From c55ac56b3c20caba2af4689b18ba118fe15fcfac Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 10 Jul 2018 16:21:03 +0200 Subject: [PATCH] 4.4-stable patches added patches: dm-bufio-avoid-sleeping-while-holding-the-dm_bufio-lock.patch dm-bufio-don-t-take-the-lock-in-dm_bufio_shrink_count.patch dm-bufio-drop-the-lock-when-doing-gfp_noio-allocation.patch hid-debug-check-length-before-copy_to_user.patch hid-hiddev-fix-potential-spectre-v1.patch hid-i2c-hid-fix-incomplete-report-noise.patch media-cx25840-use-subdev-host-data-for-pll-override.patch mm-page_alloc-do-not-break-__gfp_thisnode-by-zonelist-reset.patch mtd-rawnand-mxc-set-spare-area-size-register-explicitly.patch x86-mce-detect-local-mces-properly.patch x86-mce-fix-incorrect-machine-check-from-unknown-source-message.patch --- ...ping-while-holding-the-dm_bufio-lock.patch | 126 ++++++++++++++++++ ...ke-the-lock-in-dm_bufio_shrink_count.patch | 48 +++++++ ...-lock-when-doing-gfp_noio-allocation.patch | 51 +++++++ ...bug-check-length-before-copy_to_user.patch | 53 ++++++++ .../hid-hiddev-fix-potential-spectre-v1.patch | 90 +++++++++++++ ...-i2c-hid-fix-incomplete-report-noise.patch | 46 +++++++ ...se-subdev-host-data-for-pll-override.patch | 86 ++++++++++++ ...eak-__gfp_thisnode-by-zonelist-reset.patch | 76 +++++++++++ ...-spare-area-size-register-explicitly.patch | 65 +++++++++ queue-4.4/series | 11 ++ .../x86-mce-detect-local-mces-properly.patch | 95 +++++++++++++ ...ne-check-from-unknown-source-message.patch | 100 ++++++++++++++ 12 files changed, 847 insertions(+) create mode 100644 queue-4.4/dm-bufio-avoid-sleeping-while-holding-the-dm_bufio-lock.patch create mode 100644 queue-4.4/dm-bufio-don-t-take-the-lock-in-dm_bufio_shrink_count.patch create mode 100644 queue-4.4/dm-bufio-drop-the-lock-when-doing-gfp_noio-allocation.patch create mode 100644 queue-4.4/hid-debug-check-length-before-copy_to_user.patch create mode 100644 queue-4.4/hid-hiddev-fix-potential-spectre-v1.patch create mode 100644 queue-4.4/hid-i2c-hid-fix-incomplete-report-noise.patch create mode 100644 queue-4.4/media-cx25840-use-subdev-host-data-for-pll-override.patch create mode 100644 queue-4.4/mm-page_alloc-do-not-break-__gfp_thisnode-by-zonelist-reset.patch create mode 100644 queue-4.4/mtd-rawnand-mxc-set-spare-area-size-register-explicitly.patch create mode 100644 queue-4.4/x86-mce-detect-local-mces-properly.patch create mode 100644 queue-4.4/x86-mce-fix-incorrect-machine-check-from-unknown-source-message.patch diff --git a/queue-4.4/dm-bufio-avoid-sleeping-while-holding-the-dm_bufio-lock.patch b/queue-4.4/dm-bufio-avoid-sleeping-while-holding-the-dm_bufio-lock.patch new file mode 100644 index 00000000000..97400c4ec5a --- /dev/null +++ b/queue-4.4/dm-bufio-avoid-sleeping-while-holding-the-dm_bufio-lock.patch @@ -0,0 +1,126 @@ +From 9ea61cac0b1ad0c09022f39fd97e9b99a2cfc2dc Mon Sep 17 00:00:00 2001 +From: Douglas Anderson +Date: Thu, 17 Nov 2016 11:24:20 -0800 +Subject: dm bufio: avoid sleeping while holding the dm_bufio lock + +From: Douglas Anderson + +commit 9ea61cac0b1ad0c09022f39fd97e9b99a2cfc2dc upstream. + +We've seen in-field reports showing _lots_ (18 in one case, 41 in +another) of tasks all sitting there blocked on: + + mutex_lock+0x4c/0x68 + dm_bufio_shrink_count+0x38/0x78 + shrink_slab.part.54.constprop.65+0x100/0x464 + shrink_zone+0xa8/0x198 + +In the two cases analyzed, we see one task that looks like this: + + Workqueue: kverityd verity_prefetch_io + + __switch_to+0x9c/0xa8 + __schedule+0x440/0x6d8 + schedule+0x94/0xb4 + schedule_timeout+0x204/0x27c + schedule_timeout_uninterruptible+0x44/0x50 + wait_iff_congested+0x9c/0x1f0 + shrink_inactive_list+0x3a0/0x4cc + shrink_lruvec+0x418/0x5cc + shrink_zone+0x88/0x198 + try_to_free_pages+0x51c/0x588 + __alloc_pages_nodemask+0x648/0xa88 + __get_free_pages+0x34/0x7c + alloc_buffer+0xa4/0x144 + __bufio_new+0x84/0x278 + dm_bufio_prefetch+0x9c/0x154 + verity_prefetch_io+0xe8/0x10c + process_one_work+0x240/0x424 + worker_thread+0x2fc/0x424 + kthread+0x10c/0x114 + +...and that looks to be the one holding the mutex. + +The problem has been reproduced on fairly easily: +0. Be running Chrome OS w/ verity enabled on the root filesystem +1. Pick test patch: http://crosreview.com/412360 +2. Install launchBalloons.sh and balloon.arm from + http://crbug.com/468342 + ...that's just a memory stress test app. +3. On a 4GB rk3399 machine, run + nice ./launchBalloons.sh 4 900 100000 + ...that tries to eat 4 * 900 MB of memory and keep accessing. +4. Login to the Chrome web browser and restore many tabs + +With that, I've seen printouts like: + DOUG: long bufio 90758 ms +...and stack trace always show's we're in dm_bufio_prefetch(). + +The problem is that we try to allocate memory with GFP_NOIO while +we're holding the dm_bufio lock. Instead we should be using +GFP_NOWAIT. Using GFP_NOIO can cause us to sleep while holding the +lock and that causes the above problems. + +The current behavior explained by David Rientjes: + + It will still try reclaim initially because __GFP_WAIT (or + __GFP_KSWAPD_RECLAIM) is set by GFP_NOIO. This is the cause of + contention on dm_bufio_lock() that the thread holds. You want to + pass GFP_NOWAIT instead of GFP_NOIO to alloc_buffer() when holding a + mutex that can be contended by a concurrent slab shrinker (if + count_objects didn't use a trylock, this pattern would trivially + deadlock). + +This change significantly increases responsiveness of the system while +in this state. It makes a real difference because it unblocks kswapd. +In the bug report analyzed, kswapd was hung: + + kswapd0 D ffffffc000204fd8 0 72 2 0x00000000 + Call trace: + [] __switch_to+0x9c/0xa8 + [] __schedule+0x440/0x6d8 + [] schedule+0x94/0xb4 + [] schedule_preempt_disabled+0x28/0x44 + [] __mutex_lock_slowpath+0x120/0x1ac + [] mutex_lock+0x4c/0x68 + [] dm_bufio_shrink_count+0x38/0x78 + [] shrink_slab.part.54.constprop.65+0x100/0x464 + [] shrink_zone+0xa8/0x198 + [] balance_pgdat+0x328/0x508 + [] kswapd+0x424/0x51c + [] kthread+0x10c/0x114 + [] ret_from_fork+0x10/0x40 + +By unblocking kswapd memory pressure should be reduced. + +Suggested-by: David Rientjes +Reviewed-by: Guenter Roeck +Signed-off-by: Douglas Anderson +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-bufio.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/md/dm-bufio.c ++++ b/drivers/md/dm-bufio.c +@@ -818,7 +818,8 @@ static struct dm_buffer *__alloc_buffer_ + * dm-bufio is resistant to allocation failures (it just keeps + * one buffer reserved in cases all the allocations fail). + * So set flags to not try too hard: +- * GFP_NOIO: don't recurse into the I/O layer ++ * GFP_NOWAIT: don't wait; if we need to sleep we'll release our ++ * mutex and wait ourselves. + * __GFP_NORETRY: don't retry and rather return failure + * __GFP_NOMEMALLOC: don't use emergency reserves + * __GFP_NOWARN: don't print a warning in case of failure +@@ -828,7 +829,7 @@ static struct dm_buffer *__alloc_buffer_ + */ + while (1) { + if (dm_bufio_cache_size_latch != 1) { +- b = alloc_buffer(c, GFP_NOIO | __GFP_NORETRY | __GFP_NOMEMALLOC | __GFP_NOWARN); ++ b = alloc_buffer(c, GFP_NOWAIT | __GFP_NORETRY | __GFP_NOMEMALLOC | __GFP_NOWARN); + if (b) + return b; + } diff --git a/queue-4.4/dm-bufio-don-t-take-the-lock-in-dm_bufio_shrink_count.patch b/queue-4.4/dm-bufio-don-t-take-the-lock-in-dm_bufio_shrink_count.patch new file mode 100644 index 00000000000..de7d779d6be --- /dev/null +++ b/queue-4.4/dm-bufio-don-t-take-the-lock-in-dm_bufio_shrink_count.patch @@ -0,0 +1,48 @@ +From d12067f428c037b4575aaeb2be00847fc214c24a Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Wed, 23 Nov 2016 16:52:01 -0500 +Subject: dm bufio: don't take the lock in dm_bufio_shrink_count + +From: Mikulas Patocka + +commit d12067f428c037b4575aaeb2be00847fc214c24a upstream. + +dm_bufio_shrink_count() is called from do_shrink_slab to find out how many +freeable objects are there. The reported value doesn't have to be precise, +so we don't need to take the dm-bufio lock. + +Suggested-by: David Rientjes +Signed-off-by: Mikulas Patocka +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-bufio.c | 16 ++++------------ + 1 file changed, 4 insertions(+), 12 deletions(-) + +--- a/drivers/md/dm-bufio.c ++++ b/drivers/md/dm-bufio.c +@@ -1574,19 +1574,11 @@ dm_bufio_shrink_scan(struct shrinker *sh + static unsigned long + dm_bufio_shrink_count(struct shrinker *shrink, struct shrink_control *sc) + { +- struct dm_bufio_client *c; +- unsigned long count; +- unsigned long retain_target; ++ struct dm_bufio_client *c = container_of(shrink, struct dm_bufio_client, shrinker); ++ unsigned long count = READ_ONCE(c->n_buffers[LIST_CLEAN]) + ++ READ_ONCE(c->n_buffers[LIST_DIRTY]); ++ unsigned long retain_target = get_retain_buffers(c); + +- c = container_of(shrink, struct dm_bufio_client, shrinker); +- if (sc->gfp_mask & __GFP_FS) +- dm_bufio_lock(c); +- else if (!dm_bufio_trylock(c)) +- return 0; +- +- count = c->n_buffers[LIST_CLEAN] + c->n_buffers[LIST_DIRTY]; +- retain_target = get_retain_buffers(c); +- dm_bufio_unlock(c); + return (count < retain_target) ? 0 : (count - retain_target); + } + diff --git a/queue-4.4/dm-bufio-drop-the-lock-when-doing-gfp_noio-allocation.patch b/queue-4.4/dm-bufio-drop-the-lock-when-doing-gfp_noio-allocation.patch new file mode 100644 index 00000000000..45fbe170ac3 --- /dev/null +++ b/queue-4.4/dm-bufio-drop-the-lock-when-doing-gfp_noio-allocation.patch @@ -0,0 +1,51 @@ +From 41c73a49df31151f4ff868f28fe4f129f113fa2c Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Wed, 23 Nov 2016 17:04:00 -0500 +Subject: dm bufio: drop the lock when doing GFP_NOIO allocation + +From: Mikulas Patocka + +commit 41c73a49df31151f4ff868f28fe4f129f113fa2c upstream. + +If the first allocation attempt using GFP_NOWAIT fails, drop the lock +and retry using GFP_NOIO allocation (lock is dropped because the +allocation can take some time). + +Note that we won't do GFP_NOIO allocation when we loop for the second +time, because the lock shouldn't be dropped between __wait_for_free_buffer +and __get_unclaimed_buffer. + +Signed-off-by: Mikulas Patocka +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-bufio.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/drivers/md/dm-bufio.c ++++ b/drivers/md/dm-bufio.c +@@ -813,6 +813,7 @@ enum new_flag { + static struct dm_buffer *__alloc_buffer_wait_no_callback(struct dm_bufio_client *c, enum new_flag nf) + { + struct dm_buffer *b; ++ bool tried_noio_alloc = false; + + /* + * dm-bufio is resistant to allocation failures (it just keeps +@@ -837,6 +838,15 @@ static struct dm_buffer *__alloc_buffer_ + if (nf == NF_PREFETCH) + return NULL; + ++ if (dm_bufio_cache_size_latch != 1 && !tried_noio_alloc) { ++ dm_bufio_unlock(c); ++ b = alloc_buffer(c, GFP_NOIO | __GFP_NORETRY | __GFP_NOMEMALLOC | __GFP_NOWARN); ++ dm_bufio_lock(c); ++ if (b) ++ return b; ++ tried_noio_alloc = true; ++ } ++ + if (!list_empty(&c->reserved_buffers)) { + b = list_entry(c->reserved_buffers.next, + struct dm_buffer, lru_list); diff --git a/queue-4.4/hid-debug-check-length-before-copy_to_user.patch b/queue-4.4/hid-debug-check-length-before-copy_to_user.patch new file mode 100644 index 00000000000..79200ad4d92 --- /dev/null +++ b/queue-4.4/hid-debug-check-length-before-copy_to_user.patch @@ -0,0 +1,53 @@ +From 717adfdaf14704fd3ec7fa2c04520c0723247eac Mon Sep 17 00:00:00 2001 +From: Daniel Rosenberg +Date: Mon, 2 Jul 2018 16:59:37 -0700 +Subject: HID: debug: check length before copy_to_user() + +From: Daniel Rosenberg + +commit 717adfdaf14704fd3ec7fa2c04520c0723247eac upstream. + +If our length is greater than the size of the buffer, we +overflow the buffer + +Cc: stable@vger.kernel.org +Signed-off-by: Daniel Rosenberg +Reviewed-by: Benjamin Tissoires +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hid-debug.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/hid/hid-debug.c ++++ b/drivers/hid/hid-debug.c +@@ -1152,6 +1152,8 @@ copy_rest: + goto out; + if (list->tail > list->head) { + len = list->tail - list->head; ++ if (len > count) ++ len = count; + + if (copy_to_user(buffer + ret, &list->hid_debug_buf[list->head], len)) { + ret = -EFAULT; +@@ -1161,6 +1163,8 @@ copy_rest: + list->head += len; + } else { + len = HID_DEBUG_BUFSIZE - list->head; ++ if (len > count) ++ len = count; + + if (copy_to_user(buffer, &list->hid_debug_buf[list->head], len)) { + ret = -EFAULT; +@@ -1168,7 +1172,9 @@ copy_rest: + } + list->head = 0; + ret += len; +- goto copy_rest; ++ count -= len; ++ if (count > 0) ++ goto copy_rest; + } + + } diff --git a/queue-4.4/hid-hiddev-fix-potential-spectre-v1.patch b/queue-4.4/hid-hiddev-fix-potential-spectre-v1.patch new file mode 100644 index 00000000000..2ebf9849c32 --- /dev/null +++ b/queue-4.4/hid-hiddev-fix-potential-spectre-v1.patch @@ -0,0 +1,90 @@ +From 4f65245f2d178b9cba48350620d76faa4a098841 Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Fri, 29 Jun 2018 17:08:44 -0500 +Subject: HID: hiddev: fix potential Spectre v1 + +From: Gustavo A. R. Silva + +commit 4f65245f2d178b9cba48350620d76faa4a098841 upstream. + +uref->field_index, uref->usage_index, finfo.field_index and cinfo.index can be +indirectly controlled by user-space, hence leading to a potential exploitation +of the Spectre variant 1 vulnerability. + +This issue was detected with the help of Smatch: + +drivers/hid/usbhid/hiddev.c:473 hiddev_ioctl_usage() warn: potential spectre issue 'report->field' (local cap) +drivers/hid/usbhid/hiddev.c:477 hiddev_ioctl_usage() warn: potential spectre issue 'field->usage' (local cap) +drivers/hid/usbhid/hiddev.c:757 hiddev_ioctl() warn: potential spectre issue 'report->field' (local cap) +drivers/hid/usbhid/hiddev.c:801 hiddev_ioctl() warn: potential spectre issue 'hid->collection' (local cap) + +Fix this by sanitizing such structure fields before using them to index +report->field, field->usage and hid->collection + +Notice that given that speculation windows are large, the policy is +to kill the speculation on the first load and not worry if it can be +completed with a dependent load/store [1]. + +[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 + +Cc: stable@vger.kernel.org +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/usbhid/hiddev.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/hid/usbhid/hiddev.c ++++ b/drivers/hid/usbhid/hiddev.c +@@ -35,6 +35,7 @@ + #include + #include + #include ++#include + #include "usbhid.h" + + #ifdef CONFIG_USB_DYNAMIC_MINORS +@@ -478,10 +479,14 @@ static noinline int hiddev_ioctl_usage(s + + if (uref->field_index >= report->maxfield) + goto inval; ++ uref->field_index = array_index_nospec(uref->field_index, ++ report->maxfield); + + field = report->field[uref->field_index]; + if (uref->usage_index >= field->maxusage) + goto inval; ++ uref->usage_index = array_index_nospec(uref->usage_index, ++ field->maxusage); + + uref->usage_code = field->usage[uref->usage_index].hid; + +@@ -508,6 +513,8 @@ static noinline int hiddev_ioctl_usage(s + + if (uref->field_index >= report->maxfield) + goto inval; ++ uref->field_index = array_index_nospec(uref->field_index, ++ report->maxfield); + + field = report->field[uref->field_index]; + +@@ -761,6 +768,8 @@ static long hiddev_ioctl(struct file *fi + + if (finfo.field_index >= report->maxfield) + break; ++ finfo.field_index = array_index_nospec(finfo.field_index, ++ report->maxfield); + + field = report->field[finfo.field_index]; + memset(&finfo, 0, sizeof(finfo)); +@@ -801,6 +810,8 @@ static long hiddev_ioctl(struct file *fi + + if (cinfo.index >= hid->maxcollection) + break; ++ cinfo.index = array_index_nospec(cinfo.index, ++ hid->maxcollection); + + cinfo.type = hid->collection[cinfo.index].type; + cinfo.usage = hid->collection[cinfo.index].usage; diff --git a/queue-4.4/hid-i2c-hid-fix-incomplete-report-noise.patch b/queue-4.4/hid-i2c-hid-fix-incomplete-report-noise.patch new file mode 100644 index 00000000000..2ea019b7633 --- /dev/null +++ b/queue-4.4/hid-i2c-hid-fix-incomplete-report-noise.patch @@ -0,0 +1,46 @@ +From ef6eaf27274c0351f7059163918f3795da13199c Mon Sep 17 00:00:00 2001 +From: Jason Andryuk +Date: Fri, 22 Jun 2018 12:25:49 -0400 +Subject: HID: i2c-hid: Fix "incomplete report" noise + +From: Jason Andryuk + +commit ef6eaf27274c0351f7059163918f3795da13199c upstream. + +Commit ac75a041048b ("HID: i2c-hid: fix size check and type usage") started +writing messages when the ret_size is <= 2 from i2c_master_recv. However, my +device i2c-DLL07D1 returns 2 for a short period of time (~0.5s) after I stop +moving the pointing stick or touchpad. It varies, but you get ~50 messages +each time which spams the log hard. + +[ 95.925055] i2c_hid i2c-DLL07D1:01: i2c_hid_get_input: incomplete report (83/2) + +This has also been observed with a i2c-ALP0017. + +[ 1781.266353] i2c_hid i2c-ALP0017:00: i2c_hid_get_input: incomplete report (30/2) + +Only print the message when ret_size is totally invalid and less than 2 to cut +down on the log spam. + +Fixes: ac75a041048b ("HID: i2c-hid: fix size check and type usage") +Reported-by: John Smith +Cc: stable@vger.kernel.org +Signed-off-by: Jason Andryuk +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/i2c-hid/i2c-hid.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hid/i2c-hid/i2c-hid.c ++++ b/drivers/hid/i2c-hid/i2c-hid.c +@@ -413,7 +413,7 @@ static void i2c_hid_get_input(struct i2c + return; + } + +- if ((ret_size > size) || (ret_size <= 2)) { ++ if ((ret_size > size) || (ret_size < 2)) { + dev_err(&ihid->client->dev, "%s: incomplete report (%d/%d)\n", + __func__, size, ret_size); + return; diff --git a/queue-4.4/media-cx25840-use-subdev-host-data-for-pll-override.patch b/queue-4.4/media-cx25840-use-subdev-host-data-for-pll-override.patch new file mode 100644 index 00000000000..a1f5756005d --- /dev/null +++ b/queue-4.4/media-cx25840-use-subdev-host-data-for-pll-override.patch @@ -0,0 +1,86 @@ +From 3ee9bc12342cf546313d300808ff47d7dbb8e7db Mon Sep 17 00:00:00 2001 +From: Brad Love +Date: Tue, 6 Mar 2018 14:15:34 -0500 +Subject: media: cx25840: Use subdev host data for PLL override + +From: Brad Love + +commit 3ee9bc12342cf546313d300808ff47d7dbb8e7db upstream. + +The cx25840 driver currently configures 885, 887, and 888 using +default divisors for each chip. This check to see if the cx23885 +driver has passed the cx25840 a non-default clock rate for a +specific chip. If a cx23885 board has left clk_freq at 0, the +clock default values will be used to configure the PLLs. + +This patch only has effect on 888 boards who set clk_freq to 25M. + +Signed-off-by: Brad Love +Signed-off-by: Mauro Carvalho Chehab +Cc: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/i2c/cx25840/cx25840-core.c | 28 ++++++++++++++++++++++------ + 1 file changed, 22 insertions(+), 6 deletions(-) + +--- a/drivers/media/i2c/cx25840/cx25840-core.c ++++ b/drivers/media/i2c/cx25840/cx25840-core.c +@@ -467,8 +467,13 @@ static void cx23885_initialize(struct i2 + { + DEFINE_WAIT(wait); + struct cx25840_state *state = to_state(i2c_get_clientdata(client)); ++ u32 clk_freq = 0; + struct workqueue_struct *q; + ++ /* cx23885 sets hostdata to clk_freq pointer */ ++ if (v4l2_get_subdev_hostdata(&state->sd)) ++ clk_freq = *((u32 *)v4l2_get_subdev_hostdata(&state->sd)); ++ + /* + * Come out of digital power down + * The CX23888, at least, needs this, otherwise registers aside from +@@ -504,8 +509,13 @@ static void cx23885_initialize(struct i2 + * 50.0 MHz * (0xb + 0xe8ba26/0x2000000)/4 = 5 * 28.636363 MHz + * 572.73 MHz before post divide + */ +- /* HVR1850 or 50MHz xtal */ +- cx25840_write(client, 0x2, 0x71); ++ if (clk_freq == 25000000) { ++ /* 888/ImpactVCBe or 25Mhz xtal */ ++ ; /* nothing to do */ ++ } else { ++ /* HVR1850 or 50MHz xtal */ ++ cx25840_write(client, 0x2, 0x71); ++ } + cx25840_write4(client, 0x11c, 0x01d1744c); + cx25840_write4(client, 0x118, 0x00000416); + cx25840_write4(client, 0x404, 0x0010253e); +@@ -548,9 +558,15 @@ static void cx23885_initialize(struct i2 + /* HVR1850 */ + switch (state->id) { + case CX23888_AV: +- /* 888/HVR1250 specific */ +- cx25840_write4(client, 0x10c, 0x13333333); +- cx25840_write4(client, 0x108, 0x00000515); ++ if (clk_freq == 25000000) { ++ /* 888/ImpactVCBe or 25MHz xtal */ ++ cx25840_write4(client, 0x10c, 0x01b6db7b); ++ cx25840_write4(client, 0x108, 0x00000512); ++ } else { ++ /* 888/HVR1250 or 50MHz xtal */ ++ cx25840_write4(client, 0x10c, 0x13333333); ++ cx25840_write4(client, 0x108, 0x00000515); ++ } + break; + default: + cx25840_write4(client, 0x10c, 0x002be2c9); +@@ -577,7 +593,7 @@ static void cx23885_initialize(struct i2 + * 368.64 MHz before post divide + * 122.88 MHz / 0xa = 12.288 MHz + */ +- /* HVR1850 or 50MHz xtal */ ++ /* HVR1850 or 50MHz xtal or 25MHz xtal */ + cx25840_write4(client, 0x114, 0x017dbf48); + cx25840_write4(client, 0x110, 0x000a030e); + break; diff --git a/queue-4.4/mm-page_alloc-do-not-break-__gfp_thisnode-by-zonelist-reset.patch b/queue-4.4/mm-page_alloc-do-not-break-__gfp_thisnode-by-zonelist-reset.patch new file mode 100644 index 00000000000..13fbef056f2 --- /dev/null +++ b/queue-4.4/mm-page_alloc-do-not-break-__gfp_thisnode-by-zonelist-reset.patch @@ -0,0 +1,76 @@ +From 7810e6781e0fcbca78b91cf65053f895bf59e85f Mon Sep 17 00:00:00 2001 +From: Vlastimil Babka +Date: Thu, 7 Jun 2018 17:09:29 -0700 +Subject: mm, page_alloc: do not break __GFP_THISNODE by zonelist reset + +From: Vlastimil Babka + +commit 7810e6781e0fcbca78b91cf65053f895bf59e85f upstream. + +In __alloc_pages_slowpath() we reset zonelist and preferred_zoneref for +allocations that can ignore memory policies. The zonelist is obtained +from current CPU's node. This is a problem for __GFP_THISNODE +allocations that want to allocate on a different node, e.g. because the +allocating thread has been migrated to a different CPU. + +This has been observed to break SLAB in our 4.4-based kernel, because +there it relies on __GFP_THISNODE working as intended. If a slab page +is put on wrong node's list, then further list manipulations may corrupt +the list because page_to_nid() is used to determine which node's +list_lock should be locked and thus we may take a wrong lock and race. + +Current SLAB implementation seems to be immune by luck thanks to commit +511e3a058812 ("mm/slab: make cache_grow() handle the page allocated on +arbitrary node") but there may be others assuming that __GFP_THISNODE +works as promised. + +We can fix it by simply removing the zonelist reset completely. There +is actually no reason to reset it, because memory policies and cpusets +don't affect the zonelist choice in the first place. This was different +when commit 183f6371aac2 ("mm: ignore mempolicies when using +ALLOC_NO_WATERMARK") introduced the code, as mempolicies provided their +own restricted zonelists. + +We might consider this for 4.17 although I don't know if there's +anything currently broken. + +SLAB is currently not affected, but in kernels older than 4.7 that don't +yet have 511e3a058812 ("mm/slab: make cache_grow() handle the page +allocated on arbitrary node") it is. That's at least 4.4 LTS. Older +ones I'll have to check. + +So stable backports should be more important, but will have to be +reviewed carefully, as the code went through many changes. BTW I think +that also the ac->preferred_zoneref reset is currently useless if we +don't also reset ac->nodemask from a mempolicy to NULL first (which we +probably should for the OOM victims etc?), but I would leave that for a +separate patch. + +Link: http://lkml.kernel.org/r/20180525130853.13915-1-vbabka@suse.cz +Signed-off-by: Vlastimil Babka +Fixes: 183f6371aac2 ("mm: ignore mempolicies when using ALLOC_NO_WATERMARK") +Acked-by: Mel Gorman +Cc: Michal Hocko +Cc: David Rientjes +Cc: Joonsoo Kim +Cc: Vlastimil Babka +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/page_alloc.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/mm/page_alloc.c ++++ b/mm/page_alloc.c +@@ -3109,8 +3109,6 @@ retry: + * the allocation is high priority and these type of + * allocations are system rather than user orientated + */ +- ac->zonelist = node_zonelist(numa_node_id(), gfp_mask); +- + page = __alloc_pages_high_priority(gfp_mask, order, ac); + + if (page) { diff --git a/queue-4.4/mtd-rawnand-mxc-set-spare-area-size-register-explicitly.patch b/queue-4.4/mtd-rawnand-mxc-set-spare-area-size-register-explicitly.patch new file mode 100644 index 00000000000..990618f2379 --- /dev/null +++ b/queue-4.4/mtd-rawnand-mxc-set-spare-area-size-register-explicitly.patch @@ -0,0 +1,65 @@ +From 3f77f244d8ec28e3a0a81240ffac7d626390060c Mon Sep 17 00:00:00 2001 +From: Martin Kaiser +Date: Mon, 18 Jun 2018 22:41:03 +0200 +Subject: mtd: rawnand: mxc: set spare area size register explicitly + +From: Martin Kaiser + +commit 3f77f244d8ec28e3a0a81240ffac7d626390060c upstream. + +The v21 version of the NAND flash controller contains a Spare Area Size +Register (SPAS) at offset 0x10. Its setting defaults to the maximum +spare area size of 218 bytes. The size that is set in this register is +used by the controller when it calculates the ECC bytes internally in +hardware. + +Usually, this register is updated from settings in the IIM fuses when +the system is booting from NAND flash. For other boot media, however, +the SPAS register remains at the default setting, which may not work for +the particular flash chip on the board. The same goes for flash chips +whose configuration cannot be set in the IIM fuses (e.g. chips with 2k +sector size and 128 bytes spare area size can't be configured in the IIM +fuses on imx25 systems). + +Set the SPAS register explicitly during the preset operation. Derive the +register value from mtd->oobsize that was detected during probe by +decoding the flash chip's ID bytes. + +While at it, rename the define for the spare area register's offset to +NFC_V21_RSLTSPARE_AREA. The register at offset 0x10 on v1 controllers is +different from the register on v21 controllers. + +Fixes: d484018 ("mtd: mxc_nand: set NFC registers after reset") +Cc: stable@vger.kernel.org +Signed-off-by: Martin Kaiser +Reviewed-by: Sascha Hauer +Reviewed-by: Miquel Raynal +Signed-off-by: Boris Brezillon +Signed-off-by: Greg Kroah-Hartman + + +--- + drivers/mtd/nand/mxc_nand.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/mtd/nand/mxc_nand.c ++++ b/drivers/mtd/nand/mxc_nand.c +@@ -49,7 +49,7 @@ + #define NFC_V1_V2_CONFIG (host->regs + 0x0a) + #define NFC_V1_V2_ECC_STATUS_RESULT (host->regs + 0x0c) + #define NFC_V1_V2_RSLTMAIN_AREA (host->regs + 0x0e) +-#define NFC_V1_V2_RSLTSPARE_AREA (host->regs + 0x10) ++#define NFC_V21_RSLTSPARE_AREA (host->regs + 0x10) + #define NFC_V1_V2_WRPROT (host->regs + 0x12) + #define NFC_V1_UNLOCKSTART_BLKADDR (host->regs + 0x14) + #define NFC_V1_UNLOCKEND_BLKADDR (host->regs + 0x16) +@@ -1034,6 +1034,9 @@ static void preset_v2(struct mtd_info *m + writew(config1, NFC_V1_V2_CONFIG1); + /* preset operation */ + ++ /* spare area size in 16-bit half-words */ ++ writew(mtd->oobsize / 2, NFC_V21_RSLTSPARE_AREA); ++ + /* Unlock the internal RAM Buffer */ + writew(0x2, NFC_V1_V2_CONFIG); + diff --git a/queue-4.4/series b/queue-4.4/series index 8972dc68696..15664bd1ceb 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -29,3 +29,14 @@ ext4-clear-i_data-in-ext4_inode_info-when-removing-inline-data.patch ext4-add-more-inode-number-paranoia-checks.patch ext4-add-more-mount-time-checks-of-the-superblock.patch ext4-check-superblock-mapped-prior-to-committing.patch +hid-i2c-hid-fix-incomplete-report-noise.patch +hid-hiddev-fix-potential-spectre-v1.patch +hid-debug-check-length-before-copy_to_user.patch +x86-mce-detect-local-mces-properly.patch +x86-mce-fix-incorrect-machine-check-from-unknown-source-message.patch +media-cx25840-use-subdev-host-data-for-pll-override.patch +mm-page_alloc-do-not-break-__gfp_thisnode-by-zonelist-reset.patch +dm-bufio-avoid-sleeping-while-holding-the-dm_bufio-lock.patch +dm-bufio-drop-the-lock-when-doing-gfp_noio-allocation.patch +mtd-rawnand-mxc-set-spare-area-size-register-explicitly.patch +dm-bufio-don-t-take-the-lock-in-dm_bufio_shrink_count.patch diff --git a/queue-4.4/x86-mce-detect-local-mces-properly.patch b/queue-4.4/x86-mce-detect-local-mces-properly.patch new file mode 100644 index 00000000000..f6010167221 --- /dev/null +++ b/queue-4.4/x86-mce-detect-local-mces-properly.patch @@ -0,0 +1,95 @@ +From fead35c68926682c90c995f22b48f1c8d78865c1 Mon Sep 17 00:00:00 2001 +From: Yazen Ghannam +Date: Sat, 30 Apr 2016 14:33:57 +0200 +Subject: x86/mce: Detect local MCEs properly + +From: Yazen Ghannam + +commit fead35c68926682c90c995f22b48f1c8d78865c1 upstream. + +Check the MCG_STATUS_LMCES bit on Intel to verify that current MCE is +local. It is always local on AMD. + +Signed-off-by: Yazen Ghannam +[ Massaged it a bit. Reflowed comments. Shut up -Wmaybe-uninitialized. ] +Signed-off-by: Borislav Petkov +Cc: Andy Lutomirski +Cc: Borislav Petkov +Cc: Brian Gerst +Cc: Denys Vlasenko +Cc: H. Peter Anvin +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: Tony Luck +Cc: linux-edac +Link: http://lkml.kernel.org/r/1462019637-16474-8-git-send-email-bp@alien8.de +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/cpu/mcheck/mce.c | 33 ++++++++++++++++++++------------- + 1 file changed, 20 insertions(+), 13 deletions(-) + +--- a/arch/x86/kernel/cpu/mcheck/mce.c ++++ b/arch/x86/kernel/cpu/mcheck/mce.c +@@ -980,11 +980,12 @@ void do_machine_check(struct pt_regs *re + int i; + int worst = 0; + int severity; ++ + /* + * Establish sequential order between the CPUs entering the machine + * check handler. + */ +- int order; ++ int order = -1; + /* + * If no_way_out gets set, there is no safe way to recover from this + * MCE. If mca_cfg.tolerant is cranked up, we'll try anyway. +@@ -1000,7 +1001,12 @@ void do_machine_check(struct pt_regs *re + char *msg = "Unknown"; + u64 recover_paddr = ~0ull; + int flags = MF_ACTION_REQUIRED; +- int lmce = 0; ++ ++ /* ++ * MCEs are always local on AMD. Same is determined by MCG_STATUS_LMCES ++ * on Intel. ++ */ ++ int lmce = 1; + + /* If this CPU is offline, just bail out. */ + if (cpu_is_offline(smp_processor_id())) { +@@ -1039,19 +1045,20 @@ void do_machine_check(struct pt_regs *re + kill_it = 1; + + /* +- * Check if this MCE is signaled to only this logical processor ++ * Check if this MCE is signaled to only this logical processor, ++ * on Intel only. + */ +- if (m.mcgstatus & MCG_STATUS_LMCES) +- lmce = 1; +- else { +- /* +- * Go through all the banks in exclusion of the other CPUs. +- * This way we don't report duplicated events on shared banks +- * because the first one to see it will clear it. +- * If this is a Local MCE, then no need to perform rendezvous. +- */ ++ if (m.cpuvendor == X86_VENDOR_INTEL) ++ lmce = m.mcgstatus & MCG_STATUS_LMCES; ++ ++ /* ++ * Go through all banks in exclusion of the other CPUs. This way we ++ * don't report duplicated events on shared banks because the first one ++ * to see it will clear it. If this is a Local MCE, then no need to ++ * perform rendezvous. ++ */ ++ if (!lmce) + order = mce_start(&no_way_out); +- } + + for (i = 0; i < cfg->banks; i++) { + __clear_bit(i, toclear); diff --git a/queue-4.4/x86-mce-fix-incorrect-machine-check-from-unknown-source-message.patch b/queue-4.4/x86-mce-fix-incorrect-machine-check-from-unknown-source-message.patch new file mode 100644 index 00000000000..613ca04aaff --- /dev/null +++ b/queue-4.4/x86-mce-fix-incorrect-machine-check-from-unknown-source-message.patch @@ -0,0 +1,100 @@ +From 40c36e2741d7fe1e66d6ec55477ba5fd19c9c5d2 Mon Sep 17 00:00:00 2001 +From: Tony Luck +Date: Fri, 22 Jun 2018 11:54:23 +0200 +Subject: x86/mce: Fix incorrect "Machine check from unknown source" message + +From: Tony Luck + +commit 40c36e2741d7fe1e66d6ec55477ba5fd19c9c5d2 upstream. + +Some injection testing resulted in the following console log: + + mce: [Hardware Error]: CPU 22: Machine Check Exception: f Bank 1: bd80000000100134 + mce: [Hardware Error]: RIP 10: {pmem_do_bvec+0x11d/0x330 [nd_pmem]} + mce: [Hardware Error]: TSC c51a63035d52 ADDR 3234bc4000 MISC 88 + mce: [Hardware Error]: PROCESSOR 0:50654 TIME 1526502199 SOCKET 0 APIC 38 microcode 2000043 + mce: [Hardware Error]: Run the above through 'mcelog --ascii' + Kernel panic - not syncing: Machine check from unknown source + +This confused everybody because the first line quite clearly shows +that we found a logged error in "Bank 1", while the last line says +"unknown source". + +The problem is that the Linux code doesn't do the right thing +for a local machine check that results in a fatal error. + +It turns out that we know very early in the handler whether the +machine check is fatal. The call to mce_no_way_out() has checked +all the banks for the CPU that took the local machine check. If +it says we must crash, we can do so right away with the right +messages. + +We do scan all the banks again. This means that we might initially +not see a problem, but during the second scan find something fatal. +If this happens we print a slightly different message (so I can +see if it actually every happens). + +[ bp: Remove unneeded severity assignment. ] + +Signed-off-by: Tony Luck +Signed-off-by: Borislav Petkov +Signed-off-by: Thomas Gleixner +Cc: Ashok Raj +Cc: Dan Williams +Cc: Qiuxu Zhuo +Cc: linux-edac +Cc: stable@vger.kernel.org # 4.2 +Link: http://lkml.kernel.org/r/52e049a497e86fd0b71c529651def8871c804df0.1527283897.git.tony.luck@intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/cpu/mcheck/mce.c | 26 ++++++++++++++++++-------- + 1 file changed, 18 insertions(+), 8 deletions(-) + +--- a/arch/x86/kernel/cpu/mcheck/mce.c ++++ b/arch/x86/kernel/cpu/mcheck/mce.c +@@ -1052,13 +1052,18 @@ void do_machine_check(struct pt_regs *re + lmce = m.mcgstatus & MCG_STATUS_LMCES; + + /* ++ * Local machine check may already know that we have to panic. ++ * Broadcast machine check begins rendezvous in mce_start() + * Go through all banks in exclusion of the other CPUs. This way we + * don't report duplicated events on shared banks because the first one +- * to see it will clear it. If this is a Local MCE, then no need to +- * perform rendezvous. ++ * to see it will clear it. + */ +- if (!lmce) ++ if (lmce) { ++ if (no_way_out) ++ mce_panic("Fatal local machine check", &m, msg); ++ } else { + order = mce_start(&no_way_out); ++ } + + for (i = 0; i < cfg->banks; i++) { + __clear_bit(i, toclear); +@@ -1135,12 +1140,17 @@ void do_machine_check(struct pt_regs *re + no_way_out = worst >= MCE_PANIC_SEVERITY; + } else { + /* +- * Local MCE skipped calling mce_reign() +- * If we found a fatal error, we need to panic here. ++ * If there was a fatal machine check we should have ++ * already called mce_panic earlier in this function. ++ * Since we re-read the banks, we might have found ++ * something new. Check again to see if we found a ++ * fatal error. We call "mce_severity()" again to ++ * make sure we have the right "msg". + */ +- if (worst >= MCE_PANIC_SEVERITY && mca_cfg.tolerant < 3) +- mce_panic("Machine check from unknown source", +- NULL, NULL); ++ if (worst >= MCE_PANIC_SEVERITY && mca_cfg.tolerant < 3) { ++ mce_severity(&m, cfg->tolerant, &msg, true); ++ mce_panic("Local fatal machine check!", &m, msg); ++ } + } + + /* -- 2.47.3