From c76b1eda0a5a146d4eee52e66e75a686a339da26 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 18 Aug 2019 07:49:03 -0400 Subject: [PATCH] fixes for 4.19 Signed-off-by: Sasha Levin --- ...efi-fix-variable-si-set-but-not-used.patch | 43 ++++ ...mm-fix-variable-pud-set-but-not-used.patch | 43 ++++ ...d-prohibit-probing-on-return_address.patch | 76 +++++++ ...c-fix-wtype-limits-compiler-warnings.patch | 132 +++++++++++ ...ot-complain-in-case-of-deferred-prob.patch | 36 +++ ...ck-between-fiemap-and-transaction-co.patch | 213 ++++++++++++++++++ ...ed-truncate-divisor-to-generated_max.patch | 39 ++++ ...mssr-fix-reset-control-race-conditio.patch | 109 +++++++++ ...-regmap_mmio-to-avoid-compile-errors.patch | 32 +++ ...-a-potential-information-leaking-bug.patch | 48 ++++ ...encoder-fix-build-error-while-config.patch | 40 ++++ ...x-missing-decrement-of-retry-counter.patch | 41 ++++ .../drm-msm-fix-add_gpu_components.patch | 42 ++++ ...t-make-setting-exit_state-consistent.patch | 51 +++++ ...b-core-add-mitigation-for-spectre-v1.patch | 52 +++++ ...fter-free-in-ib-mad-completion-handl.patch | 150 ++++++++++++ ...egistration-flow-to-use-umr-properly.patch | 108 +++++++++ ...ts-free-unused-vpt_page-when-alloc-v.patch | 38 ++++ ...imx-gpcv2-forward-irq-type-to-parent.patch | 33 +++ ...-unknown-options-with-cc-option-usag.patch | 66 ++++++ ...andle-kbuild_extra_symbols-only-for-.patch | 36 +++ ...-small-read-overflow-in-zpodd_get_me.patch | 50 ++++ ...-set-but-not-used-variable-last_hash.patch | 54 +++++ ...divide-by-zero-error-if-f_header.att.patch | 52 +++++ ...fix-use-of-unitialized-value-warning.patch | 68 ++++++ ...allow-to-coexist-with-fault-injectio.patch | 70 ++++++ ...t-scsi-command-status-issue-after-re.patch | 59 +++++ ...-possible-fcport-null-pointer-derefe.patch | 48 ++++ queue-4.19/series | 29 +++ ...ve-set-but-not-used-variable-old_sta.patch | 46 ++++ 30 files changed, 1904 insertions(+) create mode 100644 queue-4.19/arm64-efi-fix-variable-si-set-but-not-used.patch create mode 100644 queue-4.19/arm64-mm-fix-variable-pud-set-but-not-used.patch create mode 100644 queue-4.19/arm64-unwind-prohibit-probing-on-return_address.patch create mode 100644 queue-4.19/asm-generic-fix-wtype-limits-compiler-warnings.patch create mode 100644 queue-4.19/ata-libahci-do-not-complain-in-case-of-deferred-prob.patch create mode 100644 queue-4.19/btrfs-fix-deadlock-between-fiemap-and-transaction-co.patch create mode 100644 queue-4.19/clk-at91-generated-truncate-divisor-to-generated_max.patch create mode 100644 queue-4.19/clk-renesas-cpg-mssr-fix-reset-control-race-conditio.patch create mode 100644 queue-4.19/clk-sprd-select-regmap_mmio-to-avoid-compile-errors.patch create mode 100644 queue-4.19/drm-amdgpu-fix-a-potential-information-leaking-bug.patch create mode 100644 queue-4.19/drm-bridge-lvds-encoder-fix-build-error-while-config.patch create mode 100644 queue-4.19/drm-exynos-fix-missing-decrement-of-retry-counter.patch create mode 100644 queue-4.19/drm-msm-fix-add_gpu_components.patch create mode 100644 queue-4.19/exit-make-setting-exit_state-consistent.patch create mode 100644 queue-4.19/ib-core-add-mitigation-for-spectre-v1.patch create mode 100644 queue-4.19/ib-mad-fix-use-after-free-in-ib-mad-completion-handl.patch create mode 100644 queue-4.19/ib-mlx5-fix-mr-registration-flow-to-use-umr-properly.patch create mode 100644 queue-4.19/irqchip-gic-v3-its-free-unused-vpt_page-when-alloc-v.patch create mode 100644 queue-4.19/irqchip-irq-imx-gpcv2-forward-irq-type-to-parent.patch create mode 100644 queue-4.19/kbuild-check-for-unknown-options-with-cc-option-usag.patch create mode 100644 queue-4.19/kbuild-modpost-handle-kbuild_extra_symbols-only-for-.patch create mode 100644 queue-4.19/libata-zpodd-fix-small-read-overflow-in-zpodd_get_me.patch create mode 100644 queue-4.19/ocfs2-remove-set-but-not-used-variable-last_hash.patch create mode 100644 queue-4.19/perf-header-fix-divide-by-zero-error-if-f_header.att.patch create mode 100644 queue-4.19/perf-header-fix-use-of-unitialized-value-warning.patch create mode 100644 queue-4.19/revert-kmemleak-allow-to-coexist-with-fault-injectio.patch create mode 100644 queue-4.19/scsi-hpsa-correct-scsi-command-status-issue-after-re.patch create mode 100644 queue-4.19/scsi-qla2xxx-fix-possible-fcport-null-pointer-derefe.patch create mode 100644 queue-4.19/xen-pciback-remove-set-but-not-used-variable-old_sta.patch diff --git a/queue-4.19/arm64-efi-fix-variable-si-set-but-not-used.patch b/queue-4.19/arm64-efi-fix-variable-si-set-but-not-used.patch new file mode 100644 index 00000000000..4d8e4243543 --- /dev/null +++ b/queue-4.19/arm64-efi-fix-variable-si-set-but-not-used.patch @@ -0,0 +1,43 @@ +From ae8413191ca1369cd498e21c13cd195b5d430a00 Mon Sep 17 00:00:00 2001 +From: Qian Cai +Date: Tue, 30 Jul 2019 17:23:48 -0400 +Subject: arm64/efi: fix variable 'si' set but not used + +[ Upstream commit f1d4836201543e88ebe70237e67938168d5fab19 ] + +GCC throws out this warning on arm64. + +drivers/firmware/efi/libstub/arm-stub.c: In function 'efi_entry': +drivers/firmware/efi/libstub/arm-stub.c:132:22: warning: variable 'si' +set but not used [-Wunused-but-set-variable] + +Fix it by making free_screen_info() a static inline function. + +Acked-by: Will Deacon +Signed-off-by: Qian Cai +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/efi.h | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/arch/arm64/include/asm/efi.h b/arch/arm64/include/asm/efi.h +index 7ed320895d1f4..f52a2968a3b69 100644 +--- a/arch/arm64/include/asm/efi.h ++++ b/arch/arm64/include/asm/efi.h +@@ -94,7 +94,11 @@ static inline unsigned long efi_get_max_initrd_addr(unsigned long dram_base, + ((protocol##_t *)instance)->f(instance, ##__VA_ARGS__) + + #define alloc_screen_info(x...) &screen_info +-#define free_screen_info(x...) ++ ++static inline void free_screen_info(efi_system_table_t *sys_table_arg, ++ struct screen_info *si) ++{ ++} + + /* redeclare as 'hidden' so the compiler will generate relative references */ + extern struct screen_info screen_info __attribute__((__visibility__("hidden"))); +-- +2.20.1 + diff --git a/queue-4.19/arm64-mm-fix-variable-pud-set-but-not-used.patch b/queue-4.19/arm64-mm-fix-variable-pud-set-but-not-used.patch new file mode 100644 index 00000000000..b227d1c8c4d --- /dev/null +++ b/queue-4.19/arm64-mm-fix-variable-pud-set-but-not-used.patch @@ -0,0 +1,43 @@ +From 334ae484440ad89104eb7b202529d04f30c23a20 Mon Sep 17 00:00:00 2001 +From: Qian Cai +Date: Wed, 31 Jul 2019 16:05:45 -0400 +Subject: arm64/mm: fix variable 'pud' set but not used + +[ Upstream commit 7d4e2dcf311d3b98421d1f119efe5964cafa32fc ] + +GCC throws a warning, + +arch/arm64/mm/mmu.c: In function 'pud_free_pmd_page': +arch/arm64/mm/mmu.c:1033:8: warning: variable 'pud' set but not used +[-Wunused-but-set-variable] + pud_t pud; + ^~~ + +because pud_table() is a macro and compiled away. Fix it by making it a +static inline function and for pud_sect() as well. + +Signed-off-by: Qian Cai +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/pgtable.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/include/asm/pgtable.h b/arch/arm64/include/asm/pgtable.h +index ea423db393644..2214a403f39b9 100644 +--- a/arch/arm64/include/asm/pgtable.h ++++ b/arch/arm64/include/asm/pgtable.h +@@ -419,8 +419,8 @@ extern pgprot_t phys_mem_access_prot(struct file *file, unsigned long pfn, + PMD_TYPE_SECT) + + #if defined(CONFIG_ARM64_64K_PAGES) || CONFIG_PGTABLE_LEVELS < 3 +-#define pud_sect(pud) (0) +-#define pud_table(pud) (1) ++static inline bool pud_sect(pud_t pud) { return false; } ++static inline bool pud_table(pud_t pud) { return true; } + #else + #define pud_sect(pud) ((pud_val(pud) & PUD_TYPE_MASK) == \ + PUD_TYPE_SECT) +-- +2.20.1 + diff --git a/queue-4.19/arm64-unwind-prohibit-probing-on-return_address.patch b/queue-4.19/arm64-unwind-prohibit-probing-on-return_address.patch new file mode 100644 index 00000000000..ebbeb101f0e --- /dev/null +++ b/queue-4.19/arm64-unwind-prohibit-probing-on-return_address.patch @@ -0,0 +1,76 @@ +From bc60eda03f3ee8730ed82bc3ff108a455a9e79cd Mon Sep 17 00:00:00 2001 +From: Masami Hiramatsu +Date: Thu, 25 Jul 2019 17:16:05 +0900 +Subject: arm64: unwind: Prohibit probing on return_address() + +[ Upstream commit ee07b93e7721ccd5d5b9fa6f0c10cb3fe2f1f4f9 ] + +Prohibit probing on return_address() and subroutines which +is called from return_address(), since the it is invoked from +trace_hardirqs_off() which is also kprobe blacklisted. + +Reported-by: Naresh Kamboju +Signed-off-by: Masami Hiramatsu +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/return_address.c | 3 +++ + arch/arm64/kernel/stacktrace.c | 3 +++ + 2 files changed, 6 insertions(+) + +diff --git a/arch/arm64/kernel/return_address.c b/arch/arm64/kernel/return_address.c +index 933adbc0f654d..0311fe52c8ffb 100644 +--- a/arch/arm64/kernel/return_address.c ++++ b/arch/arm64/kernel/return_address.c +@@ -11,6 +11,7 @@ + + #include + #include ++#include + + #include + #include +@@ -32,6 +33,7 @@ static int save_return_addr(struct stackframe *frame, void *d) + return 0; + } + } ++NOKPROBE_SYMBOL(save_return_addr); + + void *return_address(unsigned int level) + { +@@ -55,3 +57,4 @@ void *return_address(unsigned int level) + return NULL; + } + EXPORT_SYMBOL_GPL(return_address); ++NOKPROBE_SYMBOL(return_address); +diff --git a/arch/arm64/kernel/stacktrace.c b/arch/arm64/kernel/stacktrace.c +index 4989f7ea1e599..bb482ec044b61 100644 +--- a/arch/arm64/kernel/stacktrace.c ++++ b/arch/arm64/kernel/stacktrace.c +@@ -18,6 +18,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -85,6 +86,7 @@ int notrace unwind_frame(struct task_struct *tsk, struct stackframe *frame) + + return 0; + } ++NOKPROBE_SYMBOL(unwind_frame); + + void notrace walk_stackframe(struct task_struct *tsk, struct stackframe *frame, + int (*fn)(struct stackframe *, void *), void *data) +@@ -99,6 +101,7 @@ void notrace walk_stackframe(struct task_struct *tsk, struct stackframe *frame, + break; + } + } ++NOKPROBE_SYMBOL(walk_stackframe); + + #ifdef CONFIG_STACKTRACE + struct stack_trace_data { +-- +2.20.1 + diff --git a/queue-4.19/asm-generic-fix-wtype-limits-compiler-warnings.patch b/queue-4.19/asm-generic-fix-wtype-limits-compiler-warnings.patch new file mode 100644 index 00000000000..39e4711700f --- /dev/null +++ b/queue-4.19/asm-generic-fix-wtype-limits-compiler-warnings.patch @@ -0,0 +1,132 @@ +From 853af149a5ca4fdbcdb87c367620f0d11e2f7d9b Mon Sep 17 00:00:00 2001 +From: Qian Cai +Date: Fri, 2 Aug 2019 21:49:19 -0700 +Subject: asm-generic: fix -Wtype-limits compiler warnings + +[ Upstream commit cbedfe11347fe418621bd188d58a206beb676218 ] + +Commit d66acc39c7ce ("bitops: Optimise get_order()") introduced a +compilation warning because "rx_frag_size" is an "ushort" while +PAGE_SHIFT here is 16. + +The commit changed the get_order() to be a multi-line macro where +compilers insist to check all statements in the macro even when +__builtin_constant_p(rx_frag_size) will return false as "rx_frag_size" +is a module parameter. + +In file included from ./arch/powerpc/include/asm/page_64.h:107, + from ./arch/powerpc/include/asm/page.h:242, + from ./arch/powerpc/include/asm/mmu.h:132, + from ./arch/powerpc/include/asm/lppaca.h:47, + from ./arch/powerpc/include/asm/paca.h:17, + from ./arch/powerpc/include/asm/current.h:13, + from ./include/linux/thread_info.h:21, + from ./arch/powerpc/include/asm/processor.h:39, + from ./include/linux/prefetch.h:15, + from drivers/net/ethernet/emulex/benet/be_main.c:14: +drivers/net/ethernet/emulex/benet/be_main.c: In function 'be_rx_cqs_create': +./include/asm-generic/getorder.h:54:9: warning: comparison is always +true due to limited range of data type [-Wtype-limits] + (((n) < (1UL << PAGE_SHIFT)) ? 0 : \ + ^ +drivers/net/ethernet/emulex/benet/be_main.c:3138:33: note: in expansion +of macro 'get_order' + adapter->big_page_size = (1 << get_order(rx_frag_size)) * PAGE_SIZE; + ^~~~~~~~~ + +Fix it by moving all of this multi-line macro into a proper function, +and killing __get_order() off. + +[akpm@linux-foundation.org: remove __get_order() altogether] +[cai@lca.pw: v2] + Link: http://lkml.kernel.org/r/1564000166-31428-1-git-send-email-cai@lca.pw +Link: http://lkml.kernel.org/r/1563914986-26502-1-git-send-email-cai@lca.pw +Fixes: d66acc39c7ce ("bitops: Optimise get_order()") +Signed-off-by: Qian Cai +Reviewed-by: Nathan Chancellor +Cc: David S. Miller +Cc: Arnd Bergmann +Cc: David Howells +Cc: Jakub Jelinek +Cc: Nick Desaulniers +Cc: Bill Wendling +Cc: James Y Knight +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/asm-generic/getorder.h | 50 ++++++++++++++-------------------- + 1 file changed, 20 insertions(+), 30 deletions(-) + +diff --git a/include/asm-generic/getorder.h b/include/asm-generic/getorder.h +index c64bea7a52beb..e9f20b813a699 100644 +--- a/include/asm-generic/getorder.h ++++ b/include/asm-generic/getorder.h +@@ -7,24 +7,6 @@ + #include + #include + +-/* +- * Runtime evaluation of get_order() +- */ +-static inline __attribute_const__ +-int __get_order(unsigned long size) +-{ +- int order; +- +- size--; +- size >>= PAGE_SHIFT; +-#if BITS_PER_LONG == 32 +- order = fls(size); +-#else +- order = fls64(size); +-#endif +- return order; +-} +- + /** + * get_order - Determine the allocation order of a memory size + * @size: The size for which to get the order +@@ -43,19 +25,27 @@ int __get_order(unsigned long size) + * to hold an object of the specified size. + * + * The result is undefined if the size is 0. +- * +- * This function may be used to initialise variables with compile time +- * evaluations of constants. + */ +-#define get_order(n) \ +-( \ +- __builtin_constant_p(n) ? ( \ +- ((n) == 0UL) ? BITS_PER_LONG - PAGE_SHIFT : \ +- (((n) < (1UL << PAGE_SHIFT)) ? 0 : \ +- ilog2((n) - 1) - PAGE_SHIFT + 1) \ +- ) : \ +- __get_order(n) \ +-) ++static inline __attribute_const__ int get_order(unsigned long size) ++{ ++ if (__builtin_constant_p(size)) { ++ if (!size) ++ return BITS_PER_LONG - PAGE_SHIFT; ++ ++ if (size < (1UL << PAGE_SHIFT)) ++ return 0; ++ ++ return ilog2((size) - 1) - PAGE_SHIFT + 1; ++ } ++ ++ size--; ++ size >>= PAGE_SHIFT; ++#if BITS_PER_LONG == 32 ++ return fls(size); ++#else ++ return fls64(size); ++#endif ++} + + #endif /* __ASSEMBLY__ */ + +-- +2.20.1 + diff --git a/queue-4.19/ata-libahci-do-not-complain-in-case-of-deferred-prob.patch b/queue-4.19/ata-libahci-do-not-complain-in-case-of-deferred-prob.patch new file mode 100644 index 00000000000..94fea13942a --- /dev/null +++ b/queue-4.19/ata-libahci-do-not-complain-in-case-of-deferred-prob.patch @@ -0,0 +1,36 @@ +From 97d941028e0fb6bd23f1a15963f216ee6922dae1 Mon Sep 17 00:00:00 2001 +From: Miquel Raynal +Date: Wed, 31 Jul 2019 14:26:51 +0200 +Subject: ata: libahci: do not complain in case of deferred probe + +[ Upstream commit 090bb803708198e5ab6b0046398c7ed9f4d12d6b ] + +Retrieving PHYs can defer the probe, do not spawn an error when +-EPROBE_DEFER is returned, it is normal behavior. + +Fixes: b1a9edbda040 ("ata: libahci: allow to use multiple PHYs") +Reviewed-by: Hans de Goede +Signed-off-by: Miquel Raynal +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/ata/libahci_platform.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/ata/libahci_platform.c b/drivers/ata/libahci_platform.c +index c92c10d553746..5bece9752ed68 100644 +--- a/drivers/ata/libahci_platform.c ++++ b/drivers/ata/libahci_platform.c +@@ -313,6 +313,9 @@ static int ahci_platform_get_phy(struct ahci_host_priv *hpriv, u32 port, + hpriv->phys[port] = NULL; + rc = 0; + break; ++ case -EPROBE_DEFER: ++ /* Do not complain yet */ ++ break; + + default: + dev_err(dev, +-- +2.20.1 + diff --git a/queue-4.19/btrfs-fix-deadlock-between-fiemap-and-transaction-co.patch b/queue-4.19/btrfs-fix-deadlock-between-fiemap-and-transaction-co.patch new file mode 100644 index 00000000000..ccf0cb0f783 --- /dev/null +++ b/queue-4.19/btrfs-fix-deadlock-between-fiemap-and-transaction-co.patch @@ -0,0 +1,213 @@ +From 21edac1ffc5ec52dc7f670166024681772003a98 Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Mon, 29 Jul 2019 09:37:10 +0100 +Subject: Btrfs: fix deadlock between fiemap and transaction commits + +[ Upstream commit a6d155d2e363f26290ffd50591169cb96c2a609e ] + +The fiemap handler locks a file range that can have unflushed delalloc, +and after locking the range, it tries to attach to a running transaction. +If the running transaction started its commit, that is, it is in state +TRANS_STATE_COMMIT_START, and either the filesystem was mounted with the +flushoncommit option or the transaction is creating a snapshot for the +subvolume that contains the file that fiemap is operating on, we end up +deadlocking. This happens because fiemap is blocked on the transaction, +waiting for it to complete, and the transaction is waiting for the flushed +dealloc to complete, which requires locking the file range that the fiemap +task already locked. The following stack traces serve as an example of +when this deadlock happens: + + (...) + [404571.515510] Workqueue: btrfs-endio-write btrfs_endio_write_helper [btrfs] + [404571.515956] Call Trace: + [404571.516360] ? __schedule+0x3ae/0x7b0 + [404571.516730] schedule+0x3a/0xb0 + [404571.517104] lock_extent_bits+0x1ec/0x2a0 [btrfs] + [404571.517465] ? remove_wait_queue+0x60/0x60 + [404571.517832] btrfs_finish_ordered_io+0x292/0x800 [btrfs] + [404571.518202] normal_work_helper+0xea/0x530 [btrfs] + [404571.518566] process_one_work+0x21e/0x5c0 + [404571.518990] worker_thread+0x4f/0x3b0 + [404571.519413] ? process_one_work+0x5c0/0x5c0 + [404571.519829] kthread+0x103/0x140 + [404571.520191] ? kthread_create_worker_on_cpu+0x70/0x70 + [404571.520565] ret_from_fork+0x3a/0x50 + [404571.520915] kworker/u8:6 D 0 31651 2 0x80004000 + [404571.521290] Workqueue: btrfs-flush_delalloc btrfs_flush_delalloc_helper [btrfs] + (...) + [404571.537000] fsstress D 0 13117 13115 0x00004000 + [404571.537263] Call Trace: + [404571.537524] ? __schedule+0x3ae/0x7b0 + [404571.537788] schedule+0x3a/0xb0 + [404571.538066] wait_current_trans+0xc8/0x100 [btrfs] + [404571.538349] ? remove_wait_queue+0x60/0x60 + [404571.538680] start_transaction+0x33c/0x500 [btrfs] + [404571.539076] btrfs_check_shared+0xa3/0x1f0 [btrfs] + [404571.539513] ? extent_fiemap+0x2ce/0x650 [btrfs] + [404571.539866] extent_fiemap+0x2ce/0x650 [btrfs] + [404571.540170] do_vfs_ioctl+0x526/0x6f0 + [404571.540436] ksys_ioctl+0x70/0x80 + [404571.540734] __x64_sys_ioctl+0x16/0x20 + [404571.540997] do_syscall_64+0x60/0x1d0 + [404571.541279] entry_SYSCALL_64_after_hwframe+0x49/0xbe + (...) + [404571.543729] btrfs D 0 14210 14208 0x00004000 + [404571.544023] Call Trace: + [404571.544275] ? __schedule+0x3ae/0x7b0 + [404571.544526] ? wait_for_completion+0x112/0x1a0 + [404571.544795] schedule+0x3a/0xb0 + [404571.545064] schedule_timeout+0x1ff/0x390 + [404571.545351] ? lock_acquire+0xa6/0x190 + [404571.545638] ? wait_for_completion+0x49/0x1a0 + [404571.545890] ? wait_for_completion+0x112/0x1a0 + [404571.546228] wait_for_completion+0x131/0x1a0 + [404571.546503] ? wake_up_q+0x70/0x70 + [404571.546775] btrfs_wait_ordered_extents+0x27c/0x400 [btrfs] + [404571.547159] btrfs_commit_transaction+0x3b0/0xae0 [btrfs] + [404571.547449] ? btrfs_mksubvol+0x4a4/0x640 [btrfs] + [404571.547703] ? remove_wait_queue+0x60/0x60 + [404571.547969] btrfs_mksubvol+0x605/0x640 [btrfs] + [404571.548226] ? __sb_start_write+0xd4/0x1c0 + [404571.548512] ? mnt_want_write_file+0x24/0x50 + [404571.548789] btrfs_ioctl_snap_create_transid+0x169/0x1a0 [btrfs] + [404571.549048] btrfs_ioctl_snap_create_v2+0x11d/0x170 [btrfs] + [404571.549307] btrfs_ioctl+0x133f/0x3150 [btrfs] + [404571.549549] ? mem_cgroup_charge_statistics+0x4c/0xd0 + [404571.549792] ? mem_cgroup_commit_charge+0x84/0x4b0 + [404571.550064] ? __handle_mm_fault+0xe3e/0x11f0 + [404571.550306] ? do_raw_spin_unlock+0x49/0xc0 + [404571.550608] ? _raw_spin_unlock+0x24/0x30 + [404571.550976] ? __handle_mm_fault+0xedf/0x11f0 + [404571.551319] ? do_vfs_ioctl+0xa2/0x6f0 + [404571.551659] ? btrfs_ioctl_get_supported_features+0x30/0x30 [btrfs] + [404571.552087] do_vfs_ioctl+0xa2/0x6f0 + [404571.552355] ksys_ioctl+0x70/0x80 + [404571.552621] __x64_sys_ioctl+0x16/0x20 + [404571.552864] do_syscall_64+0x60/0x1d0 + [404571.553104] entry_SYSCALL_64_after_hwframe+0x49/0xbe + (...) + +If we were joining the transaction instead of attaching to it, we would +not risk a deadlock because a join only blocks if the transaction is in a +state greater then or equals to TRANS_STATE_COMMIT_DOING, and the delalloc +flush performed by a transaction is done before it reaches that state, +when it is in the state TRANS_STATE_COMMIT_START. However a transaction +join is intended for use cases where we do modify the filesystem, and +fiemap only needs to peek at delayed references from the current +transaction in order to determine if extents are shared, and, besides +that, when there is no current transaction or when it blocks to wait for +a current committing transaction to complete, it creates a new transaction +without reserving any space. Such unnecessary transactions, besides doing +unnecessary IO, can cause transaction aborts (-ENOSPC) and unnecessary +rotation of the precious backup roots. + +So fix this by adding a new transaction join variant, named join_nostart, +which behaves like the regular join, but it does not create a transaction +when none currently exists or after waiting for a committing transaction +to complete. + +Fixes: 03628cdbc64db6 ("Btrfs: do not start a transaction during fiemap") +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/backref.c | 2 +- + fs/btrfs/transaction.c | 22 ++++++++++++++++++---- + fs/btrfs/transaction.h | 3 +++ + 3 files changed, 22 insertions(+), 5 deletions(-) + +diff --git a/fs/btrfs/backref.c b/fs/btrfs/backref.c +index ac6c383d63140..19855659f6503 100644 +--- a/fs/btrfs/backref.c ++++ b/fs/btrfs/backref.c +@@ -1485,7 +1485,7 @@ int btrfs_check_shared(struct btrfs_root *root, u64 inum, u64 bytenr) + goto out; + } + +- trans = btrfs_attach_transaction(root); ++ trans = btrfs_join_transaction_nostart(root); + if (IS_ERR(trans)) { + if (PTR_ERR(trans) != -ENOENT && PTR_ERR(trans) != -EROFS) { + ret = PTR_ERR(trans); +diff --git a/fs/btrfs/transaction.c b/fs/btrfs/transaction.c +index f1ca53a3ff0bf..26317bca56499 100644 +--- a/fs/btrfs/transaction.c ++++ b/fs/btrfs/transaction.c +@@ -28,15 +28,18 @@ static const unsigned int btrfs_blocked_trans_types[TRANS_STATE_MAX] = { + [TRANS_STATE_COMMIT_START] = (__TRANS_START | __TRANS_ATTACH), + [TRANS_STATE_COMMIT_DOING] = (__TRANS_START | + __TRANS_ATTACH | +- __TRANS_JOIN), ++ __TRANS_JOIN | ++ __TRANS_JOIN_NOSTART), + [TRANS_STATE_UNBLOCKED] = (__TRANS_START | + __TRANS_ATTACH | + __TRANS_JOIN | +- __TRANS_JOIN_NOLOCK), ++ __TRANS_JOIN_NOLOCK | ++ __TRANS_JOIN_NOSTART), + [TRANS_STATE_COMPLETED] = (__TRANS_START | + __TRANS_ATTACH | + __TRANS_JOIN | +- __TRANS_JOIN_NOLOCK), ++ __TRANS_JOIN_NOLOCK | ++ __TRANS_JOIN_NOSTART), + }; + + void btrfs_put_transaction(struct btrfs_transaction *transaction) +@@ -531,7 +534,8 @@ again: + ret = join_transaction(fs_info, type); + if (ret == -EBUSY) { + wait_current_trans(fs_info); +- if (unlikely(type == TRANS_ATTACH)) ++ if (unlikely(type == TRANS_ATTACH || ++ type == TRANS_JOIN_NOSTART)) + ret = -ENOENT; + } + } while (ret == -EBUSY); +@@ -647,6 +651,16 @@ struct btrfs_trans_handle *btrfs_join_transaction_nolock(struct btrfs_root *root + BTRFS_RESERVE_NO_FLUSH, true); + } + ++/* ++ * Similar to regular join but it never starts a transaction when none is ++ * running or after waiting for the current one to finish. ++ */ ++struct btrfs_trans_handle *btrfs_join_transaction_nostart(struct btrfs_root *root) ++{ ++ return start_transaction(root, 0, TRANS_JOIN_NOSTART, ++ BTRFS_RESERVE_NO_FLUSH, true); ++} ++ + /* + * btrfs_attach_transaction() - catch the running transaction + * +diff --git a/fs/btrfs/transaction.h b/fs/btrfs/transaction.h +index 4cbb1b55387dc..c1d34cc704722 100644 +--- a/fs/btrfs/transaction.h ++++ b/fs/btrfs/transaction.h +@@ -97,11 +97,13 @@ struct btrfs_transaction { + #define __TRANS_JOIN (1U << 11) + #define __TRANS_JOIN_NOLOCK (1U << 12) + #define __TRANS_DUMMY (1U << 13) ++#define __TRANS_JOIN_NOSTART (1U << 14) + + #define TRANS_START (__TRANS_START | __TRANS_FREEZABLE) + #define TRANS_ATTACH (__TRANS_ATTACH) + #define TRANS_JOIN (__TRANS_JOIN | __TRANS_FREEZABLE) + #define TRANS_JOIN_NOLOCK (__TRANS_JOIN_NOLOCK) ++#define TRANS_JOIN_NOSTART (__TRANS_JOIN_NOSTART) + + #define TRANS_EXTWRITERS (__TRANS_START | __TRANS_ATTACH) + +@@ -187,6 +189,7 @@ struct btrfs_trans_handle *btrfs_start_transaction_fallback_global_rsv( + int min_factor); + struct btrfs_trans_handle *btrfs_join_transaction(struct btrfs_root *root); + struct btrfs_trans_handle *btrfs_join_transaction_nolock(struct btrfs_root *root); ++struct btrfs_trans_handle *btrfs_join_transaction_nostart(struct btrfs_root *root); + struct btrfs_trans_handle *btrfs_attach_transaction(struct btrfs_root *root); + struct btrfs_trans_handle *btrfs_attach_transaction_barrier( + struct btrfs_root *root); +-- +2.20.1 + diff --git a/queue-4.19/clk-at91-generated-truncate-divisor-to-generated_max.patch b/queue-4.19/clk-at91-generated-truncate-divisor-to-generated_max.patch new file mode 100644 index 00000000000..5f9d30b8bdb --- /dev/null +++ b/queue-4.19/clk-at91-generated-truncate-divisor-to-generated_max.patch @@ -0,0 +1,39 @@ +From 4f0ca8d939d3c8de2adef2b81ef8a021d8cffd8d Mon Sep 17 00:00:00 2001 +From: Codrin Ciubotariu +Date: Tue, 25 Jun 2019 12:10:02 +0300 +Subject: clk: at91: generated: Truncate divisor to GENERATED_MAX_DIV + 1 + +[ Upstream commit 1573eebeaa8055777eb753f9b4d1cbe653380c38 ] + +In clk_generated_determine_rate(), if the divisor is greater than +GENERATED_MAX_DIV + 1, then the wrong best_rate will be returned. +If clk_generated_set_rate() will be called later with this wrong +rate, it will return -EINVAL, so the generated clock won't change +its value. Do no let the divisor be greater than GENERATED_MAX_DIV + 1. + +Fixes: 8c7aa6328947 ("clk: at91: clk-generated: remove useless divisor loop") +Signed-off-by: Codrin Ciubotariu +Acked-by: Nicolas Ferre +Acked-by: Ludovic Desroches +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/at91/clk-generated.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/clk/at91/clk-generated.c b/drivers/clk/at91/clk-generated.c +index 33481368740e7..113152425a95d 100644 +--- a/drivers/clk/at91/clk-generated.c ++++ b/drivers/clk/at91/clk-generated.c +@@ -153,6 +153,8 @@ static int clk_generated_determine_rate(struct clk_hw *hw, + continue; + + div = DIV_ROUND_CLOSEST(parent_rate, req->rate); ++ if (div > GENERATED_MAX_DIV + 1) ++ div = GENERATED_MAX_DIV + 1; + + clk_generated_best_diff(req, parent, parent_rate, div, + &best_diff, &best_rate); +-- +2.20.1 + diff --git a/queue-4.19/clk-renesas-cpg-mssr-fix-reset-control-race-conditio.patch b/queue-4.19/clk-renesas-cpg-mssr-fix-reset-control-race-conditio.patch new file mode 100644 index 00000000000..cab529c420d --- /dev/null +++ b/queue-4.19/clk-renesas-cpg-mssr-fix-reset-control-race-conditio.patch @@ -0,0 +1,109 @@ +From be4472c63d676c1c6c2edc713b56da4992d49d97 Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Thu, 11 Jul 2019 15:03:59 +0200 +Subject: clk: renesas: cpg-mssr: Fix reset control race condition + +[ Upstream commit e1f1ae8002e4b06addc52443fcd975bbf554ae92 ] + +The module reset code in the Renesas CPG/MSSR driver uses +read-modify-write (RMW) operations to write to a Software Reset Register +(SRCRn), and simple writes to write to a Software Reset Clearing +Register (SRSTCLRn), as was mandated by the R-Car Gen2 and Gen3 Hardware +User's Manuals. + +However, this may cause a race condition when two devices are reset in +parallel: if the reset for device A completes in the middle of the RMW +operation for device B, device A may be reset again, causing subtle +failures (e.g. i2c timeouts): + + thread A thread B + -------- -------- + + val = SRCRn + val |= bit A + SRCRn = val + + delay + + val = SRCRn (bit A is set) + + SRSTCLRn = bit A + (bit A in SRCRn is cleared) + + val |= bit B + SRCRn = val (bit A and B are set) + +This can be reproduced on e.g. Salvator-XS using: + + $ while true; do i2cdump -f -y 4 0x6A b > /dev/null; done & + $ while true; do i2cdump -f -y 2 0x10 b > /dev/null; done & + + i2c-rcar e6510000.i2c: error -110 : 40000002 + i2c-rcar e66d8000.i2c: error -110 : 40000002 + +According to the R-Car Gen3 Hardware Manual Errata for Rev. +0.80 of Feb 28, 2018, reflected in Rev. 1.00 of the R-Car Gen3 Hardware +User's Manual, writes to SRCRn do not require read-modify-write cycles. + +Note that the R-Car Gen2 Hardware User's Manual has not been updated +yet, and still says a read-modify-write sequence is required. According +to the hardware team, the reset hardware block is the same on both R-Car +Gen2 and Gen3, though. + +Hence fix the issue by replacing the read-modify-write operations on +SRCRn by simple writes. + +Reported-by: Yao Lihua +Fixes: 6197aa65c4905532 ("clk: renesas: cpg-mssr: Add support for reset control") +Signed-off-by: Geert Uytterhoeven +Tested-by: Linh Phung +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/renesas/renesas-cpg-mssr.c | 16 ++-------------- + 1 file changed, 2 insertions(+), 14 deletions(-) + +diff --git a/drivers/clk/renesas/renesas-cpg-mssr.c b/drivers/clk/renesas/renesas-cpg-mssr.c +index f4b013e9352d9..24485bee9b49e 100644 +--- a/drivers/clk/renesas/renesas-cpg-mssr.c ++++ b/drivers/clk/renesas/renesas-cpg-mssr.c +@@ -535,17 +535,11 @@ static int cpg_mssr_reset(struct reset_controller_dev *rcdev, + unsigned int reg = id / 32; + unsigned int bit = id % 32; + u32 bitmask = BIT(bit); +- unsigned long flags; +- u32 value; + + dev_dbg(priv->dev, "reset %u%02u\n", reg, bit); + + /* Reset module */ +- spin_lock_irqsave(&priv->rmw_lock, flags); +- value = readl(priv->base + SRCR(reg)); +- value |= bitmask; +- writel(value, priv->base + SRCR(reg)); +- spin_unlock_irqrestore(&priv->rmw_lock, flags); ++ writel(bitmask, priv->base + SRCR(reg)); + + /* Wait for at least one cycle of the RCLK clock (@ ca. 32 kHz) */ + udelay(35); +@@ -562,16 +556,10 @@ static int cpg_mssr_assert(struct reset_controller_dev *rcdev, unsigned long id) + unsigned int reg = id / 32; + unsigned int bit = id % 32; + u32 bitmask = BIT(bit); +- unsigned long flags; +- u32 value; + + dev_dbg(priv->dev, "assert %u%02u\n", reg, bit); + +- spin_lock_irqsave(&priv->rmw_lock, flags); +- value = readl(priv->base + SRCR(reg)); +- value |= bitmask; +- writel(value, priv->base + SRCR(reg)); +- spin_unlock_irqrestore(&priv->rmw_lock, flags); ++ writel(bitmask, priv->base + SRCR(reg)); + return 0; + } + +-- +2.20.1 + diff --git a/queue-4.19/clk-sprd-select-regmap_mmio-to-avoid-compile-errors.patch b/queue-4.19/clk-sprd-select-regmap_mmio-to-avoid-compile-errors.patch new file mode 100644 index 00000000000..a07bda99791 --- /dev/null +++ b/queue-4.19/clk-sprd-select-regmap_mmio-to-avoid-compile-errors.patch @@ -0,0 +1,32 @@ +From fa8b8eb152d60086901164a386a98b584d923f0b Mon Sep 17 00:00:00 2001 +From: Chunyan Zhang +Date: Thu, 18 Jul 2019 13:36:16 +0800 +Subject: clk: sprd: Select REGMAP_MMIO to avoid compile errors + +[ Upstream commit c9a67cbb5189e966c70451562b2ca4c3876ab546 ] + +Make REGMAP_MMIO selected to avoid undefined reference to regmap symbols. + +Fixes: d41f59fd92f2 ("clk: sprd: Add common infrastructure") +Signed-off-by: Chunyan Zhang +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/sprd/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/clk/sprd/Kconfig b/drivers/clk/sprd/Kconfig +index 87892471eb96c..bad8099832d48 100644 +--- a/drivers/clk/sprd/Kconfig ++++ b/drivers/clk/sprd/Kconfig +@@ -2,6 +2,7 @@ config SPRD_COMMON_CLK + tristate "Clock support for Spreadtrum SoCs" + depends on ARCH_SPRD || COMPILE_TEST + default ARCH_SPRD ++ select REGMAP_MMIO + + if SPRD_COMMON_CLK + +-- +2.20.1 + diff --git a/queue-4.19/drm-amdgpu-fix-a-potential-information-leaking-bug.patch b/queue-4.19/drm-amdgpu-fix-a-potential-information-leaking-bug.patch new file mode 100644 index 00000000000..6a79b93ec84 --- /dev/null +++ b/queue-4.19/drm-amdgpu-fix-a-potential-information-leaking-bug.patch @@ -0,0 +1,48 @@ +From dc1f574fd1cfa146336edd1989099e0f224a8df9 Mon Sep 17 00:00:00 2001 +From: Wang Xiayang +Date: Sat, 27 Jul 2019 17:30:30 +0800 +Subject: drm/amdgpu: fix a potential information leaking bug +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 929e571c04c285861e0bb049a396a2bdaea63282 ] + +Coccinelle reports a path that the array "data" is never initialized. +The path skips the checks in the conditional branches when either +of callback functions, read_wave_vgprs and read_wave_sgprs, is not +registered. Later, the uninitialized "data" array is read +in the while-loop below and passed to put_user(). + +Fix the path by allocating the array with kcalloc(). + +The patch is simplier than adding a fall-back branch that explicitly +calls memset(data, 0, ...). Also it does not need the multiplication +1024*sizeof(*data) as the size parameter for memset() though there is +no risk of integer overflow. + +Signed-off-by: Wang Xiayang +Reviewed-by: Chunming Zhou +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c +index f5fb93795a69a..65cecfdd9b454 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c +@@ -707,7 +707,7 @@ static ssize_t amdgpu_debugfs_gpr_read(struct file *f, char __user *buf, + thread = (*pos & GENMASK_ULL(59, 52)) >> 52; + bank = (*pos & GENMASK_ULL(61, 60)) >> 60; + +- data = kmalloc_array(1024, sizeof(*data), GFP_KERNEL); ++ data = kcalloc(1024, sizeof(*data), GFP_KERNEL); + if (!data) + return -ENOMEM; + +-- +2.20.1 + diff --git a/queue-4.19/drm-bridge-lvds-encoder-fix-build-error-while-config.patch b/queue-4.19/drm-bridge-lvds-encoder-fix-build-error-while-config.patch new file mode 100644 index 00000000000..286e42e99fc --- /dev/null +++ b/queue-4.19/drm-bridge-lvds-encoder-fix-build-error-while-config.patch @@ -0,0 +1,40 @@ +From bcafd68523ba9503f07c09e0dddc0ee243787ddd Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Mon, 29 Jul 2019 15:12:16 +0800 +Subject: drm/bridge: lvds-encoder: Fix build error while + CONFIG_DRM_KMS_HELPER=m + +[ Upstream commit f4cc743a98136df3c3763050a0e8223b52d9a960 ] + +If DRM_LVDS_ENCODER=y but CONFIG_DRM_KMS_HELPER=m, +build fails: + +drivers/gpu/drm/bridge/lvds-encoder.o: In function `lvds_encoder_probe': +lvds-encoder.c:(.text+0x155): undefined reference to `devm_drm_panel_bridge_add' + +Reported-by: Hulk Robot +Fixes: dbb58bfd9ae6 ("drm/bridge: Fix lvds-encoder since the panel_bridge rework.") +Signed-off-by: YueHaibing +Reviewed-by: Neil Armstrong +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20190729071216.27488-1-yuehaibing@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/bridge/Kconfig b/drivers/gpu/drm/bridge/Kconfig +index bf6cad6c9178b..7a3e5a8f6439b 100644 +--- a/drivers/gpu/drm/bridge/Kconfig ++++ b/drivers/gpu/drm/bridge/Kconfig +@@ -46,6 +46,7 @@ config DRM_DUMB_VGA_DAC + config DRM_LVDS_ENCODER + tristate "Transparent parallel to LVDS encoder support" + depends on OF ++ select DRM_KMS_HELPER + select DRM_PANEL_BRIDGE + help + Support for transparent parallel to LVDS encoders that don't require +-- +2.20.1 + diff --git a/queue-4.19/drm-exynos-fix-missing-decrement-of-retry-counter.patch b/queue-4.19/drm-exynos-fix-missing-decrement-of-retry-counter.patch new file mode 100644 index 00000000000..dc7afc8b953 --- /dev/null +++ b/queue-4.19/drm-exynos-fix-missing-decrement-of-retry-counter.patch @@ -0,0 +1,41 @@ +From e341ac1fdcfaa90cca7c0498aaf43b7ee854b7f7 Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Mon, 22 Jul 2019 23:25:35 +0100 +Subject: drm/exynos: fix missing decrement of retry counter + +[ Upstream commit 1bbbab097a05276e312dd2462791d32b21ceb1ee ] + +Currently the retry counter is not being decremented, leading to a +potential infinite spin if the scalar_reads don't change state. + +Addresses-Coverity: ("Infinite loop") +Fixes: 280e54c9f614 ("drm/exynos: scaler: Reset hardware before starting the operation") +Signed-off-by: Colin Ian King +Signed-off-by: Inki Dae +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/exynos/exynos_drm_scaler.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/exynos/exynos_drm_scaler.c b/drivers/gpu/drm/exynos/exynos_drm_scaler.c +index 0ddb6eec7b113..df228436a03d9 100644 +--- a/drivers/gpu/drm/exynos/exynos_drm_scaler.c ++++ b/drivers/gpu/drm/exynos/exynos_drm_scaler.c +@@ -108,12 +108,12 @@ static inline int scaler_reset(struct scaler_context *scaler) + scaler_write(SCALER_CFG_SOFT_RESET, SCALER_CFG); + do { + cpu_relax(); +- } while (retry > 1 && ++ } while (--retry > 1 && + scaler_read(SCALER_CFG) & SCALER_CFG_SOFT_RESET); + do { + cpu_relax(); + scaler_write(1, SCALER_INT_EN); +- } while (retry > 0 && scaler_read(SCALER_INT_EN) != 1); ++ } while (--retry > 0 && scaler_read(SCALER_INT_EN) != 1); + + return retry ? 0 : -EIO; + } +-- +2.20.1 + diff --git a/queue-4.19/drm-msm-fix-add_gpu_components.patch b/queue-4.19/drm-msm-fix-add_gpu_components.patch new file mode 100644 index 00000000000..6dbf04e9d77 --- /dev/null +++ b/queue-4.19/drm-msm-fix-add_gpu_components.patch @@ -0,0 +1,42 @@ +From 9cda6791568e042c84e867e8d10bc8df116cb184 Mon Sep 17 00:00:00 2001 +From: Jeffrey Hugo +Date: Wed, 26 Jun 2019 11:00:15 -0700 +Subject: drm: msm: Fix add_gpu_components + +[ Upstream commit 9ca7ad6c7706edeae331c1632d0c63897418ebad ] + +add_gpu_components() adds found GPU nodes from the DT to the match list, +regardless of the status of the nodes. This is a problem, because if the +nodes are disabled, they should not be on the match list because they will +not be matched. This prevents display from initing if a GPU node is +defined, but it's status is disabled. + +Fix this by checking the node's status before adding it to the match list. + +Fixes: dc3ea265b856 (drm/msm: Drop the gpu binding) +Reviewed-by: Rob Clark +Signed-off-by: Jeffrey Hugo +Signed-off-by: Sean Paul +Link: https://patchwork.freedesktop.org/patch/msgid/20190626180015.45242-1-jeffrey.l.hugo@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/msm_drv.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/msm_drv.c b/drivers/gpu/drm/msm/msm_drv.c +index ed9a3a1e50efb..dbfd2c006f740 100644 +--- a/drivers/gpu/drm/msm/msm_drv.c ++++ b/drivers/gpu/drm/msm/msm_drv.c +@@ -1284,7 +1284,8 @@ static int add_gpu_components(struct device *dev, + if (!np) + return 0; + +- drm_of_component_match_add(dev, matchptr, compare_of, np); ++ if (of_device_is_available(np)) ++ drm_of_component_match_add(dev, matchptr, compare_of, np); + + of_node_put(np); + +-- +2.20.1 + diff --git a/queue-4.19/exit-make-setting-exit_state-consistent.patch b/queue-4.19/exit-make-setting-exit_state-consistent.patch new file mode 100644 index 00000000000..9b3d7befca1 --- /dev/null +++ b/queue-4.19/exit-make-setting-exit_state-consistent.patch @@ -0,0 +1,51 @@ +From 06935f1b34141c8581abc5751744e43133fe5d57 Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Mon, 29 Jul 2019 17:48:24 +0200 +Subject: exit: make setting exit_state consistent + +[ Upstream commit 30b692d3b390c6fe78a5064be0c4bbd44a41be59 ] + +Since commit b191d6491be6 ("pidfd: fix a poll race when setting exit_state") +we unconditionally set exit_state to EXIT_ZOMBIE before calling into +do_notify_parent(). This was done to eliminate a race when querying +exit_state in do_notify_pidfd(). +Back then we decided to do the absolute minimal thing to fix this and +not touch the rest of the exit_notify() function where exit_state is +set. +Since this fix has not caused any issues change the setting of +exit_state to EXIT_DEAD in the autoreap case to account for the fact hat +exit_state is set to EXIT_ZOMBIE unconditionally. This fix was planned +but also explicitly requested in [1] and makes the whole code more +consistent. + +/* References */ +[1]: https://lore.kernel.org/lkml/CAHk-=wigcxGFR2szue4wavJtH5cYTTeNES=toUBVGsmX0rzX+g@mail.gmail.com + +Signed-off-by: Christian Brauner +Acked-by: Oleg Nesterov +Cc: Linus Torvalds +Signed-off-by: Sasha Levin +--- + kernel/exit.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/kernel/exit.c b/kernel/exit.c +index e10de9836dd77..1c1633cc197e6 100644 +--- a/kernel/exit.c ++++ b/kernel/exit.c +@@ -732,9 +732,10 @@ static void exit_notify(struct task_struct *tsk, int group_dead) + autoreap = true; + } + +- tsk->exit_state = autoreap ? EXIT_DEAD : EXIT_ZOMBIE; +- if (tsk->exit_state == EXIT_DEAD) ++ if (autoreap) { ++ tsk->exit_state = EXIT_DEAD; + list_add(&tsk->ptrace_entry, &dead); ++ } + + /* mt-exec, de_thread() is waiting for group leader */ + if (unlikely(tsk->signal->notify_count < 0)) +-- +2.20.1 + diff --git a/queue-4.19/ib-core-add-mitigation-for-spectre-v1.patch b/queue-4.19/ib-core-add-mitigation-for-spectre-v1.patch new file mode 100644 index 00000000000..d90157bdee7 --- /dev/null +++ b/queue-4.19/ib-core-add-mitigation-for-spectre-v1.patch @@ -0,0 +1,52 @@ +From 93d36161124f08bc359fa761d90ed3028954db78 Mon Sep 17 00:00:00 2001 +From: "Luck, Tony" +Date: Tue, 30 Jul 2019 21:39:57 -0700 +Subject: IB/core: Add mitigation for Spectre V1 + +[ Upstream commit 61f259821dd3306e49b7d42a3f90fb5a4ff3351b ] + +Some processors may mispredict an array bounds check and +speculatively access memory that they should not. With +a user supplied array index we like to play things safe +by masking the value with the array size before it is +used as an index. + +Signed-off-by: Tony Luck +Link: https://lore.kernel.org/r/20190731043957.GA1600@agluck-desk2.amr.corp.intel.com +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/user_mad.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/core/user_mad.c b/drivers/infiniband/core/user_mad.c +index c34a6852d691f..a18f3f8ad77fe 100644 +--- a/drivers/infiniband/core/user_mad.c ++++ b/drivers/infiniband/core/user_mad.c +@@ -49,6 +49,7 @@ + #include + #include + #include ++#include + + #include + +@@ -868,11 +869,14 @@ static int ib_umad_unreg_agent(struct ib_umad_file *file, u32 __user *arg) + + if (get_user(id, arg)) + return -EFAULT; ++ if (id >= IB_UMAD_MAX_AGENTS) ++ return -EINVAL; + + mutex_lock(&file->port->file_mutex); + mutex_lock(&file->mutex); + +- if (id >= IB_UMAD_MAX_AGENTS || !__get_agent(file, id)) { ++ id = array_index_nospec(id, IB_UMAD_MAX_AGENTS); ++ if (!__get_agent(file, id)) { + ret = -EINVAL; + goto out; + } +-- +2.20.1 + diff --git a/queue-4.19/ib-mad-fix-use-after-free-in-ib-mad-completion-handl.patch b/queue-4.19/ib-mad-fix-use-after-free-in-ib-mad-completion-handl.patch new file mode 100644 index 00000000000..b0bc53d7800 --- /dev/null +++ b/queue-4.19/ib-mad-fix-use-after-free-in-ib-mad-completion-handl.patch @@ -0,0 +1,150 @@ +From a2a22cbe81ade2b7f5417df2d1b6ef0446ab895f Mon Sep 17 00:00:00 2001 +From: Jack Morgenstein +Date: Thu, 1 Aug 2019 15:14:49 +0300 +Subject: IB/mad: Fix use-after-free in ib mad completion handling + +[ Upstream commit 770b7d96cfff6a8bf6c9f261ba6f135dc9edf484 ] + +We encountered a use-after-free bug when unloading the driver: + +[ 3562.116059] BUG: KASAN: use-after-free in ib_mad_post_receive_mads+0xddc/0xed0 [ib_core] +[ 3562.117233] Read of size 4 at addr ffff8882ca5aa868 by task kworker/u13:2/23862 +[ 3562.118385] +[ 3562.119519] CPU: 2 PID: 23862 Comm: kworker/u13:2 Tainted: G OE 5.1.0-for-upstream-dbg-2019-05-19_16-44-30-13 #1 +[ 3562.121806] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu2 04/01/2014 +[ 3562.123075] Workqueue: ib-comp-unb-wq ib_cq_poll_work [ib_core] +[ 3562.124383] Call Trace: +[ 3562.125640] dump_stack+0x9a/0xeb +[ 3562.126911] print_address_description+0xe3/0x2e0 +[ 3562.128223] ? ib_mad_post_receive_mads+0xddc/0xed0 [ib_core] +[ 3562.129545] __kasan_report+0x15c/0x1df +[ 3562.130866] ? ib_mad_post_receive_mads+0xddc/0xed0 [ib_core] +[ 3562.132174] kasan_report+0xe/0x20 +[ 3562.133514] ib_mad_post_receive_mads+0xddc/0xed0 [ib_core] +[ 3562.134835] ? find_mad_agent+0xa00/0xa00 [ib_core] +[ 3562.136158] ? qlist_free_all+0x51/0xb0 +[ 3562.137498] ? mlx4_ib_sqp_comp_worker+0x1970/0x1970 [mlx4_ib] +[ 3562.138833] ? quarantine_reduce+0x1fa/0x270 +[ 3562.140171] ? kasan_unpoison_shadow+0x30/0x40 +[ 3562.141522] ib_mad_recv_done+0xdf6/0x3000 [ib_core] +[ 3562.142880] ? _raw_spin_unlock_irqrestore+0x46/0x70 +[ 3562.144277] ? ib_mad_send_done+0x1810/0x1810 [ib_core] +[ 3562.145649] ? mlx4_ib_destroy_cq+0x2a0/0x2a0 [mlx4_ib] +[ 3562.147008] ? _raw_spin_unlock_irqrestore+0x46/0x70 +[ 3562.148380] ? debug_object_deactivate+0x2b9/0x4a0 +[ 3562.149814] __ib_process_cq+0xe2/0x1d0 [ib_core] +[ 3562.151195] ib_cq_poll_work+0x45/0xf0 [ib_core] +[ 3562.152577] process_one_work+0x90c/0x1860 +[ 3562.153959] ? pwq_dec_nr_in_flight+0x320/0x320 +[ 3562.155320] worker_thread+0x87/0xbb0 +[ 3562.156687] ? __kthread_parkme+0xb6/0x180 +[ 3562.158058] ? process_one_work+0x1860/0x1860 +[ 3562.159429] kthread+0x320/0x3e0 +[ 3562.161391] ? kthread_park+0x120/0x120 +[ 3562.162744] ret_from_fork+0x24/0x30 +... +[ 3562.187615] Freed by task 31682: +[ 3562.188602] save_stack+0x19/0x80 +[ 3562.189586] __kasan_slab_free+0x11d/0x160 +[ 3562.190571] kfree+0xf5/0x2f0 +[ 3562.191552] ib_mad_port_close+0x200/0x380 [ib_core] +[ 3562.192538] ib_mad_remove_device+0xf0/0x230 [ib_core] +[ 3562.193538] remove_client_context+0xa6/0xe0 [ib_core] +[ 3562.194514] disable_device+0x14e/0x260 [ib_core] +[ 3562.195488] __ib_unregister_device+0x79/0x150 [ib_core] +[ 3562.196462] ib_unregister_device+0x21/0x30 [ib_core] +[ 3562.197439] mlx4_ib_remove+0x162/0x690 [mlx4_ib] +[ 3562.198408] mlx4_remove_device+0x204/0x2c0 [mlx4_core] +[ 3562.199381] mlx4_unregister_interface+0x49/0x1d0 [mlx4_core] +[ 3562.200356] mlx4_ib_cleanup+0xc/0x1d [mlx4_ib] +[ 3562.201329] __x64_sys_delete_module+0x2d2/0x400 +[ 3562.202288] do_syscall_64+0x95/0x470 +[ 3562.203277] entry_SYSCALL_64_after_hwframe+0x49/0xbe + +The problem was that the MAD PD was deallocated before the MAD CQ. +There was completion work pending for the CQ when the PD got deallocated. +When the mad completion handling reached procedure +ib_mad_post_receive_mads(), we got a use-after-free bug in the following +line of code in that procedure: + sg_list.lkey = qp_info->port_priv->pd->local_dma_lkey; +(the pd pointer in the above line is no longer valid, because the +pd has been deallocated). + +We fix this by allocating the PD before the CQ in procedure +ib_mad_port_open(), and deallocating the PD after freeing the CQ +in procedure ib_mad_port_close(). + +Since the CQ completion work queue is flushed during ib_free_cq(), +no completions will be pending for that CQ when the PD is later +deallocated. + +Note that freeing the CQ before deallocating the PD is the practice +in the ULPs. + +Fixes: 4be90bc60df4 ("IB/mad: Remove ib_get_dma_mr calls") +Signed-off-by: Jack Morgenstein +Signed-off-by: Leon Romanovsky +Link: https://lore.kernel.org/r/20190801121449.24973-1-leon@kernel.org +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/mad.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/drivers/infiniband/core/mad.c b/drivers/infiniband/core/mad.c +index ef459f2f2eeb8..7586c1dd73f19 100644 +--- a/drivers/infiniband/core/mad.c ++++ b/drivers/infiniband/core/mad.c +@@ -3182,18 +3182,18 @@ static int ib_mad_port_open(struct ib_device *device, + if (has_smi) + cq_size *= 2; + ++ port_priv->pd = ib_alloc_pd(device, 0); ++ if (IS_ERR(port_priv->pd)) { ++ dev_err(&device->dev, "Couldn't create ib_mad PD\n"); ++ ret = PTR_ERR(port_priv->pd); ++ goto error3; ++ } ++ + port_priv->cq = ib_alloc_cq(port_priv->device, port_priv, cq_size, 0, + IB_POLL_WORKQUEUE); + if (IS_ERR(port_priv->cq)) { + dev_err(&device->dev, "Couldn't create ib_mad CQ\n"); + ret = PTR_ERR(port_priv->cq); +- goto error3; +- } +- +- port_priv->pd = ib_alloc_pd(device, 0); +- if (IS_ERR(port_priv->pd)) { +- dev_err(&device->dev, "Couldn't create ib_mad PD\n"); +- ret = PTR_ERR(port_priv->pd); + goto error4; + } + +@@ -3236,11 +3236,11 @@ error8: + error7: + destroy_mad_qp(&port_priv->qp_info[0]); + error6: +- ib_dealloc_pd(port_priv->pd); +-error4: + ib_free_cq(port_priv->cq); + cleanup_recv_queue(&port_priv->qp_info[1]); + cleanup_recv_queue(&port_priv->qp_info[0]); ++error4: ++ ib_dealloc_pd(port_priv->pd); + error3: + kfree(port_priv); + +@@ -3270,8 +3270,8 @@ static int ib_mad_port_close(struct ib_device *device, int port_num) + destroy_workqueue(port_priv->wq); + destroy_mad_qp(&port_priv->qp_info[1]); + destroy_mad_qp(&port_priv->qp_info[0]); +- ib_dealloc_pd(port_priv->pd); + ib_free_cq(port_priv->cq); ++ ib_dealloc_pd(port_priv->pd); + cleanup_recv_queue(&port_priv->qp_info[1]); + cleanup_recv_queue(&port_priv->qp_info[0]); + /* XXX: Handle deallocation of MAD registration tables */ +-- +2.20.1 + diff --git a/queue-4.19/ib-mlx5-fix-mr-registration-flow-to-use-umr-properly.patch b/queue-4.19/ib-mlx5-fix-mr-registration-flow-to-use-umr-properly.patch new file mode 100644 index 00000000000..c5054421cd5 --- /dev/null +++ b/queue-4.19/ib-mlx5-fix-mr-registration-flow-to-use-umr-properly.patch @@ -0,0 +1,108 @@ +From 17ca65d269f9ae7aedc3726dc424e36b788fd850 Mon Sep 17 00:00:00 2001 +From: Guy Levi +Date: Wed, 31 Jul 2019 11:19:29 +0300 +Subject: IB/mlx5: Fix MR registration flow to use UMR properly + +[ Upstream commit e5366d309a772fef264ec85e858f9ea46f939848 ] + +Driver shouldn't allow to use UMR to register a MR when +umr_modify_atomic_disabled is set. Otherwise it will always end up with a +failure in the post send flow which sets the UMR WQE to modify atomic access +right. + +Fixes: c8d75a980fab ("IB/mlx5: Respect new UMR capabilities") +Signed-off-by: Guy Levi +Reviewed-by: Moni Shoua +Signed-off-by: Leon Romanovsky +Link: https://lore.kernel.org/r/20190731081929.32559-1-leon@kernel.org +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/mr.c | 27 +++++++++------------------ + 1 file changed, 9 insertions(+), 18 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx5/mr.c b/drivers/infiniband/hw/mlx5/mr.c +index 9bab4fb65c688..bd1fdadf7ba01 100644 +--- a/drivers/infiniband/hw/mlx5/mr.c ++++ b/drivers/infiniband/hw/mlx5/mr.c +@@ -51,22 +51,12 @@ static void clean_mr(struct mlx5_ib_dev *dev, struct mlx5_ib_mr *mr); + static void dereg_mr(struct mlx5_ib_dev *dev, struct mlx5_ib_mr *mr); + static int mr_cache_max_order(struct mlx5_ib_dev *dev); + static int unreg_umr(struct mlx5_ib_dev *dev, struct mlx5_ib_mr *mr); +-static bool umr_can_modify_entity_size(struct mlx5_ib_dev *dev) +-{ +- return !MLX5_CAP_GEN(dev->mdev, umr_modify_entity_size_disabled); +-} + + static bool umr_can_use_indirect_mkey(struct mlx5_ib_dev *dev) + { + return !MLX5_CAP_GEN(dev->mdev, umr_indirect_mkey_disabled); + } + +-static bool use_umr(struct mlx5_ib_dev *dev, int order) +-{ +- return order <= mr_cache_max_order(dev) && +- umr_can_modify_entity_size(dev); +-} +- + static int destroy_mkey(struct mlx5_ib_dev *dev, struct mlx5_ib_mr *mr) + { + int err = mlx5_core_destroy_mkey(dev->mdev, &mr->mmkey); +@@ -1305,7 +1295,7 @@ struct ib_mr *mlx5_ib_reg_user_mr(struct ib_pd *pd, u64 start, u64 length, + { + struct mlx5_ib_dev *dev = to_mdev(pd->device); + struct mlx5_ib_mr *mr = NULL; +- bool populate_mtts = false; ++ bool use_umr; + struct ib_umem *umem; + int page_shift; + int npages; +@@ -1338,29 +1328,30 @@ struct ib_mr *mlx5_ib_reg_user_mr(struct ib_pd *pd, u64 start, u64 length, + if (err < 0) + return ERR_PTR(err); + +- if (use_umr(dev, order)) { ++ use_umr = !MLX5_CAP_GEN(dev->mdev, umr_modify_entity_size_disabled) && ++ (!MLX5_CAP_GEN(dev->mdev, umr_modify_atomic_disabled) || ++ !MLX5_CAP_GEN(dev->mdev, atomic)); ++ ++ if (order <= mr_cache_max_order(dev) && use_umr) { + mr = alloc_mr_from_cache(pd, umem, virt_addr, length, ncont, + page_shift, order, access_flags); + if (PTR_ERR(mr) == -EAGAIN) { + mlx5_ib_dbg(dev, "cache empty for order %d\n", order); + mr = NULL; + } +- populate_mtts = false; + } else if (!MLX5_CAP_GEN(dev->mdev, umr_extended_translation_offset)) { + if (access_flags & IB_ACCESS_ON_DEMAND) { + err = -EINVAL; + pr_err("Got MR registration for ODP MR > 512MB, not supported for Connect-IB\n"); + goto error; + } +- populate_mtts = true; ++ use_umr = false; + } + + if (!mr) { +- if (!umr_can_modify_entity_size(dev)) +- populate_mtts = true; + mutex_lock(&dev->slow_path_mutex); + mr = reg_create(NULL, pd, virt_addr, length, umem, ncont, +- page_shift, access_flags, populate_mtts); ++ page_shift, access_flags, !use_umr); + mutex_unlock(&dev->slow_path_mutex); + } + +@@ -1378,7 +1369,7 @@ struct ib_mr *mlx5_ib_reg_user_mr(struct ib_pd *pd, u64 start, u64 length, + update_odp_mr(mr); + #endif + +- if (!populate_mtts) { ++ if (use_umr) { + int update_xlt_flags = MLX5_IB_UPD_XLT_ENABLE; + + if (access_flags & IB_ACCESS_ON_DEMAND) +-- +2.20.1 + diff --git a/queue-4.19/irqchip-gic-v3-its-free-unused-vpt_page-when-alloc-v.patch b/queue-4.19/irqchip-gic-v3-its-free-unused-vpt_page-when-alloc-v.patch new file mode 100644 index 00000000000..04c1d7a59c3 --- /dev/null +++ b/queue-4.19/irqchip-gic-v3-its-free-unused-vpt_page-when-alloc-v.patch @@ -0,0 +1,38 @@ +From 407774078446ff6406276d704569a55939f3e0d3 Mon Sep 17 00:00:00 2001 +From: Nianyao Tang +Date: Fri, 26 Jul 2019 17:32:57 +0800 +Subject: irqchip/gic-v3-its: Free unused vpt_page when alloc vpe table fail + +[ Upstream commit 34f8eb92ca053cbba2887bb7e4dbf2b2cd6eb733 ] + +In its_vpe_init, when its_alloc_vpe_table fails, we should free +vpt_page allocated just before, instead of vpe->vpt_page. +Let's fix it. + +Cc: Thomas Gleixner +Cc: Jason Cooper +Cc: Marc Zyngier +Signed-off-by: Nianyao Tang +Signed-off-by: Shaokun Zhang +Signed-off-by: Marc Zyngier +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-gic-v3-its.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c +index ee30e8965d1be..9ba73e11757d9 100644 +--- a/drivers/irqchip/irq-gic-v3-its.c ++++ b/drivers/irqchip/irq-gic-v3-its.c +@@ -2883,7 +2883,7 @@ static int its_vpe_init(struct its_vpe *vpe) + + if (!its_alloc_vpe_table(vpe_id)) { + its_vpe_id_free(vpe_id); +- its_free_pending_table(vpe->vpt_page); ++ its_free_pending_table(vpt_page); + return -ENOMEM; + } + +-- +2.20.1 + diff --git a/queue-4.19/irqchip-irq-imx-gpcv2-forward-irq-type-to-parent.patch b/queue-4.19/irqchip-irq-imx-gpcv2-forward-irq-type-to-parent.patch new file mode 100644 index 00000000000..609b2964b4a --- /dev/null +++ b/queue-4.19/irqchip-irq-imx-gpcv2-forward-irq-type-to-parent.patch @@ -0,0 +1,33 @@ +From 2d2e877d3399bf666a78f194d2709095ce3f31cb Mon Sep 17 00:00:00 2001 +From: Lucas Stach +Date: Fri, 12 Jul 2019 15:29:05 +0200 +Subject: irqchip/irq-imx-gpcv2: Forward irq type to parent + +[ Upstream commit 9a446ef08f3bfc0c3deb9c6be840af2528ef8cf8 ] + +The GPCv2 is a stacked IRQ controller below the ARM GIC. It doesn't +care about the IRQ type itself, but needs to forward the type to the +parent IRQ controller, so this one can be configured correctly. + +Signed-off-by: Lucas Stach +Signed-off-by: Marc Zyngier +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-imx-gpcv2.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/irqchip/irq-imx-gpcv2.c b/drivers/irqchip/irq-imx-gpcv2.c +index 4760307ab43fc..cef8f5e2e8fce 100644 +--- a/drivers/irqchip/irq-imx-gpcv2.c ++++ b/drivers/irqchip/irq-imx-gpcv2.c +@@ -131,6 +131,7 @@ static struct irq_chip gpcv2_irqchip_data_chip = { + .irq_unmask = imx_gpcv2_irq_unmask, + .irq_set_wake = imx_gpcv2_irq_set_wake, + .irq_retrigger = irq_chip_retrigger_hierarchy, ++ .irq_set_type = irq_chip_set_type_parent, + #ifdef CONFIG_SMP + .irq_set_affinity = irq_chip_set_affinity_parent, + #endif +-- +2.20.1 + diff --git a/queue-4.19/kbuild-check-for-unknown-options-with-cc-option-usag.patch b/queue-4.19/kbuild-check-for-unknown-options-with-cc-option-usag.patch new file mode 100644 index 00000000000..f7e398d0c2f --- /dev/null +++ b/queue-4.19/kbuild-check-for-unknown-options-with-cc-option-usag.patch @@ -0,0 +1,66 @@ +From 191e93f8ca46672712ca45462d45f5c5566e97e4 Mon Sep 17 00:00:00 2001 +From: Stephen Boyd +Date: Tue, 30 Jul 2019 09:48:03 -0700 +Subject: kbuild: Check for unknown options with cc-option usage in Kconfig and + clang + +[ Upstream commit e8de12fb7cde2c85bc31097cd098da79a4818305 ] + +If the particular version of clang a user has doesn't enable +-Werror=unknown-warning-option by default, even though it is the +default[1], then make sure to pass the option to the Kconfig cc-option +command so that testing options from Kconfig files works properly. +Otherwise, depending on the default values setup in the clang toolchain +we will silently assume options such as -Wmaybe-uninitialized are +supported by clang, when they really aren't. + +A compilation issue only started happening for me once commit +589834b3a009 ("kbuild: Add -Werror=unknown-warning-option to +CLANG_FLAGS") was applied on top of commit b303c6df80c9 ("kbuild: +compute false-positive -Wmaybe-uninitialized cases in Kconfig"). This +leads kbuild to try and test for the existence of the +-Wmaybe-uninitialized flag with the cc-option command in +scripts/Kconfig.include, and it doesn't see an error returned from the +option test so it sets the config value to Y. Then the Makefile tries to +pass the unknown option on the command line and +-Werror=unknown-warning-option catches the invalid option and breaks the +build. Before commit 589834b3a009 ("kbuild: Add +-Werror=unknown-warning-option to CLANG_FLAGS") the build works fine, +but any cc-option test of a warning option in Kconfig files silently +evaluates to true, even if the warning option flag isn't supported on +clang. + +Note: This doesn't change cc-option usages in Makefiles because those +use a different rule that includes KBUILD_CFLAGS by default (see the +__cc-option command in scripts/Kbuild.incluide). The KBUILD_CFLAGS +variable already has the -Werror=unknown-warning-option flag set. Thanks +to Doug for pointing out the different rule. + +[1] https://clang.llvm.org/docs/DiagnosticsReference.html#wunknown-warning-option +Cc: Peter Smith +Cc: Nick Desaulniers +Cc: Douglas Anderson +Signed-off-by: Stephen Boyd +Reviewed-by: Nathan Chancellor +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/Kconfig.include | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/scripts/Kconfig.include b/scripts/Kconfig.include +index dad5583451afb..3b2861f47709b 100644 +--- a/scripts/Kconfig.include ++++ b/scripts/Kconfig.include +@@ -20,7 +20,7 @@ success = $(if-success,$(1),y,n) + + # $(cc-option,) + # Return y if the compiler supports , n otherwise +-cc-option = $(success,$(CC) -Werror $(1) -E -x c /dev/null -o /dev/null) ++cc-option = $(success,$(CC) -Werror $(CLANG_FLAGS) $(1) -E -x c /dev/null -o /dev/null) + + # $(ld-option,) + # Return y if the linker supports , n otherwise +-- +2.20.1 + diff --git a/queue-4.19/kbuild-modpost-handle-kbuild_extra_symbols-only-for-.patch b/queue-4.19/kbuild-modpost-handle-kbuild_extra_symbols-only-for-.patch new file mode 100644 index 00000000000..a0173304318 --- /dev/null +++ b/queue-4.19/kbuild-modpost-handle-kbuild_extra_symbols-only-for-.patch @@ -0,0 +1,36 @@ +From 58086ce60298e7a68a641816506370d45b1f56c4 Mon Sep 17 00:00:00 2001 +From: Masahiro Yamada +Date: Wed, 31 Jul 2019 00:59:00 +0900 +Subject: kbuild: modpost: handle KBUILD_EXTRA_SYMBOLS only for external + modules + +[ Upstream commit cb4819934a7f9b87876f11ed05b8624c0114551b ] + +KBUILD_EXTRA_SYMBOLS makes sense only when building external modules. +Moreover, the modpost sets 'external_module' if the -e option is given. + +I replaced $(patsubst %, -e %,...) with simpler $(addprefix -e,...) +while I was here. + +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/Makefile.modpost | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/scripts/Makefile.modpost b/scripts/Makefile.modpost +index 7d4af0d0accb3..51884c7b80697 100644 +--- a/scripts/Makefile.modpost ++++ b/scripts/Makefile.modpost +@@ -75,7 +75,7 @@ modpost = scripts/mod/modpost \ + $(if $(CONFIG_MODULE_SRCVERSION_ALL),-a,) \ + $(if $(KBUILD_EXTMOD),-i,-o) $(kernelsymfile) \ + $(if $(KBUILD_EXTMOD),-I $(modulesymfile)) \ +- $(if $(KBUILD_EXTRA_SYMBOLS), $(patsubst %, -e %,$(KBUILD_EXTRA_SYMBOLS))) \ ++ $(if $(KBUILD_EXTMOD),$(addprefix -e ,$(KBUILD_EXTRA_SYMBOLS))) \ + $(if $(KBUILD_EXTMOD),-o $(modulesymfile)) \ + $(if $(CONFIG_DEBUG_SECTION_MISMATCH),,-S) \ + $(if $(CONFIG_SECTION_MISMATCH_WARN_ONLY),,-E) \ +-- +2.20.1 + diff --git a/queue-4.19/libata-zpodd-fix-small-read-overflow-in-zpodd_get_me.patch b/queue-4.19/libata-zpodd-fix-small-read-overflow-in-zpodd_get_me.patch new file mode 100644 index 00000000000..9c821c96bef --- /dev/null +++ b/queue-4.19/libata-zpodd-fix-small-read-overflow-in-zpodd_get_me.patch @@ -0,0 +1,50 @@ +From 06fc556522809a3f6a612a41b0079f092fe18ed9 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Mon, 29 Jul 2019 14:47:22 -0700 +Subject: libata: zpodd: Fix small read overflow in zpodd_get_mech_type() + +[ Upstream commit 71d6c505b4d9e6f76586350450e785e3d452b346 ] + +Jeffrin reported a KASAN issue: + + BUG: KASAN: global-out-of-bounds in ata_exec_internal_sg+0x50f/0xc70 + Read of size 16 at addr ffffffff91f41f80 by task scsi_eh_1/149 + ... + The buggy address belongs to the variable: + cdb.48319+0x0/0x40 + +Much like commit 18c9a99bce2a ("libata: zpodd: small read overflow in +eject_tray()"), this fixes a cdb[] buffer length, this time in +zpodd_get_mech_type(): + +We read from the cdb[] buffer in ata_exec_internal_sg(). It has to be +ATAPI_CDB_LEN (16) bytes long, but this buffer is only 12 bytes. + +Reported-by: Jeffrin Jose T +Fixes: afe759511808c ("libata: identify and init ZPODD devices") +Link: https://lore.kernel.org/lkml/201907181423.E808958@keescook/ +Tested-by: Jeffrin Jose T +Reviewed-by: Nick Desaulniers +Signed-off-by: Kees Cook +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/ata/libata-zpodd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/ata/libata-zpodd.c b/drivers/ata/libata-zpodd.c +index 173e6f2dd9af0..eefda51f97d35 100644 +--- a/drivers/ata/libata-zpodd.c ++++ b/drivers/ata/libata-zpodd.c +@@ -56,7 +56,7 @@ static enum odd_mech_type zpodd_get_mech_type(struct ata_device *dev) + unsigned int ret; + struct rm_feature_desc *desc; + struct ata_taskfile tf; +- static const char cdb[] = { GPCMD_GET_CONFIGURATION, ++ static const char cdb[ATAPI_CDB_LEN] = { GPCMD_GET_CONFIGURATION, + 2, /* only 1 feature descriptor requested */ + 0, 3, /* 3, removable medium feature */ + 0, 0, 0,/* reserved */ +-- +2.20.1 + diff --git a/queue-4.19/ocfs2-remove-set-but-not-used-variable-last_hash.patch b/queue-4.19/ocfs2-remove-set-but-not-used-variable-last_hash.patch new file mode 100644 index 00000000000..7abf10a2988 --- /dev/null +++ b/queue-4.19/ocfs2-remove-set-but-not-used-variable-last_hash.patch @@ -0,0 +1,54 @@ +From 876331a01ac1d7d36340344131fe6e0e00db4022 Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Fri, 2 Aug 2019 21:48:40 -0700 +Subject: ocfs2: remove set but not used variable 'last_hash' + +[ Upstream commit 7bc36e3ce91471b6377c8eadc0a2f220a2280083 ] + +Fixes gcc '-Wunused-but-set-variable' warning: + + fs/ocfs2/xattr.c: In function ocfs2_xattr_bucket_find: + fs/ocfs2/xattr.c:3828:6: warning: variable last_hash set but not used [-Wunused-but-set-variable] + +It's never used and can be removed. + +Link: http://lkml.kernel.org/r/20190716132110.34836-1-yuehaibing@huawei.com +Signed-off-by: YueHaibing +Acked-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Gang He +Cc: Jun Piao +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/ocfs2/xattr.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c +index 3a24ce3deb013..c146e12a8601f 100644 +--- a/fs/ocfs2/xattr.c ++++ b/fs/ocfs2/xattr.c +@@ -3833,7 +3833,6 @@ static int ocfs2_xattr_bucket_find(struct inode *inode, + u16 blk_per_bucket = ocfs2_blocks_per_xattr_bucket(inode->i_sb); + int low_bucket = 0, bucket, high_bucket; + struct ocfs2_xattr_bucket *search; +- u32 last_hash; + u64 blkno, lower_blkno = 0; + + search = ocfs2_xattr_bucket_new(inode); +@@ -3877,8 +3876,6 @@ static int ocfs2_xattr_bucket_find(struct inode *inode, + if (xh->xh_count) + xe = &xh->xh_entries[le16_to_cpu(xh->xh_count) - 1]; + +- last_hash = le32_to_cpu(xe->xe_name_hash); +- + /* record lower_blkno which may be the insert place. */ + lower_blkno = blkno; + +-- +2.20.1 + diff --git a/queue-4.19/perf-header-fix-divide-by-zero-error-if-f_header.att.patch b/queue-4.19/perf-header-fix-divide-by-zero-error-if-f_header.att.patch new file mode 100644 index 00000000000..5f852e44c2a --- /dev/null +++ b/queue-4.19/perf-header-fix-divide-by-zero-error-if-f_header.att.patch @@ -0,0 +1,52 @@ +From 3b9822a11a9bea1ee5e5f40e0e208d58f57cea76 Mon Sep 17 00:00:00 2001 +From: Vince Weaver +Date: Tue, 23 Jul 2019 11:06:01 -0400 +Subject: perf header: Fix divide by zero error if f_header.attr_size==0 + +[ Upstream commit 7622236ceb167aa3857395f9bdaf871442aa467e ] + +So I have been having lots of trouble with hand-crafted perf.data files +causing segfaults and the like, so I have started fuzzing the perf tool. + +First issue found: + +If f_header.attr_size is 0 in the perf.data file, then perf will crash +with a divide-by-zero error. + +Committer note: + +Added a pr_err() to tell the user why the command failed. + +Signed-off-by: Vince Weaver +Cc: Alexander Shishkin +Cc: Jiri Olsa +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lkml.kernel.org/r/alpine.DEB.2.21.1907231100440.14532@macbook-air +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/header.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c +index a94bd6850a0b2..4a5e1907a7ab3 100644 +--- a/tools/perf/util/header.c ++++ b/tools/perf/util/header.c +@@ -3285,6 +3285,13 @@ int perf_session__read_header(struct perf_session *session) + data->file.path); + } + ++ if (f_header.attr_size == 0) { ++ pr_err("ERROR: The %s file's attr size field is 0 which is unexpected.\n" ++ "Was the 'perf record' command properly terminated?\n", ++ data->file.path); ++ return -EINVAL; ++ } ++ + nr_attrs = f_header.attrs.size / f_header.attr_size; + lseek(fd, f_header.attrs.offset, SEEK_SET); + +-- +2.20.1 + diff --git a/queue-4.19/perf-header-fix-use-of-unitialized-value-warning.patch b/queue-4.19/perf-header-fix-use-of-unitialized-value-warning.patch new file mode 100644 index 00000000000..a463b1d53c1 --- /dev/null +++ b/queue-4.19/perf-header-fix-use-of-unitialized-value-warning.patch @@ -0,0 +1,68 @@ +From e8d0180d5aa66effccb43b02f003c4edaa6d2341 Mon Sep 17 00:00:00 2001 +From: Numfor Mbiziwo-Tiapo +Date: Wed, 24 Jul 2019 16:44:58 -0700 +Subject: perf header: Fix use of unitialized value warning + +[ Upstream commit 20f9781f491360e7459c589705a2e4b1f136bee9 ] + +When building our local version of perf with MSAN (Memory Sanitizer) and +running the perf record command, MSAN throws a use of uninitialized +value warning in "tools/perf/util/util.c:333:6". + +This warning stems from the "buf" variable being passed into "write". +It originated as the variable "ev" with the type union perf_event* +defined in the "perf_event__synthesize_attr" function in +"tools/perf/util/header.c". + +In the "perf_event__synthesize_attr" function they allocate space with a malloc +call using ev, then go on to only assign some of the member variables before +passing "ev" on as a parameter to the "process" function therefore "ev" +contains uninitialized memory. Changing the malloc call to zalloc to initialize +all the members of "ev" which gets rid of the warning. + +To reproduce this warning, build perf by running: +make -C tools/perf CLANG=1 CC=clang EXTRA_CFLAGS="-fsanitize=memory\ + -fsanitize-memory-track-origins" + +(Additionally, llvm might have to be installed and clang might have to +be specified as the compiler - export CC=/usr/bin/clang) + +then running: +tools/perf/perf record -o - ls / | tools/perf/perf --no-pager annotate\ + -i - --stdio + +Please see the cover letter for why false positive warnings may be +generated. + +Signed-off-by: Numfor Mbiziwo-Tiapo +Cc: Alexander Shishkin +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Mark Drayton +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Song Liu +Cc: Stephane Eranian +Link: http://lkml.kernel.org/r/20190724234500.253358-2-nums@google.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/header.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c +index 4a5e1907a7ab3..54c34c107cab5 100644 +--- a/tools/perf/util/header.c ++++ b/tools/perf/util/header.c +@@ -3372,7 +3372,7 @@ int perf_event__synthesize_attr(struct perf_tool *tool, + size += sizeof(struct perf_event_header); + size += ids * sizeof(u64); + +- ev = malloc(size); ++ ev = zalloc(size); + + if (ev == NULL) + return -ENOMEM; +-- +2.20.1 + diff --git a/queue-4.19/revert-kmemleak-allow-to-coexist-with-fault-injectio.patch b/queue-4.19/revert-kmemleak-allow-to-coexist-with-fault-injectio.patch new file mode 100644 index 00000000000..4927dcbf025 --- /dev/null +++ b/queue-4.19/revert-kmemleak-allow-to-coexist-with-fault-injectio.patch @@ -0,0 +1,70 @@ +From 1c95a5bdfd068840bbc959c79968fa004fc2edfe Mon Sep 17 00:00:00 2001 +From: Yang Shi +Date: Fri, 2 Aug 2019 21:48:37 -0700 +Subject: Revert "kmemleak: allow to coexist with fault injection" + +[ Upstream commit df9576def004d2cd5beedc00cb6e8901427634b9 ] + +When running ltp's oom test with kmemleak enabled, the below warning was +triggerred since kernel detects __GFP_NOFAIL & ~__GFP_DIRECT_RECLAIM is +passed in: + + WARNING: CPU: 105 PID: 2138 at mm/page_alloc.c:4608 __alloc_pages_nodemask+0x1c31/0x1d50 + Modules linked in: loop dax_pmem dax_pmem_core ip_tables x_tables xfs virtio_net net_failover virtio_blk failover ata_generic virtio_pci virtio_ring virtio libata + CPU: 105 PID: 2138 Comm: oom01 Not tainted 5.2.0-next-20190710+ #7 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.10.2-0-g5f4c7b1-prebuilt.qemu-project.org 04/01/2014 + RIP: 0010:__alloc_pages_nodemask+0x1c31/0x1d50 + ... + kmemleak_alloc+0x4e/0xb0 + kmem_cache_alloc+0x2a7/0x3e0 + mempool_alloc_slab+0x2d/0x40 + mempool_alloc+0x118/0x2b0 + bio_alloc_bioset+0x19d/0x350 + get_swap_bio+0x80/0x230 + __swap_writepage+0x5ff/0xb20 + +The mempool_alloc_slab() clears __GFP_DIRECT_RECLAIM, however kmemleak +has __GFP_NOFAIL set all the time due to d9570ee3bd1d4f2 ("kmemleak: +allow to coexist with fault injection"). But, it doesn't make any sense +to have __GFP_NOFAIL and ~__GFP_DIRECT_RECLAIM specified at the same +time. + +According to the discussion on the mailing list, the commit should be +reverted for short term solution. Catalin Marinas would follow up with +a better solution for longer term. + +The failure rate of kmemleak metadata allocation may increase in some +circumstances, but this should be expected side effect. + +Link: http://lkml.kernel.org/r/1563299431-111710-1-git-send-email-yang.shi@linux.alibaba.com +Fixes: d9570ee3bd1d4f2 ("kmemleak: allow to coexist with fault injection") +Signed-off-by: Yang Shi +Suggested-by: Catalin Marinas +Acked-by: Michal Hocko +Cc: Dmitry Vyukov +Cc: David Rientjes +Cc: Matthew Wilcox +Cc: Qian Cai +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/kmemleak.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/mm/kmemleak.c b/mm/kmemleak.c +index 6c94b6865ac22..5eeabece0c178 100644 +--- a/mm/kmemleak.c ++++ b/mm/kmemleak.c +@@ -126,7 +126,7 @@ + /* GFP bitmask for kmemleak internal allocations */ + #define gfp_kmemleak_mask(gfp) (((gfp) & (GFP_KERNEL | GFP_ATOMIC)) | \ + __GFP_NORETRY | __GFP_NOMEMALLOC | \ +- __GFP_NOWARN | __GFP_NOFAIL) ++ __GFP_NOWARN) + + /* scanning area inside a memory block */ + struct kmemleak_scan_area { +-- +2.20.1 + diff --git a/queue-4.19/scsi-hpsa-correct-scsi-command-status-issue-after-re.patch b/queue-4.19/scsi-hpsa-correct-scsi-command-status-issue-after-re.patch new file mode 100644 index 00000000000..5f29d3269e2 --- /dev/null +++ b/queue-4.19/scsi-hpsa-correct-scsi-command-status-issue-after-re.patch @@ -0,0 +1,59 @@ +From e4c2cd80e5dd48e89d65684b2c986b4c36d2b23e Mon Sep 17 00:00:00 2001 +From: Don Brace +Date: Wed, 24 Jul 2019 17:08:06 -0500 +Subject: scsi: hpsa: correct scsi command status issue after reset + +[ Upstream commit eeebce1862970653cdf5c01e98bc669edd8f529a ] + +Reviewed-by: Bader Ali - Saleh +Reviewed-by: Scott Teel +Reviewed-by: Scott Benesh +Reviewed-by: Kevin Barnett +Signed-off-by: Don Brace +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/hpsa.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c +index c43eccdea65d2..f570b8c5d857c 100644 +--- a/drivers/scsi/hpsa.c ++++ b/drivers/scsi/hpsa.c +@@ -2320,6 +2320,8 @@ static int handle_ioaccel_mode2_error(struct ctlr_info *h, + case IOACCEL2_SERV_RESPONSE_COMPLETE: + switch (c2->error_data.status) { + case IOACCEL2_STATUS_SR_TASK_COMP_GOOD: ++ if (cmd) ++ cmd->result = 0; + break; + case IOACCEL2_STATUS_SR_TASK_COMP_CHK_COND: + cmd->result |= SAM_STAT_CHECK_CONDITION; +@@ -2479,8 +2481,10 @@ static void process_ioaccel2_completion(struct ctlr_info *h, + + /* check for good status */ + if (likely(c2->error_data.serv_response == 0 && +- c2->error_data.status == 0)) ++ c2->error_data.status == 0)) { ++ cmd->result = 0; + return hpsa_cmd_free_and_done(h, c, cmd); ++ } + + /* + * Any RAID offload error results in retry which will use +@@ -5617,6 +5621,12 @@ static int hpsa_scsi_queue_command(struct Scsi_Host *sh, struct scsi_cmnd *cmd) + } + c = cmd_tagged_alloc(h, cmd); + ++ /* ++ * This is necessary because the SML doesn't zero out this field during ++ * error recovery. ++ */ ++ cmd->result = 0; ++ + /* + * Call alternate submit routine for I/O accelerated commands. + * Retries always go down the normal I/O path. +-- +2.20.1 + diff --git a/queue-4.19/scsi-qla2xxx-fix-possible-fcport-null-pointer-derefe.patch b/queue-4.19/scsi-qla2xxx-fix-possible-fcport-null-pointer-derefe.patch new file mode 100644 index 00000000000..53f4961d510 --- /dev/null +++ b/queue-4.19/scsi-qla2xxx-fix-possible-fcport-null-pointer-derefe.patch @@ -0,0 +1,48 @@ +From 4fd10cafd4d0516ba532494b76f23d6e884bc7f3 Mon Sep 17 00:00:00 2001 +From: Jia-Ju Bai +Date: Mon, 29 Jul 2019 16:44:51 +0800 +Subject: scsi: qla2xxx: Fix possible fcport null-pointer dereferences + +[ Upstream commit e82f04ec6ba91065fd33a6201ffd7cab840e1475 ] + +In qla2x00_alloc_fcport(), fcport is assigned to NULL in the error +handling code on line 4880: + fcport = NULL; + +Then fcport is used on lines 4883-4886: + INIT_WORK(&fcport->del_work, qla24xx_delete_sess_fn); + INIT_WORK(&fcport->reg_work, qla_register_fcport_fn); + INIT_LIST_HEAD(&fcport->gnl_entry); + INIT_LIST_HEAD(&fcport->list); + +Thus, possible null-pointer dereferences may occur. + +To fix these bugs, qla2x00_alloc_fcport() directly returns NULL +in the error handling code. + +These bugs are found by a static analysis tool STCheck written by us. + +Signed-off-by: Jia-Ju Bai +Acked-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_init.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c +index f84f9bf150278..ddce32fe0513a 100644 +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -4732,7 +4732,7 @@ qla2x00_alloc_fcport(scsi_qla_host_t *vha, gfp_t flags) + ql_log(ql_log_warn, vha, 0xd049, + "Failed to allocate ct_sns request.\n"); + kfree(fcport); +- fcport = NULL; ++ return NULL; + } + INIT_WORK(&fcport->del_work, qla24xx_delete_sess_fn); + INIT_LIST_HEAD(&fcport->gnl_entry); +-- +2.20.1 + diff --git a/queue-4.19/series b/queue-4.19/series index bd4b463b185..1fac37f527e 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -22,3 +22,32 @@ input-kbtab-sanity-check-for-endpoint-type.patch input-iforce-add-sanity-checks.patch net-usb-pegasus-fix-improper-read-if-get_registers-fail.patch netfilter-ebtables-also-count-base-chain-policies.patch +clk-at91-generated-truncate-divisor-to-generated_max.patch +clk-sprd-select-regmap_mmio-to-avoid-compile-errors.patch +clk-renesas-cpg-mssr-fix-reset-control-race-conditio.patch +xen-pciback-remove-set-but-not-used-variable-old_sta.patch +irqchip-gic-v3-its-free-unused-vpt_page-when-alloc-v.patch +irqchip-irq-imx-gpcv2-forward-irq-type-to-parent.patch +perf-header-fix-divide-by-zero-error-if-f_header.att.patch +perf-header-fix-use-of-unitialized-value-warning.patch +libata-zpodd-fix-small-read-overflow-in-zpodd_get_me.patch +drm-bridge-lvds-encoder-fix-build-error-while-config.patch +btrfs-fix-deadlock-between-fiemap-and-transaction-co.patch +scsi-hpsa-correct-scsi-command-status-issue-after-re.patch +scsi-qla2xxx-fix-possible-fcport-null-pointer-derefe.patch +exit-make-setting-exit_state-consistent.patch +drm-amdgpu-fix-a-potential-information-leaking-bug.patch +ata-libahci-do-not-complain-in-case-of-deferred-prob.patch +kbuild-modpost-handle-kbuild_extra_symbols-only-for-.patch +kbuild-check-for-unknown-options-with-cc-option-usag.patch +arm64-efi-fix-variable-si-set-but-not-used.patch +arm64-unwind-prohibit-probing-on-return_address.patch +arm64-mm-fix-variable-pud-set-but-not-used.patch +ib-core-add-mitigation-for-spectre-v1.patch +ib-mlx5-fix-mr-registration-flow-to-use-umr-properly.patch +ib-mad-fix-use-after-free-in-ib-mad-completion-handl.patch +drm-msm-fix-add_gpu_components.patch +drm-exynos-fix-missing-decrement-of-retry-counter.patch +revert-kmemleak-allow-to-coexist-with-fault-injectio.patch +ocfs2-remove-set-but-not-used-variable-last_hash.patch +asm-generic-fix-wtype-limits-compiler-warnings.patch diff --git a/queue-4.19/xen-pciback-remove-set-but-not-used-variable-old_sta.patch b/queue-4.19/xen-pciback-remove-set-but-not-used-variable-old_sta.patch new file mode 100644 index 00000000000..feeca569d5e --- /dev/null +++ b/queue-4.19/xen-pciback-remove-set-but-not-used-variable-old_sta.patch @@ -0,0 +1,46 @@ +From 828752ec6b835a0188c57dc6188335447519f67b Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Wed, 24 Jul 2019 22:08:50 +0800 +Subject: xen/pciback: remove set but not used variable 'old_state' + +[ Upstream commit 09e088a4903bd0dd911b4f1732b250130cdaffed ] + +Fixes gcc '-Wunused-but-set-variable' warning: + +drivers/xen/xen-pciback/conf_space_capability.c: In function pm_ctrl_write: +drivers/xen/xen-pciback/conf_space_capability.c:119:25: warning: + variable old_state set but not used [-Wunused-but-set-variable] + +It is never used so can be removed. + +Reported-by: Hulk Robot +Signed-off-by: YueHaibing +Reviewed-by: Boris Ostrovsky +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + drivers/xen/xen-pciback/conf_space_capability.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/xen/xen-pciback/conf_space_capability.c b/drivers/xen/xen-pciback/conf_space_capability.c +index 73427d8e01161..e5694133ebe57 100644 +--- a/drivers/xen/xen-pciback/conf_space_capability.c ++++ b/drivers/xen/xen-pciback/conf_space_capability.c +@@ -116,13 +116,12 @@ static int pm_ctrl_write(struct pci_dev *dev, int offset, u16 new_value, + { + int err; + u16 old_value; +- pci_power_t new_state, old_state; ++ pci_power_t new_state; + + err = pci_read_config_word(dev, offset, &old_value); + if (err) + goto out; + +- old_state = (pci_power_t)(old_value & PCI_PM_CTRL_STATE_MASK); + new_state = (pci_power_t)(new_value & PCI_PM_CTRL_STATE_MASK); + + new_value &= PM_OK_BITS; +-- +2.20.1 + -- 2.47.3