From dd17b9d1ad07eba2c99faed0e161c63d47f9aa46 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 23 Mar 2020 15:59:10 +0100 Subject: [PATCH] 5.4-stable patches added patches: arm64-compat-fix-syscall-number-of-compat_clock_getres.patch btrfs-fix-log-context-list-corruption-after-rename-whiteout-error.patch cifs-fiemap-do-not-return-einval-if-get-nothing.patch drm-amd-amdgpu-fix-gpr-read-from-debugfs-v2.patch drm-lease-fix-warning-in-idr_destroy.patch epoll-fix-possible-lost-wakeup-on-epoll_ctl-path.patch iio-accel-adxl372-set-iio_chan-be.patch iio-adc-at91-sama5d2_adc-fix-differential-channels-in-triggered-mode.patch iio-adc-stm32-dfsdm-fix-sleep-in-atomic-context.patch iio-chemical-sps30-fix-missing-triggered-buffer-dependency.patch iio-light-vcnl4000-update-sampling-periods-for-vcnl4040.patch iio-light-vcnl4000-update-sampling-periods-for-vcnl4200.patch iio-magnetometer-ak8974-fix-negative-raw-values-in-sysfs.patch iio-st_sensors-remap-smo8840-to-lis2dh12.patch iio-trigger-stm32-timer-disable-master-mode-when-stopping.patch intel_th-fix-user-visible-error-codes.patch intel_th-msu-fix-the-unexpected-state-warning.patch intel_th-pci-add-elkhart-lake-cpu-support.patch kbuild-disable-wpointer-to-enum-cast.patch memcg-fix-null-pointer-dereference-in-__mem_cgroup_usage_unregister_event.patch mm-do-not-allow-madv_pageout-for-cow-pages.patch mm-hotplug-fix-hot-remove-failure-in-sparsemem-vmemmap-case.patch mm-memcg-fix-corruption-on-64-bit-divisor-in-memory.high-throttling.patch mm-memcg-throttle-allocators-based-on-ancestral-memory.high.patch mm-slub-be-more-careful-about-the-double-cmpxchg-of-freelist.patch mm-slub-prevent-kmalloc_node-crashes-and-memory-leaks.patch mmc-rtsx_pci-fix-support-for-speed-modes-that-relies-on-tuning.patch mmc-sdhci-cadence-set-sdhci_quirk2_preset_value_broken-for-uniphier.patch mmc-sdhci-of-at91-fix-cd-gpios-for-sama5d2.patch modpost-move-the-namespace-field-in-module.symvers-last.patch page-flags-fix-a-crash-at-setpageerror-thp_swap.patch rtc-max8907-add-missing-select-regmap_irq.patch staging-greybus-loopback_test-fix-poll-mask-build-breakage.patch staging-rtl8188eu-add-device-id-for-mercusys-mw150us-v2.patch staging-speakup-fix-get_word-non-space-look-ahead.patch stm-class-sys-t-fix-the-use-of-time_after.patch tty-fix-compat-tiocgserial-checking-wrong-function-ptr.patch tty-fix-compat-tiocgserial-leaking-uninitialized-memory.patch x86-mm-split-vmalloc_sync_all.patch xhci-do-not-open-code-__print_symbolic-in-xhci-trace-events.patch --- ...yscall-number-of-compat_clock_getres.patch | 39 ++++ ...rruption-after-rename-whiteout-error.patch | 45 ++++ ...-do-not-return-einval-if-get-nothing.patch | 39 ++++ ...-amdgpu-fix-gpr-read-from-debugfs-v2.patch | 54 +++++ ...drm-lease-fix-warning-in-idr_destroy.patch | 52 +++++ ...ssible-lost-wakeup-on-epoll_ctl-path.patch | 82 +++++++ .../iio-accel-adxl372-set-iio_chan-be.patch | 32 +++ ...ferential-channels-in-triggered-mode.patch | 54 +++++ ...32-dfsdm-fix-sleep-in-atomic-context.patch | 100 +++++++++ ...-missing-triggered-buffer-dependency.patch | 37 ++++ ...update-sampling-periods-for-vcnl4040.patch | 51 +++++ ...update-sampling-periods-for-vcnl4200.patch | 50 +++++ ...974-fix-negative-raw-values-in-sysfs.patch | 41 ++++ ...st_sensors-remap-smo8840-to-lis2dh12.patch | 34 +++ ...er-disable-master-mode-when-stopping.patch | 58 +++++ ...ntel_th-fix-user-visible-error-codes.patch | 52 +++++ ...msu-fix-the-unexpected-state-warning.patch | 46 ++++ ..._th-pci-add-elkhart-lake-cpu-support.patch | 35 +++ ...kbuild-disable-wpointer-to-enum-cast.patch | 45 ++++ ...-__mem_cgroup_usage_unregister_event.patch | 123 +++++++++++ ...not-allow-madv_pageout-for-cow-pages.patch | 79 +++++++ ...ve-failure-in-sparsemem-vmemmap-case.patch | 92 ++++++++ ...it-divisor-in-memory.high-throttling.patch | 45 ++++ ...ators-based-on-ancestral-memory.high.patch | 160 ++++++++++++++ ...about-the-double-cmpxchg-of-freelist.patch | 52 +++++ ...malloc_node-crashes-and-memory-leaks.patch | 169 +++++++++++++++ ...or-speed-modes-that-relies-on-tuning.patch | 97 +++++++++ ...rk2_preset_value_broken-for-uniphier.patch | 89 ++++++++ ...hci-of-at91-fix-cd-gpios-for-sama5d2.patch | 56 +++++ ...mespace-field-in-module.symvers-last.patch | 126 +++++++++++ ...fix-a-crash-at-setpageerror-thp_swap.patch | 66 ++++++ ...ax8907-add-missing-select-regmap_irq.patch | 36 +++ queue-5.4/series | 40 ++++ ...ck_test-fix-poll-mask-build-breakage.patch | 43 ++++ ...dd-device-id-for-mercusys-mw150us-v2.patch | 32 +++ ...up-fix-get_word-non-space-look-ahead.patch | 43 ++++ ...lass-sys-t-fix-the-use-of-time_after.patch | 46 ++++ ...cgserial-checking-wrong-function-ptr.patch | 40 ++++ ...gserial-leaking-uninitialized-memory.patch | 44 ++++ queue-5.4/x86-mm-split-vmalloc_sync_all.patch | 205 ++++++++++++++++++ ..._print_symbolic-in-xhci-trace-events.patch | 69 ++++++ 41 files changed, 2698 insertions(+) create mode 100644 queue-5.4/arm64-compat-fix-syscall-number-of-compat_clock_getres.patch create mode 100644 queue-5.4/btrfs-fix-log-context-list-corruption-after-rename-whiteout-error.patch create mode 100644 queue-5.4/cifs-fiemap-do-not-return-einval-if-get-nothing.patch create mode 100644 queue-5.4/drm-amd-amdgpu-fix-gpr-read-from-debugfs-v2.patch create mode 100644 queue-5.4/drm-lease-fix-warning-in-idr_destroy.patch create mode 100644 queue-5.4/epoll-fix-possible-lost-wakeup-on-epoll_ctl-path.patch create mode 100644 queue-5.4/iio-accel-adxl372-set-iio_chan-be.patch create mode 100644 queue-5.4/iio-adc-at91-sama5d2_adc-fix-differential-channels-in-triggered-mode.patch create mode 100644 queue-5.4/iio-adc-stm32-dfsdm-fix-sleep-in-atomic-context.patch create mode 100644 queue-5.4/iio-chemical-sps30-fix-missing-triggered-buffer-dependency.patch create mode 100644 queue-5.4/iio-light-vcnl4000-update-sampling-periods-for-vcnl4040.patch create mode 100644 queue-5.4/iio-light-vcnl4000-update-sampling-periods-for-vcnl4200.patch create mode 100644 queue-5.4/iio-magnetometer-ak8974-fix-negative-raw-values-in-sysfs.patch create mode 100644 queue-5.4/iio-st_sensors-remap-smo8840-to-lis2dh12.patch create mode 100644 queue-5.4/iio-trigger-stm32-timer-disable-master-mode-when-stopping.patch create mode 100644 queue-5.4/intel_th-fix-user-visible-error-codes.patch create mode 100644 queue-5.4/intel_th-msu-fix-the-unexpected-state-warning.patch create mode 100644 queue-5.4/intel_th-pci-add-elkhart-lake-cpu-support.patch create mode 100644 queue-5.4/kbuild-disable-wpointer-to-enum-cast.patch create mode 100644 queue-5.4/memcg-fix-null-pointer-dereference-in-__mem_cgroup_usage_unregister_event.patch create mode 100644 queue-5.4/mm-do-not-allow-madv_pageout-for-cow-pages.patch create mode 100644 queue-5.4/mm-hotplug-fix-hot-remove-failure-in-sparsemem-vmemmap-case.patch create mode 100644 queue-5.4/mm-memcg-fix-corruption-on-64-bit-divisor-in-memory.high-throttling.patch create mode 100644 queue-5.4/mm-memcg-throttle-allocators-based-on-ancestral-memory.high.patch create mode 100644 queue-5.4/mm-slub-be-more-careful-about-the-double-cmpxchg-of-freelist.patch create mode 100644 queue-5.4/mm-slub-prevent-kmalloc_node-crashes-and-memory-leaks.patch create mode 100644 queue-5.4/mmc-rtsx_pci-fix-support-for-speed-modes-that-relies-on-tuning.patch create mode 100644 queue-5.4/mmc-sdhci-cadence-set-sdhci_quirk2_preset_value_broken-for-uniphier.patch create mode 100644 queue-5.4/mmc-sdhci-of-at91-fix-cd-gpios-for-sama5d2.patch create mode 100644 queue-5.4/modpost-move-the-namespace-field-in-module.symvers-last.patch create mode 100644 queue-5.4/page-flags-fix-a-crash-at-setpageerror-thp_swap.patch create mode 100644 queue-5.4/rtc-max8907-add-missing-select-regmap_irq.patch create mode 100644 queue-5.4/staging-greybus-loopback_test-fix-poll-mask-build-breakage.patch create mode 100644 queue-5.4/staging-rtl8188eu-add-device-id-for-mercusys-mw150us-v2.patch create mode 100644 queue-5.4/staging-speakup-fix-get_word-non-space-look-ahead.patch create mode 100644 queue-5.4/stm-class-sys-t-fix-the-use-of-time_after.patch create mode 100644 queue-5.4/tty-fix-compat-tiocgserial-checking-wrong-function-ptr.patch create mode 100644 queue-5.4/tty-fix-compat-tiocgserial-leaking-uninitialized-memory.patch create mode 100644 queue-5.4/x86-mm-split-vmalloc_sync_all.patch create mode 100644 queue-5.4/xhci-do-not-open-code-__print_symbolic-in-xhci-trace-events.patch diff --git a/queue-5.4/arm64-compat-fix-syscall-number-of-compat_clock_getres.patch b/queue-5.4/arm64-compat-fix-syscall-number-of-compat_clock_getres.patch new file mode 100644 index 00000000000..a931260223a --- /dev/null +++ b/queue-5.4/arm64-compat-fix-syscall-number-of-compat_clock_getres.patch @@ -0,0 +1,39 @@ +From 3568b88944fef28db3ee989b957da49ffc627ede Mon Sep 17 00:00:00 2001 +From: Vincenzo Frascino +Date: Thu, 19 Mar 2020 14:11:38 +0000 +Subject: arm64: compat: Fix syscall number of compat_clock_getres + +From: Vincenzo Frascino + +commit 3568b88944fef28db3ee989b957da49ffc627ede upstream. + +The syscall number of compat_clock_getres was erroneously set to 247 +(__NR_io_cancel!) instead of 264. This causes the vDSO fallback of +clock_getres() to land on the wrong syscall for compat tasks. + +Fix the numbering. + +Cc: +Fixes: 53c489e1dfeb6 ("arm64: compat: Add missing syscall numbers") +Acked-by: Catalin Marinas +Reviewed-by: Nick Desaulniers +Signed-off-by: Vincenzo Frascino +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/include/asm/unistd.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/include/asm/unistd.h ++++ b/arch/arm64/include/asm/unistd.h +@@ -25,8 +25,8 @@ + #define __NR_compat_gettimeofday 78 + #define __NR_compat_sigreturn 119 + #define __NR_compat_rt_sigreturn 173 +-#define __NR_compat_clock_getres 247 + #define __NR_compat_clock_gettime 263 ++#define __NR_compat_clock_getres 264 + #define __NR_compat_clock_gettime64 403 + #define __NR_compat_clock_getres_time64 406 + diff --git a/queue-5.4/btrfs-fix-log-context-list-corruption-after-rename-whiteout-error.patch b/queue-5.4/btrfs-fix-log-context-list-corruption-after-rename-whiteout-error.patch new file mode 100644 index 00000000000..a869df432fe --- /dev/null +++ b/queue-5.4/btrfs-fix-log-context-list-corruption-after-rename-whiteout-error.patch @@ -0,0 +1,45 @@ +From 236ebc20d9afc5e9ff52f3cf3f365a91583aac10 Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Tue, 10 Mar 2020 12:13:53 +0000 +Subject: btrfs: fix log context list corruption after rename whiteout error + +From: Filipe Manana + +commit 236ebc20d9afc5e9ff52f3cf3f365a91583aac10 upstream. + +During a rename whiteout, if btrfs_whiteout_for_rename() returns an error +we can end up returning from btrfs_rename() with the log context object +still in the root's log context list - this happens if 'sync_log' was +set to true before we called btrfs_whiteout_for_rename() and it is +dangerous because we end up with a corrupt linked list (root->log_ctxs) +as the log context object was allocated on the stack. + +After btrfs_rename() returns, any task that is running btrfs_sync_log() +concurrently can end up crashing because that linked list is traversed by +btrfs_sync_log() (through btrfs_remove_all_log_ctxs()). That results in +the same issue that commit e6c617102c7e4 ("Btrfs: fix log context list +corruption after rename exchange operation") fixed. + +Fixes: d4682ba03ef618 ("Btrfs: sync log after logging new name") +CC: stable@vger.kernel.org # 4.19+ +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/inode.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -10142,6 +10142,10 @@ out_fail: + ret = btrfs_sync_log(trans, BTRFS_I(old_inode)->root, &ctx); + if (ret) + commit_transaction = true; ++ } else if (sync_log) { ++ mutex_lock(&root->log_mutex); ++ list_del(&ctx.list); ++ mutex_unlock(&root->log_mutex); + } + if (commit_transaction) { + ret = btrfs_commit_transaction(trans); diff --git a/queue-5.4/cifs-fiemap-do-not-return-einval-if-get-nothing.patch b/queue-5.4/cifs-fiemap-do-not-return-einval-if-get-nothing.patch new file mode 100644 index 00000000000..701e455193e --- /dev/null +++ b/queue-5.4/cifs-fiemap-do-not-return-einval-if-get-nothing.patch @@ -0,0 +1,39 @@ +From 979a2665eb6c603ddce0ab374041ab101827b2e7 Mon Sep 17 00:00:00 2001 +From: Murphy Zhou +Date: Sat, 14 Mar 2020 11:38:31 +0800 +Subject: CIFS: fiemap: do not return EINVAL if get nothing + +From: Murphy Zhou + +commit 979a2665eb6c603ddce0ab374041ab101827b2e7 upstream. + +If we call fiemap on a truncated file with none blocks allocated, +it makes sense we get nothing from this call. No output means +no blocks have been counted, but the call succeeded. It's a valid +response. + +Simple example reproducer: +xfs_io -f 'truncate 2M' -c 'fiemap -v' /cifssch/testfile +xfs_io: ioctl(FS_IOC_FIEMAP) ["/cifssch/testfile"]: Invalid argument + +Signed-off-by: Murphy Zhou +Signed-off-by: Steve French +Reviewed-by: Pavel Shilovsky +CC: Stable +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/smb2ops.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -3252,7 +3252,7 @@ static int smb3_fiemap(struct cifs_tcon + if (rc) + goto out; + +- if (out_data_len < sizeof(struct file_allocated_range_buffer)) { ++ if (out_data_len && out_data_len < sizeof(struct file_allocated_range_buffer)) { + rc = -EINVAL; + goto out; + } diff --git a/queue-5.4/drm-amd-amdgpu-fix-gpr-read-from-debugfs-v2.patch b/queue-5.4/drm-amd-amdgpu-fix-gpr-read-from-debugfs-v2.patch new file mode 100644 index 00000000000..9eff51b3f1d --- /dev/null +++ b/queue-5.4/drm-amd-amdgpu-fix-gpr-read-from-debugfs-v2.patch @@ -0,0 +1,54 @@ +From 5bbc6604a62814511c32f2e39bc9ffb2c1b92cbe Mon Sep 17 00:00:00 2001 +From: Tom St Denis +Date: Tue, 10 Mar 2020 08:40:41 -0400 +Subject: drm/amd/amdgpu: Fix GPR read from debugfs (v2) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tom St Denis + +commit 5bbc6604a62814511c32f2e39bc9ffb2c1b92cbe upstream. + +The offset into the array was specified in bytes but should +be in terms of 32-bit words. Also prevent large reads that +would also cause a buffer overread. + +v2: Read from correct offset from internal storage buffer. + +Signed-off-by: Tom St Denis +Acked-by: Christian König +Reviewed-by: Alex Deucher +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c +@@ -694,11 +694,11 @@ static ssize_t amdgpu_debugfs_gpr_read(s + ssize_t result = 0; + uint32_t offset, se, sh, cu, wave, simd, thread, bank, *data; + +- if (size & 3 || *pos & 3) ++ if (size > 4096 || size & 3 || *pos & 3) + return -EINVAL; + + /* decode offset */ +- offset = *pos & GENMASK_ULL(11, 0); ++ offset = (*pos & GENMASK_ULL(11, 0)) >> 2; + se = (*pos & GENMASK_ULL(19, 12)) >> 12; + sh = (*pos & GENMASK_ULL(27, 20)) >> 20; + cu = (*pos & GENMASK_ULL(35, 28)) >> 28; +@@ -729,7 +729,7 @@ static ssize_t amdgpu_debugfs_gpr_read(s + while (size) { + uint32_t value; + +- value = data[offset++]; ++ value = data[result >> 2]; + r = put_user(value, (uint32_t *)buf); + if (r) { + result = r; diff --git a/queue-5.4/drm-lease-fix-warning-in-idr_destroy.patch b/queue-5.4/drm-lease-fix-warning-in-idr_destroy.patch new file mode 100644 index 00000000000..40b1ec23947 --- /dev/null +++ b/queue-5.4/drm-lease-fix-warning-in-idr_destroy.patch @@ -0,0 +1,52 @@ +From b216a8e7908cd750550c0480cf7d2b3a37f06954 Mon Sep 17 00:00:00 2001 +From: Qiujun Huang +Date: Wed, 18 Mar 2020 15:53:50 +0800 +Subject: drm/lease: fix WARNING in idr_destroy + +From: Qiujun Huang + +commit b216a8e7908cd750550c0480cf7d2b3a37f06954 upstream. + +drm_lease_create takes ownership of leases. And leases will be released +by drm_master_put. + +drm_master_put + ->drm_master_destroy + ->idr_destroy + +So we needn't call idr_destroy again. + +Reported-and-tested-by: syzbot+05835159fe322770fe3d@syzkaller.appspotmail.com +Signed-off-by: Qiujun Huang +Cc: stable@vger.kernel.org +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/1584518030-4173-1-git-send-email-hqjagain@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/drm_lease.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/drm_lease.c ++++ b/drivers/gpu/drm/drm_lease.c +@@ -542,10 +542,12 @@ int drm_mode_create_lease_ioctl(struct d + } + + DRM_DEBUG_LEASE("Creating lease\n"); ++ /* lessee will take the ownership of leases */ + lessee = drm_lease_create(lessor, &leases); + + if (IS_ERR(lessee)) { + ret = PTR_ERR(lessee); ++ idr_destroy(&leases); + goto out_leases; + } + +@@ -580,7 +582,6 @@ out_lessee: + + out_leases: + put_unused_fd(fd); +- idr_destroy(&leases); + + DRM_DEBUG_LEASE("drm_mode_create_lease_ioctl failed: %d\n", ret); + return ret; diff --git a/queue-5.4/epoll-fix-possible-lost-wakeup-on-epoll_ctl-path.patch b/queue-5.4/epoll-fix-possible-lost-wakeup-on-epoll_ctl-path.patch new file mode 100644 index 00000000000..546f8e490e0 --- /dev/null +++ b/queue-5.4/epoll-fix-possible-lost-wakeup-on-epoll_ctl-path.patch @@ -0,0 +1,82 @@ +From 1b53734bd0b2feed8e7761771b2e76fc9126ea0c Mon Sep 17 00:00:00 2001 +From: Roman Penyaev +Date: Sat, 21 Mar 2020 18:22:30 -0700 +Subject: epoll: fix possible lost wakeup on epoll_ctl() path + +From: Roman Penyaev + +commit 1b53734bd0b2feed8e7761771b2e76fc9126ea0c upstream. + +This fixes possible lost wakeup introduced by commit a218cc491420. +Originally modifications to ep->wq were serialized by ep->wq.lock, but +in commit a218cc491420 ("epoll: use rwlock in order to reduce +ep_poll_callback() contention") a new rw lock was introduced in order to +relax fd event path, i.e. callers of ep_poll_callback() function. + +After the change ep_modify and ep_insert (both are called on epoll_ctl() +path) were switched to ep->lock, but ep_poll (epoll_wait) was using +ep->wq.lock on wqueue list modification. + +The bug doesn't lead to any wqueue list corruptions, because wake up +path and list modifications were serialized by ep->wq.lock internally, +but actual waitqueue_active() check prior wake_up() call can be +reordered with modifications of ep ready list, thus wake up can be lost. + +And yes, can be healed by explicit smp_mb(): + + list_add_tail(&epi->rdlink, &ep->rdllist); + smp_mb(); + if (waitqueue_active(&ep->wq)) + wake_up(&ep->wp); + +But let's make it simple, thus current patch replaces ep->wq.lock with +the ep->lock for wqueue modifications, thus wake up path always observes +activeness of the wqueue correcty. + +Fixes: a218cc491420 ("epoll: use rwlock in order to reduce ep_poll_callback() contention") +Reported-by: Max Neunhoeffer +Signed-off-by: Roman Penyaev +Signed-off-by: Andrew Morton +Tested-by: Max Neunhoeffer +Cc: Jakub Kicinski +Cc: Christopher Kohlhoff +Cc: Davidlohr Bueso +Cc: Jason Baron +Cc: Jes Sorensen +Cc: [5.1+] +Link: http://lkml.kernel.org/r/20200214170211.561524-1-rpenyaev@suse.de +References: https://bugzilla.kernel.org/show_bug.cgi?id=205933 +Bisected-by: Max Neunhoeffer +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/eventpoll.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/fs/eventpoll.c ++++ b/fs/eventpoll.c +@@ -1881,9 +1881,9 @@ fetch_events: + waiter = true; + init_waitqueue_entry(&wait, current); + +- spin_lock_irq(&ep->wq.lock); ++ write_lock_irq(&ep->lock); + __add_wait_queue_exclusive(&ep->wq, &wait); +- spin_unlock_irq(&ep->wq.lock); ++ write_unlock_irq(&ep->lock); + } + + for (;;) { +@@ -1931,9 +1931,9 @@ send_events: + goto fetch_events; + + if (waiter) { +- spin_lock_irq(&ep->wq.lock); ++ write_lock_irq(&ep->lock); + __remove_wait_queue(&ep->wq, &wait); +- spin_unlock_irq(&ep->wq.lock); ++ write_unlock_irq(&ep->lock); + } + + return res; diff --git a/queue-5.4/iio-accel-adxl372-set-iio_chan-be.patch b/queue-5.4/iio-accel-adxl372-set-iio_chan-be.patch new file mode 100644 index 00000000000..286b74a47cb --- /dev/null +++ b/queue-5.4/iio-accel-adxl372-set-iio_chan-be.patch @@ -0,0 +1,32 @@ +From cb2116ff97859d34fda6cb561ac654415f4c6230 Mon Sep 17 00:00:00 2001 +From: Alexandru Tachici +Date: Wed, 19 Feb 2020 16:31:12 +0200 +Subject: iio: accel: adxl372: Set iio_chan BE + +From: Alexandru Tachici + +commit cb2116ff97859d34fda6cb561ac654415f4c6230 upstream. + +Data stored in the iio-buffer is BE and this +should be specified in the iio_chan_spec struct. + +Fixes: f4f55ce38e5f8 ("iio:adxl372: Add FIFO and interrupts support") +Signed-off-by: Alexandru Tachici +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/accel/adxl372.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/iio/accel/adxl372.c ++++ b/drivers/iio/accel/adxl372.c +@@ -237,6 +237,7 @@ static const struct adxl372_axis_lookup + .realbits = 12, \ + .storagebits = 16, \ + .shift = 4, \ ++ .endianness = IIO_BE, \ + }, \ + } + diff --git a/queue-5.4/iio-adc-at91-sama5d2_adc-fix-differential-channels-in-triggered-mode.patch b/queue-5.4/iio-adc-at91-sama5d2_adc-fix-differential-channels-in-triggered-mode.patch new file mode 100644 index 00000000000..f2648227d63 --- /dev/null +++ b/queue-5.4/iio-adc-at91-sama5d2_adc-fix-differential-channels-in-triggered-mode.patch @@ -0,0 +1,54 @@ +From a500f3bd787f8224341e44b238f318c407b10897 Mon Sep 17 00:00:00 2001 +From: Eugen Hristev +Date: Tue, 28 Jan 2020 12:57:39 +0000 +Subject: iio: adc: at91-sama5d2_adc: fix differential channels in triggered mode + +From: Eugen Hristev + +commit a500f3bd787f8224341e44b238f318c407b10897 upstream. + +The differential channels require writing the channel offset register (COR). +Otherwise they do not work in differential mode. +The configuration of COR is missing in triggered mode. + +Fixes: 5e1a1da0f8c9 ("iio: adc: at91-sama5d2_adc: add hw trigger and buffer support") +Signed-off-by: Eugen Hristev +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/adc/at91-sama5d2_adc.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +--- a/drivers/iio/adc/at91-sama5d2_adc.c ++++ b/drivers/iio/adc/at91-sama5d2_adc.c +@@ -723,6 +723,7 @@ static int at91_adc_configure_trigger(st + + for_each_set_bit(bit, indio->active_scan_mask, indio->num_channels) { + struct iio_chan_spec const *chan = at91_adc_chan_get(indio, bit); ++ u32 cor; + + if (!chan) + continue; +@@ -732,6 +733,20 @@ static int at91_adc_configure_trigger(st + continue; + + if (state) { ++ cor = at91_adc_readl(st, AT91_SAMA5D2_COR); ++ ++ if (chan->differential) ++ cor |= (BIT(chan->channel) | ++ BIT(chan->channel2)) << ++ AT91_SAMA5D2_COR_DIFF_OFFSET; ++ else ++ cor &= ~(BIT(chan->channel) << ++ AT91_SAMA5D2_COR_DIFF_OFFSET); ++ ++ at91_adc_writel(st, AT91_SAMA5D2_COR, cor); ++ } ++ ++ if (state) { + at91_adc_writel(st, AT91_SAMA5D2_CHER, + BIT(chan->channel)); + /* enable irq only if not using DMA */ diff --git a/queue-5.4/iio-adc-stm32-dfsdm-fix-sleep-in-atomic-context.patch b/queue-5.4/iio-adc-stm32-dfsdm-fix-sleep-in-atomic-context.patch new file mode 100644 index 00000000000..df58da26383 --- /dev/null +++ b/queue-5.4/iio-adc-stm32-dfsdm-fix-sleep-in-atomic-context.patch @@ -0,0 +1,100 @@ +From e19ac9d9a978f8238a85a28ed624094a497d5ae6 Mon Sep 17 00:00:00 2001 +From: Olivier Moysan +Date: Tue, 21 Jan 2020 12:02:56 +0100 +Subject: iio: adc: stm32-dfsdm: fix sleep in atomic context + +From: Olivier Moysan + +commit e19ac9d9a978f8238a85a28ed624094a497d5ae6 upstream. + +This commit fixes the error message: +"BUG: sleeping function called from invalid context at kernel/irq/chip.c" +Suppress the trigger irq handler. Make the buffer transfers directly +in DMA callback, instead. +Push buffers without timestamps, as timestamps are not supported +in DFSDM driver. + +Fixes: 11646e81d775 ("iio: adc: stm32-dfsdm: add support for buffer modes") + +Signed-off-by: Olivier Moysan +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/adc/stm32-dfsdm-adc.c | 43 ++++++++------------------------------ + 1 file changed, 10 insertions(+), 33 deletions(-) + +--- a/drivers/iio/adc/stm32-dfsdm-adc.c ++++ b/drivers/iio/adc/stm32-dfsdm-adc.c +@@ -842,31 +842,6 @@ static inline void stm32_dfsdm_process_d + } + } + +-static irqreturn_t stm32_dfsdm_adc_trigger_handler(int irq, void *p) +-{ +- struct iio_poll_func *pf = p; +- struct iio_dev *indio_dev = pf->indio_dev; +- struct stm32_dfsdm_adc *adc = iio_priv(indio_dev); +- int available = stm32_dfsdm_adc_dma_residue(adc); +- +- while (available >= indio_dev->scan_bytes) { +- s32 *buffer = (s32 *)&adc->rx_buf[adc->bufi]; +- +- stm32_dfsdm_process_data(adc, buffer); +- +- iio_push_to_buffers_with_timestamp(indio_dev, buffer, +- pf->timestamp); +- available -= indio_dev->scan_bytes; +- adc->bufi += indio_dev->scan_bytes; +- if (adc->bufi >= adc->buf_sz) +- adc->bufi = 0; +- } +- +- iio_trigger_notify_done(indio_dev->trig); +- +- return IRQ_HANDLED; +-} +- + static void stm32_dfsdm_dma_buffer_done(void *data) + { + struct iio_dev *indio_dev = data; +@@ -874,11 +849,6 @@ static void stm32_dfsdm_dma_buffer_done( + int available = stm32_dfsdm_adc_dma_residue(adc); + size_t old_pos; + +- if (indio_dev->currentmode & INDIO_BUFFER_TRIGGERED) { +- iio_trigger_poll_chained(indio_dev->trig); +- return; +- } +- + /* + * FIXME: In Kernel interface does not support cyclic DMA buffer,and + * offers only an interface to push data samples per samples. +@@ -906,7 +876,15 @@ static void stm32_dfsdm_dma_buffer_done( + adc->bufi = 0; + old_pos = 0; + } +- /* regular iio buffer without trigger */ ++ /* ++ * In DMA mode the trigger services of IIO are not used ++ * (e.g. no call to iio_trigger_poll). ++ * Calling irq handler associated to the hardware trigger is not ++ * relevant as the conversions have already been done. Data ++ * transfers are performed directly in DMA callback instead. ++ * This implementation avoids to call trigger irq handler that ++ * may sleep, in an atomic context (DMA irq handler context). ++ */ + if (adc->dev_data->type == DFSDM_IIO) + iio_push_to_buffers(indio_dev, buffer); + } +@@ -1517,8 +1495,7 @@ static int stm32_dfsdm_adc_init(struct i + } + + ret = iio_triggered_buffer_setup(indio_dev, +- &iio_pollfunc_store_time, +- &stm32_dfsdm_adc_trigger_handler, ++ &iio_pollfunc_store_time, NULL, + &stm32_dfsdm_buffer_setup_ops); + if (ret) { + stm32_dfsdm_dma_release(indio_dev); diff --git a/queue-5.4/iio-chemical-sps30-fix-missing-triggered-buffer-dependency.patch b/queue-5.4/iio-chemical-sps30-fix-missing-triggered-buffer-dependency.patch new file mode 100644 index 00000000000..f11c5c71f3e --- /dev/null +++ b/queue-5.4/iio-chemical-sps30-fix-missing-triggered-buffer-dependency.patch @@ -0,0 +1,37 @@ +From 016a8845f6da65b2203f102f192046fbb624e250 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20=C5=A0tetiar?= +Date: Thu, 27 Feb 2020 17:27:34 +0100 +Subject: iio: chemical: sps30: fix missing triggered buffer dependency +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Petr Štetiar + +commit 016a8845f6da65b2203f102f192046fbb624e250 upstream. + +SPS30 uses triggered buffer, but the dependency is not specified in the +Kconfig file. Fix this by selecting IIO_BUFFER and IIO_TRIGGERED_BUFFER +config symbols. + +Cc: stable@vger.kernel.org +Fixes: 232e0f6ddeae ("iio: chemical: add support for Sensirion SPS30 sensor") +Signed-off-by: Petr Štetiar +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/chemical/Kconfig | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/iio/chemical/Kconfig ++++ b/drivers/iio/chemical/Kconfig +@@ -91,6 +91,8 @@ config SPS30 + tristate "SPS30 particulate matter sensor" + depends on I2C + select CRC8 ++ select IIO_BUFFER ++ select IIO_TRIGGERED_BUFFER + help + Say Y here to build support for the Sensirion SPS30 particulate + matter sensor. diff --git a/queue-5.4/iio-light-vcnl4000-update-sampling-periods-for-vcnl4040.patch b/queue-5.4/iio-light-vcnl4000-update-sampling-periods-for-vcnl4040.patch new file mode 100644 index 00000000000..1088350ed74 --- /dev/null +++ b/queue-5.4/iio-light-vcnl4000-update-sampling-periods-for-vcnl4040.patch @@ -0,0 +1,51 @@ +From 2ca5a8792d617b4035aacd0a8be527f667fbf912 Mon Sep 17 00:00:00 2001 +From: Tomas Novotny +Date: Tue, 18 Feb 2020 16:44:51 +0100 +Subject: iio: light: vcnl4000: update sampling periods for vcnl4040 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tomas Novotny + +commit 2ca5a8792d617b4035aacd0a8be527f667fbf912 upstream. + +Vishay has published a new version of "Designing the VCNL4200 Into an +Application" application note in October 2019. The new version specifies +that there is +-20% of part to part tolerance. Although the application +note is related to vcnl4200, according to support the vcnl4040's "ASIC +is quite similar to that one for the VCNL4200". + +So update the sampling periods (and comment), including the correct +sampling period for proximity. Both sampling periods are lower. Users +relying on the blocking behaviour of reading will get proximity +measurements much earlier. + +Fixes: 5a441aade5b3 ("iio: light: vcnl4000 add support for the VCNL4040 proximity and light sensor") +Reviewed-by: Guido Günther +Tested-by: Guido Günther +Signed-off-by: Tomas Novotny +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/light/vcnl4000.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/iio/light/vcnl4000.c ++++ b/drivers/iio/light/vcnl4000.c +@@ -174,9 +174,10 @@ static int vcnl4200_init(struct vcnl4000 + data->al_scale = 24000; + break; + case VCNL4040_PROD_ID: +- /* Integration time is 80ms, add 10ms. */ +- data->vcnl4200_al.sampling_rate = ktime_set(0, 100000 * 1000); +- data->vcnl4200_ps.sampling_rate = ktime_set(0, 100000 * 1000); ++ /* Default wait time is 80ms, add 20% tolerance. */ ++ data->vcnl4200_al.sampling_rate = ktime_set(0, 96000 * 1000); ++ /* Default wait time is 5ms, add 20% tolerance. */ ++ data->vcnl4200_ps.sampling_rate = ktime_set(0, 6000 * 1000); + data->al_scale = 120000; + break; + } diff --git a/queue-5.4/iio-light-vcnl4000-update-sampling-periods-for-vcnl4200.patch b/queue-5.4/iio-light-vcnl4000-update-sampling-periods-for-vcnl4200.patch new file mode 100644 index 00000000000..019d6ba5726 --- /dev/null +++ b/queue-5.4/iio-light-vcnl4000-update-sampling-periods-for-vcnl4200.patch @@ -0,0 +1,50 @@ +From b42aa97ed5f1169cfd37175ef388ea62ff2dcf43 Mon Sep 17 00:00:00 2001 +From: Tomas Novotny +Date: Tue, 18 Feb 2020 16:44:50 +0100 +Subject: iio: light: vcnl4000: update sampling periods for vcnl4200 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tomas Novotny + +commit b42aa97ed5f1169cfd37175ef388ea62ff2dcf43 upstream. + +Vishay has published a new version of "Designing the VCNL4200 Into an +Application" application note in October 2019. The new version specifies +that there is +-20% of part to part tolerance. This explains the drift +seen during experiments. The proximity pulse width is also changed from +32us to 30us. According to the support, the tolerance also applies to +ambient light. + +So update the sampling periods. As the reading is blocking, current +users may notice slightly longer response time. + +Fixes: be38866fbb97 ("iio: vcnl4000: add support for VCNL4200") +Reviewed-by: Guido Günther +Signed-off-by: Tomas Novotny +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/light/vcnl4000.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/iio/light/vcnl4000.c ++++ b/drivers/iio/light/vcnl4000.c +@@ -167,10 +167,10 @@ static int vcnl4200_init(struct vcnl4000 + data->vcnl4200_ps.reg = VCNL4200_PS_DATA; + switch (id) { + case VCNL4200_PROD_ID: +- /* Integration time is 50ms, but the experiments */ +- /* show 54ms in total. */ +- data->vcnl4200_al.sampling_rate = ktime_set(0, 54000 * 1000); +- data->vcnl4200_ps.sampling_rate = ktime_set(0, 4200 * 1000); ++ /* Default wait time is 50ms, add 20% tolerance. */ ++ data->vcnl4200_al.sampling_rate = ktime_set(0, 60000 * 1000); ++ /* Default wait time is 4.8ms, add 20% tolerance. */ ++ data->vcnl4200_ps.sampling_rate = ktime_set(0, 5760 * 1000); + data->al_scale = 24000; + break; + case VCNL4040_PROD_ID: diff --git a/queue-5.4/iio-magnetometer-ak8974-fix-negative-raw-values-in-sysfs.patch b/queue-5.4/iio-magnetometer-ak8974-fix-negative-raw-values-in-sysfs.patch new file mode 100644 index 00000000000..6a07b886b19 --- /dev/null +++ b/queue-5.4/iio-magnetometer-ak8974-fix-negative-raw-values-in-sysfs.patch @@ -0,0 +1,41 @@ +From b500c086e4110829a308c23e83a7cdc65b26228a Mon Sep 17 00:00:00 2001 +From: Stephan Gerhold +Date: Fri, 14 Feb 2020 12:03:24 +0100 +Subject: iio: magnetometer: ak8974: Fix negative raw values in sysfs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Stephan Gerhold + +commit b500c086e4110829a308c23e83a7cdc65b26228a upstream. + +At the moment, reading from in_magn_*_raw in sysfs tends to return +large values around 65000, even though the output of ak8974 is actually +limited to ±32768. This happens because the value is never converted +to the signed 16-bit integer variant. + +Add an explicit cast to s16 to fix this. + +Fixes: 7c94a8b2ee8c ("iio: magn: add a driver for AK8974") +Signed-off-by: Stephan Gerhold +Reviewed-by: Linus Waleij +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/magnetometer/ak8974.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/magnetometer/ak8974.c ++++ b/drivers/iio/magnetometer/ak8974.c +@@ -564,7 +564,7 @@ static int ak8974_read_raw(struct iio_de + * We read all axes and discard all but one, for optimized + * reading, use the triggered buffer. + */ +- *val = le16_to_cpu(hw_values[chan->address]); ++ *val = (s16)le16_to_cpu(hw_values[chan->address]); + + ret = IIO_VAL_INT; + } diff --git a/queue-5.4/iio-st_sensors-remap-smo8840-to-lis2dh12.patch b/queue-5.4/iio-st_sensors-remap-smo8840-to-lis2dh12.patch new file mode 100644 index 00000000000..f64ca720680 --- /dev/null +++ b/queue-5.4/iio-st_sensors-remap-smo8840-to-lis2dh12.patch @@ -0,0 +1,34 @@ +From e43d110cdc206b6df4dd438cd10c81d1da910aad Mon Sep 17 00:00:00 2001 +From: Wen-chien Jesse Sung +Date: Mon, 24 Feb 2020 17:54:26 +0800 +Subject: iio: st_sensors: remap SMO8840 to LIS2DH12 + +From: Wen-chien Jesse Sung + +commit e43d110cdc206b6df4dd438cd10c81d1da910aad upstream. + +According to ST, the HID is for LIS2DH12. + +Fixes: 3d56e19815b3 ("iio: accel: st_accel: Add support for the SMO8840 ACPI id") +Signed-off-by: Wen-chien Jesse Sung +Tested-by: Hans de Goede +Reviewed-by: Hans de Goede +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/accel/st_accel_i2c.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/accel/st_accel_i2c.c ++++ b/drivers/iio/accel/st_accel_i2c.c +@@ -114,7 +114,7 @@ MODULE_DEVICE_TABLE(of, st_accel_of_matc + + #ifdef CONFIG_ACPI + static const struct acpi_device_id st_accel_acpi_match[] = { +- {"SMO8840", (kernel_ulong_t)LNG2DM_ACCEL_DEV_NAME}, ++ {"SMO8840", (kernel_ulong_t)LIS2DH12_ACCEL_DEV_NAME}, + {"SMO8A90", (kernel_ulong_t)LNG2DM_ACCEL_DEV_NAME}, + { }, + }; diff --git a/queue-5.4/iio-trigger-stm32-timer-disable-master-mode-when-stopping.patch b/queue-5.4/iio-trigger-stm32-timer-disable-master-mode-when-stopping.patch new file mode 100644 index 00000000000..479557245ce --- /dev/null +++ b/queue-5.4/iio-trigger-stm32-timer-disable-master-mode-when-stopping.patch @@ -0,0 +1,58 @@ +From 29e8c8253d7d5265f58122c0a7902e26df6c6f61 Mon Sep 17 00:00:00 2001 +From: Fabrice Gasnier +Date: Fri, 14 Feb 2020 17:46:35 +0100 +Subject: iio: trigger: stm32-timer: disable master mode when stopping + +From: Fabrice Gasnier + +commit 29e8c8253d7d5265f58122c0a7902e26df6c6f61 upstream. + +Master mode should be disabled when stopping. This mainly impacts +possible other use-case after timer has been stopped. Currently, +master mode remains set (from start routine). + +Fixes: 6fb34812c2a2 ("iio: stm32 trigger: Add support for TRGO2 triggers") + +Signed-off-by: Fabrice Gasnier +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/trigger/stm32-timer-trigger.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/drivers/iio/trigger/stm32-timer-trigger.c ++++ b/drivers/iio/trigger/stm32-timer-trigger.c +@@ -161,7 +161,8 @@ static int stm32_timer_start(struct stm3 + return 0; + } + +-static void stm32_timer_stop(struct stm32_timer_trigger *priv) ++static void stm32_timer_stop(struct stm32_timer_trigger *priv, ++ struct iio_trigger *trig) + { + u32 ccer, cr1; + +@@ -179,6 +180,12 @@ static void stm32_timer_stop(struct stm3 + regmap_write(priv->regmap, TIM_PSC, 0); + regmap_write(priv->regmap, TIM_ARR, 0); + ++ /* Force disable master mode */ ++ if (stm32_timer_is_trgo2_name(trig->name)) ++ regmap_update_bits(priv->regmap, TIM_CR2, TIM_CR2_MMS2, 0); ++ else ++ regmap_update_bits(priv->regmap, TIM_CR2, TIM_CR2_MMS, 0); ++ + /* Make sure that registers are updated */ + regmap_update_bits(priv->regmap, TIM_EGR, TIM_EGR_UG, TIM_EGR_UG); + } +@@ -197,7 +204,7 @@ static ssize_t stm32_tt_store_frequency( + return ret; + + if (freq == 0) { +- stm32_timer_stop(priv); ++ stm32_timer_stop(priv, trig); + } else { + ret = stm32_timer_start(priv, trig, freq); + if (ret) diff --git a/queue-5.4/intel_th-fix-user-visible-error-codes.patch b/queue-5.4/intel_th-fix-user-visible-error-codes.patch new file mode 100644 index 00000000000..13b8fb41374 --- /dev/null +++ b/queue-5.4/intel_th-fix-user-visible-error-codes.patch @@ -0,0 +1,52 @@ +From ce666be89a8a09c5924ff08fc32e119f974bdab6 Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Tue, 17 Mar 2020 08:22:14 +0200 +Subject: intel_th: Fix user-visible error codes + +From: Alexander Shishkin + +commit ce666be89a8a09c5924ff08fc32e119f974bdab6 upstream. + +There are a few places in the driver that end up returning ENOTSUPP to +the user, replace those with EINVAL. + +Signed-off-by: Alexander Shishkin +Reviewed-by: Andy Shevchenko +Fixes: ba82664c134ef ("intel_th: Add Memory Storage Unit driver") +Cc: stable@vger.kernel.org # v4.4+ +Link: https://lore.kernel.org/r/20200317062215.15598-6-alexander.shishkin@linux.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwtracing/intel_th/msu.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/hwtracing/intel_th/msu.c ++++ b/drivers/hwtracing/intel_th/msu.c +@@ -761,7 +761,7 @@ static int msc_configure(struct msc *msc + lockdep_assert_held(&msc->buf_mutex); + + if (msc->mode > MSC_MODE_MULTI) +- return -ENOTSUPP; ++ return -EINVAL; + + if (msc->mode == MSC_MODE_MULTI) { + if (msc_win_set_lockout(msc->cur_win, WIN_READY, WIN_INUSE)) +@@ -1295,7 +1295,7 @@ static int msc_buffer_alloc(struct msc * + } else if (msc->mode == MSC_MODE_MULTI) { + ret = msc_buffer_multi_alloc(msc, nr_pages, nr_wins); + } else { +- ret = -ENOTSUPP; ++ ret = -EINVAL; + } + + if (!ret) { +@@ -1531,7 +1531,7 @@ static ssize_t intel_th_msc_read(struct + if (ret >= 0) + *ppos = iter->offset; + } else { +- ret = -ENOTSUPP; ++ ret = -EINVAL; + } + + put_count: diff --git a/queue-5.4/intel_th-msu-fix-the-unexpected-state-warning.patch b/queue-5.4/intel_th-msu-fix-the-unexpected-state-warning.patch new file mode 100644 index 00000000000..41961d13edb --- /dev/null +++ b/queue-5.4/intel_th-msu-fix-the-unexpected-state-warning.patch @@ -0,0 +1,46 @@ +From 885f123554bbdc1807ca25a374be6e9b3bddf4de Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Tue, 17 Mar 2020 08:22:13 +0200 +Subject: intel_th: msu: Fix the unexpected state warning + +From: Alexander Shishkin + +commit 885f123554bbdc1807ca25a374be6e9b3bddf4de upstream. + +The unexpected state warning should only warn on illegal state +transitions. Fix that. + +Signed-off-by: Alexander Shishkin +Reviewed-by: Andy Shevchenko +Fixes: 615c164da0eb4 ("intel_th: msu: Introduce buffer interface") +Cc: stable@vger.kernel.org # v5.4+ +Link: https://lore.kernel.org/r/20200317062215.15598-5-alexander.shishkin@linux.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwtracing/intel_th/msu.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/hwtracing/intel_th/msu.c ++++ b/drivers/hwtracing/intel_th/msu.c +@@ -718,9 +718,6 @@ static int msc_win_set_lockout(struct ms + + if (old != expect) { + ret = -EINVAL; +- dev_warn_ratelimited(msc_dev(win->msc), +- "expected lockout state %d, got %d\n", +- expect, old); + goto unlock; + } + +@@ -741,6 +738,10 @@ unlock: + /* from intel_th_msc_window_unlock(), don't warn if not locked */ + if (expect == WIN_LOCKED && old == new) + return 0; ++ ++ dev_warn_ratelimited(msc_dev(win->msc), ++ "expected lockout state %d, got %d\n", ++ expect, old); + } + + return ret; diff --git a/queue-5.4/intel_th-pci-add-elkhart-lake-cpu-support.patch b/queue-5.4/intel_th-pci-add-elkhart-lake-cpu-support.patch new file mode 100644 index 00000000000..f704bdfdfc2 --- /dev/null +++ b/queue-5.4/intel_th-pci-add-elkhart-lake-cpu-support.patch @@ -0,0 +1,35 @@ +From add492d2e9446a77ede9bb43699ec85ca8fc1aba Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Tue, 17 Mar 2020 08:22:15 +0200 +Subject: intel_th: pci: Add Elkhart Lake CPU support + +From: Alexander Shishkin + +commit add492d2e9446a77ede9bb43699ec85ca8fc1aba upstream. + +This adds support for the Trace Hub in Elkhart Lake CPU. + +Signed-off-by: Alexander Shishkin +Reviewed-by: Andy Shevchenko +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20200317062215.15598-7-alexander.shishkin@linux.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwtracing/intel_th/pci.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/hwtracing/intel_th/pci.c ++++ b/drivers/hwtracing/intel_th/pci.c +@@ -235,6 +235,11 @@ static const struct pci_device_id intel_ + .driver_data = (kernel_ulong_t)&intel_th_2x, + }, + { ++ /* Elkhart Lake CPU */ ++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x4529), ++ .driver_data = (kernel_ulong_t)&intel_th_2x, ++ }, ++ { + /* Elkhart Lake */ + PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x4b26), + .driver_data = (kernel_ulong_t)&intel_th_2x, diff --git a/queue-5.4/kbuild-disable-wpointer-to-enum-cast.patch b/queue-5.4/kbuild-disable-wpointer-to-enum-cast.patch new file mode 100644 index 00000000000..f7a0a26b363 --- /dev/null +++ b/queue-5.4/kbuild-disable-wpointer-to-enum-cast.patch @@ -0,0 +1,45 @@ +From 82f2bc2fcc0160d6f82dd1ac64518ae0a4dd183f Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Wed, 11 Mar 2020 12:41:21 -0700 +Subject: kbuild: Disable -Wpointer-to-enum-cast + +From: Nathan Chancellor + +commit 82f2bc2fcc0160d6f82dd1ac64518ae0a4dd183f upstream. + +Clang's -Wpointer-to-int-cast deviates from GCC in that it warns when +casting to enums. The kernel does this in certain places, such as device +tree matches to set the version of the device being used, which allows +the kernel to avoid using a gigantic union. + +https://elixir.bootlin.com/linux/v5.5.8/source/drivers/ata/ahci_brcm.c#L428 +https://elixir.bootlin.com/linux/v5.5.8/source/drivers/ata/ahci_brcm.c#L402 +https://elixir.bootlin.com/linux/v5.5.8/source/include/linux/mod_devicetable.h#L264 + +To avoid a ton of false positive warnings, disable this particular part +of the warning, which has been split off into a separate diagnostic so +that the entire warning does not need to be turned off for clang. It +will be visible under W=1 in case people want to go about fixing these +easily and enabling the warning treewide. + +Cc: stable@vger.kernel.org +Link: https://github.com/ClangBuiltLinux/linux/issues/887 +Link: https://github.com/llvm/llvm-project/commit/2a41b31fcdfcb67ab7038fc2ffb606fd50b83a84 +Signed-off-by: Nathan Chancellor +Signed-off-by: Masahiro Yamada +Signed-off-by: Greg Kroah-Hartman + +--- + scripts/Makefile.extrawarn | 1 + + 1 file changed, 1 insertion(+) + +--- a/scripts/Makefile.extrawarn ++++ b/scripts/Makefile.extrawarn +@@ -48,6 +48,7 @@ KBUILD_CFLAGS += -Wno-initializer-overri + KBUILD_CFLAGS += -Wno-format + KBUILD_CFLAGS += -Wno-sign-compare + KBUILD_CFLAGS += -Wno-format-zero-length ++KBUILD_CFLAGS += $(call cc-disable-warning, pointer-to-enum-cast) + endif + + endif diff --git a/queue-5.4/memcg-fix-null-pointer-dereference-in-__mem_cgroup_usage_unregister_event.patch b/queue-5.4/memcg-fix-null-pointer-dereference-in-__mem_cgroup_usage_unregister_event.patch new file mode 100644 index 00000000000..7bc04e9b3b2 --- /dev/null +++ b/queue-5.4/memcg-fix-null-pointer-dereference-in-__mem_cgroup_usage_unregister_event.patch @@ -0,0 +1,123 @@ +From 7d36665a5886c27ca4c4d0afd3ecc50b400f3587 Mon Sep 17 00:00:00 2001 +From: Chunguang Xu +Date: Sat, 21 Mar 2020 18:22:10 -0700 +Subject: memcg: fix NULL pointer dereference in __mem_cgroup_usage_unregister_event +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Chunguang Xu + +commit 7d36665a5886c27ca4c4d0afd3ecc50b400f3587 upstream. + +An eventfd monitors multiple memory thresholds of the cgroup, closes them, +the kernel deletes all events related to this eventfd. Before all events +are deleted, another eventfd monitors the memory threshold of this cgroup, +leading to a crash: + + BUG: kernel NULL pointer dereference, address: 0000000000000004 + #PF: supervisor write access in kernel mode + #PF: error_code(0x0002) - not-present page + PGD 800000033058e067 P4D 800000033058e067 PUD 3355ce067 PMD 0 + Oops: 0002 [#1] SMP PTI + CPU: 2 PID: 14012 Comm: kworker/2:6 Kdump: loaded Not tainted 5.6.0-rc4 #3 + Hardware name: LENOVO 20AWS01K00/20AWS01K00, BIOS GLET70WW (2.24 ) 05/21/2014 + Workqueue: events memcg_event_remove + RIP: 0010:__mem_cgroup_usage_unregister_event+0xb3/0x190 + RSP: 0018:ffffb47e01c4fe18 EFLAGS: 00010202 + RAX: 0000000000000001 RBX: ffff8bb223a8a000 RCX: 0000000000000001 + RDX: 0000000000000001 RSI: ffff8bb22fb83540 RDI: 0000000000000001 + RBP: ffffb47e01c4fe48 R08: 0000000000000000 R09: 0000000000000010 + R10: 000000000000000c R11: 071c71c71c71c71c R12: ffff8bb226aba880 + R13: ffff8bb223a8a480 R14: 0000000000000000 R15: 0000000000000000 + FS:  0000000000000000(0000) GS:ffff8bb242680000(0000) knlGS:0000000000000000 + CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000004 CR3: 000000032c29c003 CR4: 00000000001606e0 + Call Trace: + memcg_event_remove+0x32/0x90 + process_one_work+0x172/0x380 + worker_thread+0x49/0x3f0 + kthread+0xf8/0x130 + ret_from_fork+0x35/0x40 + CR2: 0000000000000004 + +We can reproduce this problem in the following ways: + +1. We create a new cgroup subdirectory and a new eventfd, and then we + monitor multiple memory thresholds of the cgroup through this eventfd. + +2. closing this eventfd, and __mem_cgroup_usage_unregister_event () + will be called multiple times to delete all events related to this + eventfd. + +The first time __mem_cgroup_usage_unregister_event() is called, the +kernel will clear all items related to this eventfd in thresholds-> +primary. + +Since there is currently only one eventfd, thresholds-> primary becomes +empty, so the kernel will set thresholds-> primary and hresholds-> spare +to NULL. If at this time, the user creates a new eventfd and monitor +the memory threshold of this cgroup, kernel will re-initialize +thresholds-> primary. + +Then when __mem_cgroup_usage_unregister_event () is called for the +second time, because thresholds-> primary is not empty, the system will +access thresholds-> spare, but thresholds-> spare is NULL, which will +trigger a crash. + +In general, the longer it takes to delete all events related to this +eventfd, the easier it is to trigger this problem. + +The solution is to check whether the thresholds associated with the +eventfd has been cleared when deleting the event. If so, we do nothing. + +[akpm@linux-foundation.org: fix comment, per Kirill] +Fixes: 907860ed381a ("cgroups: make cftype.unregister_event() void-returning") +Signed-off-by: Chunguang Xu +Signed-off-by: Andrew Morton +Acked-by: Michal Hocko +Acked-by: Kirill A. Shutemov +Cc: Johannes Weiner +Cc: Vladimir Davydov +Cc: +Link: http://lkml.kernel.org/r/077a6f67-aefa-4591-efec-f2f3af2b0b02@gmail.com +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/memcontrol.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -4151,7 +4151,7 @@ static void __mem_cgroup_usage_unregiste + struct mem_cgroup_thresholds *thresholds; + struct mem_cgroup_threshold_ary *new; + unsigned long usage; +- int i, j, size; ++ int i, j, size, entries; + + mutex_lock(&memcg->thresholds_lock); + +@@ -4171,14 +4171,20 @@ static void __mem_cgroup_usage_unregiste + __mem_cgroup_threshold(memcg, type == _MEMSWAP); + + /* Calculate new number of threshold */ +- size = 0; ++ size = entries = 0; + for (i = 0; i < thresholds->primary->size; i++) { + if (thresholds->primary->entries[i].eventfd != eventfd) + size++; ++ else ++ entries++; + } + + new = thresholds->spare; + ++ /* If no items related to eventfd have been cleared, nothing to do */ ++ if (!entries) ++ goto unlock; ++ + /* Set thresholds array to NULL if we don't have thresholds */ + if (!size) { + kfree(new); diff --git a/queue-5.4/mm-do-not-allow-madv_pageout-for-cow-pages.patch b/queue-5.4/mm-do-not-allow-madv_pageout-for-cow-pages.patch new file mode 100644 index 00000000000..dd5b95785cf --- /dev/null +++ b/queue-5.4/mm-do-not-allow-madv_pageout-for-cow-pages.patch @@ -0,0 +1,79 @@ +From 12e967fd8e4e6c3d275b4c69c890adc838891300 Mon Sep 17 00:00:00 2001 +From: Michal Hocko +Date: Sat, 21 Mar 2020 18:22:26 -0700 +Subject: mm: do not allow MADV_PAGEOUT for CoW pages + +From: Michal Hocko + +commit 12e967fd8e4e6c3d275b4c69c890adc838891300 upstream. + +Jann has brought up a very interesting point [1]. While shared pages +are excluded from MADV_PAGEOUT normally, CoW pages can be easily +reclaimed that way. This can lead to all sorts of hard to debug +problems. E.g. performance problems outlined by Daniel [2]. + +There are runtime environments where there is a substantial memory +shared among security domains via CoW memory and a easy to reclaim way +of that memory, which MADV_{COLD,PAGEOUT} offers, can lead to either +performance degradation in for the parent process which might be more +privileged or even open side channel attacks. + +The feasibility of the latter is not really clear to me TBH but there is +no real reason for exposure at this stage. It seems there is no real +use case to depend on reclaiming CoW memory via madvise at this stage so +it is much easier to simply disallow it and this is what this patch +does. Put it simply MADV_{PAGEOUT,COLD} can operate only on the +exclusively owned memory which is a straightforward semantic. + +[1] http://lkml.kernel.org/r/CAG48ez0G3JkMq61gUmyQAaCq=_TwHbi1XKzWRooxZkv08PQKuw@mail.gmail.com +[2] http://lkml.kernel.org/r/CAKOZueua_v8jHCpmEtTB6f3i9e2YnmX4mqdYVWhV4E=Z-n+zRQ@mail.gmail.com + +Fixes: 9c276cc65a58 ("mm: introduce MADV_COLD") +Reported-by: Jann Horn +Signed-off-by: Michal Hocko +Signed-off-by: Andrew Morton +Acked-by: Vlastimil Babka +Cc: Minchan Kim +Cc: Daniel Colascione +Cc: Dave Hansen +Cc: "Joel Fernandes (Google)" +Cc: +Link: http://lkml.kernel.org/r/20200312082248.GS23944@dhcp22.suse.cz +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/madvise.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/mm/madvise.c ++++ b/mm/madvise.c +@@ -335,12 +335,14 @@ static int madvise_cold_or_pageout_pte_r + } + + page = pmd_page(orig_pmd); ++ ++ /* Do not interfere with other mappings of this page */ ++ if (page_mapcount(page) != 1) ++ goto huge_unlock; ++ + if (next - addr != HPAGE_PMD_SIZE) { + int err; + +- if (page_mapcount(page) != 1) +- goto huge_unlock; +- + get_page(page); + spin_unlock(ptl); + lock_page(page); +@@ -426,6 +428,10 @@ regular_page: + continue; + } + ++ /* Do not interfere with other mappings of this page */ ++ if (page_mapcount(page) != 1) ++ continue; ++ + VM_BUG_ON_PAGE(PageTransCompound(page), page); + + if (pte_young(ptent)) { diff --git a/queue-5.4/mm-hotplug-fix-hot-remove-failure-in-sparsemem-vmemmap-case.patch b/queue-5.4/mm-hotplug-fix-hot-remove-failure-in-sparsemem-vmemmap-case.patch new file mode 100644 index 00000000000..f74672c0201 --- /dev/null +++ b/queue-5.4/mm-hotplug-fix-hot-remove-failure-in-sparsemem-vmemmap-case.patch @@ -0,0 +1,92 @@ +From d41e2f3bd54699f85b3d6f45abd09fa24a222cb9 Mon Sep 17 00:00:00 2001 +From: Baoquan He +Date: Sat, 21 Mar 2020 18:22:13 -0700 +Subject: mm/hotplug: fix hot remove failure in SPARSEMEM|!VMEMMAP case + +From: Baoquan He + +commit d41e2f3bd54699f85b3d6f45abd09fa24a222cb9 upstream. + +In section_deactivate(), pfn_to_page() doesn't work any more after +ms->section_mem_map is resetting to NULL in SPARSEMEM|!VMEMMAP case. It +causes a hot remove failure: + + kernel BUG at mm/page_alloc.c:4806! + invalid opcode: 0000 [#1] SMP PTI + CPU: 3 PID: 8 Comm: kworker/u16:0 Tainted: G W 5.5.0-next-20200205+ #340 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015 + Workqueue: kacpi_hotplug acpi_hotplug_work_fn + RIP: 0010:free_pages+0x85/0xa0 + Call Trace: + __remove_pages+0x99/0xc0 + arch_remove_memory+0x23/0x4d + try_remove_memory+0xc8/0x130 + __remove_memory+0xa/0x11 + acpi_memory_device_remove+0x72/0x100 + acpi_bus_trim+0x55/0x90 + acpi_device_hotplug+0x2eb/0x3d0 + acpi_hotplug_work_fn+0x1a/0x30 + process_one_work+0x1a7/0x370 + worker_thread+0x30/0x380 + kthread+0x112/0x130 + ret_from_fork+0x35/0x40 + +Let's move the ->section_mem_map resetting after +depopulate_section_memmap() to fix it. + +[akpm@linux-foundation.org: remove unneeded initialization, per David] +Fixes: ba72b4c8cf60 ("mm/sparsemem: support sub-section hotplug") +Signed-off-by: Baoquan He +Signed-off-by: Andrew Morton +Reviewed-by: Pankaj Gupta +Reviewed-by: David Hildenbrand +Acked-by: Michal Hocko +Cc: Wei Yang +Cc: Oscar Salvador +Cc: Mike Rapoport +Cc: +Link: http://lkml.kernel.org/r/20200307084229.28251-2-bhe@redhat.com +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/sparse.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/mm/sparse.c ++++ b/mm/sparse.c +@@ -742,6 +742,7 @@ static void section_deactivate(unsigned + struct mem_section *ms = __pfn_to_section(pfn); + bool section_is_early = early_section(ms); + struct page *memmap = NULL; ++ bool empty; + unsigned long *subsection_map = ms->usage + ? &ms->usage->subsection_map[0] : NULL; + +@@ -772,7 +773,8 @@ static void section_deactivate(unsigned + * For 2/ and 3/ the SPARSEMEM_VMEMMAP={y,n} cases are unified + */ + bitmap_xor(subsection_map, map, subsection_map, SUBSECTIONS_PER_SECTION); +- if (bitmap_empty(subsection_map, SUBSECTIONS_PER_SECTION)) { ++ empty = bitmap_empty(subsection_map, SUBSECTIONS_PER_SECTION); ++ if (empty) { + unsigned long section_nr = pfn_to_section_nr(pfn); + + /* +@@ -787,13 +789,15 @@ static void section_deactivate(unsigned + ms->usage = NULL; + } + memmap = sparse_decode_mem_map(ms->section_mem_map, section_nr); +- ms->section_mem_map = (unsigned long)NULL; + } + + if (section_is_early && memmap) + free_map_bootmem(memmap); + else + depopulate_section_memmap(pfn, nr_pages, altmap); ++ ++ if (empty) ++ ms->section_mem_map = (unsigned long)NULL; + } + + static struct page * __meminit section_activate(int nid, unsigned long pfn, diff --git a/queue-5.4/mm-memcg-fix-corruption-on-64-bit-divisor-in-memory.high-throttling.patch b/queue-5.4/mm-memcg-fix-corruption-on-64-bit-divisor-in-memory.high-throttling.patch new file mode 100644 index 00000000000..e3ae5b0bedf --- /dev/null +++ b/queue-5.4/mm-memcg-fix-corruption-on-64-bit-divisor-in-memory.high-throttling.patch @@ -0,0 +1,45 @@ +From d397a45fc741c80c32a14e2de008441e9976f50c Mon Sep 17 00:00:00 2001 +From: Chris Down +Date: Sat, 21 Mar 2020 18:22:20 -0700 +Subject: mm, memcg: fix corruption on 64-bit divisor in memory.high throttling + +From: Chris Down + +commit d397a45fc741c80c32a14e2de008441e9976f50c upstream. + +Commit 0e4b01df8659 had a bunch of fixups to use the right division +method. However, it seems that after all that it still wasn't right -- +div_u64 takes a 32-bit divisor. + +The headroom is still large (2^32 pages), so on mundane systems you +won't hit this, but this should definitely be fixed. + +Fixes: 0e4b01df8659 ("mm, memcg: throttle allocators when failing reclaim over memory.high") +Reported-by: Johannes Weiner +Signed-off-by: Chris Down +Signed-off-by: Andrew Morton +Acked-by: Johannes Weiner +Cc: Tejun Heo +Cc: Roman Gushchin +Cc: Michal Hocko +Cc: Nathan Chancellor +Cc: [5.4.x+] +Link: http://lkml.kernel.org/r/80780887060514967d414b3cd91f9a316a16ab98.1584036142.git.chris@chrisdown.name +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/memcontrol.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -2456,7 +2456,7 @@ void mem_cgroup_handle_over_high(void) + */ + clamped_high = max(high, 1UL); + +- overage = div_u64((u64)(usage - high) << MEMCG_DELAY_PRECISION_SHIFT, ++ overage = div64_u64((u64)(usage - high) << MEMCG_DELAY_PRECISION_SHIFT, + clamped_high); + + penalty_jiffies = ((u64)overage * overage * HZ) diff --git a/queue-5.4/mm-memcg-throttle-allocators-based-on-ancestral-memory.high.patch b/queue-5.4/mm-memcg-throttle-allocators-based-on-ancestral-memory.high.patch new file mode 100644 index 00000000000..a89d2812503 --- /dev/null +++ b/queue-5.4/mm-memcg-throttle-allocators-based-on-ancestral-memory.high.patch @@ -0,0 +1,160 @@ +From e26733e0d0ec6798eca93daa300bc3f43616127f Mon Sep 17 00:00:00 2001 +From: Chris Down +Date: Sat, 21 Mar 2020 18:22:23 -0700 +Subject: mm, memcg: throttle allocators based on ancestral memory.high + +From: Chris Down + +commit e26733e0d0ec6798eca93daa300bc3f43616127f upstream. + +Prior to this commit, we only directly check the affected cgroup's +memory.high against its usage. However, it's possible that we are being +reclaimed as a result of hitting an ancestor memory.high and should be +penalised based on that, instead. + +This patch changes memory.high overage throttling to use the largest +overage in its ancestors when considering how many penalty jiffies to +charge. This makes sure that we penalise poorly behaving cgroups in the +same way regardless of at what level of the hierarchy memory.high was +breached. + +Fixes: 0e4b01df8659 ("mm, memcg: throttle allocators when failing reclaim over memory.high") +Reported-by: Johannes Weiner +Signed-off-by: Chris Down +Signed-off-by: Andrew Morton +Acked-by: Johannes Weiner +Cc: Tejun Heo +Cc: Michal Hocko +Cc: Nathan Chancellor +Cc: Roman Gushchin +Cc: [5.4.x+] +Link: http://lkml.kernel.org/r/8cd132f84bd7e16cdb8fde3378cdbf05ba00d387.1584036142.git.chris@chrisdown.name +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/memcontrol.c | 93 ++++++++++++++++++++++++++++++++++---------------------- + 1 file changed, 58 insertions(+), 35 deletions(-) + +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -2414,28 +2414,41 @@ static void high_work_func(struct work_s + #define MEMCG_DELAY_SCALING_SHIFT 14 + + /* +- * Scheduled by try_charge() to be executed from the userland return path +- * and reclaims memory over the high limit. ++ * Get the number of jiffies that we should penalise a mischievous cgroup which ++ * is exceeding its memory.high by checking both it and its ancestors. + */ +-void mem_cgroup_handle_over_high(void) ++static unsigned long calculate_high_delay(struct mem_cgroup *memcg, ++ unsigned int nr_pages) + { +- unsigned long usage, high, clamped_high; +- unsigned long pflags; +- unsigned long penalty_jiffies, overage; +- unsigned int nr_pages = current->memcg_nr_pages_over_high; +- struct mem_cgroup *memcg; ++ unsigned long penalty_jiffies; ++ u64 max_overage = 0; + +- if (likely(!nr_pages)) +- return; ++ do { ++ unsigned long usage, high; ++ u64 overage; ++ ++ usage = page_counter_read(&memcg->memory); ++ high = READ_ONCE(memcg->high); ++ ++ /* ++ * Prevent division by 0 in overage calculation by acting as if ++ * it was a threshold of 1 page ++ */ ++ high = max(high, 1UL); ++ ++ overage = usage - high; ++ overage <<= MEMCG_DELAY_PRECISION_SHIFT; ++ overage = div64_u64(overage, high); ++ ++ if (overage > max_overage) ++ max_overage = overage; ++ } while ((memcg = parent_mem_cgroup(memcg)) && ++ !mem_cgroup_is_root(memcg)); + +- memcg = get_mem_cgroup_from_mm(current->mm); +- reclaim_high(memcg, nr_pages, GFP_KERNEL); +- current->memcg_nr_pages_over_high = 0; ++ if (!max_overage) ++ return 0; + + /* +- * memory.high is breached and reclaim is unable to keep up. Throttle +- * allocators proactively to slow down excessive growth. +- * + * We use overage compared to memory.high to calculate the number of + * jiffies to sleep (penalty_jiffies). Ideally this value should be + * fairly lenient on small overages, and increasingly harsh when the +@@ -2443,24 +2456,9 @@ void mem_cgroup_handle_over_high(void) + * its crazy behaviour, so we exponentially increase the delay based on + * overage amount. + */ +- +- usage = page_counter_read(&memcg->memory); +- high = READ_ONCE(memcg->high); +- +- if (usage <= high) +- goto out; +- +- /* +- * Prevent division by 0 in overage calculation by acting as if it was a +- * threshold of 1 page +- */ +- clamped_high = max(high, 1UL); +- +- overage = div64_u64((u64)(usage - high) << MEMCG_DELAY_PRECISION_SHIFT, +- clamped_high); +- +- penalty_jiffies = ((u64)overage * overage * HZ) +- >> (MEMCG_DELAY_PRECISION_SHIFT + MEMCG_DELAY_SCALING_SHIFT); ++ penalty_jiffies = max_overage * max_overage * HZ; ++ penalty_jiffies >>= MEMCG_DELAY_PRECISION_SHIFT; ++ penalty_jiffies >>= MEMCG_DELAY_SCALING_SHIFT; + + /* + * Factor in the task's own contribution to the overage, such that four +@@ -2477,7 +2475,32 @@ void mem_cgroup_handle_over_high(void) + * application moving forwards and also permit diagnostics, albeit + * extremely slowly. + */ +- penalty_jiffies = min(penalty_jiffies, MEMCG_MAX_HIGH_DELAY_JIFFIES); ++ return min(penalty_jiffies, MEMCG_MAX_HIGH_DELAY_JIFFIES); ++} ++ ++/* ++ * Scheduled by try_charge() to be executed from the userland return path ++ * and reclaims memory over the high limit. ++ */ ++void mem_cgroup_handle_over_high(void) ++{ ++ unsigned long penalty_jiffies; ++ unsigned long pflags; ++ unsigned int nr_pages = current->memcg_nr_pages_over_high; ++ struct mem_cgroup *memcg; ++ ++ if (likely(!nr_pages)) ++ return; ++ ++ memcg = get_mem_cgroup_from_mm(current->mm); ++ reclaim_high(memcg, nr_pages, GFP_KERNEL); ++ current->memcg_nr_pages_over_high = 0; ++ ++ /* ++ * memory.high is breached and reclaim is unable to keep up. Throttle ++ * allocators proactively to slow down excessive growth. ++ */ ++ penalty_jiffies = calculate_high_delay(memcg, nr_pages); + + /* + * Don't sleep if the amount of jiffies this memcg owes us is so low diff --git a/queue-5.4/mm-slub-be-more-careful-about-the-double-cmpxchg-of-freelist.patch b/queue-5.4/mm-slub-be-more-careful-about-the-double-cmpxchg-of-freelist.patch new file mode 100644 index 00000000000..5f26b36aedd --- /dev/null +++ b/queue-5.4/mm-slub-be-more-careful-about-the-double-cmpxchg-of-freelist.patch @@ -0,0 +1,52 @@ +From 5076190daded2197f62fe92cf69674488be44175 Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Tue, 17 Mar 2020 11:04:09 -0700 +Subject: mm: slub: be more careful about the double cmpxchg of freelist + +From: Linus Torvalds + +commit 5076190daded2197f62fe92cf69674488be44175 upstream. + +This is just a cleanup addition to Jann's fix to properly update the +transaction ID for the slub slowpath in commit fd4d9c7d0c71 ("mm: slub: +add missing TID bump.."). + +The transaction ID is what protects us against any concurrent accesses, +but we should really also make sure to make the 'freelist' comparison +itself always use the same freelist value that we then used as the new +next free pointer. + +Jann points out that if we do all of this carefully, we could skip the +transaction ID update for all the paths that only remove entries from +the lists, and only update the TID when adding entries (to avoid the ABA +issue with cmpxchg and list handling re-adding a previously seen value). + +But this patch just does the "make sure to cmpxchg the same value we +used" rather than then try to be clever. + +Acked-by: Jann Horn +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/slub.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/mm/slub.c ++++ b/mm/slub.c +@@ -2977,11 +2977,13 @@ redo: + barrier(); + + if (likely(page == c->page)) { +- set_freepointer(s, tail_obj, c->freelist); ++ void **freelist = READ_ONCE(c->freelist); ++ ++ set_freepointer(s, tail_obj, freelist); + + if (unlikely(!this_cpu_cmpxchg_double( + s->cpu_slab->freelist, s->cpu_slab->tid, +- c->freelist, tid, ++ freelist, tid, + head, next_tid(tid)))) { + + note_cmpxchg_failure("slab_free", s, tid); diff --git a/queue-5.4/mm-slub-prevent-kmalloc_node-crashes-and-memory-leaks.patch b/queue-5.4/mm-slub-prevent-kmalloc_node-crashes-and-memory-leaks.patch new file mode 100644 index 00000000000..8412d6c8e84 --- /dev/null +++ b/queue-5.4/mm-slub-prevent-kmalloc_node-crashes-and-memory-leaks.patch @@ -0,0 +1,169 @@ +From 0715e6c516f106ed553828a671d30ad9a3431536 Mon Sep 17 00:00:00 2001 +From: Vlastimil Babka +Date: Sat, 21 Mar 2020 18:22:37 -0700 +Subject: mm, slub: prevent kmalloc_node crashes and memory leaks + +From: Vlastimil Babka + +commit 0715e6c516f106ed553828a671d30ad9a3431536 upstream. + +Sachin reports [1] a crash in SLUB __slab_alloc(): + + BUG: Kernel NULL pointer dereference on read at 0x000073b0 + Faulting instruction address: 0xc0000000003d55f4 + Oops: Kernel access of bad area, sig: 11 [#1] + LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries + Modules linked in: + CPU: 19 PID: 1 Comm: systemd Not tainted 5.6.0-rc2-next-20200218-autotest #1 + NIP: c0000000003d55f4 LR: c0000000003d5b94 CTR: 0000000000000000 + REGS: c0000008b37836d0 TRAP: 0300 Not tainted (5.6.0-rc2-next-20200218-autotest) + MSR: 8000000000009033 CR: 24004844 XER: 00000000 + CFAR: c00000000000dec4 DAR: 00000000000073b0 DSISR: 40000000 IRQMASK: 1 + GPR00: c0000000003d5b94 c0000008b3783960 c00000000155d400 c0000008b301f500 + GPR04: 0000000000000dc0 0000000000000002 c0000000003443d8 c0000008bb398620 + GPR08: 00000008ba2f0000 0000000000000001 0000000000000000 0000000000000000 + GPR12: 0000000024004844 c00000001ec52a00 0000000000000000 0000000000000000 + GPR16: c0000008a1b20048 c000000001595898 c000000001750c18 0000000000000002 + GPR20: c000000001750c28 c000000001624470 0000000fffffffe0 5deadbeef0000122 + GPR24: 0000000000000001 0000000000000dc0 0000000000000002 c0000000003443d8 + GPR28: c0000008b301f500 c0000008bb398620 0000000000000000 c00c000002287180 + NIP ___slab_alloc+0x1f4/0x760 + LR __slab_alloc+0x34/0x60 + Call Trace: + ___slab_alloc+0x334/0x760 (unreliable) + __slab_alloc+0x34/0x60 + __kmalloc_node+0x110/0x490 + kvmalloc_node+0x58/0x110 + mem_cgroup_css_online+0x108/0x270 + online_css+0x48/0xd0 + cgroup_apply_control_enable+0x2ec/0x4d0 + cgroup_mkdir+0x228/0x5f0 + kernfs_iop_mkdir+0x90/0xf0 + vfs_mkdir+0x110/0x230 + do_mkdirat+0xb0/0x1a0 + system_call+0x5c/0x68 + +This is a PowerPC platform with following NUMA topology: + + available: 2 nodes (0-1) + node 0 cpus: + node 0 size: 0 MB + node 0 free: 0 MB + node 1 cpus: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 + node 1 size: 35247 MB + node 1 free: 30907 MB + node distances: + node 0 1 + 0: 10 40 + 1: 40 10 + + possible numa nodes: 0-31 + +This only happens with a mmotm patch "mm/memcontrol.c: allocate +shrinker_map on appropriate NUMA node" [2] which effectively calls +kmalloc_node for each possible node. SLUB however only allocates +kmem_cache_node on online N_NORMAL_MEMORY nodes, and relies on +node_to_mem_node to return such valid node for other nodes since commit +a561ce00b09e ("slub: fall back to node_to_mem_node() node if allocating +on memoryless node"). This is however not true in this configuration +where the _node_numa_mem_ array is not initialized for nodes 0 and 2-31, +thus it contains zeroes and get_partial() ends up accessing +non-allocated kmem_cache_node. + +A related issue was reported by Bharata (originally by Ramachandran) [3] +where a similar PowerPC configuration, but with mainline kernel without +patch [2] ends up allocating large amounts of pages by kmalloc-1k +kmalloc-512. This seems to have the same underlying issue with +node_to_mem_node() not behaving as expected, and might probably also +lead to an infinite loop with CONFIG_SLUB_CPU_PARTIAL [4]. + +This patch should fix both issues by not relying on node_to_mem_node() +anymore and instead simply falling back to NUMA_NO_NODE, when +kmalloc_node(node) is attempted for a node that's not online, or has no +usable memory. The "usable memory" condition is also changed from +node_present_pages() to N_NORMAL_MEMORY node state, as that is exactly +the condition that SLUB uses to allocate kmem_cache_node structures. +The check in get_partial() is removed completely, as the checks in +___slab_alloc() are now sufficient to prevent get_partial() being +reached with an invalid node. + +[1] https://lore.kernel.org/linux-next/3381CD91-AB3D-4773-BA04-E7A072A63968@linux.vnet.ibm.com/ +[2] https://lore.kernel.org/linux-mm/fff0e636-4c36-ed10-281c-8cdb0687c839@virtuozzo.com/ +[3] https://lore.kernel.org/linux-mm/20200317092624.GB22538@in.ibm.com/ +[4] https://lore.kernel.org/linux-mm/088b5996-faae-8a56-ef9c-5b567125ae54@suse.cz/ + +Fixes: a561ce00b09e ("slub: fall back to node_to_mem_node() node if allocating on memoryless node") +Reported-by: Sachin Sant +Reported-by: PUVICHAKRAVARTHY RAMACHANDRAN +Signed-off-by: Vlastimil Babka +Signed-off-by: Andrew Morton +Tested-by: Sachin Sant +Tested-by: Bharata B Rao +Reviewed-by: Srikar Dronamraju +Cc: Mel Gorman +Cc: Michael Ellerman +Cc: Michal Hocko +Cc: Christopher Lameter +Cc: linuxppc-dev@lists.ozlabs.org +Cc: Joonsoo Kim +Cc: Pekka Enberg +Cc: David Rientjes +Cc: Kirill Tkhai +Cc: Vlastimil Babka +Cc: Nathan Lynch +Cc: +Link: http://lkml.kernel.org/r/20200320115533.9604-1-vbabka@suse.cz +Debugged-by: Srikar Dronamraju +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/slub.c | 26 +++++++++++++++++--------- + 1 file changed, 17 insertions(+), 9 deletions(-) + +--- a/mm/slub.c ++++ b/mm/slub.c +@@ -1953,8 +1953,6 @@ static void *get_partial(struct kmem_cac + + if (node == NUMA_NO_NODE) + searchnode = numa_mem_id(); +- else if (!node_present_pages(node)) +- searchnode = node_to_mem_node(node); + + object = get_partial_node(s, get_node(s, searchnode), c, flags); + if (object || node != NUMA_NO_NODE) +@@ -2543,17 +2541,27 @@ static void *___slab_alloc(struct kmem_c + struct page *page; + + page = c->page; +- if (!page) ++ if (!page) { ++ /* ++ * if the node is not online or has no normal memory, just ++ * ignore the node constraint ++ */ ++ if (unlikely(node != NUMA_NO_NODE && ++ !node_state(node, N_NORMAL_MEMORY))) ++ node = NUMA_NO_NODE; + goto new_slab; ++ } + redo: + + if (unlikely(!node_match(page, node))) { +- int searchnode = node; +- +- if (node != NUMA_NO_NODE && !node_present_pages(node)) +- searchnode = node_to_mem_node(node); +- +- if (unlikely(!node_match(page, searchnode))) { ++ /* ++ * same as above but node_match() being false already ++ * implies node != NUMA_NO_NODE ++ */ ++ if (!node_state(node, N_NORMAL_MEMORY)) { ++ node = NUMA_NO_NODE; ++ goto redo; ++ } else { + stat(s, ALLOC_NODE_MISMATCH); + deactivate_slab(s, page, c->freelist, c); + goto new_slab; diff --git a/queue-5.4/mmc-rtsx_pci-fix-support-for-speed-modes-that-relies-on-tuning.patch b/queue-5.4/mmc-rtsx_pci-fix-support-for-speed-modes-that-relies-on-tuning.patch new file mode 100644 index 00000000000..2bd832beeea --- /dev/null +++ b/queue-5.4/mmc-rtsx_pci-fix-support-for-speed-modes-that-relies-on-tuning.patch @@ -0,0 +1,97 @@ +From 4686392c32361c97e8434adf9cc77ad7991bfa81 Mon Sep 17 00:00:00 2001 +From: Ricky Wu +Date: Mon, 16 Mar 2020 10:52:32 +0800 +Subject: mmc: rtsx_pci: Fix support for speed-modes that relies on tuning + +From: Ricky Wu + +commit 4686392c32361c97e8434adf9cc77ad7991bfa81 upstream. + +The TX/RX register should not be treated the same way to allow for better +support of tuning. Fix this by using a default initial value for TX. + +Signed-off-by: Ricky Wu +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20200316025232.1167-1-ricky_wu@realtek.com +[Ulf: Updated changelog] +Signed-off-by: Ulf Hansson +Acked-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/cardreader/rts5227.c | 2 +- + drivers/misc/cardreader/rts5249.c | 2 ++ + drivers/misc/cardreader/rts5260.c | 2 +- + drivers/mmc/host/rtsx_pci_sdmmc.c | 13 ++++++++----- + 4 files changed, 12 insertions(+), 7 deletions(-) + +--- a/drivers/misc/cardreader/rts5227.c ++++ b/drivers/misc/cardreader/rts5227.c +@@ -394,7 +394,7 @@ static const struct pcr_ops rts522a_pcr_ + void rts522a_init_params(struct rtsx_pcr *pcr) + { + rts5227_init_params(pcr); +- ++ pcr->tx_initial_phase = SET_CLOCK_PHASE(20, 20, 11); + pcr->reg_pm_ctrl3 = RTS522A_PM_CTRL3; + + pcr->option.ocp_en = 1; +--- a/drivers/misc/cardreader/rts5249.c ++++ b/drivers/misc/cardreader/rts5249.c +@@ -618,6 +618,7 @@ static const struct pcr_ops rts524a_pcr_ + void rts524a_init_params(struct rtsx_pcr *pcr) + { + rts5249_init_params(pcr); ++ pcr->tx_initial_phase = SET_CLOCK_PHASE(27, 29, 11); + pcr->option.ltr_l1off_sspwrgate = LTR_L1OFF_SSPWRGATE_5250_DEF; + pcr->option.ltr_l1off_snooze_sspwrgate = + LTR_L1OFF_SNOOZE_SSPWRGATE_5250_DEF; +@@ -733,6 +734,7 @@ static const struct pcr_ops rts525a_pcr_ + void rts525a_init_params(struct rtsx_pcr *pcr) + { + rts5249_init_params(pcr); ++ pcr->tx_initial_phase = SET_CLOCK_PHASE(25, 29, 11); + pcr->option.ltr_l1off_sspwrgate = LTR_L1OFF_SSPWRGATE_5250_DEF; + pcr->option.ltr_l1off_snooze_sspwrgate = + LTR_L1OFF_SNOOZE_SSPWRGATE_5250_DEF; +--- a/drivers/misc/cardreader/rts5260.c ++++ b/drivers/misc/cardreader/rts5260.c +@@ -663,7 +663,7 @@ void rts5260_init_params(struct rtsx_pcr + pcr->sd30_drive_sel_1v8 = CFG_DRIVER_TYPE_B; + pcr->sd30_drive_sel_3v3 = CFG_DRIVER_TYPE_B; + pcr->aspm_en = ASPM_L1_EN; +- pcr->tx_initial_phase = SET_CLOCK_PHASE(1, 29, 16); ++ pcr->tx_initial_phase = SET_CLOCK_PHASE(27, 29, 11); + pcr->rx_initial_phase = SET_CLOCK_PHASE(24, 6, 5); + + pcr->ic_version = rts5260_get_ic_version(pcr); +--- a/drivers/mmc/host/rtsx_pci_sdmmc.c ++++ b/drivers/mmc/host/rtsx_pci_sdmmc.c +@@ -606,19 +606,22 @@ static int sd_change_phase(struct realte + u8 sample_point, bool rx) + { + struct rtsx_pcr *pcr = host->pcr; +- ++ u16 SD_VP_CTL = 0; + dev_dbg(sdmmc_dev(host), "%s(%s): sample_point = %d\n", + __func__, rx ? "RX" : "TX", sample_point); + + rtsx_pci_write_register(pcr, CLK_CTL, CHANGE_CLK, CHANGE_CLK); +- if (rx) ++ if (rx) { ++ SD_VP_CTL = SD_VPRX_CTL; + rtsx_pci_write_register(pcr, SD_VPRX_CTL, + PHASE_SELECT_MASK, sample_point); +- else ++ } else { ++ SD_VP_CTL = SD_VPTX_CTL; + rtsx_pci_write_register(pcr, SD_VPTX_CTL, + PHASE_SELECT_MASK, sample_point); +- rtsx_pci_write_register(pcr, SD_VPCLK0_CTL, PHASE_NOT_RESET, 0); +- rtsx_pci_write_register(pcr, SD_VPCLK0_CTL, PHASE_NOT_RESET, ++ } ++ rtsx_pci_write_register(pcr, SD_VP_CTL, PHASE_NOT_RESET, 0); ++ rtsx_pci_write_register(pcr, SD_VP_CTL, PHASE_NOT_RESET, + PHASE_NOT_RESET); + rtsx_pci_write_register(pcr, CLK_CTL, CHANGE_CLK, 0); + rtsx_pci_write_register(pcr, SD_CFG1, SD_ASYNC_FIFO_NOT_RST, 0); diff --git a/queue-5.4/mmc-sdhci-cadence-set-sdhci_quirk2_preset_value_broken-for-uniphier.patch b/queue-5.4/mmc-sdhci-cadence-set-sdhci_quirk2_preset_value_broken-for-uniphier.patch new file mode 100644 index 00000000000..c9d164e362d --- /dev/null +++ b/queue-5.4/mmc-sdhci-cadence-set-sdhci_quirk2_preset_value_broken-for-uniphier.patch @@ -0,0 +1,89 @@ +From 18b587b45c13bb6a07ed0edac15f06892593d07a Mon Sep 17 00:00:00 2001 +From: Masahiro Yamada +Date: Thu, 12 Mar 2020 19:42:57 +0900 +Subject: mmc: sdhci-cadence: set SDHCI_QUIRK2_PRESET_VALUE_BROKEN for UniPhier + +From: Masahiro Yamada + +commit 18b587b45c13bb6a07ed0edac15f06892593d07a upstream. + +The SDHCI_PRESET_FOR_* registers are not set for the UniPhier platform +integration. (They are all read as zeros). + +Set the SDHCI_QUIRK2_PRESET_VALUE_BROKEN quirk flag. Otherwise, the +High Speed DDR mode on the eMMC controller (MMC_TIMING_MMC_DDR52) +would not work. + +I split the platform data to give no impact to other platforms, +although the UniPhier platform is currently only the upstream user +of this IP. + +The SDHCI_QUIRK2_PRESET_VALUE_BROKEN flag is set if the compatible +string matches to "socionext,uniphier-sd4hc". + +Signed-off-by: Masahiro Yamada +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20200312104257.21017-1-yamada.masahiro@socionext.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/sdhci-cadence.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +--- a/drivers/mmc/host/sdhci-cadence.c ++++ b/drivers/mmc/host/sdhci-cadence.c +@@ -11,6 +11,7 @@ + #include + #include + #include ++#include + + #include "sdhci-pltfm.h" + +@@ -235,6 +236,11 @@ static const struct sdhci_ops sdhci_cdns + .set_uhs_signaling = sdhci_cdns_set_uhs_signaling, + }; + ++static const struct sdhci_pltfm_data sdhci_cdns_uniphier_pltfm_data = { ++ .ops = &sdhci_cdns_ops, ++ .quirks2 = SDHCI_QUIRK2_PRESET_VALUE_BROKEN, ++}; ++ + static const struct sdhci_pltfm_data sdhci_cdns_pltfm_data = { + .ops = &sdhci_cdns_ops, + }; +@@ -334,6 +340,7 @@ static void sdhci_cdns_hs400_enhanced_st + static int sdhci_cdns_probe(struct platform_device *pdev) + { + struct sdhci_host *host; ++ const struct sdhci_pltfm_data *data; + struct sdhci_pltfm_host *pltfm_host; + struct sdhci_cdns_priv *priv; + struct clk *clk; +@@ -350,8 +357,12 @@ static int sdhci_cdns_probe(struct platf + if (ret) + return ret; + ++ data = of_device_get_match_data(dev); ++ if (!data) ++ data = &sdhci_cdns_pltfm_data; ++ + nr_phy_params = sdhci_cdns_phy_param_count(dev->of_node); +- host = sdhci_pltfm_init(pdev, &sdhci_cdns_pltfm_data, ++ host = sdhci_pltfm_init(pdev, data, + struct_size(priv, phy_params, nr_phy_params)); + if (IS_ERR(host)) { + ret = PTR_ERR(host); +@@ -431,7 +442,10 @@ static const struct dev_pm_ops sdhci_cdn + }; + + static const struct of_device_id sdhci_cdns_match[] = { +- { .compatible = "socionext,uniphier-sd4hc" }, ++ { ++ .compatible = "socionext,uniphier-sd4hc", ++ .data = &sdhci_cdns_uniphier_pltfm_data, ++ }, + { .compatible = "cdns,sd4hc" }, + { /* sentinel */ } + }; diff --git a/queue-5.4/mmc-sdhci-of-at91-fix-cd-gpios-for-sama5d2.patch b/queue-5.4/mmc-sdhci-of-at91-fix-cd-gpios-for-sama5d2.patch new file mode 100644 index 00000000000..0568e845deb --- /dev/null +++ b/queue-5.4/mmc-sdhci-of-at91-fix-cd-gpios-for-sama5d2.patch @@ -0,0 +1,56 @@ +From 53dd0a7cd65edc83b0c243d1c08377c8b876b2ee Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micha=C5=82=20Miros=C5=82aw?= +Date: Sun, 15 Mar 2020 17:44:25 +0100 +Subject: mmc: sdhci-of-at91: fix cd-gpios for SAMA5D2 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michał Mirosław + +commit 53dd0a7cd65edc83b0c243d1c08377c8b876b2ee upstream. + +SAMA5D2x doesn't drive CMD line if GPIO is used as CD line (at least +SAMA5D27 doesn't). Fix this by forcing card-detect in the module +if module-controlled CD is not used. + +Fixed commit addresses the problem only for non-removable cards. This +amends it to also cover gpio-cd case. + +Cc: stable@vger.kernel.org +Fixes: 7a1e3f143176 ("mmc: sdhci-of-at91: force card detect value for non removable devices") +Signed-off-by: Michał Mirosław +Acked-by: Adrian Hunter +Link: https://lore.kernel.org/r/8d10950d9940468577daef4772b82a071b204716.1584290561.git.mirq-linux@rere.qmqm.pl +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/sdhci-of-at91.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/mmc/host/sdhci-of-at91.c ++++ b/drivers/mmc/host/sdhci-of-at91.c +@@ -118,7 +118,8 @@ static void sdhci_at91_reset(struct sdhc + { + sdhci_reset(host, mask); + +- if (host->mmc->caps & MMC_CAP_NONREMOVABLE) ++ if ((host->mmc->caps & MMC_CAP_NONREMOVABLE) ++ || mmc_gpio_get_cd(host->mmc) >= 0) + sdhci_at91_set_force_card_detect(host); + } + +@@ -397,8 +398,11 @@ static int sdhci_at91_probe(struct platf + * detection procedure using the SDMCC_CD signal is bypassed. + * This bit is reset when a software reset for all command is performed + * so we need to implement our own reset function to set back this bit. ++ * ++ * WA: SAMA5D2 doesn't drive CMD if using CD GPIO line. + */ +- if (host->mmc->caps & MMC_CAP_NONREMOVABLE) ++ if ((host->mmc->caps & MMC_CAP_NONREMOVABLE) ++ || mmc_gpio_get_cd(host->mmc) >= 0) + sdhci_at91_set_force_card_detect(host); + + pm_runtime_put_autosuspend(&pdev->dev); diff --git a/queue-5.4/modpost-move-the-namespace-field-in-module.symvers-last.patch b/queue-5.4/modpost-move-the-namespace-field-in-module.symvers-last.patch new file mode 100644 index 00000000000..7cc689b1134 --- /dev/null +++ b/queue-5.4/modpost-move-the-namespace-field-in-module.symvers-last.patch @@ -0,0 +1,126 @@ +From 5190044c2965514a973184ca68ef5fad57a24670 Mon Sep 17 00:00:00 2001 +From: Jessica Yu +Date: Wed, 11 Mar 2020 18:01:20 +0100 +Subject: modpost: move the namespace field in Module.symvers last + +From: Jessica Yu + +commit 5190044c2965514a973184ca68ef5fad57a24670 upstream. + +In order to preserve backwards compatability with kmod tools, we have to +move the namespace field in Module.symvers last, as the depmod -e -E +option looks at the first three fields in Module.symvers to check symbol +versions (and it's expected they stay in the original order of crc, +symbol, module). + +In addition, update an ancient comment above read_dump() in modpost that +suggested that the export type field in Module.symvers was optional. I +suspect that there were historical reasons behind that comment that are +no longer accurate. We have been unconditionally printing the export +type since 2.6.18 (commit bd5cbcedf44), which is over a decade ago now. + +Fix up read_dump() to treat each field as non-optional. I suspect the +original read_dump() code treated the export field as optional in order +to support pre <= 2.6.18 Module.symvers (which did not have the export +type field). Note that although symbol namespaces are optional, the +field will not be omitted from Module.symvers if a symbol does not have +a namespace. In this case, the field will simply be empty and the next +delimiter or end of line will follow. + +Cc: stable@vger.kernel.org +Fixes: cb9b55d21fe0 ("modpost: add support for symbol namespaces") +Tested-by: Matthias Maennich +Reviewed-by: Matthias Maennich +Reviewed-by: Lucas De Marchi +Signed-off-by: Jessica Yu +Signed-off-by: Masahiro Yamada +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/kbuild/modules.rst | 4 ++-- + scripts/export_report.pl | 2 +- + scripts/mod/modpost.c | 24 ++++++++++++------------ + 3 files changed, 15 insertions(+), 15 deletions(-) + +--- a/Documentation/kbuild/modules.rst ++++ b/Documentation/kbuild/modules.rst +@@ -470,9 +470,9 @@ build. + + The syntax of the Module.symvers file is:: + +- ++ + +- 0xe1cc2a05 usb_stor_suspend USB_STORAGE drivers/usb/storage/usb-storage EXPORT_SYMBOL_GPL ++ 0xe1cc2a05 usb_stor_suspend drivers/usb/storage/usb-storage EXPORT_SYMBOL_GPL USB_STORAGE + + The fields are separated by tabs and values may be empty (e.g. + if no namespace is defined for an exported symbol). +--- a/scripts/export_report.pl ++++ b/scripts/export_report.pl +@@ -94,7 +94,7 @@ if (defined $opt{'o'}) { + # + while ( <$module_symvers> ) { + chomp; +- my (undef, $symbol, $namespace, $module, $gpl) = split('\t'); ++ my (undef, $symbol, $module, $gpl, $namespace) = split('\t'); + $SYMBOL { $symbol } = [ $module , "0" , $symbol, $gpl]; + } + close($module_symvers); +--- a/scripts/mod/modpost.c ++++ b/scripts/mod/modpost.c +@@ -2434,7 +2434,7 @@ static void write_if_changed(struct buff + } + + /* parse Module.symvers file. line format: +- * 0x12345678symbolmodule[[export]something] ++ * 0x12345678symbolmoduleexportnamespace + **/ + static void read_dump(const char *fname, unsigned int kernel) + { +@@ -2447,7 +2447,7 @@ static void read_dump(const char *fname, + return; + + while ((line = get_next_line(&pos, file, size))) { +- char *symname, *namespace, *modname, *d, *export, *end; ++ char *symname, *namespace, *modname, *d, *export; + unsigned int crc; + struct module *mod; + struct symbol *s; +@@ -2455,16 +2455,16 @@ static void read_dump(const char *fname, + if (!(symname = strchr(line, '\t'))) + goto fail; + *symname++ = '\0'; +- if (!(namespace = strchr(symname, '\t'))) +- goto fail; +- *namespace++ = '\0'; +- if (!(modname = strchr(namespace, '\t'))) ++ if (!(modname = strchr(symname, '\t'))) + goto fail; + *modname++ = '\0'; +- if ((export = strchr(modname, '\t')) != NULL) +- *export++ = '\0'; +- if (export && ((end = strchr(export, '\t')) != NULL)) +- *end = '\0'; ++ if (!(export = strchr(modname, '\t'))) ++ goto fail; ++ *export++ = '\0'; ++ if (!(namespace = strchr(export, '\t'))) ++ goto fail; ++ *namespace++ = '\0'; ++ + crc = strtoul(line, &d, 16); + if (*symname == '\0' || *modname == '\0' || *d != '\0') + goto fail; +@@ -2516,9 +2516,9 @@ static void write_dump(const char *fname + namespace = symbol->namespace; + buf_printf(&buf, "0x%08x\t%s\t%s\t%s\t%s\n", + symbol->crc, symbol->name, +- namespace ? namespace : "", + symbol->module->name, +- export_str(symbol->export)); ++ export_str(symbol->export), ++ namespace ? namespace : ""); + } + symbol = symbol->next; + } diff --git a/queue-5.4/page-flags-fix-a-crash-at-setpageerror-thp_swap.patch b/queue-5.4/page-flags-fix-a-crash-at-setpageerror-thp_swap.patch new file mode 100644 index 00000000000..14475cad8cc --- /dev/null +++ b/queue-5.4/page-flags-fix-a-crash-at-setpageerror-thp_swap.patch @@ -0,0 +1,66 @@ +From d72520ad004a8ce18a6ba6cde317f0081b27365a Mon Sep 17 00:00:00 2001 +From: Qian Cai +Date: Sat, 21 Mar 2020 18:22:17 -0700 +Subject: page-flags: fix a crash at SetPageError(THP_SWAP) + +From: Qian Cai + +commit d72520ad004a8ce18a6ba6cde317f0081b27365a upstream. + +Commit bd4c82c22c36 ("mm, THP, swap: delay splitting THP after swapped +out") supported writing THP to a swap device but forgot to upgrade an +older commit df8c94d13c7e ("page-flags: define behavior of FS/IO-related +flags on compound pages") which could trigger a crash during THP +swapping out with DEBUG_VM_PGFLAGS=y, + + kernel BUG at include/linux/page-flags.h:317! + + page dumped because: VM_BUG_ON_PAGE(1 && PageCompound(page)) + page:fffff3b2ec3a8000 refcount:512 mapcount:0 mapping:000000009eb0338c index:0x7f6e58200 head:fffff3b2ec3a8000 order:9 compound_mapcount:0 compound_pincount:0 + anon flags: 0x45fffe0000d8454(uptodate|lru|workingset|owner_priv_1|writeback|head|reclaim|swapbacked) + + end_swap_bio_write() + SetPageError(page) + VM_BUG_ON_PAGE(1 && PageCompound(page)) + + + bio_endio+0x297/0x560 + dec_pending+0x218/0x430 [dm_mod] + clone_endio+0xe4/0x2c0 [dm_mod] + bio_endio+0x297/0x560 + blk_update_request+0x201/0x920 + scsi_end_request+0x6b/0x4b0 + scsi_io_completion+0x509/0x7e0 + scsi_finish_command+0x1ed/0x2a0 + scsi_softirq_done+0x1c9/0x1d0 + __blk_mqnterrupt+0xf/0x20 + + +Fix by checking PF_NO_TAIL in those places instead. + +Fixes: bd4c82c22c36 ("mm, THP, swap: delay splitting THP after swapped out") +Signed-off-by: Qian Cai +Signed-off-by: Andrew Morton +Reviewed-by: David Hildenbrand +Acked-by: "Huang, Ying" +Acked-by: Rafael Aquini +Cc: +Link: http://lkml.kernel.org/r/20200310235846.1319-1-cai@lca.pw +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/page-flags.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/linux/page-flags.h ++++ b/include/linux/page-flags.h +@@ -311,7 +311,7 @@ static inline int TestClearPage##uname(s + + __PAGEFLAG(Locked, locked, PF_NO_TAIL) + PAGEFLAG(Waiters, waiters, PF_ONLY_HEAD) __CLEARPAGEFLAG(Waiters, waiters, PF_ONLY_HEAD) +-PAGEFLAG(Error, error, PF_NO_COMPOUND) TESTCLEARFLAG(Error, error, PF_NO_COMPOUND) ++PAGEFLAG(Error, error, PF_NO_TAIL) TESTCLEARFLAG(Error, error, PF_NO_TAIL) + PAGEFLAG(Referenced, referenced, PF_HEAD) + TESTCLEARFLAG(Referenced, referenced, PF_HEAD) + __SETPAGEFLAG(Referenced, referenced, PF_HEAD) diff --git a/queue-5.4/rtc-max8907-add-missing-select-regmap_irq.patch b/queue-5.4/rtc-max8907-add-missing-select-regmap_irq.patch new file mode 100644 index 00000000000..03b5a2e9694 --- /dev/null +++ b/queue-5.4/rtc-max8907-add-missing-select-regmap_irq.patch @@ -0,0 +1,36 @@ +From 5d892919fdd0cefd361697472d4e1b174a594991 Mon Sep 17 00:00:00 2001 +From: Corentin Labbe +Date: Wed, 18 Mar 2020 15:26:49 +0000 +Subject: rtc: max8907: add missing select REGMAP_IRQ + +From: Corentin Labbe + +commit 5d892919fdd0cefd361697472d4e1b174a594991 upstream. + +I have hit the following build error: + + armv7a-hardfloat-linux-gnueabi-ld: drivers/rtc/rtc-max8907.o: in function `max8907_rtc_probe': + rtc-max8907.c:(.text+0x400): undefined reference to `regmap_irq_get_virq' + +max8907 should select REGMAP_IRQ + +Fixes: 94c01ab6d7544 ("rtc: add MAX8907 RTC driver") +Cc: stable +Signed-off-by: Corentin Labbe +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/rtc/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/rtc/Kconfig ++++ b/drivers/rtc/Kconfig +@@ -327,6 +327,7 @@ config RTC_DRV_MAX6900 + config RTC_DRV_MAX8907 + tristate "Maxim MAX8907" + depends on MFD_MAX8907 || COMPILE_TEST ++ select REGMAP_IRQ + help + If you say yes here you will get support for the + RTC of Maxim MAX8907 PMIC. diff --git a/queue-5.4/series b/queue-5.4/series index 0730a7acead..9ee46737645 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -51,3 +51,43 @@ alsa-seq-virmidi-fix-running-status-after-receiving-sysex.patch alsa-seq-oss-fix-running-status-after-receiving-sysex.patch alsa-pcm-oss-avoid-plugin-buffer-overflow.patch alsa-pcm-oss-remove-warning-from-snd_pcm_plug_alloc-checks.patch +tty-fix-compat-tiocgserial-leaking-uninitialized-memory.patch +tty-fix-compat-tiocgserial-checking-wrong-function-ptr.patch +iio-chemical-sps30-fix-missing-triggered-buffer-dependency.patch +iio-st_sensors-remap-smo8840-to-lis2dh12.patch +iio-trigger-stm32-timer-disable-master-mode-when-stopping.patch +iio-accel-adxl372-set-iio_chan-be.patch +iio-magnetometer-ak8974-fix-negative-raw-values-in-sysfs.patch +iio-adc-stm32-dfsdm-fix-sleep-in-atomic-context.patch +iio-adc-at91-sama5d2_adc-fix-differential-channels-in-triggered-mode.patch +iio-light-vcnl4000-update-sampling-periods-for-vcnl4200.patch +iio-light-vcnl4000-update-sampling-periods-for-vcnl4040.patch +mmc-rtsx_pci-fix-support-for-speed-modes-that-relies-on-tuning.patch +mmc-sdhci-of-at91-fix-cd-gpios-for-sama5d2.patch +mmc-sdhci-cadence-set-sdhci_quirk2_preset_value_broken-for-uniphier.patch +cifs-fiemap-do-not-return-einval-if-get-nothing.patch +kbuild-disable-wpointer-to-enum-cast.patch +staging-rtl8188eu-add-device-id-for-mercusys-mw150us-v2.patch +staging-greybus-loopback_test-fix-poll-mask-build-breakage.patch +staging-speakup-fix-get_word-non-space-look-ahead.patch +intel_th-msu-fix-the-unexpected-state-warning.patch +intel_th-fix-user-visible-error-codes.patch +intel_th-pci-add-elkhart-lake-cpu-support.patch +modpost-move-the-namespace-field-in-module.symvers-last.patch +rtc-max8907-add-missing-select-regmap_irq.patch +arm64-compat-fix-syscall-number-of-compat_clock_getres.patch +xhci-do-not-open-code-__print_symbolic-in-xhci-trace-events.patch +btrfs-fix-log-context-list-corruption-after-rename-whiteout-error.patch +drm-amd-amdgpu-fix-gpr-read-from-debugfs-v2.patch +drm-lease-fix-warning-in-idr_destroy.patch +stm-class-sys-t-fix-the-use-of-time_after.patch +memcg-fix-null-pointer-dereference-in-__mem_cgroup_usage_unregister_event.patch +mm-memcg-fix-corruption-on-64-bit-divisor-in-memory.high-throttling.patch +mm-memcg-throttle-allocators-based-on-ancestral-memory.high.patch +mm-hotplug-fix-hot-remove-failure-in-sparsemem-vmemmap-case.patch +mm-do-not-allow-madv_pageout-for-cow-pages.patch +epoll-fix-possible-lost-wakeup-on-epoll_ctl-path.patch +mm-slub-be-more-careful-about-the-double-cmpxchg-of-freelist.patch +mm-slub-prevent-kmalloc_node-crashes-and-memory-leaks.patch +page-flags-fix-a-crash-at-setpageerror-thp_swap.patch +x86-mm-split-vmalloc_sync_all.patch diff --git a/queue-5.4/staging-greybus-loopback_test-fix-poll-mask-build-breakage.patch b/queue-5.4/staging-greybus-loopback_test-fix-poll-mask-build-breakage.patch new file mode 100644 index 00000000000..3512d085d6f --- /dev/null +++ b/queue-5.4/staging-greybus-loopback_test-fix-poll-mask-build-breakage.patch @@ -0,0 +1,43 @@ +From 8f3675be4bda33adbdc1dd2ab3b6c76a7599a79e Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 12 Mar 2020 12:01:49 +0100 +Subject: staging: greybus: loopback_test: fix poll-mask build breakage + +From: Johan Hovold + +commit 8f3675be4bda33adbdc1dd2ab3b6c76a7599a79e upstream. + +A scripted conversion from userland POLL* to kernel EPOLL* constants +mistakingly replaced the poll flags in the loopback_test tool, which +therefore no longer builds. + +Fixes: a9a08845e9ac ("vfs: do bulk POLL* -> EPOLL* replacement") +Cc: stable # 4.16 +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20200312110151.22028-2-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/greybus/tools/loopback_test.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/staging/greybus/tools/loopback_test.c ++++ b/drivers/staging/greybus/tools/loopback_test.c +@@ -655,7 +655,7 @@ static int open_poll_files(struct loopba + goto err; + } + read(t->fds[fds_idx].fd, &dummy, 1); +- t->fds[fds_idx].events = EPOLLERR|EPOLLPRI; ++ t->fds[fds_idx].events = POLLERR | POLLPRI; + t->fds[fds_idx].revents = 0; + fds_idx++; + } +@@ -748,7 +748,7 @@ static int wait_for_complete(struct loop + } + + for (i = 0; i < t->poll_count; i++) { +- if (t->fds[i].revents & EPOLLPRI) { ++ if (t->fds[i].revents & POLLPRI) { + /* Dummy read to clear the event */ + read(t->fds[i].fd, &dummy, 1); + number_of_events++; diff --git a/queue-5.4/staging-rtl8188eu-add-device-id-for-mercusys-mw150us-v2.patch b/queue-5.4/staging-rtl8188eu-add-device-id-for-mercusys-mw150us-v2.patch new file mode 100644 index 00000000000..2d0ef734c38 --- /dev/null +++ b/queue-5.4/staging-rtl8188eu-add-device-id-for-mercusys-mw150us-v2.patch @@ -0,0 +1,32 @@ +From bb5786b9286c253557a0115bc8d21879e61b7b94 Mon Sep 17 00:00:00 2001 +From: Michael Straube +Date: Thu, 12 Mar 2020 10:36:52 +0100 +Subject: staging: rtl8188eu: Add device id for MERCUSYS MW150US v2 + +From: Michael Straube + +commit bb5786b9286c253557a0115bc8d21879e61b7b94 upstream. + +This device was added to the stand-alone driver on github. +Add it to the staging driver as well. + +Link: https://github.com/lwfinger/rtl8188eu/commit/2141f244c3e7 +Signed-off-by: Michael Straube +Cc: stable +Link: https://lore.kernel.org/r/20200312093652.13918-1-straube.linux@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/rtl8188eu/os_dep/usb_intf.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/staging/rtl8188eu/os_dep/usb_intf.c ++++ b/drivers/staging/rtl8188eu/os_dep/usb_intf.c +@@ -38,6 +38,7 @@ static const struct usb_device_id rtw_us + {USB_DEVICE(0x2001, 0x331B)}, /* D-Link DWA-121 rev B1 */ + {USB_DEVICE(0x2357, 0x010c)}, /* TP-Link TL-WN722N v2 */ + {USB_DEVICE(0x2357, 0x0111)}, /* TP-Link TL-WN727N v5.21 */ ++ {USB_DEVICE(0x2C4E, 0x0102)}, /* MERCUSYS MW150US v2 */ + {USB_DEVICE(0x0df6, 0x0076)}, /* Sitecom N150 v2 */ + {USB_DEVICE(USB_VENDER_ID_REALTEK, 0xffef)}, /* Rosewill RNX-N150NUB */ + {} /* Terminating entry */ diff --git a/queue-5.4/staging-speakup-fix-get_word-non-space-look-ahead.patch b/queue-5.4/staging-speakup-fix-get_word-non-space-look-ahead.patch new file mode 100644 index 00000000000..7cbe0156aa0 --- /dev/null +++ b/queue-5.4/staging-speakup-fix-get_word-non-space-look-ahead.patch @@ -0,0 +1,43 @@ +From 9d32c0cde4e2d1343dfb88a67b2ec6397705b32b Mon Sep 17 00:00:00 2001 +From: Samuel Thibault +Date: Fri, 6 Mar 2020 01:30:47 +0100 +Subject: staging/speakup: fix get_word non-space look-ahead + +From: Samuel Thibault + +commit 9d32c0cde4e2d1343dfb88a67b2ec6397705b32b upstream. + +get_char was erroneously given the address of the pointer to the text +instead of the address of the text, thus leading to random crashes when +the user requests speaking a word while the current position is on a space +character and say_word_ctl is not enabled. + +Reported-on: https://github.com/bytefire/speakup/issues/1 +Reported-by: Kirk Reiser +Reported-by: Janina Sajka +Reported-by: Alexandr Epaneshnikov +Reported-by: Gregory Nowak +Reported-by: deedra waters +Signed-off-by: Samuel Thibault +Tested-by: Alexandr Epaneshnikov +Tested-by: Gregory Nowak +Tested-by: Michael Taboada +Cc: stable +Link: https://lore.kernel.org/r/20200306003047.thijtmqrnayd3dmw@function +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/speakup/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/speakup/main.c ++++ b/drivers/staging/speakup/main.c +@@ -561,7 +561,7 @@ static u_long get_word(struct vc_data *v + return 0; + } else if (tmpx < vc->vc_cols - 2 && + (ch == SPACE || ch == 0 || (ch < 0x100 && IS_WDLM(ch))) && +- get_char(vc, (u_short *)&tmp_pos + 1, &temp) > SPACE) { ++ get_char(vc, (u_short *)tmp_pos + 1, &temp) > SPACE) { + tmp_pos += 2; + tmpx++; + } else { diff --git a/queue-5.4/stm-class-sys-t-fix-the-use-of-time_after.patch b/queue-5.4/stm-class-sys-t-fix-the-use-of-time_after.patch new file mode 100644 index 00000000000..e664eced4f4 --- /dev/null +++ b/queue-5.4/stm-class-sys-t-fix-the-use-of-time_after.patch @@ -0,0 +1,46 @@ +From 283f87c0d5d32b4a5c22636adc559bca82196ed3 Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Tue, 17 Mar 2020 08:22:11 +0200 +Subject: stm class: sys-t: Fix the use of time_after() + +From: Alexander Shishkin + +commit 283f87c0d5d32b4a5c22636adc559bca82196ed3 upstream. + +The operands of time_after() are in a wrong order in both instances in +the sys-t driver. Fix that. + +Signed-off-by: Alexander Shishkin +Reviewed-by: Andy Shevchenko +Fixes: 39f10239df75 ("stm class: p_sys-t: Add support for CLOCKSYNC packets") +Fixes: d69d5e83110f ("stm class: Add MIPI SyS-T protocol support") +Cc: stable@vger.kernel.org # v4.20+ +Link: https://lore.kernel.org/r/20200317062215.15598-3-alexander.shishkin@linux.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwtracing/stm/p_sys-t.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/hwtracing/stm/p_sys-t.c ++++ b/drivers/hwtracing/stm/p_sys-t.c +@@ -238,7 +238,7 @@ static struct configfs_attribute *sys_t_ + static inline bool sys_t_need_ts(struct sys_t_output *op) + { + if (op->node.ts_interval && +- time_after(op->ts_jiffies + op->node.ts_interval, jiffies)) { ++ time_after(jiffies, op->ts_jiffies + op->node.ts_interval)) { + op->ts_jiffies = jiffies; + + return true; +@@ -250,8 +250,8 @@ static inline bool sys_t_need_ts(struct + static bool sys_t_need_clock_sync(struct sys_t_output *op) + { + if (op->node.clocksync_interval && +- time_after(op->clocksync_jiffies + op->node.clocksync_interval, +- jiffies)) { ++ time_after(jiffies, ++ op->clocksync_jiffies + op->node.clocksync_interval)) { + op->clocksync_jiffies = jiffies; + + return true; diff --git a/queue-5.4/tty-fix-compat-tiocgserial-checking-wrong-function-ptr.patch b/queue-5.4/tty-fix-compat-tiocgserial-checking-wrong-function-ptr.patch new file mode 100644 index 00000000000..15607f8f683 --- /dev/null +++ b/queue-5.4/tty-fix-compat-tiocgserial-checking-wrong-function-ptr.patch @@ -0,0 +1,40 @@ +From 6e622cd8bd888c7fa3ee2b7dfb3514ab53b21570 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Mon, 24 Feb 2020 10:20:44 -0800 +Subject: tty: fix compat TIOCGSERIAL checking wrong function ptr + +From: Eric Biggers + +commit 6e622cd8bd888c7fa3ee2b7dfb3514ab53b21570 upstream. + +Commit 77654350306a ("take compat TIOC[SG]SERIAL treatment into +tty_compat_ioctl()") changed the compat version of TIOCGSERIAL to start +checking for the presence of the ->set_serial function pointer rather +than ->get_serial. This appears to be a copy-and-paste error, since +->get_serial is the function pointer that is called as well as the +pointer that is checked by the non-compat version of TIOCGSERIAL. + +Fix this by checking the correct function pointer. + +Fixes: 77654350306a ("take compat TIOC[SG]SERIAL treatment into tty_compat_ioctl()") +Cc: # v4.20+ +Signed-off-by: Eric Biggers +Acked-by: Jiri Slaby +Link: https://lore.kernel.org/r/20200224182044.234553-3-ebiggers@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/tty_io.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/tty/tty_io.c ++++ b/drivers/tty/tty_io.c +@@ -2735,7 +2735,7 @@ static int compat_tty_tiocgserial(struct + memset(&v, 0, sizeof(v)); + memset(&v32, 0, sizeof(v32)); + +- if (!tty->ops->set_serial) ++ if (!tty->ops->get_serial) + return -ENOTTY; + err = tty->ops->get_serial(tty, &v); + if (!err) { diff --git a/queue-5.4/tty-fix-compat-tiocgserial-leaking-uninitialized-memory.patch b/queue-5.4/tty-fix-compat-tiocgserial-leaking-uninitialized-memory.patch new file mode 100644 index 00000000000..d0c6230b8d2 --- /dev/null +++ b/queue-5.4/tty-fix-compat-tiocgserial-leaking-uninitialized-memory.patch @@ -0,0 +1,44 @@ +From 17329563a97df3ba474eca5037c1336e46e14ff8 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Mon, 24 Feb 2020 10:20:43 -0800 +Subject: tty: fix compat TIOCGSERIAL leaking uninitialized memory + +From: Eric Biggers + +commit 17329563a97df3ba474eca5037c1336e46e14ff8 upstream. + +Commit 77654350306a ("take compat TIOC[SG]SERIAL treatment into +tty_compat_ioctl()") changed the compat version of TIOCGSERIAL to start +copying a whole 'serial_struct32' to userspace rather than individual +fields, but failed to initialize all padding and fields -- namely the +hole after the 'iomem_reg_shift' field, and the 'reserved' field. + +Fix this by initializing the struct to zero. + +[v2: use sizeof, and convert the adjacent line for consistency.] + +Reported-by: syzbot+8da9175e28eadcb203ce@syzkaller.appspotmail.com +Fixes: 77654350306a ("take compat TIOC[SG]SERIAL treatment into tty_compat_ioctl()") +Cc: # v4.20+ +Signed-off-by: Eric Biggers +Acked-by: Jiri Slaby +Link: https://lore.kernel.org/r/20200224182044.234553-2-ebiggers@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/tty_io.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/tty/tty_io.c ++++ b/drivers/tty/tty_io.c +@@ -2731,7 +2731,9 @@ static int compat_tty_tiocgserial(struct + struct serial_struct32 v32; + struct serial_struct v; + int err; +- memset(&v, 0, sizeof(struct serial_struct)); ++ ++ memset(&v, 0, sizeof(v)); ++ memset(&v32, 0, sizeof(v32)); + + if (!tty->ops->set_serial) + return -ENOTTY; diff --git a/queue-5.4/x86-mm-split-vmalloc_sync_all.patch b/queue-5.4/x86-mm-split-vmalloc_sync_all.patch new file mode 100644 index 00000000000..fbf4c35df41 --- /dev/null +++ b/queue-5.4/x86-mm-split-vmalloc_sync_all.patch @@ -0,0 +1,205 @@ +From 763802b53a427ed3cbd419dbba255c414fdd9e7c Mon Sep 17 00:00:00 2001 +From: Joerg Roedel +Date: Sat, 21 Mar 2020 18:22:41 -0700 +Subject: x86/mm: split vmalloc_sync_all() + +From: Joerg Roedel + +commit 763802b53a427ed3cbd419dbba255c414fdd9e7c upstream. + +Commit 3f8fd02b1bf1 ("mm/vmalloc: Sync unmappings in +__purge_vmap_area_lazy()") introduced a call to vmalloc_sync_all() in +the vunmap() code-path. While this change was necessary to maintain +correctness on x86-32-pae kernels, it also adds additional cycles for +architectures that don't need it. + +Specifically on x86-64 with CONFIG_VMAP_STACK=y some people reported +severe performance regressions in micro-benchmarks because it now also +calls the x86-64 implementation of vmalloc_sync_all() on vunmap(). But +the vmalloc_sync_all() implementation on x86-64 is only needed for newly +created mappings. + +To avoid the unnecessary work on x86-64 and to gain the performance +back, split up vmalloc_sync_all() into two functions: + + * vmalloc_sync_mappings(), and + * vmalloc_sync_unmappings() + +Most call-sites to vmalloc_sync_all() only care about new mappings being +synchronized. The only exception is the new call-site added in the +above mentioned commit. + +Shile Zhang directed us to a report of an 80% regression in reaim +throughput. + +Fixes: 3f8fd02b1bf1 ("mm/vmalloc: Sync unmappings in __purge_vmap_area_lazy()") +Reported-by: kernel test robot +Reported-by: Shile Zhang +Signed-off-by: Joerg Roedel +Signed-off-by: Andrew Morton +Tested-by: Borislav Petkov +Acked-by: Rafael J. Wysocki [GHES] +Cc: Dave Hansen +Cc: Andy Lutomirski +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: Ingo Molnar +Cc: +Link: http://lkml.kernel.org/r/20191009124418.8286-1-joro@8bytes.org +Link: https://lists.01.org/hyperkitty/list/lkp@lists.01.org/thread/4D3JPPHBNOSPFK2KEPC6KGKS6J25AIDB/ +Link: http://lkml.kernel.org/r/20191113095530.228959-1-shile.zhang@linux.alibaba.com +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/mm/fault.c | 26 ++++++++++++++++++++++++-- + drivers/acpi/apei/ghes.c | 2 +- + include/linux/vmalloc.h | 5 +++-- + kernel/notifier.c | 2 +- + mm/nommu.c | 10 +++++++--- + mm/vmalloc.c | 11 +++++++---- + 6 files changed, 43 insertions(+), 13 deletions(-) + +--- a/arch/x86/mm/fault.c ++++ b/arch/x86/mm/fault.c +@@ -189,7 +189,7 @@ static inline pmd_t *vmalloc_sync_one(pg + return pmd_k; + } + +-void vmalloc_sync_all(void) ++static void vmalloc_sync(void) + { + unsigned long address; + +@@ -216,6 +216,16 @@ void vmalloc_sync_all(void) + } + } + ++void vmalloc_sync_mappings(void) ++{ ++ vmalloc_sync(); ++} ++ ++void vmalloc_sync_unmappings(void) ++{ ++ vmalloc_sync(); ++} ++ + /* + * 32-bit: + * +@@ -318,11 +328,23 @@ out: + + #else /* CONFIG_X86_64: */ + +-void vmalloc_sync_all(void) ++void vmalloc_sync_mappings(void) + { ++ /* ++ * 64-bit mappings might allocate new p4d/pud pages ++ * that need to be propagated to all tasks' PGDs. ++ */ + sync_global_pgds(VMALLOC_START & PGDIR_MASK, VMALLOC_END); + } + ++void vmalloc_sync_unmappings(void) ++{ ++ /* ++ * Unmappings never allocate or free p4d/pud pages. ++ * No work is required here. ++ */ ++} ++ + /* + * 64-bit: + * +--- a/drivers/acpi/apei/ghes.c ++++ b/drivers/acpi/apei/ghes.c +@@ -171,7 +171,7 @@ int ghes_estatus_pool_init(int num_ghes) + * New allocation must be visible in all pgd before it can be found by + * an NMI allocating from the pool. + */ +- vmalloc_sync_all(); ++ vmalloc_sync_mappings(); + + rc = gen_pool_add(ghes_estatus_pool, addr, PAGE_ALIGN(len), -1); + if (rc) +--- a/include/linux/vmalloc.h ++++ b/include/linux/vmalloc.h +@@ -126,8 +126,9 @@ extern int remap_vmalloc_range_partial(s + + extern int remap_vmalloc_range(struct vm_area_struct *vma, void *addr, + unsigned long pgoff); +-void vmalloc_sync_all(void); +- ++void vmalloc_sync_mappings(void); ++void vmalloc_sync_unmappings(void); ++ + /* + * Lowlevel-APIs (not for driver use!) + */ +--- a/kernel/notifier.c ++++ b/kernel/notifier.c +@@ -554,7 +554,7 @@ NOKPROBE_SYMBOL(notify_die); + + int register_die_notifier(struct notifier_block *nb) + { +- vmalloc_sync_all(); ++ vmalloc_sync_mappings(); + return atomic_notifier_chain_register(&die_chain, nb); + } + EXPORT_SYMBOL_GPL(register_die_notifier); +--- a/mm/nommu.c ++++ b/mm/nommu.c +@@ -359,10 +359,14 @@ void vm_unmap_aliases(void) + EXPORT_SYMBOL_GPL(vm_unmap_aliases); + + /* +- * Implement a stub for vmalloc_sync_all() if the architecture chose not to +- * have one. ++ * Implement a stub for vmalloc_sync_[un]mapping() if the architecture ++ * chose not to have one. + */ +-void __weak vmalloc_sync_all(void) ++void __weak vmalloc_sync_mappings(void) ++{ ++} ++ ++void __weak vmalloc_sync_unmappings(void) + { + } + +--- a/mm/vmalloc.c ++++ b/mm/vmalloc.c +@@ -1259,7 +1259,7 @@ static bool __purge_vmap_area_lazy(unsig + * First make sure the mappings are removed from all page-tables + * before they are freed. + */ +- vmalloc_sync_all(); ++ vmalloc_sync_unmappings(); + + /* + * TODO: to calculate a flush range without looping. +@@ -3050,16 +3050,19 @@ int remap_vmalloc_range(struct vm_area_s + EXPORT_SYMBOL(remap_vmalloc_range); + + /* +- * Implement a stub for vmalloc_sync_all() if the architecture chose not to +- * have one. ++ * Implement stubs for vmalloc_sync_[un]mappings () if the architecture chose ++ * not to have one. + * + * The purpose of this function is to make sure the vmalloc area + * mappings are identical in all page-tables in the system. + */ +-void __weak vmalloc_sync_all(void) ++void __weak vmalloc_sync_mappings(void) + { + } + ++void __weak vmalloc_sync_unmappings(void) ++{ ++} + + static int f(pte_t *pte, unsigned long addr, void *data) + { diff --git a/queue-5.4/xhci-do-not-open-code-__print_symbolic-in-xhci-trace-events.patch b/queue-5.4/xhci-do-not-open-code-__print_symbolic-in-xhci-trace-events.patch new file mode 100644 index 00000000000..34d618ea99b --- /dev/null +++ b/queue-5.4/xhci-do-not-open-code-__print_symbolic-in-xhci-trace-events.patch @@ -0,0 +1,69 @@ +From 045706bff837ee89c13f1ace173db71922c1c40b Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (VMware)" +Date: Fri, 6 Mar 2020 17:08:57 +0200 +Subject: xhci: Do not open code __print_symbolic() in xhci trace events + +From: Steven Rostedt (VMware) + +commit 045706bff837ee89c13f1ace173db71922c1c40b upstream. + +libtraceevent (used by perf and trace-cmd) failed to parse the +xhci_urb_dequeue trace event. This is because the user space trace +event format parsing is not a full C compiler. It can handle some basic +logic, but is not meant to be able to handle everything C can do. + +In cases where a trace event field needs to be converted from a number +to a string, there's the __print_symbolic() macro that should be used: + + See samples/trace_events/trace-events-sample.h + +Some xhci trace events open coded the __print_symbolic() causing the +user spaces tools to fail to parse it. This has to be replaced with +__print_symbolic() instead. + +CC: stable@vger.kernel.org +Reported-by: Tzvetomir Stoyanov +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=206531 +Fixes: 5abdc2e6e12ff ("usb: host: xhci: add urb_enqueue/dequeue/giveback tracers") +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20200306150858.21904-2-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci-trace.h | 23 ++++++----------------- + 1 file changed, 6 insertions(+), 17 deletions(-) + +--- a/drivers/usb/host/xhci-trace.h ++++ b/drivers/usb/host/xhci-trace.h +@@ -289,23 +289,12 @@ DECLARE_EVENT_CLASS(xhci_log_urb, + ), + TP_printk("ep%d%s-%s: urb %p pipe %u slot %d length %d/%d sgs %d/%d stream %d flags %08x", + __entry->epnum, __entry->dir_in ? "in" : "out", +- ({ char *s; +- switch (__entry->type) { +- case USB_ENDPOINT_XFER_INT: +- s = "intr"; +- break; +- case USB_ENDPOINT_XFER_CONTROL: +- s = "control"; +- break; +- case USB_ENDPOINT_XFER_BULK: +- s = "bulk"; +- break; +- case USB_ENDPOINT_XFER_ISOC: +- s = "isoc"; +- break; +- default: +- s = "UNKNOWN"; +- } s; }), __entry->urb, __entry->pipe, __entry->slot_id, ++ __print_symbolic(__entry->type, ++ { USB_ENDPOINT_XFER_INT, "intr" }, ++ { USB_ENDPOINT_XFER_CONTROL, "control" }, ++ { USB_ENDPOINT_XFER_BULK, "bulk" }, ++ { USB_ENDPOINT_XFER_ISOC, "isoc" }), ++ __entry->urb, __entry->pipe, __entry->slot_id, + __entry->actual, __entry->length, __entry->num_mapped_sgs, + __entry->num_sgs, __entry->stream, __entry->flags + ) -- 2.47.3