From cff421a5605a2eb5472f3a93deac865b85f52f6b Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 7 Sep 2018 10:59:16 +0200 Subject: [PATCH] 4.18-stable patches added patches: blkcg-introduce-blkg_root_lookup.patch block-blk_init_allocated_queue-set-q-fq-as-null-in-the-fail-case.patch block-ensure-that-a-request-queue-is-dissociated-from-the-cgroup-controller.patch block-fix-infinite-loop-if-the-device-loses-discard-capability.patch block-introduce-blk_exit_queue.patch block-really-disable-runtime-pm-for-blk-mq.patch mmc-block-fix-unsupported-parallel-dispatch-of-requests.patch mmc-renesas_sdhi_internal_dmac-fix-define-rst_reserved_bits.patch mmc-renesas_sdhi_internal_dmac-mask-dmac-interrupts.patch readahead-stricter-check-for-bdi-io_pages.patch spi-cadence-change-usleep_range-to-udelay-for-atomic-context.patch spi-davinci-fix-a-null-pointer-dereference.patch spi-pxa2xx-add-support-for-intel-ice-lake.patch spi-spi-fsl-dspi-fix-imprecise-abort-on-vf500-during-probe.patch --- .../blkcg-introduce-blkg_root_lookup.patch | 63 +++++++++++ ...ue-set-q-fq-as-null-in-the-fail-case.patch | 45 ++++++++ ...ssociated-from-the-cgroup-controller.patch | 72 ++++++++++++ ...-the-device-loses-discard-capability.patch | 53 +++++++++ .../block-introduce-blk_exit_queue.patch | 107 ++++++++++++++++++ ...really-disable-runtime-pm-for-blk-mq.patch | 48 ++++++++ ...ported-parallel-dispatch-of-requests.patch | 83 ++++++++++++++ ...al_dmac-fix-define-rst_reserved_bits.patch | 34 ++++++ ...i_internal_dmac-mask-dmac-interrupts.patch | 54 +++++++++ ...head-stricter-check-for-bdi-io_pages.patch | 60 ++++++++++ queue-4.18/series | 14 +++ ...p_range-to-udelay-for-atomic-context.patch | 64 +++++++++++ ...vinci-fix-a-null-pointer-dereference.patch | 32 ++++++ ...xa2xx-add-support-for-intel-ice-lake.patch | 36 ++++++ ...mprecise-abort-on-vf500-during-probe.patch | 90 +++++++++++++++ 15 files changed, 855 insertions(+) create mode 100644 queue-4.18/blkcg-introduce-blkg_root_lookup.patch create mode 100644 queue-4.18/block-blk_init_allocated_queue-set-q-fq-as-null-in-the-fail-case.patch create mode 100644 queue-4.18/block-ensure-that-a-request-queue-is-dissociated-from-the-cgroup-controller.patch create mode 100644 queue-4.18/block-fix-infinite-loop-if-the-device-loses-discard-capability.patch create mode 100644 queue-4.18/block-introduce-blk_exit_queue.patch create mode 100644 queue-4.18/block-really-disable-runtime-pm-for-blk-mq.patch create mode 100644 queue-4.18/mmc-block-fix-unsupported-parallel-dispatch-of-requests.patch create mode 100644 queue-4.18/mmc-renesas_sdhi_internal_dmac-fix-define-rst_reserved_bits.patch create mode 100644 queue-4.18/mmc-renesas_sdhi_internal_dmac-mask-dmac-interrupts.patch create mode 100644 queue-4.18/readahead-stricter-check-for-bdi-io_pages.patch create mode 100644 queue-4.18/spi-cadence-change-usleep_range-to-udelay-for-atomic-context.patch create mode 100644 queue-4.18/spi-davinci-fix-a-null-pointer-dereference.patch create mode 100644 queue-4.18/spi-pxa2xx-add-support-for-intel-ice-lake.patch create mode 100644 queue-4.18/spi-spi-fsl-dspi-fix-imprecise-abort-on-vf500-during-probe.patch diff --git a/queue-4.18/blkcg-introduce-blkg_root_lookup.patch b/queue-4.18/blkcg-introduce-blkg_root_lookup.patch new file mode 100644 index 00000000000..2cb0000b0f2 --- /dev/null +++ b/queue-4.18/blkcg-introduce-blkg_root_lookup.patch @@ -0,0 +1,63 @@ +From 6bad9b210a228d2fe0e0efe26d9b115348529cee Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Thu, 9 Aug 2018 07:53:36 -0700 +Subject: blkcg: Introduce blkg_root_lookup() + +From: Bart Van Assche + +commit 6bad9b210a228d2fe0e0efe26d9b115348529cee upstream. + +This new function will be used in a later patch to verify whether a +queue has been dissociated from the cgroup controller before being +released. + +Signed-off-by: Bart Van Assche +Cc: Tejun Heo +Cc: Christoph Hellwig +Cc: Ming Lei +Cc: Omar Sandoval +Cc: Johannes Thumshirn +Cc: Alexandru Moise <00moses.alexander00@gmail.com> +Cc: Joseph Qi +Cc: +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/blk-cgroup.h | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +--- a/include/linux/blk-cgroup.h ++++ b/include/linux/blk-cgroup.h +@@ -296,6 +296,23 @@ static inline struct blkcg_gq *blkg_look + } + + /** ++ * blkg_lookup - look up blkg for the specified request queue ++ * @q: request_queue of interest ++ * ++ * Lookup blkg for @q at the root level. See also blkg_lookup(). ++ */ ++static inline struct blkcg_gq *blkg_root_lookup(struct request_queue *q) ++{ ++ struct blkcg_gq *blkg; ++ ++ rcu_read_lock(); ++ blkg = blkg_lookup(&blkcg_root, q); ++ rcu_read_unlock(); ++ ++ return blkg; ++} ++ ++/** + * blkg_to_pdata - get policy private data + * @blkg: blkg of interest + * @pol: policy of interest +@@ -737,6 +754,7 @@ struct blkcg_policy { + #ifdef CONFIG_BLOCK + + static inline struct blkcg_gq *blkg_lookup(struct blkcg *blkcg, void *key) { return NULL; } ++static inline struct blkcg_gq *blkg_root_lookup(struct request_queue *q) { return NULL; } + static inline int blkcg_init_queue(struct request_queue *q) { return 0; } + static inline void blkcg_drain_queue(struct request_queue *q) { } + static inline void blkcg_exit_queue(struct request_queue *q) { } diff --git a/queue-4.18/block-blk_init_allocated_queue-set-q-fq-as-null-in-the-fail-case.patch b/queue-4.18/block-blk_init_allocated_queue-set-q-fq-as-null-in-the-fail-case.patch new file mode 100644 index 00000000000..e506738e1b8 --- /dev/null +++ b/queue-4.18/block-blk_init_allocated_queue-set-q-fq-as-null-in-the-fail-case.patch @@ -0,0 +1,45 @@ +From 54648cf1ec2d7f4b6a71767799c45676a138ca24 Mon Sep 17 00:00:00 2001 +From: xiao jin +Date: Mon, 30 Jul 2018 14:11:12 +0800 +Subject: block: blk_init_allocated_queue() set q->fq as NULL in the fail case + +From: xiao jin + +commit 54648cf1ec2d7f4b6a71767799c45676a138ca24 upstream. + +We find the memory use-after-free issue in __blk_drain_queue() +on the kernel 4.14. After read the latest kernel 4.18-rc6 we +think it has the same problem. + +Memory is allocated for q->fq in the blk_init_allocated_queue(). +If the elevator init function called with error return, it will +run into the fail case to free the q->fq. + +Then the __blk_drain_queue() uses the same memory after the free +of the q->fq, it will lead to the unpredictable event. + +The patch is to set q->fq as NULL in the fail case of +blk_init_allocated_queue(). + +Fixes: commit 7c94e1c157a2 ("block: introduce blk_flush_queue to drive flush machinery") +Cc: +Reviewed-by: Ming Lei +Reviewed-by: Bart Van Assche +Signed-off-by: xiao jin +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + block/blk-core.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/block/blk-core.c ++++ b/block/blk-core.c +@@ -1180,6 +1180,7 @@ out_exit_flush_rq: + q->exit_rq_fn(q, q->fq->flush_rq); + out_free_flush_queue: + blk_free_flush_queue(q->fq); ++ q->fq = NULL; + return -ENOMEM; + } + EXPORT_SYMBOL(blk_init_allocated_queue); diff --git a/queue-4.18/block-ensure-that-a-request-queue-is-dissociated-from-the-cgroup-controller.patch b/queue-4.18/block-ensure-that-a-request-queue-is-dissociated-from-the-cgroup-controller.patch new file mode 100644 index 00000000000..122fd45f959 --- /dev/null +++ b/queue-4.18/block-ensure-that-a-request-queue-is-dissociated-from-the-cgroup-controller.patch @@ -0,0 +1,72 @@ +From 24ecc3585348b616993a3c4d6dc2c6b8007e358c Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Thu, 9 Aug 2018 07:53:38 -0700 +Subject: block: Ensure that a request queue is dissociated from the cgroup controller + +From: Bart Van Assche + +commit 24ecc3585348b616993a3c4d6dc2c6b8007e358c upstream. + +Several block drivers call alloc_disk() followed by put_disk() if +something fails before device_add_disk() is called without calling +blk_cleanup_queue(). Make sure that also for this scenario a request +queue is dissociated from the cgroup controller. This patch avoids +that loading the parport_pc, paride and pf drivers triggers the +following kernel crash: + +BUG: KASAN: null-ptr-deref in pi_init+0x42e/0x580 [paride] +Read of size 4 at addr 0000000000000008 by task modprobe/744 +Call Trace: +dump_stack+0x9a/0xeb +kasan_report+0x139/0x350 +pi_init+0x42e/0x580 [paride] +pf_init+0x2bb/0x1000 [pf] +do_one_initcall+0x8e/0x405 +do_init_module+0xd9/0x2f2 +load_module+0x3ab4/0x4700 +SYSC_finit_module+0x176/0x1a0 +do_syscall_64+0xee/0x2b0 +entry_SYSCALL_64_after_hwframe+0x42/0xb7 + +Reported-by: Alexandru Moise <00moses.alexander00@gmail.com> +Fixes: a063057d7c73 ("block: Fix a race between request queue removal and the block cgroup controller") # v4.17 +Signed-off-by: Bart Van Assche +Tested-by: Alexandru Moise <00moses.alexander00@gmail.com> +Reviewed-by: Johannes Thumshirn +Cc: Tejun Heo +Cc: Christoph Hellwig +Cc: Ming Lei +Cc: Alexandru Moise <00moses.alexander00@gmail.com> +Cc: Joseph Qi +Cc: +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + block/blk-sysfs.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +--- a/block/blk-sysfs.c ++++ b/block/blk-sysfs.c +@@ -804,6 +804,21 @@ static void __blk_release_queue(struct w + blk_stat_remove_callback(q, q->poll_cb); + blk_stat_free_callback(q->poll_cb); + ++ if (!blk_queue_dead(q)) { ++ /* ++ * Last reference was dropped without having called ++ * blk_cleanup_queue(). ++ */ ++ WARN_ONCE(blk_queue_init_done(q), ++ "request queue %p has been registered but blk_cleanup_queue() has not been called for that queue\n", ++ q); ++ blk_exit_queue(q); ++ } ++ ++ WARN(blkg_root_lookup(q), ++ "request queue %p is being released but it has not yet been removed from the blkcg controller\n", ++ q); ++ + blk_free_queue_stats(q->stats); + + blk_exit_rl(q, &q->root_rl); diff --git a/queue-4.18/block-fix-infinite-loop-if-the-device-loses-discard-capability.patch b/queue-4.18/block-fix-infinite-loop-if-the-device-loses-discard-capability.patch new file mode 100644 index 00000000000..2f8e44e099b --- /dev/null +++ b/queue-4.18/block-fix-infinite-loop-if-the-device-loses-discard-capability.patch @@ -0,0 +1,53 @@ +From b88aef36b87c9787a4db724923ec4f57dfd513f3 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Tue, 3 Jul 2018 13:34:22 -0400 +Subject: block: fix infinite loop if the device loses discard capability + +From: Mikulas Patocka + +commit b88aef36b87c9787a4db724923ec4f57dfd513f3 upstream. + +If __blkdev_issue_discard is in progress and a device mapper device is +reloaded with a table that doesn't support discard, +q->limits.max_discard_sectors is set to zero. This results in infinite +loop in __blkdev_issue_discard. + +This patch checks if max_discard_sectors is zero and aborts with +-EOPNOTSUPP. + +Signed-off-by: Mikulas Patocka +Tested-by: Zdenek Kabelac +Cc: stable@vger.kernel.org +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + block/blk-lib.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/block/blk-lib.c ++++ b/block/blk-lib.c +@@ -68,6 +68,8 @@ int __blkdev_issue_discard(struct block_ + */ + req_sects = min_t(sector_t, nr_sects, + q->limits.max_discard_sectors); ++ if (!req_sects) ++ goto fail; + if (req_sects > UINT_MAX >> 9) + req_sects = UINT_MAX >> 9; + +@@ -105,6 +107,14 @@ int __blkdev_issue_discard(struct block_ + + *biop = bio; + return 0; ++ ++fail: ++ if (bio) { ++ submit_bio_wait(bio); ++ bio_put(bio); ++ } ++ *biop = NULL; ++ return -EOPNOTSUPP; + } + EXPORT_SYMBOL(__blkdev_issue_discard); + diff --git a/queue-4.18/block-introduce-blk_exit_queue.patch b/queue-4.18/block-introduce-blk_exit_queue.patch new file mode 100644 index 00000000000..22e35d185e8 --- /dev/null +++ b/queue-4.18/block-introduce-blk_exit_queue.patch @@ -0,0 +1,107 @@ +From 4cf6324b17e96b7b7ab4021c6929500934d46750 Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Thu, 9 Aug 2018 07:53:37 -0700 +Subject: block: Introduce blk_exit_queue() + +From: Bart Van Assche + +commit 4cf6324b17e96b7b7ab4021c6929500934d46750 upstream. + +This patch does not change any functionality. + +Signed-off-by: Bart Van Assche +Reviewed-by: Johannes Thumshirn +Cc: Christoph Hellwig +Cc: Ming Lei +Cc: Omar Sandoval +Cc: Alexandru Moise <00moses.alexander00@gmail.com> +Cc: Joseph Qi +Cc: +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + block/blk-core.c | 54 ++++++++++++++++++++++++++++++------------------------ + block/blk.h | 1 + + 2 files changed, 31 insertions(+), 24 deletions(-) + +--- a/block/blk-core.c ++++ b/block/blk-core.c +@@ -715,6 +715,35 @@ void blk_set_queue_dying(struct request_ + } + EXPORT_SYMBOL_GPL(blk_set_queue_dying); + ++/* Unconfigure the I/O scheduler and dissociate from the cgroup controller. */ ++void blk_exit_queue(struct request_queue *q) ++{ ++ /* ++ * Since the I/O scheduler exit code may access cgroup information, ++ * perform I/O scheduler exit before disassociating from the block ++ * cgroup controller. ++ */ ++ if (q->elevator) { ++ ioc_clear_queue(q); ++ elevator_exit(q, q->elevator); ++ q->elevator = NULL; ++ } ++ ++ /* ++ * Remove all references to @q from the block cgroup controller before ++ * restoring @q->queue_lock to avoid that restoring this pointer causes ++ * e.g. blkcg_print_blkgs() to crash. ++ */ ++ blkcg_exit_queue(q); ++ ++ /* ++ * Since the cgroup code may dereference the @q->backing_dev_info ++ * pointer, only decrease its reference count after having removed the ++ * association with the block cgroup controller. ++ */ ++ bdi_put(q->backing_dev_info); ++} ++ + /** + * blk_cleanup_queue - shutdown a request queue + * @q: request queue to shutdown +@@ -780,30 +809,7 @@ void blk_cleanup_queue(struct request_qu + */ + WARN_ON_ONCE(q->kobj.state_in_sysfs); + +- /* +- * Since the I/O scheduler exit code may access cgroup information, +- * perform I/O scheduler exit before disassociating from the block +- * cgroup controller. +- */ +- if (q->elevator) { +- ioc_clear_queue(q); +- elevator_exit(q, q->elevator); +- q->elevator = NULL; +- } +- +- /* +- * Remove all references to @q from the block cgroup controller before +- * restoring @q->queue_lock to avoid that restoring this pointer causes +- * e.g. blkcg_print_blkgs() to crash. +- */ +- blkcg_exit_queue(q); +- +- /* +- * Since the cgroup code may dereference the @q->backing_dev_info +- * pointer, only decrease its reference count after having removed the +- * association with the block cgroup controller. +- */ +- bdi_put(q->backing_dev_info); ++ blk_exit_queue(q); + + if (q->mq_ops) + blk_mq_free_queue(q); +--- a/block/blk.h ++++ b/block/blk.h +@@ -130,6 +130,7 @@ void blk_free_flush_queue(struct blk_flu + int blk_init_rl(struct request_list *rl, struct request_queue *q, + gfp_t gfp_mask); + void blk_exit_rl(struct request_queue *q, struct request_list *rl); ++void blk_exit_queue(struct request_queue *q); + void blk_rq_bio_prep(struct request_queue *q, struct request *rq, + struct bio *bio); + void blk_queue_bypass_start(struct request_queue *q); diff --git a/queue-4.18/block-really-disable-runtime-pm-for-blk-mq.patch b/queue-4.18/block-really-disable-runtime-pm-for-blk-mq.patch new file mode 100644 index 00000000000..c337c9de246 --- /dev/null +++ b/queue-4.18/block-really-disable-runtime-pm-for-blk-mq.patch @@ -0,0 +1,48 @@ +From b233f127042dba991229e3882c6217c80492f6ef Mon Sep 17 00:00:00 2001 +From: Ming Lei +Date: Mon, 30 Jul 2018 20:02:19 +0800 +Subject: block: really disable runtime-pm for blk-mq + +From: Ming Lei + +commit b233f127042dba991229e3882c6217c80492f6ef upstream. + +Runtime PM isn't ready for blk-mq yet, and commit 765e40b675a9 ("block: +disable runtime-pm for blk-mq") tried to disable it. Unfortunately, +it can't take effect in that way since user space still can switch +it on via 'echo auto > /sys/block/sdN/device/power/control'. + +This patch disables runtime-pm for blk-mq really by pm_runtime_disable() +and fixes all kinds of PM related kernel crash. + +Cc: Tomas Janousek +Cc: Przemek Socha +Cc: Alan Stern +Cc: +Reviewed-by: Bart Van Assche +Reviewed-by: Christoph Hellwig +Tested-by: Patrick Steinhardt +Signed-off-by: Ming Lei +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + block/blk-core.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/block/blk-core.c ++++ b/block/blk-core.c +@@ -3764,9 +3764,11 @@ EXPORT_SYMBOL(blk_finish_plug); + */ + void blk_pm_runtime_init(struct request_queue *q, struct device *dev) + { +- /* not support for RQF_PM and ->rpm_status in blk-mq yet */ +- if (q->mq_ops) ++ /* Don't enable runtime PM for blk-mq until it is ready */ ++ if (q->mq_ops) { ++ pm_runtime_disable(dev); + return; ++ } + + q->dev = dev; + q->rpm_status = RPM_ACTIVE; diff --git a/queue-4.18/mmc-block-fix-unsupported-parallel-dispatch-of-requests.patch b/queue-4.18/mmc-block-fix-unsupported-parallel-dispatch-of-requests.patch new file mode 100644 index 00000000000..d39168b1aea --- /dev/null +++ b/queue-4.18/mmc-block-fix-unsupported-parallel-dispatch-of-requests.patch @@ -0,0 +1,83 @@ +From 26caddf274cf1e89fd4ce44ab2b8dbc7a7f97681 Mon Sep 17 00:00:00 2001 +From: Adrian Hunter +Date: Tue, 21 Aug 2018 15:05:55 +0300 +Subject: mmc: block: Fix unsupported parallel dispatch of requests + +From: Adrian Hunter + +commit 26caddf274cf1e89fd4ce44ab2b8dbc7a7f97681 upstream. + +The mmc block driver does not support parallel dispatch of requests. In +normal circumstances, all requests are anyway funneled through a single +work item, so parallel dispatch never happens. However it can happen if +there is no elevator. + +Fix that by detecting if a dispatch is in progress and returning busy +(BLK_STS_RESOURCE) in that case + +Fixes: 81196976ed94 ("mmc: block: Add blk-mq support") +Cc: stable@vger.kernel.org # v4.16+ +Signed-off-by: Adrian Hunter +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/core/queue.c | 12 +++++++----- + drivers/mmc/core/queue.h | 1 + + 2 files changed, 8 insertions(+), 5 deletions(-) + +--- a/drivers/mmc/core/queue.c ++++ b/drivers/mmc/core/queue.c +@@ -238,10 +238,6 @@ static void mmc_mq_exit_request(struct b + mmc_exit_request(mq->queue, req); + } + +-/* +- * We use BLK_MQ_F_BLOCKING and have only 1 hardware queue, which means requests +- * will not be dispatched in parallel. +- */ + static blk_status_t mmc_mq_queue_rq(struct blk_mq_hw_ctx *hctx, + const struct blk_mq_queue_data *bd) + { +@@ -264,7 +260,7 @@ static blk_status_t mmc_mq_queue_rq(stru + + spin_lock_irq(q->queue_lock); + +- if (mq->recovery_needed) { ++ if (mq->recovery_needed || mq->busy) { + spin_unlock_irq(q->queue_lock); + return BLK_STS_RESOURCE; + } +@@ -291,6 +287,9 @@ static blk_status_t mmc_mq_queue_rq(stru + break; + } + ++ /* Parallel dispatch of requests is not supported at the moment */ ++ mq->busy = true; ++ + mq->in_flight[issue_type] += 1; + get_card = (mmc_tot_in_flight(mq) == 1); + cqe_retune_ok = (mmc_cqe_qcnt(mq) == 1); +@@ -333,9 +332,12 @@ static blk_status_t mmc_mq_queue_rq(stru + mq->in_flight[issue_type] -= 1; + if (mmc_tot_in_flight(mq) == 0) + put_card = true; ++ mq->busy = false; + spin_unlock_irq(q->queue_lock); + if (put_card) + mmc_put_card(card, &mq->ctx); ++ } else { ++ WRITE_ONCE(mq->busy, false); + } + + return ret; +--- a/drivers/mmc/core/queue.h ++++ b/drivers/mmc/core/queue.h +@@ -81,6 +81,7 @@ struct mmc_queue { + unsigned int cqe_busy; + #define MMC_CQE_DCMD_BUSY BIT(0) + #define MMC_CQE_QUEUE_FULL BIT(1) ++ bool busy; + bool use_cqe; + bool recovery_needed; + bool in_recovery; diff --git a/queue-4.18/mmc-renesas_sdhi_internal_dmac-fix-define-rst_reserved_bits.patch b/queue-4.18/mmc-renesas_sdhi_internal_dmac-fix-define-rst_reserved_bits.patch new file mode 100644 index 00000000000..2bace298baf --- /dev/null +++ b/queue-4.18/mmc-renesas_sdhi_internal_dmac-fix-define-rst_reserved_bits.patch @@ -0,0 +1,34 @@ +From 9faf870e559a710c44e747ba20383ea82d8ac5d2 Mon Sep 17 00:00:00 2001 +From: Sergei Shtylyov +Date: Wed, 22 Aug 2018 21:28:01 +0300 +Subject: mmc: renesas_sdhi_internal_dmac: fix #define RST_RESERVED_BITS + +From: Sergei Shtylyov + +commit 9faf870e559a710c44e747ba20383ea82d8ac5d2 upstream. + +The DM_CM_RST register actually has bits 0-31 defaulting to 1s and bits +32-63 defaulting to 0s -- fix off-by-one in #define RST_RESERVED_BITS. + +Signed-off-by: Sergei Shtylyov +Reviewed-by: Wolfram Sang +Fixes: 2a68ea7896e3 ("mmc: renesas-sdhi: add support for R-Car Gen3 SDHI DMAC") +Cc: stable@vger.kernel.org # v4.14+ +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/renesas_sdhi_internal_dmac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mmc/host/renesas_sdhi_internal_dmac.c ++++ b/drivers/mmc/host/renesas_sdhi_internal_dmac.c +@@ -45,7 +45,7 @@ + /* DM_CM_RST */ + #define RST_DTRANRST1 BIT(9) + #define RST_DTRANRST0 BIT(8) +-#define RST_RESERVED_BITS GENMASK_ULL(32, 0) ++#define RST_RESERVED_BITS GENMASK_ULL(31, 0) + + /* DM_CM_INFO1 and DM_CM_INFO1_MASK */ + #define INFO1_CLEAR 0 diff --git a/queue-4.18/mmc-renesas_sdhi_internal_dmac-mask-dmac-interrupts.patch b/queue-4.18/mmc-renesas_sdhi_internal_dmac-mask-dmac-interrupts.patch new file mode 100644 index 00000000000..48fb3ceacd7 --- /dev/null +++ b/queue-4.18/mmc-renesas_sdhi_internal_dmac-mask-dmac-interrupts.patch @@ -0,0 +1,54 @@ +From d2332f887ddfba50fee93b8e1736376517c2df0c Mon Sep 17 00:00:00 2001 +From: Sergei Shtylyov +Date: Wed, 22 Aug 2018 21:22:26 +0300 +Subject: mmc: renesas_sdhi_internal_dmac: mask DMAC interrupts + +From: Sergei Shtylyov + +commit d2332f887ddfba50fee93b8e1736376517c2df0c upstream. + +I have encountered an interrupt storm during the eMMC chip probing (and +the chip finally didn't get detected). It turned out that U-Boot left +the SDHI DMA interrupts enabled while the Linux driver didn't use those. +Masking those interrupts in renesas_sdhi_internal_dmac_request_dma() gets +rid of both issues... + +Signed-off-by: Sergei Shtylyov +Reviewed-by: Wolfram Sang +Fixes: 2a68ea7896e3 ("mmc: renesas-sdhi: add support for R-Car Gen3 SDHI DMAC") +Cc: stable@vger.kernel.org # v4.14+ +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/renesas_sdhi_internal_dmac.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/mmc/host/renesas_sdhi_internal_dmac.c ++++ b/drivers/mmc/host/renesas_sdhi_internal_dmac.c +@@ -49,10 +49,12 @@ + + /* DM_CM_INFO1 and DM_CM_INFO1_MASK */ + #define INFO1_CLEAR 0 ++#define INFO1_MASK_CLEAR GENMASK_ULL(31, 0) + #define INFO1_DTRANEND1 BIT(17) + #define INFO1_DTRANEND0 BIT(16) + + /* DM_CM_INFO2 and DM_CM_INFO2_MASK */ ++#define INFO2_MASK_CLEAR GENMASK_ULL(31, 0) + #define INFO2_DTRANERR1 BIT(17) + #define INFO2_DTRANERR0 BIT(16) + +@@ -236,6 +238,12 @@ renesas_sdhi_internal_dmac_request_dma(s + { + struct renesas_sdhi *priv = host_to_priv(host); + ++ /* Disable DMAC interrupts, we don't use them */ ++ renesas_sdhi_internal_dmac_dm_write(host, DM_CM_INFO1_MASK, ++ INFO1_MASK_CLEAR); ++ renesas_sdhi_internal_dmac_dm_write(host, DM_CM_INFO2_MASK, ++ INFO2_MASK_CLEAR); ++ + /* Each value is set to non-zero to assume "enabling" each DMA */ + host->chan_rx = host->chan_tx = (void *)0xdeadbeaf; + diff --git a/queue-4.18/readahead-stricter-check-for-bdi-io_pages.patch b/queue-4.18/readahead-stricter-check-for-bdi-io_pages.patch new file mode 100644 index 00000000000..d61610cd289 --- /dev/null +++ b/queue-4.18/readahead-stricter-check-for-bdi-io_pages.patch @@ -0,0 +1,60 @@ +From dc30b96ab6d569060741572cf30517d3179429a8 Mon Sep 17 00:00:00 2001 +From: Markus Stockhausen +Date: Fri, 27 Jul 2018 09:09:53 -0600 +Subject: readahead: stricter check for bdi io_pages + +From: Markus Stockhausen + +commit dc30b96ab6d569060741572cf30517d3179429a8 upstream. + +ondemand_readahead() checks bdi->io_pages to cap the maximum pages +that need to be processed. This works until the readit section. If +we would do an async only readahead (async size = sync size) and +target is at beginning of window we expand the pages by another +get_next_ra_size() pages. Btrace for large reads shows that kernel +always issues a doubled size read at the beginning of processing. +Add an additional check for io_pages in the lower part of the func. +The fix helps devices that hard limit bio pages and rely on proper +handling of max_hw_read_sectors (e.g. older FusionIO cards). For +that reason it could qualify for stable. + +Fixes: 9491ae4a ("mm: don't cap request size based on read-ahead setting") +Cc: stable@vger.kernel.org +Signed-off-by: Markus Stockhausen stockhausen@collogia.de +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + mm/readahead.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/mm/readahead.c ++++ b/mm/readahead.c +@@ -385,6 +385,7 @@ ondemand_readahead(struct address_space + { + struct backing_dev_info *bdi = inode_to_bdi(mapping->host); + unsigned long max_pages = ra->ra_pages; ++ unsigned long add_pages; + pgoff_t prev_offset; + + /* +@@ -474,10 +475,17 @@ readit: + * Will this read hit the readahead marker made by itself? + * If so, trigger the readahead marker hit now, and merge + * the resulted next readahead window into the current one. ++ * Take care of maximum IO pages as above. + */ + if (offset == ra->start && ra->size == ra->async_size) { +- ra->async_size = get_next_ra_size(ra, max_pages); +- ra->size += ra->async_size; ++ add_pages = get_next_ra_size(ra, max_pages); ++ if (ra->size + add_pages <= max_pages) { ++ ra->async_size = add_pages; ++ ra->size += add_pages; ++ } else { ++ ra->size = max_pages; ++ ra->async_size = max_pages >> 1; ++ } + } + + return ra_submit(ra, mapping, filp); diff --git a/queue-4.18/series b/queue-4.18/series index d9a1ec99f21..fd76a1d235d 100644 --- a/queue-4.18/series +++ b/queue-4.18/series @@ -2,3 +2,17 @@ rcu-make-expedited-gps-handle-cpu-0-being-offline.patch net-6lowpan-fix-reserved-space-for-single-frames.patch net-mac802154-tx-expand-tailroom-if-necessary.patch 9p-net-fix-zero-copy-path-in-the-9p-virtio-transport.patch +spi-davinci-fix-a-null-pointer-dereference.patch +spi-pxa2xx-add-support-for-intel-ice-lake.patch +spi-spi-fsl-dspi-fix-imprecise-abort-on-vf500-during-probe.patch +spi-cadence-change-usleep_range-to-udelay-for-atomic-context.patch +mmc-block-fix-unsupported-parallel-dispatch-of-requests.patch +mmc-renesas_sdhi_internal_dmac-mask-dmac-interrupts.patch +mmc-renesas_sdhi_internal_dmac-fix-define-rst_reserved_bits.patch +readahead-stricter-check-for-bdi-io_pages.patch +block-fix-infinite-loop-if-the-device-loses-discard-capability.patch +block-blk_init_allocated_queue-set-q-fq-as-null-in-the-fail-case.patch +block-really-disable-runtime-pm-for-blk-mq.patch +blkcg-introduce-blkg_root_lookup.patch +block-introduce-blk_exit_queue.patch +block-ensure-that-a-request-queue-is-dissociated-from-the-cgroup-controller.patch diff --git a/queue-4.18/spi-cadence-change-usleep_range-to-udelay-for-atomic-context.patch b/queue-4.18/spi-cadence-change-usleep_range-to-udelay-for-atomic-context.patch new file mode 100644 index 00000000000..5c01c3a1789 --- /dev/null +++ b/queue-4.18/spi-cadence-change-usleep_range-to-udelay-for-atomic-context.patch @@ -0,0 +1,64 @@ +From 931c4e9a72ae91d59c5332ffb6812911a749da8e Mon Sep 17 00:00:00 2001 +From: Janek Kotas +Date: Mon, 4 Jun 2018 11:24:44 +0000 +Subject: spi: cadence: Change usleep_range() to udelay(), for atomic context + +From: Janek Kotas + +commit 931c4e9a72ae91d59c5332ffb6812911a749da8e upstream. + +The path "spi: cadence: Add usleep_range() for +cdns_spi_fill_tx_fifo()" added a usleep_range() function call, +which cannot be used in atomic context. +However the cdns_spi_fill_tx_fifo() function can be called during +an interrupt which may result in a kernel panic: + +BUG: scheduling while atomic: grep/561/0x00010002 +Modules linked in: +Preemption disabled at: +[] wait_for_common+0x48/0x178 +CPU: 0 PID: 561 Comm: grep Not tainted 4.17.0 #1 +Hardware name: Cadence CSP (DT) +Call trace: + dump_backtrace+0x0/0x198 + show_stack+0x14/0x20 + dump_stack+0x8c/0xac + __schedule_bug+0x6c/0xb8 + __schedule+0x570/0x5d8 + schedule+0x34/0x98 + schedule_hrtimeout_range_clock+0x98/0x110 + schedule_hrtimeout_range+0x10/0x18 + usleep_range+0x64/0x98 + cdns_spi_fill_tx_fifo+0x70/0xb0 + cdns_spi_irq+0xd0/0xe0 + __handle_irq_event_percpu+0x9c/0x128 + handle_irq_event_percpu+0x34/0x88 + handle_irq_event+0x48/0x78 + handle_fasteoi_irq+0xbc/0x1b0 + generic_handle_irq+0x24/0x38 + __handle_domain_irq+0x84/0xf8 + gic_handle_irq+0xc4/0x180 + +This patch replaces the function call with udelay() which can be +used in an atomic context, like an interrupt. + +Signed-off-by: Jan Kotas +Signed-off-by: Mark Brown +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spi-cadence.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/spi/spi-cadence.c ++++ b/drivers/spi/spi-cadence.c +@@ -319,7 +319,7 @@ static void cdns_spi_fill_tx_fifo(struct + */ + if (cdns_spi_read(xspi, CDNS_SPI_ISR) & + CDNS_SPI_IXR_TXFULL) +- usleep_range(10, 20); ++ udelay(10); + + if (xspi->txbuf) + cdns_spi_write(xspi, CDNS_SPI_TXD, *xspi->txbuf++); diff --git a/queue-4.18/spi-davinci-fix-a-null-pointer-dereference.patch b/queue-4.18/spi-davinci-fix-a-null-pointer-dereference.patch new file mode 100644 index 00000000000..49a25c38812 --- /dev/null +++ b/queue-4.18/spi-davinci-fix-a-null-pointer-dereference.patch @@ -0,0 +1,32 @@ +From 563a53f3906a6b43692498e5b3ae891fac93a4af Mon Sep 17 00:00:00 2001 +From: Bartosz Golaszewski +Date: Fri, 10 Aug 2018 11:13:52 +0200 +Subject: spi: davinci: fix a NULL pointer dereference + +From: Bartosz Golaszewski + +commit 563a53f3906a6b43692498e5b3ae891fac93a4af upstream. + +On non-OF systems spi->controlled_data may be NULL. This causes a NULL +pointer derefence on dm365-evm. + +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Mark Brown +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spi-davinci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/spi/spi-davinci.c ++++ b/drivers/spi/spi-davinci.c +@@ -217,7 +217,7 @@ static void davinci_spi_chipselect(struc + pdata = &dspi->pdata; + + /* program delay transfers if tx_delay is non zero */ +- if (spicfg->wdelay) ++ if (spicfg && spicfg->wdelay) + spidat1 |= SPIDAT1_WDEL; + + /* diff --git a/queue-4.18/spi-pxa2xx-add-support-for-intel-ice-lake.patch b/queue-4.18/spi-pxa2xx-add-support-for-intel-ice-lake.patch new file mode 100644 index 00000000000..b1ab42addb7 --- /dev/null +++ b/queue-4.18/spi-pxa2xx-add-support-for-intel-ice-lake.patch @@ -0,0 +1,36 @@ +From 22d71a5097ec7059b6cbbee678a4f88484695941 Mon Sep 17 00:00:00 2001 +From: Mika Westerberg +Date: Thu, 28 Jun 2018 13:52:23 +0300 +Subject: spi: pxa2xx: Add support for Intel Ice Lake + +From: Mika Westerberg + +commit 22d71a5097ec7059b6cbbee678a4f88484695941 upstream. + +Intel Ice Lake SPI host controller follows the Intel Cannon Lake but the +PCI IDs are different. Add the new PCI IDs to the driver supported +devices list. + +Signed-off-by: Mika Westerberg +Signed-off-by: Jarkko Nikula +Signed-off-by: Mark Brown +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spi-pxa2xx.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/spi/spi-pxa2xx.c ++++ b/drivers/spi/spi-pxa2xx.c +@@ -1391,6 +1391,10 @@ static const struct pci_device_id pxa2xx + { PCI_VDEVICE(INTEL, 0x31c2), LPSS_BXT_SSP }, + { PCI_VDEVICE(INTEL, 0x31c4), LPSS_BXT_SSP }, + { PCI_VDEVICE(INTEL, 0x31c6), LPSS_BXT_SSP }, ++ /* ICL-LP */ ++ { PCI_VDEVICE(INTEL, 0x34aa), LPSS_CNL_SSP }, ++ { PCI_VDEVICE(INTEL, 0x34ab), LPSS_CNL_SSP }, ++ { PCI_VDEVICE(INTEL, 0x34fb), LPSS_CNL_SSP }, + /* APL */ + { PCI_VDEVICE(INTEL, 0x5ac2), LPSS_BXT_SSP }, + { PCI_VDEVICE(INTEL, 0x5ac4), LPSS_BXT_SSP }, diff --git a/queue-4.18/spi-spi-fsl-dspi-fix-imprecise-abort-on-vf500-during-probe.patch b/queue-4.18/spi-spi-fsl-dspi-fix-imprecise-abort-on-vf500-during-probe.patch new file mode 100644 index 00000000000..d493bda5ce0 --- /dev/null +++ b/queue-4.18/spi-spi-fsl-dspi-fix-imprecise-abort-on-vf500-during-probe.patch @@ -0,0 +1,90 @@ +From d8ffee2f551a627ffb7b216e2da322cb9a037f77 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Fri, 29 Jun 2018 13:33:09 +0200 +Subject: spi: spi-fsl-dspi: Fix imprecise abort on VF500 during probe + +From: Krzysztof Kozlowski + +commit d8ffee2f551a627ffb7b216e2da322cb9a037f77 upstream. + +Registers of DSPI should not be accessed before enabling its clock. On +Toradex Colibri VF50 on Iris carrier board this could be seen during +bootup as imprecise abort: + + Unhandled fault: imprecise external abort (0x1c06) at 0x00000000 + Internal error: : 1c06 [#1] ARM + Modules linked in: + CPU: 0 PID: 1 Comm: swapper Not tainted 4.14.39-dirty #97 + Hardware name: Freescale Vybrid VF5xx/VF6xx (Device Tree) + Backtrace: + [<804166a8>] (regmap_write) from [<80466b5c>] (dspi_probe+0x1f0/0x8dc) + [<8046696c>] (dspi_probe) from [<8040107c>] (platform_drv_probe+0x54/0xb8) + [<80401028>] (platform_drv_probe) from [<803ff53c>] (driver_probe_device+0x280/0x2f8) + [<803ff2bc>] (driver_probe_device) from [<803ff674>] (__driver_attach+0xc0/0xc4) + [<803ff5b4>] (__driver_attach) from [<803fd818>] (bus_for_each_dev+0x70/0xa4) + [<803fd7a8>] (bus_for_each_dev) from [<803fee74>] (driver_attach+0x24/0x28) + [<803fee50>] (driver_attach) from [<803fe980>] (bus_add_driver+0x1a0/0x218) + [<803fe7e0>] (bus_add_driver) from [<803fffe8>] (driver_register+0x80/0x100) + [<803fff68>] (driver_register) from [<80400fdc>] (__platform_driver_register+0x48/0x50) + [<80400f94>] (__platform_driver_register) from [<8091cf7c>] (fsl_dspi_driver_init+0x1c/0x20) + [<8091cf60>] (fsl_dspi_driver_init) from [<8010195c>] (do_one_initcall+0x4c/0x174) + [<80101910>] (do_one_initcall) from [<80900e8c>] (kernel_init_freeable+0x144/0x1d8) + [<80900d48>] (kernel_init_freeable) from [<805ff6a8>] (kernel_init+0x10/0x114) + [<805ff698>] (kernel_init) from [<80107be8>] (ret_from_fork+0x14/0x2c) + +Cc: +Fixes: 5ee67b587a2b ("spi: dspi: clear SPI_SR before enable interrupt") +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spi-fsl-dspi.c | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) + +--- a/drivers/spi/spi-fsl-dspi.c ++++ b/drivers/spi/spi-fsl-dspi.c +@@ -1029,31 +1029,31 @@ static int dspi_probe(struct platform_de + goto out_master_put; + } + ++ dspi->clk = devm_clk_get(&pdev->dev, "dspi"); ++ if (IS_ERR(dspi->clk)) { ++ ret = PTR_ERR(dspi->clk); ++ dev_err(&pdev->dev, "unable to get clock\n"); ++ goto out_master_put; ++ } ++ ret = clk_prepare_enable(dspi->clk); ++ if (ret) ++ goto out_master_put; ++ + dspi_init(dspi); + dspi->irq = platform_get_irq(pdev, 0); + if (dspi->irq < 0) { + dev_err(&pdev->dev, "can't get platform irq\n"); + ret = dspi->irq; +- goto out_master_put; ++ goto out_clk_put; + } + + ret = devm_request_irq(&pdev->dev, dspi->irq, dspi_interrupt, 0, + pdev->name, dspi); + if (ret < 0) { + dev_err(&pdev->dev, "Unable to attach DSPI interrupt\n"); +- goto out_master_put; ++ goto out_clk_put; + } + +- dspi->clk = devm_clk_get(&pdev->dev, "dspi"); +- if (IS_ERR(dspi->clk)) { +- ret = PTR_ERR(dspi->clk); +- dev_err(&pdev->dev, "unable to get clock\n"); +- goto out_master_put; +- } +- ret = clk_prepare_enable(dspi->clk); +- if (ret) +- goto out_master_put; +- + if (dspi->devtype_data->trans_mode == DSPI_DMA_MODE) { + ret = dspi_request_dma(dspi, res->start); + if (ret < 0) { -- 2.47.3