@@ -1475,12 +1475,7 @@ static const struct pci_device_id pxa2xx_spi_pci_compound_match[] = { + + static bool pxa2xx_spi_idma_filter(struct dma_chan *chan, void *param) + { +- struct device *dev = param; +- +- if (dev != chan->device->dev->parent) +- return false; +- +- return true; ++ return param == chan->device->dev; + } + + static struct pxa2xx_spi_master * +diff --git a/drivers/tty/serial/8250/8250_dw.c b/drivers/tty/serial/8250/8250_dw.c +index 3177264a1166..22d65a33059e 100644 +--- a/drivers/tty/serial/8250/8250_dw.c ++++ b/drivers/tty/serial/8250/8250_dw.c +@@ -269,7 +269,7 @@ static bool dw8250_fallback_dma_filter(struct dma_chan *chan, void *param) + + static bool dw8250_idma_filter(struct dma_chan *chan, void *param) + { +- return param == chan->device->dev->parent; ++ return param == chan->device->dev; + } + + static void dw8250_quirks(struct uart_port *p, struct dw8250_data *data) +@@ -311,7 +311,7 @@ static void dw8250_quirks(struct uart_port *p, struct dw8250_data *data) + p->set_termios = dw8250_set_termios; + } + +- /* Platforms with iDMA */ ++ /* Platforms with iDMA 64-bit */ + if (platform_get_resource_byname(to_platform_device(p->dev), + IORESOURCE_MEM, "lpss_priv")) { + p->set_termios = dw8250_set_termios; +-- +2.20.1 + diff --git a/queue-4.9/drivers-thermal-tsens-don-t-print-error-message-on-e.patch b/queue-4.9/drivers-thermal-tsens-don-t-print-error-message-on-e.patch new file mode 100644 index 00000000000..23da7f3d63b --- /dev/null +++ b/queue-4.9/drivers-thermal-tsens-don-t-print-error-message-on-e.patch @@ -0,0 +1,41 @@ +From 8e59ad1f64e61240207ba103960929aa699fe876 Mon Sep 17 00:00:00 2001 +From: Amit Kucheria +Date: Wed, 20 Mar 2019 18:47:52 +0530 +Subject: drivers: thermal: tsens: Don't print error message on -EPROBE_DEFER + +[ Upstream commit fc7d18cf6a923cde7f5e7ba2c1105bb106d3e29a ] + +We print a calibration failure message on -EPROBE_DEFER from +nvmem/qfprom as follows: +[ 3.003090] qcom-tsens 4a9000.thermal-sensor: version: 1.4 +[ 3.005376] qcom-tsens 4a9000.thermal-sensor: tsens calibration failed +[ 3.113248] qcom-tsens 4a9000.thermal-sensor: version: 1.4 + +This confuses people when, in fact, calibration succeeds later when +nvmem/qfprom device is available. Don't print this message on a +-EPROBE_DEFER. + +Signed-off-by: Amit Kucheria +Signed-off-by: Eduardo Valentin +Signed-off-by: Sasha Levin +--- + drivers/thermal/qcom/tsens.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/thermal/qcom/tsens.c b/drivers/thermal/qcom/tsens.c +index 3f9fe6aa51cc..ebbe1ec7b9e8 100644 +--- a/drivers/thermal/qcom/tsens.c ++++ b/drivers/thermal/qcom/tsens.c +@@ -162,7 +162,8 @@ static int tsens_probe(struct platform_device *pdev) + if (tmdev->ops->calibrate) { + ret = tmdev->ops->calibrate(tmdev); + if (ret < 0) { +- dev_err(dev, "tsens calibration failed\n"); ++ if (ret != -EPROBE_DEFER) ++ dev_err(dev, "tsens calibration failed\n"); + return ret; + } + } +-- +2.20.1 + diff --git a/queue-4.9/drm-bridge-adv7511-fix-low-refresh-rate-selection.patch b/queue-4.9/drm-bridge-adv7511-fix-low-refresh-rate-selection.patch new file mode 100644 index 00000000000..f4ade69c44c --- /dev/null +++ b/queue-4.9/drm-bridge-adv7511-fix-low-refresh-rate-selection.patch @@ -0,0 +1,49 @@ +From 338758b28a27bdc4bf446b10dca953f0e4380a38 Mon Sep 17 00:00:00 2001 +From: Matt Redfearn +Date: Wed, 24 Apr 2019 13:22:27 +0000 +Subject: drm/bridge: adv7511: Fix low refresh rate selection + +[ Upstream commit 67793bd3b3948dc8c8384b6430e036a30a0ecb43 ] + +The driver currently sets register 0xfb (Low Refresh Rate) based on the +value of mode->vrefresh. Firstly, this field is specified to be in Hz, +but the magic numbers used by the code are Hz * 1000. This essentially +leads to the low refresh rate always being set to 0x01, since the +vrefresh value will always be less than 24000. Fix the magic numbers to +be in Hz. +Secondly, according to the comment in drm_modes.h, the field is not +supposed to be used in a functional way anyway. Instead, use the helper +function drm_mode_vrefresh(). + +Fixes: 9c8af882bf12 ("drm: Add adv7511 encoder driver") +Reviewed-by: Laurent Pinchart +Signed-off-by: Matt Redfearn +Signed-off-by: Sean Paul +Link: https://patchwork.freedesktop.org/patch/msgid/20190424132210.26338-1-matt.redfearn@thinci.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/adv7511/adv7511_drv.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c +index 32ab5c32834b..1b2fae915ecc 100644 +--- a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c ++++ b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c +@@ -735,11 +735,11 @@ static void adv7511_mode_set(struct adv7511 *adv7511, + vsync_polarity = 1; + } + +- if (mode->vrefresh <= 24000) ++ if (drm_mode_vrefresh(mode) <= 24) + low_refresh_rate = ADV7511_LOW_REFRESH_RATE_24HZ; +- else if (mode->vrefresh <= 25000) ++ else if (drm_mode_vrefresh(mode) <= 25) + low_refresh_rate = ADV7511_LOW_REFRESH_RATE_25HZ; +- else if (mode->vrefresh <= 30000) ++ else if (drm_mode_vrefresh(mode) <= 30) + low_refresh_rate = ADV7511_LOW_REFRESH_RATE_30HZ; + else + low_refresh_rate = ADV7511_LOW_REFRESH_RATE_NONE; +-- +2.20.1 + diff --git a/queue-4.9/f2fs-fix-to-avoid-panic-in-do_recover_data.patch b/queue-4.9/f2fs-fix-to-avoid-panic-in-do_recover_data.patch new file mode 100644 index 00000000000..941fa18cd52 --- /dev/null +++ b/queue-4.9/f2fs-fix-to-avoid-panic-in-do_recover_data.patch @@ -0,0 +1,78 @@ +From c597dd5028b428972f47cc28041ed45cd9dcf1a0 Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Mon, 15 Apr 2019 15:28:37 +0800 +Subject: f2fs: fix to avoid panic in do_recover_data() + +[ Upstream commit 22d61e286e2d9097dae36f75ed48801056b77cac ] + +As Jungyeon reported in bugzilla: + +https://bugzilla.kernel.org/show_bug.cgi?id=203227 + +- Overview +When mounting the attached crafted image, following errors are reported. +Additionally, it hangs on sync after trying to mount it. + +The image is intentionally fuzzed from a normal f2fs image for testing. +Compile options for F2FS are as follows. +CONFIG_F2FS_FS=y +CONFIG_F2FS_STAT_FS=y +CONFIG_F2FS_FS_XATTR=y +CONFIG_F2FS_FS_POSIX_ACL=y +CONFIG_F2FS_CHECK_FS=y + +- Reproduces +mkdir test +mount -t f2fs tmp.img test +sync + +- Messages + kernel BUG at fs/f2fs/recovery.c:549! + RIP: 0010:recover_data+0x167a/0x1780 + Call Trace: + f2fs_recover_fsync_data+0x613/0x710 + f2fs_fill_super+0x1043/0x1aa0 + mount_bdev+0x16d/0x1a0 + mount_fs+0x4a/0x170 + vfs_kern_mount+0x5d/0x100 + do_mount+0x200/0xcf0 + ksys_mount+0x79/0xc0 + __x64_sys_mount+0x1c/0x20 + do_syscall_64+0x43/0xf0 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +During recovery, if ofs_of_node is inconsistent in between recovered +node page and original checkpointed node page, let's just fail recovery +instead of making kernel panic. + +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/recovery.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/fs/f2fs/recovery.c b/fs/f2fs/recovery.c +index e59eeaf02eaa..9de1480a86bd 100644 +--- a/fs/f2fs/recovery.c ++++ b/fs/f2fs/recovery.c +@@ -407,7 +407,15 @@ retry_dn: + + get_node_info(sbi, dn.nid, &ni); + f2fs_bug_on(sbi, ni.ino != ino_of_node(page)); +- f2fs_bug_on(sbi, ofs_of_node(dn.node_page) != ofs_of_node(page)); ++ ++ if (ofs_of_node(dn.node_page) != ofs_of_node(page)) { ++ f2fs_msg(sbi->sb, KERN_WARNING, ++ "Inconsistent ofs_of_node, ino:%lu, ofs:%u, %u", ++ inode->i_ino, ofs_of_node(dn.node_page), ++ ofs_of_node(page)); ++ err = -EFAULT; ++ goto err; ++ } + + for (; start < end; start++, dn.ofs_in_node++) { + block_t src, dest; +-- +2.20.1 + diff --git a/queue-4.9/f2fs-fix-to-clear-dirty-inode-in-error-path-of-f2fs_.patch b/queue-4.9/f2fs-fix-to-clear-dirty-inode-in-error-path-of-f2fs_.patch new file mode 100644 index 00000000000..325179ba2d2 --- /dev/null +++ b/queue-4.9/f2fs-fix-to-clear-dirty-inode-in-error-path-of-f2fs_.patch @@ -0,0 +1,69 @@ +From a29afd78ec6a338108f0af9ce14481e454ed2ac6 Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Mon, 15 Apr 2019 15:28:33 +0800 +Subject: f2fs: fix to clear dirty inode in error path of f2fs_iget() + +[ Upstream commit 546d22f070d64a7b96f57c93333772085d3a5e6d ] + +As Jungyeon reported in bugzilla: + +https://bugzilla.kernel.org/show_bug.cgi?id=203217 + +- Overview +When mounting the attached crafted image and running program, I got this error. +Additionally, it hangs on sync after running the program. + +The image is intentionally fuzzed from a normal f2fs image for testing and I enabled option CONFIG_F2FS_CHECK_FS on. + +- Reproduces +cc poc_test_05.c +mkdir test +mount -t f2fs tmp.img test +sudo ./a.out +sync + +- Messages + kernel BUG at fs/f2fs/inode.c:707! + RIP: 0010:f2fs_evict_inode+0x33f/0x3a0 + Call Trace: + evict+0xba/0x180 + f2fs_iget+0x598/0xdf0 + f2fs_lookup+0x136/0x320 + __lookup_slow+0x92/0x140 + lookup_slow+0x30/0x50 + walk_component+0x1c1/0x350 + path_lookupat+0x62/0x200 + filename_lookup+0xb3/0x1a0 + do_readlinkat+0x56/0x110 + __x64_sys_readlink+0x16/0x20 + do_syscall_64+0x43/0xf0 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +During inode loading, __recover_inline_status() can recovery inode status +and set inode dirty, once we failed in following process, it will fail +the check in f2fs_evict_inode, result in trigger BUG_ON(). + +Let's clear dirty inode in error path of f2fs_iget() to avoid panic. + +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/inode.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c +index 1de02c31756b..c56d04ec45dc 100644 +--- a/fs/f2fs/inode.c ++++ b/fs/f2fs/inode.c +@@ -288,6 +288,7 @@ make_now: + return inode; + + bad_inode: ++ f2fs_inode_synced(inode); + iget_failed(inode); + trace_f2fs_iget_exit(inode, ret); + return ERR_PTR(ret); +-- +2.20.1 + diff --git a/queue-4.9/f2fs-fix-to-do-sanity-check-on-valid-block-count-of-.patch b/queue-4.9/f2fs-fix-to-do-sanity-check-on-valid-block-count-of-.patch new file mode 100644 index 00000000000..bdfef1956cb --- /dev/null +++ b/queue-4.9/f2fs-fix-to-do-sanity-check-on-valid-block-count-of-.patch @@ -0,0 +1,93 @@ +From a623478dc7f1e90a67118dbcc58e9aedae48d68f Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Mon, 15 Apr 2019 15:30:51 +0800 +Subject: f2fs: fix to do sanity check on valid block count of segment + +[ Upstream commit e95bcdb2fefa129f37bd9035af1d234ca92ee4ef ] + +As Jungyeon reported in bugzilla: + +https://bugzilla.kernel.org/show_bug.cgi?id=203233 + +- Overview +When mounting the attached crafted image and running program, following errors are reported. +Additionally, it hangs on sync after running program. + +The image is intentionally fuzzed from a normal f2fs image for testing. +Compile options for F2FS are as follows. +CONFIG_F2FS_FS=y +CONFIG_F2FS_STAT_FS=y +CONFIG_F2FS_FS_XATTR=y +CONFIG_F2FS_FS_POSIX_ACL=y +CONFIG_F2FS_CHECK_FS=y + +- Reproduces +cc poc_13.c +mkdir test +mount -t f2fs tmp.img test +cp a.out test +cd test +sudo ./a.out +sync + +- Kernel messages + F2FS-fs (sdb): Bitmap was wrongly set, blk:4608 + kernel BUG at fs/f2fs/segment.c:2102! + RIP: 0010:update_sit_entry+0x394/0x410 + Call Trace: + f2fs_allocate_data_block+0x16f/0x660 + do_write_page+0x62/0x170 + f2fs_do_write_node_page+0x33/0xa0 + __write_node_page+0x270/0x4e0 + f2fs_sync_node_pages+0x5df/0x670 + f2fs_write_checkpoint+0x372/0x1400 + f2fs_sync_fs+0xa3/0x130 + f2fs_do_sync_file+0x1a6/0x810 + do_fsync+0x33/0x60 + __x64_sys_fsync+0xb/0x10 + do_syscall_64+0x43/0xf0 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +sit.vblocks and sum valid block count in sit.valid_map may be +inconsistent, segment w/ zero vblocks will be treated as free +segment, while allocating in free segment, we may allocate a +free block, if its bitmap is valid previously, it can cause +kernel crash due to bitmap verification failure. + +Anyway, to avoid further serious metadata inconsistence and +corruption, it is necessary and worth to detect SIT +inconsistence. So let's enable check_block_count() to verify +vblocks and valid_map all the time rather than do it only +CONFIG_F2FS_CHECK_FS is enabled. + +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/segment.h | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/fs/f2fs/segment.h b/fs/f2fs/segment.h +index 893723978f5e..faca7fdb54b0 100644 +--- a/fs/f2fs/segment.h ++++ b/fs/f2fs/segment.h +@@ -613,7 +613,6 @@ static inline void verify_block_addr(struct f2fs_io_info *fio, block_t blk_addr) + static inline int check_block_count(struct f2fs_sb_info *sbi, + int segno, struct f2fs_sit_entry *raw_sit) + { +-#ifdef CONFIG_F2FS_CHECK_FS + bool is_valid = test_bit_le(0, raw_sit->valid_map) ? true : false; + int valid_blocks = 0; + int cur_pos = 0, next_pos; +@@ -640,7 +639,7 @@ static inline int check_block_count(struct f2fs_sb_info *sbi, + set_sbi_flag(sbi, SBI_NEED_FSCK); + return -EINVAL; + } +-#endif ++ + /* check segment usage, and check boundary of a given segment number */ + if (unlikely(GET_SIT_VBLOCKS(raw_sit) > sbi->blocks_per_seg + || segno > TOTAL_SEGS(sbi) - 1)) { +-- +2.20.1 + diff --git a/queue-4.9/fs-fat-file.c-issue-flush-after-the-writeback-of-fat.patch b/queue-4.9/fs-fat-file.c-issue-flush-after-the-writeback-of-fat.patch new file mode 100644 index 00000000000..7e2942476c3 --- /dev/null +++ b/queue-4.9/fs-fat-file.c-issue-flush-after-the-writeback-of-fat.patch @@ -0,0 +1,54 @@ +From 48b8b4d4b0fd99306863f120fee3057d40c52d0f Mon Sep 17 00:00:00 2001 +From: Hou Tao +Date: Tue, 14 May 2019 15:44:32 -0700 +Subject: fs/fat/file.c: issue flush after the writeback of FAT + +[ Upstream commit bd8309de0d60838eef6fb575b0c4c7e95841cf73 ] + +fsync() needs to make sure the data & meta-data of file are persistent +after the return of fsync(), even when a power-failure occurs later. In +the case of fat-fs, the FAT belongs to the meta-data of file, so we need +to issue a flush after the writeback of FAT instead before. + +Also bail out early when any stage of fsync fails. + +Link: http://lkml.kernel.org/r/20190409030158.136316-1-houtao1@huawei.com +Signed-off-by: Hou Tao +Acked-by: OGAWA Hirofumi +Cc: Al Viro +Cc: Jan Kara +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/fat/file.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/fs/fat/file.c b/fs/fat/file.c +index 3d04b124bce0..392ec5641f38 100644 +--- a/fs/fat/file.c ++++ b/fs/fat/file.c +@@ -160,12 +160,17 @@ static int fat_file_release(struct inode *inode, struct file *filp) + int fat_file_fsync(struct file *filp, loff_t start, loff_t end, int datasync) + { + struct inode *inode = filp->f_mapping->host; +- int res, err; ++ int err; ++ ++ err = __generic_file_fsync(filp, start, end, datasync); ++ if (err) ++ return err; + +- res = generic_file_fsync(filp, start, end, datasync); + err = sync_mapping_buffers(MSDOS_SB(inode->i_sb)->fat_inode->i_mapping); ++ if (err) ++ return err; + +- return res ? res : err; ++ return blkdev_issue_flush(inode->i_sb->s_bdev, GFP_KERNEL, NULL); + } + + +-- +2.20.1 + diff --git a/queue-4.9/fuse-require-dev-fuse-reads-to-have-enough-buffer-ca.patch b/queue-4.9/fuse-require-dev-fuse-reads-to-have-enough-buffer-ca.patch new file mode 100644 index 00000000000..f6c4add7e59 --- /dev/null +++ b/queue-4.9/fuse-require-dev-fuse-reads-to-have-enough-buffer-ca.patch @@ -0,0 +1,82 @@ +From a021f455ad30040d0a816711b3586b51bdaae988 Mon Sep 17 00:00:00 2001 +From: Kirill Smelkov +Date: Wed, 27 Mar 2019 10:15:15 +0000 +Subject: fuse: require /dev/fuse reads to have enough buffer capacity + +[ Upstream commit d4b13963f217dd947da5c0cabd1569e914d21699 ] + +A FUSE filesystem server queues /dev/fuse sys_read calls to get +filesystem requests to handle. It does not know in advance what would be +that request as it can be anything that client issues - LOOKUP, READ, +WRITE, ... Many requests are short and retrieve data from the +filesystem. However WRITE and NOTIFY_REPLY write data into filesystem. + +Before getting into operation phase, FUSE filesystem server and kernel +client negotiate what should be the maximum write size the client will +ever issue. After negotiation the contract in between server/client is +that the filesystem server then should queue /dev/fuse sys_read calls with +enough buffer capacity to receive any client request - WRITE in +particular, while FUSE client should not, in particular, send WRITE +requests with > negotiated max_write payload. FUSE client in kernel and +libfuse historically reserve 4K for request header. This way the +contract is that filesystem server should queue sys_reads with +4K+max_write buffer. + +If the filesystem server does not follow this contract, what can happen +is that fuse_dev_do_read will see that request size is > buffer size, +and then it will return EIO to client who issued the request but won't +indicate in any way that there is a problem to filesystem server. +This can be hard to diagnose because for some requests, e.g. for +NOTIFY_REPLY which mimics WRITE, there is no client thread that is +waiting for request completion and that EIO goes nowhere, while on +filesystem server side things look like the kernel is not replying back +after successful NOTIFY_RETRIEVE request made by the server. + +We can make the problem easy to diagnose if we indicate via error return to +filesystem server when it is violating the contract. This should not +practically cause problems because if a filesystem server is using shorter +buffer, writes to it were already very likely to cause EIO, and if the +filesystem is read-only it should be too following FUSE_MIN_READ_BUFFER +minimum buffer size. + +Please see [1] for context where the problem of stuck filesystem was hit +for real (because kernel client was incorrectly sending more than +max_write data with NOTIFY_REPLY; see also previous patch), how the +situation was traced and for more involving patch that did not make it +into the tree. + +[1] https://marc.info/?l=linux-fsdevel&m=155057023600853&w=2 + +Signed-off-by: Kirill Smelkov +Cc: Han-Wen Nienhuys +Cc: Jakob Unterwurzacher +Signed-off-by: Miklos Szeredi +Signed-off-by: Sasha Levin +--- + fs/fuse/dev.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c +index eaedbc1a3e95..bc2d4832f02b 100644 +--- a/fs/fuse/dev.c ++++ b/fs/fuse/dev.c +@@ -1240,6 +1240,16 @@ static ssize_t fuse_dev_do_read(struct fuse_dev *fud, struct file *file, + struct fuse_in *in; + unsigned reqsize; + ++ /* ++ * Require sane minimum read buffer - that has capacity for fixed part ++ * of any request header + negotated max_write room for data. If the ++ * requirement is not satisfied return EINVAL to the filesystem server ++ * to indicate that it is not following FUSE server/client contract. ++ * Don't dequeue / abort any request. ++ */ ++ if (nbytes < max_t(size_t, FUSE_MIN_READ_BUFFER, 4096 + fc->max_write)) ++ return -EINVAL; ++ + restart: + spin_lock(&fiq->waitq.lock); + err = -EAGAIN; +-- +2.20.1 + diff --git a/queue-4.9/fuse-retrieve-cap-requested-size-to-negotiated-max_w.patch b/queue-4.9/fuse-retrieve-cap-requested-size-to-negotiated-max_w.patch new file mode 100644 index 00000000000..0dd3b3ad1e4 --- /dev/null +++ b/queue-4.9/fuse-retrieve-cap-requested-size-to-negotiated-max_w.patch @@ -0,0 +1,66 @@ +From bbbf611adc1d62e80d1d32ac3e9aa77d37e52847 Mon Sep 17 00:00:00 2001 +From: Kirill Smelkov +Date: Wed, 27 Mar 2019 10:15:19 +0000 +Subject: fuse: retrieve: cap requested size to negotiated max_write + +[ Upstream commit 7640682e67b33cab8628729afec8ca92b851394f ] + +FUSE filesystem server and kernel client negotiate during initialization +phase, what should be the maximum write size the client will ever issue. +Correspondingly the filesystem server then queues sys_read calls to read +requests with buffer capacity large enough to carry request header + that +max_write bytes. A filesystem server is free to set its max_write in +anywhere in the range between [1*page, fc->max_pages*page]. In particular +go-fuse[2] sets max_write by default as 64K, wheres default fc->max_pages +corresponds to 128K. Libfuse also allows users to configure max_write, but +by default presets it to possible maximum. + +If max_write is < fc->max_pages*page, and in NOTIFY_RETRIEVE handler we +allow to retrieve more than max_write bytes, corresponding prepared +NOTIFY_REPLY will be thrown away by fuse_dev_do_read, because the +filesystem server, in full correspondence with server/client contract, will +be only queuing sys_read with ~max_write buffer capacity, and +fuse_dev_do_read throws away requests that cannot fit into server request +buffer. In turn the filesystem server could get stuck waiting indefinitely +for NOTIFY_REPLY since NOTIFY_RETRIEVE handler returned OK which is +understood by clients as that NOTIFY_REPLY was queued and will be sent +back. + +Cap requested size to negotiate max_write to avoid the problem. This +aligns with the way NOTIFY_RETRIEVE handler works, which already +unconditionally caps requested retrieve size to fuse_conn->max_pages. This +way it should not hurt NOTIFY_RETRIEVE semantic if we return less data than +was originally requested. + +Please see [1] for context where the problem of stuck filesystem was hit +for real, how the situation was traced and for more involving patch that +did not make it into the tree. + +[1] https://marc.info/?l=linux-fsdevel&m=155057023600853&w=2 +[2] https://github.com/hanwen/go-fuse + +Signed-off-by: Kirill Smelkov +Cc: Han-Wen Nienhuys +Cc: Jakob Unterwurzacher +Signed-off-by: Miklos Szeredi +Signed-off-by: Sasha Levin +--- + fs/fuse/dev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c +index bc2d4832f02b..3331a5aae49a 100644 +--- a/fs/fuse/dev.c ++++ b/fs/fuse/dev.c +@@ -1678,7 +1678,7 @@ static int fuse_retrieve(struct fuse_conn *fc, struct inode *inode, + offset = outarg->offset & ~PAGE_MASK; + file_size = i_size_read(inode); + +- num = outarg->size; ++ num = min(outarg->size, fc->max_write); + if (outarg->offset > file_size) + num = 0; + else if (outarg->offset + num > file_size) +-- +2.20.1 + diff --git a/queue-4.9/gpio-gpio-omap-add-check-for-off-wake-capable-gpios.patch b/queue-4.9/gpio-gpio-omap-add-check-for-off-wake-capable-gpios.patch new file mode 100644 index 00000000000..87b03a2defc --- /dev/null +++ b/queue-4.9/gpio-gpio-omap-add-check-for-off-wake-capable-gpios.patch @@ -0,0 +1,82 @@ +From 91de0e7622eac10f4905731d68e97331ccbd66ae Mon Sep 17 00:00:00 2001 +From: Tony Lindgren +Date: Mon, 25 Mar 2019 15:43:18 -0700 +Subject: gpio: gpio-omap: add check for off wake capable gpios + +[ Upstream commit da38ef3ed10a09248e13ae16530c2c6d448dc47d ] + +We are currently assuming all GPIOs are non-wakeup capable GPIOs as we +not configuring the bank->non_wakeup_gpios like we used to earlier with +platform_data. + +Let's add omap_gpio_is_off_wakeup_capable() to make the handling clearer +while considering that later patches may want to configure SoC specific +bank->non_wakeup_gpios for the GPIOs in wakeup domain. + +Cc: Aaro Koskinen +Cc: Grygorii Strashko +Cc: Keerthy +Cc: Peter Ujfalusi +Cc: Russell King +Cc: Tero Kristo +Reported-by: Grygorii Strashko +Signed-off-by: Tony Lindgren +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-omap.c | 25 +++++++++++++++++-------- + 1 file changed, 17 insertions(+), 8 deletions(-) + +diff --git a/drivers/gpio/gpio-omap.c b/drivers/gpio/gpio-omap.c +index 75f30a0c418a..038882183bdf 100644 +--- a/drivers/gpio/gpio-omap.c ++++ b/drivers/gpio/gpio-omap.c +@@ -296,6 +296,22 @@ static void omap_clear_gpio_debounce(struct gpio_bank *bank, unsigned offset) + } + } + ++/* ++ * Off mode wake-up capable GPIOs in bank(s) that are in the wakeup domain. ++ * See TRM section for GPIO for "Wake-Up Generation" for the list of GPIOs ++ * in wakeup domain. If bank->non_wakeup_gpios is not configured, assume none ++ * are capable waking up the system from off mode. ++ */ ++static bool omap_gpio_is_off_wakeup_capable(struct gpio_bank *bank, u32 gpio_mask) ++{ ++ u32 no_wake = bank->non_wakeup_gpios; ++ ++ if (no_wake) ++ return !!(~no_wake & gpio_mask); ++ ++ return false; ++} ++ + static inline void omap_set_gpio_trigger(struct gpio_bank *bank, int gpio, + unsigned trigger) + { +@@ -327,13 +343,7 @@ static inline void omap_set_gpio_trigger(struct gpio_bank *bank, int gpio, + } + + /* This part needs to be executed always for OMAP{34xx, 44xx} */ +- if (!bank->regs->irqctrl) { +- /* On omap24xx proceed only when valid GPIO bit is set */ +- if (bank->non_wakeup_gpios) { +- if (!(bank->non_wakeup_gpios & gpio_bit)) +- goto exit; +- } +- ++ if (!bank->regs->irqctrl && !omap_gpio_is_off_wakeup_capable(bank, gpio)) { + /* + * Log the edge gpio and manually trigger the IRQ + * after resume if the input level changes +@@ -346,7 +356,6 @@ static inline void omap_set_gpio_trigger(struct gpio_bank *bank, int gpio, + bank->enabled_non_wakeup_gpios &= ~gpio_bit; + } + +-exit: + bank->level_mask = + readl_relaxed(bank->base + bank->regs->leveldetect0) | + readl_relaxed(bank->base + bank->regs->leveldetect1); +-- +2.20.1 + diff --git a/queue-4.9/hugetlbfs-on-restore-reserve-error-path-retain-subpo.patch b/queue-4.9/hugetlbfs-on-restore-reserve-error-path-retain-subpo.patch new file mode 100644 index 00000000000..040ea3988a6 --- /dev/null +++ b/queue-4.9/hugetlbfs-on-restore-reserve-error-path-retain-subpo.patch @@ -0,0 +1,80 @@ +From 7c050dfc7ecea20d385df944a625f27ccca29604 Mon Sep 17 00:00:00 2001 +From: Mike Kravetz +Date: Mon, 13 May 2019 17:19:38 -0700 +Subject: hugetlbfs: on restore reserve error path retain subpool reservation + +[ Upstream commit 0919e1b69ab459e06df45d3ba6658d281962db80 ] + +When a huge page is allocated, PagePrivate() is set if the allocation +consumed a reservation. When freeing a huge page, PagePrivate is checked. +If set, it indicates the reservation should be restored. PagePrivate +being set at free huge page time mostly happens on error paths. + +When huge page reservations are created, a check is made to determine if +the mapping is associated with an explicitly mounted filesystem. If so, +pages are also reserved within the filesystem. The default action when +freeing a huge page is to decrement the usage count in any associated +explicitly mounted filesystem. However, if the reservation is to be +restored the reservation/use count within the filesystem should not be +decrementd. Otherwise, a subsequent page allocation and free for the same +mapping location will cause the file filesystem usage to go 'negative'. + +Filesystem Size Used Avail Use% Mounted on +nodev 4.0G -4.0M 4.1G - /opt/hugepool + +To fix, when freeing a huge page do not adjust filesystem usage if +PagePrivate() is set to indicate the reservation should be restored. + +I did not cc stable as the problem has been around since reserves were +added to hugetlbfs and nobody has noticed. + +Link: http://lkml.kernel.org/r/20190328234704.27083-2-mike.kravetz@oracle.com +Signed-off-by: Mike Kravetz +Reviewed-by: Naoya Horiguchi +Cc: Davidlohr Bueso +Cc: Joonsoo Kim +Cc: Michal Hocko +Cc: "Kirill A . Shutemov" +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/hugetlb.c | 21 ++++++++++++++++----- + 1 file changed, 16 insertions(+), 5 deletions(-) + +diff --git a/mm/hugetlb.c b/mm/hugetlb.c +index 6b03cd9b6d37..9914da93069e 100644 +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -1247,12 +1247,23 @@ void free_huge_page(struct page *page) + ClearPagePrivate(page); + + /* +- * A return code of zero implies that the subpool will be under its +- * minimum size if the reservation is not restored after page is free. +- * Therefore, force restore_reserve operation. ++ * If PagePrivate() was set on page, page allocation consumed a ++ * reservation. If the page was associated with a subpool, there ++ * would have been a page reserved in the subpool before allocation ++ * via hugepage_subpool_get_pages(). Since we are 'restoring' the ++ * reservtion, do not call hugepage_subpool_put_pages() as this will ++ * remove the reserved page from the subpool. + */ +- if (hugepage_subpool_put_pages(spool, 1) == 0) +- restore_reserve = true; ++ if (!restore_reserve) { ++ /* ++ * A return code of zero implies that the subpool will be ++ * under its minimum size if the reservation is not restored ++ * after page is free. Therefore, force restore_reserve ++ * operation. ++ */ ++ if (hugepage_subpool_put_pages(spool, 1) == 0) ++ restore_reserve = true; ++ } + + spin_lock(&hugetlb_lock); + clear_page_huge_active(page); +-- +2.20.1 + diff --git a/queue-4.9/iommu-vt-d-set-intel_iommu_gfx_mapped-correctly.patch b/queue-4.9/iommu-vt-d-set-intel_iommu_gfx_mapped-correctly.patch new file mode 100644 index 00000000000..0ee1bac03cb --- /dev/null +++ b/queue-4.9/iommu-vt-d-set-intel_iommu_gfx_mapped-correctly.patch @@ -0,0 +1,54 @@ +From 1e77f44c4825fc69ed0782e3e1351fa723354399 Mon Sep 17 00:00:00 2001 +From: Lu Baolu +Date: Thu, 2 May 2019 09:34:25 +0800 +Subject: iommu/vt-d: Set intel_iommu_gfx_mapped correctly + +[ Upstream commit cf1ec4539a50bdfe688caad4615ca47646884316 ] + +The intel_iommu_gfx_mapped flag is exported by the Intel +IOMMU driver to indicate whether an IOMMU is used for the +graphic device. In a virtualized IOMMU environment (e.g. +QEMU), an include-all IOMMU is used for graphic device. +This flag is found to be clear even the IOMMU is used. + +Cc: Ashok Raj +Cc: Jacob Pan +Cc: Kevin Tian +Reported-by: Zhenyu Wang +Fixes: c0771df8d5297 ("intel-iommu: Export a flag indicating that the IOMMU is used for iGFX.") +Suggested-by: Kevin Tian +Signed-off-by: Lu Baolu +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/intel-iommu.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c +index 28feb1744710..25cc6ae87039 100644 +--- a/drivers/iommu/intel-iommu.c ++++ b/drivers/iommu/intel-iommu.c +@@ -4119,9 +4119,7 @@ static void __init init_no_remapping_devices(void) + + /* This IOMMU has *only* gfx devices. Either bypass it or + set the gfx_mapped flag, as appropriate */ +- if (dmar_map_gfx) { +- intel_iommu_gfx_mapped = 1; +- } else { ++ if (!dmar_map_gfx) { + drhd->ignored = 1; + for_each_active_dev_scope(drhd->devices, + drhd->devices_cnt, i, dev) +@@ -4870,6 +4868,9 @@ int __init intel_iommu_init(void) + goto out_free_reserved_range; + } + ++ if (dmar_map_gfx) ++ intel_iommu_gfx_mapped = 1; ++ + init_no_remapping_devices(); + + ret = init_dmars(); +-- +2.20.1 + diff --git a/queue-4.9/ipc-prevent-lockup-on-alloc_msg-and-free_msg.patch b/queue-4.9/ipc-prevent-lockup-on-alloc_msg-and-free_msg.patch new file mode 100644 index 00000000000..c10a11d2230 --- /dev/null +++ b/queue-4.9/ipc-prevent-lockup-on-alloc_msg-and-free_msg.patch @@ -0,0 +1,159 @@ +From 3ebdc639c0cc49608fb17627d070a3fb44743ef4 Mon Sep 17 00:00:00 2001 +From: Li Rongqing +Date: Tue, 14 May 2019 15:46:20 -0700 +Subject: ipc: prevent lockup on alloc_msg and free_msg + +[ Upstream commit d6a2946a88f524a47cc9b79279667137899db807 ] + +msgctl10 of ltp triggers the following lockup When CONFIG_KASAN is +enabled on large memory SMP systems, the pages initialization can take a +long time, if msgctl10 requests a huge block memory, and it will block +rcu scheduler, so release cpu actively. + +After adding schedule() in free_msg, free_msg can not be called when +holding spinlock, so adding msg to a tmp list, and free it out of +spinlock + + rcu: INFO: rcu_preempt detected stalls on CPUs/tasks: + rcu: Tasks blocked on level-1 rcu_node (CPUs 16-31): P32505 + rcu: Tasks blocked on level-1 rcu_node (CPUs 48-63): P34978 + rcu: (detected by 11, t=35024 jiffies, g=44237529, q=16542267) + msgctl10 R running task 21608 32505 2794 0x00000082 + Call Trace: + preempt_schedule_irq+0x4c/0xb0 + retint_kernel+0x1b/0x2d + RIP: 0010:__is_insn_slot_addr+0xfb/0x250 + Code: 82 1d 00 48 8b 9b 90 00 00 00 4c 89 f7 49 c1 ee 03 e8 59 83 1d 00 48 b8 00 00 00 00 00 fc ff df 4c 39 eb 48 89 9d 58 ff ff ff <41> c6 04 06 f8 74 66 4c 8d 75 98 4c 89 f1 48 c1 e9 03 48 01 c8 48 + RSP: 0018:ffff88bce041f758 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13 + RAX: dffffc0000000000 RBX: ffffffff8471bc50 RCX: ffffffff828a2a57 + RDX: dffffc0000000000 RSI: dffffc0000000000 RDI: ffff88bce041f780 + RBP: ffff88bce041f828 R08: ffffed15f3f4c5b3 R09: ffffed15f3f4c5b3 + R10: 0000000000000001 R11: ffffed15f3f4c5b2 R12: 000000318aee9b73 + R13: ffffffff8471bc50 R14: 1ffff1179c083ef0 R15: 1ffff1179c083eec + kernel_text_address+0xc1/0x100 + __kernel_text_address+0xe/0x30 + unwind_get_return_address+0x2f/0x50 + __save_stack_trace+0x92/0x100 + create_object+0x380/0x650 + __kmalloc+0x14c/0x2b0 + load_msg+0x38/0x1a0 + do_msgsnd+0x19e/0xcf0 + do_syscall_64+0x117/0x400 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + + rcu: INFO: rcu_preempt detected stalls on CPUs/tasks: + rcu: Tasks blocked on level-1 rcu_node (CPUs 0-15): P32170 + rcu: (detected by 14, t=35016 jiffies, g=44237525, q=12423063) + msgctl10 R running task 21608 32170 32155 0x00000082 + Call Trace: + preempt_schedule_irq+0x4c/0xb0 + retint_kernel+0x1b/0x2d + RIP: 0010:lock_acquire+0x4d/0x340 + Code: 48 81 ec c0 00 00 00 45 89 c6 4d 89 cf 48 8d 6c 24 20 48 89 3c 24 48 8d bb e4 0c 00 00 89 74 24 0c 48 c7 44 24 20 b3 8a b5 41 <48> c1 ed 03 48 c7 44 24 28 b4 25 18 84 48 c7 44 24 30 d0 54 7a 82 + RSP: 0018:ffff88af83417738 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff13 + RAX: dffffc0000000000 RBX: ffff88bd335f3080 RCX: 0000000000000002 + RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88bd335f3d64 + RBP: ffff88af83417758 R08: 0000000000000000 R09: 0000000000000000 + R10: 0000000000000001 R11: ffffed13f3f745b2 R12: 0000000000000000 + R13: 0000000000000002 R14: 0000000000000000 R15: 0000000000000000 + is_bpf_text_address+0x32/0xe0 + kernel_text_address+0xec/0x100 + __kernel_text_address+0xe/0x30 + unwind_get_return_address+0x2f/0x50 + __save_stack_trace+0x92/0x100 + save_stack+0x32/0xb0 + __kasan_slab_free+0x130/0x180 + kfree+0xfa/0x2d0 + free_msg+0x24/0x50 + do_msgrcv+0x508/0xe60 + do_syscall_64+0x117/0x400 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Davidlohr said: + "So after releasing the lock, the msg rbtree/list is empty and new + calls will not see those in the newly populated tmp_msg list, and + therefore they cannot access the delayed msg freeing pointers, which + is good. Also the fact that the node_cache is now freed before the + actual messages seems to be harmless as this is wanted for + msg_insert() avoiding GFP_ATOMIC allocations, and after releasing the + info->lock the thing is freed anyway so it should not change things" + +Link: http://lkml.kernel.org/r/1552029161-4957-1-git-send-email-lirongqing@baidu.com +Signed-off-by: Li RongQing +Signed-off-by: Zhang Yu +Reviewed-by: Davidlohr Bueso +Cc: Manfred Spraul +Cc: Arnd Bergmann +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + ipc/mqueue.c | 10 ++++++++-- + ipc/msgutil.c | 6 ++++++ + 2 files changed, 14 insertions(+), 2 deletions(-) + +diff --git a/ipc/mqueue.c b/ipc/mqueue.c +index 28a142f1be36..d5491a880751 100644 +--- a/ipc/mqueue.c ++++ b/ipc/mqueue.c +@@ -371,7 +371,8 @@ static void mqueue_evict_inode(struct inode *inode) + struct user_struct *user; + unsigned long mq_bytes, mq_treesize; + struct ipc_namespace *ipc_ns; +- struct msg_msg *msg; ++ struct msg_msg *msg, *nmsg; ++ LIST_HEAD(tmp_msg); + + clear_inode(inode); + +@@ -382,10 +383,15 @@ static void mqueue_evict_inode(struct inode *inode) + info = MQUEUE_I(inode); + spin_lock(&info->lock); + while ((msg = msg_get(info)) != NULL) +- free_msg(msg); ++ list_add_tail(&msg->m_list, &tmp_msg); + kfree(info->node_cache); + spin_unlock(&info->lock); + ++ list_for_each_entry_safe(msg, nmsg, &tmp_msg, m_list) { ++ list_del(&msg->m_list); ++ free_msg(msg); ++ } ++ + /* Total amount of bytes accounted for the mqueue */ + mq_treesize = info->attr.mq_maxmsg * sizeof(struct msg_msg) + + min_t(unsigned int, info->attr.mq_maxmsg, MQ_PRIO_MAX) * +diff --git a/ipc/msgutil.c b/ipc/msgutil.c +index bf74eaa5c39f..6d90b191c638 100644 +--- a/ipc/msgutil.c ++++ b/ipc/msgutil.c +@@ -18,6 +18,7 @@ + #include + #include + #include ++#include + + #include "util.h" + +@@ -64,6 +65,9 @@ static struct msg_msg *alloc_msg(size_t len) + pseg = &msg->next; + while (len > 0) { + struct msg_msgseg *seg; ++ ++ cond_resched(); ++ + alen = min(len, DATALEN_SEG); + seg = kmalloc(sizeof(*seg) + alen, GFP_KERNEL_ACCOUNT); + if (seg == NULL) +@@ -176,6 +180,8 @@ void free_msg(struct msg_msg *msg) + kfree(msg); + while (seg != NULL) { + struct msg_msgseg *tmp = seg->next; ++ ++ cond_resched(); + kfree(seg); + seg = tmp; + } +-- +2.20.1 + diff --git a/queue-4.9/kernel-sys.c-prctl-fix-false-positive-in-validate_pr.patch b/queue-4.9/kernel-sys.c-prctl-fix-false-positive-in-validate_pr.patch new file mode 100644 index 00000000000..7af07d64a3d --- /dev/null +++ b/queue-4.9/kernel-sys.c-prctl-fix-false-positive-in-validate_pr.patch @@ -0,0 +1,54 @@ +From 3f97ddf2a33230ac7f21f785a229945b90dfac11 Mon Sep 17 00:00:00 2001 +From: Cyrill Gorcunov +Date: Mon, 13 May 2019 17:15:40 -0700 +Subject: kernel/sys.c: prctl: fix false positive in validate_prctl_map() + +[ Upstream commit a9e73998f9d705c94a8dca9687633adc0f24a19a ] + +While validating new map we require the @start_data to be strictly less +than @end_data, which is fine for regular applications (this is why this +nit didn't trigger for that long). These members are set from executable +loaders such as elf handers, still it is pretty valid to have a loadable +data section with zero size in file, in such case the start_data is equal +to end_data once kernel loader finishes. + +As a result when we're trying to restore such programs the procedure fails +and the kernel returns -EINVAL. From the image dump of a program: + + | "mm_start_code": "0x400000", + | "mm_end_code": "0x8f5fb4", + | "mm_start_data": "0xf1bfb0", + | "mm_end_data": "0xf1bfb0", + +Thus we need to change validate_prctl_map from strictly less to less or +equal operator use. + +Link: http://lkml.kernel.org/r/20190408143554.GY1421@uranus.lan +Fixes: f606b77f1a9e3 ("prctl: PR_SET_MM -- introduce PR_SET_MM_MAP operation") +Signed-off-by: Cyrill Gorcunov +Cc: Andrey Vagin +Cc: Dmitry Safonov <0x7f454c46@gmail.com> +Cc: Pavel Emelyanov +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + kernel/sys.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/sys.c b/kernel/sys.c +index 6c4e9b533258..157277cbf83a 100644 +--- a/kernel/sys.c ++++ b/kernel/sys.c +@@ -1762,7 +1762,7 @@ static int validate_prctl_map(struct prctl_mm_map *prctl_map) + ((unsigned long)prctl_map->__m1 __op \ + (unsigned long)prctl_map->__m2) ? 0 : -EINVAL + error = __prctl_check_order(start_code, <, end_code); +- error |= __prctl_check_order(start_data, <, end_data); ++ error |= __prctl_check_order(start_data,<=, end_data); + error |= __prctl_check_order(start_brk, <=, brk); + error |= __prctl_check_order(arg_start, <=, arg_end); + error |= __prctl_check_order(env_start, <=, env_end); +-- +2.20.1 + diff --git a/queue-4.9/mem-hotplug-fix-node-spanned-pages-when-we-have-a-no.patch b/queue-4.9/mem-hotplug-fix-node-spanned-pages-when-we-have-a-no.patch new file mode 100644 index 00000000000..70b411327f9 --- /dev/null +++ b/queue-4.9/mem-hotplug-fix-node-spanned-pages-when-we-have-a-no.patch @@ -0,0 +1,112 @@ +From 2afb7b9f548c1226440179714378707e36c1f7f2 Mon Sep 17 00:00:00 2001 +From: Linxu Fang +Date: Mon, 13 May 2019 17:19:17 -0700 +Subject: mem-hotplug: fix node spanned pages when we have a node with only + ZONE_MOVABLE + +[ Upstream commit 299c83dce9ea3a79bb4b5511d2cb996b6b8e5111 ] + +342332e6a925 ("mm/page_alloc.c: introduce kernelcore=mirror option") and +later patches rewrote the calculation of node spanned pages. + +e506b99696a2 ("mem-hotplug: fix node spanned pages when we have a movable +node"), but the current code still has problems, + +When we have a node with only zone_movable and the node id is not zero, +the size of node spanned pages is double added. + +That's because we have an empty normal zone, and zone_start_pfn or +zone_end_pfn is not between arch_zone_lowest_possible_pfn and +arch_zone_highest_possible_pfn, so we need to use clamp to constrain the +range just like the commit <96e907d13602> (bootmem: Reimplement +__absent_pages_in_range() using for_each_mem_pfn_range()). + +e.g. +Zone ranges: + DMA [mem 0x0000000000001000-0x0000000000ffffff] + DMA32 [mem 0x0000000001000000-0x00000000ffffffff] + Normal [mem 0x0000000100000000-0x000000023fffffff] +Movable zone start for each node + Node 0: 0x0000000100000000 + Node 1: 0x0000000140000000 +Early memory node ranges + node 0: [mem 0x0000000000001000-0x000000000009efff] + node 0: [mem 0x0000000000100000-0x00000000bffdffff] + node 0: [mem 0x0000000100000000-0x000000013fffffff] + node 1: [mem 0x0000000140000000-0x000000023fffffff] + +node 0 DMA spanned:0xfff present:0xf9e absent:0x61 +node 0 DMA32 spanned:0xff000 present:0xbefe0 absent:0x40020 +node 0 Normal spanned:0 present:0 absent:0 +node 0 Movable spanned:0x40000 present:0x40000 absent:0 +On node 0 totalpages(node_present_pages): 1048446 +node_spanned_pages:1310719 +node 1 DMA spanned:0 present:0 absent:0 +node 1 DMA32 spanned:0 present:0 absent:0 +node 1 Normal spanned:0x100000 present:0x100000 absent:0 +node 1 Movable spanned:0x100000 present:0x100000 absent:0 +On node 1 totalpages(node_present_pages): 2097152 +node_spanned_pages:2097152 +Memory: 6967796K/12582392K available (16388K kernel code, 3686K rwdata, +4468K rodata, 2160K init, 10444K bss, 5614596K reserved, 0K +cma-reserved) + +It shows that the current memory of node 1 is double added. +After this patch, the problem is fixed. + +node 0 DMA spanned:0xfff present:0xf9e absent:0x61 +node 0 DMA32 spanned:0xff000 present:0xbefe0 absent:0x40020 +node 0 Normal spanned:0 present:0 absent:0 +node 0 Movable spanned:0x40000 present:0x40000 absent:0 +On node 0 totalpages(node_present_pages): 1048446 +node_spanned_pages:1310719 +node 1 DMA spanned:0 present:0 absent:0 +node 1 DMA32 spanned:0 present:0 absent:0 +node 1 Normal spanned:0 present:0 absent:0 +node 1 Movable spanned:0x100000 present:0x100000 absent:0 +On node 1 totalpages(node_present_pages): 1048576 +node_spanned_pages:1048576 +memory: 6967796K/8388088K available (16388K kernel code, 3686K rwdata, +4468K rodata, 2160K init, 10444K bss, 1420292K reserved, 0K +cma-reserved) + +Link: http://lkml.kernel.org/r/1554178276-10372-1-git-send-email-fanglinxu@huawei.com +Signed-off-by: Linxu Fang +Cc: Taku Izumi +Cc: Xishi Qiu +Cc: Michal Hocko +Cc: Vlastimil Babka +Cc: Pavel Tatashin +Cc: Oscar Salvador +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/page_alloc.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/mm/page_alloc.c b/mm/page_alloc.c +index 05f141e39ac1..13a642192e12 100644 +--- a/mm/page_alloc.c ++++ b/mm/page_alloc.c +@@ -5491,13 +5491,15 @@ static unsigned long __meminit zone_spanned_pages_in_node(int nid, + unsigned long *zone_end_pfn, + unsigned long *ignored) + { ++ unsigned long zone_low = arch_zone_lowest_possible_pfn[zone_type]; ++ unsigned long zone_high = arch_zone_highest_possible_pfn[zone_type]; + /* When hotadd a new node from cpu_up(), the node should be empty */ + if (!node_start_pfn && !node_end_pfn) + return 0; + + /* Get the start and end of the zone */ +- *zone_start_pfn = arch_zone_lowest_possible_pfn[zone_type]; +- *zone_end_pfn = arch_zone_highest_possible_pfn[zone_type]; ++ *zone_start_pfn = clamp(node_start_pfn, zone_low, zone_high); ++ *zone_end_pfn = clamp(node_end_pfn, zone_low, zone_high); + adjust_zone_range_for_zone_movable(nid, zone_type, + node_start_pfn, node_end_pfn, + zone_start_pfn, zone_end_pfn); +-- +2.20.1 + diff --git a/queue-4.9/mfd-intel-lpss-set-the-device-in-reset-state-when-in.patch b/queue-4.9/mfd-intel-lpss-set-the-device-in-reset-state-when-in.patch new file mode 100644 index 00000000000..09da5a0f0f8 --- /dev/null +++ b/queue-4.9/mfd-intel-lpss-set-the-device-in-reset-state-when-in.patch @@ -0,0 +1,70 @@ +From 1cea832ae3c8172ea39994ec95dc81b14f9960cb Mon Sep 17 00:00:00 2001 +From: Binbin Wu +Date: Mon, 8 Apr 2019 16:09:10 +0800 +Subject: mfd: intel-lpss: Set the device in reset state when init + +[ Upstream commit dad06532292d77f37fbe831a02948a593500f682 ] + +In virtualized setup, when system reboots due to warm +reset interrupt storm is seen. + +Call Trace: + +dump_stack+0x70/0xa5 +__report_bad_irq+0x2e/0xc0 +note_interrupt+0x248/0x290 +? add_interrupt_randomness+0x30/0x220 +handle_irq_event_percpu+0x54/0x80 +handle_irq_event+0x39/0x60 +handle_fasteoi_irq+0x91/0x150 +handle_irq+0x108/0x180 +do_IRQ+0x52/0xf0 +common_interrupt+0xf/0xf + +RIP: 0033:0x76fc2cfabc1d +Code: 24 28 bf 03 00 00 00 31 c0 48 8d 35 63 77 0e 00 48 8d 15 2e +94 0e 00 4c 89 f9 49 89 d9 4c 89 d3 e8 b8 e2 01 00 48 8b 54 24 18 +<48> 89 ef 48 89 de 4c 89 e1 e8 d5 97 01 00 84 c0 74 2d 48 8b 04 +24 +RSP: 002b:00007ffd247c1fc0 EFLAGS: 00000293 ORIG_RAX: ffffffffffffffda +RAX: 0000000000000000 RBX: 00007ffd247c1ff0 RCX: 000000000003d3ce +RDX: 0000000000000000 RSI: 00007ffd247c1ff0 RDI: 000076fc2cbb6010 +RBP: 000076fc2cded010 R08: 00007ffd247c2210 R09: 00007ffd247c22a0 +R10: 000076fc29465470 R11: 0000000000000000 R12: 00007ffd247c1fc0 +R13: 000076fc2ce8e470 R14: 000076fc27ec9960 R15: 0000000000000414 +handlers: +[<000000000d3fa913>] idma64_irq +Disabling IRQ #27 + +To avoid interrupt storm, set the device in reset state +before bringing out the device from reset state. + +Changelog v2: +- correct the subject line by adding "mfd: " + +Signed-off-by: Binbin Wu +Acked-by: Mika Westerberg +Reviewed-by: Andy Shevchenko +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/intel-lpss.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/mfd/intel-lpss.c b/drivers/mfd/intel-lpss.c +index 19ac8bc8e7ea..22dd8c055048 100644 +--- a/drivers/mfd/intel-lpss.c ++++ b/drivers/mfd/intel-lpss.c +@@ -273,6 +273,9 @@ static void intel_lpss_init_dev(const struct intel_lpss *lpss) + { + u32 value = LPSS_PRIV_SSP_REG_DIS_DMA_FIN; + ++ /* Set the device in reset state */ ++ writel(0, lpss->priv + LPSS_PRIV_RESETS); ++ + intel_lpss_deassert_reset(lpss); + + intel_lpss_set_remap_addr(lpss); +-- +2.20.1 + diff --git a/queue-4.9/mfd-tps65912-spi-add-missing-of-table-registration.patch b/queue-4.9/mfd-tps65912-spi-add-missing-of-table-registration.patch new file mode 100644 index 00000000000..b454567bdc0 --- /dev/null +++ b/queue-4.9/mfd-tps65912-spi-add-missing-of-table-registration.patch @@ -0,0 +1,43 @@ +From 9b76ac0f136920864cd1a5f8d84db075835b903a Mon Sep 17 00:00:00 2001 +From: Daniel Gomez +Date: Mon, 22 Apr 2019 21:09:50 +0200 +Subject: mfd: tps65912-spi: Add missing of table registration + +[ Upstream commit 9e364e87ad7f2c636276c773d718cda29d62b741 ] + +MODULE_DEVICE_TABLE(of, should be called to complete DT +OF mathing mechanism and register it. + +Before this patch: +modinfo drivers/mfd/tps65912-spi.ko | grep alias +alias: spi:tps65912 + +After this patch: +modinfo drivers/mfd/tps65912-spi.ko | grep alias +alias: of:N*T*Cti,tps65912C* +alias: of:N*T*Cti,tps65912 +alias: spi:tps65912 + +Reported-by: Javier Martinez Canillas +Signed-off-by: Daniel Gomez +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/tps65912-spi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/mfd/tps65912-spi.c b/drivers/mfd/tps65912-spi.c +index 4aeba9b6942a..ec37cfe32ca3 100644 +--- a/drivers/mfd/tps65912-spi.c ++++ b/drivers/mfd/tps65912-spi.c +@@ -27,6 +27,7 @@ static const struct of_device_id tps65912_spi_of_match_table[] = { + { .compatible = "ti,tps65912", }, + { /* sentinel */ } + }; ++MODULE_DEVICE_TABLE(of, tps65912_spi_of_match_table); + + static int tps65912_spi_probe(struct spi_device *spi) + { +-- +2.20.1 + diff --git a/queue-4.9/mfd-twl6040-fix-device-init-errors-for-accctl-regist.patch b/queue-4.9/mfd-twl6040-fix-device-init-errors-for-accctl-regist.patch new file mode 100644 index 00000000000..08628e95683 --- /dev/null +++ b/queue-4.9/mfd-twl6040-fix-device-init-errors-for-accctl-regist.patch @@ -0,0 +1,62 @@ +From 13e0e29076587350c46d29f77d244b839d934903 Mon Sep 17 00:00:00 2001 +From: Tony Lindgren +Date: Thu, 14 Feb 2019 08:03:45 -0800 +Subject: mfd: twl6040: Fix device init errors for ACCCTL register + +[ Upstream commit 48171d0ea7caccf21c9ee3ae75eb370f2a756062 ] + +I noticed that we can get a -EREMOTEIO errors on at least omap4 duovero: + +twl6040 0-004b: Failed to write 2d = 19: -121 + +And then any following register access will produce errors. + +There 2d offset above is register ACCCTL that gets written on twl6040 +powerup. With error checking added to the related regcache_sync() call, +the -EREMOTEIO error is reproducable on twl6040 powerup at least +duovero. + +To fix the error, we need to wait until twl6040 is accessible after the +powerup. Based on tests on omap4 duovero, we need to wait over 8ms after +powerup before register write will complete without failures. Let's also +make sure we warn about possible errors too. + +Note that we have twl6040_patch[] reg_sequence with the ACCCTL register +configuration and regcache_sync() will write the new value to ACCCTL. + +Signed-off-by: Tony Lindgren +Acked-by: Peter Ujfalusi +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/twl6040.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/drivers/mfd/twl6040.c b/drivers/mfd/twl6040.c +index dd19f17a1b63..2b8c479dbfa6 100644 +--- a/drivers/mfd/twl6040.c ++++ b/drivers/mfd/twl6040.c +@@ -322,8 +322,19 @@ int twl6040_power(struct twl6040 *twl6040, int on) + } + } + ++ /* ++ * Register access can produce errors after power-up unless we ++ * wait at least 8ms based on measurements on duovero. ++ */ ++ usleep_range(10000, 12000); ++ + /* Sync with the HW */ +- regcache_sync(twl6040->regmap); ++ ret = regcache_sync(twl6040->regmap); ++ if (ret) { ++ dev_err(twl6040->dev, "Failed to sync with the HW: %i\n", ++ ret); ++ goto out; ++ } + + /* Default PLL configuration after power up */ + twl6040->pll = TWL6040_SYSCLK_SEL_LPPLL; +-- +2.20.1 + diff --git a/queue-4.9/mips-make-sure-dt-memory-regions-are-valid.patch b/queue-4.9/mips-make-sure-dt-memory-regions-are-valid.patch new file mode 100644 index 00000000000..a74fa8f3895 --- /dev/null +++ b/queue-4.9/mips-make-sure-dt-memory-regions-are-valid.patch @@ -0,0 +1,69 @@ +From b99c2ea6c0df78df201abe3d1a882fd1a5d23380 Mon Sep 17 00:00:00 2001 +From: Serge Semin +Date: Fri, 3 May 2019 20:50:40 +0300 +Subject: mips: Make sure dt memory regions are valid + +[ Upstream commit 93fa5b280761a4dbb14c5330f260380385ab2b49 ] + +There are situations when memory regions coming from dts may be +too big for the platform physical address space. This especially +concerns XPA-capable systems. Bootloader may determine more than 4GB +memory available and pass it to the kernel over dts memory node, while +kernel is built without XPA/64BIT support. In this case the region +may either simply be truncated by add_memory_region() method +or by u64->phys_addr_t type casting. But in worst case the method +can even drop the memory region if it exceeds PHYS_ADDR_MAX size. +So lets make sure the retrieved from dts memory regions are valid, +and if some of them aren't, just manually truncate them with a warning +printed out. + +Signed-off-by: Serge Semin +Signed-off-by: Paul Burton +Cc: Ralf Baechle +Cc: James Hogan +Cc: Mike Rapoport +Cc: Andrew Morton +Cc: Michal Hocko +Cc: Greg Kroah-Hartman +Cc: Thomas Bogendoerfer +Cc: Huacai Chen +Cc: Stefan Agner +Cc: Stephen Rothwell +Cc: Alexandre Belloni +Cc: Juergen Gross +Cc: Serge Semin +Cc: linux-mips@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Sasha Levin +--- + arch/mips/kernel/prom.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/arch/mips/kernel/prom.c b/arch/mips/kernel/prom.c +index 5fcec3032f38..6131807799b4 100644 +--- a/arch/mips/kernel/prom.c ++++ b/arch/mips/kernel/prom.c +@@ -41,7 +41,19 @@ char *mips_get_machine_name(void) + #ifdef CONFIG_USE_OF + void __init early_init_dt_add_memory_arch(u64 base, u64 size) + { +- return add_memory_region(base, size, BOOT_MEM_RAM); ++ if (base >= PHYS_ADDR_MAX) { ++ pr_warn("Trying to add an invalid memory region, skipped\n"); ++ return; ++ } ++ ++ /* Truncate the passed memory region instead of type casting */ ++ if (base + size - 1 >= PHYS_ADDR_MAX || base + size < base) { ++ pr_warn("Truncate memory region %llx @ %llx to size %llx\n", ++ size, base, PHYS_ADDR_MAX - base); ++ size = PHYS_ADDR_MAX - base; ++ } ++ ++ add_memory_region(base, size, BOOT_MEM_RAM); + } + + void * __init early_init_dt_alloc_memory_arch(u64 size, u64 align) +-- +2.20.1 + diff --git a/queue-4.9/mm-cma.c-fix-crash-on-cma-allocation-if-bitmap-alloc.patch b/queue-4.9/mm-cma.c-fix-crash-on-cma-allocation-if-bitmap-alloc.patch new file mode 100644 index 00000000000..00a3e5acd6c --- /dev/null +++ b/queue-4.9/mm-cma.c-fix-crash-on-cma-allocation-if-bitmap-alloc.patch @@ -0,0 +1,44 @@ +From b24636bc0ce9926ccf55d96f1001377d3b3fd46f Mon Sep 17 00:00:00 2001 +From: Yue Hu +Date: Mon, 13 May 2019 17:18:14 -0700 +Subject: mm/cma.c: fix crash on CMA allocation if bitmap allocation fails + +[ Upstream commit 1df3a339074e31db95c4790ea9236874b13ccd87 ] + +f022d8cb7ec7 ("mm: cma: Don't crash on allocation if CMA area can't be +activated") fixes the crash issue when activation fails via setting +cma->count as 0, same logic exists if bitmap allocation fails. + +Link: http://lkml.kernel.org/r/20190325081309.6004-1-zbestahu@gmail.com +Signed-off-by: Yue Hu +Reviewed-by: Anshuman Khandual +Cc: Joonsoo Kim +Cc: Laura Abbott +Cc: Mike Rapoport +Cc: Randy Dunlap +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/cma.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/mm/cma.c b/mm/cma.c +index b5d8847497a3..4ea0f32761c1 100644 +--- a/mm/cma.c ++++ b/mm/cma.c +@@ -100,8 +100,10 @@ static int __init cma_activate_area(struct cma *cma) + + cma->bitmap = kzalloc(bitmap_size, GFP_KERNEL); + +- if (!cma->bitmap) ++ if (!cma->bitmap) { ++ cma->count = 0; + return -ENOMEM; ++ } + + WARN_ON_ONCE(!pfn_valid(pfn)); + zone = page_zone(pfn_to_page(pfn)); +-- +2.20.1 + diff --git a/queue-4.9/mm-cma_debug.c-fix-the-break-condition-in-cma_maxchu.patch b/queue-4.9/mm-cma_debug.c-fix-the-break-condition-in-cma_maxchu.patch new file mode 100644 index 00000000000..a9566250680 --- /dev/null +++ b/queue-4.9/mm-cma_debug.c-fix-the-break-condition-in-cma_maxchu.patch @@ -0,0 +1,44 @@ +From d462f304b6579a406e0556b4a2c1a3598d0cf71e Mon Sep 17 00:00:00 2001 +From: Yue Hu +Date: Mon, 13 May 2019 17:16:37 -0700 +Subject: mm/cma_debug.c: fix the break condition in cma_maxchunk_get() + +[ Upstream commit f0fd50504a54f5548eb666dc16ddf8394e44e4b7 ] + +If not find zero bit in find_next_zero_bit(), it will return the size +parameter passed in, so the start bit should be compared with bitmap_maxno +rather than cma->count. Although getting maxchunk is working fine due to +zero value of order_per_bit currently, the operation will be stuck if +order_per_bit is set as non-zero. + +Link: http://lkml.kernel.org/r/20190319092734.276-1-zbestahu@gmail.com +Signed-off-by: Yue Hu +Reviewed-by: Andrew Morton +Cc: Michal Hocko +Cc: Joe Perches +Cc: David Rientjes +Cc: Dmitry Safonov +Cc: Joonsoo Kim +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/cma_debug.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/mm/cma_debug.c b/mm/cma_debug.c +index f8e4b60db167..da50dab56b70 100644 +--- a/mm/cma_debug.c ++++ b/mm/cma_debug.c +@@ -57,7 +57,7 @@ static int cma_maxchunk_get(void *data, u64 *val) + mutex_lock(&cma->lock); + for (;;) { + start = find_next_zero_bit(cma->bitmap, bitmap_maxno, end); +- if (start >= cma->count) ++ if (start >= bitmap_maxno) + break; + end = find_next_bit(cma->bitmap, bitmap_maxno, start); + maxchunk = max(end - start, maxchunk); +-- +2.20.1 + diff --git a/queue-4.9/mm-slab.c-fix-an-infinite-loop-in-leaks_show.patch b/queue-4.9/mm-slab.c-fix-an-infinite-loop-in-leaks_show.patch new file mode 100644 index 00000000000..9c72e8c57a1 --- /dev/null +++ b/queue-4.9/mm-slab.c-fix-an-infinite-loop-in-leaks_show.patch @@ -0,0 +1,85 @@ +From 0914fc7b7ebaa2f16bb93c10025648cd02fe8d87 Mon Sep 17 00:00:00 2001 +From: Qian Cai +Date: Mon, 13 May 2019 17:16:31 -0700 +Subject: mm/slab.c: fix an infinite loop in leaks_show() + +[ Upstream commit 745e10146c31b1c6ed3326286704ae251b17f663 ] + +"cat /proc/slab_allocators" could hang forever on SMP machines with +kmemleak or object debugging enabled due to other CPUs running do_drain() +will keep making kmemleak_object or debug_objects_cache dirty and unable +to escape the first loop in leaks_show(), + +do { + set_store_user_clean(cachep); + drain_cpu_caches(cachep); + ... + +} while (!is_store_user_clean(cachep)); + +For example, + +do_drain + slabs_destroy + slab_destroy + kmem_cache_free + __cache_free + ___cache_free + kmemleak_free_recursive + delete_object_full + __delete_object + put_object + free_object_rcu + kmem_cache_free + cache_free_debugcheck --> dirty kmemleak_object + +One approach is to check cachep->name and skip both kmemleak_object and +debug_objects_cache in leaks_show(). The other is to set store_user_clean +after drain_cpu_caches() which leaves a small window between +drain_cpu_caches() and set_store_user_clean() where per-CPU caches could +be dirty again lead to slightly wrong information has been stored but +could also speed up things significantly which sounds like a good +compromise. For example, + + # cat /proc/slab_allocators + 0m42.778s # 1st approach + 0m0.737s # 2nd approach + +[akpm@linux-foundation.org: tweak comment] +Link: http://lkml.kernel.org/r/20190411032635.10325-1-cai@lca.pw +Fixes: d31676dfde25 ("mm/slab: alternative implementation for DEBUG_SLAB_LEAK") +Signed-off-by: Qian Cai +Reviewed-by: Andrew Morton +Cc: Vlastimil Babka +Cc: Christoph Lameter +Cc: Pekka Enberg +Cc: David Rientjes +Cc: Joonsoo Kim +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/slab.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/mm/slab.c b/mm/slab.c +index d2c0499c6b15..9547f02b4af9 100644 +--- a/mm/slab.c ++++ b/mm/slab.c +@@ -4365,8 +4365,12 @@ static int leaks_show(struct seq_file *m, void *p) + * whole processing. + */ + do { +- set_store_user_clean(cachep); + drain_cpu_caches(cachep); ++ /* ++ * drain_cpu_caches() could make kmemleak_object and ++ * debug_objects_cache dirty, so reset afterwards. ++ */ ++ set_store_user_clean(cachep); + + x[1] = 0; + +-- +2.20.1 + diff --git a/queue-4.9/nfsd-allow-fh_want_write-to-be-called-twice.patch b/queue-4.9/nfsd-allow-fh_want_write-to-be-called-twice.patch new file mode 100644 index 00000000000..0574d11b25f --- /dev/null +++ b/queue-4.9/nfsd-allow-fh_want_write-to-be-called-twice.patch @@ -0,0 +1,51 @@ +From 46fb0350f66e4fbd82a6fa473a86dc4477608f84 Mon Sep 17 00:00:00 2001 +From: "J. Bruce Fields" +Date: Fri, 12 Apr 2019 16:37:30 -0400 +Subject: nfsd: allow fh_want_write to be called twice + +[ Upstream commit 0b8f62625dc309651d0efcb6a6247c933acd8b45 ] + +A fuzzer recently triggered lockdep warnings about potential sb_writers +deadlocks caused by fh_want_write(). + +Looks like we aren't careful to pair each fh_want_write() with an +fh_drop_write(). + +It's not normally a problem since fh_put() will call fh_drop_write() for +us. And was OK for NFSv3 where we'd do one operation that might call +fh_want_write(), and then put the filehandle. + +But an NFSv4 protocol fuzzer can do weird things like call unlink twice +in a compound, and then we get into trouble. + +I'm a little worried about this approach of just leaving everything to +fh_put(). But I think there are probably a lot of +fh_want_write()/fh_drop_write() imbalances so for now I think we need it +to be more forgiving. + +Signed-off-by: J. Bruce Fields +Signed-off-by: Sasha Levin +--- + fs/nfsd/vfs.h | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/fs/nfsd/vfs.h b/fs/nfsd/vfs.h +index 0bf9e7bf5800..9140b9cf3870 100644 +--- a/fs/nfsd/vfs.h ++++ b/fs/nfsd/vfs.h +@@ -116,8 +116,11 @@ void nfsd_put_raparams(struct file *file, struct raparms *ra); + + static inline int fh_want_write(struct svc_fh *fh) + { +- int ret = mnt_want_write(fh->fh_export->ex_path.mnt); ++ int ret; + ++ if (fh->fh_want_write) ++ return 0; ++ ret = mnt_want_write(fh->fh_export->ex_path.mnt); + if (!ret) + fh->fh_want_write = true; + return ret; +-- +2.20.1 + diff --git a/queue-4.9/ntp-allow-tai-utc-offset-to-be-set-to-zero.patch b/queue-4.9/ntp-allow-tai-utc-offset-to-be-set-to-zero.patch new file mode 100644 index 00000000000..91772dae1bc --- /dev/null +++ b/queue-4.9/ntp-allow-tai-utc-offset-to-be-set-to-zero.patch @@ -0,0 +1,46 @@ +From 9681e8461eba5a60a058737a6ea19a46a95dc42a Mon Sep 17 00:00:00 2001 +From: Miroslav Lichvar +Date: Wed, 17 Apr 2019 10:48:33 +0200 +Subject: ntp: Allow TAI-UTC offset to be set to zero + +[ Upstream commit fdc6bae940ee9eb869e493990540098b8c0fd6ab ] + +The ADJ_TAI adjtimex mode sets the TAI-UTC offset of the system clock. +It is typically set by NTP/PTP implementations and it is automatically +updated by the kernel on leap seconds. The initial value is zero (which +applications may interpret as unknown), but this value cannot be set by +adjtimex. This limitation seems to go back to the original "nanokernel" +implementation by David Mills. + +Change the ADJ_TAI check to accept zero as a valid TAI-UTC offset in +order to allow setting it back to the initial value. + +Fixes: 153b5d054ac2 ("ntp: support for TAI") +Suggested-by: Ondrej Mosnacek +Signed-off-by: Miroslav Lichvar +Signed-off-by: Thomas Gleixner +Cc: John Stultz +Cc: Richard Cochran +Cc: Prarit Bhargava +Link: https://lkml.kernel.org/r/20190417084833.7401-1-mlichvar@redhat.com +Signed-off-by: Sasha Levin +--- + kernel/time/ntp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/time/ntp.c b/kernel/time/ntp.c +index 6df8927c58a5..0a16419006f3 100644 +--- a/kernel/time/ntp.c ++++ b/kernel/time/ntp.c +@@ -639,7 +639,7 @@ static inline void process_adjtimex_modes(struct timex *txc, + time_constant = max(time_constant, 0l); + } + +- if (txc->modes & ADJ_TAI && txc->constant > 0) ++ if (txc->modes & ADJ_TAI && txc->constant >= 0) + *time_tai = txc->constant; + + if (txc->modes & ADJ_OFFSET) +-- +2.20.1 + diff --git a/queue-4.9/nvmem-core-fix-read-buffer-in-place.patch b/queue-4.9/nvmem-core-fix-read-buffer-in-place.patch new file mode 100644 index 00000000000..46b7890fd77 --- /dev/null +++ b/queue-4.9/nvmem-core-fix-read-buffer-in-place.patch @@ -0,0 +1,63 @@ +From 58276aeaee017e6ae22cc91095363e027c7a0c61 Mon Sep 17 00:00:00 2001 +From: Jorge Ramirez-Ortiz +Date: Sat, 13 Apr 2019 11:32:58 +0100 +Subject: nvmem: core: fix read buffer in place + +[ Upstream commit 2fe518fecb3a4727393be286db9804cd82ee2d91 ] + +When the bit_offset in the cell is zero, the pointer to the msb will +not be properly initialized (ie, will still be pointing to the first +byte in the buffer). + +This being the case, if there are bits to clear in the msb, those will +be left untouched while the mask will incorrectly clear bit positions +on the first byte. + +This commit also makes sure that any byte unused in the cell is +cleared. + +Signed-off-by: Jorge Ramirez-Ortiz +Signed-off-by: Srinivas Kandagatla +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/nvmem/core.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/drivers/nvmem/core.c b/drivers/nvmem/core.c +index 824e282cd80e..bb2f79933b17 100644 +--- a/drivers/nvmem/core.c ++++ b/drivers/nvmem/core.c +@@ -934,7 +934,7 @@ static inline void nvmem_shift_read_buffer_in_place(struct nvmem_cell *cell, + void *buf) + { + u8 *p, *b; +- int i, bit_offset = cell->bit_offset; ++ int i, extra, bit_offset = cell->bit_offset; + + p = b = buf; + if (bit_offset) { +@@ -949,11 +949,16 @@ static inline void nvmem_shift_read_buffer_in_place(struct nvmem_cell *cell, + p = b; + *b++ >>= bit_offset; + } +- +- /* result fits in less bytes */ +- if (cell->bytes != DIV_ROUND_UP(cell->nbits, BITS_PER_BYTE)) +- *p-- = 0; ++ } else { ++ /* point to the msb */ ++ p += cell->bytes - 1; + } ++ ++ /* result fits in less bytes */ ++ extra = cell->bytes - DIV_ROUND_UP(cell->nbits, BITS_PER_BYTE); ++ while (--extra >= 0) ++ *p-- = 0; ++ + /* clear msb bits if any leftover in the last byte */ + *p &= GENMASK((cell->nbits%BITS_PER_BYTE) - 1, 0); + } +-- +2.20.1 + diff --git a/queue-4.9/objtool-don-t-use-ignore-flag-for-fake-jumps.patch b/queue-4.9/objtool-don-t-use-ignore-flag-for-fake-jumps.patch new file mode 100644 index 00000000000..da2a7d8bbd0 --- /dev/null +++ b/queue-4.9/objtool-don-t-use-ignore-flag-for-fake-jumps.patch @@ -0,0 +1,70 @@ +From e2da1a86864b1748754411150ab1b2288f965267 Mon Sep 17 00:00:00 2001 +From: Josh Poimboeuf +Date: Mon, 13 May 2019 12:01:31 -0500 +Subject: objtool: Don't use ignore flag for fake jumps + +[ Upstream commit e6da9567959e164f82bc81967e0d5b10dee870b4 ] + +The ignore flag is set on fake jumps in order to keep +add_jump_destinations() from setting their jump_dest, since it already +got set when the fake jump was created. + +But using the ignore flag is a bit of a hack. It's normally used to +skip validation of an instruction, which doesn't really make sense for +fake jumps. + +Also, after the next patch, using the ignore flag for fake jumps can +trigger a false "why am I validating an ignored function?" warning. + +Instead just add an explicit check in add_jump_destinations() to skip +fake jumps. + +Signed-off-by: Josh Poimboeuf +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/71abc072ff48b2feccc197723a9c52859476c068.1557766718.git.jpoimboe@redhat.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + tools/objtool/check.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/tools/objtool/check.c b/tools/objtool/check.c +index ae3446768181..95326c6a7a24 100644 +--- a/tools/objtool/check.c ++++ b/tools/objtool/check.c +@@ -28,6 +28,8 @@ + #include + #include + ++#define FAKE_JUMP_OFFSET -1 ++ + struct alternative { + struct list_head list; + struct instruction *insn; +@@ -498,7 +500,7 @@ static int add_jump_destinations(struct objtool_file *file) + insn->type != INSN_JUMP_UNCONDITIONAL) + continue; + +- if (insn->ignore) ++ if (insn->ignore || insn->offset == FAKE_JUMP_OFFSET) + continue; + + rela = find_rela_by_dest_range(insn->sec, insn->offset, +@@ -645,10 +647,10 @@ static int handle_group_alt(struct objtool_file *file, + clear_insn_state(&fake_jump->state); + + fake_jump->sec = special_alt->new_sec; +- fake_jump->offset = -1; ++ fake_jump->offset = FAKE_JUMP_OFFSET; + fake_jump->type = INSN_JUMP_UNCONDITIONAL; + fake_jump->jump_dest = list_next_entry(last_orig_insn, list); +- fake_jump->ignore = true; ++ fake_jump->func = orig_insn->func; + } + + if (!special_alt->new_len) { +-- +2.20.1 + diff --git a/queue-4.9/pci-rcar-fix-64bit-msi-message-address-handling.patch b/queue-4.9/pci-rcar-fix-64bit-msi-message-address-handling.patch new file mode 100644 index 00000000000..91de22b93e7 --- /dev/null +++ b/queue-4.9/pci-rcar-fix-64bit-msi-message-address-handling.patch @@ -0,0 +1,76 @@ +From d2e11daade9f949dd1cfdfa5e8c61e83972395bc Mon Sep 17 00:00:00 2001 +From: Marek Vasut +Date: Mon, 25 Mar 2019 12:41:01 +0100 +Subject: PCI: rcar: Fix 64bit MSI message address handling + +[ Upstream commit 954b4b752a4c4e963b017ed8cef4c453c5ed308d ] + +The MSI message address in the RC address space can be 64 bit. The +R-Car PCIe RC supports such a 64bit MSI message address as well. +The code currently uses virt_to_phys(__get_free_pages()) to obtain +a reserved page for the MSI message address, and the return value +of which can be a 64 bit physical address on 64 bit system. + +However, the driver only programs PCIEMSIALR register with the bottom +32 bits of the virt_to_phys(__get_free_pages()) return value and does +not program the top 32 bits into PCIEMSIAUR, but rather programs the +PCIEMSIAUR register with 0x0. This worked fine on older 32 bit R-Car +SoCs, however may fail on new 64 bit R-Car SoCs. + +Since from a PCIe controller perspective, an inbound MSI is a memory +write to a special address (in case of this controller, defined by +the value in PCIEMSIAUR:PCIEMSIALR), which triggers an interrupt, but +never hits the DRAM _and_ because allocation of an MSI by a PCIe card +driver obtains the MSI message address by reading PCIEMSIAUR:PCIEMSIALR +in rcar_msi_setup_irqs(), incorrectly programmed PCIEMSIAUR cannot +cause memory corruption or other issues. + +There is however the possibility that if virt_to_phys(__get_free_pages()) +returned address above the 32bit boundary _and_ PCIEMSIAUR was programmed +to 0x0 _and_ if the system had physical RAM at the address matching the +value of PCIEMSIALR, a PCIe card driver could allocate a buffer with a +physical address matching the value of PCIEMSIALR and a remote write to +such a buffer by a PCIe card would trigger a spurious MSI. + +Fixes: e015f88c368d ("PCI: rcar: Add support for R-Car H3 to pcie-rcar") +Signed-off-by: Marek Vasut +Signed-off-by: Lorenzo Pieralisi +Reviewed-by: Simon Horman +Reviewed-by: Geert Uytterhoeven +Cc: Geert Uytterhoeven +Cc: Phil Edworthy +Cc: Simon Horman +Cc: Wolfram Sang +Cc: linux-renesas-soc@vger.kernel.org +Signed-off-by: Sasha Levin +--- + drivers/pci/host/pcie-rcar.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/pci/host/pcie-rcar.c b/drivers/pci/host/pcie-rcar.c +index 77d931178178..7f6b454bca65 100644 +--- a/drivers/pci/host/pcie-rcar.c ++++ b/drivers/pci/host/pcie-rcar.c +@@ -847,7 +847,7 @@ static int rcar_pcie_enable_msi(struct rcar_pcie *pcie) + { + struct device *dev = pcie->dev; + struct rcar_msi *msi = &pcie->msi; +- unsigned long base; ++ phys_addr_t base; + int err, i; + + mutex_init(&msi->lock); +@@ -892,8 +892,8 @@ static int rcar_pcie_enable_msi(struct rcar_pcie *pcie) + } + base = virt_to_phys((void *)msi->pages); + +- rcar_pci_write_reg(pcie, base | MSIFE, PCIEMSIALR); +- rcar_pci_write_reg(pcie, 0, PCIEMSIAUR); ++ rcar_pci_write_reg(pcie, lower_32_bits(base) | MSIFE, PCIEMSIALR); ++ rcar_pci_write_reg(pcie, upper_32_bits(base), PCIEMSIAUR); + + /* enable all MSI interrupts */ + rcar_pci_write_reg(pcie, 0xffffffff, PCIEMSIIER); +-- +2.20.1 + diff --git a/queue-4.9/pci-rcar-fix-a-potential-null-pointer-dereference.patch b/queue-4.9/pci-rcar-fix-a-potential-null-pointer-dereference.patch new file mode 100644 index 00000000000..2e3e9988b9b --- /dev/null +++ b/queue-4.9/pci-rcar-fix-a-potential-null-pointer-dereference.patch @@ -0,0 +1,39 @@ +From 881cd77e24bf5682ba6a67591fb17d301316f848 Mon Sep 17 00:00:00 2001 +From: Kangjie Lu +Date: Fri, 15 Mar 2019 02:29:43 -0500 +Subject: PCI: rcar: Fix a potential NULL pointer dereference + +[ Upstream commit f0d14edd2ba43b995bef4dd5da5ffe0ae19321a1 ] + +In case __get_free_pages() fails and returns NULL, fix the return +value to -ENOMEM and release resources to avoid dereferencing a +NULL pointer. + +Signed-off-by: Kangjie Lu +Signed-off-by: Lorenzo Pieralisi +Reviewed-by: Ulrich Hecht +Reviewed-by: Geert Uytterhoeven +Reviewed-by: Simon Horman +Signed-off-by: Sasha Levin +--- + drivers/pci/host/pcie-rcar.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/pci/host/pcie-rcar.c b/drivers/pci/host/pcie-rcar.c +index d6196f7b1d58..77d931178178 100644 +--- a/drivers/pci/host/pcie-rcar.c ++++ b/drivers/pci/host/pcie-rcar.c +@@ -886,6 +886,10 @@ static int rcar_pcie_enable_msi(struct rcar_pcie *pcie) + + /* setup MSI data target */ + msi->pages = __get_free_pages(GFP_KERNEL, 0); ++ if (!msi->pages) { ++ err = -ENOMEM; ++ goto err; ++ } + base = virt_to_phys((void *)msi->pages); + + rcar_pci_write_reg(pcie, base | MSIFE, PCIEMSIALR); +-- +2.20.1 + diff --git a/queue-4.9/pci-rpadlpar-fix-leaked-device_node-references-in-ad.patch b/queue-4.9/pci-rpadlpar-fix-leaked-device_node-references-in-ad.patch new file mode 100644 index 00000000000..590e4bd488b --- /dev/null +++ b/queue-4.9/pci-rpadlpar-fix-leaked-device_node-references-in-ad.patch @@ -0,0 +1,63 @@ +From 2af8a1d4a30e7c2405e80ed6c6f6c2f8764fd823 Mon Sep 17 00:00:00 2001 +From: Tyrel Datwyler +Date: Fri, 22 Mar 2019 13:27:21 -0500 +Subject: PCI: rpadlpar: Fix leaked device_node references in add/remove paths + +[ Upstream commit fb26228bfc4ce3951544848555c0278e2832e618 ] + +The find_dlpar_node() helper returns a device node with its reference +incremented. Both the add and remove paths use this helper for find the +appropriate node, but fail to release the reference when done. + +Annotate the find_dlpar_node() helper with a comment about the incremented +reference count and call of_node_put() on the obtained device_node in the +add and remove paths. Also, fixup a reference leak in the find_vio_slot() +helper where we fail to call of_node_put() on the vdevice node after we +iterate over its children. + +Signed-off-by: Tyrel Datwyler +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + drivers/pci/hotplug/rpadlpar_core.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/pci/hotplug/rpadlpar_core.c b/drivers/pci/hotplug/rpadlpar_core.c +index c614ff7c3bc3..d3562df64456 100644 +--- a/drivers/pci/hotplug/rpadlpar_core.c ++++ b/drivers/pci/hotplug/rpadlpar_core.c +@@ -55,6 +55,7 @@ static struct device_node *find_vio_slot_node(char *drc_name) + if ((rc == 0) && (!strcmp(drc_name, name))) + break; + } ++ of_node_put(parent); + + return dn; + } +@@ -78,6 +79,7 @@ static struct device_node *find_php_slot_pci_node(char *drc_name, + return np; + } + ++/* Returns a device_node with its reference count incremented */ + static struct device_node *find_dlpar_node(char *drc_name, int *node_type) + { + struct device_node *dn; +@@ -313,6 +315,7 @@ int dlpar_add_slot(char *drc_name) + rc = dlpar_add_phb(drc_name, dn); + break; + } ++ of_node_put(dn); + + printk(KERN_INFO "%s: slot %s added\n", DLPAR_MODULE_NAME, drc_name); + exit: +@@ -446,6 +449,7 @@ int dlpar_remove_slot(char *drc_name) + rc = dlpar_remove_pci_slot(drc_name, dn); + break; + } ++ of_node_put(dn); + vm_unmap_aliases(); + + printk(KERN_INFO "%s: slot %s removed\n", DLPAR_MODULE_NAME, drc_name); +-- +2.20.1 + diff --git a/queue-4.9/pci-xilinx-check-for-__get_free_pages-failure.patch b/queue-4.9/pci-xilinx-check-for-__get_free_pages-failure.patch new file mode 100644 index 00000000000..396139ad25b --- /dev/null +++ b/queue-4.9/pci-xilinx-check-for-__get_free_pages-failure.patch @@ -0,0 +1,66 @@ +From 5beea4f7eaf98c304889664ae67b81ce2d3123b3 Mon Sep 17 00:00:00 2001 +From: Kangjie Lu +Date: Mon, 25 Mar 2019 17:19:09 -0500 +Subject: PCI: xilinx: Check for __get_free_pages() failure + +[ Upstream commit 699ca30162686bf305cdf94861be02eb0cf9bda2 ] + +If __get_free_pages() fails, return -ENOMEM to avoid a NULL pointer +dereference. + +Signed-off-by: Kangjie Lu +Signed-off-by: Lorenzo Pieralisi +Reviewed-by: Steven Price +Reviewed-by: Mukesh Ojha +Signed-off-by: Sasha Levin +--- + drivers/pci/host/pcie-xilinx.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/pci/host/pcie-xilinx.c b/drivers/pci/host/pcie-xilinx.c +index 61332f4d51c3..c3964fca57b0 100644 +--- a/drivers/pci/host/pcie-xilinx.c ++++ b/drivers/pci/host/pcie-xilinx.c +@@ -337,14 +337,19 @@ static const struct irq_domain_ops msi_domain_ops = { + * xilinx_pcie_enable_msi - Enable MSI support + * @port: PCIe port information + */ +-static void xilinx_pcie_enable_msi(struct xilinx_pcie_port *port) ++static int xilinx_pcie_enable_msi(struct xilinx_pcie_port *port) + { + phys_addr_t msg_addr; + + port->msi_pages = __get_free_pages(GFP_KERNEL, 0); ++ if (!port->msi_pages) ++ return -ENOMEM; ++ + msg_addr = virt_to_phys((void *)port->msi_pages); + pcie_write(port, 0x0, XILINX_PCIE_REG_MSIBASE1); + pcie_write(port, msg_addr, XILINX_PCIE_REG_MSIBASE2); ++ ++ return 0; + } + + /* INTx Functions */ +@@ -516,6 +521,7 @@ static int xilinx_pcie_init_irq_domain(struct xilinx_pcie_port *port) + struct device *dev = port->dev; + struct device_node *node = dev->of_node; + struct device_node *pcie_intc_node; ++ int ret; + + /* Setup INTx */ + pcie_intc_node = of_get_next_child(node, NULL); +@@ -544,7 +550,9 @@ static int xilinx_pcie_init_irq_domain(struct xilinx_pcie_port *port) + return -ENODEV; + } + +- xilinx_pcie_enable_msi(port); ++ ret = xilinx_pcie_enable_msi(port); ++ if (ret) ++ return ret; + } + + return 0; +-- +2.20.1 + diff --git a/queue-4.9/perf-x86-intel-allow-pebs-multi-entry-in-watermark-m.patch b/queue-4.9/perf-x86-intel-allow-pebs-multi-entry-in-watermark-m.patch new file mode 100644 index 00000000000..716eaa39dae --- /dev/null +++ b/queue-4.9/perf-x86-intel-allow-pebs-multi-entry-in-watermark-m.patch @@ -0,0 +1,47 @@ +From 64c754c2c4ee52320884e38e2e97af3f1ba066a1 Mon Sep 17 00:00:00 2001 +From: Stephane Eranian +Date: Mon, 13 May 2019 17:34:00 -0700 +Subject: perf/x86/intel: Allow PEBS multi-entry in watermark mode + +[ Upstream commit c7a286577d7592720c2f179aadfb325a1ff48c95 ] + +This patch fixes a restriction/bug introduced by: + + 583feb08e7f7 ("perf/x86/intel: Fix handling of wakeup_events for multi-entry PEBS") + +The original patch prevented using multi-entry PEBS when wakeup_events != 0. +However given that wakeup_events is part of a union with wakeup_watermark, it +means that in watermark mode, PEBS multi-entry is also disabled which is not the +intent. This patch fixes this by checking is watermark mode is enabled. + +Signed-off-by: Stephane Eranian +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: jolsa@redhat.com +Cc: kan.liang@intel.com +Cc: vincent.weaver@maine.edu +Fixes: 583feb08e7f7 ("perf/x86/intel: Fix handling of wakeup_events for multi-entry PEBS") +Link: http://lkml.kernel.org/r/20190514003400.224340-1-eranian@google.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + arch/x86/events/intel/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c +index cb8178a2783a..e98e238d3775 100644 +--- a/arch/x86/events/intel/core.c ++++ b/arch/x86/events/intel/core.c +@@ -2867,7 +2867,7 @@ static int intel_pmu_hw_config(struct perf_event *event) + return ret; + + if (event->attr.precise_ip) { +- if (!(event->attr.freq || event->attr.wakeup_events)) { ++ if (!(event->attr.freq || (event->attr.wakeup_events && !event->attr.watermark))) { + event->hw.flags |= PERF_X86_EVENT_AUTO_RELOAD; + if (!(event->attr.sample_type & + ~intel_pmu_free_running_flags(event))) +-- +2.20.1 + diff --git a/queue-4.9/platform-chrome-cros_ec_proto-check-for-null-transfe.patch b/queue-4.9/platform-chrome-cros_ec_proto-check-for-null-transfe.patch new file mode 100644 index 00000000000..66cc89951ca --- /dev/null +++ b/queue-4.9/platform-chrome-cros_ec_proto-check-for-null-transfe.patch @@ -0,0 +1,51 @@ +From 37aa9550021ae617ea7e7364c854a578a7078906 Mon Sep 17 00:00:00 2001 +From: Enrico Granata +Date: Wed, 3 Apr 2019 15:40:36 -0700 +Subject: platform/chrome: cros_ec_proto: check for NULL transfer function + +[ Upstream commit 94d4e7af14a1170e34cf082d92e4c02de9e9fb88 ] + +As new transfer mechanisms are added to the EC codebase, they may +not support v2 of the EC protocol. + +If the v3 initial handshake transfer fails, the kernel will try +and call cmd_xfer as a fallback. If v2 is not supported, cmd_xfer +will be NULL, and the code will end up causing a kernel panic. + +Add a check for NULL before calling the transfer function, along +with a helpful comment explaining how one might end up in this +situation. + +Signed-off-by: Enrico Granata +Reviewed-by: Jett Rink +Signed-off-by: Enric Balletbo i Serra +Signed-off-by: Sasha Levin +--- + drivers/platform/chrome/cros_ec_proto.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/drivers/platform/chrome/cros_ec_proto.c b/drivers/platform/chrome/cros_ec_proto.c +index cfa3e850c49f..d225a835a64c 100644 +--- a/drivers/platform/chrome/cros_ec_proto.c ++++ b/drivers/platform/chrome/cros_ec_proto.c +@@ -67,6 +67,17 @@ static int send_command(struct cros_ec_device *ec_dev, + else + xfer_fxn = ec_dev->cmd_xfer; + ++ if (!xfer_fxn) { ++ /* ++ * This error can happen if a communication error happened and ++ * the EC is trying to use protocol v2, on an underlying ++ * communication mechanism that does not support v2. ++ */ ++ dev_err_once(ec_dev->dev, ++ "missing EC transfer API, cannot send command\n"); ++ return -EIO; ++ } ++ + ret = (*xfer_fxn)(ec_dev, msg); + if (msg->result == EC_RES_IN_PROGRESS) { + int i; +-- +2.20.1 + diff --git a/queue-4.9/platform-x86-intel_pmc_ipc-adding-error-handling.patch b/queue-4.9/platform-x86-intel_pmc_ipc-adding-error-handling.patch new file mode 100644 index 00000000000..a14c53b574d --- /dev/null +++ b/queue-4.9/platform-x86-intel_pmc_ipc-adding-error-handling.patch @@ -0,0 +1,47 @@ +From e2fd973c6bc2a6bc51dae88b102ff1b172274fe2 Mon Sep 17 00:00:00 2001 +From: Junxiao Chang +Date: Mon, 8 Apr 2019 17:40:22 +0800 +Subject: platform/x86: intel_pmc_ipc: adding error handling + +[ Upstream commit e61985d0550df8c2078310202aaad9b41049c36c ] + +If punit or telemetry device initialization fails, pmc driver should +unregister and return failure. + +This change is to fix a kernel panic when removing kernel module +intel_pmc_ipc. + +Fixes: 48c1917088ba ("platform:x86: Add Intel telemetry platform device") +Signed-off-by: Junxiao Chang +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/intel_pmc_ipc.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/intel_pmc_ipc.c b/drivers/platform/x86/intel_pmc_ipc.c +index 0bf51d574fa9..f2b9dd82128f 100644 +--- a/drivers/platform/x86/intel_pmc_ipc.c ++++ b/drivers/platform/x86/intel_pmc_ipc.c +@@ -620,13 +620,17 @@ static int ipc_create_pmc_devices(void) + if (ret) { + dev_err(ipcdev.dev, "Failed to add punit platform device\n"); + platform_device_unregister(ipcdev.tco_dev); ++ return ret; + } + + if (!ipcdev.telem_res_inval) { + ret = ipc_create_telemetry_device(); +- if (ret) ++ if (ret) { + dev_warn(ipcdev.dev, + "Failed to add telemetry platform device\n"); ++ platform_device_unregister(ipcdev.punit_dev); ++ platform_device_unregister(ipcdev.tco_dev); ++ } + } + + return ret; +-- +2.20.1 + diff --git a/queue-4.9/pwm-fix-deadlock-warning-when-removing-pwm-device.patch b/queue-4.9/pwm-fix-deadlock-warning-when-removing-pwm-device.patch new file mode 100644 index 00000000000..5d8e543c001 --- /dev/null +++ b/queue-4.9/pwm-fix-deadlock-warning-when-removing-pwm-device.patch @@ -0,0 +1,275 @@ +From 83b6e6685126eba62f78a2fcff68328fe73610c4 Mon Sep 17 00:00:00 2001 +From: Phong Hoang +Date: Tue, 19 Mar 2019 19:40:08 +0900 +Subject: pwm: Fix deadlock warning when removing PWM device +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 347ab9480313737c0f1aaa08e8f2e1a791235535 ] + +This patch fixes deadlock warning if removing PWM device +when CONFIG_PROVE_LOCKING is enabled. + +This issue can be reproceduced by the following steps on +the R-Car H3 Salvator-X board if the backlight is disabled: + + # cd /sys/class/pwm/pwmchip0 + # echo 0 > export + # ls + device export npwm power pwm0 subsystem uevent unexport + # cd device/driver + # ls + bind e6e31000.pwm uevent unbind + # echo e6e31000.pwm > unbind + +[ 87.659974] ====================================================== +[ 87.666149] WARNING: possible circular locking dependency detected +[ 87.672327] 5.0.0 #7 Not tainted +[ 87.675549] ------------------------------------------------------ +[ 87.681723] bash/2986 is trying to acquire lock: +[ 87.686337] 000000005ea0e178 (kn->count#58){++++}, at: kernfs_remove_by_name_ns+0x50/0xa0 +[ 87.694528] +[ 87.694528] but task is already holding lock: +[ 87.700353] 000000006313b17c (pwm_lock){+.+.}, at: pwmchip_remove+0x28/0x13c +[ 87.707405] +[ 87.707405] which lock already depends on the new lock. +[ 87.707405] +[ 87.715574] +[ 87.715574] the existing dependency chain (in reverse order) is: +[ 87.723048] +[ 87.723048] -> #1 (pwm_lock){+.+.}: +[ 87.728017] __mutex_lock+0x70/0x7e4 +[ 87.732108] mutex_lock_nested+0x1c/0x24 +[ 87.736547] pwm_request_from_chip.part.6+0x34/0x74 +[ 87.741940] pwm_request_from_chip+0x20/0x40 +[ 87.746725] export_store+0x6c/0x1f4 +[ 87.750820] dev_attr_store+0x18/0x28 +[ 87.754998] sysfs_kf_write+0x54/0x64 +[ 87.759175] kernfs_fop_write+0xe4/0x1e8 +[ 87.763615] __vfs_write+0x40/0x184 +[ 87.767619] vfs_write+0xa8/0x19c +[ 87.771448] ksys_write+0x58/0xbc +[ 87.775278] __arm64_sys_write+0x18/0x20 +[ 87.779721] el0_svc_common+0xd0/0x124 +[ 87.783986] el0_svc_compat_handler+0x1c/0x24 +[ 87.788858] el0_svc_compat+0x8/0x18 +[ 87.792947] +[ 87.792947] -> #0 (kn->count#58){++++}: +[ 87.798260] lock_acquire+0xc4/0x22c +[ 87.802353] __kernfs_remove+0x258/0x2c4 +[ 87.806790] kernfs_remove_by_name_ns+0x50/0xa0 +[ 87.811836] remove_files.isra.1+0x38/0x78 +[ 87.816447] sysfs_remove_group+0x48/0x98 +[ 87.820971] sysfs_remove_groups+0x34/0x4c +[ 87.825583] device_remove_attrs+0x6c/0x7c +[ 87.830197] device_del+0x11c/0x33c +[ 87.834201] device_unregister+0x14/0x2c +[ 87.838638] pwmchip_sysfs_unexport+0x40/0x4c +[ 87.843509] pwmchip_remove+0xf4/0x13c +[ 87.847773] rcar_pwm_remove+0x28/0x34 +[ 87.852039] platform_drv_remove+0x24/0x64 +[ 87.856651] device_release_driver_internal+0x18c/0x21c +[ 87.862391] device_release_driver+0x14/0x1c +[ 87.867175] unbind_store+0xe0/0x124 +[ 87.871265] drv_attr_store+0x20/0x30 +[ 87.875442] sysfs_kf_write+0x54/0x64 +[ 87.879618] kernfs_fop_write+0xe4/0x1e8 +[ 87.884055] __vfs_write+0x40/0x184 +[ 87.888057] vfs_write+0xa8/0x19c +[ 87.891887] ksys_write+0x58/0xbc +[ 87.895716] __arm64_sys_write+0x18/0x20 +[ 87.900154] el0_svc_common+0xd0/0x124 +[ 87.904417] el0_svc_compat_handler+0x1c/0x24 +[ 87.909289] el0_svc_compat+0x8/0x18 +[ 87.913378] +[ 87.913378] other info that might help us debug this: +[ 87.913378] +[ 87.921374] Possible unsafe locking scenario: +[ 87.921374] +[ 87.927286] CPU0 CPU1 +[ 87.931808] ---- ---- +[ 87.936331] lock(pwm_lock); +[ 87.939293] lock(kn->count#58); +[ 87.945120] lock(pwm_lock); +[ 87.950599] lock(kn->count#58); +[ 87.953908] +[ 87.953908] *** DEADLOCK *** +[ 87.953908] +[ 87.959821] 4 locks held by bash/2986: +[ 87.963563] #0: 00000000ace7bc30 (sb_writers#6){.+.+}, at: vfs_write+0x188/0x19c +[ 87.971044] #1: 00000000287991b2 (&of->mutex){+.+.}, at: kernfs_fop_write+0xb4/0x1e8 +[ 87.978872] #2: 00000000f739d016 (&dev->mutex){....}, at: device_release_driver_internal+0x40/0x21c +[ 87.988001] #3: 000000006313b17c (pwm_lock){+.+.}, at: pwmchip_remove+0x28/0x13c +[ 87.995481] +[ 87.995481] stack backtrace: +[ 87.999836] CPU: 0 PID: 2986 Comm: bash Not tainted 5.0.0 #7 +[ 88.005489] Hardware name: Renesas Salvator-X board based on r8a7795 ES1.x (DT) +[ 88.012791] Call trace: +[ 88.015235] dump_backtrace+0x0/0x190 +[ 88.018891] show_stack+0x14/0x1c +[ 88.022204] dump_stack+0xb0/0xec +[ 88.025514] print_circular_bug.isra.32+0x1d0/0x2e0 +[ 88.030385] __lock_acquire+0x1318/0x1864 +[ 88.034388] lock_acquire+0xc4/0x22c +[ 88.037958] __kernfs_remove+0x258/0x2c4 +[ 88.041874] kernfs_remove_by_name_ns+0x50/0xa0 +[ 88.046398] remove_files.isra.1+0x38/0x78 +[ 88.050487] sysfs_remove_group+0x48/0x98 +[ 88.054490] sysfs_remove_groups+0x34/0x4c +[ 88.058580] device_remove_attrs+0x6c/0x7c +[ 88.062671] device_del+0x11c/0x33c +[ 88.066154] device_unregister+0x14/0x2c +[ 88.070070] pwmchip_sysfs_unexport+0x40/0x4c +[ 88.074421] pwmchip_remove+0xf4/0x13c +[ 88.078163] rcar_pwm_remove+0x28/0x34 +[ 88.081906] platform_drv_remove+0x24/0x64 +[ 88.085996] device_release_driver_internal+0x18c/0x21c +[ 88.091215] device_release_driver+0x14/0x1c +[ 88.095478] unbind_store+0xe0/0x124 +[ 88.099048] drv_attr_store+0x20/0x30 +[ 88.102704] sysfs_kf_write+0x54/0x64 +[ 88.106359] kernfs_fop_write+0xe4/0x1e8 +[ 88.110275] __vfs_write+0x40/0x184 +[ 88.113757] vfs_write+0xa8/0x19c +[ 88.117065] ksys_write+0x58/0xbc +[ 88.120374] __arm64_sys_write+0x18/0x20 +[ 88.124291] el0_svc_common+0xd0/0x124 +[ 88.128034] el0_svc_compat_handler+0x1c/0x24 +[ 88.132384] el0_svc_compat+0x8/0x18 + +The sysfs unexport in pwmchip_remove() is completely asymmetric +to what we do in pwmchip_add_with_polarity() and commit 0733424c9ba9 +("pwm: Unexport children before chip removal") is a strong indication +that this was wrong to begin with. We should just move +pwmchip_sysfs_unexport() where it belongs, which is right after +pwmchip_sysfs_unexport_children(). In that case, we do not need +separate functions anymore either. + +We also really want to remove sysfs irrespective of whether or not +the chip will be removed as a result of pwmchip_remove(). We can only +assume that the driver will be gone after that, so we shouldn't leave +any dangling sysfs files around. + +This warning disappears if we move pwmchip_sysfs_unexport() to +the top of pwmchip_remove(), pwmchip_sysfs_unexport_children(). +That way it is also outside of the pwm_lock section, which indeed +doesn't seem to be needed. + +Moving the pwmchip_sysfs_export() call outside of that section also +seems fine and it'd be perfectly symmetric with pwmchip_remove() again. + +So, this patch fixes them. + +Signed-off-by: Phong Hoang +[shimoda: revise the commit log and code] +Fixes: 76abbdde2d95 ("pwm: Add sysfs interface") +Fixes: 0733424c9ba9 ("pwm: Unexport children before chip removal") +Signed-off-by: Yoshihiro Shimoda +Tested-by: Hoan Nguyen An +Reviewed-by: Geert Uytterhoeven +Reviewed-by: Simon Horman +Reviewed-by: Uwe Kleine-König +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/pwm/core.c | 10 +++++----- + drivers/pwm/sysfs.c | 14 +------------- + include/linux/pwm.h | 5 ----- + 3 files changed, 6 insertions(+), 23 deletions(-) + +diff --git a/drivers/pwm/core.c b/drivers/pwm/core.c +index 172ef8245811..a19246455c13 100644 +--- a/drivers/pwm/core.c ++++ b/drivers/pwm/core.c +@@ -302,10 +302,12 @@ int pwmchip_add_with_polarity(struct pwm_chip *chip, + if (IS_ENABLED(CONFIG_OF)) + of_pwmchip_add(chip); + +- pwmchip_sysfs_export(chip); +- + out: + mutex_unlock(&pwm_lock); ++ ++ if (!ret) ++ pwmchip_sysfs_export(chip); ++ + return ret; + } + EXPORT_SYMBOL_GPL(pwmchip_add_with_polarity); +@@ -339,7 +341,7 @@ int pwmchip_remove(struct pwm_chip *chip) + unsigned int i; + int ret = 0; + +- pwmchip_sysfs_unexport_children(chip); ++ pwmchip_sysfs_unexport(chip); + + mutex_lock(&pwm_lock); + +@@ -359,8 +361,6 @@ int pwmchip_remove(struct pwm_chip *chip) + + free_pwms(chip); + +- pwmchip_sysfs_unexport(chip); +- + out: + mutex_unlock(&pwm_lock); + return ret; +diff --git a/drivers/pwm/sysfs.c b/drivers/pwm/sysfs.c +index a813239300c3..0850b11dfd83 100644 +--- a/drivers/pwm/sysfs.c ++++ b/drivers/pwm/sysfs.c +@@ -397,19 +397,6 @@ void pwmchip_sysfs_export(struct pwm_chip *chip) + } + + void pwmchip_sysfs_unexport(struct pwm_chip *chip) +-{ +- struct device *parent; +- +- parent = class_find_device(&pwm_class, NULL, chip, +- pwmchip_sysfs_match); +- if (parent) { +- /* for class_find_device() */ +- put_device(parent); +- device_unregister(parent); +- } +-} +- +-void pwmchip_sysfs_unexport_children(struct pwm_chip *chip) + { + struct device *parent; + unsigned int i; +@@ -427,6 +414,7 @@ void pwmchip_sysfs_unexport_children(struct pwm_chip *chip) + } + + put_device(parent); ++ device_unregister(parent); + } + + static int __init pwm_sysfs_init(void) +diff --git a/include/linux/pwm.h b/include/linux/pwm.h +index 2c6c5114c089..f1bbae014889 100644 +--- a/include/linux/pwm.h ++++ b/include/linux/pwm.h +@@ -641,7 +641,6 @@ static inline void pwm_remove_table(struct pwm_lookup *table, size_t num) + #ifdef CONFIG_PWM_SYSFS + void pwmchip_sysfs_export(struct pwm_chip *chip); + void pwmchip_sysfs_unexport(struct pwm_chip *chip); +-void pwmchip_sysfs_unexport_children(struct pwm_chip *chip); + #else + static inline void pwmchip_sysfs_export(struct pwm_chip *chip) + { +@@ -650,10 +649,6 @@ static inline void pwmchip_sysfs_export(struct pwm_chip *chip) + static inline void pwmchip_sysfs_unexport(struct pwm_chip *chip) + { + } +- +-static inline void pwmchip_sysfs_unexport_children(struct pwm_chip *chip) +-{ +-} + #endif /* CONFIG_PWM_SYSFS */ + + #endif /* __LINUX_PWM_H */ +-- +2.20.1 + diff --git a/queue-4.9/pwm-meson-use-the-spin-lock-only-to-protect-register.patch b/queue-4.9/pwm-meson-use-the-spin-lock-only-to-protect-register.patch new file mode 100644 index 00000000000..8b20d2ace57 --- /dev/null +++ b/queue-4.9/pwm-meson-use-the-spin-lock-only-to-protect-register.patch @@ -0,0 +1,142 @@ +From febff77872fcfb9f7781a0105a1b7ee3fffc5fc0 Mon Sep 17 00:00:00 2001 +From: Martin Blumenstingl +Date: Mon, 1 Apr 2019 19:57:48 +0200 +Subject: pwm: meson: Use the spin-lock only to protect register modifications +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit f173747fffdf037c791405ab4f1ec0eb392fc48e ] + +Holding the spin-lock for all of the code in meson_pwm_apply() can +result in a "BUG: scheduling while atomic". This can happen because +clk_get_rate() (which is called from meson_pwm_calc()) may sleep. +Only hold the spin-lock when modifying registers to solve this. + +The reason why we need a spin-lock in the driver is because the +REG_MISC_AB register is shared between the two channels provided by one +PWM controller. The only functions where REG_MISC_AB is modified are +meson_pwm_enable() and meson_pwm_disable() so the register reads/writes +in there need to be protected by the spin-lock. + +The original code also used the spin-lock to protect the values in +struct meson_pwm_channel. This could be necessary if two consumers can +use the same PWM channel. However, PWM core doesn't allow this so we +don't need to protect the values in struct meson_pwm_channel with a +lock. + +Fixes: 211ed630753d2f ("pwm: Add support for Meson PWM Controller") +Signed-off-by: Martin Blumenstingl +Reviewed-by: Uwe Kleine-König +Reviewed-by: Neil Armstrong +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-meson.c | 25 +++++++++++++++++-------- + 1 file changed, 17 insertions(+), 8 deletions(-) + +diff --git a/drivers/pwm/pwm-meson.c b/drivers/pwm/pwm-meson.c +index 9d5bd7d5c610..f58a4867b519 100644 +--- a/drivers/pwm/pwm-meson.c ++++ b/drivers/pwm/pwm-meson.c +@@ -110,6 +110,10 @@ struct meson_pwm { + const struct meson_pwm_data *data; + void __iomem *base; + u8 inverter_mask; ++ /* ++ * Protects register (write) access to the REG_MISC_AB register ++ * that is shared between the two PWMs. ++ */ + spinlock_t lock; + }; + +@@ -230,6 +234,7 @@ static void meson_pwm_enable(struct meson_pwm *meson, + { + u32 value, clk_shift, clk_enable, enable; + unsigned int offset; ++ unsigned long flags; + + switch (id) { + case 0: +@@ -250,6 +255,8 @@ static void meson_pwm_enable(struct meson_pwm *meson, + return; + } + ++ spin_lock_irqsave(&meson->lock, flags); ++ + value = readl(meson->base + REG_MISC_AB); + value &= ~(MISC_CLK_DIV_MASK << clk_shift); + value |= channel->pre_div << clk_shift; +@@ -262,11 +269,14 @@ static void meson_pwm_enable(struct meson_pwm *meson, + value = readl(meson->base + REG_MISC_AB); + value |= enable; + writel(value, meson->base + REG_MISC_AB); ++ ++ spin_unlock_irqrestore(&meson->lock, flags); + } + + static void meson_pwm_disable(struct meson_pwm *meson, unsigned int id) + { + u32 value, enable; ++ unsigned long flags; + + switch (id) { + case 0: +@@ -281,9 +291,13 @@ static void meson_pwm_disable(struct meson_pwm *meson, unsigned int id) + return; + } + ++ spin_lock_irqsave(&meson->lock, flags); ++ + value = readl(meson->base + REG_MISC_AB); + value &= ~enable; + writel(value, meson->base + REG_MISC_AB); ++ ++ spin_unlock_irqrestore(&meson->lock, flags); + } + + static int meson_pwm_apply(struct pwm_chip *chip, struct pwm_device *pwm, +@@ -291,19 +305,16 @@ static int meson_pwm_apply(struct pwm_chip *chip, struct pwm_device *pwm, + { + struct meson_pwm_channel *channel = pwm_get_chip_data(pwm); + struct meson_pwm *meson = to_meson_pwm(chip); +- unsigned long flags; + int err = 0; + + if (!state) + return -EINVAL; + +- spin_lock_irqsave(&meson->lock, flags); +- + if (!state->enabled) { + meson_pwm_disable(meson, pwm->hwpwm); + channel->state.enabled = false; + +- goto unlock; ++ return 0; + } + + if (state->period != channel->state.period || +@@ -324,7 +335,7 @@ static int meson_pwm_apply(struct pwm_chip *chip, struct pwm_device *pwm, + err = meson_pwm_calc(meson, channel, pwm->hwpwm, + state->duty_cycle, state->period); + if (err < 0) +- goto unlock; ++ return err; + + channel->state.polarity = state->polarity; + channel->state.period = state->period; +@@ -336,9 +347,7 @@ static int meson_pwm_apply(struct pwm_chip *chip, struct pwm_device *pwm, + channel->state.enabled = true; + } + +-unlock: +- spin_unlock_irqrestore(&meson->lock, flags); +- return err; ++ return 0; + } + + static void meson_pwm_get_state(struct pwm_chip *chip, struct pwm_device *pwm, +-- +2.20.1 + diff --git a/queue-4.9/pwm-tiehrpwm-update-shadow-register-for-disabling-pw.patch b/queue-4.9/pwm-tiehrpwm-update-shadow-register-for-disabling-pw.patch new file mode 100644 index 00000000000..9b992b828de --- /dev/null +++ b/queue-4.9/pwm-tiehrpwm-update-shadow-register-for-disabling-pw.patch @@ -0,0 +1,47 @@ +From 6f1a8ffffc4940e07babe63f76f0ac3f5981d518 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christoph=20Vogtl=C3=A4nder?= + +Date: Tue, 12 Mar 2019 14:38:46 +0530 +Subject: pwm: tiehrpwm: Update shadow register for disabling PWMs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit b00ef53053191d3025c15e8041699f8c9d132daf ] + +It must be made sure that immediate mode is not already set, when +modifying shadow register value in ehrpwm_pwm_disable(). Otherwise +modifications to the action-qualifier continuous S/W force +register(AQSFRC) will be done in the active register. +This may happen when both channels are being disabled. In this case, +only the first channel state will be recorded as disabled in the shadow +register. Later, when enabling the first channel again, the second +channel would be enabled as well. Setting RLDCSF to zero, first, ensures +that the shadow register is updated as desired. + +Fixes: 38dabd91ff0b ("pwm: tiehrpwm: Fix disabling of output of PWMs") +Signed-off-by: Christoph Vogtländer +[vigneshr@ti.com: Improve commit message] +Signed-off-by: Vignesh Raghavendra +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-tiehrpwm.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/pwm/pwm-tiehrpwm.c b/drivers/pwm/pwm-tiehrpwm.c +index c0e06f0c19d1..9a232ebbbf96 100644 +--- a/drivers/pwm/pwm-tiehrpwm.c ++++ b/drivers/pwm/pwm-tiehrpwm.c +@@ -383,6 +383,8 @@ static void ehrpwm_pwm_disable(struct pwm_chip *chip, struct pwm_device *pwm) + } + + /* Update shadow register first before modifying active register */ ++ ehrpwm_modify(pc->mmio_base, AQSFRC, AQSFRC_RLDCSF_MASK, ++ AQSFRC_RLDCSF_ZRO); + ehrpwm_modify(pc->mmio_base, AQCSFRC, aqcsfrc_mask, aqcsfrc_val); + /* + * Changes to immediate action on Action Qualifier. This puts +-- +2.20.1 + diff --git a/queue-4.9/rapidio-fix-a-null-pointer-dereference-when-create_w.patch b/queue-4.9/rapidio-fix-a-null-pointer-dereference-when-create_w.patch new file mode 100644 index 00000000000..757b4fb6a02 --- /dev/null +++ b/queue-4.9/rapidio-fix-a-null-pointer-dereference-when-create_w.patch @@ -0,0 +1,42 @@ +From c249b118240058cd23879d4091671ae99297a738 Mon Sep 17 00:00:00 2001 +From: Kangjie Lu +Date: Tue, 14 May 2019 15:44:49 -0700 +Subject: rapidio: fix a NULL pointer dereference when create_workqueue() fails + +[ Upstream commit 23015b22e47c5409620b1726a677d69e5cd032ba ] + +In case create_workqueue fails, the fix releases resources and returns +-ENOMEM to avoid NULL pointer dereference. + +Signed-off-by: Kangjie Lu +Acked-by: Alexandre Bounine +Cc: Matt Porter +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + drivers/rapidio/rio_cm.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/rapidio/rio_cm.c b/drivers/rapidio/rio_cm.c +index bad0e0ea4f30..ef989a15aefc 100644 +--- a/drivers/rapidio/rio_cm.c ++++ b/drivers/rapidio/rio_cm.c +@@ -2145,6 +2145,14 @@ static int riocm_add_mport(struct device *dev, + mutex_init(&cm->rx_lock); + riocm_rx_fill(cm, RIOCM_RX_RING_SIZE); + cm->rx_wq = create_workqueue(DRV_NAME "/rxq"); ++ if (!cm->rx_wq) { ++ riocm_error("failed to allocate IBMBOX_%d on %s", ++ cmbox, mport->name); ++ rio_release_outb_mbox(mport, cmbox); ++ kfree(cm); ++ return -ENOMEM; ++ } ++ + INIT_WORK(&cm->rx_work, rio_ibmsg_handler); + + cm->tx_slot = 0; +-- +2.20.1 + diff --git a/queue-4.9/series b/queue-4.9/series new file mode 100644 index 00000000000..7c86dd362ea --- /dev/null +++ b/queue-4.9/series @@ -0,0 +1,58 @@ +rapidio-fix-a-null-pointer-dereference-when-create_w.patch +fs-fat-file.c-issue-flush-after-the-writeback-of-fat.patch +sysctl-return-einval-if-val-violates-minmax.patch +ipc-prevent-lockup-on-alloc_msg-and-free_msg.patch +arm-prevent-tracing-ipi_cpu_backtrace.patch +hugetlbfs-on-restore-reserve-error-path-retain-subpo.patch +mem-hotplug-fix-node-spanned-pages-when-we-have-a-no.patch +mm-cma.c-fix-crash-on-cma-allocation-if-bitmap-alloc.patch +mm-cma_debug.c-fix-the-break-condition-in-cma_maxchu.patch +mm-slab.c-fix-an-infinite-loop-in-leaks_show.patch +kernel-sys.c-prctl-fix-false-positive-in-validate_pr.patch +drivers-thermal-tsens-don-t-print-error-message-on-e.patch +mfd-tps65912-spi-add-missing-of-table-registration.patch +mfd-intel-lpss-set-the-device-in-reset-state-when-in.patch +mfd-twl6040-fix-device-init-errors-for-accctl-regist.patch +perf-x86-intel-allow-pebs-multi-entry-in-watermark-m.patch +drm-bridge-adv7511-fix-low-refresh-rate-selection.patch +objtool-don-t-use-ignore-flag-for-fake-jumps.patch +pwm-meson-use-the-spin-lock-only-to-protect-register.patch +ntp-allow-tai-utc-offset-to-be-set-to-zero.patch +f2fs-fix-to-avoid-panic-in-do_recover_data.patch +f2fs-fix-to-clear-dirty-inode-in-error-path-of-f2fs_.patch +f2fs-fix-to-do-sanity-check-on-valid-block-count-of-.patch +configfs-fix-possible-use-after-free-in-configfs_reg.patch +uml-fix-a-boot-splat-wrt-use-of-cpu_all_mask.patch +mips-make-sure-dt-memory-regions-are-valid.patch +watchdog-use-depends-instead-of-select-for-pretimeou.patch +watchdog-imx2_wdt-fix-set_timeout-for-big-timeout-va.patch +watchdog-fix-compile-time-error-of-pretimeout-govern.patch +iommu-vt-d-set-intel_iommu_gfx_mapped-correctly.patch +alsa-hda-register-irq-handler-after-the-chip-initial.patch +nvmem-core-fix-read-buffer-in-place.patch +fuse-require-dev-fuse-reads-to-have-enough-buffer-ca.patch +fuse-retrieve-cap-requested-size-to-negotiated-max_w.patch +nfsd-allow-fh_want_write-to-be-called-twice.patch +x86-pci-fix-pci-irq-routing-table-memory-leak.patch +platform-chrome-cros_ec_proto-check-for-null-transfe.patch +soc-mediatek-pwrap-zero-initialize-rdata-in-pwrap_in.patch +clk-rockchip-turn-on-aclk_dmac1-for-suspend-on-rk328.patch +arm-dts-imx6sx-specify-imx6sx_clk_ipg-as-ahb-clock-t.patch +arm-dts-imx7d-specify-imx7d_clk_ipg-as-ipg-clock-to-.patch +arm-dts-imx6ul-specify-imx6ul_clk_ipg-as-ipg-clock-t.patch +arm-dts-imx6sx-specify-imx6sx_clk_ipg-as-ipg-clock-t.patch +arm-dts-imx6qdl-specify-imx6qdl_clk_ipg-as-ipg-clock.patch +pci-rpadlpar-fix-leaked-device_node-references-in-ad.patch +alsa-seq-protect-in-kernel-ioctl-calls-with-mutex.patch +platform-x86-intel_pmc_ipc-adding-error-handling.patch +pci-rcar-fix-a-potential-null-pointer-dereference.patch +pci-rcar-fix-64bit-msi-message-address-handling.patch +video-hgafb-fix-potential-null-pointer-dereference.patch +video-imsttfb-fix-potential-null-pointer-dereference.patch +pci-xilinx-check-for-__get_free_pages-failure.patch +gpio-gpio-omap-add-check-for-off-wake-capable-gpios.patch +dmaengine-idma64-use-actual-device-for-dma-transfers.patch +pwm-tiehrpwm-update-shadow-register-for-disabling-pw.patch +arm-dts-exynos-always-enable-necessary-apio_1v8-and-.patch +pwm-fix-deadlock-warning-when-removing-pwm-device.patch +arm-exynos-fix-undefined-instruction-during-exynos54.patch diff --git a/queue-4.9/soc-mediatek-pwrap-zero-initialize-rdata-in-pwrap_in.patch b/queue-4.9/soc-mediatek-pwrap-zero-initialize-rdata-in-pwrap_in.patch new file mode 100644 index 00000000000..e3ab0d5578d --- /dev/null +++ b/queue-4.9/soc-mediatek-pwrap-zero-initialize-rdata-in-pwrap_in.patch @@ -0,0 +1,44 @@ +From 7a8109d5e352a052b658f8052eebff2e92464b77 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Thu, 7 Mar 2019 15:56:51 -0700 +Subject: soc: mediatek: pwrap: Zero initialize rdata in pwrap_init_cipher + +[ Upstream commit 89e28da82836530f1ac7a3a32fecc31f22d79b3e ] + +When building with -Wsometimes-uninitialized, Clang warns: + +drivers/soc/mediatek/mtk-pmic-wrap.c:1358:6: error: variable 'rdata' is +used uninitialized whenever '||' condition is true +[-Werror,-Wsometimes-uninitialized] + +If pwrap_write returns non-zero, pwrap_read will not be called to +initialize rdata, meaning that we will use some random uninitialized +stack value in our print statement. Zero initialize rdata in case this +happens. + +Link: https://github.com/ClangBuiltLinux/linux/issues/401 +Signed-off-by: Nathan Chancellor +Reviewed-by: Nick Desaulniers +Reviewed-by: Arnd Bergmann +Signed-off-by: Matthias Brugger +Signed-off-by: Sasha Levin +--- + drivers/soc/mediatek/mtk-pmic-wrap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/soc/mediatek/mtk-pmic-wrap.c b/drivers/soc/mediatek/mtk-pmic-wrap.c +index e929f5142862..36226976773f 100644 +--- a/drivers/soc/mediatek/mtk-pmic-wrap.c ++++ b/drivers/soc/mediatek/mtk-pmic-wrap.c +@@ -778,7 +778,7 @@ static bool pwrap_is_pmic_cipher_ready(struct pmic_wrapper *wrp) + static int pwrap_init_cipher(struct pmic_wrapper *wrp) + { + int ret; +- u32 rdata; ++ u32 rdata = 0; + + pwrap_writel(wrp, 0x1, PWRAP_CIPHER_SWRST); + pwrap_writel(wrp, 0x0, PWRAP_CIPHER_SWRST); +-- +2.20.1 + diff --git a/queue-4.9/sysctl-return-einval-if-val-violates-minmax.patch b/queue-4.9/sysctl-return-einval-if-val-violates-minmax.patch new file mode 100644 index 00000000000..91f2cfc297b --- /dev/null +++ b/queue-4.9/sysctl-return-einval-if-val-violates-minmax.patch @@ -0,0 +1,53 @@ +From 8b021e8b8ebd7221766f63f6aa532699eb6bfe5a Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Tue, 14 May 2019 15:44:55 -0700 +Subject: sysctl: return -EINVAL if val violates minmax + +[ Upstream commit e260ad01f0aa9e96b5386d5cd7184afd949dc457 ] + +Currently when userspace gives us a values that overflow e.g. file-max +and other callers of __do_proc_doulongvec_minmax() we simply ignore the +new value and leave the current value untouched. + +This can be problematic as it gives the illusion that the limit has +indeed be bumped when in fact it failed. This commit makes sure to +return EINVAL when an overflow is detected. Please note that this is a +userspace facing change. + +Link: http://lkml.kernel.org/r/20190210203943.8227-4-christian@brauner.io +Signed-off-by: Christian Brauner +Acked-by: Luis Chamberlain +Cc: Kees Cook +Cc: Alexey Dobriyan +Cc: Al Viro +Cc: Dominik Brodowski +Cc: "Eric W. Biederman" +Cc: Joe Lawrence +Cc: Waiman Long +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + kernel/sysctl.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/kernel/sysctl.c b/kernel/sysctl.c +index cf0aeaae567e..6af1ac551ea3 100644 +--- a/kernel/sysctl.c ++++ b/kernel/sysctl.c +@@ -2527,8 +2527,10 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, int + if (neg) + continue; + val = convmul * val / convdiv; +- if ((min && val < *min) || (max && val > *max)) +- continue; ++ if ((min && val < *min) || (max && val > *max)) { ++ err = -EINVAL; ++ break; ++ } + *i = val; + } else { + val = convdiv * (*i) / convmul; +-- +2.20.1 + diff --git a/queue-4.9/uml-fix-a-boot-splat-wrt-use-of-cpu_all_mask.patch b/queue-4.9/uml-fix-a-boot-splat-wrt-use-of-cpu_all_mask.patch new file mode 100644 index 00000000000..a43f7a09a39 --- /dev/null +++ b/queue-4.9/uml-fix-a-boot-splat-wrt-use-of-cpu_all_mask.patch @@ -0,0 +1,87 @@ +From 11c08d673a10a2fd65345af4f1a8ae588e2fd2fc Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Maciej=20=C5=BBenczykowski?= +Date: Wed, 10 Apr 2019 11:11:23 -0700 +Subject: uml: fix a boot splat wrt use of cpu_all_mask +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 689a58605b63173acb0a8cf954af6a8f60440c93 ] + +Memory: 509108K/542612K available (3835K kernel code, 919K rwdata, 1028K rodata, 129K init, 211K bss, 33504K reserved, 0K cma-reserved) +NR_IRQS: 15 +clocksource: timer: mask: 0xffffffffffffffff max_cycles: 0x1cd42e205, max_idle_ns: 881590404426 ns +------------[ cut here ]------------ +WARNING: CPU: 0 PID: 0 at kernel/time/clockevents.c:458 clockevents_register_device+0x72/0x140 +posix-timer cpumask == cpu_all_mask, using cpu_possible_mask instead +Modules linked in: +CPU: 0 PID: 0 Comm: swapper Not tainted 5.1.0-rc4-00048-ged79cc87302b #4 +Stack: + 604ebda0 603c5370 604ebe20 6046fd17 + 00000000 6006fcbb 604ebdb0 603c53b5 + 604ebe10 6003bfc4 604ebdd0 9000001ca +Call Trace: + [<6006fcbb>] ? printk+0x0/0x94 + [<60083160>] ? clockevents_register_device+0x72/0x140 + [<6001f16e>] show_stack+0x13b/0x155 + [<603c5370>] ? dump_stack_print_info+0xe2/0xeb + [<6006fcbb>] ? printk+0x0/0x94 + [<603c53b5>] dump_stack+0x2a/0x2c + [<6003bfc4>] __warn+0x10e/0x13e + [<60070320>] ? vprintk_func+0xc8/0xcf + [<60030fd6>] ? block_signals+0x0/0x16 + [<6006fcbb>] ? printk+0x0/0x94 + [<6003c08b>] warn_slowpath_fmt+0x97/0x99 + [<600311a1>] ? set_signals+0x0/0x3f + [<6003bff4>] ? warn_slowpath_fmt+0x0/0x99 + [<600842cb>] ? tick_oneshot_mode_active+0x44/0x4f + [<60030fd6>] ? block_signals+0x0/0x16 + [<6006fcbb>] ? printk+0x0/0x94 + [<6007d2d5>] ? __clocksource_select+0x20/0x1b1 + [<60030fd6>] ? block_signals+0x0/0x16 + [<6006fcbb>] ? printk+0x0/0x94 + [<60083160>] clockevents_register_device+0x72/0x140 + [<60031192>] ? get_signals+0x0/0xf + [<60030fd6>] ? block_signals+0x0/0x16 + [<6006fcbb>] ? printk+0x0/0x94 + [<60002eec>] um_timer_setup+0xc8/0xca + [<60001b59>] start_kernel+0x47f/0x57e + [<600035bc>] start_kernel_proc+0x49/0x4d + [<6006c483>] ? kmsg_dump_register+0x82/0x8a + [<6001de62>] new_thread_handler+0x81/0xb2 + [<60003571>] ? kmsg_dumper_stdout_init+0x1a/0x1c + [<60020c75>] uml_finishsetup+0x54/0x59 + +random: get_random_bytes called from init_oops_id+0x27/0x34 with crng_init=0 +---[ end trace 00173d0117a88acb ]--- +Calibrating delay loop... 6941.90 BogoMIPS (lpj=34709504) + +Signed-off-by: Maciej Żenczykowski +Cc: Jeff Dike +Cc: Richard Weinberger +Cc: Anton Ivanov +Cc: linux-um@lists.infradead.org +Cc: linux-kernel@vger.kernel.org + +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + arch/um/kernel/time.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/um/kernel/time.c b/arch/um/kernel/time.c +index 25c23666d592..040e3efdc9a6 100644 +--- a/arch/um/kernel/time.c ++++ b/arch/um/kernel/time.c +@@ -56,7 +56,7 @@ static int itimer_one_shot(struct clock_event_device *evt) + static struct clock_event_device timer_clockevent = { + .name = "posix-timer", + .rating = 250, +- .cpumask = cpu_all_mask, ++ .cpumask = cpu_possible_mask, + .features = CLOCK_EVT_FEAT_PERIODIC | + CLOCK_EVT_FEAT_ONESHOT, + .set_state_shutdown = itimer_shutdown, +-- +2.20.1 + diff --git a/queue-4.9/video-hgafb-fix-potential-null-pointer-dereference.patch b/queue-4.9/video-hgafb-fix-potential-null-pointer-dereference.patch new file mode 100644 index 00000000000..c46bcd74f82 --- /dev/null +++ b/queue-4.9/video-hgafb-fix-potential-null-pointer-dereference.patch @@ -0,0 +1,36 @@ +From 6eee8144c824ce993d6439a02f1148242d60a1e4 Mon Sep 17 00:00:00 2001 +From: Kangjie Lu +Date: Mon, 1 Apr 2019 17:46:58 +0200 +Subject: video: hgafb: fix potential NULL pointer dereference + +[ Upstream commit ec7f6aad57ad29e4e66cc2e18e1e1599ddb02542 ] + +When ioremap fails, hga_vram should not be dereferenced. The fix +check the failure to avoid NULL pointer dereference. + +Signed-off-by: Kangjie Lu +Cc: Aditya Pakki +Cc: Ferenc Bakonyi +[b.zolnierkie: minor patch summary fixup] +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/hgafb.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/video/fbdev/hgafb.c b/drivers/video/fbdev/hgafb.c +index 463028543173..59e1cae57948 100644 +--- a/drivers/video/fbdev/hgafb.c ++++ b/drivers/video/fbdev/hgafb.c +@@ -285,6 +285,8 @@ static int hga_card_detect(void) + hga_vram_len = 0x08000; + + hga_vram = ioremap(0xb0000, hga_vram_len); ++ if (!hga_vram) ++ goto error; + + if (request_region(0x3b0, 12, "hgafb")) + release_io_ports = 1; +-- +2.20.1 + diff --git a/queue-4.9/video-imsttfb-fix-potential-null-pointer-dereference.patch b/queue-4.9/video-imsttfb-fix-potential-null-pointer-dereference.patch new file mode 100644 index 00000000000..d8cee4ee3c3 --- /dev/null +++ b/queue-4.9/video-imsttfb-fix-potential-null-pointer-dereference.patch @@ -0,0 +1,41 @@ +From c0ff205b6ddf785ac5295e1790e87d72c58ac33f Mon Sep 17 00:00:00 2001 +From: Kangjie Lu +Date: Mon, 1 Apr 2019 17:46:58 +0200 +Subject: video: imsttfb: fix potential NULL pointer dereferences + +[ Upstream commit 1d84353d205a953e2381044953b7fa31c8c9702d ] + +In case ioremap fails, the fix releases resources and returns +-ENOMEM to avoid NULL pointer dereferences. + +Signed-off-by: Kangjie Lu +Cc: Aditya Pakki +Cc: Finn Thain +Cc: Rob Herring +Cc: Greg Kroah-Hartman +[b.zolnierkie: minor patch summary fixup] +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/imsttfb.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/video/fbdev/imsttfb.c b/drivers/video/fbdev/imsttfb.c +index 4363c64d74e8..4ef9dc94e813 100644 +--- a/drivers/video/fbdev/imsttfb.c ++++ b/drivers/video/fbdev/imsttfb.c +@@ -1516,6 +1516,11 @@ static int imsttfb_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + info->fix.smem_start = addr; + info->screen_base = (__u8 *)ioremap(addr, par->ramdac == IBM ? + 0x400000 : 0x800000); ++ if (!info->screen_base) { ++ release_mem_region(addr, size); ++ framebuffer_release(info); ++ return -ENOMEM; ++ } + info->fix.mmio_start = addr + 0x800000; + par->dc_regs = ioremap(addr + 0x800000, 0x1000); + par->cmap_regs_phys = addr + 0x840000; +-- +2.20.1 + diff --git a/queue-4.9/watchdog-fix-compile-time-error-of-pretimeout-govern.patch b/queue-4.9/watchdog-fix-compile-time-error-of-pretimeout-govern.patch new file mode 100644 index 00000000000..3b5a2c0cb96 --- /dev/null +++ b/queue-4.9/watchdog-fix-compile-time-error-of-pretimeout-govern.patch @@ -0,0 +1,50 @@ +From 58e9df7f15ce510f02596a50f514f4cd4418c32c Mon Sep 17 00:00:00 2001 +From: Vladimir Zapolskiy +Date: Tue, 12 Mar 2019 01:54:25 +0200 +Subject: watchdog: fix compile time error of pretimeout governors + +[ Upstream commit a223770bfa7b6647f3a70983257bd89f9cafce46 ] + +CONFIG_WATCHDOG_PRETIMEOUT_GOV build symbol adds watchdog_pretimeout.o +object to watchdog.o, the latter is compiled only if CONFIG_WATCHDOG_CORE +is selected, so it rightfully makes sense to add it as a dependency. + +The change fixes the next compilation errors, if CONFIG_WATCHDOG_CORE=n +and CONFIG_WATCHDOG_PRETIMEOUT_GOV=y are selected: + + drivers/watchdog/pretimeout_noop.o: In function `watchdog_gov_noop_register': + drivers/watchdog/pretimeout_noop.c:35: undefined reference to `watchdog_register_governor' + drivers/watchdog/pretimeout_noop.o: In function `watchdog_gov_noop_unregister': + drivers/watchdog/pretimeout_noop.c:40: undefined reference to `watchdog_unregister_governor' + + drivers/watchdog/pretimeout_panic.o: In function `watchdog_gov_panic_register': + drivers/watchdog/pretimeout_panic.c:35: undefined reference to `watchdog_register_governor' + drivers/watchdog/pretimeout_panic.o: In function `watchdog_gov_panic_unregister': + drivers/watchdog/pretimeout_panic.c:40: undefined reference to `watchdog_unregister_governor' + +Reported-by: Kuo, Hsuan-Chi +Fixes: ff84136cb6a4 ("watchdog: add watchdog pretimeout governor framework") +Signed-off-by: Vladimir Zapolskiy +Reviewed-by: Guenter Roeck +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/watchdog/Kconfig b/drivers/watchdog/Kconfig +index 15c01830799a..d65c220d8175 100644 +--- a/drivers/watchdog/Kconfig ++++ b/drivers/watchdog/Kconfig +@@ -1850,6 +1850,7 @@ comment "Watchdog Pretimeout Governors" + + config WATCHDOG_PRETIMEOUT_GOV + bool "Enable watchdog pretimeout governors" ++ depends on WATCHDOG_CORE + help + The option allows to select watchdog pretimeout governors. + +-- +2.20.1 + diff --git a/queue-4.9/watchdog-imx2_wdt-fix-set_timeout-for-big-timeout-va.patch b/queue-4.9/watchdog-imx2_wdt-fix-set_timeout-for-big-timeout-va.patch new file mode 100644 index 00000000000..c7a4952294b --- /dev/null +++ b/queue-4.9/watchdog-imx2_wdt-fix-set_timeout-for-big-timeout-va.patch @@ -0,0 +1,41 @@ +From 84d83fc13cb8ea50ed2516a2d82b59f46898c15b Mon Sep 17 00:00:00 2001 +From: Georg Hofmann +Date: Mon, 8 Apr 2019 21:25:54 +0200 +Subject: watchdog: imx2_wdt: Fix set_timeout for big timeout values + +[ Upstream commit b07e228eee69601addba98b47b1a3850569e5013 ] + +The documentated behavior is: if max_hw_heartbeat_ms is implemented, the +minimum of the set_timeout argument and max_hw_heartbeat_ms should be used. +This patch implements this behavior. +Previously only the first 7bits were used and the input argument was +returned. + +Signed-off-by: Georg Hofmann +Reviewed-by: Guenter Roeck +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/imx2_wdt.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/watchdog/imx2_wdt.c b/drivers/watchdog/imx2_wdt.c +index 518dfa1047cb..5098982e1a58 100644 +--- a/drivers/watchdog/imx2_wdt.c ++++ b/drivers/watchdog/imx2_wdt.c +@@ -181,8 +181,10 @@ static void __imx2_wdt_set_timeout(struct watchdog_device *wdog, + static int imx2_wdt_set_timeout(struct watchdog_device *wdog, + unsigned int new_timeout) + { +- __imx2_wdt_set_timeout(wdog, new_timeout); ++ unsigned int actual; + ++ actual = min(new_timeout, wdog->max_hw_heartbeat_ms * 1000); ++ __imx2_wdt_set_timeout(wdog, actual); + wdog->timeout = new_timeout; + return 0; + } +-- +2.20.1 + diff --git a/queue-4.9/watchdog-use-depends-instead-of-select-for-pretimeou.patch b/queue-4.9/watchdog-use-depends-instead-of-select-for-pretimeou.patch new file mode 100644 index 00000000000..7c2b6a3f392 --- /dev/null +++ b/queue-4.9/watchdog-use-depends-instead-of-select-for-pretimeou.patch @@ -0,0 +1,94 @@ +From 3f0b7169d2ea3509b479c35e5d7f48d0af04c4d3 Mon Sep 17 00:00:00 2001 +From: Guenter Roeck +Date: Mon, 29 Apr 2019 12:28:27 -0700 +Subject: watchdog: Use depends instead of select for pretimeout governors + +[ Upstream commit f627ac0e12cd2736e60b9f5782ecec1d97251f77 ] + +Watchdog pretimeout governors were enabled from the default governor +selection using "select". As a result, the default governor was always +built into the kernel, even if no watchdog driver was loaded. By using +"depends on" instead of "select", we are in better control, and the +governors can all be built as modules. At the same time, set the default +configuration option for pretimeout governors to match WATCHDOG_CORE +(meaning all pretimeout governors are by default enabled if pretimeout +support is enabled). + +The practical impact of this change is minimal. Previously, selecting +a default governor automatically enabled that governor. Now, a default +governor can only be selected if that governor has been enabled. +Consequently, the order of governor selection is now reversed: The +governor selection is now first, followed by default governor selection. + +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/Kconfig | 30 ++++++++++++++++-------------- + 1 file changed, 16 insertions(+), 14 deletions(-) + +diff --git a/drivers/watchdog/Kconfig b/drivers/watchdog/Kconfig +index 8f8909a668d7..15c01830799a 100644 +--- a/drivers/watchdog/Kconfig ++++ b/drivers/watchdog/Kconfig +@@ -1855,6 +1855,20 @@ config WATCHDOG_PRETIMEOUT_GOV + + if WATCHDOG_PRETIMEOUT_GOV + ++config WATCHDOG_PRETIMEOUT_GOV_NOOP ++ tristate "Noop watchdog pretimeout governor" ++ default WATCHDOG_CORE ++ help ++ Noop watchdog pretimeout governor, only an informational ++ message is added to kernel log buffer. ++ ++config WATCHDOG_PRETIMEOUT_GOV_PANIC ++ tristate "Panic watchdog pretimeout governor" ++ default WATCHDOG_CORE ++ help ++ Panic watchdog pretimeout governor, on watchdog pretimeout ++ event put the kernel into panic. ++ + choice + prompt "Default Watchdog Pretimeout Governor" + default WATCHDOG_PRETIMEOUT_DEFAULT_GOV_PANIC +@@ -1865,7 +1879,7 @@ choice + + config WATCHDOG_PRETIMEOUT_DEFAULT_GOV_NOOP + bool "noop" +- select WATCHDOG_PRETIMEOUT_GOV_NOOP ++ depends on WATCHDOG_PRETIMEOUT_GOV_NOOP + help + Use noop watchdog pretimeout governor by default. If noop + governor is selected by a user, write a short message to +@@ -1873,7 +1887,7 @@ config WATCHDOG_PRETIMEOUT_DEFAULT_GOV_NOOP + + config WATCHDOG_PRETIMEOUT_DEFAULT_GOV_PANIC + bool "panic" +- select WATCHDOG_PRETIMEOUT_GOV_PANIC ++ depends on WATCHDOG_PRETIMEOUT_GOV_PANIC + help + Use panic watchdog pretimeout governor by default, if + a watchdog pretimeout event happens, consider that +@@ -1881,18 +1895,6 @@ config WATCHDOG_PRETIMEOUT_DEFAULT_GOV_PANIC + + endchoice + +-config WATCHDOG_PRETIMEOUT_GOV_NOOP +- tristate "Noop watchdog pretimeout governor" +- help +- Noop watchdog pretimeout governor, only an informational +- message is added to kernel log buffer. +- +-config WATCHDOG_PRETIMEOUT_GOV_PANIC +- tristate "Panic watchdog pretimeout governor" +- help +- Panic watchdog pretimeout governor, on watchdog pretimeout +- event put the kernel into panic. +- + endif # WATCHDOG_PRETIMEOUT_GOV + + endif # WATCHDOG +-- +2.20.1 + diff --git a/queue-4.9/x86-pci-fix-pci-irq-routing-table-memory-leak.patch b/queue-4.9/x86-pci-fix-pci-irq-routing-table-memory-leak.patch new file mode 100644 index 00000000000..536cb85634a --- /dev/null +++ b/queue-4.9/x86-pci-fix-pci-irq-routing-table-memory-leak.patch @@ -0,0 +1,67 @@ +From 5e8f89f58bcb658f2d97883289ea1c773c81c139 Mon Sep 17 00:00:00 2001 +From: Wenwen Wang +Date: Wed, 17 Apr 2019 09:18:50 -0500 +Subject: x86/PCI: Fix PCI IRQ routing table memory leak + +[ Upstream commit ea094d53580f40c2124cef3d072b73b2425e7bfd ] + +In pcibios_irq_init(), the PCI IRQ routing table 'pirq_table' is first +found through pirq_find_routing_table(). If the table is not found and +CONFIG_PCI_BIOS is defined, the table is then allocated in +pcibios_get_irq_routing_table() using kmalloc(). Later, if the I/O APIC is +used, this table is actually not used. In that case, the allocated table +is not freed, which is a memory leak. + +Free the allocated table if it is not used. + +Signed-off-by: Wenwen Wang +[bhelgaas: added Ingo's reviewed-by, since the only change since v1 was to +use the irq_routing_table local variable name he suggested] +Signed-off-by: Bjorn Helgaas +Reviewed-by: Ingo Molnar +Acked-by: Thomas Gleixner +Signed-off-by: Sasha Levin +--- + arch/x86/pci/irq.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/pci/irq.c b/arch/x86/pci/irq.c +index 9bd115484745..5f0e596b0519 100644 +--- a/arch/x86/pci/irq.c ++++ b/arch/x86/pci/irq.c +@@ -1117,6 +1117,8 @@ static struct dmi_system_id __initdata pciirq_dmi_table[] = { + + void __init pcibios_irq_init(void) + { ++ struct irq_routing_table *rtable = NULL; ++ + DBG(KERN_DEBUG "PCI: IRQ init\n"); + + if (raw_pci_ops == NULL) +@@ -1127,8 +1129,10 @@ void __init pcibios_irq_init(void) + pirq_table = pirq_find_routing_table(); + + #ifdef CONFIG_PCI_BIOS +- if (!pirq_table && (pci_probe & PCI_BIOS_IRQ_SCAN)) ++ if (!pirq_table && (pci_probe & PCI_BIOS_IRQ_SCAN)) { + pirq_table = pcibios_get_irq_routing_table(); ++ rtable = pirq_table; ++ } + #endif + if (pirq_table) { + pirq_peer_trick(); +@@ -1143,8 +1147,10 @@ void __init pcibios_irq_init(void) + * If we're using the I/O APIC, avoid using the PCI IRQ + * routing table + */ +- if (io_apic_assign_pci_irqs) ++ if (io_apic_assign_pci_irqs) { ++ kfree(rtable); + pirq_table = NULL; ++ } + } + + x86_init.pci.fixup_irqs(); +-- +2.20.1 + -- 2.47.2