From e95e02c8032cb03913c75ed85946011d54e021c9 Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Sun, 4 Aug 2019 11:43:03 -0400
Subject: [PATCH] fixes for 4.4

Signed-off-by: Sasha Levin
---
 ...alse-positive-wuninitialized-warning.patch | 58 +++++++++
 ...-mark-that-the-rk3288-timer-might-st.patch | 48 +++++++
 queue-4.4/arm-riscpc-fix-dma.patch | 48 +++++++
 ...at-the-device-cannot-transmit-during.patch | 44 +++++++
 ...nimum-number-of-chunk-errors-for-dup.patch | 48 +++++++
 ...mproper-use-of-smp_mb__before_atomic.patch | 44 +++++++
 .../coda-add-error-handling-for-fget.patch | 50 +++++++
 ...fix-build-using-bare-metal-toolchain.patch | 48 +++++++
 ...mac-reject-zero-length-slave-dma-req.patch | 46 +++++++
 ...fs-adfs-super-fix-use-after-free-bug.patch | 45 +++++++
 ...y-perform-resource-calculation-if-us.patch | 103 +++++++++++++++
 ...only-return-eexist-for-modules-that-.patch | 74 +++++++++++
 .../mips-lantiq-fix-bitfield-masking.patch | 42 ++++++
 ...f-fixed-declaration-can-t-be-honored.patch | 68 ++++++++++
 ...c-compiler-warning-emitted-with-wmay.patch | 117 +++++++++++++++++
 queue-4.4/series | 19 +++
 ...psdev.h-move-upc_req-definition-from.patch | 106 +++++++++++++++
 ...lence-wtype-limits-compiler-warnings.patch | 74 +++++++++++
 ...-call-kvm_spurious_fault-from-.fixup.patch | 122 ++++++++++++++++++
 ...e-clang-warnings-for-16-bit-overflow.patch | 69 ++++++++++
 20 files changed, 1273 insertions(+)
 create mode 100644 queue-4.4/acpi-fix-false-positive-wuninitialized-warning.patch
 create mode 100644 queue-4.4/arm-dts-rockchip-mark-that-the-rk3288-timer-might-st.patch
 create mode 100644 queue-4.4/arm-riscpc-fix-dma.patch
 create mode 100644 queue-4.4/be2net-signal-that-the-device-cannot-transmit-during.patch
 create mode 100644 queue-4.4/btrfs-fix-minimum-number-of-chunk-errors-for-dup.patch
 create mode 100644 queue-4.4/ceph-fix-improper-use-of-smp_mb__before_atomic.patch
 create mode 100644 queue-4.4/coda-add-error-handling-for-fget.patch
 create mode 100644 queue-4.4/coda-fix-build-using-bare-metal-toolchain.patch
 create mode 100644 queue-4.4/dmaengine-rcar-dmac-reject-zero-length-slave-dma-req.patch
 create mode 100644 queue-4.4/fs-adfs-super-fix-use-after-free-bug.patch
 create mode 100644 queue-4.4/ipc-mqueue.c-only-perform-resource-calculation-if-us.patch
 create mode 100644 queue-4.4/kernel-module.c-only-return-eexist-for-modules-that-.patch
 create mode 100644 queue-4.4/mips-lantiq-fix-bitfield-masking.patch
 create mode 100644 queue-4.4/mm-cma.c-fail-if-fixed-declaration-can-t-be-honored.patch
 create mode 100644 queue-4.4/scsi-zfcp-fix-gcc-compiler-warning-emitted-with-wmay.patch
 create mode 100644 queue-4.4/series
 create mode 100644 queue-4.4/uapi-linux-coda_psdev.h-move-upc_req-definition-from.patch
 create mode 100644 queue-4.4/x86-apic-silence-wtype-limits-compiler-warnings.patch
 create mode 100644 queue-4.4/x86-kvm-don-t-call-kvm_spurious_fault-from-.fixup.patch
 create mode 100644 queue-4.4/x86-math-emu-hide-clang-warnings-for-16-bit-overflow.patch
diff --git a/queue-4.4/acpi-fix-false-positive-wuninitialized-warning.patch b/queue-4.4/acpi-fix-false-positive-wuninitialized-warning.patch
new file mode 100644
index 00000000000..1362d5666ee
--- /dev/null
+++ b/queue-4.4/acpi-fix-false-positive-wuninitialized-warning.patch
@@ -0,0 +1,58 @@
+From dfbc595f204165225c2720eb0adde0820f6ef26f Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann
+Date: Fri, 12 Jul 2019 11:01:21 +0200
+Subject: ACPI: fix false-positive -Wuninitialized warning
+
+[ Upstream commit dfd6f9ad36368b8dbd5f5a2b2f0a4705ae69a323 ]
+
+clang gets confused by an uninitialized variable in what looks
+to it like a never executed code path:
+
+arch/x86/kernel/acpi/boot.c:618:13: error: variable 'polarity' is uninitialized when used here [-Werror,-Wuninitialized]
+ polarity = polarity ? ACPI_ACTIVE_LOW : ACPI_ACTIVE_HIGH;
+ ^~~~~~~~
+arch/x86/kernel/acpi/boot.c:606:32: note: initialize the variable 'polarity' to silence this warning
+ int rc, irq, trigger, polarity;
+ ^
+ = 0
+arch/x86/kernel/acpi/boot.c:617:12: error: variable 'trigger' is uninitialized when used here [-Werror,-Wuninitialized]
+ trigger = trigger ? ACPI_LEVEL_SENSITIVE : ACPI_EDGE_SENSITIVE;
+ ^~~~~~~
+arch/x86/kernel/acpi/boot.c:606:22: note: initialize the variable 'trigger' to silence this warning
+ int rc, irq, trigger, polarity;
+ ^
+ = 0
+
+This is unfortunately a design decision in clang and won't be fixed.
+
+Changing the acpi_get_override_irq() macro to an inline function
+reliably avoids the issue.
+
+Signed-off-by: Arnd Bergmann
+Reviewed-by: Andy Shevchenko
+Reviewed-by: Nathan Chancellor
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+---
+ include/linux/acpi.h | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/include/linux/acpi.h b/include/linux/acpi.h
+index 3672893b275ed..6a30f1e03aa9e 100644
+--- a/include/linux/acpi.h
++++ b/include/linux/acpi.h
+@@ -226,7 +226,10 @@ void acpi_set_irq_model(enum acpi_irq_model_id model,
+ #ifdef CONFIG_X86_IO_APIC
+ extern int acpi_get_override_irq(u32 gsi, int *trigger, int *polarity);
+ #else
+-#define acpi_get_override_irq(gsi, trigger, polarity) (-1)
++static inline int acpi_get_override_irq(u32 gsi, int *trigger, int *polarity)
++{
++ return -1;
++}
+ #endif
+ /*
+ * This function undoes the effect of one call to acpi_register_gsi().
+--
+2.20.1
+
diff --git a/queue-4.4/arm-dts-rockchip-mark-that-the-rk3288-timer-might-st.patch b/queue-4.4/arm-dts-rockchip-mark-that-the-rk3288-timer-might-st.patch
new file mode 100644
index 00000000000..eebe5d7e05e
--- /dev/null
+++ b/queue-4.4/arm-dts-rockchip-mark-that-the-rk3288-timer-might-st.patch
@@ -0,0 +1,48 @@
+From 4c804b609870f1364b92c031a9c17a5ba81b8bb6 Mon Sep 17 00:00:00 2001
+From: Douglas Anderson
+Date: Tue, 21 May 2019 16:49:33 -0700
+Subject: ARM: dts: rockchip: Mark that the rk3288 timer might stop in suspend
+
+[ Upstream commit 8ef1ba39a9fa53d2205e633bc9b21840a275908e ]
+
+This is similar to commit e6186820a745 ("arm64: dts: rockchip: Arch
+counter doesn't tick in system suspend"). Specifically on the rk3288
+it can be seen that the timer stops ticking in suspend if we end up
+running through the "osc_disable" path in rk3288_slp_mode_set(). In
+that path the 24 MHz clock will turn off and the timer stops.
+
+To test this, I ran this on a Chrome OS filesystem:
+ before=$(date); \
+ suspend_stress_test -c1 --suspend_min=30 --suspend_max=31; \
+ echo ${before}; date
+
+...and I found that unless I plug in a device that requests USB wakeup
+to be active that the two calls to "date" would show that fewer than
+30 seconds passed.
+
+NOTE: deep suspend (where the 24 MHz clock gets disabled) isn't
+supported yet on upstream Linux so this was tested on a downstream
+kernel.
+
+Signed-off-by: Douglas Anderson
+Signed-off-by: Heiko Stuebner
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/rk3288.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm/boot/dts/rk3288.dtsi b/arch/arm/boot/dts/rk3288.dtsi
+index 04ea209f1737f..98abb053b7daf 100644
+--- a/arch/arm/boot/dts/rk3288.dtsi
++++ b/arch/arm/boot/dts/rk3288.dtsi
+@@ -205,6 +205,7 @@
+ ,
+ ;
+ clock-frequency = <24000000>;
++ arm,no-tick-in-suspend;
+ };
+
+ timer: timer@ff810000 {
+--
+2.20.1
+
diff --git a/queue-4.4/arm-riscpc-fix-dma.patch b/queue-4.4/arm-riscpc-fix-dma.patch
new file mode 100644
index 00000000000..db5008e09ce
--- /dev/null
+++ b/queue-4.4/arm-riscpc-fix-dma.patch
@@ -0,0 +1,48 @@
+From 600ac51223a6816962f502f514f4520d38161902 Mon Sep 17 00:00:00 2001
+From: Russell King
+Date: Thu, 2 May 2019 17:19:18 +0100
+Subject: ARM: riscpc: fix DMA
+
+[ Upstream commit ffd9a1ba9fdb7f2bd1d1ad9b9243d34e96756ba2 ]
+
+DMA got broken a while back in two different ways:
+1) a change in the behaviour of disable_irq() to wait for the interrupt
+ to finish executing causes us to deadlock at the end of DMA.
+2) a change to avoid modifying the scatterlist left the first transfer
+ uninitialised.
+
+DMA is only used with expansion cards, so has gone unnoticed.
+
+Fixes: fa4e99899932 ("[ARM] dma: RiscPC: don't modify DMA SG entries")
+Signed-off-by: Russell King
+Signed-off-by: Sasha Levin
+---
+ arch/arm/mach-rpc/dma.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm/mach-rpc/dma.c b/arch/arm/mach-rpc/dma.c
+index 6d3517dc4772a..82aac38fa2cff 100644
+--- a/arch/arm/mach-rpc/dma.c
++++ b/arch/arm/mach-rpc/dma.c
+@@ -131,7 +131,7 @@ static irqreturn_t iomd_dma_handle(int irq, void *dev_id)
+ } while (1);
+
+ idma->state = ~DMA_ST_AB;
+- disable_irq(irq);
++ disable_irq_nosync(irq);
+
+ return IRQ_HANDLED;
+ }
+@@ -174,6 +174,9 @@ static void iomd_enable_dma(unsigned int chan, dma_t *dma)
+ DMA_FROM_DEVICE : DMA_TO_DEVICE);
+ }
+
++ idma->dma_addr = idma->dma.sg->dma_address;
++ idma->dma_len = idma->dma.sg->length;
++
+ iomd_writeb(DMA_CR_C, dma_base + CR);
+ idma->state = DMA_ST_AB;
+ }
+--
+2.20.1
+
diff --git a/queue-4.4/be2net-signal-that-the-device-cannot-transmit-during.patch b/queue-4.4/be2net-signal-that-the-device-cannot-transmit-during.patch
new file mode 100644
index 00000000000..d4e61a3af12
--- /dev/null
+++ b/queue-4.4/be2net-signal-that-the-device-cannot-transmit-during.patch
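Review bot: The switch to `disable_irq_nosync(irq)` in iomd_dma_handle() carries no comment, and the reason for it lives only in the commit message: the call is made from this interrupt's own handler, where disable_irq() waits for the handler to finish. A one-line comment would keep a later cleanup from reverting it, for example `/* we are the handler for this irq: disable_irq() would wait for ourselves */`. In iomd_enable_dma() the two added assignments dereference `idma->dma.sg` unconditionally; the hunk does not show where sg is set up, so it is worth confirming that it is always non-NULL when this point is reached. Both function bodies start outside their hunks.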
@@ -0,0 +1,44 @@
+From 1c03bb0fc4e0c06773a639b4de35cdf69a01d00a Mon Sep 17 00:00:00 2001
+From: Benjamin Poirier
+Date: Tue, 16 Jul 2019 17:16:55 +0900
+Subject: be2net: Signal that the device cannot transmit during reconfiguration
+
+[ Upstream commit 7429c6c0d9cb086d8e79f0d2a48ae14851d2115e ]
+
+While changing the number of interrupt channels, be2net stops adapter
+operation (including netif_tx_disable()) but it doesn't signal that it
+cannot transmit. This may lead dev_watchdog() to falsely trigger during
+that time.
+
+Add the missing call to netif_carrier_off(), following the pattern used in
+many other drivers. netif_carrier_on() is already taken care of in
+be_open().
+
+Signed-off-by: Benjamin Poirier
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/emulex/benet/be_main.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c
+index 26255862d1cfc..7524a33b7032c 100644
+--- a/drivers/net/ethernet/emulex/benet/be_main.c
++++ b/drivers/net/ethernet/emulex/benet/be_main.c
+@@ -4307,8 +4307,12 @@ int be_update_queues(struct be_adapter *adapter)
+ struct net_device *netdev = adapter->netdev;
+ int status;
+
+- if (netif_running(netdev))
++ if (netif_running(netdev)) {
++ /* device cannot transmit now, avoid dev_watchdog timeouts */
++ netif_carrier_off(netdev);
++
+ be_close(netdev);
++ }
+
+ be_cancel_worker(adapter);
+
+--
+2.20.1
+
diff --git a/queue-4.4/btrfs-fix-minimum-number-of-chunk-errors-for-dup.patch b/queue-4.4/btrfs-fix-minimum-number-of-chunk-errors-for-dup.patch
new file mode 100644
index 00000000000..b5e71c56d92
--- /dev/null
+++ b/queue-4.4/btrfs-fix-minimum-number-of-chunk-errors-for-dup.patch
@@ -0,0 +1,48 @@
+From 445b1e2fbd15d3e71b837c247c76fc3704cbc03c Mon Sep 17 00:00:00 2001
+From: David Sterba
+Date: Fri, 17 May 2019 11:43:13 +0200
+Subject: btrfs: fix minimum number of chunk errors for DUP
+
+[ Upstream commit 0ee5f8ae082e1f675a2fb6db601c31ac9958a134 ]
+
+The list of profiles in btrfs_chunk_max_errors lists DUP as a profile
+DUP able to tolerate 1 device missing. Though this profile is special
+with 2 copies, it still needs the device, unlike the others.
+
+Looking at the history of changes, thre's no clear reason why DUP is
+there, functions were refactored and blocks of code merged to one
+helper.
+
+d20983b40e828 Btrfs: fix writing data into the seed filesystem
+ - factor code to a helper
+
+de11cc12df173 Btrfs: don't pre-allocate btrfs bio
+ - unrelated change, DUP still in the list with max errors 1
+
+a236aed14ccb0 Btrfs: Deal with failed writes in mirrored configurations
+ - introduced the max errors, leaves DUP and RAID1 in the same group
+
+Reviewed-by: Qu Wenruo
+Signed-off-by: David Sterba
+Signed-off-by: Sasha Levin
+---
+ fs/btrfs/volumes.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
+index 4eb7a6ba7e470..55ce6543050d9 100644
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -4942,8 +4942,7 @@ static inline int btrfs_chunk_max_errors(struct map_lookup *map)
+
+ if (map->type & (BTRFS_BLOCK_GROUP_RAID1 |
+ BTRFS_BLOCK_GROUP_RAID10 |
+- BTRFS_BLOCK_GROUP_RAID5 |
+- BTRFS_BLOCK_GROUP_DUP)) {
++ BTRFS_BLOCK_GROUP_RAID5)) {
+ max_errors = 1;
+ } else if (map->type & BTRFS_BLOCK_GROUP_RAID6) {
+ max_errors = 2;
+--
+2.20.1
+
diff --git a/queue-4.4/ceph-fix-improper-use-of-smp_mb__before_atomic.patch b/queue-4.4/ceph-fix-improper-use-of-smp_mb__before_atomic.patch
new file mode 100644
index 00000000000..3224792821e
--- /dev/null
+++ b/queue-4.4/ceph-fix-improper-use-of-smp_mb__before_atomic.patch
@@ -0,0 +1,44 @@
+From 58c6973954a8e028aae652948ac5db7e475338d0 Mon Sep 17 00:00:00 2001
+From: Andrea Parri
+Date: Mon, 20 May 2019 19:23:58 +0200
+Subject: ceph: fix improper use of smp_mb__before_atomic()
+
+[ Upstream commit 749607731e26dfb2558118038c40e9c0c80d23b5 ]
+
+This barrier only applies to the read-modify-write operations; in
+particular, it does not apply to the atomic64_set() primitive.
+
+Replace the barrier with an smp_mb().
+
+Fixes: fdd4e15838e59 ("ceph: rework dcache readdir")
+Reported-by: "Paul E. McKenney"
+Reported-by: Peter Zijlstra
+Signed-off-by: Andrea Parri
+Reviewed-by: "Yan, Zheng"
+Signed-off-by: Ilya Dryomov
+Signed-off-by: Sasha Levin
+---
+ fs/ceph/super.h | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ceph/super.h b/fs/ceph/super.h
+index 8c8cb8fe3d32f..5d05c77c158d4 100644
+--- a/fs/ceph/super.h
++++ b/fs/ceph/super.h
+@@ -474,7 +474,12 @@ static inline void __ceph_dir_set_complete(struct ceph_inode_info *ci,
+ long long release_count,
+ long long ordered_count)
+ {
+- smp_mb__before_atomic();
++ /*
++ * Makes sure operations that setup readdir cache (update page
++ * cache and i_size) are strongly ordered w.r.t. the following
++ * atomic64_set() operations.
++ */
++ smp_mb();
+ atomic64_set(&ci->i_complete_seq[0], release_count);
+ atomic64_set(&ci->i_complete_seq[1], ordered_count);
+ }
+--
+2.20.1
+
diff --git a/queue-4.4/coda-add-error-handling-for-fget.patch b/queue-4.4/coda-add-error-handling-for-fget.patch
new file mode 100644
index 00000000000..9e4f7e9f071
--- /dev/null
+++ b/queue-4.4/coda-add-error-handling-for-fget.patch
@@ -0,0 +1,50 @@
+From 1d7234fbd08fb11e2963dd35db56533036d68f94 Mon Sep 17 00:00:00 2001
+From: Zhouyang Jia
+Date: Tue, 16 Jul 2019 16:28:13 -0700
+Subject: coda: add error handling for fget
+
+[ Upstream commit 02551c23bcd85f0c68a8259c7b953d49d44f86af ]
+
+When fget fails, the lack of error-handling code may cause unexpected
+results.
+
+This patch adds error-handling code after calling fget.
+
+Link: http://lkml.kernel.org/r/2514ec03df9c33b86e56748513267a80dd8004d9.1558117389.git.jaharkes@cs.cmu.edu
+Signed-off-by: Zhouyang Jia
+Signed-off-by: Jan Harkes
+Cc: Arnd Bergmann
+Cc: Colin Ian King
+Cc: Dan Carpenter
+Cc: David Howells
+Cc: Fabian Frederick
+Cc: Mikko Rapeli
+Cc: Sam Protsenko
+Cc: Yann Droneaud
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ fs/coda/psdev.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/fs/coda/psdev.c b/fs/coda/psdev.c
+index 822629126e89f..ff9b5cf8ff016 100644
+--- a/fs/coda/psdev.c
++++ b/fs/coda/psdev.c
+@@ -187,8 +187,11 @@ static ssize_t coda_psdev_write(struct file *file, const char __user *buf,
+ if (req->uc_opcode == CODA_OPEN_BY_FD) {
+ struct coda_open_by_fd_out *outp =
+ (struct coda_open_by_fd_out *)req->uc_data;
+- if (!outp->oh.result)
++ if (!outp->oh.result) {
+ outp->fh = fget(outp->fd);
++ if (!outp->fh)
++ return -EBADF;
++ }
+ }
+
+ wake_up(&req->uc_sleep);
+--
+2.20.1
+
diff --git a/queue-4.4/coda-fix-build-using-bare-metal-toolchain.patch b/queue-4.4/coda-fix-build-using-bare-metal-toolchain.patch
new file mode 100644
index 00000000000..68c574f2995
--- /dev/null
+++ b/queue-4.4/coda-fix-build-using-bare-metal-toolchain.patch
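Review bot: The new `return -EBADF;` in coda_psdev_write() leaves the function before the `wake_up(&req->uc_sleep);` that follows this block, so when fget() fails on a descriptor number taken from the reply written to the device, the thread sleeping on that request is not woken by this write. Whether req has already been unlinked from its queue is outside the hunk, but if it has, the sleeper can only get out through its own timeout or a signal, and the request's lifetime on that path should be checked. The failure is better delivered to the waiter than only to the writer: record it in the reply and fall through to the wake-up, along the lines of `if (!outp->fh) outp->oh.result = EBADF;`, with the sign convention confirmed against the code that consumes oh.result, which is not visible here. The body of coda_psdev_write() starts and ends outside the hunk.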
@@ -0,0 +1,48 @@
+From 7e3efaab4b76a0bb629a5614092f9e62d4e93f9d Mon Sep 17 00:00:00 2001
+From: Sam Protsenko
+Date: Tue, 16 Jul 2019 16:28:20 -0700
+Subject: coda: fix build using bare-metal toolchain
+
+[ Upstream commit b2a57e334086602be56b74958d9f29b955cd157f ]
+
+The kernel is self-contained project and can be built with bare-metal
+toolchain. But bare-metal toolchain doesn't define __linux__. Because
+of this u_quad_t type is not defined when using bare-metal toolchain and
+codafs build fails. This patch fixes it by defining u_quad_t type
+unconditionally.
+
+Link: http://lkml.kernel.org/r/3cbb40b0a57b6f9923a9d67b53473c0b691a3eaa.1558117389.git.jaharkes@cs.cmu.edu
+Signed-off-by: Sam Protsenko
+Signed-off-by: Jan Harkes
+Cc: Arnd Bergmann
+Cc: Colin Ian King
+Cc: Dan Carpenter
+Cc: David Howells
+Cc: Fabian Frederick
+Cc: Mikko Rapeli
+Cc: Yann Droneaud
+Cc: Zhouyang Jia
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ include/linux/coda.h | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/include/linux/coda.h b/include/linux/coda.h
+index d30209b9cef81..0ca0c83fdb1c4 100644
+--- a/include/linux/coda.h
++++ b/include/linux/coda.h
+@@ -58,8 +58,7 @@ Mellon the rights to redistribute these changes without encumbrance.
+ #ifndef _CODA_HEADER_
+ #define _CODA_HEADER_
+
+-#if defined(__linux__)
+ typedef unsigned long long u_quad_t;
+-#endif
++
+ #include
+ #endif
+--
+2.20.1
+
diff --git a/queue-4.4/dmaengine-rcar-dmac-reject-zero-length-slave-dma-req.patch b/queue-4.4/dmaengine-rcar-dmac-reject-zero-length-slave-dma-req.patch
new file mode 100644
index 00000000000..d1a26541fe0
--- /dev/null
+++ b/queue-4.4/dmaengine-rcar-dmac-reject-zero-length-slave-dma-req.patch
@@ -0,0 +1,46 @@
+From df4c51f01bf778b12bed70fb28b6cc55e63f6325 Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven
+Date: Mon, 24 Jun 2019 14:38:18 +0200
+Subject: dmaengine: rcar-dmac: Reject zero-length slave DMA requests
+
+[ Upstream commit 78efb76ab4dfb8f74f290ae743f34162cd627f19 ]
+
+While the .device_prep_slave_sg() callback rejects empty scatterlists,
+it still accepts single-entry scatterlists with a zero-length segment.
+These may happen if a driver calls dmaengine_prep_slave_single() with a
+zero len parameter. The corresponding DMA request will never complete,
+leading to messages like:
+
+ rcar-dmac e7300000.dma-controller: Channel Address Error happen
+
+and DMA timeouts.
+
+Although requesting a zero-length DMA request is a driver bug, rejecting
+it early eases debugging. Note that the .device_prep_dma_memcpy()
+callback already rejects requests to copy zero bytes.
+
+Reported-by: Eugeniu Rosca
+Analyzed-by: Yoshihiro Shimoda
+Signed-off-by: Geert Uytterhoeven
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+---
+ drivers/dma/sh/rcar-dmac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/dma/sh/rcar-dmac.c b/drivers/dma/sh/rcar-dmac.c
+index 2b36d1c63aa5f..956189a1ba81c 100644
+--- a/drivers/dma/sh/rcar-dmac.c
++++ b/drivers/dma/sh/rcar-dmac.c
+@@ -1030,7 +1030,7 @@ rcar_dmac_prep_slave_sg(struct dma_chan *chan, struct scatterlist *sgl,
+ dma_addr_t dev_addr;
+
+ /* Someone calling slave DMA on a generic channel? */
+- if (rchan->mid_rid < 0 || !sg_len) {
++ if (rchan->mid_rid < 0 || !sg_len || !sg_dma_len(sgl)) {
+ dev_warn(chan->device->dev,
+ "%s: bad parameter: len=%d, id=%d\n",
+ __func__, sg_len, rchan->mid_rid);
+--
+2.20.1
+
diff --git a/queue-4.4/fs-adfs-super-fix-use-after-free-bug.patch b/queue-4.4/fs-adfs-super-fix-use-after-free-bug.patch
new file mode 100644
index 00000000000..b55e649070b
--- /dev/null
+++ b/queue-4.4/fs-adfs-super-fix-use-after-free-bug.patch
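Review bot: The added `!sg_dma_len(sgl)` test in rcar_dmac_prep_slave_sg() looks only at the first scatterlist entry, so a list with sg_len greater than one whose later segment has zero length still passes this guard; whether the code further down copes with that is outside the hunk. The dev_warn() that follows still prints only sg_len and mid_rid, so a request rejected for a zero-length first segment logs parameters that look valid. Extending the message would make the rejection self-explanatory, e.g. `"%s: bad parameter: len=%d, id=%d, sg0_len=%u\n"` with `sg_len ? sg_dma_len(sgl) : 0` as the extra argument, the guard being there because sgl may not be usable when sg_len is zero. The function body continues past the end of the hunk.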
@@ -0,0 +1,45 @@
+From 72cfaef0fbab3e052adbce1941dc946c73ab196b Mon Sep 17 00:00:00 2001
+From: Russell King
+Date: Tue, 4 Jun 2019 14:50:14 +0100
+Subject: fs/adfs: super: fix use-after-free bug
+
+[ Upstream commit 5808b14a1f52554de612fee85ef517199855e310 ]
+
+Fix a use-after-free bug during filesystem initialisation, where we
+access the disc record (which is stored in a buffer) after we have
+released the buffer.
+
+Signed-off-by: Russell King
+Signed-off-by: Al Viro
+Signed-off-by: Sasha Levin
+---
+ fs/adfs/super.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/fs/adfs/super.c b/fs/adfs/super.c
+index 4d4a0df8344fe..b00ae922ece27 100644
+--- a/fs/adfs/super.c
++++ b/fs/adfs/super.c
+@@ -368,6 +368,7 @@ static int adfs_fill_super(struct super_block *sb, void *data, int silent)
+ struct buffer_head *bh;
+ struct object_info root_obj;
+ unsigned char *b_data;
++ unsigned int blocksize;
+ struct adfs_sb_info *asb;
+ struct inode *root;
+ int ret = -EINVAL;
+@@ -419,8 +420,10 @@ static int adfs_fill_super(struct super_block *sb, void *data, int silent)
+ goto error_free_bh;
+ }
+
++ blocksize = 1 << dr->log2secsize;
+ brelse(bh);
+- if (sb_set_blocksize(sb, 1 << dr->log2secsize)) {
++
++ if (sb_set_blocksize(sb, blocksize)) {
+ bh = sb_bread(sb, ADFS_DISCRECORD / sb->s_blocksize);
+ if (!bh) {
+ adfs_error(sb, "couldn't read superblock on "
+--
+2.20.1
+
diff --git a/queue-4.4/ipc-mqueue.c-only-perform-resource-calculation-if-us.patch b/queue-4.4/ipc-mqueue.c-only-perform-resource-calculation-if-us.patch
new file mode 100644
index 00000000000..3f6ceb8892d
--- /dev/null
+++ b/queue-4.4/ipc-mqueue.c-only-perform-resource-calculation-if-us.patch
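Review bot: `blocksize = 1 << dr->log2secsize;` shifts by a value read from the on-disk disc record, and nothing in this hunk bounds it. If adfs_fill_super() does not range-check log2secsize earlier (not visible here), a malformed image can ask for a shift of 31 or more on a signed int, which is undefined behaviour, or produce a block size that sb_set_blocksize() then has to reject. Since the value is now captured while bh is still held, this is the natural place to validate it: reject out-of-range values with a jump to the existing `error_free_bh` label before the shift, and shift an unsigned constant, `blocksize = 1U << dr->log2secsize;`. The accepted range should come from the ADFS format limits, which this page does not state.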
@@ -0,0 +1,103 @@
+From 0fa36513d45ef833121042430a76e42b4eff1f2f Mon Sep 17 00:00:00 2001
+From: Kees Cook
+Date: Tue, 16 Jul 2019 16:30:21 -0700
+Subject: ipc/mqueue.c: only perform resource calculation if user valid
+
+[ Upstream commit a318f12ed8843cfac53198390c74a565c632f417 ]
+
+Andreas Christoforou reported:
+
+ UBSAN: Undefined behaviour in ipc/mqueue.c:414:49 signed integer overflow:
+ 9 * 2305843009213693951 cannot be represented in type 'long int'
+ ...
+ Call Trace:
+ mqueue_evict_inode+0x8e7/0xa10 ipc/mqueue.c:414
+ evict+0x472/0x8c0 fs/inode.c:558
+ iput_final fs/inode.c:1547 [inline]
+ iput+0x51d/0x8c0 fs/inode.c:1573
+ mqueue_get_inode+0x8eb/0x1070 ipc/mqueue.c:320
+ mqueue_create_attr+0x198/0x440 ipc/mqueue.c:459
+ vfs_mkobj+0x39e/0x580 fs/namei.c:2892
+ prepare_open ipc/mqueue.c:731 [inline]
+ do_mq_open+0x6da/0x8e0 ipc/mqueue.c:771
+
+Which could be triggered by:
+
+ struct mq_attr attr = {
+ .mq_flags = 0,
+ .mq_maxmsg = 9,
+ .mq_msgsize = 0x1fffffffffffffff,
+ .mq_curmsgs = 0,
+ };
+
+ if (mq_open("/testing", 0x40, 3, &attr) == (mqd_t) -1)
+ perror("mq_open");
+
+mqueue_get_inode() was correctly rejecting the giant mq_msgsize, and
+preparing to return -EINVAL. During the cleanup, it calls
+mqueue_evict_inode() which performed resource usage tracking math for
+updating "user", before checking if there was a valid "user" at all
+(which would indicate that the calculations would be sane). Instead,
+delay this check to after seeing a valid "user".
+
+The overflow was real, but the results went unused, so while the flaw is
+harmless, it's noisy for kernel fuzzers, so just fix it by moving the
+calculation under the non-NULL "user" where it actually gets used.
+
+Link: http://lkml.kernel.org/r/201906072207.ECB65450@keescook
+Signed-off-by: Kees Cook
+Reported-by: Andreas Christoforou
+Acked-by: "Eric W. Biederman"
+Cc: Al Viro
+Cc: Arnd Bergmann
+Cc: Davidlohr Bueso
+Cc: Manfred Spraul
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ ipc/mqueue.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/ipc/mqueue.c b/ipc/mqueue.c
+index 6ed74825ab542..2a39784d57044 100644
+--- a/ipc/mqueue.c
++++ b/ipc/mqueue.c
+@@ -371,7 +371,6 @@ static void mqueue_evict_inode(struct inode *inode)
+ {
+ struct mqueue_inode_info *info;
+ struct user_struct *user;
+- unsigned long mq_bytes, mq_treesize;
+ struct ipc_namespace *ipc_ns;
+ struct msg_msg *msg, *nmsg;
+ LIST_HEAD(tmp_msg);
+@@ -394,16 +393,18 @@ static void mqueue_evict_inode(struct inode *inode)
+ free_msg(msg);
+ }
+
+- /* Total amount of bytes accounted for the mqueue */
+- mq_treesize = info->attr.mq_maxmsg * sizeof(struct msg_msg) +
+- min_t(unsigned int, info->attr.mq_maxmsg, MQ_PRIO_MAX) *
+- sizeof(struct posix_msg_tree_node);
+-
+- mq_bytes = mq_treesize + (info->attr.mq_maxmsg *
+- info->attr.mq_msgsize);
+-
+ user = info->user;
+ if (user) {
++ unsigned long mq_bytes, mq_treesize;
++
++ /* Total amount of bytes accounted for the mqueue */
++ mq_treesize = info->attr.mq_maxmsg * sizeof(struct msg_msg) +
++ min_t(unsigned int, info->attr.mq_maxmsg, MQ_PRIO_MAX) *
++ sizeof(struct posix_msg_tree_node);
++
++ mq_bytes = mq_treesize + (info->attr.mq_maxmsg *
++ info->attr.mq_msgsize);
++
+ spin_lock(&mq_lock);
+ user->mq_bytes -= mq_bytes;
+ /*
+--
+2.20.1
+
diff --git a/queue-4.4/kernel-module.c-only-return-eexist-for-modules-that-.patch b/queue-4.4/kernel-module.c-only-return-eexist-for-modules-that-.patch
new file mode 100644
index 00000000000..e5cb66c9de9
--- /dev/null
+++ b/queue-4.4/kernel-module.c-only-return-eexist-for-modules-that-.patch
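Review bot: The relocated computation in mqueue_evict_inode() still multiplies `info->attr.mq_maxmsg * info->attr.mq_msgsize` in the signed type the UBSAN report in the description names ('long int'), so it is overflow-free only because a non-NULL info->user is taken to mean the attributes passed validation at creation. That invariant is stated in the commit message but not in the code, where the block now reads as ordinary accounting. A comment above the new declarations would record it, e.g. `/* info->user is only set once mq_maxmsg/mq_msgsize were validated, so this cannot overflow */`, worded to match what mqueue_get_inode() really guarantees, which is not visible in this hunk. The amount subtracted from user->mq_bytes must also stay identical to the amount charged at creation, so any later change to one formula needs the other updated with it.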
@@ -0,0 +1,74 @@
+From aab1afeacf07663f3b3c17ed917a17628029ee9a Mon Sep 17 00:00:00 2001
+From: Prarit Bhargava
+Date: Wed, 29 May 2019 07:26:25 -0400
+Subject: kernel/module.c: Only return -EEXIST for modules that have finished
+ loading
+
+[ Upstream commit 6e6de3dee51a439f76eb73c22ae2ffd2c9384712 ]
+
+Microsoft HyperV disables the X86_FEATURE_SMCA bit on AMD systems, and
+linux guests boot with repeated errors:
+
+amd64_edac_mod: Unknown symbol amd_unregister_ecc_decoder (err -2)
+amd64_edac_mod: Unknown symbol amd_register_ecc_decoder (err -2)
+amd64_edac_mod: Unknown symbol amd_report_gart_errors (err -2)
+amd64_edac_mod: Unknown symbol amd_unregister_ecc_decoder (err -2)
+amd64_edac_mod: Unknown symbol amd_register_ecc_decoder (err -2)
+amd64_edac_mod: Unknown symbol amd_report_gart_errors (err -2)
+
+The warnings occur because the module code erroneously returns -EEXIST
+for modules that have failed to load and are in the process of being
+removed from the module list.
+
+module amd64_edac_mod has a dependency on module edac_mce_amd. Using
+modules.dep, systemd will load edac_mce_amd for every request of
+amd64_edac_mod. When the edac_mce_amd module loads, the module has
+state MODULE_STATE_UNFORMED and once the module load fails and the state
+becomes MODULE_STATE_GOING. Another request for edac_mce_amd module
+executes and add_unformed_module() will erroneously return -EEXIST even
+though the previous instance of edac_mce_amd has MODULE_STATE_GOING.
+Upon receiving -EEXIST, systemd attempts to load amd64_edac_mod, which
+fails because of unknown symbols from edac_mce_amd.
+
+add_unformed_module() must wait to return for any case other than
+MODULE_STATE_LIVE to prevent a race between multiple loads of
+dependent modules.
+
+Signed-off-by: Prarit Bhargava
+Signed-off-by: Barret Rhoden
+Cc: David Arcari
+Cc: Jessica Yu
+Cc: Heiko Carstens
+Signed-off-by: Jessica Yu
+Signed-off-by: Sasha Levin
+---
+ kernel/module.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/module.c b/kernel/module.c
+index bcc78f4c15e9e..b940b2825b7b3 100644
+--- a/kernel/module.c
++++ b/kernel/module.c
+@@ -3225,8 +3225,7 @@ static bool finished_loading(const char *name)
+ sched_annotate_sleep();
+ mutex_lock(&module_mutex);
+ mod = find_module_all(name, strlen(name), true);
+- ret = !mod || mod->state == MODULE_STATE_LIVE
+- || mod->state == MODULE_STATE_GOING;
++ ret = !mod || mod->state == MODULE_STATE_LIVE;
+ mutex_unlock(&module_mutex);
+
+ return ret;
+@@ -3385,8 +3384,7 @@ again:
+ mutex_lock(&module_mutex);
+ old = find_module_all(mod->name, strlen(mod->name), true);
+ if (old != NULL) {
+- if (old->state == MODULE_STATE_COMING
+- || old->state == MODULE_STATE_UNFORMED) {
++ if (old->state != MODULE_STATE_LIVE) {
+ /* Wait in case it fails to load. */
+ mutex_unlock(&module_mutex);
+ err = wait_event_interruptible(module_wq,
+--
+2.20.1
+
diff --git a/queue-4.4/mips-lantiq-fix-bitfield-masking.patch b/queue-4.4/mips-lantiq-fix-bitfield-masking.patch
new file mode 100644
index 00000000000..772e9e309fe
--- /dev/null
+++ b/queue-4.4/mips-lantiq-fix-bitfield-masking.patch
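Review bot: With MODULE_STATE_GOING dropped from finished_loading() and the second hunk now sleeping on every non-LIVE state, a loader that finds a GOING module waits in `wait_event_interruptible(module_wq, ...)` until that module has been unlinked and module_wq has been woken. Neither the unlink nor the wake-up is visible in these hunks, so for this 4.4 backport it should be confirmed that both the unload path and the failed-load path wake module_wq after removing the entry; if either does not, concurrent loads of the same module name stay blocked until a signal arrives. The existing comment "Wait in case it fails to load." no longer describes the GOING case, and could become `/* UNFORMED, COMING and GOING all wait; relies on module_wq being woken once a GOING module is gone */`. Both function bodies extend beyond their hunks.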
@@ -0,0 +1,42 @@
+From 6ce6aaa085d83a36c7ef68a7f6116e80bbcd9519 Mon Sep 17 00:00:00 2001
+From: Petr Cvek
+Date: Thu, 20 Jun 2019 23:39:37 +0200
+Subject: MIPS: lantiq: Fix bitfield masking
+
+[ Upstream commit ba1bc0fcdeaf3bf583c1517bd2e3e29cf223c969 ]
+
+The modification of EXIN register doesn't clean the bitfield before
+the writing of a new value. After a few modifications the bitfield would
+accumulate only '1's.
+
+Signed-off-by: Petr Cvek
+Signed-off-by: Paul Burton
+Cc: hauke@hauke-m.de
+Cc: john@phrozen.org
+Cc: linux-mips@vger.kernel.org
+Cc: openwrt-devel@lists.openwrt.org
+Cc: pakahmar@hotmail.com
+Signed-off-by: Sasha Levin
+---
+ arch/mips/lantiq/irq.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/arch/mips/lantiq/irq.c b/arch/mips/lantiq/irq.c
+index 2e7f60c9fc5df..a7057a06c0961 100644
+--- a/arch/mips/lantiq/irq.c
++++ b/arch/mips/lantiq/irq.c
+@@ -160,8 +160,9 @@ static int ltq_eiu_settype(struct irq_data *d, unsigned int type)
+ if (edge)
+ irq_set_handler(d->hwirq, handle_edge_irq);
+
+- ltq_eiu_w32(ltq_eiu_r32(LTQ_EIU_EXIN_C) |
+- (val << (i * 4)), LTQ_EIU_EXIN_C);
++ ltq_eiu_w32((ltq_eiu_r32(LTQ_EIU_EXIN_C) &
++ (~(7 << (i * 4)))) | (val << (i * 4)),
++ LTQ_EIU_EXIN_C);
+ }
+ }
+
+--
+2.20.1
+
diff --git a/queue-4.4/mm-cma.c-fail-if-fixed-declaration-can-t-be-honored.patch b/queue-4.4/mm-cma.c-fail-if-fixed-declaration-can-t-be-honored.patch
new file mode 100644
index 00000000000..2c1ecae33af
--- /dev/null
+++ b/queue-4.4/mm-cma.c-fail-if-fixed-declaration-can-t-be-honored.patch
@@ -0,0 +1,68 @@
+From 587e84d88a2d76e986ca3e28c8e0b69648509f1c Mon Sep 17 00:00:00 2001
+From: Doug Berger
+Date: Tue, 16 Jul 2019 16:26:24 -0700
+Subject: mm/cma.c: fail if fixed declaration can't be honored
+
+[ Upstream commit c633324e311243586675e732249339685e5d6faa ]
+
+The description of cma_declare_contiguous() indicates that if the
+'fixed' argument is true the reserved contiguous area must be exactly at
+the address of the 'base' argument.
+
+However, the function currently allows the 'base', 'size', and 'limit'
+arguments to be silently adjusted to meet alignment constraints. This
+commit enforces the documented behavior through explicit checks that
+return an error if the region does not fit within a specified region.
+
+Link: http://lkml.kernel.org/r/1561422051-16142-1-git-send-email-opendmb@gmail.com
+Fixes: 5ea3b1b2f8ad ("cma: add placement specifier for "cma=" kernel parameter")
+Signed-off-by: Doug Berger
+Acked-by: Michal Nazarewicz
+Cc: Yue Hu
+Cc: Mike Rapoport
+Cc: Laura Abbott
+Cc: Peng Fan
+Cc: Thomas Gleixner
+Cc: Marek Szyprowski
+Cc: Andrey Konovalov
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ mm/cma.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/mm/cma.c b/mm/cma.c
+index 5ae4452656cdf..65c7aa419048c 100644
+--- a/mm/cma.c
++++ b/mm/cma.c
+@@ -268,6 +268,12 @@ int __init cma_declare_contiguous(phys_addr_t base,
+ */
+ alignment = max(alignment, (phys_addr_t)PAGE_SIZE <<
+ max_t(unsigned long, MAX_ORDER - 1, pageblock_order));
++ if (fixed && base & (alignment - 1)) {
++ ret = -EINVAL;
++ pr_err("Region at %pa must be aligned to %pa bytes\n",
++ &base, &alignment);
++ goto err;
++ }
+ base = ALIGN(base, alignment);
+ size = ALIGN(size, alignment);
+ limit &= ~(alignment - 1);
+@@ -298,6 +304,13 @@ int __init cma_declare_contiguous(phys_addr_t base,
+ if (limit == 0 || limit > memblock_end)
+ limit = memblock_end;
+
++ if (base + size > limit) {
++ ret = -EINVAL;
++ pr_err("Size (%pa) of region at %pa exceeds limit (%pa)\n",
++ &size, &base, &limit);
++ goto err;
++ }
++
+ /* Reserve memory */
+ if (fixed) {
+ if (memblock_is_region_reserved(base, size) ||
+--
+2.20.1
+
diff --git a/queue-4.4/scsi-zfcp-fix-gcc-compiler-warning-emitted-with-wmay.patch b/queue-4.4/scsi-zfcp-fix-gcc-compiler-warning-emitted-with-wmay.patch
new file mode 100644
index 00000000000..afbab030f8d
--- /dev/null
+++ b/queue-4.4/scsi-zfcp-fix-gcc-compiler-warning-emitted-with-wmay.patch
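Review bot: The new range check `if (base + size > limit)` can wrap, because `base` and `size` are `phys_addr_t` values supplied by the caller and `size` has just been rounded up with `ALIGN()`; a very large `size` makes the sum overflow to a small number and the region passes the check it was meant to fail. Comparing without the addition avoids this: `if (size > limit || base > limit - size) {`. In the first hunk, `fixed && base & (alignment - 1)` depends on `&` binding tighter than `&&`, and parentheses around the mask test would make that explicit. `cma_declare_contiguous()` continues outside both hunks.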
@@ -0,0 +1,117 @@ +From 13a7f6b15dfead2693f1e096f9bc5a9afd67b865 Mon Sep 17 00:00:00 2001 +From: Benjamin Block +Date: Tue, 2 Jul 2019 23:02:02 +0200 +Subject: scsi: zfcp: fix GCC compiler warning emitted with + -Wmaybe-uninitialized + +[ Upstream commit 484647088826f2f651acbda6bcf9536b8a466703 ] + +GCC v9 emits this warning: + CC drivers/s390/scsi/zfcp_erp.o + drivers/s390/scsi/zfcp_erp.c: In function 'zfcp_erp_action_enqueue': + drivers/s390/scsi/zfcp_erp.c:217:26: warning: 'erp_action' may be used uninitialized in this function [-Wmaybe-uninitialized] + 217 | struct zfcp_erp_action *erp_action; + | ^~~~~~~~~~ + +This is a possible false positive case, as also documented in the GCC +documentations: + https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html#index-Wmaybe-uninitialized + +The actual code-sequence is like this: + Various callers can invoke the function below with the argument "want" + being one of: + ZFCP_ERP_ACTION_REOPEN_ADAPTER, + ZFCP_ERP_ACTION_REOPEN_PORT_FORCED, + ZFCP_ERP_ACTION_REOPEN_PORT, or + ZFCP_ERP_ACTION_REOPEN_LUN. + + zfcp_erp_action_enqueue(want, ...) + ... + need = zfcp_erp_required_act(want, ...) + need = want + ... + maybe: need = ZFCP_ERP_ACTION_REOPEN_PORT + maybe: need = ZFCP_ERP_ACTION_REOPEN_ADAPTER + ... + return need + ... + zfcp_erp_setup_act(need, ...) + struct zfcp_erp_action *erp_action; // <== line 217 + ... + switch(need) { + case ZFCP_ERP_ACTION_REOPEN_LUN: + ... + erp_action = &zfcp_sdev->erp_action; + WARN_ON_ONCE(erp_action->port != port); // <== access + ... + break; + case ZFCP_ERP_ACTION_REOPEN_PORT: + case ZFCP_ERP_ACTION_REOPEN_PORT_FORCED: + ... + erp_action = &port->erp_action; + WARN_ON_ONCE(erp_action->port != port); // <== access + ... + break; + case ZFCP_ERP_ACTION_REOPEN_ADAPTER: + ... + erp_action = &adapter->erp_action; + WARN_ON_ONCE(erp_action->port != NULL); // <== access + ... + break; + } + ... 
+ WARN_ON_ONCE(erp_action->adapter != adapter); // <== access
+
+When zfcp_erp_setup_act() is called, 'need' will never be anything else
+than one of the 4 possible enumeration-names that are used in the
+switch-case, and 'erp_action' is initialized for every one of them, before
+it is used. Thus the warning is a false positive, as documented.
+
+We introduce the extra if{} in the beginning to create an extra code-flow,
+so the compiler can be convinced that the switch-case will never see any
+other value.
+
+BUG_ON()/BUG() is intentionally not used to not crash anything, should
+this ever happen anyway - right now it's impossible, as argued above; and
+it doesn't introduce a 'default:' switch-case to retain warnings should
+'enum zfcp_erp_act_type' ever be extended and no explicit case be
+introduced. See also v5.0 commit 399b6c8bc9f7 ("scsi: zfcp: drop old
+default switch case which might paper over missing case").
+
+Signed-off-by: Benjamin Block
+Reviewed-by: Jens Remus
+Reviewed-by: Steffen Maier
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/s390/scsi/zfcp_erp.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/s390/scsi/zfcp_erp.c b/drivers/s390/scsi/zfcp_erp.c
+index abe460eac7126..cc62d8cc8cfdd 100644
+--- a/drivers/s390/scsi/zfcp_erp.c
++++ b/drivers/s390/scsi/zfcp_erp.c
+@@ -10,6 +10,7 @@
+ #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
+
+ #include
++#include
+ #include "zfcp_ext.h"
+ #include "zfcp_reqlist.h"
+
+@@ -244,6 +245,12 @@ static struct zfcp_erp_action *zfcp_erp_setup_act(int need, u32 act_status,
+ struct zfcp_erp_action *erp_action;
+ struct zfcp_scsi_dev *zfcp_sdev;
+
++ if (WARN_ON_ONCE(need != ZFCP_ERP_ACTION_REOPEN_LUN &&
++ need != ZFCP_ERP_ACTION_REOPEN_PORT &&
++ need != ZFCP_ERP_ACTION_REOPEN_PORT_FORCED &&
++ need != ZFCP_ERP_ACTION_REOPEN_ADAPTER))
++ return NULL;
++
+ switch (need) {
+ case ZFCP_ERP_ACTION_REOPEN_LUN:
+ zfcp_sdev = sdev_to_zfcp(sdev);
+--
+2.20.1
+
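Review bot: The guard added at the top of `zfcp_erp_setup_act()` carries no comment, so the reason it is an open-coded `if` rather than a `default:` case lives only in the commit message. In this tree the hunk header shows `need` declared as `int`, not as the enum, so the stated reason (keeping compiler warnings for unhandled enumerators) may not apply to the backport and is worth confirming. I would add `/* need is always one of the four REOPEN actions; this lets the compiler see that erp_action is set below */` above the `if`. The new `return NULL` also relies on every caller checking the result, which cannot be seen from this hunk.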
diff --git a/queue-4.4/series b/queue-4.4/series
new file mode 100644
index 00000000000..005c5641bd3
--- /dev/null
+++ b/queue-4.4/series
@@ -0,0 +1,19 @@
+arm-riscpc-fix-dma.patch
+arm-dts-rockchip-mark-that-the-rk3288-timer-might-st.patch
+kernel-module.c-only-return-eexist-for-modules-that-.patch
+mips-lantiq-fix-bitfield-masking.patch
+dmaengine-rcar-dmac-reject-zero-length-slave-dma-req.patch
+fs-adfs-super-fix-use-after-free-bug.patch
+btrfs-fix-minimum-number-of-chunk-errors-for-dup.patch
+ceph-fix-improper-use-of-smp_mb__before_atomic.patch
+scsi-zfcp-fix-gcc-compiler-warning-emitted-with-wmay.patch
+acpi-fix-false-positive-wuninitialized-warning.patch
+be2net-signal-that-the-device-cannot-transmit-during.patch
+x86-apic-silence-wtype-limits-compiler-warnings.patch
+x86-math-emu-hide-clang-warnings-for-16-bit-overflow.patch
+mm-cma.c-fail-if-fixed-declaration-can-t-be-honored.patch
+coda-add-error-handling-for-fget.patch
+coda-fix-build-using-bare-metal-toolchain.patch
+uapi-linux-coda_psdev.h-move-upc_req-definition-from.patch
+ipc-mqueue.c-only-perform-resource-calculation-if-us.patch
+x86-kvm-don-t-call-kvm_spurious_fault-from-.fixup.patch
diff --git a/queue-4.4/uapi-linux-coda_psdev.h-move-upc_req-definition-from.patch b/queue-4.4/uapi-linux-coda_psdev.h-move-upc_req-definition-from.patch
new file mode 100644
index 00000000000..a1a2e4b7293
--- /dev/null
+++ b/queue-4.4/uapi-linux-coda_psdev.h-move-upc_req-definition-from.patch
@@ -0,0 +1,106 @@ +From 31c06b5c73aed59b88e90e3aab173dff3818e6ff Mon Sep 17 00:00:00 2001 +From: Mikko Rapeli +Date: Tue, 16 Jul 2019 16:28:10 -0700 +Subject: uapi linux/coda_psdev.h: move upc_req definition from uapi to kernel + side headers + +[ Upstream commit f90fb3c7e2c13ae829db2274b88b845a75038b8a ] + +Only users of upc_req in kernel side fs/coda/psdev.c and +fs/coda/upcall.c already include linux/coda_psdev.h. + +Suggested by Jan Harkes in + https://lore.kernel.org/lkml/20150531111913.GA23377@cs.cmu.edu/ + +Fixes these include/uapi/linux/coda_psdev.h compilation errors in userspace: + + linux/coda_psdev.h:12:19: error: field `uc_chain' has incomplete type + struct list_head uc_chain; + ^ + linux/coda_psdev.h:13:2: error: unknown type name `caddr_t' + caddr_t uc_data; + ^ + linux/coda_psdev.h:14:2: error: unknown type name `u_short' + u_short uc_flags; + ^ + linux/coda_psdev.h:15:2: error: unknown type name `u_short' + u_short uc_inSize; /* Size is at most 5000 bytes */ + ^ + linux/coda_psdev.h:16:2: error: unknown type name `u_short' + u_short uc_outSize; + ^ + linux/coda_psdev.h:17:2: error: unknown type name `u_short' + u_short uc_opcode; /* copied from data to save lookup */ + ^ + linux/coda_psdev.h:19:2: error: unknown type name `wait_queue_head_t' + wait_queue_head_t uc_sleep; /* process' wait queue */ + ^ + +Link: http://lkml.kernel.org/r/9f99f5ce6a0563d5266e6cf7aa9585aac2cae971.1558117389.git.jaharkes@cs.cmu.edu +Signed-off-by: Mikko Rapeli +Signed-off-by: Jan Harkes +Cc: Arnd Bergmann +Cc: Colin Ian King +Cc: Dan Carpenter +Cc: David Howells +Cc: Fabian Frederick +Cc: Sam Protsenko +Cc: Yann Droneaud +Cc: Zhouyang Jia +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/linux/coda_psdev.h | 11 +++++++++++ + include/uapi/linux/coda_psdev.h | 13 ------------- + 2 files changed, 11 insertions(+), 13 deletions(-) + +diff --git a/include/linux/coda_psdev.h b/include/linux/coda_psdev.h +index 
5b8721efa948e..fe1466daf2918 100644 +--- a/include/linux/coda_psdev.h ++++ b/include/linux/coda_psdev.h +@@ -19,6 +19,17 @@ struct venus_comm { + struct mutex vc_mutex; + }; + ++/* messages between coda filesystem in kernel and Venus */ ++struct upc_req { ++ struct list_head uc_chain; ++ caddr_t uc_data; ++ u_short uc_flags; ++ u_short uc_inSize; /* Size is at most 5000 bytes */ ++ u_short uc_outSize; ++ u_short uc_opcode; /* copied from data to save lookup */ ++ int uc_unique; ++ wait_queue_head_t uc_sleep; /* process' wait queue */ ++}; + + static inline struct venus_comm *coda_vcp(struct super_block *sb) + { +diff --git a/include/uapi/linux/coda_psdev.h b/include/uapi/linux/coda_psdev.h +index 79d05981fc4b0..e2c44d2f7d5bd 100644 +--- a/include/uapi/linux/coda_psdev.h ++++ b/include/uapi/linux/coda_psdev.h +@@ -6,19 +6,6 @@ + #define CODA_PSDEV_MAJOR 67 + #define MAX_CODADEVS 5 /* how many do we allow */ + +- +-/* messages between coda filesystem in kernel and Venus */ +-struct upc_req { +- struct list_head uc_chain; +- caddr_t uc_data; +- u_short uc_flags; +- u_short uc_inSize; /* Size is at most 5000 bytes */ +- u_short uc_outSize; +- u_short uc_opcode; /* copied from data to save lookup */ +- int uc_unique; +- wait_queue_head_t uc_sleep; /* process' wait queue */ +-}; +- + #define CODA_REQ_ASYNC 0x1 + #define CODA_REQ_READ 0x2 + #define CODA_REQ_WRITE 0x4 +-- +2.20.1 + diff --git a/queue-4.4/x86-apic-silence-wtype-limits-compiler-warnings.patch b/queue-4.4/x86-apic-silence-wtype-limits-compiler-warnings.patch new file mode 100644 index 00000000000..5b6b9561b96 --- /dev/null +++ b/queue-4.4/x86-apic-silence-wtype-limits-compiler-warnings.patch 
@@ -0,0 +1,74 @@ +From c905a93a506bfb407e0bfebdf541a052df33276a Mon Sep 17 00:00:00 2001 +From: Qian Cai +Date: Mon, 8 Jul 2019 17:36:45 -0400 +Subject: x86/apic: Silence -Wtype-limits compiler warnings + +[ Upstream commit ec6335586953b0df32f83ef696002063090c7aef ] + +There are many compiler warnings like this, + +In file included from ./arch/x86/include/asm/smp.h:13, + from ./arch/x86/include/asm/mmzone_64.h:11, + from ./arch/x86/include/asm/mmzone.h:5, + from ./include/linux/mmzone.h:969, + from ./include/linux/gfp.h:6, + from ./include/linux/mm.h:10, + from arch/x86/kernel/apic/io_apic.c:34: +arch/x86/kernel/apic/io_apic.c: In function 'check_timer': +./arch/x86/include/asm/apic.h:37:11: warning: comparison of unsigned +expression >= 0 is always true [-Wtype-limits] + if ((v) <= apic_verbosity) \ + ^~ +arch/x86/kernel/apic/io_apic.c:2160:2: note: in expansion of macro +'apic_printk' + apic_printk(APIC_QUIET, KERN_INFO "..TIMER: vector=0x%02X " + ^~~~~~~~~~~ +./arch/x86/include/asm/apic.h:37:11: warning: comparison of unsigned +expression >= 0 is always true [-Wtype-limits] + if ((v) <= apic_verbosity) \ + ^~ +arch/x86/kernel/apic/io_apic.c:2207:4: note: in expansion of macro +'apic_printk' + apic_printk(APIC_QUIET, KERN_ERR "..MP-BIOS bug: " + ^~~~~~~~~~~ + +APIC_QUIET is 0, so silence them by making apic_verbosity type int. 
+ +Signed-off-by: Qian Cai +Signed-off-by: Thomas Gleixner +Link: https://lkml.kernel.org/r/1562621805-24789-1-git-send-email-cai@lca.pw +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/apic.h | 2 +- + arch/x86/kernel/apic/apic.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/include/asm/apic.h b/arch/x86/include/asm/apic.h +index fd810a57ab1b1..3328a37ddc75c 100644 +--- a/arch/x86/include/asm/apic.h ++++ b/arch/x86/include/asm/apic.h +@@ -44,7 +44,7 @@ static inline void generic_apic_probe(void) + + #ifdef CONFIG_X86_LOCAL_APIC + +-extern unsigned int apic_verbosity; ++extern int apic_verbosity; + extern int local_apic_timer_c2_ok; + + extern int disable_apic; +diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c +index deddc9b932990..cc6c33249850e 100644 +--- a/arch/x86/kernel/apic/apic.c ++++ b/arch/x86/kernel/apic/apic.c +@@ -171,7 +171,7 @@ int first_system_vector = FIRST_SYSTEM_VECTOR; + /* + * Debug level, exported for io_apic.c + */ +-unsigned int apic_verbosity; ++int apic_verbosity; + + int pic_mode; + +-- +2.20.1 + diff --git a/queue-4.4/x86-kvm-don-t-call-kvm_spurious_fault-from-.fixup.patch b/queue-4.4/x86-kvm-don-t-call-kvm_spurious_fault-from-.fixup.patch new file mode 100644 index 00000000000..b3051297d8d --- /dev/null +++ b/queue-4.4/x86-kvm-don-t-call-kvm_spurious_fault-from-.fixup.patch 
@@ -0,0 +1,122 @@ +From 1bcca4ddcecab0c8bc5a2f944c2164a653012ef1 Mon Sep 17 00:00:00 2001 +From: Josh Poimboeuf +Date: Wed, 17 Jul 2019 20:36:39 -0500 +Subject: x86/kvm: Don't call kvm_spurious_fault() from .fixup + +[ Upstream commit 3901336ed9887b075531bffaeef7742ba614058b ] + +After making a change to improve objtool's sibling call detection, it +started showing the following warning: + + arch/x86/kvm/vmx/nested.o: warning: objtool: .fixup+0x15: sibling call from callable instruction with modified stack frame + +The problem is the ____kvm_handle_fault_on_reboot() macro. It does a +fake call by pushing a fake RIP and doing a jump. That tricks the +unwinder into printing the function which triggered the exception, +rather than the .fixup code. + +Instead of the hack to make it look like the original function made the +call, just change the macro so that the original function actually does +make the call. This allows removal of the hack, and also makes objtool +happy. + +I triggered a vmx instruction exception and verified that the stack +trace is still sane: + + kernel BUG at arch/x86/kvm/x86.c:358! 
+ invalid opcode: 0000 [#1] SMP PTI + CPU: 28 PID: 4096 Comm: qemu-kvm Not tainted 5.2.0+ #16 + Hardware name: Lenovo THINKSYSTEM SD530 -[7X2106Z000]-/-[7X2106Z000]-, BIOS -[TEE113Z-1.00]- 07/17/2017 + RIP: 0010:kvm_spurious_fault+0x5/0x10 + Code: 00 00 00 00 00 8b 44 24 10 89 d2 45 89 c9 48 89 44 24 10 8b 44 24 08 48 89 44 24 08 e9 d4 40 22 00 0f 1f 40 00 0f 1f 44 00 00 <0f> 0b 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 55 49 89 fd 41 + RSP: 0018:ffffbf91c683bd00 EFLAGS: 00010246 + RAX: 000061f040000000 RBX: ffff9e159c77bba0 RCX: ffff9e15a5c87000 + RDX: 0000000665c87000 RSI: ffff9e15a5c87000 RDI: ffff9e159c77bba0 + RBP: 0000000000000000 R08: 0000000000000000 R09: ffff9e15a5c87000 + R10: 0000000000000000 R11: fffff8f2d99721c0 R12: ffff9e159c77bba0 + R13: ffffbf91c671d960 R14: ffff9e159c778000 R15: 0000000000000000 + FS: 00007fa341cbe700(0000) GS:ffff9e15b7400000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007fdd38356804 CR3: 00000006759de003 CR4: 00000000007606e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + PKRU: 55555554 + Call Trace: + loaded_vmcs_init+0x4f/0xe0 + alloc_loaded_vmcs+0x38/0xd0 + vmx_create_vcpu+0xf7/0x600 + kvm_vm_ioctl+0x5e9/0x980 + ? __switch_to_asm+0x40/0x70 + ? __switch_to_asm+0x34/0x70 + ? __switch_to_asm+0x40/0x70 + ? __switch_to_asm+0x34/0x70 + ? 
free_one_page+0x13f/0x4e0 + do_vfs_ioctl+0xa4/0x630 + ksys_ioctl+0x60/0x90 + __x64_sys_ioctl+0x16/0x20 + do_syscall_64+0x55/0x1c0 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + RIP: 0033:0x7fa349b1ee5b + +Signed-off-by: Josh Poimboeuf +Signed-off-by: Thomas Gleixner +Acked-by: Paolo Bonzini +Acked-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/64a9b64d127e87b6920a97afde8e96ea76f6524e.1563413318.git.jpoimboe@redhat.com +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/kvm_host.h | 34 ++++++++++++++++++--------------- + 1 file changed, 19 insertions(+), 15 deletions(-) + +diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h +index 2cb49ac1b2b25..39f2024620292 100644 +--- a/arch/x86/include/asm/kvm_host.h ++++ b/arch/x86/include/asm/kvm_host.h +@@ -1184,25 +1184,29 @@ enum { + #define kvm_arch_vcpu_memslots_id(vcpu) ((vcpu)->arch.hflags & HF_SMM_MASK ? 1 : 0) + #define kvm_memslots_for_spte_role(kvm, role) __kvm_memslots(kvm, (role).smm) + ++asmlinkage void __noreturn kvm_spurious_fault(void); ++ + /* + * Hardware virtualization extension instructions may fault if a + * reboot turns off virtualization while processes are running. +- * Trap the fault and ignore the instruction if that happens. ++ * Usually after catching the fault we just panic; during reboot ++ * instead the instruction is ignored. 
+ */
+-asmlinkage void kvm_spurious_fault(void);
+-
+-#define ____kvm_handle_fault_on_reboot(insn, cleanup_insn) \
+- "666: " insn "\n\t" \
+- "668: \n\t" \
+- ".pushsection .fixup, \"ax\" \n" \
+- "667: \n\t" \
+- cleanup_insn "\n\t" \
+- "cmpb $0, kvm_rebooting \n\t" \
+- "jne 668b \n\t" \
+- __ASM_SIZE(push) " $666b \n\t" \
+- "jmp kvm_spurious_fault \n\t" \
+- ".popsection \n\t" \
+- _ASM_EXTABLE(666b, 667b)
++#define ____kvm_handle_fault_on_reboot(insn, cleanup_insn) \
++ "666: \n\t" \
++ insn "\n\t" \
++ "jmp 668f \n\t" \
++ "667: \n\t" \
++ "call kvm_spurious_fault \n\t" \
++ "668: \n\t" \
++ ".pushsection .fixup, \"ax\" \n\t" \
++ "700: \n\t" \
++ cleanup_insn "\n\t" \
++ "cmpb $0, kvm_rebooting\n\t" \
++ "je 667b \n\t" \
++ "jmp 668b \n\t" \
++ ".popsection \n\t" \
++ _ASM_EXTABLE(666b, 700b)
+
+ #define __kvm_handle_fault_on_reboot(insn) \
+ ____kvm_handle_fault_on_reboot(insn, "")
+--
+2.20.1
+
diff --git a/queue-4.4/x86-math-emu-hide-clang-warnings-for-16-bit-overflow.patch b/queue-4.4/x86-math-emu-hide-clang-warnings-for-16-bit-overflow.patch
new file mode 100644
index 00000000000..99eb9c98411
--- /dev/null
+++ b/queue-4.4/x86-math-emu-hide-clang-warnings-for-16-bit-overflow.patch
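Review bot: The rewritten `____kvm_handle_fault_on_reboot()` uses four numeric labels (666, 667, 668, 700) with no explanation, and the normal path now executes a `jmp 668f` over an inline `call kvm_spurious_fault` on every use. I would put a comment above the `#define`, for example `/* 666: guarded insn, 667: not rebooting, report the fault, 668: continue, 700: fixup entry */`, so the control flow can be checked without the commit message. The `call` sits inside an asm string, so the compiler is not told that the enclosing function makes a call; whether that matters for stack unwinding in this tree cannot be seen from the hunk. The macro's users are outside the hunk.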
@@ -0,0 +1,69 @@ +From 7df2746d1dca0b2da841772cdb3918ac5fdb3a7d Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Fri, 12 Jul 2019 11:08:05 +0200 +Subject: x86: math-emu: Hide clang warnings for 16-bit overflow + +[ Upstream commit 29e7e9664aec17b94a9c8c5a75f8d216a206aa3a ] + +clang warns about a few parts of the math-emu implementation +where a 16-bit integer becomes negative during assignment: + +arch/x86/math-emu/poly_tan.c:88:35: error: implicit conversion from 'int' to 'short' changes value from 49216 to -16320 [-Werror,-Wconstant-conversion] + (0x41 + EXTENDED_Ebias) | SIGN_Negative); + ~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~ +arch/x86/math-emu/fpu_emu.h:180:58: note: expanded from macro 'setexponent16' + #define setexponent16(x,y) { (*(short *)&((x)->exp)) = (y); } + ~ ^ +arch/x86/math-emu/reg_constant.c:37:32: error: implicit conversion from 'int' to 'short' changes value from 49085 to -16451 [-Werror,-Wconstant-conversion] +FPU_REG const CONST_PI2extra = MAKE_REG(NEG, -66, + ^~~~~~~~~~~~~~~~~~ +arch/x86/math-emu/reg_constant.c:21:25: note: expanded from macro 'MAKE_REG' + ((EXTENDED_Ebias+(e)) | ((SIGN_##s != 0)*0x8000)) } + ~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~ +arch/x86/math-emu/reg_constant.c:48:28: error: implicit conversion from 'int' to 'short' changes value from 65535 to -1 [-Werror,-Wconstant-conversion] +FPU_REG const CONST_QNaN = MAKE_REG(NEG, EXP_OVER, 0x00000000, 0xC0000000); + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +arch/x86/math-emu/reg_constant.c:21:25: note: expanded from macro 'MAKE_REG' + ((EXTENDED_Ebias+(e)) | ((SIGN_##s != 0)*0x8000)) } + ~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~ + +The code is correct as is, so add a typecast to shut up the warnings. 
+ +Signed-off-by: Arnd Bergmann +Signed-off-by: Thomas Gleixner +Link: https://lkml.kernel.org/r/20190712090816.350668-1-arnd@arndb.de +Signed-off-by: Sasha Levin +--- + arch/x86/math-emu/fpu_emu.h | 2 +- + arch/x86/math-emu/reg_constant.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/math-emu/fpu_emu.h b/arch/x86/math-emu/fpu_emu.h +index afbc4d805d66f..df5aee5402c44 100644 +--- a/arch/x86/math-emu/fpu_emu.h ++++ b/arch/x86/math-emu/fpu_emu.h +@@ -176,7 +176,7 @@ static inline void reg_copy(FPU_REG const *x, FPU_REG *y) + #define setexponentpos(x,y) { (*(short *)&((x)->exp)) = \ + ((y) + EXTENDED_Ebias) & 0x7fff; } + #define exponent16(x) (*(short *)&((x)->exp)) +-#define setexponent16(x,y) { (*(short *)&((x)->exp)) = (y); } ++#define setexponent16(x,y) { (*(short *)&((x)->exp)) = (u16)(y); } + #define addexponent(x,y) { (*(short *)&((x)->exp)) += (y); } + #define stdexp(x) { (*(short *)&((x)->exp)) += EXTENDED_Ebias; } + +diff --git a/arch/x86/math-emu/reg_constant.c b/arch/x86/math-emu/reg_constant.c +index 00548354912f4..382093c5072b0 100644 +--- a/arch/x86/math-emu/reg_constant.c ++++ b/arch/x86/math-emu/reg_constant.c +@@ -17,7 +17,7 @@ + #include "control_w.h" + + #define MAKE_REG(s, e, l, h) { l, h, \ +- ((EXTENDED_Ebias+(e)) | ((SIGN_##s != 0)*0x8000)) } ++ (u16)((EXTENDED_Ebias+(e)) | ((SIGN_##s != 0)*0x8000)) } + + FPU_REG const CONST_1 = MAKE_REG(POS, 0, 0x00000000, 0x80000000); + #if 0 +-- +2.20.1 + -- 2.47.3