From d369aec6b3513419e84a492dc5317ed5c1c0de46 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Mon, 11 Mar 2019 15:14:11 -0400 Subject: [PATCH] autosel patches for 4.9 
Signed-off-by: Sasha Levin --- ...nneeded-to-free-devm_-allocated-data.patch | 43 + ...-dts-add-msm8996-compatible-to-gicv3.patch | 38 + ...ays-blacklist-the-kvm-world-switch-c.patch | 56 ++ ...ry-reference-only-when-it-is-never-u.patch | 46 + ...ix-error-return-in-autofs_fill_super.patch | 39 + ...ix-computation-for-max_smb2_hdr_size.patch | 35 + ...ac-fix-wrongfull-report-of-a-channel.patch | 100 +++ ...t-abort-test-in-case-of-mapping-erro.patch | 121 +++ ...repare-and-enable-tcon-channel-0-clo.patch | 50 ++ ...-avoid-softlockups-in-drop_pagecache.patch | 57 ++ ..._find_get_block_slow-failure-message.patch | 76 ++ .../gpio-vf610-mask-all-gpio-interrupts.patch | 52 ++ ...wc.byte_len-calculation-for-ud_send_.patch | 57 ++ ...ll-free_iova_fast-with-pfn-in-map_sg.patch | 38 + ...mmu-page-flush-when-detach-device-fr.patch | 81 ++ ...all-mapped-pages-in-error-path-of-ma.patch | 40 + ...integer-overflow-when-setsockopt-tim.patch | 91 ++ ...-touch-the-pj4-irq-fiq-bits-on-enabl.patch | 55 ++ ...n-introduce-and-use-loongson_llsc_mb.patch | 393 +++++++++ ...unction-size-check-in-get_frame_info.patch | 64 ++ ...g-is_mem_section_removable-do-not-pa.patch | 90 ++ ...g-test_pages_in_a_zone-do-not-pass-t.patch | 73 ++ ...ix-msgdma_tx_completion-on-non-zero-.patch | 40 + ...missing-of_node_put-after-of_parse_p.patch | 51 ++ ...g-read-accesses-via-clause-45-mdio-p.patch | 35 + ...-rk-fix-error-handling-in-rk_gmac_po.patch | 37 + ...-skip-nat-clash-resolution-for-same-.patch | 71 ++ ...null-pointer-dereference-of-dev_name.patch | 56 ++ ...ore-fix-perf_proc_update_handler-bug.patch | 84 ++ ...ilter-out-hidden-symbols-from-labels.patch | 94 ++ ...-handle-topology-headers-with-no-cpu.patch | 67 ++ ...-support-multiple-vfs_getname-probes.patch | 101 +++ ...-unmet-dependency-warning-for-samsun.patch | 43 + .../qed-fix-vf-probe-failure-while-flr.patch | 57 ++ ...eth-fix-use-after-free-in-error-path.patch | 70 ++ ...skb-when-receiving-invalid-flogi-res.patch | 56 ++ 
...ter-add-simple-masq-redirect-test-ca.patch | 801 ++++++++++++++++++ ...ter-fix-config-fragment-config_nf_ta.patch | 29 + queue-4.9/series | 50 ++ ...void-race-in-clearing-qman-interrupt.patch | 51 ++ queue-4.9/usb-phy-fix-link-errors.patch | 58 ++ ...-kernel-panic-after-device-hot-unplu.patch | 101 +++ ...et-connected-sockets-on-device-remov.patch | 35 + ...packet-processing-bug-in-ipcomp-virt.patch | 119 +++ ...setup-efi-info-if-efi-runtime-is-not.patch | 70 ++ ...-increase-stack-size-for-kasan_extra.patch | 82 ++ ...xtensa-smp-fix-ccount_timer_shutdown.patch | 55 ++ ...smp-fix-secondary-cpu-initialization.patch | 128 +++ ...t-number-of-possible-cpus-by-nr_cpus.patch | 49 ++ ...mp-mark-each-possible-cpu-as-present.patch | 32 + ...mp_lx200_defconfig-fix-vectors-clash.patch | 33 + 51 files changed, 4250 insertions(+) create mode 100644 queue-4.9/arm-pxa-ssp-unneeded-to-free-devm_-allocated-data.patch create mode 100644 queue-4.9/arm64-dts-add-msm8996-compatible-to-gicv3.patch create mode 100644 queue-4.9/arm64-kprobe-always-blacklist-the-kvm-world-switch-c.patch create mode 100644 queue-4.9/autofs-drop-dentry-reference-only-when-it-is-never-u.patch create mode 100644 queue-4.9/autofs-fix-error-return-in-autofs_fill_super.patch create mode 100644 queue-4.9/cifs-fix-computation-for-max_smb2_hdr_size.patch create mode 100644 queue-4.9/dmaengine-at_xdmac-fix-wrongfull-report-of-a-channel.patch create mode 100644 queue-4.9/dmaengine-dmatest-abort-test-in-case-of-mapping-erro.patch create mode 100644 queue-4.9/drm-sun4i-tcon-prepare-and-enable-tcon-channel-0-clo.patch create mode 100644 queue-4.9/fs-drop_caches.c-avoid-softlockups-in-drop_pagecache.patch create mode 100644 queue-4.9/fs-ratelimit-__find_get_block_slow-failure-message.patch create mode 100644 queue-4.9/gpio-vf610-mask-all-gpio-interrupts.patch create mode 100644 queue-4.9/ib-hfi1-qib-fix-wc.byte_len-calculation-for-ud_send_.patch create mode 100644 
queue-4.9/iommu-amd-call-free_iova_fast-with-pfn-in-map_sg.patch create mode 100644 queue-4.9/iommu-amd-fix-iommu-page-flush-when-detach-device-fr.patch create mode 100644 queue-4.9/iommu-amd-unmap-all-mapped-pages-in-error-path-of-ma.patch create mode 100644 queue-4.9/ipvs-fix-signed-integer-overflow-when-setsockopt-tim.patch create mode 100644 queue-4.9/irqchip-mmp-only-touch-the-pj4-irq-fiq-bits-on-enabl.patch create mode 100644 queue-4.9/mips-loongson-introduce-and-use-loongson_llsc_mb.patch create mode 100644 queue-4.9/mips-remove-function-size-check-in-get_frame_info.patch create mode 100644 queue-4.9/mm-memory_hotplug-is_mem_section_removable-do-not-pa.patch create mode 100644 queue-4.9/mm-memory_hotplug-test_pages_in_a_zone-do-not-pass-t.patch create mode 100644 queue-4.9/net-altera_tse-fix-msgdma_tx_completion-on-non-zero-.patch create mode 100644 queue-4.9/net-hns-fix-for-missing-of_node_put-after-of_parse_p.patch create mode 100644 queue-4.9/net-hns-fix-wrong-read-accesses-via-clause-45-mdio-p.patch create mode 100644 queue-4.9/net-stmmac-dwmac-rk-fix-error-handling-in-rk_gmac_po.patch create mode 100644 queue-4.9/netfilter-nf_nat-skip-nat-clash-resolution-for-same-.patch create mode 100644 queue-4.9/nfs-fix-null-pointer-dereference-of-dev_name.patch create mode 100644 queue-4.9/perf-core-fix-perf_proc_update_handler-bug.patch create mode 100644 queue-4.9/perf-symbols-filter-out-hidden-symbols-from-labels.patch create mode 100644 queue-4.9/perf-tools-handle-topology-headers-with-no-cpu.patch create mode 100644 queue-4.9/perf-trace-support-multiple-vfs_getname-probes.patch create mode 100644 queue-4.9/platform-x86-fix-unmet-dependency-warning-for-samsun.patch create mode 100644 queue-4.9/qed-fix-vf-probe-failure-while-flr.patch create mode 100644 queue-4.9/s390-qeth-fix-use-after-free-in-error-path.patch create mode 100644 queue-4.9/scsi-libfc-free-skb-when-receiving-invalid-flogi-res.patch create mode 100644 
queue-4.9/selftests-netfilter-add-simple-masq-redirect-test-ca.patch create mode 100644 queue-4.9/selftests-netfilter-fix-config-fragment-config_nf_ta.patch create mode 100644 queue-4.9/soc-fsl-qbman-avoid-race-in-clearing-qman-interrupt.patch create mode 100644 queue-4.9/usb-phy-fix-link-errors.patch create mode 100644 queue-4.9/vsock-virtio-fix-kernel-panic-after-device-hot-unplu.patch create mode 100644 queue-4.9/vsock-virtio-reset-connected-sockets-on-device-remov.patch create mode 100644 queue-4.9/vti4-fix-a-ipip-packet-processing-bug-in-ipcomp-virt.patch create mode 100644 queue-4.9/x86-kexec-don-t-setup-efi-info-if-efi-runtime-is-not.patch create mode 100644 queue-4.9/x86_64-increase-stack-size-for-kasan_extra.patch create mode 100644 queue-4.9/xtensa-smp-fix-ccount_timer_shutdown.patch create mode 100644 queue-4.9/xtensa-smp-fix-secondary-cpu-initialization.patch create mode 100644 queue-4.9/xtensa-smp-limit-number-of-possible-cpus-by-nr_cpus.patch create mode 100644 queue-4.9/xtensa-smp-mark-each-possible-cpu-as-present.patch create mode 100644 queue-4.9/xtensa-smp_lx200_defconfig-fix-vectors-clash.patch diff --git a/queue-4.9/arm-pxa-ssp-unneeded-to-free-devm_-allocated-data.patch b/queue-4.9/arm-pxa-ssp-unneeded-to-free-devm_-allocated-data.patch new file mode 100644 index 00000000000..26abd2e24ad --- /dev/null +++ b/queue-4.9/arm-pxa-ssp-unneeded-to-free-devm_-allocated-data.patch 
@@ -0,0 +1,43 @@ +From 2fb549e897565f0228866a1b7d8207c8c8ffe7f7 Mon Sep 17 00:00:00 2001 +From: Peng Hao +Date: Sat, 29 Dec 2018 13:10:06 +0800 +Subject: ARM: pxa: ssp: unneeded to free devm_ allocated data + +[ Upstream commit ba16adeb346387eb2d1ada69003588be96f098fa ] + +devm_ allocated data will be automatically freed. The free +of devm_ allocated data is invalid. + +Fixes: 1c459de1e645 ("ARM: pxa: ssp: use devm_ functions") +Signed-off-by: Peng Hao +[title's prefix changed] +Signed-off-by: Robert Jarzmik +Signed-off-by: Sasha Levin +--- + arch/arm/plat-pxa/ssp.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/arch/arm/plat-pxa/ssp.c b/arch/arm/plat-pxa/ssp.c +index ba13f793fbce..b92673efffff 100644 +--- a/arch/arm/plat-pxa/ssp.c ++++ b/arch/arm/plat-pxa/ssp.c +@@ -237,8 +237,6 @@ static int pxa_ssp_remove(struct platform_device *pdev) + if (ssp == NULL) + return -ENODEV; + +- iounmap(ssp->mmio_base); +- + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); + release_mem_region(res->start, resource_size(res)); + +@@ -248,7 +246,6 @@ static int pxa_ssp_remove(struct platform_device *pdev) + list_del(&ssp->node); + mutex_unlock(&ssp_lock); + +- kfree(ssp); + return 0; + } + +-- +2.19.1 + diff --git a/queue-4.9/arm64-dts-add-msm8996-compatible-to-gicv3.patch b/queue-4.9/arm64-dts-add-msm8996-compatible-to-gicv3.patch new file mode 100644 index 00000000000..71008a27eeb --- /dev/null +++ b/queue-4.9/arm64-dts-add-msm8996-compatible-to-gicv3.patch 
@@ -0,0 +1,38 @@ +From d6c0776cf102b91078194bb1a2789d5a3775b2db Mon Sep 17 00:00:00 2001 +From: Srinivas Kandagatla +Date: Mon, 10 Dec 2018 13:56:33 +0000 +Subject: arm64: dts: add msm8996 compatible to gicv3 + +[ Upstream commit 2a81efb0de0e33f2d2c83154af0bd3ce389b3269 ] + +Add compatible to gicv3 node to enable quirk required to restrict writing +to GICR_WAKER register which is restricted on msm8996 SoC in Hypervisor. + +With this quirk MSM8996 can at least boot out of mainline, which can help +community to work with boards based on MSM8996. + +Without this patch Qualcomm DB820c board reboots on mainline. + +Signed-off-by: Srinivas Kandagatla +Signed-off-by: Andy Gross +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/msm8996.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/qcom/msm8996.dtsi b/arch/arm64/boot/dts/qcom/msm8996.dtsi +index 2c93de7fffe5..bdea2d6fde94 100644 +--- a/arch/arm64/boot/dts/qcom/msm8996.dtsi ++++ b/arch/arm64/boot/dts/qcom/msm8996.dtsi +@@ -219,7 +219,7 @@ + compatible = "simple-bus"; + + intc: interrupt-controller@9bc0000 { +- compatible = "arm,gic-v3"; ++ compatible = "qcom,msm8996-gic-v3", "arm,gic-v3"; + #interrupt-cells = <3>; + interrupt-controller; + #redistributor-regions = <1>; +-- +2.19.1 + diff --git a/queue-4.9/arm64-kprobe-always-blacklist-the-kvm-world-switch-c.patch b/queue-4.9/arm64-kprobe-always-blacklist-the-kvm-world-switch-c.patch new file mode 100644 index 00000000000..2718243d9c0 --- /dev/null +++ b/queue-4.9/arm64-kprobe-always-blacklist-the-kvm-world-switch-c.patch 
@@ -0,0 +1,56 @@ +From 223bff3fc5f45efc0f8b14c2ef2f0e1a61ace33d Mon Sep 17 00:00:00 2001 +From: James Morse +Date: Thu, 24 Jan 2019 16:32:55 +0000 +Subject: arm64: kprobe: Always blacklist the KVM world-switch code + +[ Upstream commit f2b3d8566d81deaca31f4e3163def0bea7746e11 ] + +On systems with VHE the kernel and KVM's world-switch code run at the +same exception level. Code that is only used on a VHE system does not +need to be annotated as __hyp_text as it can reside anywhere in the + kernel text. + +__hyp_text was also used to prevent kprobes from patching breakpoint +instructions into this region, as this code runs at a different +exception level. While this is no longer true with VHE, KVM still +switches VBAR_EL1, meaning a kprobe's breakpoint executed in the +world-switch code will cause a hyp-panic. + +Move the __hyp_text check in the kprobes blacklist so it applies on +VHE systems too, to cover the common code and guest enter/exit +assembly. + +Fixes: 888b3c8720e0 ("arm64: Treat all entry code as non-kprobe-able") +Reviewed-by: Christoffer Dall +Signed-off-by: James Morse +Acked-by: Masami Hiramatsu +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/probes/kprobes.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/arm64/kernel/probes/kprobes.c b/arch/arm64/kernel/probes/kprobes.c +index 30bcae0aef2a..d2b1b624ddc3 100644 +--- a/arch/arm64/kernel/probes/kprobes.c ++++ b/arch/arm64/kernel/probes/kprobes.c +@@ -546,13 +546,13 @@ bool arch_within_kprobe_blacklist(unsigned long addr) + addr < (unsigned long)__entry_text_end) || + (addr >= (unsigned long)__idmap_text_start && + addr < (unsigned long)__idmap_text_end) || ++ (addr >= (unsigned long)__hyp_text_start && ++ addr < (unsigned long)__hyp_text_end) || + !!search_exception_tables(addr)) + return true; + + if (!is_kernel_in_hyp_mode()) { +- if ((addr >= (unsigned long)__hyp_text_start && +- addr < (unsigned long)__hyp_text_end) || +- (addr >= 
(unsigned long)__hyp_idmap_text_start && ++ if ((addr >= (unsigned long)__hyp_idmap_text_start && + addr < (unsigned long)__hyp_idmap_text_end)) + return true; + } +-- +2.19.1 + diff --git a/queue-4.9/autofs-drop-dentry-reference-only-when-it-is-never-u.patch b/queue-4.9/autofs-drop-dentry-reference-only-when-it-is-never-u.patch new file mode 100644 index 00000000000..c3414592b46 --- /dev/null +++ b/queue-4.9/autofs-drop-dentry-reference-only-when-it-is-never-u.patch @@ -0,0 +1,46 @@ +From 28786b26b4a3bbd197474f0e510bb294fdb07eb7 Mon Sep 17 00:00:00 2001 +From: Pan Bian +Date: Fri, 1 Feb 2019 14:21:26 -0800 +Subject: autofs: drop dentry reference only when it is never used + +[ Upstream commit 63ce5f552beb9bdb41546b3a26c4374758b21815 ] + +autofs_expire_run() calls dput(dentry) to drop the reference count of +dentry. However, dentry is read via autofs_dentry_ino(dentry) after +that. This may result in a use-free-bug. The patch drops the reference +count of dentry only when it is never used. + +Link: http://lkml.kernel.org/r/154725122396.11260.16053424107144453867.stgit@pluto-themaw-net +Signed-off-by: Pan Bian +Signed-off-by: Ian Kent +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/autofs4/expire.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/autofs4/expire.c b/fs/autofs4/expire.c +index d8e6d421c27f..2e1f50e467f1 100644 +--- a/fs/autofs4/expire.c ++++ b/fs/autofs4/expire.c +@@ -563,7 +563,6 @@ int autofs4_expire_run(struct super_block *sb, + pkt.len = dentry->d_name.len; + memcpy(pkt.name, dentry->d_name.name, pkt.len); + pkt.name[pkt.len] = '\0'; +- dput(dentry); + + if (copy_to_user(pkt_p, &pkt, sizeof(struct autofs_packet_expire))) + ret = -EFAULT; +@@ -576,6 +575,8 @@ int autofs4_expire_run(struct super_block *sb, + complete_all(&ino->expire_complete); + spin_unlock(&sbi->fs_lock); + ++ dput(dentry); ++ + return ret; + } + +-- +2.19.1 + 
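Review bot: The relocated `dput(dentry);` at the end of autofs4_expire_run() carries no comment explaining why it must come after the `complete_all(&ino->expire_complete);` / `spin_unlock(&sbi->fs_lock);` pair, so a later cleanup could move it back up and reintroduce the use-after-free the commit message describes. A one-line comment above it would record the ordering constraint, for example `/* Drop the reference last: ino is looked up from this dentry and is still used above. */`. The function starts outside the hunk, so whether any earlier return path also holds the reference cannot be checked from here.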
diff --git a/queue-4.9/autofs-fix-error-return-in-autofs_fill_super.patch b/queue-4.9/autofs-fix-error-return-in-autofs_fill_super.patch new file mode 100644 index 00000000000..6e057084b52 --- /dev/null +++ b/queue-4.9/autofs-fix-error-return-in-autofs_fill_super.patch @@ -0,0 +1,39 @@ +From dc03b0354727e0960d2cda60ee7ad55bd0cadbf9 Mon Sep 17 00:00:00 2001 +From: Ian Kent +Date: Fri, 1 Feb 2019 14:21:29 -0800 +Subject: autofs: fix error return in autofs_fill_super() + +[ Upstream commit f585b283e3f025754c45bbe7533fc6e5c4643700 ] + +In autofs_fill_super() on error of get inode/make root dentry the return +should be ENOMEM as this is the only failure case of the called +functions. + +Link: http://lkml.kernel.org/r/154725123240.11260.796773942606871359.stgit@pluto-themaw-net +Signed-off-by: Ian Kent +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/autofs4/inode.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/autofs4/inode.c b/fs/autofs4/inode.c +index ce0c6ea96a87..d9a3264909d0 100644 +--- a/fs/autofs4/inode.c ++++ b/fs/autofs4/inode.c +@@ -259,8 +259,10 @@ int autofs4_fill_super(struct super_block *s, void *data, int silent) + } + root_inode = autofs4_get_inode(s, S_IFDIR | 0755); + root = d_make_root(root_inode); +- if (!root) ++ if (!root) { ++ ret = -ENOMEM; + goto fail_ino; ++ } + pipe = NULL; + + root->d_fsdata = ino; +-- +2.19.1 + diff --git a/queue-4.9/cifs-fix-computation-for-max_smb2_hdr_size.patch b/queue-4.9/cifs-fix-computation-for-max_smb2_hdr_size.patch new file mode 100644 index 00000000000..770ce33e290 --- /dev/null +++ b/queue-4.9/cifs-fix-computation-for-max_smb2_hdr_size.patch 
@@ -0,0 +1,35 @@ +From f5a8824506dc03bd6a858585026c0cbec3c88e94 Mon Sep 17 00:00:00 2001 +From: Ronnie Sahlberg +Date: Tue, 29 Jan 2019 12:46:16 +1000 +Subject: cifs: fix computation for MAX_SMB2_HDR_SIZE + +[ Upstream commit 58d15ed1203f4d858c339ea4d7dafa94bd2a56d3 ] + +The size of the fixed part of the create response is 88 bytes not 56. + +Signed-off-by: Ronnie Sahlberg +Signed-off-by: Steve French +Reviewed-by: Pavel Shilovsky +Signed-off-by: Sasha Levin +--- + fs/cifs/smb2pdu.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/cifs/smb2pdu.h b/fs/cifs/smb2pdu.h +index 1e1449ad00e8..1af7afae3ad1 100644 +--- a/fs/cifs/smb2pdu.h ++++ b/fs/cifs/smb2pdu.h +@@ -84,8 +84,8 @@ + + #define NUMBER_OF_SMB2_COMMANDS 0x0013 + +-/* 4 len + 52 transform hdr + 64 hdr + 56 create rsp */ +-#define MAX_SMB2_HDR_SIZE 0x00b0 ++/* 52 transform hdr + 64 hdr + 88 create rsp */ ++#define MAX_SMB2_HDR_SIZE 204 + + #define SMB2_PROTO_NUMBER cpu_to_le32(0x424d53fe) + #define SMB2_TRANSFORM_PROTO_NUM cpu_to_le32(0x424d53fd) +-- +2.19.1 + diff --git a/queue-4.9/dmaengine-at_xdmac-fix-wrongfull-report-of-a-channel.patch b/queue-4.9/dmaengine-at_xdmac-fix-wrongfull-report-of-a-channel.patch new file mode 100644 index 00000000000..cef9976675b --- /dev/null +++ b/queue-4.9/dmaengine-at_xdmac-fix-wrongfull-report-of-a-channel.patch 
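Review bot: The new comment on `MAX_SMB2_HDR_SIZE` drops the `4 len` term that the old comment in this tree counted (4 + 52 + 64 + 56 = 0xb0), and the new value 204 is exactly 52 + 64 + 88 without it. If the 4.9 header layout still carries the 4-byte length prefix that the old comment implies, the backported constant would be four bytes short of the largest header, which matters wherever it sizes or bounds a receive buffer; this should be confirmed against the struct definitions in this branch. Writing the value as visible arithmetic, `#define MAX_SMB2_HDR_SIZE (52 + 64 + 88)` (plus `4 +` if the prefix still applies), would keep the comment and the number from drifting apart again.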
@@ -0,0 +1,100 @@ +From 5c2fe720b4a7fd4f4fded9047ed3750cebf7e0e5 Mon Sep 17 00:00:00 2001 +From: Codrin Ciubotariu +Date: Wed, 23 Jan 2019 16:33:47 +0000 +Subject: dmaengine: at_xdmac: Fix wrongfull report of a channel as in use + +[ Upstream commit dc3f595b6617ebc0307e0ce151e8f2f2b2489b95 ] + +atchan->status variable is used to store two different information: + - pass channel interrupts status from interrupt handler to tasklet; + - channel information like whether it is cyclic or paused; + +This causes a bug when device_terminate_all() is called, +(AT_XDMAC_CHAN_IS_CYCLIC cleared on atchan->status) and then a late End +of Block interrupt arrives (AT_XDMAC_CIS_BIS), which sets bit 0 of +atchan->status. Bit 0 is also used for AT_XDMAC_CHAN_IS_CYCLIC, so when +a new descriptor for a cyclic transfer is created, the driver reports +the channel as in use: + +if (test_and_set_bit(AT_XDMAC_CHAN_IS_CYCLIC, &atchan->status)) { + dev_err(chan2dev(chan), "channel currently used\n"); + return NULL; +} + +This patch fixes the bug by adding a different struct member to keep +the interrupts status separated from the channel status bits. 
+ +Fixes: e1f7c9eee707 ("dmaengine: at_xdmac: creation of the atmel eXtended DMA Controller driver") +Signed-off-by: Codrin Ciubotariu +Acked-by: Ludovic Desroches +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/at_xdmac.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +diff --git a/drivers/dma/at_xdmac.c b/drivers/dma/at_xdmac.c +index ee7b48d5243c..b222dd7afe8e 100644 +--- a/drivers/dma/at_xdmac.c ++++ b/drivers/dma/at_xdmac.c +@@ -203,6 +203,7 @@ struct at_xdmac_chan { + u32 save_cim; + u32 save_cnda; + u32 save_cndc; ++ u32 irq_status; + unsigned long status; + struct tasklet_struct tasklet; + struct dma_slave_config sconfig; +@@ -1582,8 +1583,8 @@ static void at_xdmac_tasklet(unsigned long data) + struct at_xdmac_desc *desc; + u32 error_mask; + +- dev_dbg(chan2dev(&atchan->chan), "%s: status=0x%08lx\n", +- __func__, atchan->status); ++ dev_dbg(chan2dev(&atchan->chan), "%s: status=0x%08x\n", ++ __func__, atchan->irq_status); + + error_mask = AT_XDMAC_CIS_RBEIS + | AT_XDMAC_CIS_WBEIS +@@ -1591,15 +1592,15 @@ static void at_xdmac_tasklet(unsigned long data) + + if (at_xdmac_chan_is_cyclic(atchan)) { + at_xdmac_handle_cyclic(atchan); +- } else if ((atchan->status & AT_XDMAC_CIS_LIS) +- || (atchan->status & error_mask)) { ++ } else if ((atchan->irq_status & AT_XDMAC_CIS_LIS) ++ || (atchan->irq_status & error_mask)) { + struct dma_async_tx_descriptor *txd; + +- if (atchan->status & AT_XDMAC_CIS_RBEIS) ++ if (atchan->irq_status & AT_XDMAC_CIS_RBEIS) + dev_err(chan2dev(&atchan->chan), "read bus error!!!"); +- if (atchan->status & AT_XDMAC_CIS_WBEIS) ++ if (atchan->irq_status & AT_XDMAC_CIS_WBEIS) + dev_err(chan2dev(&atchan->chan), "write bus error!!!"); +- if (atchan->status & AT_XDMAC_CIS_ROIS) ++ if (atchan->irq_status & AT_XDMAC_CIS_ROIS) + dev_err(chan2dev(&atchan->chan), "request overflow error!!!"); + + spin_lock_bh(&atchan->lock); +@@ -1654,7 +1655,7 @@ static irqreturn_t at_xdmac_interrupt(int irq, void 
*dev_id) + atchan = &atxdmac->chan[i]; + chan_imr = at_xdmac_chan_read(atchan, AT_XDMAC_CIM); + chan_status = at_xdmac_chan_read(atchan, AT_XDMAC_CIS); +- atchan->status = chan_status & chan_imr; ++ atchan->irq_status = chan_status & chan_imr; + dev_vdbg(atxdmac->dma.dev, + "%s: chan%d: imr=0x%x, status=0x%x\n", + __func__, i, chan_imr, chan_status); +@@ -1668,7 +1669,7 @@ static irqreturn_t at_xdmac_interrupt(int irq, void *dev_id) + at_xdmac_chan_read(atchan, AT_XDMAC_CDA), + at_xdmac_chan_read(atchan, AT_XDMAC_CUBC)); + +- if (atchan->status & (AT_XDMAC_CIS_RBEIS | AT_XDMAC_CIS_WBEIS)) ++ if (atchan->irq_status & (AT_XDMAC_CIS_RBEIS | AT_XDMAC_CIS_WBEIS)) + at_xdmac_write(atxdmac, AT_XDMAC_GD, atchan->mask); + + tasklet_schedule(&atchan->tasklet); +-- +2.19.1 + diff --git a/queue-4.9/dmaengine-dmatest-abort-test-in-case-of-mapping-erro.patch b/queue-4.9/dmaengine-dmatest-abort-test-in-case-of-mapping-erro.patch new file mode 100644 index 00000000000..c731f8fe021 --- /dev/null +++ b/queue-4.9/dmaengine-dmatest-abort-test-in-case-of-mapping-erro.patch 
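Review bot: The new `u32 irq_status;` member in struct at_xdmac_chan sits directly above `unsigned long status;` with no comment telling the two apart, which is the same ambiguity that let one field serve two purposes before this fix. Suggest documenting both, for example `u32 irq_status; /* AT_XDMAC_CIS_* bits latched by the interrupt handler for the tasklet */` and `unsigned long status; /* channel state flags such as AT_XDMAC_CHAN_IS_CYCLIC */`. The debug line in at_xdmac_tasklet() still prints the label `status=` while now showing `atchan->irq_status`; `"%s: irq_status=0x%08x\n"` would avoid misreading logs. The struct and both functions extend outside the hunks shown.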
@@ -0,0 +1,121 @@ +From 9824155cb69b51a46cbf2b976571026fa5485f98 Mon Sep 17 00:00:00 2001 +From: Andy Shevchenko +Date: Wed, 30 Jan 2019 21:48:44 +0200 +Subject: dmaengine: dmatest: Abort test in case of mapping error + +[ Upstream commit 6454368a804c4955ccd116236037536f81e5b1f1 ] + +In case of mapping error the DMA addresses are invalid and continuing +will screw system memory or potentially something else. + +[ 222.480310] dmatest: dma0chan7-copy0: summary 1 tests, 3 failures 6 iops 349 KB/s (0) +... +[ 240.912725] check: Corrupted low memory at 00000000c7c75ac9 (2940 phys) = 5656000000000000 +[ 240.921998] check: Corrupted low memory at 000000005715a1cd (2948 phys) = 279f2aca5595ab2b +[ 240.931280] check: Corrupted low memory at 000000002f4024c0 (2950 phys) = 5e5624f349e793cf +... + +Abort any test if mapping failed. + +Fixes: 4076e755dbec ("dmatest: convert to dmaengine_unmap_data") +Cc: Dan Williams +Signed-off-by: Andy Shevchenko +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/dmatest.c | 28 ++++++++++++---------------- + 1 file changed, 12 insertions(+), 16 deletions(-) + +diff --git a/drivers/dma/dmatest.c b/drivers/dma/dmatest.c +index ebe72a466587..7dd46cf5ed84 100644 +--- a/drivers/dma/dmatest.c ++++ b/drivers/dma/dmatest.c +@@ -583,11 +583,9 @@ static int dmatest_func(void *data) + srcs[i] = um->addr[i] + src_off; + ret = dma_mapping_error(dev->dev, um->addr[i]); + if (ret) { +- dmaengine_unmap_put(um); + result("src mapping error", total_tests, + src_off, dst_off, len, ret); +- failed_tests++; +- continue; ++ goto error_unmap_continue; + } + um->to_cnt++; + } +@@ -602,11 +600,9 @@ static int dmatest_func(void *data) + DMA_BIDIRECTIONAL); + ret = dma_mapping_error(dev->dev, dsts[i]); + if (ret) { +- dmaengine_unmap_put(um); + result("dst mapping error", total_tests, + src_off, dst_off, len, ret); +- failed_tests++; +- continue; ++ goto error_unmap_continue; + } + um->bidi_cnt++; + } +@@ -643,12 +639,10 @@ static int 
dmatest_func(void *data) + } + + if (!tx) { +- dmaengine_unmap_put(um); + result("prep error", total_tests, src_off, + dst_off, len, ret); + msleep(100); +- failed_tests++; +- continue; ++ goto error_unmap_continue; + } + + done->done = false; +@@ -657,12 +651,10 @@ static int dmatest_func(void *data) + cookie = tx->tx_submit(tx); + + if (dma_submit_error(cookie)) { +- dmaengine_unmap_put(um); + result("submit error", total_tests, src_off, + dst_off, len, ret); + msleep(100); +- failed_tests++; +- continue; ++ goto error_unmap_continue; + } + dma_async_issue_pending(chan); + +@@ -675,16 +667,14 @@ static int dmatest_func(void *data) + dmaengine_unmap_put(um); + result("test timed out", total_tests, src_off, dst_off, + len, 0); +- failed_tests++; +- continue; ++ goto error_unmap_continue; + } else if (status != DMA_COMPLETE) { + dmaengine_unmap_put(um); + result(status == DMA_ERROR ? + "completion error status" : + "completion busy status", total_tests, src_off, + dst_off, len, ret); +- failed_tests++; +- continue; ++ goto error_unmap_continue; + } + + dmaengine_unmap_put(um); +@@ -727,6 +717,12 @@ static int dmatest_func(void *data) + verbose_result("test passed", total_tests, src_off, + dst_off, len, 0); + } ++ ++ continue; ++ ++error_unmap_continue: ++ dmaengine_unmap_put(um); ++ failed_tests++; + } + ktime = ktime_sub(ktime_get(), ktime); + ktime = ktime_sub(ktime, comparetime); +-- +2.19.1 + diff --git a/queue-4.9/drm-sun4i-tcon-prepare-and-enable-tcon-channel-0-clo.patch b/queue-4.9/drm-sun4i-tcon-prepare-and-enable-tcon-channel-0-clo.patch new file mode 100644 index 00000000000..4ed7c732d57 --- /dev/null +++ b/queue-4.9/drm-sun4i-tcon-prepare-and-enable-tcon-channel-0-clo.patch 
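Review bot: In the `@@ -675,16 +667,14 @@` part of this backport the "test timed out" and `status != DMA_COMPLETE` branches keep their existing `dmaengine_unmap_put(um);` call as context and then `goto error_unmap_continue;`, where the new label calls `dmaengine_unmap_put(um);` a second time. On those two paths the unmap data reference is therefore dropped twice per iteration, which can underflow the refcount and free the object while it is still referenced. Either remove the two retained `dmaengine_unmap_put(um);` lines in those branches, or leave those branches with their original `failed_tests++; continue;` so that only the paths which lost their own put jump to the label. dmatest_func() starts and ends outside the hunk, so the surrounding loop is not fully visible here.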
@@ -0,0 +1,50 @@ +From 8f63e81c1eabb61459e807bd9fd5790e9fe26e0f Mon Sep 17 00:00:00 2001 +From: Paul Kocialkowski +Date: Thu, 31 Jan 2019 14:25:50 +0100 +Subject: drm/sun4i: tcon: Prepare and enable TCON channel 0 clock at init + +[ Upstream commit b14e945bda8ae227d1bf2b1837c0c4a61721cd1a ] + +When initializing clocks, a reference to the TCON channel 0 clock is +obtained. However, the clock is never prepared and enabled later. +Switching from simplefb to DRM actually disables the clock (that was +usually configured by U-Boot) because of that. + +On the V3s, this results in a hang when writing to some mixer registers +when switching over to DRM from simplefb. + +Fix this by preparing and enabling the clock when initializing other +clocks. Waiting for sun4i_tcon_channel_enable to enable the clock is +apparently too late and results in the same mixer register access hang. + +Signed-off-by: Paul Kocialkowski +Signed-off-by: Maxime Ripard +Link: https://patchwork.freedesktop.org/patch/msgid/20190131132550.26355-1-paul.kocialkowski@bootlin.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/sun4i/sun4i_tcon.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/sun4i/sun4i_tcon.c b/drivers/gpu/drm/sun4i/sun4i_tcon.c +index f2975a1525be..2796fea70a42 100644 +--- a/drivers/gpu/drm/sun4i/sun4i_tcon.c ++++ b/drivers/gpu/drm/sun4i/sun4i_tcon.c +@@ -327,6 +327,7 @@ static int sun4i_tcon_init_clocks(struct device *dev, + dev_err(dev, "Couldn't get the TCON channel 0 clock\n"); + return PTR_ERR(tcon->sclk0); + } ++ clk_prepare_enable(tcon->sclk0); + + if (tcon->quirks->has_channel_1) { + tcon->sclk1 = devm_clk_get(dev, "tcon-ch1"); +@@ -341,6 +342,7 @@ static int sun4i_tcon_init_clocks(struct device *dev, + + static void sun4i_tcon_free_clocks(struct sun4i_tcon *tcon) + { ++ clk_disable_unprepare(tcon->sclk0); + clk_disable_unprepare(tcon->clk); + } + +-- +2.19.1 + 
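Review bot: The result of `clk_prepare_enable(tcon->sclk0);` added in sun4i_tcon_init_clocks() is discarded, so a failed enable lets initialisation continue with the channel 0 clock off, the state the commit message links to the mixer register hang. Suggest checking it, e.g. `ret = clk_prepare_enable(tcon->sclk0);` followed by `if (ret) return ret;` (a local `int ret` would be needed if the function has none). The `has_channel_1` block that follows appears to have its own error return; if it does, that path would leave sclk0 enabled, since the matching `clk_disable_unprepare(tcon->sclk0);` only lives in sun4i_tcon_free_clocks(). The rest of the function is outside the hunk, so this needs confirming against the full body.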
diff --git a/queue-4.9/fs-drop_caches.c-avoid-softlockups-in-drop_pagecache.patch b/queue-4.9/fs-drop_caches.c-avoid-softlockups-in-drop_pagecache.patch new file mode 100644 index 00000000000..fd52942c925 --- /dev/null +++ b/queue-4.9/fs-drop_caches.c-avoid-softlockups-in-drop_pagecache.patch 
@@ -0,0 +1,57 @@ +From 2789a3d4ece35737d398ebd50100217952626ec9 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Fri, 1 Feb 2019 14:21:23 -0800 +Subject: fs/drop_caches.c: avoid softlockups in drop_pagecache_sb() + +[ Upstream commit c27d82f52f75fc9d8d9d40d120d2a96fdeeada5e ] + +When superblock has lots of inodes without any pagecache (like is the +case for /proc), drop_pagecache_sb() will iterate through all of them +without dropping sb->s_inode_list_lock which can lead to softlockups +(one of our customers hit this). + +Fix the problem by going to the slow path and doing cond_resched() in +case the process needs rescheduling. + +Link: http://lkml.kernel.org/r/20190114085343.15011-1-jack@suse.cz +Signed-off-by: Jan Kara +Acked-by: Michal Hocko +Reviewed-by: Andrew Morton +Cc: Al Viro +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/drop_caches.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/fs/drop_caches.c b/fs/drop_caches.c +index d72d52b90433..280460fef066 100644 +--- a/fs/drop_caches.c ++++ b/fs/drop_caches.c +@@ -20,8 +20,13 @@ static void drop_pagecache_sb(struct super_block *sb, void *unused) + spin_lock(&sb->s_inode_list_lock); + list_for_each_entry(inode, &sb->s_inodes, i_sb_list) { + spin_lock(&inode->i_lock); ++ /* ++ * We must skip inodes in unusual state. We may also skip ++ * inodes without pages but we deliberately won't in case ++ * we need to reschedule to avoid softlockups. ++ */ + if ((inode->i_state & (I_FREEING|I_WILL_FREE|I_NEW)) || +- (inode->i_mapping->nrpages == 0)) { ++ (inode->i_mapping->nrpages == 0 && !need_resched())) { + spin_unlock(&inode->i_lock); + continue; + } +@@ -29,6 +34,7 @@ static void drop_pagecache_sb(struct super_block *sb, void *unused) + spin_unlock(&inode->i_lock); + spin_unlock(&sb->s_inode_list_lock); + ++ cond_resched(); + invalidate_mapping_pages(inode->i_mapping, 0, -1); + iput(toput_inode); + toput_inode = inode; +-- +2.19.1 + 
diff --git a/queue-4.9/fs-ratelimit-__find_get_block_slow-failure-message.patch b/queue-4.9/fs-ratelimit-__find_get_block_slow-failure-message.patch new file mode 100644 index 00000000000..0cf040370b1 --- /dev/null +++ b/queue-4.9/fs-ratelimit-__find_get_block_slow-failure-message.patch 
@@ -0,0 +1,76 @@ +From b6ef1d4a1555f05aff0ac6394c164a09a864250d Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Mon, 21 Jan 2019 22:49:37 +0900 +Subject: fs: ratelimit __find_get_block_slow() failure message. + +[ Upstream commit 43636c804df0126da669c261fc820fb22f62bfc2 ] + +When something let __find_get_block_slow() hit all_mapped path, it calls +printk() for 100+ times per a second. But there is no need to print same +message with such high frequency; it is just asking for stall warning, or +at least bloating log files. + + [ 399.866302][T15342] __find_get_block_slow() failed. block=1, b_blocknr=8 + [ 399.873324][T15342] b_state=0x00000029, b_size=512 + [ 399.878403][T15342] device loop0 blocksize: 4096 + [ 399.883296][T15342] __find_get_block_slow() failed. block=1, b_blocknr=8 + [ 399.890400][T15342] b_state=0x00000029, b_size=512 + [ 399.895595][T15342] device loop0 blocksize: 4096 + [ 399.900556][T15342] __find_get_block_slow() failed. block=1, b_blocknr=8 + [ 399.907471][T15342] b_state=0x00000029, b_size=512 + [ 399.912506][T15342] device loop0 blocksize: 4096 + +This patch reduces frequency to up to once per a second, in addition to +concatenating three lines into one. + + [ 399.866302][T15342] __find_get_block_slow() failed. 
block=1, b_blocknr=8, b_state=0x00000029, b_size=512, device loop0 blocksize: 4096 + +Signed-off-by: Tetsuo Handa +Reviewed-by: Jan Kara +Cc: Dmitry Vyukov +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + fs/buffer.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +diff --git a/fs/buffer.c b/fs/buffer.c +index 5d8f496d624e..e0d46d47e358 100644 +--- a/fs/buffer.c ++++ b/fs/buffer.c +@@ -207,6 +207,7 @@ __find_get_block_slow(struct block_device *bdev, sector_t block) + struct buffer_head *head; + struct page *page; + int all_mapped = 1; ++ static DEFINE_RATELIMIT_STATE(last_warned, HZ, 1); + + index = block >> (PAGE_SHIFT - bd_inode->i_blkbits); + page = find_get_page_flags(bd_mapping, index, FGP_ACCESSED); +@@ -234,15 +235,15 @@ __find_get_block_slow(struct block_device *bdev, sector_t block) + * file io on the block device and getblk. It gets dealt with + * elsewhere, don't buffer_error if we had some unmapped buffers + */ +- if (all_mapped) { +- printk("__find_get_block_slow() failed. " +- "block=%llu, b_blocknr=%llu\n", +- (unsigned long long)block, +- (unsigned long long)bh->b_blocknr); +- printk("b_state=0x%08lx, b_size=%zu\n", +- bh->b_state, bh->b_size); +- printk("device %pg blocksize: %d\n", bdev, +- 1 << bd_inode->i_blkbits); ++ ratelimit_set_flags(&last_warned, RATELIMIT_MSG_ON_RELEASE); ++ if (all_mapped && __ratelimit(&last_warned)) { ++ printk("__find_get_block_slow() failed. block=%llu, " ++ "b_blocknr=%llu, b_state=0x%08lx, b_size=%zu, " ++ "device %pg blocksize: %d\n", ++ (unsigned long long)block, ++ (unsigned long long)bh->b_blocknr, ++ bh->b_state, bh->b_size, bdev, ++ 1 << bd_inode->i_blkbits); + } + out_unlock: + spin_unlock(&bd_mapping->private_lock); +-- +2.19.1 + diff --git a/queue-4.9/gpio-vf610-mask-all-gpio-interrupts.patch b/queue-4.9/gpio-vf610-mask-all-gpio-interrupts.patch new file mode 100644 index 00000000000..f1b37fa87a4 --- /dev/null 
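Review bot: The rate-limit state added to `__find_get_block_slow()` is a function-local static that is never released, so with `RATELIMIT_MSG_ON_RELEASE` set the number of suppressed messages is presumably never reported and the log no longer shows how often the `all_mapped` path was hit. If that count matters for triage, dropping the `ratelimit_set_flags()` call would let the default suppression notice appear; otherwise a comment such as `/* suppressed count is intentionally not reported */` would record the choice. The `ratelimit_set_flags()` call also runs on every pass, ahead of the `all_mapped` test, although the flag only needs setting once. The merged `printk()` still carries no `KERN_` level. The function body starts and ends outside the hunk.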
+++ b/queue-4.9/gpio-vf610-mask-all-gpio-interrupts.patch @@ -0,0 +1,52 @@ +From 5edb1fe06607bf6bc1d27efa2e1740784aa72efe Mon Sep 17 00:00:00 2001 +From: Andrew Lunn +Date: Sun, 27 Jan 2019 22:58:00 +0100 +Subject: gpio: vf610: Mask all GPIO interrupts + +[ Upstream commit 7ae710f9f8b2cf95297e7bbfe1c09789a7dc43d4 ] + +On SoC reset all GPIO interrupts are disable. However, if kexec is +used to boot into a new kernel, the SoC does not experience a +reset. Hence GPIO interrupts can be left enabled from the previous +kernel. It is then possible for the interrupt to fire before an +interrupt handler is registered, resulting in the kernel complaining +of an "unexpected IRQ trap", the interrupt is never cleared, and so +fires again, resulting in an interrupt storm. + +Disable all GPIO interrupts before registering the GPIO IRQ chip. + +Fixes: 7f2691a19627 ("gpio: vf610: add gpiolib/IRQ chip driver for Vybrid") +Signed-off-by: Andrew Lunn +Acked-by: Stefan Agner +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-vf610.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/gpio/gpio-vf610.c b/drivers/gpio/gpio-vf610.c +index 3edb09cb9ee0..1f599bc08237 100644 +--- a/drivers/gpio/gpio-vf610.c ++++ b/drivers/gpio/gpio-vf610.c +@@ -221,6 +221,7 @@ static int vf610_gpio_probe(struct platform_device *pdev) + struct vf610_gpio_port *port; + struct resource *iores; + struct gpio_chip *gc; ++ int i; + int ret; + + port = devm_kzalloc(&pdev->dev, sizeof(*port), GFP_KERNEL); +@@ -259,6 +260,10 @@ static int vf610_gpio_probe(struct platform_device *pdev) + if (ret < 0) + return ret; + ++ /* Mask all GPIO interrupts */ ++ for (i = 0; i < gc->ngpio; i++) ++ vf610_gpio_writel(0, port->base + PORT_PCR(i)); ++ + /* Clear the interrupt status register for all GPIO's */ + vf610_gpio_writel(~0, port->base + PORT_ISFR); + +-- +2.19.1 + 
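Review bot: The comment on the new loop in `vf610_gpio_probe()` says what it does but not why, and the reason cannot be read off the code: per the description, a kexec boot does not reset the SoC, so the previous kernel may have left GPIO interrupts enabled. I would expand it to `/* Mask all GPIO interrupts: after kexec they may still be enabled from the previous kernel */`. The loop writes 0 to the whole `PORT_PCR(i)` register; if that register holds anything besides the interrupt configuration (not visible here), the comment should also say that clearing the other fields is intended. The probe function continues outside the hunk.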
diff --git a/queue-4.9/ib-hfi1-qib-fix-wc.byte_len-calculation-for-ud_send_.patch b/queue-4.9/ib-hfi1-qib-fix-wc.byte_len-calculation-for-ud_send_.patch
new file mode 100644
index 00000000000..6f3f98f5646
--- /dev/null
+++ b/queue-4.9/ib-hfi1-qib-fix-wc.byte_len-calculation-for-ud_send_.patch
@@ -0,0 +1,57 @@ +From 5630de579b17ab19e4aca1ce9fbb8d8ae4c0f59e Mon Sep 17 00:00:00 2001 +From: Brian Welty +Date: Thu, 17 Jan 2019 12:41:32 -0800 +Subject: IB/{hfi1, qib}: Fix WC.byte_len calculation for UD_SEND_WITH_IMM + +[ Upstream commit 904bba211acc2112fdf866e5a2bc6cd9ecd0de1b ] + +The work completion length for a receiving a UD send with immediate is +short by 4 bytes causing application using this opcode to fail. + +The UD receive logic incorrectly subtracts 4 bytes for immediate +value. These bytes are already included in header length and are used to +calculate header/payload split, so the result is these 4 bytes are +subtracted twice, once when the header length subtracted from the overall +length and once again in the UD opcode specific path. + +Remove the extra subtraction when handling the opcode. + +Fixes: 7724105686e7 ("IB/hfi1: add driver files") +Reviewed-by: Michael J. Ruhl +Signed-off-by: Brian Welty +Signed-off-by: Mike Marciniszyn +Signed-off-by: Dennis Dalessandro +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hfi1/ud.c | 1 - + drivers/infiniband/hw/qib/qib_ud.c | 1 - + 2 files changed, 2 deletions(-) + +diff --git a/drivers/infiniband/hw/hfi1/ud.c b/drivers/infiniband/hw/hfi1/ud.c +index 1a7ce1d740ce..292d7b6a0536 100644 +--- a/drivers/infiniband/hw/hfi1/ud.c ++++ b/drivers/infiniband/hw/hfi1/ud.c +@@ -772,7 +772,6 @@ void hfi1_ud_rcv(struct hfi1_packet *packet) + opcode == IB_OPCODE_UD_SEND_ONLY_WITH_IMMEDIATE) { + wc.ex.imm_data = ohdr->u.ud.imm_data; + wc.wc_flags = IB_WC_WITH_IMM; +- tlen -= sizeof(u32); + } else if (opcode == IB_OPCODE_UD_SEND_ONLY) { + wc.ex.imm_data = 0; + wc.wc_flags = 0; +diff --git a/drivers/infiniband/hw/qib/qib_ud.c b/drivers/infiniband/hw/qib/qib_ud.c +index f45cad1198b0..93012fba287d 100644 +--- a/drivers/infiniband/hw/qib/qib_ud.c ++++ b/drivers/infiniband/hw/qib/qib_ud.c +@@ -525,7 +525,6 @@ void qib_ud_rcv(struct qib_ibport *ibp, struct ib_header *hdr, + opcode == 
IB_OPCODE_UD_SEND_ONLY_WITH_IMMEDIATE) { + wc.ex.imm_data = ohdr->u.ud.imm_data; + wc.wc_flags = IB_WC_WITH_IMM; +- tlen -= sizeof(u32); + } else if (opcode == IB_OPCODE_UD_SEND_ONLY) { + wc.ex.imm_data = 0; + wc.wc_flags = 0; +-- +2.19.1 + diff --git a/queue-4.9/iommu-amd-call-free_iova_fast-with-pfn-in-map_sg.patch b/queue-4.9/iommu-amd-call-free_iova_fast-with-pfn-in-map_sg.patch new file mode 100644 index 00000000000..80d3ba322d0 --- /dev/null +++ b/queue-4.9/iommu-amd-call-free_iova_fast-with-pfn-in-map_sg.patch @@ -0,0 +1,38 @@ +From c29c588e3effcc4628891f5294517d32c253787a Mon Sep 17 00:00:00 2001 +From: Jerry Snitselaar +Date: Thu, 17 Jan 2019 12:29:02 -0700 +Subject: iommu/amd: Call free_iova_fast with pfn in map_sg + +[ Upstream commit 51d8838d66d3249508940d8f59b07701f2129723 ] + +In the error path of map_sg, free_iova_fast is being called with +address instead of the pfn. This results in a bad value getting into +the rcache, and can result in hitting a BUG_ON when +iova_magazine_free_pfns is called. + +Cc: Joerg Roedel +Cc: Suravee Suthikulpanit +Signed-off-by: Jerry Snitselaar +Fixes: 80187fd39dcb ("iommu/amd: Optimize map_sg and unmap_sg") +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/amd_iommu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c +index e984418ffa2a..e413a4ef3c5c 100644 +--- a/drivers/iommu/amd_iommu.c ++++ b/drivers/iommu/amd_iommu.c +@@ -2617,7 +2617,7 @@ static int map_sg(struct device *dev, struct scatterlist *sglist, + } + + out_free_iova: +- free_iova_fast(&dma_dom->iovad, address, npages); ++ free_iova_fast(&dma_dom->iovad, address >> PAGE_SHIFT, npages); + + out_err: + return 0; +-- +2.19.1 + diff --git a/queue-4.9/iommu-amd-fix-iommu-page-flush-when-detach-device-fr.patch b/queue-4.9/iommu-amd-fix-iommu-page-flush-when-detach-device-fr.patch new file mode 100644 index 00000000000..e3eda1de145 --- /dev/null 
+++ b/queue-4.9/iommu-amd-fix-iommu-page-flush-when-detach-device-fr.patch 
@@ -0,0 +1,81 @@ +From 95b0198cbdeb35821d5b37d71e520baa8f4f4c69 Mon Sep 17 00:00:00 2001 +From: Suravee Suthikulpanit +Date: Thu, 24 Jan 2019 04:16:45 +0000 +Subject: iommu/amd: Fix IOMMU page flush when detach device from a domain + +[ Upstream commit 9825bd94e3a2baae1f4874767ae3a7d4c049720e ] + +When a VM is terminated, the VFIO driver detaches all pass-through +devices from VFIO domain by clearing domain id and page table root +pointer from each device table entry (DTE), and then invalidates +the DTE. Then, the VFIO driver unmap pages and invalidate IOMMU pages. + +Currently, the IOMMU driver keeps track of which IOMMU and how many +devices are attached to the domain. When invalidate IOMMU pages, +the driver checks if the IOMMU is still attached to the domain before +issuing the invalidate page command. + +However, since VFIO has already detached all devices from the domain, +the subsequent INVALIDATE_IOMMU_PAGES commands are being skipped as +there is no IOMMU attached to the domain. This results in data +corruption and could cause the PCI device to end up in indeterministic +state. + +Fix this by invalidate IOMMU pages when detach a device, and +before decrementing the per-domain device reference counts. 
+ +Cc: Boris Ostrovsky +Suggested-by: Joerg Roedel +Co-developed-by: Brijesh Singh +Signed-off-by: Brijesh Singh +Signed-off-by: Suravee Suthikulpanit +Fixes: 6de8ad9b9ee0 ('x86/amd-iommu: Make iommu_flush_pages aware of multiple IOMMUs') +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/amd_iommu.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c +index b182839d36cb..ca22483d253f 100644 +--- a/drivers/iommu/amd_iommu.c ++++ b/drivers/iommu/amd_iommu.c +@@ -1896,6 +1896,7 @@ static void do_attach(struct iommu_dev_data *dev_data, + + static void do_detach(struct iommu_dev_data *dev_data) + { ++ struct protection_domain *domain = dev_data->domain; + struct amd_iommu *iommu; + u16 alias; + +@@ -1911,10 +1912,6 @@ static void do_detach(struct iommu_dev_data *dev_data) + iommu = amd_iommu_rlookup_table[dev_data->devid]; + alias = dev_data->alias; + +- /* decrease reference counters */ +- dev_data->domain->dev_iommu[iommu->index] -= 1; +- dev_data->domain->dev_cnt -= 1; +- + /* Update data structures */ + dev_data->domain = NULL; + list_del(&dev_data->list); +@@ -1924,6 +1921,16 @@ static void do_detach(struct iommu_dev_data *dev_data) + + /* Flush the DTE entry */ + device_flush_dte(dev_data); ++ ++ /* Flush IOTLB */ ++ domain_flush_tlb_pde(domain); ++ ++ /* Wait for the flushes to finish */ ++ domain_flush_complete(domain); ++ ++ /* decrease reference counters - needs to happen after the flushes */ ++ domain->dev_iommu[iommu->index] -= 1; ++ domain->dev_cnt -= 1; + } + + /* +-- +2.19.1 + diff --git a/queue-4.9/iommu-amd-unmap-all-mapped-pages-in-error-path-of-ma.patch b/queue-4.9/iommu-amd-unmap-all-mapped-pages-in-error-path-of-ma.patch new file mode 100644 index 00000000000..cf30ef4b7d2 --- /dev/null +++ b/queue-4.9/iommu-amd-unmap-all-mapped-pages-in-error-path-of-ma.patch 
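Review bot: The ordering comment at the end of `do_detach()` says the counter decrement "needs to happen after the flushes" without saying why, which makes the constraint easy to undo in a later cleanup. Per the commit description the invalidate path skips an IOMMU once it is no longer attached to the domain, so decrementing first would leave stale IOTLB entries behind for a device that has just been detached. I would spell that out, e.g. `/* The flush helpers skip IOMMUs that no longer have a device of this domain attached, so drop the counts only after flushing */`. `domain` is now read from `dev_data->domain` at the declaration, ahead of whatever check sits in the lines between the two hunks; that is fine as long as it is not dereferenced before that check.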
@@ -0,0 +1,40 @@ +From 3bfefd551147bb2699d297702c239a01ef8a8b25 Mon Sep 17 00:00:00 2001 +From: Jerry Snitselaar +Date: Sat, 19 Jan 2019 10:38:05 -0700 +Subject: iommu/amd: Unmap all mapped pages in error path of map_sg + +[ Upstream commit f1724c0883bb0ce93b8dcb94b53dcca3b75ac9a7 ] + +In the error path of map_sg there is an incorrect if condition +for breaking out of the loop that searches the scatterlist +for mapped pages to unmap. Instead of breaking out of the +loop once all the pages that were mapped have been unmapped, +it will break out of the loop after it has unmapped 1 page. +Fix the condition, so it breaks out of the loop only after +all the mapped pages have been unmapped. + +Fixes: 80187fd39dcb ("iommu/amd: Optimize map_sg and unmap_sg") +Cc: Joerg Roedel +Signed-off-by: Jerry Snitselaar +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/amd_iommu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c +index e413a4ef3c5c..b182839d36cb 100644 +--- a/drivers/iommu/amd_iommu.c ++++ b/drivers/iommu/amd_iommu.c +@@ -2611,7 +2611,7 @@ static int map_sg(struct device *dev, struct scatterlist *sglist, + bus_addr = address + s->dma_address + (j << PAGE_SHIFT); + iommu_unmap_page(domain, bus_addr, PAGE_SIZE); + +- if (--mapped_pages) ++ if (--mapped_pages == 0) + goto out_free_iova; + } + } +-- +2.19.1 + diff --git a/queue-4.9/ipvs-fix-signed-integer-overflow-when-setsockopt-tim.patch b/queue-4.9/ipvs-fix-signed-integer-overflow-when-setsockopt-tim.patch new file mode 100644 index 00000000000..115d5e7acbf --- /dev/null +++ b/queue-4.9/ipvs-fix-signed-integer-overflow-when-setsockopt-tim.patch 
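Review bot: The corrected test in the `map_sg()` error path, `if (--mapped_pages == 0)`, still runs only after `iommu_unmap_page()` has been called. If the loop can be entered with `mapped_pages` equal to 0 (a failure on the very first page; the counter's type and initial value are outside the hunk), the decrement steps past zero and the loop walks the whole scatterlist unmapping pages that were never mapped. Testing before the unmap avoids that: `if (mapped_pages-- == 0) goto out_free_iova;` placed ahead of the `iommu_unmap_page()` call. The function starts and ends outside the hunk.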
@@ -0,0 +1,91 @@ +From f8030e10edbc4b577d68ce621d869b40eb4ca8c3 Mon Sep 17 00:00:00 2001 +From: ZhangXiaoxu +Date: Thu, 10 Jan 2019 16:39:06 +0800 +Subject: ipvs: Fix signed integer overflow when setsockopt timeout + +[ Upstream commit 53ab60baa1ac4f20b080a22c13b77b6373922fd7 ] + +There is a UBSAN bug report as below: +UBSAN: Undefined behaviour in net/netfilter/ipvs/ip_vs_ctl.c:2227:21 +signed integer overflow: +-2147483647 * 1000 cannot be represented in type 'int' + +Reproduce program: + #include + #include + #include + + #define IPPROTO_IP 0 + #define IPPROTO_RAW 255 + + #define IP_VS_BASE_CTL (64+1024+64) + #define IP_VS_SO_SET_TIMEOUT (IP_VS_BASE_CTL+10) + + /* The argument to IP_VS_SO_GET_TIMEOUT */ + struct ipvs_timeout_t { + int tcp_timeout; + int tcp_fin_timeout; + int udp_timeout; + }; + + int main() { + int ret = -1; + int sockfd = -1; + struct ipvs_timeout_t to; + + sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW); + if (sockfd == -1) { + printf("socket init error\n"); + return -1; + } + + to.tcp_timeout = -2147483647; + to.tcp_fin_timeout = -2147483647; + to.udp_timeout = -2147483647; + + ret = setsockopt(sockfd, + IPPROTO_IP, + IP_VS_SO_SET_TIMEOUT, + (char *)(&to), + sizeof(to)); + + printf("setsockopt return %d\n", ret); + return ret; + } + +Return -EINVAL if the timeout value is negative or max than 'INT_MAX / HZ'. 
+ +Signed-off-by: ZhangXiaoxu +Acked-by: Simon Horman +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/ipvs/ip_vs_ctl.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c +index 8382b7880b24..8037b25ddb76 100644 +--- a/net/netfilter/ipvs/ip_vs_ctl.c ++++ b/net/netfilter/ipvs/ip_vs_ctl.c +@@ -2258,6 +2258,18 @@ static int ip_vs_set_timeout(struct netns_ipvs *ipvs, struct ip_vs_timeout_user + u->tcp_fin_timeout, + u->udp_timeout); + ++#ifdef CONFIG_IP_VS_PROTO_TCP ++ if (u->tcp_timeout < 0 || u->tcp_timeout > (INT_MAX / HZ) || ++ u->tcp_fin_timeout < 0 || u->tcp_fin_timeout > (INT_MAX / HZ)) { ++ return -EINVAL; ++ } ++#endif ++ ++#ifdef CONFIG_IP_VS_PROTO_UDP ++ if (u->udp_timeout < 0 || u->udp_timeout > (INT_MAX / HZ)) ++ return -EINVAL; ++#endif ++ + #ifdef CONFIG_IP_VS_PROTO_TCP + if (u->tcp_timeout) { + pd = ip_vs_proto_data_get(ipvs, IPPROTO_TCP); +-- +2.19.1 + diff --git a/queue-4.9/irqchip-mmp-only-touch-the-pj4-irq-fiq-bits-on-enabl.patch b/queue-4.9/irqchip-mmp-only-touch-the-pj4-irq-fiq-bits-on-enabl.patch new file mode 100644 index 00000000000..b3429498955 --- /dev/null +++ b/queue-4.9/irqchip-mmp-only-touch-the-pj4-irq-fiq-bits-on-enabl.patch 
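Review bot: The new range checks in `ip_vs_set_timeout()` carry no comment explaining the bound, and `INT_MAX / HZ` is not self-explanatory where it appears. Going by the UBSAN report in the description, the values are later multiplied by HZ, so I would add `/* Timeouts are scaled by HZ below; reject values that would overflow int before any field is applied */` above the first `#ifdef`. The TCP check wraps its single `return -EINVAL;` in braces while the UDP check does not; dropping the braces would make the two match. The function continues outside the hunk.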
@@ -0,0 +1,55 @@ +From fdb8c02014c40396a5fd0d62c07eebe1f50d4849 Mon Sep 17 00:00:00 2001 +From: Lubomir Rintel +Date: Mon, 28 Jan 2019 16:59:35 +0100 +Subject: irqchip/mmp: Only touch the PJ4 IRQ & FIQ bits on enable/disable + +[ Upstream commit 2380a22b60ce6f995eac806e69c66e397b59d045 ] + +Resetting bit 4 disables the interrupt delivery to the "secure +processor" core. This breaks the keyboard on a OLPC XO 1.75 laptop, +where the firmware running on the "secure processor" bit-bangs the +PS/2 protocol over the GPIO lines. + +It is not clear what the rest of the bits are and Marvell was unhelpful +when asked for documentation. Aside from the SP bit, there are probably +priority bits. + +Leaving the unknown bits as the firmware set them up seems to be a wiser +course of action compared to just turning them off. + +Signed-off-by: Lubomir Rintel +Acked-by: Pavel Machek +[maz: fixed-up subject and commit message] +Signed-off-by: Marc Zyngier +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-mmp.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/irqchip/irq-mmp.c b/drivers/irqchip/irq-mmp.c +index 013fc9659a84..2fe2bcb63a71 100644 +--- a/drivers/irqchip/irq-mmp.c ++++ b/drivers/irqchip/irq-mmp.c +@@ -34,6 +34,9 @@ + #define SEL_INT_PENDING (1 << 6) + #define SEL_INT_NUM_MASK 0x3f + ++#define MMP2_ICU_INT_ROUTE_PJ4_IRQ (1 << 5) ++#define MMP2_ICU_INT_ROUTE_PJ4_FIQ (1 << 6) ++ + struct icu_chip_data { + int nr_irqs; + unsigned int virq_base; +@@ -190,7 +193,8 @@ static struct mmp_intc_conf mmp_conf = { + static struct mmp_intc_conf mmp2_conf = { + .conf_enable = 0x20, + .conf_disable = 0x0, +- .conf_mask = 0x7f, ++ .conf_mask = MMP2_ICU_INT_ROUTE_PJ4_IRQ | ++ MMP2_ICU_INT_ROUTE_PJ4_FIQ, + }; + + static void __exception_irq_entry mmp_handle_irq(struct pt_regs *regs) +-- +2.19.1 + 
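Review bot: `mmp2_conf` now mixes a named mask with a raw value: `.conf_enable = 0x20` is the same bit as the new `MMP2_ICU_INT_ROUTE_PJ4_IRQ` (`1 << 5`). Writing `.conf_enable = MMP2_ICU_INT_ROUTE_PJ4_IRQ,` would make it visible that enabling routes the interrupt to the PJ4 IRQ line only and that the enable value lies inside `conf_mask`. A one-line comment on `conf_mask` noting that the remaining bits, including the secure-processor one named in the description, are deliberately left as firmware set them would keep a later cleanup from widening the mask again.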
diff --git a/queue-4.9/mips-loongson-introduce-and-use-loongson_llsc_mb.patch b/queue-4.9/mips-loongson-introduce-and-use-loongson_llsc_mb.patch
new file mode 100644
index 00000000000..533e2d51f70
--- /dev/null
+++ b/queue-4.9/mips-loongson-introduce-and-use-loongson_llsc_mb.patch
@@ -0,0 +1,393 @@ +From f5b8eab7b576bfe14eaee9db154c48cd56a2b046 Mon Sep 17 00:00:00 2001 +From: Huacai Chen +Date: Tue, 15 Jan 2019 16:04:54 +0800 +Subject: MIPS: Loongson: Introduce and use loongson_llsc_mb() + +[ Upstream commit e02e07e3127d8aec1f4bcdfb2fc52a2d99b4859e ] + +On the Loongson-2G/2H/3A/3B there is a hardware flaw that ll/sc and +lld/scd is very weak ordering. We should add sync instructions "before +each ll/lld" and "at the branch-target between ll/sc" to workaround. +Otherwise, this flaw will cause deadlock occasionally (e.g. when doing +heavy load test with LTP). + +Below is the explaination of CPU designer: + +"For Loongson 3 family, when a memory access instruction (load, store, +or prefetch)'s executing occurs between the execution of LL and SC, the +success or failure of SC is not predictable. Although programmer would +not insert memory access instructions between LL and SC, the memory +instructions before LL in program-order, may dynamically executed +between the execution of LL/SC, so a memory fence (SYNC) is needed +before LL/LLD to avoid this situation. + +Since Loongson-3A R2 (3A2000), we have improved our hardware design to +handle this case. But we later deduce a rarely circumstance that some +speculatively executed memory instructions due to branch misprediction +between LL/SC still fall into the above case, so a memory fence (SYNC) +at branch-target (if its target is not between LL/SC) is needed for +Loongson 3A1000, 3B1500, 3A2000 and 3A3000. + +Our processor is continually evolving and we aim to to remove all these +workaround-SYNCs around LL/SC for new-come processor." + +Here is an example: + +Both cpu1 and cpu2 simutaneously run atomic_add by 1 on same atomic var, +this bug cause both 'sc' run by two cpus (in atomic_add) succeed at same +time('sc' return 1), and the variable is only *added by 1*, sometimes, +which is wrong and unacceptable(it should be added by 2). + +Why disable fix-loongson3-llsc in compiler? 
+Because compiler fix will cause problems in kernel's __ex_table section. + +This patch fix all the cases in kernel, but: + ++. the fix at the end of futex_atomic_cmpxchg_inatomic is for branch-target +of 'bne', there other cases which smp_mb__before_llsc() and smp_llsc_mb() fix +the ll and branch-target coincidently such as atomic_sub_if_positive/ +cmpxchg/xchg, just like this one. + ++. Loongson 3 does support CONFIG_EDAC_ATOMIC_SCRUB, so no need to touch +edac.h + ++. local_ops and cmpxchg_local should not be affected by this bug since +only the owner can write. + ++. mips_atomic_set for syscall.c is deprecated and rarely used, just let +it go + +Signed-off-by: Huacai Chen +Signed-off-by: Huang Pei +[paul.burton@mips.com: + - Simplify the addition of -mno-fix-loongson3-llsc to cflags, and add + a comment describing why it's there. + - Make loongson_llsc_mb() a no-op when + CONFIG_CPU_LOONGSON3_WORKAROUNDS=n, rather than a compiler memory + barrier. + - Add a comment describing the bug & how loongson_llsc_mb() helps + in asm/barrier.h.] +Signed-off-by: Paul Burton +Cc: Ralf Baechle +Cc: ambrosehua@gmail.com +Cc: Steven J . Hill +Cc: linux-mips@linux-mips.org +Cc: Fuxin Zhang +Cc: Zhangjin Wu +Cc: Li Xuefeng +Cc: Xu Chenghua +Signed-off-by: Sasha Levin +--- + arch/mips/Kconfig | 15 ++++++++++++++ + arch/mips/include/asm/atomic.h | 6 ++++++ + arch/mips/include/asm/barrier.h | 36 +++++++++++++++++++++++++++++++++ + arch/mips/include/asm/bitops.h | 5 +++++ + arch/mips/include/asm/futex.h | 3 +++ + arch/mips/include/asm/pgtable.h | 2 ++ + arch/mips/loongson64/Platform | 23 +++++++++++++++++++++ + arch/mips/mm/tlbex.c | 10 +++++++++ + 8 files changed, 100 insertions(+) + +diff --git a/arch/mips/Kconfig b/arch/mips/Kconfig +index bb9940c6927e..47662626a375 100644 +--- a/arch/mips/Kconfig ++++ b/arch/mips/Kconfig +@@ -1396,6 +1396,21 @@ config LOONGSON3_ENHANCEMENT + please say 'N' here. 
If you want a high-performance kernel to run on + new Loongson 3 machines only, please say 'Y' here. + ++config CPU_LOONGSON3_WORKAROUNDS ++ bool "Old Loongson 3 LLSC Workarounds" ++ default y if SMP ++ depends on CPU_LOONGSON3 ++ help ++ Loongson 3 processors have the llsc issues which require workarounds. ++ Without workarounds the system may hang unexpectedly. ++ ++ Newer Loongson 3 will fix these issues and no workarounds are needed. ++ The workarounds have no significant side effect on them but may ++ decrease the performance of the system so this option should be ++ disabled unless the kernel is intended to be run on old systems. ++ ++ If unsure, please say Y. ++ + config CPU_LOONGSON2E + bool "Loongson 2E" + depends on SYS_HAS_CPU_LOONGSON2E +diff --git a/arch/mips/include/asm/atomic.h b/arch/mips/include/asm/atomic.h +index 0ab176bdb8e8..8ee17565bc78 100644 +--- a/arch/mips/include/asm/atomic.h ++++ b/arch/mips/include/asm/atomic.h +@@ -47,6 +47,7 @@ static __inline__ void atomic_##op(int i, atomic_t * v) \ + if (kernel_uses_llsc && R10000_LLSC_WAR) { \ + int temp; \ + \ ++ loongson_llsc_mb(); \ + __asm__ __volatile__( \ + " .set arch=r4000 \n" \ + "1: ll %0, %1 # atomic_" #op " \n" \ +@@ -86,6 +87,7 @@ static __inline__ int atomic_##op##_return_relaxed(int i, atomic_t * v) \ + if (kernel_uses_llsc && R10000_LLSC_WAR) { \ + int temp; \ + \ ++ loongson_llsc_mb(); \ + __asm__ __volatile__( \ + " .set arch=r4000 \n" \ + "1: ll %1, %2 # atomic_" #op "_return \n" \ +@@ -134,6 +136,7 @@ static __inline__ int atomic_fetch_##op##_relaxed(int i, atomic_t * v) \ + if (kernel_uses_llsc && R10000_LLSC_WAR) { \ + int temp; \ + \ ++ loongson_llsc_mb(); \ + __asm__ __volatile__( \ + " .set arch=r4000 \n" \ + "1: ll %1, %2 # atomic_fetch_" #op " \n" \ +@@ -389,6 +392,7 @@ static __inline__ void atomic64_##op(long i, atomic64_t * v) \ + if (kernel_uses_llsc && R10000_LLSC_WAR) { \ + long temp; \ + \ ++ loongson_llsc_mb(); \ + __asm__ __volatile__( \ + " .set arch=r4000 \n" 
\ + "1: lld %0, %1 # atomic64_" #op " \n" \ +@@ -428,6 +432,7 @@ static __inline__ long atomic64_##op##_return_relaxed(long i, atomic64_t * v) \ + if (kernel_uses_llsc && R10000_LLSC_WAR) { \ + long temp; \ + \ ++ loongson_llsc_mb(); \ + __asm__ __volatile__( \ + " .set arch=r4000 \n" \ + "1: lld %1, %2 # atomic64_" #op "_return\n" \ +@@ -477,6 +482,7 @@ static __inline__ long atomic64_fetch_##op##_relaxed(long i, atomic64_t * v) \ + if (kernel_uses_llsc && R10000_LLSC_WAR) { \ + long temp; \ + \ ++ loongson_llsc_mb(); \ + __asm__ __volatile__( \ + " .set arch=r4000 \n" \ + "1: lld %1, %2 # atomic64_fetch_" #op "\n" \ +diff --git a/arch/mips/include/asm/barrier.h b/arch/mips/include/asm/barrier.h +index a5eb1bb199a7..b7f6ac5e513c 100644 +--- a/arch/mips/include/asm/barrier.h ++++ b/arch/mips/include/asm/barrier.h +@@ -222,6 +222,42 @@ + #define __smp_mb__before_atomic() __smp_mb__before_llsc() + #define __smp_mb__after_atomic() smp_llsc_mb() + ++/* ++ * Some Loongson 3 CPUs have a bug wherein execution of a memory access (load, ++ * store or pref) in between an ll & sc can cause the sc instruction to ++ * erroneously succeed, breaking atomicity. Whilst it's unusual to write code ++ * containing such sequences, this bug bites harder than we might otherwise ++ * expect due to reordering & speculation: ++ * ++ * 1) A memory access appearing prior to the ll in program order may actually ++ * be executed after the ll - this is the reordering case. ++ * ++ * In order to avoid this we need to place a memory barrier (ie. a sync ++ * instruction) prior to every ll instruction, in between it & any earlier ++ * memory access instructions. Many of these cases are already covered by ++ * smp_mb__before_llsc() but for the remaining cases, typically ones in ++ * which multiple CPUs may operate on a memory location but ordering is not ++ * usually guaranteed, we use loongson_llsc_mb() below. ++ * ++ * This reordering case is fixed by 3A R2 CPUs, ie. 3A2000 models and later. 
++ * ++ * 2) If a conditional branch exists between an ll & sc with a target outside ++ * of the ll-sc loop, for example an exit upon value mismatch in cmpxchg() ++ * or similar, then misprediction of the branch may allow speculative ++ * execution of memory accesses from outside of the ll-sc loop. ++ * ++ * In order to avoid this we need a memory barrier (ie. a sync instruction) ++ * at each affected branch target, for which we also use loongson_llsc_mb() ++ * defined below. ++ * ++ * This case affects all current Loongson 3 CPUs. ++ */ ++#ifdef CONFIG_CPU_LOONGSON3_WORKAROUNDS /* Loongson-3's LLSC workaround */ ++#define loongson_llsc_mb() __asm__ __volatile__(__WEAK_LLSC_MB : : :"memory") ++#else ++#define loongson_llsc_mb() do { } while (0) ++#endif ++ + #include + + #endif /* __ASM_BARRIER_H */ +diff --git a/arch/mips/include/asm/bitops.h b/arch/mips/include/asm/bitops.h +index fa57cef12a46..38a162d11b7b 100644 +--- a/arch/mips/include/asm/bitops.h ++++ b/arch/mips/include/asm/bitops.h +@@ -68,6 +68,7 @@ static inline void set_bit(unsigned long nr, volatile unsigned long *addr) + : "ir" (1UL << bit), GCC_OFF_SMALL_ASM() (*m)); + #if defined(CONFIG_CPU_MIPSR2) || defined(CONFIG_CPU_MIPSR6) + } else if (kernel_uses_llsc && __builtin_constant_p(bit)) { ++ loongson_llsc_mb(); + do { + __asm__ __volatile__( + " " __LL "%0, %1 # set_bit \n" +@@ -78,6 +79,7 @@ static inline void set_bit(unsigned long nr, volatile unsigned long *addr) + } while (unlikely(!temp)); + #endif /* CONFIG_CPU_MIPSR2 || CONFIG_CPU_MIPSR6 */ + } else if (kernel_uses_llsc) { ++ loongson_llsc_mb(); + do { + __asm__ __volatile__( + " .set "MIPS_ISA_ARCH_LEVEL" \n" +@@ -120,6 +122,7 @@ static inline void clear_bit(unsigned long nr, volatile unsigned long *addr) + : "ir" (~(1UL << bit))); + #if defined(CONFIG_CPU_MIPSR2) || defined(CONFIG_CPU_MIPSR6) + } else if (kernel_uses_llsc && __builtin_constant_p(bit)) { ++ loongson_llsc_mb(); + do { + __asm__ __volatile__( + " " __LL "%0, %1 # clear_bit \n" 
+@@ -130,6 +133,7 @@ static inline void clear_bit(unsigned long nr, volatile unsigned long *addr) + } while (unlikely(!temp)); + #endif /* CONFIG_CPU_MIPSR2 || CONFIG_CPU_MIPSR6 */ + } else if (kernel_uses_llsc) { ++ loongson_llsc_mb(); + do { + __asm__ __volatile__( + " .set "MIPS_ISA_ARCH_LEVEL" \n" +@@ -188,6 +192,7 @@ static inline void change_bit(unsigned long nr, volatile unsigned long *addr) + unsigned long *m = ((unsigned long *) addr) + (nr >> SZLONG_LOG); + unsigned long temp; + ++ loongson_llsc_mb(); + do { + __asm__ __volatile__( + " .set "MIPS_ISA_ARCH_LEVEL" \n" +diff --git a/arch/mips/include/asm/futex.h b/arch/mips/include/asm/futex.h +index a9e61ea54ca9..0a62a91b592d 100644 +--- a/arch/mips/include/asm/futex.h ++++ b/arch/mips/include/asm/futex.h +@@ -50,6 +50,7 @@ + "i" (-EFAULT) \ + : "memory"); \ + } else if (cpu_has_llsc) { \ ++ loongson_llsc_mb(); \ + __asm__ __volatile__( \ + " .set push \n" \ + " .set noat \n" \ +@@ -162,6 +163,7 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr, + "i" (-EFAULT) + : "memory"); + } else if (cpu_has_llsc) { ++ loongson_llsc_mb(); + __asm__ __volatile__( + "# futex_atomic_cmpxchg_inatomic \n" + " .set push \n" +@@ -190,6 +192,7 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr, + : GCC_OFF_SMALL_ASM() (*uaddr), "Jr" (oldval), "Jr" (newval), + "i" (-EFAULT) + : "memory"); ++ loongson_llsc_mb(); + } else + return -ENOSYS; + +diff --git a/arch/mips/include/asm/pgtable.h b/arch/mips/include/asm/pgtable.h +index 9e9e94415d08..aab7b382a062 100644 +--- a/arch/mips/include/asm/pgtable.h ++++ b/arch/mips/include/asm/pgtable.h +@@ -229,6 +229,7 @@ static inline void set_pte(pte_t *ptep, pte_t pteval) + : [buddy] "+m" (buddy->pte), [tmp] "=&r" (tmp) + : [global] "r" (page_global)); + } else if (kernel_uses_llsc) { ++ loongson_llsc_mb(); + __asm__ __volatile__ ( + " .set "MIPS_ISA_ARCH_LEVEL" \n" + " .set push \n" +@@ -244,6 +245,7 @@ static inline void set_pte(pte_t *ptep, pte_t pteval) + " .set 
mips0 \n" + : [buddy] "+m" (buddy->pte), [tmp] "=&r" (tmp) + : [global] "r" (page_global)); ++ loongson_llsc_mb(); + } + #else /* !CONFIG_SMP */ + if (pte_none(*buddy)) +diff --git a/arch/mips/loongson64/Platform b/arch/mips/loongson64/Platform +index 0fce4608aa88..c1a4d4dc4665 100644 +--- a/arch/mips/loongson64/Platform ++++ b/arch/mips/loongson64/Platform +@@ -23,6 +23,29 @@ ifdef CONFIG_CPU_LOONGSON2F_WORKAROUNDS + endif + + cflags-$(CONFIG_CPU_LOONGSON3) += -Wa,--trap ++ ++# ++# Some versions of binutils, not currently mainline as of 2019/02/04, support ++# an -mfix-loongson3-llsc flag which emits a sync prior to each ll instruction ++# to work around a CPU bug (see loongson_llsc_mb() in asm/barrier.h for a ++# description). ++# ++# We disable this in order to prevent the assembler meddling with the ++# instruction that labels refer to, ie. if we label an ll instruction: ++# ++# 1: ll v0, 0(a0) ++# ++# ...then with the assembler fix applied the label may actually point at a sync ++# instruction inserted by the assembler, and if we were using the label in an ++# exception table the table would no longer contain the address of the ll ++# instruction. ++# ++# Avoid this by explicitly disabling that assembler behaviour. If upstream ++# binutils does not merge support for the flag then we can revisit & remove ++# this later - for now it ensures vendor toolchains don't cause problems. ++# ++cflags-$(CONFIG_CPU_LOONGSON3) += $(call as-option,-Wa$(comma)-mno-fix-loongson3-llsc,) ++ + # + # binutils from v2.25 on and gcc starting from v4.9.0 treat -march=loongson3a + # as MIPS64 R2; older versions as just R1. This leaves the possibility open +diff --git a/arch/mips/mm/tlbex.c b/arch/mips/mm/tlbex.c +index 2da5649fc545..0026c7735134 100644 +--- a/arch/mips/mm/tlbex.c ++++ b/arch/mips/mm/tlbex.c +@@ -931,6 +931,8 @@ build_get_pgd_vmalloc64(u32 **p, struct uasm_label **l, struct uasm_reloc **r, + * to mimic that here by taking a load/istream page + * fault. 
+ */ ++ if (IS_ENABLED(CONFIG_CPU_LOONGSON3_WORKAROUNDS)) ++ uasm_i_sync(p, 0); + UASM_i_LA(p, ptr, (unsigned long)tlb_do_page_fault_0); + uasm_i_jr(p, ptr); + +@@ -1637,6 +1639,8 @@ static void + iPTE_LW(u32 **p, unsigned int pte, unsigned int ptr) + { + #ifdef CONFIG_SMP ++ if (IS_ENABLED(CONFIG_CPU_LOONGSON3_WORKAROUNDS)) ++ uasm_i_sync(p, 0); + # ifdef CONFIG_PHYS_ADDR_T_64BIT + if (cpu_has_64bits) + uasm_i_lld(p, pte, 0, ptr); +@@ -2218,6 +2222,8 @@ static void build_r4000_tlb_load_handler(void) + #endif + + uasm_l_nopage_tlbl(&l, p); ++ if (IS_ENABLED(CONFIG_CPU_LOONGSON3_WORKAROUNDS)) ++ uasm_i_sync(&p, 0); + build_restore_work_registers(&p); + #ifdef CONFIG_CPU_MICROMIPS + if ((unsigned long)tlb_do_page_fault_0 & 1) { +@@ -2273,6 +2279,8 @@ static void build_r4000_tlb_store_handler(void) + #endif + + uasm_l_nopage_tlbs(&l, p); ++ if (IS_ENABLED(CONFIG_CPU_LOONGSON3_WORKAROUNDS)) ++ uasm_i_sync(&p, 0); + build_restore_work_registers(&p); + #ifdef CONFIG_CPU_MICROMIPS + if ((unsigned long)tlb_do_page_fault_1 & 1) { +@@ -2329,6 +2337,8 @@ static void build_r4000_tlb_modify_handler(void) + #endif + + uasm_l_nopage_tlbm(&l, p); ++ if (IS_ENABLED(CONFIG_CPU_LOONGSON3_WORKAROUNDS)) ++ uasm_i_sync(&p, 0); + build_restore_work_registers(&p); + #ifdef CONFIG_CPU_MICROMIPS + if ((unsigned long)tlb_do_page_fault_1 & 1) { +-- +2.19.1 + diff --git a/queue-4.9/mips-remove-function-size-check-in-get_frame_info.patch b/queue-4.9/mips-remove-function-size-check-in-get_frame_info.patch new file mode 100644 index 00000000000..f13aedcd718 --- /dev/null +++ b/queue-4.9/mips-remove-function-size-check-in-get_frame_info.patch 
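Review bot: In `arch/mips/include/asm/atomic.h` all six added `loongson_llsc_mb()` calls sit inside the `if (kernel_uses_llsc && R10000_LLSC_WAR)` branch (the context lines show that condition and the `.set arch=r4000` sequence), whereas in `bitops.h` the barrier goes into the plain `else if (kernel_uses_llsc)` branches. If `R10000_LLSC_WAR` is not set for Loongson 3 builds, which I would expect but cannot see here, the atomic and atomic64 ll/sc sequences that actually run on those CPUs get no barrier and the erratum stays open for them. The `loongson_llsc_mb();` line probably belongs in the non-R10000 `kernel_uses_llsc` branch of each macro, assuming this tree has one as `bitops.h` does; that branch lies outside these hunks. This looks like a context mismatch introduced by the backport, so it is worth comparing against the upstream commit before queuing.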
@@ -0,0 +1,64 @@ +From 0e726c284bdd1d9b69c854d1c86102b1c2a1b617 Mon Sep 17 00:00:00 2001 +From: Jun-Ru Chang +Date: Tue, 29 Jan 2019 11:56:07 +0800 +Subject: MIPS: Remove function size check in get_frame_info() + +[ Upstream commit 2b424cfc69728224fcb5fad138ea7260728e0901 ] + +Patch (b6c7a324df37b "MIPS: Fix get_frame_info() handling of +microMIPS function size.") introduces additional function size +check for microMIPS by only checking insn between ip and ip + func_size. +However, func_size in get_frame_info() is always 0 if KALLSYMS is not +enabled. This causes get_frame_info() to return immediately without +calculating correct frame_size, which in turn causes "Can't analyze +schedule() prologue" warning messages at boot time. + +This patch removes func_size check, and let the frame_size check run +up to 128 insns for both MIPS and microMIPS. + +Signed-off-by: Jun-Ru Chang +Signed-off-by: Tony Wu +Signed-off-by: Paul Burton +Fixes: b6c7a324df37b ("MIPS: Fix get_frame_info() handling of microMIPS function size.") +Cc: +Cc: +Cc: +Cc: +Cc: +Cc: +Cc: +Cc: +Signed-off-by: Sasha Levin +--- + arch/mips/kernel/process.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c +index 1cc133e7026f..fffd031dc6b6 100644 +--- a/arch/mips/kernel/process.c ++++ b/arch/mips/kernel/process.c +@@ -344,7 +344,7 @@ static inline int is_sp_move_ins(union mips_instruction *ip) + static int get_frame_info(struct mips_frame_info *info) + { + bool is_mmips = IS_ENABLED(CONFIG_CPU_MICROMIPS); +- union mips_instruction insn, *ip, *ip_end; ++ union mips_instruction insn, *ip; + const unsigned int max_insns = 128; + unsigned int last_insn_size = 0; + unsigned int i; +@@ -356,10 +356,9 @@ static int get_frame_info(struct mips_frame_info *info) + if (!ip) + goto err; + +- ip_end = (void *)ip + info->func_size; +- +- for (i = 0; i < max_insns && ip < ip_end; i++) { ++ for (i = 0; i < max_insns; i++) { + ip = (void *)ip 
+ last_insn_size; ++ + if (is_mmips && mm_insn_16bit(ip->halfword[0])) { + insn.halfword[0] = 0; + insn.halfword[1] = ip->halfword[0]; +-- +2.19.1 + diff --git a/queue-4.9/mm-memory_hotplug-is_mem_section_removable-do-not-pa.patch b/queue-4.9/mm-memory_hotplug-is_mem_section_removable-do-not-pa.patch new file mode 100644 index 00000000000..66724efeb30 --- /dev/null +++ b/queue-4.9/mm-memory_hotplug-is_mem_section_removable-do-not-pa.patch 
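Review bot: With `ip_end` gone, the loop in get_frame_info() always decodes up to `max_insns` (128) instructions, even when `info->func_size` is known and the function is shorter. The scan can then run into whatever follows the function and pick up a stack adjustment that belongs to other code. The commit message only describes func_size being 0 without KALLSYMS; keeping the bound when it is non-zero would cover both cases, e.g. `ip_end = info->func_size ? (void *)ip + info->func_size : NULL;` with `for (i = 0; i < max_insns && (!ip_end || ip < ip_end); i++) {`. The loop body continues outside the hunk, so whether an earlier exit already prevents this cannot be confirmed from here.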
@@ -0,0 +1,90 @@
+From fb201897058d8c1dd742cf0e310def07dfca039c Mon Sep 17 00:00:00 2001
+From: Michal Hocko
+Date: Fri, 1 Feb 2019 14:20:34 -0800
+Subject: mm, memory_hotplug: is_mem_section_removable do not pass the end of a
+ zone
+
+[ Upstream commit efad4e475c312456edb3c789d0996d12ed744c13 ]
+
+Patch series "mm, memory_hotplug: fix uninitialized pages fallouts", v2.
+
+Mikhail Zaslonko has posted fixes for the two bugs quite some time ago
+[1]. I have pushed back on those fixes because I believed that it is
+much better to plug the problem at the initialization time rather than
+play whack-a-mole all over the hotplug code and find all the places
+which expect the full memory section to be initialized.
+
+We have ended up with commit 2830bf6f05fb ("mm, memory_hotplug:
+initialize struct pages for the full memory section") merged and cause a
+regression [2][3]. The reason is that there might be memory layouts
+when two NUMA nodes share the same memory section so the merged fix is
+simply incorrect.
+
+In order to plug this hole we really have to be zone range aware in
+those handlers. I have split up the original patch into two. One is
+unchanged (patch 2) and I took a different approach for `removable'
+crash.
+
+[1] http://lkml.kernel.org/r/20181105150401.97287-2-zaslonko@linux.ibm.com
+[2] https://bugzilla.redhat.com/show_bug.cgi?id=1666948
+[3] http://lkml.kernel.org/r/20190125163938.GA20411@dhcp22.suse.cz
+
+This patch (of 2):
+
+Mikhail has reported the following VM_BUG_ON triggered when reading sysfs
+removable state of a memory block:
+
+ page:000003d08300c000 is uninitialized and poisoned
+ page dumped because: VM_BUG_ON_PAGE(PagePoisoned(p))
+ Call Trace:
+ is_mem_section_removable+0xb4/0x190
+ show_mem_removable+0x9a/0xd8
+ dev_attr_show+0x34/0x70
+ sysfs_kf_seq_show+0xc8/0x148
+ seq_read+0x204/0x480
+ __vfs_read+0x32/0x178
+ vfs_read+0x82/0x138
+ ksys_read+0x5a/0xb0
+ system_call+0xdc/0x2d8
+ Last Breaking-Event-Address:
+ is_mem_section_removable+0xb4/0x190
+ Kernel panic - not syncing: Fatal exception: panic_on_oops
+
+The reason is that the memory block spans the zone boundary and we are
+stumbling over an unitialized struct page. Fix this by enforcing zone
+range in is_mem_section_removable so that we never run away from a zone.
+ +Link: http://lkml.kernel.org/r/20190128144506.15603-2-mhocko@kernel.org +Signed-off-by: Michal Hocko +Reported-by: Mikhail Zaslonko +Debugged-by: Mikhail Zaslonko +Tested-by: Gerald Schaefer +Tested-by: Mikhail Gavrilov +Reviewed-by: Oscar Salvador +Cc: Pavel Tatashin +Cc: Heiko Carstens +Cc: Martin Schwidefsky +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/memory_hotplug.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/mm/memory_hotplug.c b/mm/memory_hotplug.c +index e4c271298074..a03a401f11b6 100644 +--- a/mm/memory_hotplug.c ++++ b/mm/memory_hotplug.c +@@ -1471,7 +1471,8 @@ static struct page *next_active_pageblock(struct page *page) + bool is_mem_section_removable(unsigned long start_pfn, unsigned long nr_pages) + { + struct page *page = pfn_to_page(start_pfn); +- struct page *end_page = page + nr_pages; ++ unsigned long end_pfn = min(start_pfn + nr_pages, zone_end_pfn(page_zone(page))); ++ struct page *end_page = pfn_to_page(end_pfn); + + /* Check the starting page of each pageblock within the range */ + for (; page < end_page; page = next_active_pageblock(page)) { +-- +2.19.1 + diff --git a/queue-4.9/mm-memory_hotplug-test_pages_in_a_zone-do-not-pass-t.patch b/queue-4.9/mm-memory_hotplug-test_pages_in_a_zone-do-not-pass-t.patch new file mode 100644 index 00000000000..b52dff6a5a8 --- /dev/null +++ b/queue-4.9/mm-memory_hotplug-test_pages_in_a_zone-do-not-pass-t.patch 
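Review bot: `page_zone(page)` is now evaluated on the struct page for `start_pfn` before any validity check, and `pfn_to_page(end_pfn)` is computed for a pfn that may be one past the end of the zone. If the first page of the block can itself be uninitialized, the clamp would read the same kind of poisoned struct page that the patch is meant to avoid. On configurations where the memmap is not virtually contiguous, the `page < end_page` comparison across a section boundary may also not be meaningful; this is inferred, not shown by the hunk. Iterating by pfn and converting inside the loop would avoid both, and at minimum a comment above the `min()` line such as `/* start_pfn is assumed to be an initialized page of the zone being checked */` would record the precondition. The loop body continues outside the hunk.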
@@ -0,0 +1,73 @@
+From f6c280bc09a58c9c08e0490a54aa4982f4ad277a Mon Sep 17 00:00:00 2001
+From: Mikhail Zaslonko
+Date: Fri, 1 Feb 2019 14:20:38 -0800
+Subject: mm, memory_hotplug: test_pages_in_a_zone do not pass the end of zone
+
+[ Upstream commit 24feb47c5fa5b825efb0151f28906dfdad027e61 ]
+
+If memory end is not aligned with the sparse memory section boundary,
+the mapping of such a section is only partly initialized. This may lead
+to VM_BUG_ON due to uninitialized struct pages access from
+test_pages_in_a_zone() function triggered by memory_hotplug sysfs
+handlers.
+
+Here are the the panic examples:
+ CONFIG_DEBUG_VM_PGFLAGS=y
+ kernel parameter mem=2050M
+ --------------------------
+ page:000003d082008000 is uninitialized and poisoned
+ page dumped because: VM_BUG_ON_PAGE(PagePoisoned(p))
+ Call Trace:
+ test_pages_in_a_zone+0xde/0x160
+ show_valid_zones+0x5c/0x190
+ dev_attr_show+0x34/0x70
+ sysfs_kf_seq_show+0xc8/0x148
+ seq_read+0x204/0x480
+ __vfs_read+0x32/0x178
+ vfs_read+0x82/0x138
+ ksys_read+0x5a/0xb0
+ system_call+0xdc/0x2d8
+ Last Breaking-Event-Address:
+ test_pages_in_a_zone+0xde/0x160
+ Kernel panic - not syncing: Fatal exception: panic_on_oops
+
+Fix this by checking whether the pfn to check is within the zone.
+ +[mhocko@suse.com: separated this change from http://lkml.kernel.org/r/20181105150401.97287-2-zaslonko@linux.ibm.com] +Link: http://lkml.kernel.org/r/20190128144506.15603-3-mhocko@kernel.org + +[mhocko@suse.com: separated this change from +http://lkml.kernel.org/r/20181105150401.97287-2-zaslonko@linux.ibm.com] +Signed-off-by: Michal Hocko +Signed-off-by: Mikhail Zaslonko +Tested-by: Mikhail Gavrilov +Reviewed-by: Oscar Salvador +Tested-by: Gerald Schaefer +Cc: Heiko Carstens +Cc: Martin Schwidefsky +Cc: Mikhail Gavrilov +Cc: Pavel Tatashin +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/memory_hotplug.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/mm/memory_hotplug.c b/mm/memory_hotplug.c +index a03a401f11b6..b4c8d7b9ab82 100644 +--- a/mm/memory_hotplug.c ++++ b/mm/memory_hotplug.c +@@ -1512,6 +1512,9 @@ int test_pages_in_a_zone(unsigned long start_pfn, unsigned long end_pfn, + i++; + if (i == MAX_ORDER_NR_PAGES || pfn + i >= end_pfn) + continue; ++ /* Check if we got outside of the zone */ ++ if (zone && !zone_spans_pfn(zone, pfn + i)) ++ return 0; + page = pfn_to_page(pfn + i); + if (zone && page_zone(page) != zone) + return 0; +-- +2.19.1 + diff --git a/queue-4.9/net-altera_tse-fix-msgdma_tx_completion-on-non-zero-.patch b/queue-4.9/net-altera_tse-fix-msgdma_tx_completion-on-non-zero-.patch new file mode 100644 index 00000000000..3248ab6edb3 --- /dev/null +++ b/queue-4.9/net-altera_tse-fix-msgdma_tx_completion-on-non-zero-.patch 
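Review bot: The new `zone_spans_pfn()` test only runs once `zone` is non-NULL, so the first pfn examined in test_pages_in_a_zone() still reaches `pfn_to_page(pfn + i)` with no range check. That is presumably fine because the first valid page defines the zone, but the hunk does not say so, and the added comment only restates the condition. I would reword it to something like `/* zone comes from the first valid page; any later pfn outside it may have an uninitialized struct page */`. The function body starts and ends outside the hunk, so where `zone` is first assigned is not visible here.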
@@ -0,0 +1,40 @@ +From cc6226dd773083288be31039503ee739b9517037 Mon Sep 17 00:00:00 2001 +From: Tomonori Sakita +Date: Fri, 25 Jan 2019 11:02:22 +0900 +Subject: net: altera_tse: fix msgdma_tx_completion on non-zero fill_level case + +[ Upstream commit 6571ebce112a21ec9be68ef2f53b96fcd41fd81b ] + +If fill_level was not zero and status was not BUSY, +result of "tx_prod - tx_cons - inuse" might be zero. +Subtracting 1 unconditionally results invalid negative return value +on this case. +Make sure not to return an negative value. + +Signed-off-by: Tomonori Sakita +Signed-off-by: Atsushi Nemoto +Reviewed-by: Dalon L Westergreen +Acked-by: Thor Thayer +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/altera/altera_msgdma.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/altera/altera_msgdma.c b/drivers/net/ethernet/altera/altera_msgdma.c +index 0fb986ba3290..0ae723f75341 100644 +--- a/drivers/net/ethernet/altera/altera_msgdma.c ++++ b/drivers/net/ethernet/altera/altera_msgdma.c +@@ -145,7 +145,8 @@ u32 msgdma_tx_completions(struct altera_tse_private *priv) + & 0xffff; + + if (inuse) { /* Tx FIFO is not empty */ +- ready = priv->tx_prod - priv->tx_cons - inuse - 1; ++ ready = max_t(int, ++ priv->tx_prod - priv->tx_cons - inuse - 1, 0); + } else { + /* Check for buffered last packet */ + status = csrrd32(priv->tx_dma_csr, msgdma_csroffs(status)); +-- +2.19.1 + diff --git a/queue-4.9/net-hns-fix-for-missing-of_node_put-after-of_parse_p.patch b/queue-4.9/net-hns-fix-for-missing-of_node_put-after-of_parse_p.patch new file mode 100644 index 00000000000..17293d7edfd --- /dev/null +++ b/queue-4.9/net-hns-fix-for-missing-of_node_put-after-of_parse_p.patch 
@@ -0,0 +1,51 @@ +From f6e667fca06fed9880c469aa0200a309be87820d Mon Sep 17 00:00:00 2001 +From: Yonglong Liu +Date: Sat, 26 Jan 2019 17:18:25 +0800 +Subject: net: hns: Fix for missing of_node_put() after of_parse_phandle() + +[ Upstream commit 263c6d75f9a544a3c2f8f6a26de4f4808d8f59cf ] + +In hns enet driver, we use of_parse_handle() to get hold of the +device node related to "ae-handle" but we have missed to put +the node reference using of_node_put() after we are done using +the node. This patch fixes it. + +Note: +This problem is stated in Link: https://lkml.org/lkml/2018/12/22/217 + +Fixes: 48189d6aaf1e ("net: hns: enet specifies a reference to dsaf") +Reported-by: Alexey Khoroshilov +Signed-off-by: Yonglong Liu +Signed-off-by: Peng Li +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns/hns_enet.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/ethernet/hisilicon/hns/hns_enet.c b/drivers/net/ethernet/hisilicon/hns/hns_enet.c +index a2f7d0834071..ad8681cf5ef0 100644 +--- a/drivers/net/ethernet/hisilicon/hns/hns_enet.c ++++ b/drivers/net/ethernet/hisilicon/hns/hns_enet.c +@@ -2078,6 +2078,8 @@ static int hns_nic_dev_probe(struct platform_device *pdev) + out_notify_fail: + (void)cancel_work_sync(&priv->service_task); + out_read_prop_fail: ++ /* safe for ACPI FW */ ++ of_node_put(to_of_node(priv->fwnode)); + free_netdev(ndev); + return ret; + } +@@ -2107,6 +2109,9 @@ static int hns_nic_dev_remove(struct platform_device *pdev) + set_bit(NIC_STATE_REMOVING, &priv->state); + (void)cancel_work_sync(&priv->service_task); + ++ /* safe for ACPI FW */ ++ of_node_put(to_of_node(priv->fwnode)); ++ + free_netdev(ndev); + return 0; + } +-- +2.19.1 + diff --git a/queue-4.9/net-hns-fix-wrong-read-accesses-via-clause-45-mdio-p.patch b/queue-4.9/net-hns-fix-wrong-read-accesses-via-clause-45-mdio-p.patch new file mode 100644 index 00000000000..201306b1c8c --- /dev/null 
+++ b/queue-4.9/net-hns-fix-wrong-read-accesses-via-clause-45-mdio-p.patch @@ -0,0 +1,35 @@ +From c0922744d77fd3e24c0c8cda7742d9b4a8c4015f Mon Sep 17 00:00:00 2001 +From: Yonglong Liu +Date: Sat, 26 Jan 2019 17:18:27 +0800 +Subject: net: hns: Fix wrong read accesses via Clause 45 MDIO protocol + +[ Upstream commit cec8abba13e6a26729dfed41019720068eeeff2b ] + +When reading phy registers via Clause 45 MDIO protocol, after write +address operation, the driver use another write address operation, so +can not read the right value of any phy registers. This patch fixes it. + +Signed-off-by: Yonglong Liu +Signed-off-by: Peng Li +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns_mdio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns_mdio.c b/drivers/net/ethernet/hisilicon/hns_mdio.c +index 501eb2090ca6..de23a0ead5d7 100644 +--- a/drivers/net/ethernet/hisilicon/hns_mdio.c ++++ b/drivers/net/ethernet/hisilicon/hns_mdio.c +@@ -329,7 +329,7 @@ static int hns_mdio_read(struct mii_bus *bus, int phy_id, int regnum) + } + + hns_mdio_cmd_write(mdio_dev, is_c45, +- MDIO_C45_WRITE_ADDR, phy_id, devad); ++ MDIO_C45_READ, phy_id, devad); + } + + /* Step 5: waitting for MDIO_COMMAND_REG 's mdio_start==0,*/ +-- +2.19.1 + diff --git a/queue-4.9/net-stmmac-dwmac-rk-fix-error-handling-in-rk_gmac_po.patch b/queue-4.9/net-stmmac-dwmac-rk-fix-error-handling-in-rk_gmac_po.patch new file mode 100644 index 00000000000..7aef9f8da38 --- /dev/null +++ b/queue-4.9/net-stmmac-dwmac-rk-fix-error-handling-in-rk_gmac_po.patch 
@@ -0,0 +1,37 @@ +From 316e6104bc59184b234e5b8af818b3162d808b5c Mon Sep 17 00:00:00 2001 +From: Alexey Khoroshilov +Date: Sat, 26 Jan 2019 22:48:57 +0300 +Subject: net: stmmac: dwmac-rk: fix error handling in rk_gmac_powerup() + +[ Upstream commit c69c29a1a0a8f68cd87e98ba4a5a79fb8ef2a58c ] + +If phy_power_on() fails in rk_gmac_powerup(), clocks are left enabled. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Alexey Khoroshilov +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c +index d80c88bd2bba..6e61bccc90b3 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c +@@ -877,8 +877,10 @@ static int rk_gmac_powerup(struct rk_priv_data *bsp_priv) + } + + ret = phy_power_on(bsp_priv, true); +- if (ret) ++ if (ret) { ++ gmac_clk_enable(bsp_priv, false); + return ret; ++ } + + ret = gmac_clk_enable(bsp_priv, true); + if (ret) +-- +2.19.1 + diff --git a/queue-4.9/netfilter-nf_nat-skip-nat-clash-resolution-for-same-.patch b/queue-4.9/netfilter-nf_nat-skip-nat-clash-resolution-for-same-.patch new file mode 100644 index 00000000000..619141f2ecc --- /dev/null +++ b/queue-4.9/netfilter-nf_nat-skip-nat-clash-resolution-for-same-.patch 
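Review bot: In this tree the added `gmac_clk_enable(bsp_priv, false)` runs before the clocks have been enabled. The context lines show that `gmac_clk_enable(bsp_priv, true)` is only called after `phy_power_on()` returns, so a PHY power-on failure would now disable clocks that were never turned on, unless gmac_clk_enable() guards against that internally. The commit message describes an ordering where the clocks are already on, which does not match the new side of this hunk. The cleanup that fits this ordering belongs on the later check: keep `if (ret) return ret;` after `phy_power_on()` and make the `gmac_clk_enable()` failure branch `if (ret) { phy_power_on(bsp_priv, false); return ret; }`. That branch's body and the rest of rk_gmac_powerup() are outside the hunk, so confirm what it currently does.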
@@ -0,0 +1,71 @@ +From fa5a79c231930a82cbec821669aa9fdbf8574fc0 Mon Sep 17 00:00:00 2001 +From: Martynas Pumputis +Date: Tue, 29 Jan 2019 15:51:42 +0100 +Subject: netfilter: nf_nat: skip nat clash resolution for same-origin entries + +[ Upstream commit 4e35c1cb9460240e983a01745b5f29fe3a4d8e39 ] + +It is possible that two concurrent packets originating from the same +socket of a connection-less protocol (e.g. UDP) can end up having +different IP_CT_DIR_REPLY tuples which results in one of the packets +being dropped. + +To illustrate this, consider the following simplified scenario: + +1. Packet A and B are sent at the same time from two different threads + by same UDP socket. No matching conntrack entry exists yet. + Both packets cause allocation of a new conntrack entry. +2. get_unique_tuple gets called for A. No clashing entry found. + conntrack entry for A is added to main conntrack table. +3. get_unique_tuple is called for B and will find that the reply + tuple of B is already taken by A. + It will allocate a new UDP source port for B to resolve the clash. +4. conntrack entry for B cannot be added to main conntrack table + because its ORIGINAL direction is clashing with A and the REPLY + directions of A and B are not the same anymore due to UDP source + port reallocation done in step 3. + +This patch modifies nf_conntrack_tuple_taken so it doesn't consider +colliding reply tuples if the IP_CT_DIR_ORIGINAL tuples are equal. 
+ +[ Florian: simplify patch to not use .allow_clash setting + and always ignore identical flows ] + +Signed-off-by: Martynas Pumputis +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_core.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c +index 19b3f4fbea52..df1d5618b008 100644 +--- a/net/netfilter/nf_conntrack_core.c ++++ b/net/netfilter/nf_conntrack_core.c +@@ -855,6 +855,22 @@ nf_conntrack_tuple_taken(const struct nf_conntrack_tuple *tuple, + } + + if (nf_ct_key_equal(h, tuple, zone, net)) { ++ /* Tuple is taken already, so caller will need to find ++ * a new source port to use. ++ * ++ * Only exception: ++ * If the *original tuples* are identical, then both ++ * conntracks refer to the same flow. ++ * This is a rare situation, it can occur e.g. when ++ * more than one UDP packet is sent from same socket ++ * in different threads. ++ * ++ * Let nf_ct_resolve_clash() deal with this later. ++ */ ++ if (nf_ct_tuple_equal(&ignored_conntrack->tuplehash[IP_CT_DIR_ORIGINAL].tuple, ++ &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple)) ++ continue; ++ + NF_CT_STAT_INC_ATOMIC(net, found); + rcu_read_unlock(); + return 1; +-- +2.19.1 + diff --git a/queue-4.9/nfs-fix-null-pointer-dereference-of-dev_name.patch b/queue-4.9/nfs-fix-null-pointer-dereference-of-dev_name.patch new file mode 100644 index 00000000000..f881cd0be7c --- /dev/null +++ b/queue-4.9/nfs-fix-null-pointer-dereference-of-dev_name.patch 
@@ -0,0 +1,56 @@ +From 13767b9980cb6dd54f93c1288ecfb19939d6d93e Mon Sep 17 00:00:00 2001 +From: Yao Liu +Date: Mon, 28 Jan 2019 19:44:14 +0800 +Subject: nfs: Fix NULL pointer dereference of dev_name + +[ Upstream commit 80ff00172407e0aad4b10b94ef0816fc3e7813cb ] + +There is a NULL pointer dereference of dev_name in nfs_parse_devname() + +The oops looks something like: + + BUG: unable to handle kernel NULL pointer dereference at 0000000000000000 + ... + RIP: 0010:nfs_fs_mount+0x3b6/0xc20 [nfs] + ... + Call Trace: + ? ida_alloc_range+0x34b/0x3d0 + ? nfs_clone_super+0x80/0x80 [nfs] + ? nfs_free_parsed_mount_data+0x60/0x60 [nfs] + mount_fs+0x52/0x170 + ? __init_waitqueue_head+0x3b/0x50 + vfs_kern_mount+0x6b/0x170 + do_mount+0x216/0xdc0 + ksys_mount+0x83/0xd0 + __x64_sys_mount+0x25/0x30 + do_syscall_64+0x65/0x220 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Fix this by adding a NULL check on dev_name + +Signed-off-by: Yao Liu +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/super.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/fs/nfs/super.c b/fs/nfs/super.c +index 35aef192a13f..659ad12e33ba 100644 +--- a/fs/nfs/super.c ++++ b/fs/nfs/super.c +@@ -1904,6 +1904,11 @@ static int nfs_parse_devname(const char *dev_name, + size_t len; + char *end; + ++ if (unlikely(!dev_name || !*dev_name)) { ++ dfprintk(MOUNT, "NFS: device name not specified\n"); ++ return -EINVAL; ++ } ++ + /* Is the host name protected with square brakcets? */ + if (*dev_name == '[') { + end = strchr(++dev_name, ']'); +-- +2.19.1 + diff --git a/queue-4.9/perf-core-fix-perf_proc_update_handler-bug.patch b/queue-4.9/perf-core-fix-perf_proc_update_handler-bug.patch new file mode 100644 index 00000000000..45012963bdd --- /dev/null +++ b/queue-4.9/perf-core-fix-perf_proc_update_handler-bug.patch 
@@ -0,0 +1,84 @@ +From 44ffebceaecadfd0200cc161bddebaaca65ce963 Mon Sep 17 00:00:00 2001 +From: Stephane Eranian +Date: Thu, 10 Jan 2019 17:17:16 -0800 +Subject: perf core: Fix perf_proc_update_handler() bug + +[ Upstream commit 1a51c5da5acc6c188c917ba572eebac5f8793432 ] + +The perf_proc_update_handler() handles /proc/sys/kernel/perf_event_max_sample_rate +syctl variable. When the PMU IRQ handler timing monitoring is disabled, i.e, +when /proc/sys/kernel/perf_cpu_time_max_percent is equal to 0 or 100, +then no modification to sysctl_perf_event_sample_rate is allowed to prevent +possible hang from wrong values. + +The problem is that the test to prevent modification is made after the +sysctl variable is modified in perf_proc_update_handler(). + +You get an error: + + $ echo 10001 >/proc/sys/kernel/perf_event_max_sample_rate + echo: write error: invalid argument + +But the value is still modified causing all sorts of inconsistencies: + + $ cat /proc/sys/kernel/perf_event_max_sample_rate + 10001 + +This patch fixes the problem by moving the parsing of the value after +the test. 
+ +Committer testing: + + # echo 100 > /proc/sys/kernel/perf_cpu_time_max_percent + # echo 10001 > /proc/sys/kernel/perf_event_max_sample_rate + -bash: echo: write error: Invalid argument + # cat /proc/sys/kernel/perf_event_max_sample_rate + 10001 + # + +Signed-off-by: Stephane Eranian +Reviewed-by: Andi Kleen +Reviewed-by: Jiri Olsa +Tested-by: Arnaldo Carvalho de Melo +Cc: Kan Liang +Cc: Peter Zijlstra +Link: http://lkml.kernel.org/r/1547169436-6266-1-git-send-email-eranian@google.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + kernel/events/core.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index 17339506f9f8..5cbb2eda80b5 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -428,18 +428,18 @@ int perf_proc_update_handler(struct ctl_table *table, int write, + void __user *buffer, size_t *lenp, + loff_t *ppos) + { +- int ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos); +- +- if (ret || !write) +- return ret; +- ++ int ret; ++ int perf_cpu = sysctl_perf_cpu_time_max_percent; + /* + * If throttling is disabled don't allow the write: + */ +- if (sysctl_perf_cpu_time_max_percent == 100 || +- sysctl_perf_cpu_time_max_percent == 0) ++ if (write && (perf_cpu == 100 || perf_cpu == 0)) + return -EINVAL; + ++ ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos); ++ if (ret || !write) ++ return ret; ++ + max_samples_per_tick = DIV_ROUND_UP(sysctl_perf_event_sample_rate, HZ); + perf_sample_period_ns = NSEC_PER_SEC / sysctl_perf_event_sample_rate; + update_perf_cpu_limits(); +-- +2.19.1 + diff --git a/queue-4.9/perf-symbols-filter-out-hidden-symbols-from-labels.patch b/queue-4.9/perf-symbols-filter-out-hidden-symbols-from-labels.patch new file mode 100644 index 00000000000..7d5b8037004 --- /dev/null +++ b/queue-4.9/perf-symbols-filter-out-hidden-symbols-from-labels.patch 
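Review bot: `perf_cpu` exists so that the `== 100` and `== 0` tests see a single value, but it is filled with a plain read of `sysctl_perf_cpu_time_max_percent`, which another sysctl writer can change concurrently. `int perf_cpu = READ_ONCE(sysctl_perf_cpu_time_max_percent);` would make the snapshot explicit. The block comment also follows the declarations with no blank line, which kernel style asks for. The new ordering rejects a write before `proc_dointvec_minmax()` parses it; a short comment such as `/* check first: proc_dointvec_minmax() stores the value even if we then fail */` would keep a later cleanup from moving the call back up.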
@@ -0,0 +1,94 @@ +From b5e95e020f924f2be34f82c4ad4a4d8f4e767d34 Mon Sep 17 00:00:00 2001 +From: Jiri Olsa +Date: Mon, 28 Jan 2019 14:35:26 +0100 +Subject: perf symbols: Filter out hidden symbols from labels + +[ Upstream commit 59a17706915fe5ea6f711e1f92d4fb706bce07fe ] + +When perf is built with the annobin plugin (RHEL8 build) extra symbols +are added to its binary: + + # nm perf | grep annobin | head -10 + 0000000000241100 t .annobin_annotate.c + 0000000000326490 t .annobin_annotate.c + 0000000000249255 t .annobin_annotate.c_end + 00000000003283a8 t .annobin_annotate.c_end + 00000000001bce18 t .annobin_annotate.c_end.hot + 00000000001bce18 t .annobin_annotate.c_end.hot + 00000000001bc3e2 t .annobin_annotate.c_end.unlikely + 00000000001bc400 t .annobin_annotate.c_end.unlikely + 00000000001bce18 t .annobin_annotate.c.hot + 00000000001bce18 t .annobin_annotate.c.hot + ... + +Those symbols have no use for report or annotation and should be +skipped. Moreover they interfere with the DWARF unwind test on the PPC +arch, where they are mixed with checked symbols and then the test fails: + + # perf test dwarf -v + 59: Test dwarf unwind : + --- start --- + test child forked, pid 8515 + unwind: .annobin_dwarf_unwind.c:ip = 0x10dba40dc (0x2740dc) + ... + got: .annobin_dwarf_unwind.c 0x10dba40dc, expecting test__arch_unwind_sample + unwind: failed with 'no error' + +The annobin symbols are defined as NOTYPE/LOCAL/HIDDEN: + + # readelf -s ./perf | grep annobin | head -1 + 40: 00000000001bce4f 0 NOTYPE LOCAL HIDDEN 13 .annobin_init.c + +They can still pass the check for the label symbol. Adding check for +HIDDEN and INTERNAL (as suggested by Nick below) visibility and filter +out such symbols. + +> Just to be awkward, if you are going to ignore STV_HIDDEN +> symbols then you should probably also ignore STV_INTERNAL ones +> as well... Annobin does not generate them, but you never know, +> one day some other tool might create some. 
+ +Signed-off-by: Jiri Olsa +Cc: Alexander Shishkin +Cc: Masami Hiramatsu +Cc: Michael Petlan +Cc: Namhyung Kim +Cc: Nick Clifton +Cc: Peter Zijlstra +Link: http://lkml.kernel.org/r/20190128133526.GD15461@krava +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/symbol-elf.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/util/symbol-elf.c b/tools/perf/util/symbol-elf.c +index adbc6c02c3aa..20ba5a9aeae4 100644 +--- a/tools/perf/util/symbol-elf.c ++++ b/tools/perf/util/symbol-elf.c +@@ -85,6 +85,11 @@ static inline uint8_t elf_sym__type(const GElf_Sym *sym) + return GELF_ST_TYPE(sym->st_info); + } + ++static inline uint8_t elf_sym__visibility(const GElf_Sym *sym) ++{ ++ return GELF_ST_VISIBILITY(sym->st_other); ++} ++ + #ifndef STT_GNU_IFUNC + #define STT_GNU_IFUNC 10 + #endif +@@ -109,7 +114,9 @@ static inline int elf_sym__is_label(const GElf_Sym *sym) + return elf_sym__type(sym) == STT_NOTYPE && + sym->st_name != 0 && + sym->st_shndx != SHN_UNDEF && +- sym->st_shndx != SHN_ABS; ++ sym->st_shndx != SHN_ABS && ++ elf_sym__visibility(sym) != STV_HIDDEN && ++ elf_sym__visibility(sym) != STV_INTERNAL; + } + + static bool elf_sym__is_a(GElf_Sym *sym, enum map_type type) +-- +2.19.1 + diff --git a/queue-4.9/perf-tools-handle-topology-headers-with-no-cpu.patch b/queue-4.9/perf-tools-handle-topology-headers-with-no-cpu.patch new file mode 100644 index 00000000000..61280a0cb92 --- /dev/null +++ b/queue-4.9/perf-tools-handle-topology-headers-with-no-cpu.patch 
@@ -0,0 +1,67 @@ +From 85b1ab976069f040e9b94b52c9ee3dbe4ec3f626 Mon Sep 17 00:00:00 2001 +From: Stephane Eranian +Date: Sat, 19 Jan 2019 00:12:39 -0800 +Subject: perf tools: Handle TOPOLOGY headers with no CPU + +[ Upstream commit 1497e804d1a6e2bd9107ddf64b0310449f4673eb ] + +This patch fixes an issue in cpumap.c when used with the TOPOLOGY +header. In some configurations, some NUMA nodes may have no CPU (empty +cpulist). Yet a cpumap map must be created otherwise perf abort with an +error. This patch handles this case by creating a dummy map. + + Before: + + $ perf record -o - -e cycles noploop 2 | perf script -i - + 0x6e8 [0x6c]: failed to process type: 80 + + After: + + $ perf record -o - -e cycles noploop 2 | perf script -i - + noploop for 2 seconds + +Signed-off-by: Stephane Eranian +Acked-by: Jiri Olsa +Cc: Andi Kleen +Cc: Kan Liang +Cc: Peter Zijlstra +Link: http://lkml.kernel.org/r/1547885559-1657-1-git-send-email-eranian@google.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/cpumap.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/tools/perf/util/cpumap.c b/tools/perf/util/cpumap.c +index 2c0b52264a46..a625cb1500f9 100644 +--- a/tools/perf/util/cpumap.c ++++ b/tools/perf/util/cpumap.c +@@ -129,7 +129,12 @@ struct cpu_map *cpu_map__new(const char *cpu_list) + if (!cpu_list) + return cpu_map__read_all_cpu_map(); + +- if (!isdigit(*cpu_list)) ++ /* ++ * must handle the case of empty cpumap to cover ++ * TOPOLOGY header for NUMA nodes with no CPU ++ * ( e.g., because of CPU hotplug) ++ */ ++ if (!isdigit(*cpu_list) && *cpu_list != '\0') + goto out; + + while (isdigit(*cpu_list)) { +@@ -176,8 +181,10 @@ struct cpu_map *cpu_map__new(const char *cpu_list) + + if (nr_cpus > 0) + cpus = cpu_map__trim_new(nr_cpus, tmp_cpus); +- else ++ else if (*cpu_list != '\0') + cpus = cpu_map__default_new(); ++ else ++ cpus = cpu_map__dummy_new(); + invalid: + free(tmp_cpus); + out: +-- +2.19.1 + 
diff --git a/queue-4.9/perf-trace-support-multiple-vfs_getname-probes.patch b/queue-4.9/perf-trace-support-multiple-vfs_getname-probes.patch new file mode 100644 index 00000000000..e61581f367e --- /dev/null +++ b/queue-4.9/perf-trace-support-multiple-vfs_getname-probes.patch 
@@ -0,0 +1,101 @@ +From 5cc31b3875f48286a9e60f4362898bf9533c2199 Mon Sep 17 00:00:00 2001 +From: Arnaldo Carvalho de Melo +Date: Tue, 29 Jan 2019 15:12:34 +0100 +Subject: perf trace: Support multiple "vfs_getname" probes + +[ Upstream commit 6ab3bc240ade47a0f52bc16d97edd9accbe0024e ] + +With a suitably defined "probe:vfs_getname" probe, 'perf trace' can +"beautify" its output, so syscalls like open() or openat() can print the +"filename" argument instead of just its hex address, like: + + $ perf trace -e open -- touch /dev/null + [...] + 0.590 ( 0.014 ms): touch/18063 open(filename: /dev/null, flags: CREAT|NOCTTY|NONBLOCK|WRONLY, mode: IRUGO|IWUGO) = 3 + [...] + +The output without such beautifier looks like: + + 0.529 ( 0.011 ms): touch/18075 open(filename: 0xc78cf288, flags: CREAT|NOCTTY|NONBLOCK|WRONLY, mode: IRUGO|IWUGO) = 3 + +However, when the vfs_getname probe expands to multiple probes and it is +not the first one that is hit, the beautifier fails, as following: + + 0.326 ( 0.010 ms): touch/18072 open(filename: , flags: CREAT|NOCTTY|NONBLOCK|WRONLY, mode: IRUGO|IWUGO) = 3 + +Fix it by hooking into all the expanded probes (inlines), now, for instance: + + [root@quaco ~]# perf probe -l + probe:vfs_getname (on getname_flags:73@fs/namei.c with pathname) + probe:vfs_getname_1 (on getname_flags:73@fs/namei.c with pathname) + [root@quaco ~]# perf trace -e open* sleep 1 + 0.010 ( 0.005 ms): sleep/5588 openat(dfd: CWD, filename: /etc/ld.so.cache, flags: RDONLY|CLOEXEC) = 3 + 0.029 ( 0.006 ms): sleep/5588 openat(dfd: CWD, filename: /lib64/libc.so.6, flags: RDONLY|CLOEXEC) = 3 + 0.194 ( 0.008 ms): sleep/5588 openat(dfd: CWD, filename: /usr/lib/locale/locale-archive, flags: RDONLY|CLOEXEC) = 3 + [root@quaco ~]# + +Works, further verified with: + + [root@quaco ~]# perf test vfs + 65: Use vfs_getname probe to get syscall args filenames : Ok + 66: Add vfs_getname probe to get syscall args filenames : Ok + 67: Check open filename arg using perf trace + vfs_getname: Ok + 
[root@quaco ~]# + +Reported-by: Michael Petlan +Tested-by: Michael Petlan +Cc: Adrian Hunter +Cc: Jiri Olsa +Cc: Namhyung Kim +Link: https://lkml.kernel.org/n/tip-mv8kolk17xla1smvmp3qabv1@git.kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-trace.c | 25 ++++++++++++++++++------- + 1 file changed, 18 insertions(+), 7 deletions(-) + +diff --git a/tools/perf/builtin-trace.c b/tools/perf/builtin-trace.c +index 0fd8bfb77f65..6e568d361edf 100644 +--- a/tools/perf/builtin-trace.c ++++ b/tools/perf/builtin-trace.c +@@ -2059,19 +2059,30 @@ static size_t trace__fprintf_thread_summary(struct trace *trace, FILE *fp); + + static bool perf_evlist__add_vfs_getname(struct perf_evlist *evlist) + { +- struct perf_evsel *evsel = perf_evsel__newtp("probe", "vfs_getname"); ++ bool found = false; ++ struct perf_evsel *evsel, *tmp; ++ struct parse_events_error err = { .idx = 0, }; ++ int ret = parse_events(evlist, "probe:vfs_getname*", &err); + +- if (IS_ERR(evsel)) ++ if (ret) + return false; + +- if (perf_evsel__field(evsel, "pathname") == NULL) { ++ evlist__for_each_entry_safe(evlist, evsel, tmp) { ++ if (!strstarts(perf_evsel__name(evsel), "probe:vfs_getname")) ++ continue; ++ ++ if (perf_evsel__field(evsel, "pathname")) { ++ evsel->handler = trace__vfs_getname; ++ found = true; ++ continue; ++ } ++ ++ list_del_init(&evsel->node); ++ evsel->evlist = NULL; + perf_evsel__delete(evsel); +- return false; + } + +- evsel->handler = trace__vfs_getname; +- perf_evlist__add(evlist, evsel); +- return true; ++ return found; + } + + static struct perf_evsel *perf_evsel__new_pgfault(u64 config) +-- +2.19.1 + diff --git a/queue-4.9/platform-x86-fix-unmet-dependency-warning-for-samsun.patch b/queue-4.9/platform-x86-fix-unmet-dependency-warning-for-samsun.patch new file mode 100644 index 00000000000..434d4384e66 --- /dev/null +++ b/queue-4.9/platform-x86-fix-unmet-dependency-warning-for-samsun.patch 
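Review bot: `err` is passed to `parse_events()` in perf_evlist__add_vfs_getname() but is never inspected or released. If parse_events() allocates `err.str` and `err.help` on failure, as it appears to for other callers in perf, the `if (ret) return false;` path leaks them each time the probe is absent. Adding `free(err.str); free(err.help);` before that return would close it. Separately, evsels without a `pathname` field are unlinked with a bare `list_del_init(&evsel->node)`. If the evlist keeps an entry count, which the hunk does not show, it is left stale, so an evlist removal helper would be safer if this tree has one.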
@@ -0,0 +1,43 @@
+From 7645d99bdfb8b52b0d506be8f53fc597e23b5c62 Mon Sep 17 00:00:00 2001
+From: Sinan Kaya
+Date: Thu, 24 Jan 2019 19:31:01 +0000
+Subject: platform/x86: Fix unmet dependency warning for SAMSUNG_Q10
+
+[ Upstream commit 0ee4b5f801b73b83a9fb3921d725f2162fd4a2e5 ]
+
+Add BACKLIGHT_LCD_SUPPORT for SAMSUNG_Q10 to fix the
+warning: unmet direct dependencies detected for BACKLIGHT_CLASS_DEVICE.
+
+SAMSUNG_Q10 selects BACKLIGHT_CLASS_DEVICE but BACKLIGHT_CLASS_DEVICE
+depends on BACKLIGHT_LCD_SUPPORT.
+
+Copy BACKLIGHT_LCD_SUPPORT dependency into SAMSUNG_Q10 to fix:
+
+WARNING: unmet direct dependencies detected for BACKLIGHT_CLASS_DEVICE
+ Depends on [n]: HAS_IOMEM [=y] && BACKLIGHT_LCD_SUPPORT [=n]
+ Selected by [y]:
+ - SAMSUNG_Q10 [=y] && X86 [=y] && X86_PLATFORM_DEVICES [=y] && ACPI [=y]
+
+Signed-off-by: Sinan Kaya
+Acked-by: Andy Shevchenko
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+---
+ drivers/platform/x86/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/platform/x86/Kconfig b/drivers/platform/x86/Kconfig
+index b8a21d7b25d4..1d81149c9ea4 100644
+--- a/drivers/platform/x86/Kconfig
++++ b/drivers/platform/x86/Kconfig
+@@ -945,6 +945,7 @@ config INTEL_OAKTRAIL
+ config SAMSUNG_Q10
+ tristate "Samsung Q10 Extras"
+ depends on ACPI
++ depends on BACKLIGHT_LCD_SUPPORT
+ select BACKLIGHT_CLASS_DEVICE
+ ---help---
+ This driver provides support for backlight control on Samsung Q10
+--
+2.19.1
+
diff --git a/queue-4.9/qed-fix-vf-probe-failure-while-flr.patch b/queue-4.9/qed-fix-vf-probe-failure-while-flr.patch
new file mode 100644
index 00000000000..0be7dcc3d83
--- /dev/null
+++ b/queue-4.9/qed-fix-vf-probe-failure-while-flr.patch
@@ -0,0 +1,57 @@ +From edf3cdfa0ffd622189109949ed07070e37dae9c1 Mon Sep 17 00:00:00 2001 +From: Manish Chopra +Date: Mon, 28 Jan 2019 10:05:06 -0800 +Subject: qed: Fix VF probe failure while FLR + +[ Upstream commit 327852ec64205bb651be391a069784872098a3b2 ] + +VFs may hit VF-PF channel timeout while probing, as in some +cases it was observed that VF FLR and VF "acquire" message +transaction (i.e first message from VF to PF in VF's probe flow) +could occur simultaneously which could lead VF to fail sending +"acquire" message to PF as VF is marked disabled from HW perspective +due to FLR, which will result into channel timeout and VF probe failure. + +In such cases, try retrying VF "acquire" message so that in later +attempts it could be successful to pass message to PF after the VF +FLR is completed and can be probed successfully. + +Signed-off-by: Manish Chopra +Signed-off-by: Ariel Elior +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qed/qed_vf.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_vf.c b/drivers/net/ethernet/qlogic/qed/qed_vf.c +index 9cc02b94328a..cf34908ec8e1 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_vf.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_vf.c +@@ -158,6 +158,7 @@ static int qed_vf_pf_acquire(struct qed_hwfn *p_hwfn) + struct pfvf_acquire_resp_tlv *resp = &p_iov->pf2vf_reply->acquire_resp; + struct pf_vf_pfdev_info *pfdev_info = &resp->pfdev_info; + struct vf_pf_resc_request *p_resc; ++ u8 retry_cnt = VF_ACQUIRE_THRESH; + bool resources_acquired = false; + struct vfpf_acquire_tlv *req; + int rc = 0, attempts = 0; +@@ -203,6 +204,15 @@ static int qed_vf_pf_acquire(struct qed_hwfn *p_hwfn) + + /* send acquire request */ + rc = qed_send_msg2pf(p_hwfn, &resp->hdr.status, sizeof(*resp)); ++ ++ /* Re-try acquire in case of vf-pf hw channel timeout */ ++ if (retry_cnt && rc == -EBUSY) { ++ DP_VERBOSE(p_hwfn, QED_MSG_IOV, ++ "VF retrying 
to acquire due to VPC timeout\n"); ++ retry_cnt--; ++ continue; ++ } ++ + if (rc) + goto exit; + +-- +2.19.1 + diff --git a/queue-4.9/s390-qeth-fix-use-after-free-in-error-path.patch b/queue-4.9/s390-qeth-fix-use-after-free-in-error-path.patch new file mode 100644 index 00000000000..91c2baab1cd --- /dev/null +++ b/queue-4.9/s390-qeth-fix-use-after-free-in-error-path.patch 
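Review bot: The retry added after `qed_send_msg2pf()` in qed_vf_pf_acquire() goes straight back round the loop with `continue`, and nothing visible in the hunk waits between attempts; unless qed_send_msg2pf() only returns -EBUSY after its own channel timeout, all VF_ACQUIRE_THRESH retries could be spent before the FLR completes. A comment stating where the delay comes from would settle it, for example `/* each -EBUSY has already cost one channel timeout, so no extra sleep */` if that is what happens. The log text says "VPC timeout" while the code comment says "vf-pf hw channel timeout"; using one term, and printing `retry_cnt`, would make the message easier to match in a trace. The function body starts and ends outside the hunk, so the loop condition and the `exit` label are not visible here.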
@@ -0,0 +1,70 @@ +From 6d1a2dd8f197d97c7425e6f6c05d29ddd0ffddb2 Mon Sep 17 00:00:00 2001 +From: Julian Wiedmann +Date: Mon, 4 Feb 2019 17:40:07 +0100 +Subject: s390/qeth: fix use-after-free in error path + +[ Upstream commit afa0c5904ba16d59b0454f7ee4c807dae350f432 ] + +The error path in qeth_alloc_qdio_buffers() that takes care of +cleaning up the Output Queues is buggy. It first frees the queue, but +then calls qeth_clear_outq_buffers() with that very queue struct. + +Make the call to qeth_clear_outq_buffers() part of the free action +(in the correct order), and while at it fix the naming of the helper. + +Fixes: 0da9581ddb0f ("qeth: exploit asynchronous delivery of storage blocks") +Signed-off-by: Julian Wiedmann +Reviewed-by: Alexandra Winter +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/s390/net/qeth_core_main.c | 15 ++++++--------- + 1 file changed, 6 insertions(+), 9 deletions(-) + +diff --git a/drivers/s390/net/qeth_core_main.c b/drivers/s390/net/qeth_core_main.c +index 8f77fc0630ce..86a02592b982 100644 +--- a/drivers/s390/net/qeth_core_main.c ++++ b/drivers/s390/net/qeth_core_main.c +@@ -2449,11 +2449,12 @@ static int qeth_init_qdio_out_buf(struct qeth_qdio_out_q *q, int bidx) + return rc; + } + +-static void qeth_free_qdio_out_buf(struct qeth_qdio_out_q *q) ++static void qeth_free_output_queue(struct qeth_qdio_out_q *q) + { + if (!q) + return; + ++ qeth_clear_outq_buffers(q, 1); + qdio_free_buffers(q->qdio_bufs, QDIO_MAX_BUFFERS_PER_Q); + kfree(q); + } +@@ -2526,10 +2527,8 @@ static int qeth_alloc_qdio_buffers(struct qeth_card *card) + card->qdio.out_qs[i]->bufs[j] = NULL; + } + out_freeoutq: +- while (i > 0) { +- qeth_free_qdio_out_buf(card->qdio.out_qs[--i]); +- qeth_clear_outq_buffers(card->qdio.out_qs[i], 1); +- } ++ while (i > 0) ++ qeth_free_output_queue(card->qdio.out_qs[--i]); + kfree(card->qdio.out_qs); + card->qdio.out_qs = NULL; + out_freepool: +@@ -2562,10 +2561,8 @@ static void qeth_free_qdio_buffers(struct 
qeth_card *card) + qeth_free_buffer_pool(card); + /* free outbound qdio_qs */ + if (card->qdio.out_qs) { +- for (i = 0; i < card->qdio.no_out_queues; ++i) { +- qeth_clear_outq_buffers(card->qdio.out_qs[i], 1); +- qeth_free_qdio_out_buf(card->qdio.out_qs[i]); +- } ++ for (i = 0; i < card->qdio.no_out_queues; i++) ++ qeth_free_output_queue(card->qdio.out_qs[i]); + kfree(card->qdio.out_qs); + card->qdio.out_qs = NULL; + } +-- +2.19.1 + diff --git a/queue-4.9/scsi-libfc-free-skb-when-receiving-invalid-flogi-res.patch b/queue-4.9/scsi-libfc-free-skb-when-receiving-invalid-flogi-res.patch new file mode 100644 index 00000000000..4fa629e5922 --- /dev/null +++ b/queue-4.9/scsi-libfc-free-skb-when-receiving-invalid-flogi-res.patch 
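Review bot: The `out_freeoutq` loop in qeth_alloc_qdio_buffers() begins at `--i`, so when control falls through from the buffer cleanup just above it (the lines that set `card->qdio.out_qs[i]->bufs[j] = NULL`), queue `i` itself appears never to reach `qeth_free_output_queue()` and would leak. The gotos that target these labels are outside the hunk, so this is inferred from the visible label order and should be checked against the whole function. If it holds, releasing the half-built queue before the fall-through, `qeth_free_output_queue(card->qdio.out_qs[i]);`, would cover it, provided qeth_clear_outq_buffers() tolerates NULL buffer slots. A short comment on `qeth_free_output_queue()` saying that buffers must be cleared before `kfree(q)` would record the ordering this commit establishes.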
@@ -0,0 +1,56 @@
+From 18dd833e5e61f45921253d34f23b5aa1cd9fbc62 Mon Sep 17 00:00:00 2001
+From: Ming Lu
+Date: Thu, 24 Jan 2019 13:25:42 +0800
+Subject: scsi: libfc: free skb when receiving invalid flogi resp
+
+[ Upstream commit 5d8fc4a9f0eec20b6c07895022a6bea3fb6dfb38 ]
+
+The issue to be fixed in this commit is when libfc found it received a
+invalid FLOGI response from FC switch, it would return without freeing the
+fc frame, which is just the skb data. This would cause memory leak if FC
+switch keeps sending invalid FLOGI responses.
+
+This fix is just to make it execute `fc_frame_free(fp)` before returning
+from function `fc_lport_flogi_resp`.
+
+Signed-off-by: Ming Lu
+Reviewed-by: Hannes Reinecke
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/libfc/fc_lport.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/scsi/libfc/fc_lport.c b/drivers/scsi/libfc/fc_lport.c
+index 50c71678a156..ae93f45f9cd8 100644
+--- a/drivers/scsi/libfc/fc_lport.c
++++ b/drivers/scsi/libfc/fc_lport.c
+@@ -1736,14 +1736,14 @@ void fc_lport_flogi_resp(struct fc_seq *sp, struct fc_frame *fp,
+ fc_frame_payload_op(fp) != ELS_LS_ACC) {
+ FC_LPORT_DBG(lport, "FLOGI not accepted or bad response\n");
+ fc_lport_error(lport, fp);
+- goto err;
++ goto out;
+ }
+
+ flp = fc_frame_payload_get(fp, sizeof(*flp));
+ if (!flp) {
+ FC_LPORT_DBG(lport, "FLOGI bad response\n");
+ fc_lport_error(lport, fp);
+- goto err;
++ goto out;
+ }
+
+ mfs = ntohs(flp->fl_csp.sp_bb_data) &
+@@ -1753,7 +1753,7 @@ void fc_lport_flogi_resp(struct fc_seq *sp, struct fc_frame *fp,
+ FC_LPORT_DBG(lport, "FLOGI bad mfs:%hu response, "
+ "lport->mfs:%hu\n", mfs, lport->mfs);
+ fc_lport_error(lport, fp);
+- goto err;
++ goto out;
+ }
+
+ if (mfs <= lport->mfs) {
+--
+2.19.1
+
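Review bot: All three `goto out` sites in fc_lport_flogi_resp() now depend on the `out` label releasing `fp`, but neither `out` nor `err` is visible in the hunk, so the ownership rule stays implicit. A comment at the first site, such as `/* fp is still owned here; out frees it */`, would tell the next reader why these branches differ from any remaining `goto err`. It is also worth confirming that `fc_lport_error(lport, fp)` keeps no reference to `fp`, since the frame is released right after that call. The function starts and ends outside the hunk.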
diff --git a/queue-4.9/selftests-netfilter-add-simple-masq-redirect-test-ca.patch b/queue-4.9/selftests-netfilter-add-simple-masq-redirect-test-ca.patch
new file mode 100644
index 00000000000..5a69d426fa2
--- /dev/null
+++ b/queue-4.9/selftests-netfilter-add-simple-masq-redirect-test-ca.patch
@@ -0,0 +1,801 @@ +From 996d3b50b0d82b0ee1f47d248b17e7aa23b1fc0a Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Tue, 29 Jan 2019 15:16:23 +0100 +Subject: selftests: netfilter: add simple masq/redirect test cases + +[ Upstream commit 98bfc3414bda335dbd7fec58bde6266f991801d7 ] + +Check basic nat/redirect/masquerade for ipv4 and ipv6. + +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/netfilter/Makefile | 2 +- + tools/testing/selftests/netfilter/nft_nat.sh | 762 +++++++++++++++++++ + 2 files changed, 763 insertions(+), 1 deletion(-) + create mode 100755 tools/testing/selftests/netfilter/nft_nat.sh + +diff --git a/tools/testing/selftests/netfilter/Makefile b/tools/testing/selftests/netfilter/Makefile +index 47ed6cef93fb..c9ff2b47bd1c 100644 +--- a/tools/testing/selftests/netfilter/Makefile ++++ b/tools/testing/selftests/netfilter/Makefile +@@ -1,6 +1,6 @@ + # SPDX-License-Identifier: GPL-2.0 + # Makefile for netfilter selftests + +-TEST_PROGS := nft_trans_stress.sh ++TEST_PROGS := nft_trans_stress.sh nft_nat.sh + + include ../lib.mk +diff --git a/tools/testing/selftests/netfilter/nft_nat.sh b/tools/testing/selftests/netfilter/nft_nat.sh +new file mode 100755 +index 000000000000..8ec76681605c +--- /dev/null ++++ b/tools/testing/selftests/netfilter/nft_nat.sh +@@ -0,0 +1,762 @@ ++#!/bin/bash ++# ++# This test is for basic NAT functionality: snat, dnat, redirect, masquerade. ++# ++ ++# Kselftest framework requirement - SKIP code is 4. ++ksft_skip=4 ++ret=0 ++ ++nft --version > /dev/null 2>&1 ++if [ $? -ne 0 ];then ++ echo "SKIP: Could not run test without nft tool" ++ exit $ksft_skip ++fi ++ ++ip -Version > /dev/null 2>&1 ++if [ $? 
-ne 0 ];then ++ echo "SKIP: Could not run test without ip tool" ++ exit $ksft_skip ++fi ++ ++ip netns add ns0 ++ip netns add ns1 ++ip netns add ns2 ++ ++ip link add veth0 netns ns0 type veth peer name eth0 netns ns1 ++ip link add veth1 netns ns0 type veth peer name eth0 netns ns2 ++ ++ip -net ns0 link set lo up ++ip -net ns0 link set veth0 up ++ip -net ns0 addr add 10.0.1.1/24 dev veth0 ++ip -net ns0 addr add dead:1::1/64 dev veth0 ++ ++ip -net ns0 link set veth1 up ++ip -net ns0 addr add 10.0.2.1/24 dev veth1 ++ip -net ns0 addr add dead:2::1/64 dev veth1 ++ ++for i in 1 2; do ++ ip -net ns$i link set lo up ++ ip -net ns$i link set eth0 up ++ ip -net ns$i addr add 10.0.$i.99/24 dev eth0 ++ ip -net ns$i route add default via 10.0.$i.1 ++ ip -net ns$i addr add dead:$i::99/64 dev eth0 ++ ip -net ns$i route add default via dead:$i::1 ++done ++ ++bad_counter() ++{ ++ local ns=$1 ++ local counter=$2 ++ local expect=$3 ++ ++ echo "ERROR: $counter counter in $ns has unexpected value (expected $expect)" 1>&2 ++ ip netns exec $ns nft list counter inet filter $counter 1>&2 ++} ++ ++check_counters() ++{ ++ ns=$1 ++ local lret=0 ++ ++ cnt=$(ip netns exec $ns nft list counter inet filter ns0in | grep -q "packets 1 bytes 84") ++ if [ $? -ne 0 ]; then ++ bad_counter $ns ns0in "packets 1 bytes 84" ++ lret=1 ++ fi ++ cnt=$(ip netns exec $ns nft list counter inet filter ns0out | grep -q "packets 1 bytes 84") ++ if [ $? -ne 0 ]; then ++ bad_counter $ns ns0out "packets 1 bytes 84" ++ lret=1 ++ fi ++ ++ expect="packets 1 bytes 104" ++ cnt=$(ip netns exec $ns nft list counter inet filter ns0in6 | grep -q "$expect") ++ if [ $? -ne 0 ]; then ++ bad_counter $ns ns0in6 "$expect" ++ lret=1 ++ fi ++ cnt=$(ip netns exec $ns nft list counter inet filter ns0out6 | grep -q "$expect") ++ if [ $? 
-ne 0 ]; then ++ bad_counter $ns ns0out6 "$expect" ++ lret=1 ++ fi ++ ++ return $lret ++} ++ ++check_ns0_counters() ++{ ++ local ns=$1 ++ local lret=0 ++ ++ cnt=$(ip netns exec ns0 nft list counter inet filter ns0in | grep -q "packets 0 bytes 0") ++ if [ $? -ne 0 ]; then ++ bad_counter ns0 ns0in "packets 0 bytes 0" ++ lret=1 ++ fi ++ ++ cnt=$(ip netns exec ns0 nft list counter inet filter ns0in6 | grep -q "packets 0 bytes 0") ++ if [ $? -ne 0 ]; then ++ bad_counter ns0 ns0in6 "packets 0 bytes 0" ++ lret=1 ++ fi ++ ++ cnt=$(ip netns exec ns0 nft list counter inet filter ns0out | grep -q "packets 0 bytes 0") ++ if [ $? -ne 0 ]; then ++ bad_counter ns0 ns0out "packets 0 bytes 0" ++ lret=1 ++ fi ++ cnt=$(ip netns exec ns0 nft list counter inet filter ns0out6 | grep -q "packets 0 bytes 0") ++ if [ $? -ne 0 ]; then ++ bad_counter ns0 ns0out6 "packets 0 bytes 0" ++ lret=1 ++ fi ++ ++ for dir in "in" "out" ; do ++ expect="packets 1 bytes 84" ++ cnt=$(ip netns exec ns0 nft list counter inet filter ${ns}${dir} | grep -q "$expect") ++ if [ $? -ne 0 ]; then ++ bad_counter ns0 $ns$dir "$expect" ++ lret=1 ++ fi ++ ++ expect="packets 1 bytes 104" ++ cnt=$(ip netns exec ns0 nft list counter inet filter ${ns}${dir}6 | grep -q "$expect") ++ if [ $? -ne 0 ]; then ++ bad_counter ns0 $ns$dir6 "$expect" ++ lret=1 ++ fi ++ done ++ ++ return $lret ++} ++ ++reset_counters() ++{ ++ for i in 0 1 2;do ++ ip netns exec ns$i nft reset counters inet > /dev/null ++ done ++} ++ ++test_local_dnat6() ++{ ++ local lret=0 ++ip netns exec ns0 nft -f - < /dev/null ++ if [ $? -ne 0 ]; then ++ lret=1 ++ echo "ERROR: ping6 failed" ++ return $lret ++ fi ++ ++ expect="packets 0 bytes 0" ++ for dir in "in6" "out6" ; do ++ cnt=$(ip netns exec ns0 nft list counter inet filter ns1${dir} | grep -q "$expect") ++ if [ $? 
-ne 0 ]; then ++ bad_counter ns0 ns1$dir "$expect" ++ lret=1 ++ fi ++ done ++ ++ expect="packets 1 bytes 104" ++ for dir in "in6" "out6" ; do ++ cnt=$(ip netns exec ns0 nft list counter inet filter ns2${dir} | grep -q "$expect") ++ if [ $? -ne 0 ]; then ++ bad_counter ns0 ns2$dir "$expect" ++ lret=1 ++ fi ++ done ++ ++ # expect 0 count in ns1 ++ expect="packets 0 bytes 0" ++ for dir in "in6" "out6" ; do ++ cnt=$(ip netns exec ns1 nft list counter inet filter ns0${dir} | grep -q "$expect") ++ if [ $? -ne 0 ]; then ++ bad_counter ns1 ns0$dir "$expect" ++ lret=1 ++ fi ++ done ++ ++ # expect 1 packet in ns2 ++ expect="packets 1 bytes 104" ++ for dir in "in6" "out6" ; do ++ cnt=$(ip netns exec ns2 nft list counter inet filter ns0${dir} | grep -q "$expect") ++ if [ $? -ne 0 ]; then ++ bad_counter ns2 ns0$dir "$expect" ++ lret=1 ++ fi ++ done ++ ++ test $lret -eq 0 && echo "PASS: ipv6 ping to ns1 was NATted to ns2" ++ ip netns exec ns0 nft flush chain ip6 nat output ++ ++ return $lret ++} ++ ++test_local_dnat() ++{ ++ local lret=0 ++ip netns exec ns0 nft -f - < /dev/null ++ if [ $? -ne 0 ]; then ++ lret=1 ++ echo "ERROR: ping failed" ++ return $lret ++ fi ++ ++ expect="packets 0 bytes 0" ++ for dir in "in" "out" ; do ++ cnt=$(ip netns exec ns0 nft list counter inet filter ns1${dir} | grep -q "$expect") ++ if [ $? -ne 0 ]; then ++ bad_counter ns0 ns1$dir "$expect" ++ lret=1 ++ fi ++ done ++ ++ expect="packets 1 bytes 84" ++ for dir in "in" "out" ; do ++ cnt=$(ip netns exec ns0 nft list counter inet filter ns2${dir} | grep -q "$expect") ++ if [ $? -ne 0 ]; then ++ bad_counter ns0 ns2$dir "$expect" ++ lret=1 ++ fi ++ done ++ ++ # expect 0 count in ns1 ++ expect="packets 0 bytes 0" ++ for dir in "in" "out" ; do ++ cnt=$(ip netns exec ns1 nft list counter inet filter ns0${dir} | grep -q "$expect") ++ if [ $? 
-ne 0 ]; then ++ bad_counter ns1 ns0$dir "$expect" ++ lret=1 ++ fi ++ done ++ ++ # expect 1 packet in ns2 ++ expect="packets 1 bytes 84" ++ for dir in "in" "out" ; do ++ cnt=$(ip netns exec ns2 nft list counter inet filter ns0${dir} | grep -q "$expect") ++ if [ $? -ne 0 ]; then ++ bad_counter ns2 ns0$dir "$expect" ++ lret=1 ++ fi ++ done ++ ++ test $lret -eq 0 && echo "PASS: ping to ns1 was NATted to ns2" ++ ++ ip netns exec ns0 nft flush chain ip nat output ++ ++ reset_counters ++ ip netns exec ns0 ping -q -c 1 10.0.1.99 > /dev/null ++ if [ $? -ne 0 ]; then ++ lret=1 ++ echo "ERROR: ping failed" ++ return $lret ++ fi ++ ++ expect="packets 1 bytes 84" ++ for dir in "in" "out" ; do ++ cnt=$(ip netns exec ns0 nft list counter inet filter ns1${dir} | grep -q "$expect") ++ if [ $? -ne 0 ]; then ++ bad_counter ns1 ns1$dir "$expect" ++ lret=1 ++ fi ++ done ++ expect="packets 0 bytes 0" ++ for dir in "in" "out" ; do ++ cnt=$(ip netns exec ns0 nft list counter inet filter ns2${dir} | grep -q "$expect") ++ if [ $? -ne 0 ]; then ++ bad_counter ns0 ns2$dir "$expect" ++ lret=1 ++ fi ++ done ++ ++ # expect 1 count in ns1 ++ expect="packets 1 bytes 84" ++ for dir in "in" "out" ; do ++ cnt=$(ip netns exec ns1 nft list counter inet filter ns0${dir} | grep -q "$expect") ++ if [ $? -ne 0 ]; then ++ bad_counter ns0 ns0$dir "$expect" ++ lret=1 ++ fi ++ done ++ ++ # expect 0 packet in ns2 ++ expect="packets 0 bytes 0" ++ for dir in "in" "out" ; do ++ cnt=$(ip netns exec ns2 nft list counter inet filter ns0${dir} | grep -q "$expect") ++ if [ $? -ne 0 ]; then ++ bad_counter ns2 ns2$dir "$expect" ++ lret=1 ++ fi ++ done ++ ++ test $lret -eq 0 && echo "PASS: ping to ns1 OK after nat output chain flush" ++ ++ return $lret ++} ++ ++ ++test_masquerade6() ++{ ++ local lret=0 ++ ++ ip netns exec ns0 sysctl net.ipv6.conf.all.forwarding=1 > /dev/null ++ ++ ip netns exec ns2 ping -q -c 1 dead:1::99 > /dev/null # ping ns2->ns1 ++ if [ $? 
-ne 0 ] ; then ++ echo "ERROR: cannot ping ns1 from ns2 via ipv6" ++ return 1 ++ lret=1 ++ fi ++ ++ expect="packets 1 bytes 104" ++ for dir in "in6" "out6" ; do ++ cnt=$(ip netns exec ns1 nft list counter inet filter ns2${dir} | grep -q "$expect") ++ if [ $? -ne 0 ]; then ++ bad_counter ns1 ns2$dir "$expect" ++ lret=1 ++ fi ++ ++ cnt=$(ip netns exec ns2 nft list counter inet filter ns1${dir} | grep -q "$expect") ++ if [ $? -ne 0 ]; then ++ bad_counter ns2 ns1$dir "$expect" ++ lret=1 ++ fi ++ done ++ ++ reset_counters ++ ++# add masquerading rule ++ip netns exec ns0 nft -f - < /dev/null # ping ns2->ns1 ++ if [ $? -ne 0 ] ; then ++ echo "ERROR: cannot ping ns1 from ns2 with active ipv6 masquerading" ++ lret=1 ++ fi ++ ++ # ns1 should have seen packets from ns0, due to masquerade ++ expect="packets 1 bytes 104" ++ for dir in "in6" "out6" ; do ++ ++ cnt=$(ip netns exec ns1 nft list counter inet filter ns0${dir} | grep -q "$expect") ++ if [ $? -ne 0 ]; then ++ bad_counter ns1 ns0$dir "$expect" ++ lret=1 ++ fi ++ ++ cnt=$(ip netns exec ns2 nft list counter inet filter ns1${dir} | grep -q "$expect") ++ if [ $? -ne 0 ]; then ++ bad_counter ns2 ns1$dir "$expect" ++ lret=1 ++ fi ++ done ++ ++ # ns1 should not have seen packets from ns2, due to masquerade ++ expect="packets 0 bytes 0" ++ for dir in "in6" "out6" ; do ++ cnt=$(ip netns exec ns1 nft list counter inet filter ns2${dir} | grep -q "$expect") ++ if [ $? -ne 0 ]; then ++ bad_counter ns1 ns0$dir "$expect" ++ lret=1 ++ fi ++ ++ cnt=$(ip netns exec ns1 nft list counter inet filter ns2${dir} | grep -q "$expect") ++ if [ $? -ne 0 ]; then ++ bad_counter ns2 ns1$dir "$expect" ++ lret=1 ++ fi ++ done ++ ++ ip netns exec ns0 nft flush chain ip6 nat postrouting ++ if [ $? 
-ne 0 ]; then ++ echo "ERROR: Could not flush ip6 nat postrouting" 1>&2 ++ lret=1 ++ fi ++ ++ test $lret -eq 0 && echo "PASS: IPv6 masquerade for ns2" ++ ++ return $lret ++} ++ ++test_masquerade() ++{ ++ local lret=0 ++ ++ ip netns exec ns0 sysctl net.ipv4.conf.veth0.forwarding=1 > /dev/null ++ ip netns exec ns0 sysctl net.ipv4.conf.veth1.forwarding=1 > /dev/null ++ ++ ip netns exec ns2 ping -q -c 1 10.0.1.99 > /dev/null # ping ns2->ns1 ++ if [ $? -ne 0 ] ; then ++ echo "ERROR: canot ping ns1 from ns2" ++ lret=1 ++ fi ++ ++ expect="packets 1 bytes 84" ++ for dir in "in" "out" ; do ++ cnt=$(ip netns exec ns1 nft list counter inet filter ns2${dir} | grep -q "$expect") ++ if [ $? -ne 0 ]; then ++ bad_counter ns1 ns2$dir "$expect" ++ lret=1 ++ fi ++ ++ cnt=$(ip netns exec ns2 nft list counter inet filter ns1${dir} | grep -q "$expect") ++ if [ $? -ne 0 ]; then ++ bad_counter ns2 ns1$dir "$expect" ++ lret=1 ++ fi ++ done ++ ++ reset_counters ++ ++# add masquerading rule ++ip netns exec ns0 nft -f - < /dev/null # ping ns2->ns1 ++ if [ $? -ne 0 ] ; then ++ echo "ERROR: cannot ping ns1 from ns2 with active ip masquerading" ++ lret=1 ++ fi ++ ++ # ns1 should have seen packets from ns0, due to masquerade ++ expect="packets 1 bytes 84" ++ for dir in "in" "out" ; do ++ cnt=$(ip netns exec ns1 nft list counter inet filter ns0${dir} | grep -q "$expect") ++ if [ $? -ne 0 ]; then ++ bad_counter ns1 ns0$dir "$expect" ++ lret=1 ++ fi ++ ++ cnt=$(ip netns exec ns2 nft list counter inet filter ns1${dir} | grep -q "$expect") ++ if [ $? -ne 0 ]; then ++ bad_counter ns2 ns1$dir "$expect" ++ lret=1 ++ fi ++ done ++ ++ # ns1 should not have seen packets from ns2, due to masquerade ++ expect="packets 0 bytes 0" ++ for dir in "in" "out" ; do ++ cnt=$(ip netns exec ns1 nft list counter inet filter ns2${dir} | grep -q "$expect") ++ if [ $? 
-ne 0 ]; then ++ bad_counter ns1 ns0$dir "$expect" ++ lret=1 ++ fi ++ ++ cnt=$(ip netns exec ns1 nft list counter inet filter ns2${dir} | grep -q "$expect") ++ if [ $? -ne 0 ]; then ++ bad_counter ns2 ns1$dir "$expect" ++ lret=1 ++ fi ++ done ++ ++ ip netns exec ns0 nft flush chain ip nat postrouting ++ if [ $? -ne 0 ]; then ++ echo "ERROR: Could not flush nat postrouting" 1>&2 ++ lret=1 ++ fi ++ ++ test $lret -eq 0 && echo "PASS: IP masquerade for ns2" ++ ++ return $lret ++} ++ ++test_redirect6() ++{ ++ local lret=0 ++ ++ ip netns exec ns0 sysctl net.ipv6.conf.all.forwarding=1 > /dev/null ++ ++ ip netns exec ns2 ping -q -c 1 dead:1::99 > /dev/null # ping ns2->ns1 ++ if [ $? -ne 0 ] ; then ++ echo "ERROR: cannnot ping ns1 from ns2 via ipv6" ++ lret=1 ++ fi ++ ++ expect="packets 1 bytes 104" ++ for dir in "in6" "out6" ; do ++ cnt=$(ip netns exec ns1 nft list counter inet filter ns2${dir} | grep -q "$expect") ++ if [ $? -ne 0 ]; then ++ bad_counter ns1 ns2$dir "$expect" ++ lret=1 ++ fi ++ ++ cnt=$(ip netns exec ns2 nft list counter inet filter ns1${dir} | grep -q "$expect") ++ if [ $? -ne 0 ]; then ++ bad_counter ns2 ns1$dir "$expect" ++ lret=1 ++ fi ++ done ++ ++ reset_counters ++ ++# add redirect rule ++ip netns exec ns0 nft -f - < /dev/null # ping ns2->ns1 ++ if [ $? -ne 0 ] ; then ++ echo "ERROR: cannot ping ns1 from ns2 with active ip6 redirect" ++ lret=1 ++ fi ++ ++ # ns1 should have seen no packets from ns2, due to redirection ++ expect="packets 0 bytes 0" ++ for dir in "in6" "out6" ; do ++ cnt=$(ip netns exec ns1 nft list counter inet filter ns2${dir} | grep -q "$expect") ++ if [ $? -ne 0 ]; then ++ bad_counter ns1 ns0$dir "$expect" ++ lret=1 ++ fi ++ done ++ ++ # ns0 should have seen packets from ns2, due to masquerade ++ expect="packets 1 bytes 104" ++ for dir in "in6" "out6" ; do ++ cnt=$(ip netns exec ns0 nft list counter inet filter ns2${dir} | grep -q "$expect") ++ if [ $? 
-ne 0 ]; then ++ bad_counter ns1 ns0$dir "$expect" ++ lret=1 ++ fi ++ done ++ ++ ip netns exec ns0 nft delete table ip6 nat ++ if [ $? -ne 0 ]; then ++ echo "ERROR: Could not delete ip6 nat table" 1>&2 ++ lret=1 ++ fi ++ ++ test $lret -eq 0 && echo "PASS: IPv6 redirection for ns2" ++ ++ return $lret ++} ++ ++test_redirect() ++{ ++ local lret=0 ++ ++ ip netns exec ns0 sysctl net.ipv4.conf.veth0.forwarding=1 > /dev/null ++ ip netns exec ns0 sysctl net.ipv4.conf.veth1.forwarding=1 > /dev/null ++ ++ ip netns exec ns2 ping -q -c 1 10.0.1.99 > /dev/null # ping ns2->ns1 ++ if [ $? -ne 0 ] ; then ++ echo "ERROR: cannot ping ns1 from ns2" ++ lret=1 ++ fi ++ ++ expect="packets 1 bytes 84" ++ for dir in "in" "out" ; do ++ cnt=$(ip netns exec ns1 nft list counter inet filter ns2${dir} | grep -q "$expect") ++ if [ $? -ne 0 ]; then ++ bad_counter ns1 ns2$dir "$expect" ++ lret=1 ++ fi ++ ++ cnt=$(ip netns exec ns2 nft list counter inet filter ns1${dir} | grep -q "$expect") ++ if [ $? -ne 0 ]; then ++ bad_counter ns2 ns1$dir "$expect" ++ lret=1 ++ fi ++ done ++ ++ reset_counters ++ ++# add redirect rule ++ip netns exec ns0 nft -f - < /dev/null # ping ns2->ns1 ++ if [ $? -ne 0 ] ; then ++ echo "ERROR: cannot ping ns1 from ns2 with active ip redirect" ++ lret=1 ++ fi ++ ++ # ns1 should have seen no packets from ns2, due to redirection ++ expect="packets 0 bytes 0" ++ for dir in "in" "out" ; do ++ ++ cnt=$(ip netns exec ns1 nft list counter inet filter ns2${dir} | grep -q "$expect") ++ if [ $? -ne 0 ]; then ++ bad_counter ns1 ns0$dir "$expect" ++ lret=1 ++ fi ++ done ++ ++ # ns0 should have seen packets from ns2, due to masquerade ++ expect="packets 1 bytes 84" ++ for dir in "in" "out" ; do ++ cnt=$(ip netns exec ns0 nft list counter inet filter ns2${dir} | grep -q "$expect") ++ if [ $? -ne 0 ]; then ++ bad_counter ns1 ns0$dir "$expect" ++ lret=1 ++ fi ++ done ++ ++ ip netns exec ns0 nft delete table ip nat ++ if [ $? 
-ne 0 ]; then ++ echo "ERROR: Could not delete nat table" 1>&2 ++ lret=1 ++ fi ++ ++ test $lret -eq 0 && echo "PASS: IP redirection for ns2" ++ ++ return $lret ++} ++ ++ ++# ip netns exec ns0 ping -c 1 -q 10.0.$i.99 ++for i in 0 1 2; do ++ip netns exec ns$i nft -f - < /dev/null ++ if [ $? -ne 0 ];then ++ echo "ERROR: Could not reach other namespace(s)" 1>&2 ++ ret=1 ++ fi ++ ++ ip netns exec ns0 ping -c 1 -q dead:$i::99 > /dev/null ++ if [ $? -ne 0 ];then ++ echo "ERROR: Could not reach other namespace(s) via ipv6" 1>&2 ++ ret=1 ++ fi ++ check_counters ns$i ++ if [ $? -ne 0 ]; then ++ ret=1 ++ fi ++ ++ check_ns0_counters ns$i ++ if [ $? -ne 0 ]; then ++ ret=1 ++ fi ++ reset_counters ++done ++ ++if [ $ret -eq 0 ];then ++ echo "PASS: netns routing/connectivity: ns0 can reach ns1 and ns2" ++fi ++ ++reset_counters ++test_local_dnat ++test_local_dnat6 ++ ++reset_counters ++test_masquerade ++test_masquerade6 ++ ++reset_counters ++test_redirect ++test_redirect6 ++ ++for i in 0 1 2; do ip netns del ns$i;done ++ ++exit $ret +-- +2.19.1 + diff --git a/queue-4.9/selftests-netfilter-fix-config-fragment-config_nf_ta.patch b/queue-4.9/selftests-netfilter-fix-config-fragment-config_nf_ta.patch new file mode 100644 index 00000000000..4138c6d044c --- /dev/null +++ b/queue-4.9/selftests-netfilter-fix-config-fragment-config_nf_ta.patch 
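Review bot: In check_ns0_counters() the IPv6 failure branch calls `bad_counter ns0 $ns$dir6 "$expect"`, where `$dir6` is an unset variable, so the diagnostic names the wrong counter; it should read `bad_counter ns0 ${ns}${dir}6 "$expect"`. In test_masquerade6() the first error branch has `lret=1` after `return 1`, which never runs. The script also creates the fixed names `ns0`, `ns1` and `ns2` without checking that `ip netns add` succeeded and removes them only on the normal exit path, so an interrupted run leaves them behind and a host that already has namespaces with those names gets them deleted at the end. A `trap` cleanup and per-run unique names would make the test safe on a shared machine.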
@@ -0,0 +1,29 @@
+From 1686802151b9e88161f402792c8088fc8d2e1db8 Mon Sep 17 00:00:00 2001
+From: Naresh Kamboju
+Date: Tue, 29 Jan 2019 06:28:35 +0000
+Subject: selftests: netfilter: fix config fragment CONFIG_NF_TABLES_INET
+
+[ Upstream commit 952b72f89ae23b316da8c1021b18d0c388ad6cc4 ]
+
+In selftests the config fragment for netfilter was added as
+NF_TABLES_INET=y and this patch correct it as CONFIG_NF_TABLES_INET=y
+
+Signed-off-by: Naresh Kamboju
+Acked-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ tools/testing/selftests/netfilter/config | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/netfilter/config b/tools/testing/selftests/netfilter/config
+index 1017313e41a8..59caa8f71cd8 100644
+--- a/tools/testing/selftests/netfilter/config
++++ b/tools/testing/selftests/netfilter/config
+@@ -1,2 +1,2 @@
+ CONFIG_NET_NS=y
+-NF_TABLES_INET=y
++CONFIG_NF_TABLES_INET=y
+--
+2.19.1
+
diff --git a/queue-4.9/series b/queue-4.9/series
index 0fac18a2895..499e6873f9a 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -31,3 +31,53 @@ mips-irq-allocate-accurate-order-pages-for-irq-stack.patch
 hugetlbfs-fix-races-and-page-leaks-during-migration.patch
 exec-fix-mem-leak-in-kernel_read_file.patch
 media-uvcvideo-fix-type-check-leading-to-overflow.patch
+vti4-fix-a-ipip-packet-processing-bug-in-ipcomp-virt.patch
+perf-core-fix-perf_proc_update_handler-bug.patch
+perf-tools-handle-topology-headers-with-no-cpu.patch
+ib-hfi1-qib-fix-wc.byte_len-calculation-for-ud_send_.patch
+iommu-amd-call-free_iova_fast-with-pfn-in-map_sg.patch
+iommu-amd-unmap-all-mapped-pages-in-error-path-of-ma.patch
+ipvs-fix-signed-integer-overflow-when-setsockopt-tim.patch
+iommu-amd-fix-iommu-page-flush-when-detach-device-fr.patch
+xtensa-smp-fix-ccount_timer_shutdown.patch
+xtensa-smp-fix-secondary-cpu-initialization.patch
+xtensa-smp_lx200_defconfig-fix-vectors-clash.patch
+xtensa-smp-mark-each-possible-cpu-as-present.patch
+xtensa-smp-limit-number-of-possible-cpus-by-nr_cpus.patch
+net-altera_tse-fix-msgdma_tx_completion-on-non-zero-.patch
+net-hns-fix-for-missing-of_node_put-after-of_parse_p.patch
+net-hns-fix-wrong-read-accesses-via-clause-45-mdio-p.patch
+net-stmmac-dwmac-rk-fix-error-handling-in-rk_gmac_po.patch
+gpio-vf610-mask-all-gpio-interrupts.patch
+nfs-fix-null-pointer-dereference-of-dev_name.patch
+qed-fix-vf-probe-failure-while-flr.patch
+scsi-libfc-free-skb-when-receiving-invalid-flogi-res.patch
+platform-x86-fix-unmet-dependency-warning-for-samsun.patch
+cifs-fix-computation-for-max_smb2_hdr_size.patch
+arm64-kprobe-always-blacklist-the-kvm-world-switch-c.patch
+x86-kexec-don-t-setup-efi-info-if-efi-runtime-is-not.patch
+x86_64-increase-stack-size-for-kasan_extra.patch
+mm-memory_hotplug-is_mem_section_removable-do-not-pa.patch
+mm-memory_hotplug-test_pages_in_a_zone-do-not-pass-t.patch
+fs-drop_caches.c-avoid-softlockups-in-drop_pagecache.patch
+autofs-drop-dentry-reference-only-when-it-is-never-u.patch
+autofs-fix-error-return-in-autofs_fill_super.patch
+soc-fsl-qbman-avoid-race-in-clearing-qman-interrupt.patch
+arm-pxa-ssp-unneeded-to-free-devm_-allocated-data.patch
+arm64-dts-add-msm8996-compatible-to-gicv3.patch
+usb-phy-fix-link-errors.patch
+irqchip-mmp-only-touch-the-pj4-irq-fiq-bits-on-enabl.patch
+drm-sun4i-tcon-prepare-and-enable-tcon-channel-0-clo.patch
+dmaengine-at_xdmac-fix-wrongfull-report-of-a-channel.patch
+vsock-virtio-fix-kernel-panic-after-device-hot-unplu.patch
+vsock-virtio-reset-connected-sockets-on-device-remov.patch
+dmaengine-dmatest-abort-test-in-case-of-mapping-erro.patch
+selftests-netfilter-fix-config-fragment-config_nf_ta.patch
+selftests-netfilter-add-simple-masq-redirect-test-ca.patch
+netfilter-nf_nat-skip-nat-clash-resolution-for-same-.patch
+s390-qeth-fix-use-after-free-in-error-path.patch
+perf-symbols-filter-out-hidden-symbols-from-labels.patch
+perf-trace-support-multiple-vfs_getname-probes.patch
+mips-loongson-introduce-and-use-loongson_llsc_mb.patch
+mips-remove-function-size-check-in-get_frame_info.patch
+fs-ratelimit-__find_get_block_slow-failure-message.patch
diff --git a/queue-4.9/soc-fsl-qbman-avoid-race-in-clearing-qman-interrupt.patch b/queue-4.9/soc-fsl-qbman-avoid-race-in-clearing-qman-interrupt.patch
new file mode 100644
index 00000000000..8464c8c6a61
--- /dev/null
+++ b/queue-4.9/soc-fsl-qbman-avoid-race-in-clearing-qman-interrupt.patch
@@ -0,0 +1,51 @@
+From 970c726ceef69d5778c4a50d26252e56d4e0c980 Mon Sep 17 00:00:00 2001
+From: Madalin Bucur
+Date: Fri, 21 Dec 2018 16:41:42 +0200
+Subject: soc: fsl: qbman: avoid race in clearing QMan interrupt
+
+[ Upstream commit 89857a8a5c89a406b967ab2be7bd2ccdbe75e73d ]
+
+By clearing all interrupt sources, not only those that
+already occurred, the existing code may acknowledge by
+mistake interrupts that occurred after the code checks
+for them.
+
+Signed-off-by: Madalin Bucur
+Signed-off-by: Roy Pledge
+Signed-off-by: Li Yang
+Signed-off-by: Sasha Levin
+---
+ drivers/soc/fsl/qbman/qman.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/soc/fsl/qbman/qman.c b/drivers/soc/fsl/qbman/qman.c
+index 2cc82ed6433a..91f5c951850f 100644
+--- a/drivers/soc/fsl/qbman/qman.c
++++ b/drivers/soc/fsl/qbman/qman.c
+@@ -1073,18 +1073,19 @@ static void qm_mr_process_task(struct work_struct *work);
+ static irqreturn_t portal_isr(int irq, void *ptr)
+ {
+ struct qman_portal *p = ptr;
+-
+- u32 clear = QM_DQAVAIL_MASK | p->irq_sources;
+ u32 is = qm_in(&p->p, QM_REG_ISR) & p->irq_sources;
++ u32 clear = 0;
+
+ if (unlikely(!is))
+ return IRQ_NONE;
+
+ /* DQRR-handling if it's interrupt-driven */
+- if (is & QM_PIRQ_DQRI)
++ if (is & QM_PIRQ_DQRI) {
+ __poll_portal_fast(p, QMAN_POLL_LIMIT);
++ clear = QM_DQAVAIL_MASK | QM_PIRQ_DQRI;
++ }
+ /* Handling of anything else that's interrupt-driven */
+- clear |= __poll_portal_slow(p, is);
++ clear |= __poll_portal_slow(p, is) & QM_PIRQ_SLOW;
+ qm_out(&p->p, QM_REG_ISR, clear);
+ return IRQ_HANDLED;
+ }
+--
+2.19.1
+
diff --git a/queue-4.9/usb-phy-fix-link-errors.patch b/queue-4.9/usb-phy-fix-link-errors.patch
new file mode 100644
index 00000000000..e6a4d48ea62
--- /dev/null
+++ b/queue-4.9/usb-phy-fix-link-errors.patch
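Review bot: With `clear` now built only from QM_PIRQ_DQRI and the masked return of `__poll_portal_slow()`, any bit set in `is` that falls outside both is never written back to QM_REG_ISR in portal_isr(), yet the handler still returns IRQ_HANDLED. Whether such a bit can occur depends on `p->irq_sources` and on what `__poll_portal_slow()` returns, neither of which is visible here, so it needs checking rather than assuming. A comment above the final `qm_out()` would help, for example `/* ack only what was handled above; later arrivals stay pending */`. For the 4.9 queue, confirm that QM_PIRQ_SLOW is defined in that tree, as the hunk uses it without adding it.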
@@ -0,0 +1,58 @@ +From 648cef86886c3f4103bbe2171d68226bfd6c0218 Mon Sep 17 00:00:00 2001 +From: Anders Roxell +Date: Tue, 22 Jan 2019 11:36:02 +0100 +Subject: usb: phy: fix link errors + +[ Upstream commit f2105d42597f4d10e431b195d69e96dccaf9b012 ] + +Fix link errors when CONFIG_FSL_USB2_OTG is enabled and USB_OTG_FSM is +set to module then the following link error occurs. + +aarch64-linux-gnu-ld: drivers/usb/phy/phy-fsl-usb.o: in function `fsl_otg_ioctl': +drivers/usb/phy/phy-fsl-usb.c:1083: undefined reference to `otg_statemachine' +aarch64-linux-gnu-ld: drivers/usb/phy/phy-fsl-usb.c:1083:(.text+0x574): relocation truncated to fit: R_AARCH64_CALL26 against undefined symbol `otg_statemachine' +aarch64-linux-gnu-ld: drivers/usb/phy/phy-fsl-usb.o: in function `fsl_otg_start_srp': +drivers/usb/phy/phy-fsl-usb.c:674: undefined reference to `otg_statemachine' +aarch64-linux-gnu-ld: drivers/usb/phy/phy-fsl-usb.c:674:(.text+0x61c): relocation truncated to fit: R_AARCH64_CALL26 against undefined symbol `otg_statemachine' +aarch64-linux-gnu-ld: drivers/usb/phy/phy-fsl-usb.o: in function `fsl_otg_set_host': +drivers/usb/phy/phy-fsl-usb.c:593: undefined reference to `otg_statemachine' +aarch64-linux-gnu-ld: drivers/usb/phy/phy-fsl-usb.c:593:(.text+0x7a4): relocation truncated to fit: R_AARCH64_CALL26 against undefined symbol `otg_statemachine' +aarch64-linux-gnu-ld: drivers/usb/phy/phy-fsl-usb.o: in function `fsl_otg_start_hnp': +drivers/usb/phy/phy-fsl-usb.c:695: undefined reference to `otg_statemachine' +aarch64-linux-gnu-ld: drivers/usb/phy/phy-fsl-usb.c:695:(.text+0x858): relocation truncated to fit: R_AARCH64_CALL26 against undefined symbol `otg_statemachine' +aarch64-linux-gnu-ld: drivers/usb/phy/phy-fsl-usb.o: in function `a_wait_enum': +drivers/usb/phy/phy-fsl-usb.c:274: undefined reference to `otg_statemachine' +aarch64-linux-gnu-ld: drivers/usb/phy/phy-fsl-usb.c:274:(.text+0x16f0): relocation truncated to fit: R_AARCH64_CALL26 against undefined symbol 
`otg_statemachine' +aarch64-linux-gnu-ld: drivers/usb/phy/phy-fsl-usb.o:drivers/usb/phy/phy-fsl-usb.c:619: more undefined references to `otg_statemachine' follow +aarch64-linux-gnu-ld: drivers/usb/phy/phy-fsl-usb.o: in function `fsl_otg_set_peripheral': +drivers/usb/phy/phy-fsl-usb.c:619:(.text+0x1fa0): relocation truncated to fit: R_AARCH64_CALL26 against undefined symbol `otg_statemachine' +make[1]: *** [Makefile:1020: vmlinux] Error 1 +make[1]: Target 'Image' not remade because of errors. +make: *** [Makefile:152: sub-make] Error 2 +make: Target 'Image' not remade because of errors. + +Rework so that FSL_USB2_OTG depends on that the USB_OTG_FSM is builtin. + +Signed-off-by: Anders Roxell +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/phy/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/phy/Kconfig b/drivers/usb/phy/Kconfig +index 125cea1c3c8d..19ce615455c1 100644 +--- a/drivers/usb/phy/Kconfig ++++ b/drivers/usb/phy/Kconfig +@@ -20,7 +20,7 @@ config AB8500_USB + + config FSL_USB2_OTG + bool "Freescale USB OTG Transceiver Driver" +- depends on USB_EHCI_FSL && USB_FSL_USB2 && USB_OTG_FSM && PM ++ depends on USB_EHCI_FSL && USB_FSL_USB2 && USB_OTG_FSM=y && PM + depends on USB_GADGET || !USB_GADGET # if USB_GADGET=m, this can't be 'y' + select USB_PHY + help +-- +2.19.1 + diff --git a/queue-4.9/vsock-virtio-fix-kernel-panic-after-device-hot-unplu.patch b/queue-4.9/vsock-virtio-fix-kernel-panic-after-device-hot-unplu.patch new file mode 100644 index 00000000000..6d673aac2c2 --- /dev/null +++ b/queue-4.9/vsock-virtio-fix-kernel-panic-after-device-hot-unplu.patch 
@@ -0,0 +1,101 @@ +From 57b7adaa0723180e2282faa1dda4257930956086 Mon Sep 17 00:00:00 2001 +From: Stefano Garzarella +Date: Fri, 1 Feb 2019 12:42:06 +0100 +Subject: vsock/virtio: fix kernel panic after device hot-unplug + +[ Upstream commit 22b5c0b63f32568e130fa2df4ba23efce3eb495b ] + +virtio_vsock_remove() invokes the vsock_core_exit() also if there +are opened sockets for the AF_VSOCK protocol family. In this way +the vsock "transport" pointer is set to NULL, triggering the +kernel panic at the first socket activity. + +This patch move the vsock_core_init()/vsock_core_exit() in the +virtio_vsock respectively in module_init and module_exit functions, +that cannot be invoked until there are open sockets. + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1609699 +Reported-by: Yan Fu +Signed-off-by: Stefano Garzarella +Acked-by: Stefan Hajnoczi +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/vmw_vsock/virtio_transport.c | 26 ++++++++++++++++++-------- + 1 file changed, 18 insertions(+), 8 deletions(-) + +diff --git a/net/vmw_vsock/virtio_transport.c b/net/vmw_vsock/virtio_transport.c +index 936d7eee62d0..6cbc08d82e7f 100644 +--- a/net/vmw_vsock/virtio_transport.c ++++ b/net/vmw_vsock/virtio_transport.c +@@ -71,6 +71,9 @@ static u32 virtio_transport_get_local_cid(void) + { + struct virtio_vsock *vsock = virtio_vsock_get(); + ++ if (!vsock) ++ return VMADDR_CID_ANY; ++ + return vsock->guest_cid; + } + +@@ -495,10 +498,6 @@ static int virtio_vsock_probe(struct virtio_device *vdev) + + virtio_vsock_update_guest_cid(vsock); + +- ret = vsock_core_init(&virtio_transport.transport); +- if (ret < 0) +- goto out_vqs; +- + vsock->rx_buf_nr = 0; + vsock->rx_buf_max_nr = 0; + atomic_set(&vsock->queued_replies, 0); +@@ -526,8 +525,6 @@ static int virtio_vsock_probe(struct virtio_device *vdev) + mutex_unlock(&the_virtio_vsock_mutex); + return 0; + +-out_vqs: +- vsock->vdev->config->del_vqs(vsock->vdev); + out: + kfree(vsock); + 
mutex_unlock(&the_virtio_vsock_mutex); +@@ -567,7 +564,6 @@ static void virtio_vsock_remove(struct virtio_device *vdev) + + mutex_lock(&the_virtio_vsock_mutex); + the_virtio_vsock = NULL; +- vsock_core_exit(); + mutex_unlock(&the_virtio_vsock_mutex); + + vdev->config->del_vqs(vdev); +@@ -600,14 +596,28 @@ static int __init virtio_vsock_init(void) + virtio_vsock_workqueue = alloc_workqueue("virtio_vsock", 0, 0); + if (!virtio_vsock_workqueue) + return -ENOMEM; ++ + ret = register_virtio_driver(&virtio_vsock_driver); + if (ret) +- destroy_workqueue(virtio_vsock_workqueue); ++ goto out_wq; ++ ++ ret = vsock_core_init(&virtio_transport.transport); ++ if (ret) ++ goto out_vdr; ++ ++ return 0; ++ ++out_vdr: ++ unregister_virtio_driver(&virtio_vsock_driver); ++out_wq: ++ destroy_workqueue(virtio_vsock_workqueue); + return ret; ++ + } + + static void __exit virtio_vsock_exit(void) + { ++ vsock_core_exit(); + unregister_virtio_driver(&virtio_vsock_driver); + destroy_workqueue(virtio_vsock_workqueue); + } +-- +2.19.1 + diff --git a/queue-4.9/vsock-virtio-reset-connected-sockets-on-device-remov.patch b/queue-4.9/vsock-virtio-reset-connected-sockets-on-device-remov.patch new file mode 100644 index 00000000000..fa1af2bbbc5 --- /dev/null +++ b/queue-4.9/vsock-virtio-reset-connected-sockets-on-device-remov.patch 
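Review bot: The added `if (!vsock) return VMADDR_CID_ANY;` in `virtio_transport_get_local_cid()` covers the pointer being NULL, but not the device going away between `virtio_vsock_get()` and the read of `vsock->guest_cid`. `virtio_vsock_remove()` clears `the_virtio_vsock` under `the_virtio_vsock_mutex`, while the getter's body is outside these hunks. If it returns the global without that mutex or a reference, and remove later frees the structure, a hot-unplug racing with socket activity can still reach stale memory. Now that sockets can outlive the device, every other caller of `virtio_vsock_get()` needs the same NULL handling; none of them are shown here. At minimum I would document the lifetime rule at the check, e.g. `/* device may be gone: sockets outlive it; pointer is not pinned here */`.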
@@ -0,0 +1,35 @@ +From fe1d1570c7430e3e9bb51e0e0592c371181adc68 Mon Sep 17 00:00:00 2001 +From: Stefano Garzarella +Date: Fri, 1 Feb 2019 12:42:07 +0100 +Subject: vsock/virtio: reset connected sockets on device removal + +[ Upstream commit 85965487abc540368393a15491e6e7fcd230039d ] + +When the virtio transport device disappear, we should reset all +connected sockets in order to inform the users. + +Signed-off-by: Stefano Garzarella +Reviewed-by: Stefan Hajnoczi +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/vmw_vsock/virtio_transport.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/vmw_vsock/virtio_transport.c b/net/vmw_vsock/virtio_transport.c +index 6cbc08d82e7f..f66a6010ae07 100644 +--- a/net/vmw_vsock/virtio_transport.c ++++ b/net/vmw_vsock/virtio_transport.c +@@ -541,6 +541,9 @@ static void virtio_vsock_remove(struct virtio_device *vdev) + flush_work(&vsock->event_work); + flush_work(&vsock->send_pkt_work); + ++ /* Reset all connected sockets when the device disappear */ ++ vsock_for_each_connected_socket(virtio_vsock_reset_sock); ++ + vdev->config->reset(vdev); + + mutex_lock(&vsock->rx_lock); +-- +2.19.1 + diff --git a/queue-4.9/vti4-fix-a-ipip-packet-processing-bug-in-ipcomp-virt.patch b/queue-4.9/vti4-fix-a-ipip-packet-processing-bug-in-ipcomp-virt.patch new file mode 100644 index 00000000000..2bb5d6f0bf0 --- /dev/null +++ b/queue-4.9/vti4-fix-a-ipip-packet-processing-bug-in-ipcomp-virt.patch 
@@ -0,0 +1,119 @@ +From 68546b9d8b81a0860bfac539a0b68f0f06fab025 Mon Sep 17 00:00:00 2001 +From: Su Yanjun +Date: Sun, 6 Jan 2019 21:31:20 -0500 +Subject: vti4: Fix a ipip packet processing bug in 'IPCOMP' virtual tunnel + +[ Upstream commit dd9ee3444014e8f28c0eefc9fffc9ac9c5248c12 ] + +Recently we run a network test over ipcomp virtual tunnel.We find that +if a ipv4 packet needs fragment, then the peer can't receive +it. + +We deep into the code and find that when packet need fragment the smaller +fragment will be encapsulated by ipip not ipcomp. So when the ipip packet +goes into xfrm, it's skb->dev is not properly set. The ipv4 reassembly code +always set skb'dev to the last fragment's dev. After ipv4 defrag processing, +when the kernel rp_filter parameter is set, the skb will be drop by -EXDEV +error. + +This patch adds compatible support for the ipip process in ipcomp virtual tunnel. + +Signed-off-by: Su Yanjun +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/ipv4/ip_vti.c | 50 +++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 50 insertions(+) + +diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c +index cbff0d6ff1ac..270e79f4d40e 100644 +--- a/net/ipv4/ip_vti.c ++++ b/net/ipv4/ip_vti.c +@@ -74,6 +74,33 @@ static int vti_input(struct sk_buff *skb, int nexthdr, __be32 spi, + return 0; + } + ++static int vti_input_ipip(struct sk_buff *skb, int nexthdr, __be32 spi, ++ int encap_type) ++{ ++ struct ip_tunnel *tunnel; ++ const struct iphdr *iph = ip_hdr(skb); ++ struct net *net = dev_net(skb->dev); ++ struct ip_tunnel_net *itn = net_generic(net, vti_net_id); ++ ++ tunnel = ip_tunnel_lookup(itn, skb->dev->ifindex, TUNNEL_NO_KEY, ++ iph->saddr, iph->daddr, 0); ++ if (tunnel) { ++ if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb)) ++ goto drop; ++ ++ XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = tunnel; ++ ++ skb->dev = tunnel->dev; ++ ++ return xfrm_input(skb, nexthdr, spi, encap_type); ++ } ++ ++ return -EINVAL; ++drop: ++ 
kfree_skb(skb); ++ return 0; ++} ++ + static int vti_rcv(struct sk_buff *skb) + { + XFRM_SPI_SKB_CB(skb)->family = AF_INET; +@@ -82,6 +109,14 @@ static int vti_rcv(struct sk_buff *skb) + return vti_input(skb, ip_hdr(skb)->protocol, 0, 0); + } + ++static int vti_rcv_ipip(struct sk_buff *skb) ++{ ++ XFRM_SPI_SKB_CB(skb)->family = AF_INET; ++ XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr); ++ ++ return vti_input_ipip(skb, ip_hdr(skb)->protocol, ip_hdr(skb)->saddr, 0); ++} ++ + static int vti_rcv_cb(struct sk_buff *skb, int err) + { + unsigned short family; +@@ -439,6 +474,12 @@ static struct xfrm4_protocol vti_ipcomp4_protocol __read_mostly = { + .priority = 100, + }; + ++static struct xfrm_tunnel ipip_handler __read_mostly = { ++ .handler = vti_rcv_ipip, ++ .err_handler = vti4_err, ++ .priority = 0, ++}; ++ + static int __net_init vti_init_net(struct net *net) + { + int err; +@@ -622,6 +663,13 @@ static int __init vti_init(void) + if (err < 0) + goto xfrm_proto_comp_failed; + ++ msg = "ipip tunnel"; ++ err = xfrm4_tunnel_register(&ipip_handler, AF_INET); ++ if (err < 0) { ++ pr_info("%s: cant't register tunnel\n",__func__); ++ goto xfrm_tunnel_failed; ++ } ++ + msg = "netlink interface"; + err = rtnl_link_register(&vti_link_ops); + if (err < 0) +@@ -631,6 +679,8 @@ static int __init vti_init(void) + + rtnl_link_failed: + xfrm4_protocol_deregister(&vti_ipcomp4_protocol, IPPROTO_COMP); ++xfrm_tunnel_failed: ++ xfrm4_tunnel_deregister(&ipip_handler, AF_INET); + xfrm_proto_comp_failed: + xfrm4_protocol_deregister(&vti_ah4_protocol, IPPROTO_AH); + xfrm_proto_ah_failed: +-- +2.19.1 + diff --git a/queue-4.9/x86-kexec-don-t-setup-efi-info-if-efi-runtime-is-not.patch b/queue-4.9/x86-kexec-don-t-setup-efi-info-if-efi-runtime-is-not.patch new file mode 100644 index 00000000000..4427ac5632c --- /dev/null +++ b/queue-4.9/x86-kexec-don-t-setup-efi-info-if-efi-runtime-is-not.patch 
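Review bot: The unwind labels added to `vti_init()` are in the wrong order: a failed `xfrm4_tunnel_register()` jumps to `xfrm_tunnel_failed`, which deregisters `ipip_handler` (never registered on that path) and then falls through past the `vti_ipcomp4_protocol` deregistration, so the IPCOMP handler stays registered after init has failed. The two calls should be swapped, so that `rtnl_link_failed:` is followed by `xfrm4_tunnel_deregister(&ipip_handler, AF_INET);` and `xfrm_tunnel_failed:` by `xfrm4_protocol_deregister(&vti_ipcomp4_protocol, IPPROTO_COMP);`. None of the hunks touches the module exit function, which lies outside them, so `ipip_handler` may also stay registered across an unload; please check that the exit path calls `xfrm4_tunnel_deregister()`. The new `pr_info()` has a typo (`cant't`) and appears to duplicate what the `msg = "ipip tunnel"` assignment is there to report.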
@@ -0,0 +1,70 @@ +From 0383a303087b85df031d205ab020f3235a739ce1 Mon Sep 17 00:00:00 2001 +From: Kairui Song +Date: Fri, 18 Jan 2019 19:13:08 +0800 +Subject: x86/kexec: Don't setup EFI info if EFI runtime is not enabled + +[ Upstream commit 2aa958c99c7fd3162b089a1a56a34a0cdb778de1 ] + +Kexec-ing a kernel with "efi=noruntime" on the first kernel's command +line causes the following null pointer dereference: + + BUG: unable to handle kernel NULL pointer dereference at 0000000000000000 + #PF error: [normal kernel read fault] + Call Trace: + efi_runtime_map_copy+0x28/0x30 + bzImage64_load+0x688/0x872 + arch_kexec_kernel_image_load+0x6d/0x70 + kimage_file_alloc_init+0x13e/0x220 + __x64_sys_kexec_file_load+0x144/0x290 + do_syscall_64+0x55/0x1a0 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Just skip the EFI info setup if EFI runtime services are not enabled. + + [ bp: Massage commit message. ] + +Suggested-by: Dave Young +Signed-off-by: Kairui Song +Signed-off-by: Borislav Petkov +Acked-by: Dave Young +Cc: AKASHI Takahiro +Cc: Andrew Morton +Cc: Ard Biesheuvel +Cc: bhe@redhat.com +Cc: David Howells +Cc: erik.schmauss@intel.com +Cc: fanc.fnst@cn.fujitsu.com +Cc: "H. 
Peter Anvin" +Cc: Ingo Molnar +Cc: kexec@lists.infradead.org +Cc: lenb@kernel.org +Cc: linux-acpi@vger.kernel.org +Cc: Philipp Rudo +Cc: rafael.j.wysocki@intel.com +Cc: robert.moore@intel.com +Cc: Thomas Gleixner +Cc: x86-ml +Cc: Yannik Sembritzki +Link: https://lkml.kernel.org/r/20190118111310.29589-2-kasong@redhat.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/kexec-bzimage64.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c +index 490f9be3fda2..167ecc270ca5 100644 +--- a/arch/x86/kernel/kexec-bzimage64.c ++++ b/arch/x86/kernel/kexec-bzimage64.c +@@ -167,6 +167,9 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr, + struct efi_info *current_ei = &boot_params.efi_info; + struct efi_info *ei = ¶ms->efi_info; + ++ if (!efi_enabled(EFI_RUNTIME_SERVICES)) ++ return 0; ++ + if (!current_ei->efi_memmap_size) + return 0; + +-- +2.19.1 + diff --git a/queue-4.9/x86_64-increase-stack-size-for-kasan_extra.patch b/queue-4.9/x86_64-increase-stack-size-for-kasan_extra.patch new file mode 100644 index 00000000000..75f193487be --- /dev/null +++ b/queue-4.9/x86_64-increase-stack-size-for-kasan_extra.patch 
@@ -0,0 +1,82 @@ +From 0c8d9702c8745d4b4e89ae3d8ba34f4543b00a0b Mon Sep 17 00:00:00 2001 +From: Qian Cai +Date: Fri, 1 Feb 2019 14:20:20 -0800 +Subject: x86_64: increase stack size for KASAN_EXTRA + +[ Upstream commit a8e911d13540487942d53137c156bd7707f66e5d ] + +If the kernel is configured with KASAN_EXTRA, the stack size is +increasted significantly because this option sets "-fstack-reuse" to +"none" in GCC [1]. As a result, it triggers stack overrun quite often +with 32k stack size compiled using GCC 8. For example, this reproducer + + https://github.com/linux-test-project/ltp/blob/master/testcases/kernel/syscalls/madvise/madvise06.c + +triggers a "corrupted stack end detected inside scheduler" very reliably +with CONFIG_SCHED_STACK_END_CHECK enabled. + +There are just too many functions that could have a large stack with +KASAN_EXTRA due to large local variables that have been called over and +over again without being able to reuse the stacks. Some noticiable ones +are + + size + 7648 shrink_page_list + 3584 xfs_rmap_convert + 3312 migrate_page_move_mapping + 3312 dev_ethtool + 3200 migrate_misplaced_transhuge_page + 3168 copy_process + +There are other 49 functions are over 2k in size while compiling kernel +with "-Wframe-larger-than=" even with a related minimal config on this +machine. Hence, it is too much work to change Makefiles for each object +to compile without "-fsanitize-address-use-after-scope" individually. + +[1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81715#c23 + +Although there is a patch in GCC 9 to help the situation, GCC 9 probably +won't be released in a few months and then it probably take another +6-month to 1-year for all major distros to include it as a default. +Hence, the stack usage with KASAN_EXTRA can be revisited again in 2020 +when GCC 9 is everywhere. Until then, this patch will help users avoid +stack overrun. 
+ +This has already been fixed for arm64 for the same reason via +6e8830674ea ("arm64: kasan: Increase stack size for KASAN_EXTRA"). + +Link: http://lkml.kernel.org/r/20190109215209.2903-1-cai@lca.pw +Signed-off-by: Qian Cai +Cc: Thomas Gleixner +Cc: Ingo Molnar +Cc: Borislav Petkov +Cc: "H. Peter Anvin" +Cc: Andrey Ryabinin +Cc: Alexander Potapenko +Cc: Dmitry Vyukov +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/page_64_types.h | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/arch/x86/include/asm/page_64_types.h b/arch/x86/include/asm/page_64_types.h +index 9215e0527647..390fdd39e0e2 100644 +--- a/arch/x86/include/asm/page_64_types.h ++++ b/arch/x86/include/asm/page_64_types.h +@@ -6,7 +6,11 @@ + #endif + + #ifdef CONFIG_KASAN ++#ifdef CONFIG_KASAN_EXTRA ++#define KASAN_STACK_ORDER 2 ++#else + #define KASAN_STACK_ORDER 1 ++#endif + #else + #define KASAN_STACK_ORDER 0 + #endif +-- +2.19.1 + diff --git a/queue-4.9/xtensa-smp-fix-ccount_timer_shutdown.patch b/queue-4.9/xtensa-smp-fix-ccount_timer_shutdown.patch new file mode 100644 index 00000000000..70b12571fc3 --- /dev/null +++ b/queue-4.9/xtensa-smp-fix-ccount_timer_shutdown.patch 
@@ -0,0 +1,55 @@ +From 93875974ffc0292755b40634d1a4135a551dfa00 Mon Sep 17 00:00:00 2001 +From: Max Filippov +Date: Mon, 29 Jan 2018 09:09:41 -0800 +Subject: xtensa: SMP: fix ccount_timer_shutdown + +[ Upstream commit 4fe8713b873fc881284722ce4ac47995de7cf62c ] + +ccount_timer_shutdown is called from the atomic context in the +secondary_start_kernel, resulting in the following BUG: + +BUG: sleeping function called from invalid context +in_atomic(): 1, irqs_disabled(): 1, pid: 0, name: swapper/1 +Preemption disabled at: + secondary_start_kernel+0xa1/0x130 +Call Trace: + ___might_sleep+0xe7/0xfc + __might_sleep+0x41/0x44 + synchronize_irq+0x24/0x64 + disable_irq+0x11/0x14 + ccount_timer_shutdown+0x12/0x20 + clockevents_switch_state+0x82/0xb4 + clockevents_exchange_device+0x54/0x60 + tick_check_new_device+0x46/0x70 + clockevents_register_device+0x8c/0xc8 + clockevents_config_and_register+0x1d/0x2c + local_timer_setup+0x75/0x7c + secondary_start_kernel+0xb4/0x130 + should_never_return+0x32/0x35 + +Use disable_irq_nosync instead of disable_irq to avoid it. +This is safe because the ccount timer IRQ is per-CPU, and once IRQ is +masked the ISR will not be called. + +Signed-off-by: Max Filippov +Signed-off-by: Sasha Levin +--- + arch/xtensa/kernel/time.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/xtensa/kernel/time.c b/arch/xtensa/kernel/time.c +index be81e69b25bc..2251a6e0973a 100644 +--- a/arch/xtensa/kernel/time.c ++++ b/arch/xtensa/kernel/time.c +@@ -89,7 +89,7 @@ static int ccount_timer_shutdown(struct clock_event_device *evt) + container_of(evt, struct ccount_timer, evt); + + if (timer->irq_enabled) { +- disable_irq(evt->irq); ++ disable_irq_nosync(evt->irq); + timer->irq_enabled = 0; + } + return 0; +-- +2.19.1 + diff --git a/queue-4.9/xtensa-smp-fix-secondary-cpu-initialization.patch b/queue-4.9/xtensa-smp-fix-secondary-cpu-initialization.patch new file mode 100644 index 00000000000..6b970919afd --- /dev/null 
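Review bot: The switch to `disable_irq_nosync()` in `ccount_timer_shutdown()` is safe only because of two facts that the commit message records and the code does not. The callback can run in atomic context, and the ccount IRQ is per-CPU, so nothing needs to wait for a handler on another CPU. Without that next to the call, a later cleanup could plausibly turn it back into `disable_irq()` and reintroduce the sleeping-in-atomic BUG. I would add `/* nosync: may be called in atomic context; the ccount IRQ is per-CPU, so once masked the ISR cannot run */` above the call. The function body starts outside the hunk.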
+++ b/queue-4.9/xtensa-smp-fix-secondary-cpu-initialization.patch 
@@ -0,0 +1,128 @@ +From 389218e28ff521d3ce9e395b756b1b25ef73d914 Mon Sep 17 00:00:00 2001 +From: Max Filippov +Date: Fri, 21 Dec 2018 08:26:20 -0800 +Subject: xtensa: SMP: fix secondary CPU initialization + +[ Upstream commit 32a7726c4f4aadfabdb82440d84f88a5a2c8fe13 ] + +- add missing memory barriers to the secondary CPU synchronization spin + loops; add comment to the matching memory barrier in the boot_secondary + and __cpu_die functions; +- use READ_ONCE/WRITE_ONCE to access cpu_start_id/cpu_start_ccount + instead of reading/writing them directly; +- re-initialize cpu_running every time before starting secondary CPU to + flush possible previous CPU startup results. + +Signed-off-by: Max Filippov +Signed-off-by: Sasha Levin +--- + arch/xtensa/kernel/head.S | 5 ++++- + arch/xtensa/kernel/smp.c | 34 +++++++++++++++++++++------------- + 2 files changed, 25 insertions(+), 14 deletions(-) + +diff --git a/arch/xtensa/kernel/head.S b/arch/xtensa/kernel/head.S +index 27c8e07ace43..29f445b410b3 100644 +--- a/arch/xtensa/kernel/head.S ++++ b/arch/xtensa/kernel/head.S +@@ -281,12 +281,13 @@ should_never_return: + + movi a2, cpu_start_ccount + 1: ++ memw + l32i a3, a2, 0 + beqi a3, 0, 1b + movi a3, 0 + s32i a3, a2, 0 +- memw + 1: ++ memw + l32i a3, a2, 0 + beqi a3, 0, 1b + wsr a3, ccount +@@ -323,11 +324,13 @@ ENTRY(cpu_restart) + rsr a0, prid + neg a2, a0 + movi a3, cpu_start_id ++ memw + s32i a2, a3, 0 + #if XCHAL_DCACHE_IS_WRITEBACK + dhwbi a3, 0 + #endif + 1: ++ memw + l32i a2, a3, 0 + dhi a3, 0 + bne a2, a0, 1b +diff --git a/arch/xtensa/kernel/smp.c b/arch/xtensa/kernel/smp.c +index fc4ad21a5ed4..fd0f0b50e021 100644 +--- a/arch/xtensa/kernel/smp.c ++++ b/arch/xtensa/kernel/smp.c +@@ -192,9 +192,11 @@ static int boot_secondary(unsigned int cpu, struct task_struct *ts) + int i; + + #ifdef CONFIG_HOTPLUG_CPU +- cpu_start_id = cpu; +- system_flush_invalidate_dcache_range( +- (unsigned long)&cpu_start_id, sizeof(cpu_start_id)); ++ WRITE_ONCE(cpu_start_id, cpu); ++ /* Pairs 
with the third memw in the cpu_restart */ ++ mb(); ++ system_flush_invalidate_dcache_range((unsigned long)&cpu_start_id, ++ sizeof(cpu_start_id)); + #endif + smp_call_function_single(0, mx_cpu_start, (void *)cpu, 1); + +@@ -203,18 +205,21 @@ static int boot_secondary(unsigned int cpu, struct task_struct *ts) + ccount = get_ccount(); + while (!ccount); + +- cpu_start_ccount = ccount; ++ WRITE_ONCE(cpu_start_ccount, ccount); + +- while (time_before(jiffies, timeout)) { ++ do { ++ /* ++ * Pairs with the first two memws in the ++ * .Lboot_secondary. ++ */ + mb(); +- if (!cpu_start_ccount) +- break; +- } ++ ccount = READ_ONCE(cpu_start_ccount); ++ } while (ccount && time_before(jiffies, timeout)); + +- if (cpu_start_ccount) { ++ if (ccount) { + smp_call_function_single(0, mx_cpu_stop, +- (void *)cpu, 1); +- cpu_start_ccount = 0; ++ (void *)cpu, 1); ++ WRITE_ONCE(cpu_start_ccount, 0); + return -EIO; + } + } +@@ -234,6 +239,7 @@ int __cpu_up(unsigned int cpu, struct task_struct *idle) + pr_debug("%s: Calling wakeup_secondary(cpu:%d, idle:%p, sp: %08lx)\n", + __func__, cpu, idle, start_info.stack); + ++ init_completion(&cpu_running); + ret = boot_secondary(cpu, idle); + if (ret == 0) { + wait_for_completion_timeout(&cpu_running, +@@ -295,8 +301,10 @@ void __cpu_die(unsigned int cpu) + unsigned long timeout = jiffies + msecs_to_jiffies(1000); + while (time_before(jiffies, timeout)) { + system_invalidate_dcache_range((unsigned long)&cpu_start_id, +- sizeof(cpu_start_id)); +- if (cpu_start_id == -cpu) { ++ sizeof(cpu_start_id)); ++ /* Pairs with the second memw in the cpu_restart */ ++ mb(); ++ if (READ_ONCE(cpu_start_id) == -cpu) { + platform_cpu_kill(cpu); + return; + } +-- +2.19.1 + diff --git a/queue-4.9/xtensa-smp-limit-number-of-possible-cpus-by-nr_cpus.patch b/queue-4.9/xtensa-smp-limit-number-of-possible-cpus-by-nr_cpus.patch new file mode 100644 index 00000000000..58b0cf4f819 --- /dev/null +++ b/queue-4.9/xtensa-smp-limit-number-of-possible-cpus-by-nr_cpus.patch 
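Review bot: The pairing comments added in smp.c identify their counterpart barriers by position (`the third memw in the cpu_restart`, `the first two memws in the .Lboot_secondary`), while the head.S side of each pair gets no comment at all. A positional reference goes stale as soon as a `memw` is added or removed in head.S, and the head.S hunks only show part of `cpu_restart`, so the count cannot be checked from here. I would annotate each barrier in head.S with its partner, e.g. `memw /* pairs with mb() in boot_secondary() */`, and have the C comments name the variable being ordered (`cpu_start_id`, `cpu_start_ccount`) rather than an ordinal. Both `boot_secondary()` and `__cpu_die()` extend beyond the hunks.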
@@ -0,0 +1,49 @@ +From 63305c04169e1783ae5d7535b79849220fe75532 Mon Sep 17 00:00:00 2001 +From: Max Filippov +Date: Sat, 26 Jan 2019 20:35:18 -0800 +Subject: xtensa: SMP: limit number of possible CPUs by NR_CPUS + +[ Upstream commit 25384ce5f9530def39421597b1457d9462df6455 ] + +This fixes the following warning at boot when the kernel is booted on a +board with more CPU cores than was configured in NR_CPUS: + + smp_init_cpus: Core Count = 8 + smp_init_cpus: Core Id = 0 + ------------[ cut here ]------------ + WARNING: CPU: 0 PID: 0 at include/linux/cpumask.h:121 smp_init_cpus+0x54/0x74 + Modules linked in: + CPU: 0 PID: 0 Comm: swapper Not tainted 5.0.0-rc3-00015-g1459333f88a0 #124 + Call Trace: + __warn$part$3+0x6a/0x7c + warn_slowpath_null+0x35/0x3c + smp_init_cpus+0x54/0x74 + setup_arch+0x1c0/0x1d0 + start_kernel+0x44/0x310 + _startup+0x107/0x107 + +Signed-off-by: Max Filippov +Signed-off-by: Sasha Levin +--- + arch/xtensa/kernel/smp.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/arch/xtensa/kernel/smp.c b/arch/xtensa/kernel/smp.c +index 8329891071aa..44805673a250 100644 +--- a/arch/xtensa/kernel/smp.c ++++ b/arch/xtensa/kernel/smp.c +@@ -93,6 +93,11 @@ void __init smp_init_cpus(void) + pr_info("%s: Core Count = %d\n", __func__, ncpus); + pr_info("%s: Core Id = %d\n", __func__, core_id); + ++ if (ncpus > NR_CPUS) { ++ ncpus = NR_CPUS; ++ pr_info("%s: limiting core count by %d\n", __func__, ncpus); ++ } ++ + for (i = 0; i < ncpus; ++i) + set_cpu_possible(i, true); + } +-- +2.19.1 + diff --git a/queue-4.9/xtensa-smp-mark-each-possible-cpu-as-present.patch b/queue-4.9/xtensa-smp-mark-each-possible-cpu-as-present.patch new file mode 100644 index 00000000000..3e6e9047494 --- /dev/null +++ b/queue-4.9/xtensa-smp-mark-each-possible-cpu-as-present.patch 
@@ -0,0 +1,32 @@ +From 80798c5f3f9a66ca0497bcad2ddd2874d7a352e5 Mon Sep 17 00:00:00 2001 +From: Max Filippov +Date: Sat, 19 Jan 2019 00:26:48 -0800 +Subject: xtensa: SMP: mark each possible CPU as present + +[ Upstream commit 8b1c42cdd7181200dc1fff39dcb6ac1a3fac2c25 ] + +Otherwise it is impossible to enable CPUs after booting with 'maxcpus' +parameter. + +Signed-off-by: Max Filippov +Signed-off-by: Sasha Levin +--- + arch/xtensa/kernel/smp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/xtensa/kernel/smp.c b/arch/xtensa/kernel/smp.c +index fd0f0b50e021..8329891071aa 100644 +--- a/arch/xtensa/kernel/smp.c ++++ b/arch/xtensa/kernel/smp.c +@@ -80,7 +80,7 @@ void __init smp_prepare_cpus(unsigned int max_cpus) + { + unsigned i; + +- for (i = 0; i < max_cpus; ++i) ++ for_each_possible_cpu(i) + set_cpu_present(i, true); + } + +-- +2.19.1 + diff --git a/queue-4.9/xtensa-smp_lx200_defconfig-fix-vectors-clash.patch b/queue-4.9/xtensa-smp_lx200_defconfig-fix-vectors-clash.patch new file mode 100644 index 00000000000..69f79df94b0 --- /dev/null +++ b/queue-4.9/xtensa-smp_lx200_defconfig-fix-vectors-clash.patch 
@@ -0,0 +1,33 @@ +From 18912fee36d492b925479c6cff35c9a8cfab7f6d Mon Sep 17 00:00:00 2001 +From: Max Filippov +Date: Thu, 24 Jan 2019 17:16:11 -0800 +Subject: xtensa: smp_lx200_defconfig: fix vectors clash + +[ Upstream commit 306b38305c0f86de7f17c5b091a95451dcc93d7d ] + +Secondary CPU reset vector overlaps part of the double exception handler +code, resulting in weird crashes and hangups when running user code. +Move exception vectors one page up so that they don't clash with the +secondary CPU reset vector. + +Signed-off-by: Max Filippov +Signed-off-by: Sasha Levin +--- + arch/xtensa/configs/smp_lx200_defconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/xtensa/configs/smp_lx200_defconfig b/arch/xtensa/configs/smp_lx200_defconfig +index 14e3ca353ac8..5035b86a2e49 100644 +--- a/arch/xtensa/configs/smp_lx200_defconfig ++++ b/arch/xtensa/configs/smp_lx200_defconfig +@@ -34,6 +34,7 @@ CONFIG_SMP=y + CONFIG_HOTPLUG_CPU=y + # CONFIG_INITIALIZE_XTENSA_MMU_INSIDE_VMLINUX is not set + # CONFIG_PCI is not set ++CONFIG_VECTORS_OFFSET=0x00002000 + CONFIG_XTENSA_PLATFORM_XTFPGA=y + CONFIG_CMDLINE_BOOL=y + CONFIG_CMDLINE="earlycon=uart8250,mmio32native,0xfd050020,115200n8 console=ttyS0,115200n8 ip=dhcp root=/dev/nfs rw debug memmap=96M@0" +-- +2.19.1 + -- 2.47.2