From cc4eb9cad30bcc21d00da3696431995b4aee376b Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 29 Apr 2019 11:52:39 +0200 Subject: [PATCH] 5.0-stable patches added patches: arm-8857-1-efi-enable-cp15-dmb-instructions-before-cleaning-the-cache.patch ceph-ensure-d_name-stability-in-ceph_dentry_hash.patch ceph-fix-ci-i_head_snapc-leak.patch ceph-only-use-d_name-directly-when-parent-is-locked.patch dmaengine-mediatek-cqdma-fix-wrong-register-usage-in-mtk_cqdma_start.patch dmaengine-sh-rcar-dmac-fix-glitch-in-dmaengine_tx_status.patch dmaengine-sh-rcar-dmac-with-cyclic-dma-residue-0-is-valid.patch drm-ttm-fix-re-init-of-global-structures.patch drm-vc4-fix-compilation-error-reported-by-kbuild-test-bot.patch drm-vc4-fix-memory-leak-during-gpu-reset.patch ext4-fix-some-error-pointer-dereferences.patch input-synaptics-rmi4-write-config-register-values-to-the-right-offset.patch nfsd-don-t-release-the-callback-slot-unless-it-was-actually-held.patch nfsd-wake-blocked-file-lock-waiters-before-sending-callback.patch nfsd-wake-waiters-blocked-on-file_lock-before-deleting-it.patch perf-x86-intel-update-kbl-package-c-state-events-to-also-include-pc8-pc9-pc10-counters.patch powerpc-mm-radix-make-radix-require-hugetlb_page.patch revert-drm-i915-fbdev-actually-configure-untiled-displays.patch sunrpc-don-t-mark-uninitialised-items-as-valid.patch usb-add-new-usb-lpm-helpers.patch usb-consolidate-lpm-checks-to-avoid-enabling-lpm-twice.patch vfio-type1-limit-dma-mappings-per-container.patch --- ...structions-before-cleaning-the-cache.patch | 60 +++++++ ...d_name-stability-in-ceph_dentry_hash.patch | 44 +++++ queue-5.0/ceph-fix-ci-i_head_snapc-leak.patch | 59 +++++++ ..._name-directly-when-parent-is-locked.patch | 165 ++++++++++++++++++ ...ng-register-usage-in-mtk_cqdma_start.patch | 33 ++++ ...ac-fix-glitch-in-dmaengine_tx_status.patch | 82 +++++++++ ...c-with-cyclic-dma-residue-0-is-valid.patch | 51 ++++++ ...ttm-fix-re-init-of-global-structures.patch | 104 +++++++++++ ...on-error-reported-by-kbuild-test-bot.patch | 39 +++++ ...vc4-fix-memory-leak-during-gpu-reset.patch | 35 ++++ ...-fix-some-error-pointer-dereferences.patch | 47 +++++ ...-register-values-to-the-right-offset.patch | 35 ++++ ...ack-slot-unless-it-was-actually-held.patch | 82 +++++++++ ...lock-waiters-before-sending-callback.patch | 56 ++++++ ...cked-on-file_lock-before-deleting-it.patch | 58 ++++++ ...o-also-include-pc8-pc9-pc10-counters.patch | 70 ++++++++ ...adix-make-radix-require-hugetlb_page.patch | 99 +++++++++++ ...-actually-configure-untiled-displays.patch | 72 ++++++++ queue-5.0/series | 22 +++ ...-t-mark-uninitialised-items-as-valid.patch | 57 ++++++ queue-5.0/usb-add-new-usb-lpm-helpers.patch | 160 +++++++++++++++++ ...m-checks-to-avoid-enabling-lpm-twice.patch | 125 +++++++++++++ ...pe1-limit-dma-mappings-per-container.patch | 94 ++++++++++ 23 files changed, 1649 insertions(+) create mode 100644 queue-5.0/arm-8857-1-efi-enable-cp15-dmb-instructions-before-cleaning-the-cache.patch create mode 100644 queue-5.0/ceph-ensure-d_name-stability-in-ceph_dentry_hash.patch create mode 100644 queue-5.0/ceph-fix-ci-i_head_snapc-leak.patch create mode 100644 queue-5.0/ceph-only-use-d_name-directly-when-parent-is-locked.patch create mode 100644 queue-5.0/dmaengine-mediatek-cqdma-fix-wrong-register-usage-in-mtk_cqdma_start.patch create mode 100644 queue-5.0/dmaengine-sh-rcar-dmac-fix-glitch-in-dmaengine_tx_status.patch create mode 100644 queue-5.0/dmaengine-sh-rcar-dmac-with-cyclic-dma-residue-0-is-valid.patch create mode 100644 queue-5.0/drm-ttm-fix-re-init-of-global-structures.patch create mode 100644 queue-5.0/drm-vc4-fix-compilation-error-reported-by-kbuild-test-bot.patch create mode 100644 queue-5.0/drm-vc4-fix-memory-leak-during-gpu-reset.patch create mode 100644 queue-5.0/ext4-fix-some-error-pointer-dereferences.patch create mode 100644 queue-5.0/input-synaptics-rmi4-write-config-register-values-to-the-right-offset.patch create mode 100644 queue-5.0/nfsd-don-t-release-the-callback-slot-unless-it-was-actually-held.patch create mode 100644 queue-5.0/nfsd-wake-blocked-file-lock-waiters-before-sending-callback.patch create mode 100644 queue-5.0/nfsd-wake-waiters-blocked-on-file_lock-before-deleting-it.patch create mode 100644 queue-5.0/perf-x86-intel-update-kbl-package-c-state-events-to-also-include-pc8-pc9-pc10-counters.patch create mode 100644 queue-5.0/powerpc-mm-radix-make-radix-require-hugetlb_page.patch create mode 100644 queue-5.0/revert-drm-i915-fbdev-actually-configure-untiled-displays.patch create mode 100644 queue-5.0/sunrpc-don-t-mark-uninitialised-items-as-valid.patch create mode 100644 queue-5.0/usb-add-new-usb-lpm-helpers.patch create mode 100644 queue-5.0/usb-consolidate-lpm-checks-to-avoid-enabling-lpm-twice.patch create mode 100644 queue-5.0/vfio-type1-limit-dma-mappings-per-container.patch diff --git a/queue-5.0/arm-8857-1-efi-enable-cp15-dmb-instructions-before-cleaning-the-cache.patch b/queue-5.0/arm-8857-1-efi-enable-cp15-dmb-instructions-before-cleaning-the-cache.patch new file mode 100644 index 00000000000..f91903eaae7 --- /dev/null +++ b/queue-5.0/arm-8857-1-efi-enable-cp15-dmb-instructions-before-cleaning-the-cache.patch @@ -0,0 +1,60 @@ +From e17b1af96b2afc38e684aa2f1033387e2ed10029 Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Fri, 12 Apr 2019 22:34:18 +0100 +Subject: ARM: 8857/1: efi: enable CP15 DMB instructions before cleaning the cache + +From: Ard Biesheuvel + +commit e17b1af96b2afc38e684aa2f1033387e2ed10029 upstream. + +The EFI stub is entered with the caches and MMU enabled by the +firmware, and once the stub is ready to hand over to the decompressor, +we clean and disable the caches. + +The cache clean routines use CP15 barrier instructions, which can be +disabled via SCTLR. Normally, when using the provided cache handling +routines to enable the caches and MMU, this bit is enabled as well. +However, but since we entered the stub with the caches already enabled, +this routine is not executed before we call the cache clean routines, +resulting in undefined instruction exceptions if the firmware never +enabled this bit. + +So set the bit explicitly in the EFI entry code, but do so in a way that +guarantees that the resulting code can still run on v6 cores as well +(which are guaranteed to have CP15 barriers enabled) + +Cc: # v4.9+ +Acked-by: Marc Zyngier +Signed-off-by: Ard Biesheuvel +Signed-off-by: Russell King +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/compressed/head.S | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +--- a/arch/arm/boot/compressed/head.S ++++ b/arch/arm/boot/compressed/head.S +@@ -1438,7 +1438,21 @@ ENTRY(efi_stub_entry) + + @ Preserve return value of efi_entry() in r4 + mov r4, r0 +- bl cache_clean_flush ++ ++ @ our cache maintenance code relies on CP15 barrier instructions ++ @ but since we arrived here with the MMU and caches configured ++ @ by UEFI, we must check that the CP15BEN bit is set in SCTLR. ++ @ Note that this bit is RAO/WI on v6 and earlier, so the ISB in ++ @ the enable path will be executed on v7+ only. ++ mrc p15, 0, r1, c1, c0, 0 @ read SCTLR ++ tst r1, #(1 << 5) @ CP15BEN bit set? ++ bne 0f ++ orr r1, r1, #(1 << 5) @ CP15 barrier instructions ++ mcr p15, 0, r1, c1, c0, 0 @ write SCTLR ++ ARM( .inst 0xf57ff06f @ v7+ isb ) ++ THUMB( isb ) ++ ++0: bl cache_clean_flush + bl cache_off + + @ Set parameters for booting zImage according to boot protocol diff --git a/queue-5.0/ceph-ensure-d_name-stability-in-ceph_dentry_hash.patch b/queue-5.0/ceph-ensure-d_name-stability-in-ceph_dentry_hash.patch new file mode 100644 index 00000000000..aafba986b7c --- /dev/null +++ b/queue-5.0/ceph-ensure-d_name-stability-in-ceph_dentry_hash.patch @@ -0,0 +1,44 @@ +From 76a495d666e5043ffc315695f8241f5e94a98849 Mon Sep 17 00:00:00 2001 +From: Jeff Layton +Date: Wed, 17 Apr 2019 12:58:28 -0400 +Subject: ceph: ensure d_name stability in ceph_dentry_hash() + +From: Jeff Layton + +commit 76a495d666e5043ffc315695f8241f5e94a98849 upstream. + +Take the d_lock here to ensure that d_name doesn't change. + +Cc: stable@vger.kernel.org +Signed-off-by: Jeff Layton +Reviewed-by: "Yan, Zheng" +Signed-off-by: Ilya Dryomov +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ceph/dir.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/fs/ceph/dir.c ++++ b/fs/ceph/dir.c +@@ -1470,6 +1470,7 @@ void ceph_dentry_lru_del(struct dentry * + unsigned ceph_dentry_hash(struct inode *dir, struct dentry *dn) + { + struct ceph_inode_info *dci = ceph_inode(dir); ++ unsigned hash; + + switch (dci->i_dir_layout.dl_dir_hash) { + case 0: /* for backward compat */ +@@ -1477,8 +1478,11 @@ unsigned ceph_dentry_hash(struct inode * + return dn->d_name.hash; + + default: +- return ceph_str_hash(dci->i_dir_layout.dl_dir_hash, ++ spin_lock(&dn->d_lock); ++ hash = ceph_str_hash(dci->i_dir_layout.dl_dir_hash, + dn->d_name.name, dn->d_name.len); ++ spin_unlock(&dn->d_lock); ++ return hash; + } + } + diff --git a/queue-5.0/ceph-fix-ci-i_head_snapc-leak.patch b/queue-5.0/ceph-fix-ci-i_head_snapc-leak.patch new file mode 100644 index 00000000000..5b392bb093d --- /dev/null +++ b/queue-5.0/ceph-fix-ci-i_head_snapc-leak.patch @@ -0,0 +1,59 @@ +From 37659182bff1eeaaeadcfc8f853c6d2b6dbc3f47 Mon Sep 17 00:00:00 2001 +From: "Yan, Zheng" +Date: Thu, 18 Apr 2019 11:24:57 +0800 +Subject: ceph: fix ci->i_head_snapc leak + +From: Yan, Zheng + +commit 37659182bff1eeaaeadcfc8f853c6d2b6dbc3f47 upstream. + +We missed two places that i_wrbuffer_ref_head, i_wr_ref, i_dirty_caps +and i_flushing_caps may change. When they are all zeros, we should free +i_head_snapc. + +Cc: stable@vger.kernel.org +Link: https://tracker.ceph.com/issues/38224 +Reported-and-tested-by: Luis Henriques +Signed-off-by: "Yan, Zheng" +Signed-off-by: Ilya Dryomov +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ceph/mds_client.c | 9 +++++++++ + fs/ceph/snap.c | 7 ++++++- + 2 files changed, 15 insertions(+), 1 deletion(-) + +--- a/fs/ceph/mds_client.c ++++ b/fs/ceph/mds_client.c +@@ -1286,6 +1286,15 @@ static int remove_session_caps_cb(struct + list_add(&ci->i_prealloc_cap_flush->i_list, &to_remove); + ci->i_prealloc_cap_flush = NULL; + } ++ ++ if (drop && ++ ci->i_wrbuffer_ref_head == 0 && ++ ci->i_wr_ref == 0 && ++ ci->i_dirty_caps == 0 && ++ ci->i_flushing_caps == 0) { ++ ceph_put_snap_context(ci->i_head_snapc); ++ ci->i_head_snapc = NULL; ++ } + } + spin_unlock(&ci->i_ceph_lock); + while (!list_empty(&to_remove)) { +--- a/fs/ceph/snap.c ++++ b/fs/ceph/snap.c +@@ -568,7 +568,12 @@ void ceph_queue_cap_snap(struct ceph_ino + old_snapc = NULL; + + update_snapc: +- if (ci->i_head_snapc) { ++ if (ci->i_wrbuffer_ref_head == 0 && ++ ci->i_wr_ref == 0 && ++ ci->i_dirty_caps == 0 && ++ ci->i_flushing_caps == 0) { ++ ci->i_head_snapc = NULL; ++ } else { + ci->i_head_snapc = ceph_get_snap_context(new_snapc); + dout(" new snapc is %p\n", new_snapc); + } diff --git a/queue-5.0/ceph-only-use-d_name-directly-when-parent-is-locked.patch b/queue-5.0/ceph-only-use-d_name-directly-when-parent-is-locked.patch new file mode 100644 index 00000000000..29647184b14 --- /dev/null +++ b/queue-5.0/ceph-only-use-d_name-directly-when-parent-is-locked.patch @@ -0,0 +1,165 @@ +From 1bcb344086f3ecf8d6705f6d708441baa823beb3 Mon Sep 17 00:00:00 2001 +From: Jeff Layton +Date: Mon, 15 Apr 2019 12:00:42 -0400 +Subject: ceph: only use d_name directly when parent is locked + +From: Jeff Layton + +commit 1bcb344086f3ecf8d6705f6d708441baa823beb3 upstream. + +Ben reported tripping the BUG_ON in create_request_message during some +performance testing. Analysis of the vmcore showed that the length of +the r_dentry->d_name string changed after we allocated the buffer, but +before we encoded it. + +build_dentry_path returns pointers to d_name in the common case of +non-snapped dentries, but this optimization isn't safe unless the parent +directory is locked. When it isn't, have the code make a copy of the +d_name while holding the d_lock. + +Cc: stable@vger.kernel.org +Reported-by: Ben England +Signed-off-by: Jeff Layton +Reviewed-by: "Yan, Zheng" +Signed-off-by: Ilya Dryomov +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ceph/mds_client.c | 61 +++++++++++++++++++++++++++++++++++++++++---------- + 1 file changed, 50 insertions(+), 11 deletions(-) + +--- a/fs/ceph/mds_client.c ++++ b/fs/ceph/mds_client.c +@@ -1958,10 +1958,39 @@ retry: + return path; + } + ++/* Duplicate the dentry->d_name.name safely */ ++static int clone_dentry_name(struct dentry *dentry, const char **ppath, ++ int *ppathlen) ++{ ++ u32 len; ++ char *name; ++ ++retry: ++ len = READ_ONCE(dentry->d_name.len); ++ name = kmalloc(len + 1, GFP_NOFS); ++ if (!name) ++ return -ENOMEM; ++ ++ spin_lock(&dentry->d_lock); ++ if (dentry->d_name.len != len) { ++ spin_unlock(&dentry->d_lock); ++ kfree(name); ++ goto retry; ++ } ++ memcpy(name, dentry->d_name.name, len); ++ spin_unlock(&dentry->d_lock); ++ ++ name[len] = '\0'; ++ *ppath = name; ++ *ppathlen = len; ++ return 0; ++} ++ + static int build_dentry_path(struct dentry *dentry, struct inode *dir, + const char **ppath, int *ppathlen, u64 *pino, +- int *pfreepath) ++ bool *pfreepath, bool parent_locked) + { ++ int ret; + char *path; + + rcu_read_lock(); +@@ -1970,8 +1999,15 @@ static int build_dentry_path(struct dent + if (dir && ceph_snap(dir) == CEPH_NOSNAP) { + *pino = ceph_ino(dir); + rcu_read_unlock(); +- *ppath = dentry->d_name.name; +- *ppathlen = dentry->d_name.len; ++ if (parent_locked) { ++ *ppath = dentry->d_name.name; ++ *ppathlen = dentry->d_name.len; ++ } else { ++ ret = clone_dentry_name(dentry, ppath, ppathlen); ++ if (ret) ++ return ret; ++ *pfreepath = true; ++ } + return 0; + } + rcu_read_unlock(); +@@ -1979,13 +2015,13 @@ static int build_dentry_path(struct dent + if (IS_ERR(path)) + return PTR_ERR(path); + *ppath = path; +- *pfreepath = 1; ++ *pfreepath = true; + return 0; + } + + static int build_inode_path(struct inode *inode, + const char **ppath, int *ppathlen, u64 *pino, +- int *pfreepath) ++ bool *pfreepath) + { + struct dentry *dentry; + char *path; +@@ -2001,7 +2037,7 @@ static int build_inode_path(struct inode + if (IS_ERR(path)) + return PTR_ERR(path); + *ppath = path; +- *pfreepath = 1; ++ *pfreepath = true; + return 0; + } + +@@ -2012,7 +2048,7 @@ static int build_inode_path(struct inode + static int set_request_path_attr(struct inode *rinode, struct dentry *rdentry, + struct inode *rdiri, const char *rpath, + u64 rino, const char **ppath, int *pathlen, +- u64 *ino, int *freepath) ++ u64 *ino, bool *freepath, bool parent_locked) + { + int r = 0; + +@@ -2022,7 +2058,7 @@ static int set_request_path_attr(struct + ceph_snap(rinode)); + } else if (rdentry) { + r = build_dentry_path(rdentry, rdiri, ppath, pathlen, ino, +- freepath); ++ freepath, parent_locked); + dout(" dentry %p %llx/%.*s\n", rdentry, *ino, *pathlen, + *ppath); + } else if (rpath || rino) { +@@ -2048,7 +2084,7 @@ static struct ceph_msg *create_request_m + const char *path2 = NULL; + u64 ino1 = 0, ino2 = 0; + int pathlen1 = 0, pathlen2 = 0; +- int freepath1 = 0, freepath2 = 0; ++ bool freepath1 = false, freepath2 = false; + int len; + u16 releases; + void *p, *end; +@@ -2056,16 +2092,19 @@ static struct ceph_msg *create_request_m + + ret = set_request_path_attr(req->r_inode, req->r_dentry, + req->r_parent, req->r_path1, req->r_ino1.ino, +- &path1, &pathlen1, &ino1, &freepath1); ++ &path1, &pathlen1, &ino1, &freepath1, ++ test_bit(CEPH_MDS_R_PARENT_LOCKED, ++ &req->r_req_flags)); + if (ret < 0) { + msg = ERR_PTR(ret); + goto out; + } + ++ /* If r_old_dentry is set, then assume that its parent is locked */ + ret = set_request_path_attr(NULL, req->r_old_dentry, + req->r_old_dentry_dir, + req->r_path2, req->r_ino2.ino, +- &path2, &pathlen2, &ino2, &freepath2); ++ &path2, &pathlen2, &ino2, &freepath2, true); + if (ret < 0) { + msg = ERR_PTR(ret); + goto out_free1; diff --git a/queue-5.0/dmaengine-mediatek-cqdma-fix-wrong-register-usage-in-mtk_cqdma_start.patch b/queue-5.0/dmaengine-mediatek-cqdma-fix-wrong-register-usage-in-mtk_cqdma_start.patch new file mode 100644 index 00000000000..dedbddb1ef1 --- /dev/null +++ b/queue-5.0/dmaengine-mediatek-cqdma-fix-wrong-register-usage-in-mtk_cqdma_start.patch @@ -0,0 +1,33 @@ +From 5bb5c3a3ac102158b799bf5eda871223aa5e9c25 Mon Sep 17 00:00:00 2001 +From: Shun-Chih Yu +Date: Thu, 25 Apr 2019 11:53:50 +0800 +Subject: dmaengine: mediatek-cqdma: fix wrong register usage in mtk_cqdma_start + +From: Shun-Chih Yu + +commit 5bb5c3a3ac102158b799bf5eda871223aa5e9c25 upstream. + +This patch fixes wrong register usage in the mtk_cqdma_start. The +destination register should be MTK_CQDMA_DST2 instead. + +Fixes: b1f01e48df5a ("dmaengine: mediatek: Add MediaTek Command-Queue DMA controller for MT6765 SoC") +Signed-off-by: Shun-Chih Yu +Cc: stable@vger.kernel.org +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/dma/mediatek/mtk-cqdma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/dma/mediatek/mtk-cqdma.c ++++ b/drivers/dma/mediatek/mtk-cqdma.c +@@ -253,7 +253,7 @@ static void mtk_cqdma_start(struct mtk_c + #ifdef CONFIG_ARCH_DMA_ADDR_T_64BIT + mtk_dma_set(pc, MTK_CQDMA_DST2, cvd->dest >> MTK_CQDMA_ADDR2_SHFIT); + #else +- mtk_dma_set(pc, MTK_CQDMA_SRC2, 0); ++ mtk_dma_set(pc, MTK_CQDMA_DST2, 0); + #endif + + /* setup the length */ diff --git a/queue-5.0/dmaengine-sh-rcar-dmac-fix-glitch-in-dmaengine_tx_status.patch b/queue-5.0/dmaengine-sh-rcar-dmac-fix-glitch-in-dmaengine_tx_status.patch new file mode 100644 index 00000000000..98fe01fee3f --- /dev/null +++ b/queue-5.0/dmaengine-sh-rcar-dmac-fix-glitch-in-dmaengine_tx_status.patch @@ -0,0 +1,82 @@ +From 6e7da74775348d96e2d7efaf3f91410e18c481ef Mon Sep 17 00:00:00 2001 +From: Achim Dahlhoff +Date: Fri, 12 Apr 2019 07:29:14 +0200 +Subject: dmaengine: sh: rcar-dmac: Fix glitch in dmaengine_tx_status + +From: Achim Dahlhoff + +commit 6e7da74775348d96e2d7efaf3f91410e18c481ef upstream. + +The tx_status poll in the rcar_dmac driver reads the status register +which indicates which chunk is busy (DMACHCRB). Afterwards the point +inside the chunk is read from DMATCRB. It is possible that the chunk +has changed between the two reads. The result is a non-monotonous +increase of the residue. Fix this by introducing a 'safe read' logic. + +Fixes: 73a47bd0da66 ("dmaengine: rcar-dmac: use TCRB instead of TCR for residue") +Signed-off-by: Achim Dahlhoff +Signed-off-by: Dirk Behme +Reviewed-by: Yoshihiro Shimoda +Cc: # v4.16+ +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/dma/sh/rcar-dmac.c | 26 +++++++++++++++++++++++--- + 1 file changed, 23 insertions(+), 3 deletions(-) + +--- a/drivers/dma/sh/rcar-dmac.c ++++ b/drivers/dma/sh/rcar-dmac.c +@@ -1282,6 +1282,9 @@ static unsigned int rcar_dmac_chan_get_r + enum dma_status status; + unsigned int residue = 0; + unsigned int dptr = 0; ++ unsigned int chcrb; ++ unsigned int tcrb; ++ unsigned int i; + + if (!desc) + return 0; +@@ -1330,14 +1333,31 @@ static unsigned int rcar_dmac_chan_get_r + } + + /* ++ * We need to read two registers. ++ * Make sure the control register does not skip to next chunk ++ * while reading the counter. ++ * Trying it 3 times should be enough: Initial read, retry, retry ++ * for the paranoid. ++ */ ++ for (i = 0; i < 3; i++) { ++ chcrb = rcar_dmac_chan_read(chan, RCAR_DMACHCRB) & ++ RCAR_DMACHCRB_DPTR_MASK; ++ tcrb = rcar_dmac_chan_read(chan, RCAR_DMATCRB); ++ /* Still the same? */ ++ if (chcrb == (rcar_dmac_chan_read(chan, RCAR_DMACHCRB) & ++ RCAR_DMACHCRB_DPTR_MASK)) ++ break; ++ } ++ WARN_ONCE(i >= 3, "residue might be not continuous!"); ++ ++ /* + * In descriptor mode the descriptor running pointer is not maintained + * by the interrupt handler, find the running descriptor from the + * descriptor pointer field in the CHCRB register. In non-descriptor + * mode just use the running descriptor pointer. + */ + if (desc->hwdescs.use) { +- dptr = (rcar_dmac_chan_read(chan, RCAR_DMACHCRB) & +- RCAR_DMACHCRB_DPTR_MASK) >> RCAR_DMACHCRB_DPTR_SHIFT; ++ dptr = chcrb >> RCAR_DMACHCRB_DPTR_SHIFT; + if (dptr == 0) + dptr = desc->nchunks; + dptr--; +@@ -1355,7 +1375,7 @@ static unsigned int rcar_dmac_chan_get_r + } + + /* Add the residue for the current chunk. */ +- residue += rcar_dmac_chan_read(chan, RCAR_DMATCRB) << desc->xfer_shift; ++ residue += tcrb << desc->xfer_shift; + + return residue; + } diff --git a/queue-5.0/dmaengine-sh-rcar-dmac-with-cyclic-dma-residue-0-is-valid.patch b/queue-5.0/dmaengine-sh-rcar-dmac-with-cyclic-dma-residue-0-is-valid.patch new file mode 100644 index 00000000000..724259a2997 --- /dev/null +++ b/queue-5.0/dmaengine-sh-rcar-dmac-with-cyclic-dma-residue-0-is-valid.patch @@ -0,0 +1,51 @@ +From 907bd68a2edc491849e2fdcfe52c4596627bca94 Mon Sep 17 00:00:00 2001 +From: Dirk Behme +Date: Fri, 12 Apr 2019 07:29:13 +0200 +Subject: dmaengine: sh: rcar-dmac: With cyclic DMA residue 0 is valid + +From: Dirk Behme + +commit 907bd68a2edc491849e2fdcfe52c4596627bca94 upstream. + +Having a cyclic DMA, a residue 0 is not an indication of a completed +DMA. In case of cyclic DMA make sure that dma_set_residue() is called +and with this a residue of 0 is forwarded correctly to the caller. + +Fixes: 3544d2878817 ("dmaengine: rcar-dmac: use result of updated get_residue in tx_status") +Signed-off-by: Dirk Behme +Signed-off-by: Achim Dahlhoff +Signed-off-by: Hiroyuki Yokoyama +Signed-off-by: Yao Lihua +Reviewed-by: Yoshihiro Shimoda +Reviewed-by: Laurent Pinchart +Cc: # v4.8+ +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/dma/sh/rcar-dmac.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/dma/sh/rcar-dmac.c ++++ b/drivers/dma/sh/rcar-dmac.c +@@ -1368,6 +1368,7 @@ static enum dma_status rcar_dmac_tx_stat + enum dma_status status; + unsigned long flags; + unsigned int residue; ++ bool cyclic; + + status = dma_cookie_status(chan, cookie, txstate); + if (status == DMA_COMPLETE || !txstate) +@@ -1375,10 +1376,11 @@ static enum dma_status rcar_dmac_tx_stat + + spin_lock_irqsave(&rchan->lock, flags); + residue = rcar_dmac_chan_get_residue(rchan, cookie); ++ cyclic = rchan->desc.running ? rchan->desc.running->cyclic : false; + spin_unlock_irqrestore(&rchan->lock, flags); + + /* if there's no residue, the cookie is complete */ +- if (!residue) ++ if (!residue && !cyclic) + return DMA_COMPLETE; + + dma_set_residue(txstate, residue); diff --git a/queue-5.0/drm-ttm-fix-re-init-of-global-structures.patch b/queue-5.0/drm-ttm-fix-re-init-of-global-structures.patch new file mode 100644 index 00000000000..5faa59fd7d4 --- /dev/null +++ b/queue-5.0/drm-ttm-fix-re-init-of-global-structures.patch @@ -0,0 +1,104 @@ +From bd4264112f93045704731850c5e4d85db981cd85 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20K=C3=B6nig?= +Date: Tue, 16 Apr 2019 11:49:17 +0200 +Subject: drm/ttm: fix re-init of global structures +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Christian König + +commit bd4264112f93045704731850c5e4d85db981cd85 upstream. + +When a driver unloads without unloading TTM we don't correctly +clear the global structures leading to errors on re-init. + +Next step should probably be to remove the global structures and +kobjs all together, but this is tricky since we need to maintain +backward compatibility. + +Signed-off-by: Christian König +Reviewed-by: Karol Herbst +Tested-by: Karol Herbst +CC: stable@vger.kernel.org # 5.0.x +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/ttm/ttm_bo.c | 10 +++++----- + drivers/gpu/drm/ttm/ttm_memory.c | 5 +++-- + include/drm/ttm/ttm_bo_driver.h | 1 - + 3 files changed, 8 insertions(+), 8 deletions(-) + +--- a/drivers/gpu/drm/ttm/ttm_bo.c ++++ b/drivers/gpu/drm/ttm/ttm_bo.c +@@ -49,9 +49,8 @@ static void ttm_bo_global_kobj_release(s + * ttm_global_mutex - protecting the global BO state + */ + DEFINE_MUTEX(ttm_global_mutex); +-struct ttm_bo_global ttm_bo_glob = { +- .use_count = 0 +-}; ++unsigned ttm_bo_glob_use_count; ++struct ttm_bo_global ttm_bo_glob; + + static struct attribute ttm_bo_count = { + .name = "bo_count", +@@ -1535,12 +1534,13 @@ static void ttm_bo_global_release(void) + struct ttm_bo_global *glob = &ttm_bo_glob; + + mutex_lock(&ttm_global_mutex); +- if (--glob->use_count > 0) ++ if (--ttm_bo_glob_use_count > 0) + goto out; + + kobject_del(&glob->kobj); + kobject_put(&glob->kobj); + ttm_mem_global_release(&ttm_mem_glob); ++ memset(glob, 0, sizeof(*glob)); + out: + mutex_unlock(&ttm_global_mutex); + } +@@ -1552,7 +1552,7 @@ static int ttm_bo_global_init(void) + unsigned i; + + mutex_lock(&ttm_global_mutex); +- if (++glob->use_count > 1) ++ if (++ttm_bo_glob_use_count > 1) + goto out; + + ret = ttm_mem_global_init(&ttm_mem_glob); +--- a/drivers/gpu/drm/ttm/ttm_memory.c ++++ b/drivers/gpu/drm/ttm/ttm_memory.c +@@ -461,8 +461,8 @@ out_no_zone: + + void ttm_mem_global_release(struct ttm_mem_global *glob) + { +- unsigned int i; + struct ttm_mem_zone *zone; ++ unsigned int i; + + /* let the page allocator first stop the shrink work. */ + ttm_page_alloc_fini(); +@@ -475,9 +475,10 @@ void ttm_mem_global_release(struct ttm_m + zone = glob->zones[i]; + kobject_del(&zone->kobj); + kobject_put(&zone->kobj); +- } ++ } + kobject_del(&glob->kobj); + kobject_put(&glob->kobj); ++ memset(glob, 0, sizeof(*glob)); + } + + static void ttm_check_swapping(struct ttm_mem_global *glob) +--- a/include/drm/ttm/ttm_bo_driver.h ++++ b/include/drm/ttm/ttm_bo_driver.h +@@ -411,7 +411,6 @@ extern struct ttm_bo_global { + /** + * Protected by ttm_global_mutex. + */ +- unsigned int use_count; + struct list_head device_list; + + /** diff --git a/queue-5.0/drm-vc4-fix-compilation-error-reported-by-kbuild-test-bot.patch b/queue-5.0/drm-vc4-fix-compilation-error-reported-by-kbuild-test-bot.patch new file mode 100644 index 00000000000..c33144b7ae9 --- /dev/null +++ b/queue-5.0/drm-vc4-fix-compilation-error-reported-by-kbuild-test-bot.patch @@ -0,0 +1,39 @@ +From 462ce5d963f18b71c63f6b7730a35a2ee5273540 Mon Sep 17 00:00:00 2001 +From: Maarten Lankhorst +Date: Wed, 24 Apr 2019 17:06:29 +0200 +Subject: drm/vc4: Fix compilation error reported by kbuild test bot + +From: Maarten Lankhorst + +commit 462ce5d963f18b71c63f6b7730a35a2ee5273540 upstream. + +A pointer to crtc was missing, resulting in the following build error: +drivers/gpu/drm/vc4/vc4_crtc.c:1045:44: sparse: sparse: incorrect type in argument 1 (different base types) +drivers/gpu/drm/vc4/vc4_crtc.c:1045:44: sparse: expected struct drm_crtc *crtc +drivers/gpu/drm/vc4/vc4_crtc.c:1045:44: sparse: got struct drm_crtc_state *state +drivers/gpu/drm/vc4/vc4_crtc.c:1045:39: sparse: sparse: not enough arguments for function vc4_crtc_destroy_state + +Signed-off-by: Maarten Lankhorst +Reported-by: kbuild test robot +Cc: Eric Anholt +Link: https://patchwork.freedesktop.org/patch/msgid/2b6ed5e6-81b0-4276-8860-870b54ca3262@linux.intel.com +Fixes: d08106796a78 ("drm/vc4: Fix memory leak during gpu reset.") +Cc: # v4.6+ +Acked-by: Daniel Vetter +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/vc4/vc4_crtc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/vc4/vc4_crtc.c ++++ b/drivers/gpu/drm/vc4/vc4_crtc.c +@@ -999,7 +999,7 @@ static void + vc4_crtc_reset(struct drm_crtc *crtc) + { + if (crtc->state) +- vc4_crtc_destroy_state(crtc->state); ++ vc4_crtc_destroy_state(crtc, crtc->state); + + crtc->state = kzalloc(sizeof(struct vc4_crtc_state), GFP_KERNEL); + if (crtc->state) diff --git a/queue-5.0/drm-vc4-fix-memory-leak-during-gpu-reset.patch b/queue-5.0/drm-vc4-fix-memory-leak-during-gpu-reset.patch new file mode 100644 index 00000000000..a0726a3b510 --- /dev/null +++ b/queue-5.0/drm-vc4-fix-memory-leak-during-gpu-reset.patch @@ -0,0 +1,35 @@ +From d08106796a78a4273e39e1bbdf538dc4334b2635 Mon Sep 17 00:00:00 2001 +From: Maarten Lankhorst +Date: Fri, 1 Mar 2019 13:56:11 +0100 +Subject: drm/vc4: Fix memory leak during gpu reset. + +From: Maarten Lankhorst + +commit d08106796a78a4273e39e1bbdf538dc4334b2635 upstream. + +__drm_atomic_helper_crtc_destroy_state does not free memory, it only +cleans it up. Fix this by calling the functions own destroy function. + +Fixes: 6d6e50039187 ("drm/vc4: Allocate the right amount of space for boot-time CRTC state.") +Cc: Eric Anholt +Cc: # v4.6+ +Reviewed-by: Eric Anholt +Signed-off-by: Maarten Lankhorst +Link: https://patchwork.freedesktop.org/patch/msgid/20190301125627.7285-2-maarten.lankhorst@linux.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/vc4/vc4_crtc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/vc4/vc4_crtc.c ++++ b/drivers/gpu/drm/vc4/vc4_crtc.c +@@ -999,7 +999,7 @@ static void + vc4_crtc_reset(struct drm_crtc *crtc) + { + if (crtc->state) +- __drm_atomic_helper_crtc_destroy_state(crtc->state); ++ vc4_crtc_destroy_state(crtc->state); + + crtc->state = kzalloc(sizeof(struct vc4_crtc_state), GFP_KERNEL); + if (crtc->state) diff --git a/queue-5.0/ext4-fix-some-error-pointer-dereferences.patch b/queue-5.0/ext4-fix-some-error-pointer-dereferences.patch new file mode 100644 index 00000000000..9e7c4b1bda8 --- /dev/null +++ b/queue-5.0/ext4-fix-some-error-pointer-dereferences.patch @@ -0,0 +1,47 @@ +From 7159a986b4202343f6cca3bb8079ecace5816fd6 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Thu, 21 Feb 2019 11:17:34 -0500 +Subject: ext4: fix some error pointer dereferences + +From: Dan Carpenter + +commit 7159a986b4202343f6cca3bb8079ecace5816fd6 upstream. + +We can't pass error pointers to brelse(). + +Fixes: fb265c9cb49e ("ext4: add ext4_sb_bread() to disambiguate ENOMEM cases") +Signed-off-by: Dan Carpenter +Signed-off-by: Theodore Ts'o +Reviewed-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/xattr.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -829,6 +829,7 @@ int ext4_get_inode_usage(struct inode *i + bh = ext4_sb_bread(inode->i_sb, EXT4_I(inode)->i_file_acl, REQ_PRIO); + if (IS_ERR(bh)) { + ret = PTR_ERR(bh); ++ bh = NULL; + goto out; + } + +@@ -2903,6 +2904,7 @@ int ext4_xattr_delete_inode(handle_t *ha + if (error == -EIO) + EXT4_ERROR_INODE(inode, "block %llu read error", + EXT4_I(inode)->i_file_acl); ++ bh = NULL; + goto cleanup; + } + error = ext4_xattr_check_block(inode, bh); +@@ -3059,6 +3061,7 @@ ext4_xattr_block_cache_find(struct inode + if (IS_ERR(bh)) { + if (PTR_ERR(bh) == -ENOMEM) + return NULL; ++ bh = NULL; + EXT4_ERROR_INODE(inode, "block %lu read error", + (unsigned long)ce->e_value); + } else if (ext4_xattr_cmp(header, BHDR(bh)) == 0) { diff --git a/queue-5.0/input-synaptics-rmi4-write-config-register-values-to-the-right-offset.patch b/queue-5.0/input-synaptics-rmi4-write-config-register-values-to-the-right-offset.patch new file mode 100644 index 00000000000..d6257174866 --- /dev/null +++ b/queue-5.0/input-synaptics-rmi4-write-config-register-values-to-the-right-offset.patch @@ -0,0 +1,35 @@ +From 3a349763cf11e63534b8f2d302f2d0c790566497 Mon Sep 17 00:00:00 2001 +From: Lucas Stach +Date: Fri, 26 Apr 2019 17:22:01 -0700 +Subject: Input: synaptics-rmi4 - write config register values to the right offset + +From: Lucas Stach + +commit 3a349763cf11e63534b8f2d302f2d0c790566497 upstream. + +Currently any changed config register values don't take effect, as the +function to write them back is called with the wrong register offset. + +Fixes: ff8f83708b3e (Input: synaptics-rmi4 - add support for 2D + sensors and F11) +Signed-off-by: Lucas Stach +Reviewed-by: Philipp Zabel +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/rmi4/rmi_f11.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/input/rmi4/rmi_f11.c ++++ b/drivers/input/rmi4/rmi_f11.c +@@ -1230,7 +1230,7 @@ static int rmi_f11_initialize(struct rmi + } + + rc = f11_write_control_regs(fn, &f11->sens_query, +- &f11->dev_controls, fn->fd.query_base_addr); ++ &f11->dev_controls, fn->fd.control_base_addr); + if (rc) + dev_warn(&fn->dev, "Failed to write control registers\n"); + diff --git a/queue-5.0/nfsd-don-t-release-the-callback-slot-unless-it-was-actually-held.patch b/queue-5.0/nfsd-don-t-release-the-callback-slot-unless-it-was-actually-held.patch new file mode 100644 index 00000000000..f2882099dd0 --- /dev/null +++ b/queue-5.0/nfsd-don-t-release-the-callback-slot-unless-it-was-actually-held.patch @@ -0,0 +1,82 @@ +From e6abc8caa6deb14be2a206253f7e1c5e37e9515b Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Fri, 5 Apr 2019 08:54:37 -0700 +Subject: nfsd: Don't release the callback slot unless it was actually held + +From: Trond Myklebust + +commit e6abc8caa6deb14be2a206253f7e1c5e37e9515b upstream. + +If there are multiple callbacks queued, waiting for the callback +slot when the callback gets shut down, then they all currently +end up acting as if they hold the slot, and call +nfsd4_cb_sequence_done() resulting in interesting side-effects. + +In addition, the 'retry_nowait' path in nfsd4_cb_sequence_done() +causes a loop back to nfsd4_cb_prepare() without first freeing the +slot, which causes a deadlock when nfsd41_cb_get_slot() gets called +a second time. + +This patch therefore adds a boolean to track whether or not the +callback did pick up the slot, so that it can do the right thing +in these 2 cases. + +Cc: stable@vger.kernel.org +Signed-off-by: Trond Myklebust +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfsd/nfs4callback.c | 8 +++++++- + fs/nfsd/state.h | 1 + + 2 files changed, 8 insertions(+), 1 deletion(-) + +--- a/fs/nfsd/nfs4callback.c ++++ b/fs/nfsd/nfs4callback.c +@@ -1023,8 +1023,9 @@ static void nfsd4_cb_prepare(struct rpc_ + cb->cb_seq_status = 1; + cb->cb_status = 0; + if (minorversion) { +- if (!nfsd41_cb_get_slot(clp, task)) ++ if (!cb->cb_holds_slot && !nfsd41_cb_get_slot(clp, task)) + return; ++ cb->cb_holds_slot = true; + } + rpc_call_start(task); + } +@@ -1051,6 +1052,9 @@ static bool nfsd4_cb_sequence_done(struc + return true; + } + ++ if (!cb->cb_holds_slot) ++ goto need_restart; ++ + switch (cb->cb_seq_status) { + case 0: + /* +@@ -1089,6 +1093,7 @@ static bool nfsd4_cb_sequence_done(struc + cb->cb_seq_status); + } + ++ cb->cb_holds_slot = false; + clear_bit(0, &clp->cl_cb_slot_busy); + rpc_wake_up_next(&clp->cl_cb_waitq); + dprintk("%s: freed slot, new seqid=%d\n", __func__, +@@ -1296,6 +1301,7 @@ void nfsd4_init_cb(struct nfsd4_callback + cb->cb_seq_status = 1; + cb->cb_status = 0; + cb->cb_need_restart = false; ++ cb->cb_holds_slot = false; + } + + void nfsd4_run_cb(struct nfsd4_callback *cb) +--- a/fs/nfsd/state.h ++++ b/fs/nfsd/state.h +@@ -70,6 +70,7 @@ struct nfsd4_callback { + int cb_seq_status; + int cb_status; + bool cb_need_restart; ++ bool cb_holds_slot; + }; + + struct nfsd4_callback_ops { diff --git a/queue-5.0/nfsd-wake-blocked-file-lock-waiters-before-sending-callback.patch b/queue-5.0/nfsd-wake-blocked-file-lock-waiters-before-sending-callback.patch new file mode 100644 index 00000000000..44e24b503a5 --- /dev/null +++ b/queue-5.0/nfsd-wake-blocked-file-lock-waiters-before-sending-callback.patch @@ -0,0 +1,56 @@ +From f456458e4d25a8962d0946891617c76cc3ff5fb9 Mon Sep 17 00:00:00 2001 +From: Jeff Layton +Date: Mon, 22 Apr 2019 12:34:24 -0400 +Subject: nfsd: wake blocked file lock waiters before sending callback + +From: Jeff Layton + +commit f456458e4d25a8962d0946891617c76cc3ff5fb9 upstream. + +When a blocked NFS lock is "awoken" we send a callback to the server and +then wake any hosts waiting on it. If a client attempts to get a lock +and then drops off the net, we could end up waiting for a long time +until we end up waking locks blocked on that request. + +So, wake any other waiting lock requests before sending the callback. +Do this by calling locks_delete_block in a new "prepare" phase for +CB_NOTIFY_LOCK callbacks. + +URL: https://bugzilla.kernel.org/show_bug.cgi?id=203363 +Fixes: 16306a61d3b7 ("fs/locks: always delete_block after waiting.") +Reported-by: Slawomir Pryczek +Cc: Neil Brown +Cc: stable@vger.kernel.org +Signed-off-by: Jeff Layton +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfsd/nfs4state.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -298,6 +298,14 @@ remove_blocked_locks(struct nfs4_lockown + } + } + ++static void ++nfsd4_cb_notify_lock_prepare(struct nfsd4_callback *cb) ++{ ++ struct nfsd4_blocked_lock *nbl = container_of(cb, ++ struct nfsd4_blocked_lock, nbl_cb); ++ locks_delete_block(&nbl->nbl_lock); ++} ++ + static int + nfsd4_cb_notify_lock_done(struct nfsd4_callback *cb, struct rpc_task *task) + { +@@ -325,6 +333,7 @@ nfsd4_cb_notify_lock_release(struct nfsd + } + + static const struct nfsd4_callback_ops nfsd4_cb_notify_lock_ops = { ++ .prepare = nfsd4_cb_notify_lock_prepare, + .done = nfsd4_cb_notify_lock_done, + .release = nfsd4_cb_notify_lock_release, + }; diff --git a/queue-5.0/nfsd-wake-waiters-blocked-on-file_lock-before-deleting-it.patch b/queue-5.0/nfsd-wake-waiters-blocked-on-file_lock-before-deleting-it.patch new file mode 100644 index 00000000000..afef7c0c255 --- /dev/null +++ b/queue-5.0/nfsd-wake-waiters-blocked-on-file_lock-before-deleting-it.patch @@ -0,0 +1,58 @@ +From 6aaafc43a4ecc5bc8a3f6a2811d5eddc996a97f3 Mon Sep 17 00:00:00 2001 +From: Jeff Layton +Date: Mon, 22 Apr 2019 12:34:23 -0400 +Subject: nfsd: wake waiters blocked on file_lock before deleting it + +From: Jeff Layton + +commit 6aaafc43a4ecc5bc8a3f6a2811d5eddc996a97f3 upstream. + +After a blocked nfsd file_lock request is deleted, knfsd will send a +callback to the client and then free the request. Commit 16306a61d3b7 +("fs/locks: always delete_block after waiting.") changed it such that +locks_delete_block is always called on a request after it is awoken, +but that patch missed fixing up blocked nfsd request handling. + +Call locks_delete_block on the block to wake up any locks still blocked +on the nfsd lock request before freeing it. Some of its callers already +do this however, so just remove those calls. + +URL: https://bugzilla.kernel.org/show_bug.cgi?id=203363 +Fixes: 16306a61d3b7 ("fs/locks: always delete_block after waiting.") +Reported-by: Slawomir Pryczek +Cc: Neil Brown +Cc: stable@vger.kernel.org +Signed-off-by: Jeff Layton +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfsd/nfs4state.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -265,6 +265,7 @@ find_or_allocate_block(struct nfs4_locko + static void + free_blocked_lock(struct nfsd4_blocked_lock *nbl) + { ++ locks_delete_block(&nbl->nbl_lock); + locks_release_private(&nbl->nbl_lock); + kfree(nbl); + } +@@ -293,7 +294,6 @@ remove_blocked_locks(struct nfs4_lockown + nbl = list_first_entry(&reaplist, struct nfsd4_blocked_lock, + nbl_lru); + list_del_init(&nbl->nbl_lru); +- locks_delete_block(&nbl->nbl_lock); + free_blocked_lock(nbl); + } + } +@@ -4863,7 +4863,6 @@ nfs4_laundromat(struct nfsd_net *nn) + nbl = list_first_entry(&reaplist, + struct nfsd4_blocked_lock, nbl_lru); + list_del_init(&nbl->nbl_lru); +- locks_delete_block(&nbl->nbl_lock); + free_blocked_lock(nbl); + } + out: diff --git a/queue-5.0/perf-x86-intel-update-kbl-package-c-state-events-to-also-include-pc8-pc9-pc10-counters.patch b/queue-5.0/perf-x86-intel-update-kbl-package-c-state-events-to-also-include-pc8-pc9-pc10-counters.patch new file mode 100644 index 00000000000..c5f39830a41 --- /dev/null +++ b/queue-5.0/perf-x86-intel-update-kbl-package-c-state-events-to-also-include-pc8-pc9-pc10-counters.patch @@ -0,0 +1,70 @@ +From 82c99f7a81f28f8c1be5f701c8377d14c4075b10 Mon Sep 17 00:00:00 2001 +From: Harry Pan +Date: Wed, 24 Apr 2019 22:50:33 +0800 +Subject: perf/x86/intel: Update KBL Package C-state events to also include PC8/PC9/PC10 counters + +From: Harry Pan + +commit 82c99f7a81f28f8c1be5f701c8377d14c4075b10 upstream. + +Kaby Lake (and Coffee Lake) has PC8/PC9/PC10 residency counters. + +This patch updates the list of Kaby/Coffee Lake PMU event counters +from the snb_cstates[] list of events to the hswult_cstates[] +list of events, which keeps all previously supported events and +also adds the PKG_C8, PKG_C9 and PKG_C10 residency counters. + +This allows user space tools to profile them through the perf interface. + +Signed-off-by: Harry Pan +Cc: +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Borislav Petkov +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Cc: gs0622@gmail.com +Link: http://lkml.kernel.org/r/20190424145033.1924-1-harry.pan@intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/events/intel/cstate.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/arch/x86/events/intel/cstate.c ++++ b/arch/x86/events/intel/cstate.c +@@ -76,15 +76,15 @@ + * Scope: Package (physical package) + * MSR_PKG_C8_RESIDENCY: Package C8 Residency Counter. + * perf code: 0x04 +- * Available model: HSW ULT,CNL ++ * Available model: HSW ULT,KBL,CNL + * Scope: Package (physical package) + * MSR_PKG_C9_RESIDENCY: Package C9 Residency Counter. + * perf code: 0x05 +- * Available model: HSW ULT,CNL ++ * Available model: HSW ULT,KBL,CNL + * Scope: Package (physical package) + * MSR_PKG_C10_RESIDENCY: Package C10 Residency Counter. + * perf code: 0x06 +- * Available model: HSW ULT,GLM,CNL ++ * Available model: HSW ULT,KBL,GLM,CNL + * Scope: Package (physical package) + * + */ +@@ -572,8 +572,8 @@ static const struct x86_cpu_id intel_cst + X86_CSTATES_MODEL(INTEL_FAM6_SKYLAKE_DESKTOP, snb_cstates), + X86_CSTATES_MODEL(INTEL_FAM6_SKYLAKE_X, snb_cstates), + +- X86_CSTATES_MODEL(INTEL_FAM6_KABYLAKE_MOBILE, snb_cstates), +- X86_CSTATES_MODEL(INTEL_FAM6_KABYLAKE_DESKTOP, snb_cstates), ++ X86_CSTATES_MODEL(INTEL_FAM6_KABYLAKE_MOBILE, hswult_cstates), ++ X86_CSTATES_MODEL(INTEL_FAM6_KABYLAKE_DESKTOP, hswult_cstates), + + X86_CSTATES_MODEL(INTEL_FAM6_CANNONLAKE_MOBILE, cnl_cstates), + diff --git a/queue-5.0/powerpc-mm-radix-make-radix-require-hugetlb_page.patch b/queue-5.0/powerpc-mm-radix-make-radix-require-hugetlb_page.patch new file mode 100644 index 00000000000..d9db62c383b --- /dev/null +++ b/queue-5.0/powerpc-mm-radix-make-radix-require-hugetlb_page.patch @@ -0,0 +1,99 @@ +From 8adddf349fda0d3de2f6bb41ddf838cbf36a8ad2 Mon Sep 17 00:00:00 2001 +From: Michael Ellerman +Date: Tue, 16 Apr 2019 23:59:02 +1000 +Subject: powerpc/mm/radix: Make Radix require HUGETLB_PAGE + +From: Michael Ellerman + +commit 8adddf349fda0d3de2f6bb41ddf838cbf36a8ad2 upstream. + +Joel reported weird crashes using skiroot_defconfig, in his case we +jumped into an NX page: + + kernel tried to execute exec-protected page (c000000002bff4f0) - exploit attempt? (uid: 0) + BUG: Unable to handle kernel instruction fetch + Faulting instruction address: 0xc000000002bff4f0 + +Looking at the disassembly, we had simply branched to that address: + + c000000000c001bc 49fff335 bl c000000002bff4f0 + +But that didn't match the original kernel image: + + c000000000c001bc 4bfff335 bl c000000000bff4f0 + +When STRICT_KERNEL_RWX is enabled, and we're using the radix MMU, we +call radix__change_memory_range() late in boot to change page +protections. We do that both to mark rodata read only and also to mark +init text no-execute. That involves walking the kernel page tables, +and clearing _PAGE_WRITE or _PAGE_EXEC respectively. + +With radix we may use hugepages for the linear mapping, so the code in +radix__change_memory_range() uses eg. pmd_huge() to test if it has +found a huge mapping, and if so it stops the page table walk and +changes the PMD permissions. + +However if the kernel is built without HUGETLBFS support, pmd_huge() +is just a #define that always returns 0. That causes the code in +radix__change_memory_range() to incorrectly interpret the PMD value as +a pointer to a PTE page rather than as a PTE at the PMD level. + +We can see this using `dv` in xmon which also uses pmd_huge(): + + 0:mon> dv c000000000000000 + pgd @ 0xc000000001740000 + pgdp @ 0xc000000001740000 = 0x80000000ffffb009 + pudp @ 0xc0000000ffffb000 = 0x80000000ffffa009 + pmdp @ 0xc0000000ffffa000 = 0xc00000000000018f <- this is a PTE + ptep @ 0xc000000000000100 = 0xa64bb17da64ab07d <- kernel text + +The end result is we treat the value at 0xc000000000000100 as a PTE +and clear _PAGE_WRITE or _PAGE_EXEC, potentially corrupting the code +at that address. + +In Joel's specific case we cleared the sign bit in the offset of the +branch, causing a backward branch to turn into a forward branch which +caused us to branch into a non-executable page. However the exact +nature of the crash depends on kernel version, compiler version, and +other factors. + +We need to fix radix__change_memory_range() to not use accessors that +depend on HUGETLBFS, but we also have radix memory hotplug code that +uses pmd_huge() etc that will also need fixing. So for now just +disallow the broken combination of Radix with HUGETLBFS disabled. + +The only defconfig we have that is affected is skiroot_defconfig, so +turn on HUGETLBFS there so that it still gets Radix. + +Fixes: 566ca99af026 ("powerpc/mm/radix: Add dummy radix_enabled()") +Cc: stable@vger.kernel.org # v4.7+ +Reported-by: Joel Stanley +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/configs/skiroot_defconfig | 1 + + arch/powerpc/platforms/Kconfig.cputype | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/powerpc/configs/skiroot_defconfig ++++ b/arch/powerpc/configs/skiroot_defconfig +@@ -260,6 +260,7 @@ CONFIG_UDF_FS=m + CONFIG_MSDOS_FS=m + CONFIG_VFAT_FS=m + CONFIG_PROC_KCORE=y ++CONFIG_HUGETLBFS=y + # CONFIG_MISC_FILESYSTEMS is not set + # CONFIG_NETWORK_FILESYSTEMS is not set + CONFIG_NLS=y +--- a/arch/powerpc/platforms/Kconfig.cputype ++++ b/arch/powerpc/platforms/Kconfig.cputype +@@ -318,7 +318,7 @@ config ARCH_ENABLE_SPLIT_PMD_PTLOCK + + config PPC_RADIX_MMU + bool "Radix MMU Support" +- depends on PPC_BOOK3S_64 ++ depends on PPC_BOOK3S_64 && HUGETLB_PAGE + select ARCH_HAS_GIGANTIC_PAGE if (MEMORY_ISOLATION && COMPACTION) || CMA + default y + help diff --git a/queue-5.0/revert-drm-i915-fbdev-actually-configure-untiled-displays.patch b/queue-5.0/revert-drm-i915-fbdev-actually-configure-untiled-displays.patch new file mode 100644 index 00000000000..92d00ce3975 --- /dev/null +++ b/queue-5.0/revert-drm-i915-fbdev-actually-configure-untiled-displays.patch @@ -0,0 +1,72 @@ +From 9fa246256e09dc30820524401cdbeeaadee94025 Mon Sep 17 00:00:00 2001 +From: Dave Airlie +Date: Wed, 24 Apr 2019 10:47:56 +1000 +Subject: Revert "drm/i915/fbdev: Actually configure untiled displays" + +From: Dave Airlie + +commit 9fa246256e09dc30820524401cdbeeaadee94025 upstream. + +This reverts commit d179b88deb3bf6fed4991a31fd6f0f2cad21fab5. + +This commit is documented to break userspace X.org modesetting driver in certain configurations. + +The X.org modesetting userspace driver is broken. No fixes are available yet. In order for this patch to be applied it either needs a config option or a workaround developed. + +This has been reported a few times, saying it's a userspace problem is clearly against the regression rules. + +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=109806 +Signed-off-by: Dave Airlie +Cc: # v3.19+ +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/intel_fbdev.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +--- a/drivers/gpu/drm/i915/intel_fbdev.c ++++ b/drivers/gpu/drm/i915/intel_fbdev.c +@@ -336,8 +336,8 @@ static bool intel_fb_initial_config(stru + bool *enabled, int width, int height) + { + struct drm_i915_private *dev_priv = to_i915(fb_helper->dev); ++ unsigned long conn_configured, conn_seq, mask; + unsigned int count = min(fb_helper->connector_count, BITS_PER_LONG); +- unsigned long conn_configured, conn_seq; + int i, j; + bool *save_enabled; + bool fallback = true, ret = true; +@@ -355,9 +355,10 @@ static bool intel_fb_initial_config(stru + drm_modeset_backoff(&ctx); + + memcpy(save_enabled, enabled, count); +- conn_seq = GENMASK(count - 1, 0); ++ mask = GENMASK(count - 1, 0); + conn_configured = 0; + retry: ++ conn_seq = conn_configured; + for (i = 0; i < count; i++) { + struct drm_fb_helper_connector *fb_conn; + struct drm_connector *connector; +@@ -370,8 +371,7 @@ retry: + if (conn_configured & BIT(i)) + continue; + +- /* First pass, only consider tiled connectors */ +- if (conn_seq == GENMASK(count - 1, 0) && !connector->has_tile) ++ if (conn_seq == 0 && !connector->has_tile) + continue; + + if (connector->status == connector_status_connected) +@@ -475,10 +475,8 @@ retry: + conn_configured |= BIT(i); + } + +- if (conn_configured != conn_seq) { /* repeat until no more are found */ +- conn_seq = conn_configured; ++ if ((conn_configured & mask) != mask && conn_configured != conn_seq) + goto retry; +- } + + /* + * If the BIOS didn't enable everything it could, fall back to have the diff --git a/queue-5.0/series b/queue-5.0/series index 0e28fa524cc..be4383ab715 100644 --- a/queue-5.0/series +++ b/queue-5.0/series @@ -24,3 +24,25 @@ rdma-mlx5-do-not-allow-the-user-to-write-to-the-clock-page.patch rdma-mlx5-use-rdma_user_map_io-for-mapping-bar-pages.patch rdma-ucontext-fix-regression-with-disassociate.patch sched-numa-fix-a-possible-divide-by-zero.patch +ceph-only-use-d_name-directly-when-parent-is-locked.patch +ceph-ensure-d_name-stability-in-ceph_dentry_hash.patch +ceph-fix-ci-i_head_snapc-leak.patch +nfsd-don-t-release-the-callback-slot-unless-it-was-actually-held.patch +nfsd-wake-waiters-blocked-on-file_lock-before-deleting-it.patch +nfsd-wake-blocked-file-lock-waiters-before-sending-callback.patch +sunrpc-don-t-mark-uninitialised-items-as-valid.patch +perf-x86-intel-update-kbl-package-c-state-events-to-also-include-pc8-pc9-pc10-counters.patch +input-synaptics-rmi4-write-config-register-values-to-the-right-offset.patch +vfio-type1-limit-dma-mappings-per-container.patch +dmaengine-sh-rcar-dmac-with-cyclic-dma-residue-0-is-valid.patch +dmaengine-sh-rcar-dmac-fix-glitch-in-dmaengine_tx_status.patch +dmaengine-mediatek-cqdma-fix-wrong-register-usage-in-mtk_cqdma_start.patch +arm-8857-1-efi-enable-cp15-dmb-instructions-before-cleaning-the-cache.patch +powerpc-mm-radix-make-radix-require-hugetlb_page.patch +drm-vc4-fix-memory-leak-during-gpu-reset.patch +drm-ttm-fix-re-init-of-global-structures.patch +revert-drm-i915-fbdev-actually-configure-untiled-displays.patch +drm-vc4-fix-compilation-error-reported-by-kbuild-test-bot.patch +usb-add-new-usb-lpm-helpers.patch +usb-consolidate-lpm-checks-to-avoid-enabling-lpm-twice.patch +ext4-fix-some-error-pointer-dereferences.patch diff --git a/queue-5.0/sunrpc-don-t-mark-uninitialised-items-as-valid.patch b/queue-5.0/sunrpc-don-t-mark-uninitialised-items-as-valid.patch new file mode 100644 index 00000000000..14917009e99 --- /dev/null +++ b/queue-5.0/sunrpc-don-t-mark-uninitialised-items-as-valid.patch @@ -0,0 +1,57 @@ +From d58431eacb226222430940134d97bfd72f292fcd Mon Sep 17 00:00:00 2001 +From: NeilBrown +Date: Fri, 5 Apr 2019 11:34:40 +1100 +Subject: sunrpc: don't mark uninitialised items as VALID. + +From: NeilBrown + +commit d58431eacb226222430940134d97bfd72f292fcd upstream. + +A recent commit added a call to cache_fresh_locked() +when an expired item was found. +The call sets the CACHE_VALID flag, so it is important +that the item actually is valid. +There are two ways it could be valid: +1/ If ->update has been called to fill in relevant content +2/ if CACHE_NEGATIVE is set, to say that content doesn't exist. + +An expired item that is waiting for an update will be neither. +Setting CACHE_VALID will mean that a subsequent call to cache_put() +will be likely to dereference uninitialised pointers. + +So we must make sure the item is valid, and we already have code to do +that in try_to_negate_entry(). This takes the hash lock and so cannot +be used directly, so take out the two lines that we need and use them. + +Now cache_fresh_locked() is certain to be called only on +a valid item. + +Cc: stable@kernel.org # 2.6.35 +Fixes: 4ecd55ea0742 ("sunrpc: fix cache_head leak due to queued request") +Signed-off-by: NeilBrown +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + net/sunrpc/cache.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/sunrpc/cache.c ++++ b/net/sunrpc/cache.c +@@ -54,6 +54,7 @@ static void cache_init(struct cache_head + h->last_refresh = now; + } + ++static inline int cache_is_valid(struct cache_head *h); + static void cache_fresh_locked(struct cache_head *head, time_t expiry, + struct cache_detail *detail); + static void cache_fresh_unlocked(struct cache_head *head, +@@ -105,6 +106,8 @@ static struct cache_head *sunrpc_cache_a + if (cache_is_expired(detail, tmp)) { + hlist_del_init_rcu(&tmp->cache_list); + detail->entries --; ++ if (cache_is_valid(tmp) == -EAGAIN) ++ set_bit(CACHE_NEGATIVE, &tmp->flags); + cache_fresh_locked(tmp, 0, detail); + freeme = tmp; + break; diff --git a/queue-5.0/usb-add-new-usb-lpm-helpers.patch b/queue-5.0/usb-add-new-usb-lpm-helpers.patch new file mode 100644 index 00000000000..be18c1b9d91 --- /dev/null +++ b/queue-5.0/usb-add-new-usb-lpm-helpers.patch @@ -0,0 +1,160 @@ +From 7529b2574a7aaf902f1f8159fbc2a7caa74be559 Mon Sep 17 00:00:00 2001 +From: Kai-Heng Feng +Date: Sat, 12 Jan 2019 03:54:24 +0800 +Subject: USB: Add new USB LPM helpers + +From: Kai-Heng Feng + +commit 7529b2574a7aaf902f1f8159fbc2a7caa74be559 upstream. + +Use new helpers to make LPM enabling/disabling more clear. + +This is a preparation to subsequent patch. + +Signed-off-by: Kai-Heng Feng +Cc: stable # after much soaking +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/driver.c | 12 +++++++++++- + drivers/usb/core/hub.c | 12 ++++++------ + drivers/usb/core/message.c | 2 +- + drivers/usb/core/sysfs.c | 5 ++++- + drivers/usb/core/usb.h | 10 ++++++++-- + 5 files changed, 30 insertions(+), 11 deletions(-) + +--- a/drivers/usb/core/driver.c ++++ b/drivers/usb/core/driver.c +@@ -1896,7 +1896,7 @@ int usb_runtime_idle(struct device *dev) + return -EBUSY; + } + +-int usb_set_usb2_hardware_lpm(struct usb_device *udev, int enable) ++static int usb_set_usb2_hardware_lpm(struct usb_device *udev, int enable) + { + struct usb_hcd *hcd = bus_to_hcd(udev->bus); + int ret = -EPERM; +@@ -1913,6 +1913,16 @@ int usb_set_usb2_hardware_lpm(struct usb + return ret; + } + ++int usb_enable_usb2_hardware_lpm(struct usb_device *udev) ++{ ++ return usb_set_usb2_hardware_lpm(udev, 1); ++} ++ ++int usb_disable_usb2_hardware_lpm(struct usb_device *udev) ++{ ++ return usb_set_usb2_hardware_lpm(udev, 0); ++} ++ + #endif /* CONFIG_PM */ + + struct bus_type usb_bus_type = { +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -3221,7 +3221,7 @@ int usb_port_suspend(struct usb_device * + + /* disable USB2 hardware LPM */ + if (udev->usb2_hw_lpm_enabled == 1) +- usb_set_usb2_hardware_lpm(udev, 0); ++ usb_disable_usb2_hardware_lpm(udev); + + if (usb_disable_ltm(udev)) { + dev_err(&udev->dev, "Failed to disable LTM before suspend\n"); +@@ -3260,7 +3260,7 @@ int usb_port_suspend(struct usb_device * + err_ltm: + /* Try to enable USB2 hardware LPM again */ + if (udev->usb2_hw_lpm_capable == 1) +- usb_set_usb2_hardware_lpm(udev, 1); ++ usb_enable_usb2_hardware_lpm(udev); + + if (udev->do_remote_wakeup) + (void) usb_disable_remote_wakeup(udev); +@@ -3544,7 +3544,7 @@ int usb_port_resume(struct usb_device *u + } else { + /* Try to enable USB2 hardware LPM */ + if (udev->usb2_hw_lpm_capable == 1) +- usb_set_usb2_hardware_lpm(udev, 1); ++ usb_enable_usb2_hardware_lpm(udev); + + /* Try to enable USB3 LTM */ + usb_enable_ltm(udev); +@@ -4435,7 +4435,7 @@ static void hub_set_initial_usb2_lpm_pol + if ((udev->bos->ext_cap->bmAttributes & cpu_to_le32(USB_BESL_SUPPORT)) || + connect_type == USB_PORT_CONNECT_TYPE_HARD_WIRED) { + udev->usb2_hw_lpm_allowed = 1; +- usb_set_usb2_hardware_lpm(udev, 1); ++ usb_enable_usb2_hardware_lpm(udev); + } + } + +@@ -5650,7 +5650,7 @@ static int usb_reset_and_verify_device(s + * It will be re-enabled by the enumeration process. + */ + if (udev->usb2_hw_lpm_enabled == 1) +- usb_set_usb2_hardware_lpm(udev, 0); ++ usb_disable_usb2_hardware_lpm(udev); + + /* Disable LPM while we reset the device and reinstall the alt settings. + * Device-initiated LPM, and system exit latency settings are cleared +@@ -5753,7 +5753,7 @@ static int usb_reset_and_verify_device(s + + done: + /* Now that the alt settings are re-installed, enable LTM and LPM. */ +- usb_set_usb2_hardware_lpm(udev, 1); ++ usb_enable_usb2_hardware_lpm(udev); + usb_unlocked_enable_lpm(udev); + usb_enable_ltm(udev); + usb_release_bos_descriptor(udev); +--- a/drivers/usb/core/message.c ++++ b/drivers/usb/core/message.c +@@ -1244,7 +1244,7 @@ void usb_disable_device(struct usb_devic + } + + if (dev->usb2_hw_lpm_enabled == 1) +- usb_set_usb2_hardware_lpm(dev, 0); ++ usb_disable_usb2_hardware_lpm(dev); + usb_unlocked_disable_lpm(dev); + usb_disable_ltm(dev); + +--- a/drivers/usb/core/sysfs.c ++++ b/drivers/usb/core/sysfs.c +@@ -528,7 +528,10 @@ static ssize_t usb2_hardware_lpm_store(s + + if (!ret) { + udev->usb2_hw_lpm_allowed = value; +- ret = usb_set_usb2_hardware_lpm(udev, value); ++ if (value) ++ ret = usb_enable_usb2_hardware_lpm(udev); ++ else ++ ret = usb_disable_usb2_hardware_lpm(udev); + } + + usb_unlock_device(udev); +--- a/drivers/usb/core/usb.h ++++ b/drivers/usb/core/usb.h +@@ -92,7 +92,8 @@ extern int usb_remote_wakeup(struct usb_ + extern int usb_runtime_suspend(struct device *dev); + extern int usb_runtime_resume(struct device *dev); + extern int usb_runtime_idle(struct device *dev); +-extern int usb_set_usb2_hardware_lpm(struct usb_device *udev, int enable); ++extern int usb_enable_usb2_hardware_lpm(struct usb_device *udev); ++extern int usb_disable_usb2_hardware_lpm(struct usb_device *udev); + + #else + +@@ -112,7 +113,12 @@ static inline int usb_autoresume_device( + return 0; + } + +-static inline int usb_set_usb2_hardware_lpm(struct usb_device *udev, int enable) ++static inline int usb_enable_usb2_hardware_lpm(struct usb_device *udev) ++{ ++ return 0; ++} ++ ++static inline int usb_disable_usb2_hardware_lpm(struct usb_device *udev) + { + return 0; + } diff --git a/queue-5.0/usb-consolidate-lpm-checks-to-avoid-enabling-lpm-twice.patch b/queue-5.0/usb-consolidate-lpm-checks-to-avoid-enabling-lpm-twice.patch new file mode 100644 index 00000000000..f8f4883340e --- /dev/null +++ b/queue-5.0/usb-consolidate-lpm-checks-to-avoid-enabling-lpm-twice.patch @@ -0,0 +1,125 @@ +From d7a6c0ce8d26412903c7981503bad9e1cc7c45d2 Mon Sep 17 00:00:00 2001 +From: Kai-Heng Feng +Date: Sat, 12 Jan 2019 03:54:25 +0800 +Subject: USB: Consolidate LPM checks to avoid enabling LPM twice +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kai-Heng Feng + +commit d7a6c0ce8d26412903c7981503bad9e1cc7c45d2 upstream. + +USB Bluetooth controller QCA ROME (0cf3:e007) sometimes stops working +after S3: +[ 165.110742] Bluetooth: hci0: using NVM file: qca/nvm_usb_00000302.bin +[ 168.432065] Bluetooth: hci0: Failed to send body at 4 of 1953 (-110) + +After some experiments, I found that disabling LPM can workaround the +issue. + +On some platforms, the USB power is cut during S3, so the driver uses +reset-resume to resume the device. During port resume, LPM gets enabled +twice, by usb_reset_and_verify_device() and usb_port_resume(). + +Consolidate all checks into new LPM helpers to make sure LPM only gets +enabled once. + +Fixes: de68bab4fa96 ("usb: Don't enable USB 2.0 Link PM by default.”) +Signed-off-by: Kai-Heng Feng +Cc: stable # after much soaking +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/driver.c | 11 ++++++++--- + drivers/usb/core/hub.c | 12 ++++-------- + drivers/usb/core/message.c | 3 +-- + 3 files changed, 13 insertions(+), 13 deletions(-) + +--- a/drivers/usb/core/driver.c ++++ b/drivers/usb/core/driver.c +@@ -1901,9 +1901,6 @@ static int usb_set_usb2_hardware_lpm(str + struct usb_hcd *hcd = bus_to_hcd(udev->bus); + int ret = -EPERM; + +- if (enable && !udev->usb2_hw_lpm_allowed) +- return 0; +- + if (hcd->driver->set_usb2_hw_lpm) { + ret = hcd->driver->set_usb2_hw_lpm(hcd, udev, enable); + if (!ret) +@@ -1915,11 +1912,19 @@ static int usb_set_usb2_hardware_lpm(str + + int usb_enable_usb2_hardware_lpm(struct usb_device *udev) + { ++ if (!udev->usb2_hw_lpm_capable || ++ !udev->usb2_hw_lpm_allowed || ++ udev->usb2_hw_lpm_enabled) ++ return 0; ++ + return usb_set_usb2_hardware_lpm(udev, 1); + } + + int usb_disable_usb2_hardware_lpm(struct usb_device *udev) + { ++ if (!udev->usb2_hw_lpm_enabled) ++ return 0; ++ + return usb_set_usb2_hardware_lpm(udev, 0); + } + +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -3220,8 +3220,7 @@ int usb_port_suspend(struct usb_device * + } + + /* disable USB2 hardware LPM */ +- if (udev->usb2_hw_lpm_enabled == 1) +- usb_disable_usb2_hardware_lpm(udev); ++ usb_disable_usb2_hardware_lpm(udev); + + if (usb_disable_ltm(udev)) { + dev_err(&udev->dev, "Failed to disable LTM before suspend\n"); +@@ -3259,8 +3258,7 @@ int usb_port_suspend(struct usb_device * + usb_enable_ltm(udev); + err_ltm: + /* Try to enable USB2 hardware LPM again */ +- if (udev->usb2_hw_lpm_capable == 1) +- usb_enable_usb2_hardware_lpm(udev); ++ usb_enable_usb2_hardware_lpm(udev); + + if (udev->do_remote_wakeup) + (void) usb_disable_remote_wakeup(udev); +@@ -3543,8 +3541,7 @@ int usb_port_resume(struct usb_device *u + hub_port_logical_disconnect(hub, port1); + } else { + /* Try to enable USB2 hardware LPM */ +- if (udev->usb2_hw_lpm_capable == 1) +- usb_enable_usb2_hardware_lpm(udev); ++ usb_enable_usb2_hardware_lpm(udev); + + /* Try to enable USB3 LTM */ + usb_enable_ltm(udev); +@@ -5649,8 +5646,7 @@ static int usb_reset_and_verify_device(s + /* Disable USB2 hardware LPM. + * It will be re-enabled by the enumeration process. + */ +- if (udev->usb2_hw_lpm_enabled == 1) +- usb_disable_usb2_hardware_lpm(udev); ++ usb_disable_usb2_hardware_lpm(udev); + + /* Disable LPM while we reset the device and reinstall the alt settings. + * Device-initiated LPM, and system exit latency settings are cleared +--- a/drivers/usb/core/message.c ++++ b/drivers/usb/core/message.c +@@ -1243,8 +1243,7 @@ void usb_disable_device(struct usb_devic + dev->actconfig->interface[i] = NULL; + } + +- if (dev->usb2_hw_lpm_enabled == 1) +- usb_disable_usb2_hardware_lpm(dev); ++ usb_disable_usb2_hardware_lpm(dev); + usb_unlocked_disable_lpm(dev); + usb_disable_ltm(dev); + diff --git a/queue-5.0/vfio-type1-limit-dma-mappings-per-container.patch b/queue-5.0/vfio-type1-limit-dma-mappings-per-container.patch new file mode 100644 index 00000000000..75a37fef407 --- /dev/null +++ b/queue-5.0/vfio-type1-limit-dma-mappings-per-container.patch @@ -0,0 +1,94 @@ +From 492855939bdb59c6f947b0b5b44af9ad82b7e38c Mon Sep 17 00:00:00 2001 +From: Alex Williamson +Date: Wed, 3 Apr 2019 12:36:21 -0600 +Subject: vfio/type1: Limit DMA mappings per container + +From: Alex Williamson + +commit 492855939bdb59c6f947b0b5b44af9ad82b7e38c upstream. + +Memory backed DMA mappings are accounted against a user's locked +memory limit, including multiple mappings of the same memory. This +accounting bounds the number of such mappings that a user can create. +However, DMA mappings that are not backed by memory, such as DMA +mappings of device MMIO via mmaps, do not make use of page pinning +and therefore do not count against the user's locked memory limit. +These mappings still consume memory, but the memory is not well +associated to the process for the purpose of oom killing a task. + +To add bounding on this use case, we introduce a limit to the total +number of concurrent DMA mappings that a user is allowed to create. +This limit is exposed as a tunable module option where the default +value of 64K is expected to be well in excess of any reasonable use +case (a large virtual machine configuration would typically only make +use of tens of concurrent mappings). + +This fixes CVE-2019-3882. + +Reviewed-by: Eric Auger +Tested-by: Eric Auger +Reviewed-by: Peter Xu +Reviewed-by: Cornelia Huck +Signed-off-by: Alex Williamson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/vfio/vfio_iommu_type1.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/drivers/vfio/vfio_iommu_type1.c ++++ b/drivers/vfio/vfio_iommu_type1.c +@@ -58,12 +58,18 @@ module_param_named(disable_hugepages, + MODULE_PARM_DESC(disable_hugepages, + "Disable VFIO IOMMU support for IOMMU hugepages."); + ++static unsigned int dma_entry_limit __read_mostly = U16_MAX; ++module_param_named(dma_entry_limit, dma_entry_limit, uint, 0644); ++MODULE_PARM_DESC(dma_entry_limit, ++ "Maximum number of user DMA mappings per container (65535)."); ++ + struct vfio_iommu { + struct list_head domain_list; + struct vfio_domain *external_domain; /* domain for external user */ + struct mutex lock; + struct rb_root dma_list; + struct blocking_notifier_head notifier; ++ unsigned int dma_avail; + bool v2; + bool nesting; + }; +@@ -836,6 +842,7 @@ static void vfio_remove_dma(struct vfio_ + vfio_unlink_dma(iommu, dma); + put_task_struct(dma->task); + kfree(dma); ++ iommu->dma_avail++; + } + + static unsigned long vfio_pgsize_bitmap(struct vfio_iommu *iommu) +@@ -1081,12 +1088,18 @@ static int vfio_dma_do_map(struct vfio_i + goto out_unlock; + } + ++ if (!iommu->dma_avail) { ++ ret = -ENOSPC; ++ goto out_unlock; ++ } ++ + dma = kzalloc(sizeof(*dma), GFP_KERNEL); + if (!dma) { + ret = -ENOMEM; + goto out_unlock; + } + ++ iommu->dma_avail--; + dma->iova = iova; + dma->vaddr = vaddr; + dma->prot = prot; +@@ -1583,6 +1596,7 @@ static void *vfio_iommu_type1_open(unsig + + INIT_LIST_HEAD(&iommu->domain_list); + iommu->dma_list = RB_ROOT; ++ iommu->dma_avail = dma_entry_limit; + mutex_init(&iommu->lock); + BLOCKING_INIT_NOTIFIER_HEAD(&iommu->notifier); + -- 2.39.5