From f688f4599dba8b5a3c898999d6faf203c414ea78 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Wed, 3 Apr 2019 23:43:24 -0400 Subject: [PATCH] fixes for 5.0 Signed-off-by: Sasha Levin --- ...d-chassis-type-detection-with-a-lunc.patch | 47 +++ ...ideo-refactor-and-fix-dmi_is_desktop.patch | 72 +++++ ...pport-for-solid-state-logic-duende-c.patch | 109 +++++++ ...f-ops-are-defined-before-suspending-.patch | 49 +++ ...ble-free-when-unpack-of-secmark-rule.patch | 70 +++++ .../appletalk-fix-compile-regression.patch | 69 +++++ ...-toggle-only-bits-in-exc_return-we-a.patch | 98 ++++++ ...e-that-neon-code-always-compiles-wit.patch | 122 ++++++++ ...840-1-use-a-raw_spinlock_t-in-unwind.patch | 92 ++++++ ...5-1-use-unified-assembler-in-c-files.patch | 99 ++++++ ...ortex-a9-livelock-on-tight-dmb-loops.patch | 209 +++++++++++++ ...remove-leading-0x-and-0s-from-bindin.patch | 133 ++++++++ ...fix-the-ethernet-data-line-signals-i.patch | 98 ++++++ ...obile-fix-r-car-gen2-regulator-quirk.patch | 59 ++++ ...rd-fix-object-reference-leaks-in-fsl.patch | 44 +++ ...-node-refcount-unbalance-in-qcom_snd.patch | 74 +++++ ...-utils-check-reg-property-on-asoc_si.patch | 68 +++++ ...report-unset-rssi-values-to-mac80211.patch | 52 ++++ ...w-register-implementation-for-wcn399.patch | 108 +++++++ ...rong-updation-of-bw-in-tx_stats-debu.patch | 63 ++++ ...-context-to-audit_kill_trees-for-sys.patch | 182 +++++++++++ ...-use-gpiod_get_value_cansleep-to-get.patch | 67 +++++ ...-overflow-to-cache-set-sysfs-file-io.patch | 50 ++++ ...-input-overflow-to-sequential_cutoff.patch | 42 +++ ...tial-div-zero-error-of-writeback_rat.patch | 50 ++++ ...iv-zero-error-of-writeback_rat.patch-17972 | 48 +++ .../bcache-improve-sysfs_strtoul_clamp.patch | 64 ++++ ...-service-queue-check-for-queue-mergi.patch | 79 +++++ ...-fix-queue-removal-from-weights-tree.patch | 119 ++++++++ .../bpf-fix-missing-prototype-warnings.patch | 49 +++ ...x-possible-out-of-bound-access-warni.patch | 156 ++++++++++ ...mware_request_nowarn-for-the-clm_blo.patch | 55 ++++ ...-enospc-all-tickets-on-flush-failure.patch | 159 ++++++++++ ...e-qgroup-async-transaction-commit-mo.patch | 117 ++++++++ ...drop_progress-if-we-drop-refs-at-all.patch | 153 ++++++++++ ...e-condition-in-cdrom_sysctl_register.patch | 99 ++++++ ...-cgroup_subsys-free-into-cgroup_subs.patch | 173 +++++++++++ ...-t-flush-subtree-root-unless-necessa.patch | 72 +++++ ...date-negotiate-if-server-return-nt_s.patch | 55 ++++ ...-null-pointer-dereference-of-devname.patch | 60 ++++ ...osix-lock-leak-and-invalid-ptr-deref.patch | 147 +++++++++ .../cifs-use-correct-format-characters.patch | 80 +++++ ...ivider-check-parent-rate-only-if-fla.patch | 104 +++++++ ...lk-meson-clean-up-clock-registration.patch | 56 ++++ ...-frac-settings-of-gpll-clock-for-rk3.patch | 65 ++++ ...ix-clkdm_name-regression-for-ti_clk_.patch | 56 ++++ ...-etm4x-add-support-to-enable-etmv4.2.patch | 64 ++++ ...lug-mute-hotplug-lockdep-during-init.patch | 101 +++++++ ...freq-report-if-cpu-doesn-t-support-b.patch | 49 +++ ...p-fix-collision-with-generic-cra_dri.patch | 68 +++++ ...-add-missing-of_node_put-after-of_de.patch | 63 ++++ ...ty-checks-to-thin-pool-and-external-.patch | 111 +++++++ ...a-fix-warning-comparison-of-distinct.patch | 60 ++++ ...idma-assign-channel-cookie-correctly.patch | 86 ++++++ ...idma-initialize-tx-flags-in-hidma_pr.patch | 55 ++++ ...egra-avoid-overflow-of-byte-tracking.patch | 55 ++++ ...-fix-user-memory-accessors-formattin.patch | 178 +++++++++++ ...clear-stream-mode_changed-after-comm.patch | 53 ++++ ...lay-disconnect-mpcc-when-changing-tg.patch | 71 +++++ ...don-t-re-program-planes-for-dpms-cha.patch | 64 ++++ ...enable-vblank-interrupt-during-crc-c.patch | 133 ++++++++ ...fix-reference-counting-for-struct-dc.patch | 261 ++++++++++++++++ ...ow_fb_modifiers-when-given-modifiers.patch | 46 +++ ...gure-no_stop_bit-correctly-for-remot.patch | 48 +++ ...x-leaks-in-error-path-of-drm_fb_help.patch | 67 +++++ ...sm-dpu-convert-to-a-chained-irq-chip.patch | 202 +++++++++++++ ...au-stop-using-drm_crtc_force_disable.patch | 48 +++ .../drm-rcar-du-add-missing-of_node_put.patch | 64 ++++ ...property_atomic-to-avoid-returning-w.patch | 51 ++++ .../drm-sched-fix-entities-with-0-rqs.patch | 122 ++++++++ .../drm-vkms-bugfix-extra-vblank-frame.patch | 67 +++++ ...-bugfix-racing-hrtimer-vblank-handle.patch | 91 ++++++ ...evice-from-suspend-direct-complete-o.patch | 41 +++ ...lic-resets-at-link-up-with-active-tx.patch | 91 ++++++ ...000e-fix-wformat-truncation-warnings.patch | 72 +++++ ...low-setvirtualaddressmap-to-be-omitt.patch | 153 ++++++++++ ...er-fix-possible-out-of-bounds-access.patch | 65 ++++ ...ror-due-to-enum-collision-between-ef.patch | 283 ++++++++++++++++++ ...t-bail-on-zero-va-if-it-equals-the-r.patch | 68 +++++ ...arning-without-config_cpumask_offsta.patch | 64 ++++ ...c-cluster-freeing-when-hole-punching.patch | 65 ++++ ...not-use-mutex-lock-in-atomic-context.patch | 107 +++++++ ...t-small-inline-xattr-space-in-__find.patch | 68 +++++ ...oid-deadlock-in-f2fs_read_inline_dir.patch | 121 ++++++++ ...k-inline_xattr_size-boundary-correct.patch | 111 +++++++ ...-block-override-node-segment-by-mist.patch | 67 +++++ ...ialize-variable-to-avoid-ubsan-smatc.patch | 99 ++++++ ...oolean-value-iostat_enable-correctly.patch | 72 +++++ ...memory-access-if-logo-is-bigger-than.patch | 52 ++++ ....c-initialize-init_files.resize_wait.patch | 80 +++++ ...bio_eod-to-check-for-real-eod-errors.patch | 79 +++++ ...nd-tee-take-into-account-o_nonblock-.patch | 99 ++++++ ...-avoid-summation-loops-for-proc-stat.patch | 156 ++++++++++ ...gpio-omap-fix-level-interrupt-idling.patch | 87 ++++++ ...gulator-gpio-quirk-only-to-enable-gp.patch | 84 ++++++ ...-enable-gpio-quirk-to-regulator-gpio.patch | 56 ++++ ...ss-prefix-instead-of-hardcoding-h830.patch | 61 ++++ ...d-avoid-binding-wrong-ishtp_cl_devic.patch | 53 ++++ ...c-handle-pimr-before-ish_wakeup-also.patch | 64 ++++ ...-character-in-the-__setup-code-of-hp.patch | 59 ++++ ...io-avoid-repeated-init-of-completion.patch | 57 ++++ ...ry-of-the-initial-irq-by-an-i2c-clie.patch | 75 +++++ ...o-not-allow-i2c_dw_xfer-calls-while-.patch | 149 +++++++++ ...nd-an-i2c-adapter-matching-the-paren.patch | 63 ++++ ...x4-increase-the-timeout-for-cm-cache.patch | 106 +++++++ ...move_rule_internal-vsi_list-handling.patch | 81 +++++ ...ing-in-qualcomm-pm8xxx-hk-xoadc-driv.patch | 79 +++++ ...lay.h-fix-percpu-annotation-in-struc.patch | 53 ++++ ..._array-fix-mapping-of-the-5th-gpio-i.patch | 55 ++++ ...-arm-v7s-only-kmemleak_ignore-l2-tab.patch | 51 ++++ ...ble-ats-support-on-untrusted-devices.patch | 47 +++ ...-srqidx-leak-during-connection-abort.patch | 60 ++++ ...-fix-rfh-config-command-with-10-cpus.patch | 68 +++++ .../iwlwifi-pcie-fix-emergency-path.patch | 73 +++++ ...ix-invalid-descriptor-block-checksum.patch | 52 ++++ ...bd2-fix-race-when-writing-superblock.patch | 157 ++++++++++ ...x-kasan_check_read-write-definitions.patch | 71 +++++ ...ncconfig-if-include-config-auto.conf.patch | 72 +++++ ...effective-in-top-makefile-for-old-ma.patch | 149 +++++++++ .../kprobes-prohibit-probing-on-bsearch.patch | 56 ++++ ...rohibit-probing-on-rcu-debug-routine.patch | 58 ++++ ...-null-deref-on-firmware-load-failure.patch | 58 ++++ ...dep-compilation-at-the-start-of-the-.patch | 120 ++++++++ .../lockdep-lib-tests-fix-run_tests.sh.patch | 65 ++++ ...l_no_part_scan-after-blkdev_reread_p.patch | 86 ++++++ ...et-initial-frame-size-other-than-0x0.patch | 39 +++ ...orrect-return-type-for-mem2mem-buffe.patch | 178 +++++++++++ ...p-correct-return-type-for-mem2mem-bu.patch | 61 ++++ ...ov7740-fix-runtime-pm-initialization.patch | 81 +++++ ...llow-independent-vin-link-enablement.patch | 70 +++++ ...ga-correct-return-type-for-mem2mem-b.patch | 61 ++++ ...pu-correct-return-type-for-mem2mem-b.patch | 100 +++++++ ...rrect-return-type-for-mem2mem-buffer.patch | 63 ++++ ...heck-for-fmt_ver_flag-when-doing-fmt.patch | 86 ++++++ ...orrect-return-type-for-mem2mem-buffe.patch | 199 ++++++++++++ ...rect-return-type-for-mem2mem-buffer-.patch | 57 ++++ ...eads-should-not-invoke-memcg-oom-kil.patch | 97 ++++++ ...um-avoid-wformat-truncation-warnings.patch | 70 +++++ ...lare_contiguous-correct-err-handling.patch | 59 ++++ ...m-mempolicy-fix-uninit-memory-access.patch | 95 ++++++ ...ill-global-init-via-memory.oom.group.patch | 177 +++++++++++ ...ext.c-fix-an-imbalance-with-kmemleak.patch | 82 +++++ ...rn-real-error-codes-from-walk-failur.patch | 80 +++++ ...slab.c-kmemleak-no-scan-alien-caches.patch | 151 ++++++++++ .../mm-sparse-fix-a-bad-comparison.patch | 63 ++++ ...heck-swap_info-array-accesses-to-avo.patch | 213 +++++++++++++ ...c-fix-kernel-bug-at-mm-vmalloc.c-512.patch | 62 ++++ ...omap-fix-the-maximum-timeout-setting.patch | 51 ++++ ...d-reference-by-adding-a-missing-of_n.patch | 81 +++++ ...do-not-run-mt76u_queues_deinit-twice.patch | 97 ++++++ ...t7601u-bump-supported-eeprom-version.patch | 61 ++++ ...vertise-ibss-features-without-fw-sup.patch | 66 ++++ ...x-add-lockdep-classes-to-fix-false-p.patch | 119 ++++++++ ...x-default-cmode-to-1000basex-only-on.patch | 46 +++ ...ting-of-the-hns-reset_type-for-rdma-.patch | 126 ++++++++ ...2-fix-stuck-in-band-sgmii-negotiatio.patch | 82 +++++ ...anic-when-setting-vport-mac-getting-.patch | 80 +++++ ...-avoid-panic-when-setting-vport-rate.patch | 81 +++++ ...access-to-non-existing-receive-queue.patch | 43 +++ ...-latched-link-down-status-in-polling.patch | 85 ++++++ ...-one-more-sometimes-uninitialized-cl.patch | 51 ++++ ...-sometimes-uninitialized-clang-warni.patch | 70 +++++ ...ack-fix-cloned-unconfirmed-skb-_nfct.patch | 131 ++++++++ ...ack-tcp-only-close-if-rst-matches-ex.patch | 213 +++++++++++++ ...les-check-the-result-of-dereferencin.patch | 70 +++++ ...hysdev-relax-br_netfilter-dependency.patch | 95 ++++++ ...me-fc-fix-numa_node-when-dev-is-null.patch | 47 +++ ...vmet_ctrl-fatal_err_work-when-alloca.patch | 99 ++++++ ...x-a-panic-problem-caused-by-o2cb_ctl.patch | 70 +++++ .../page_poison-play-nicely-with-kasan.patch | 93 ++++++ ...-memory-mapped-io-range-size-computa.patch | 78 +++++ ...n-ctrl-slot_ctrl-before-writing-it-t.patch | 54 ++++ ...lug-sysfs-remove-deadlock-in-pcie_pm.patch | 143 +++++++++ ...tate-fix-getting-source-line-failure.patch | 176 +++++++++++ ...e-perf_event-accessible-to-setup_aux.patch | 174 +++++++++++ ...flags-add-missing-s-lost-when-adding.patch | 69 +++++ ...id-options-fix-up-prefix-showing-log.patch | 80 +++++ ...c-fix-c2c-report-for-empty-numa-node.patch | 63 ++++ ...o-not-test-for-libopencsd-by-default.patch | 172 +++++++++++ ...s390-diagnosic-sampling-descriptor-s.patch | 63 ++++ ...t-shadow-inlined-symbol-with-differe.patch | 71 +++++ ...-script-handle-missing-fields-with-f.patch | 82 +++++ ...on-add-trace_context-extension-modul.patch | 122 ++++++++ ...on-use-pybytes-for-attr-in-trace-eve.patch | 62 ++++ ...ilure-of-evsel-tp-sched-test-on-s390.patch | 120 ++++++++ ...-if-the-fd-is-negative-when-mapping-.patch | 75 +++++ .../perf-trace-fixup-etcsnoop-example.patch | 51 ++++ ...x-g12a-ao-pull-registers-base-addres.patch | 89 ++++++ ...son8b-add-the-eth_rxd2-and-eth_rxd3-.patch | 80 +++++ ...c-r8a77990-fix-mod_sel-bit-numbering.patch | 121 ++++++++ ...c-r8a77995-fix-mod_sel-bit-numbering.patch | 79 +++++ ...nox-mlxreg-hotplug-fix-kasan-warning.patch | 166 ++++++++++ ...apad-laptop-fix-no_hw_rfkill_list-fo.patch | 59 ++++ ...el-hid-missing-power-button-release-.patch | 68 +++++ ...ntel_pmc_core-fix-pch-ip-sts-reading.patch | 63 ++++ ...werpc-44x-force-pci-on-for-currituck.patch | 50 ++++ ...r-on-stack-exception-marker-upon-exc.patch | 80 +++++ ...handle-mmap_min_addr-correctly-in-ge.patch | 70 +++++ ...ioda-fix-locked_vm-counting-for-memo.patch | 89 ++++++ ...perform-full-re-add-of-cpu-for-topol.patch | 110 +++++++ ...ptrace-mitigate-potential-spectre-v1.patch | 78 +++++ ...-opcode-being-uninitialized-in-print.patch | 59 ++++ ...5-fix-act8600_sudcdc_voltage_ranges-.patch | 55 ++++ ...ake-lock-before-applying-system-load.patch | 102 +++++++ ...02-include-linux-gpio-consumer.h-to-.patch | 49 +++ ...re-some-errors-during-deregistration.patch | 76 +++++ ...ead_once-write_once-in-move_queued_t.patch | 115 +++++++ ...ialize-sd_sysctl_cpus-if-config_cpum.patch | 65 ++++ ...ix-percpu-data-types-in-struct-sd_da.patch | 81 +++++ ...e-gfp_atomic-with-gfp_kernel-in-scsi.patch | 114 +++++++ ...e-make-use-of-fip_mode-enum-complete.patch | 149 +++++++++ ...x-a-timeout-race-of-driver-internal-.patch | 61 ++++ ...s-set-phy-linkrate-when-disconnected.patch | 81 +++++ ...s-return-error-when-create-dma-pool-.patch | 79 +++++ ...ip-verifier-tests-for-unsupported-pr.patch | 71 +++++ ...ppress-readelf-stderr-when-probing-f.patch | 57 ++++ ...-warning-s-directive-output-may-be-t.patch | 61 ++++ ...eccomp-get_metadata-test-if-not-real.patch | 45 +++ ...t-override-context-on-context-mounts.patch | 100 +++++++ ...honor-the-port-number-from-devicetre.patch | 43 +++ queue-5.0/series | 245 +++++++++++++++ ...-imx-sgtl5000-add-missing-put_device.patch | 56 ++++ ...sbi-fix-error-handling-in-gsbi_probe.patch | 48 +++ ...-fix-illegal-free-of-io-base-address.patch | 108 +++++++ ...-iio-adt7316-fix-dac_bits-assignment.patch | 80 +++++ ...21-add-return-code-check-on-device_r.patch | 50 ++++ .../sysctl-handle-overflow-for-file-max.patch | 70 +++++ ...sts-add-map-lookup-to-test_map_in_ma.patch | 61 ++++ ...-lrt-to-feature_check_ldflags-libaio.patch | 48 +++ ...test-reallocarray.c-to-test-all.c-to.patch | 188 ++++++++++++ ...vent-fix-buffer-overflow-in-arg_eval.patch | 47 +++ .../tracing-kdb-fix-ftdump-to-not-sleep.patch | 143 +++++++++ ...-default-flip-buffer-limit-to-2-640k.patch | 51 ++++ ...b-the-legacy-usb-phy-by-phandle-firs.patch | 57 ++++ ...fix-otg-events-when-gadget-driver-is.patch | 46 +++ ...rash-due-to-out-of-scope-stack-ptr-a.patch | 101 +++++++ queue-5.0/veth-fix-wformat-truncation.patch | 51 ++++ ...v2-and-pwritev64v2-compat-syscalls-w.patch | 55 ++++ ...ll-pointer-in-_wil_cfg80211_merge_ex.patch | 68 +++++ ...y-leak-in-case-wl12xx_fetch_firmware.patch | 59 ++++ ...er-cpu-symbols-as-absolute-explicitl.patch | 80 +++++ ...y-elf_i386-linker-emulation-explicit.patch | 91 ++++++ ...ix-kernel-panic-when-kexec-on-hyperv.patch | 74 +++++ ...n-acpi_rsdp_addr-from-the-first-kern.patch | 76 +++++ ...t-destroy-context-while-dma-bufs-are.patch | 114 +++++++ ...-to-reject-invalid-flags-in-xsk_bind.patch | 53 ++++ 246 files changed, 21349 insertions(+) create mode 100644 queue-5.0/acpi-video-extend-chassis-type-detection-with-a-lunc.patch create mode 100644 queue-5.0/acpi-video-refactor-and-fix-dmi_is_desktop.patch create mode 100644 queue-5.0/alsa-dice-add-support-for-solid-state-logic-duende-c.patch create mode 100644 queue-5.0/alsa-pcm-check-if-ops-are-defined-before-suspending-.patch create mode 100644 queue-5.0/apparmor-fix-double-free-when-unpack-of-secmark-rule.patch create mode 100644 queue-5.0/appletalk-fix-compile-regression.patch create mode 100644 queue-5.0/arm-8830-1-nommu-toggle-only-bits-in-exc_return-we-a.patch create mode 100644 queue-5.0/arm-8833-1-ensure-that-neon-code-always-compiles-wit.patch create mode 100644 queue-5.0/arm-8840-1-use-a-raw_spinlock_t-in-unwind.patch create mode 100644 queue-5.0/arm-8845-1-use-unified-assembler-in-c-files.patch create mode 100644 queue-5.0/arm-avoid-cortex-a9-livelock-on-tight-dmb-loops.patch create mode 100644 queue-5.0/arm-dts-lpc32xx-remove-leading-0x-and-0s-from-bindin.patch create mode 100644 queue-5.0/arm-dts-meson8b-fix-the-ethernet-data-line-signals-i.patch create mode 100644 queue-5.0/arm-shmobile-fix-r-car-gen2-regulator-quirk.patch create mode 100644 queue-5.0/asoc-fsl-asoc-card-fix-object-reference-leaks-in-fsl.patch create mode 100644 queue-5.0/asoc-qcom-fix-of-node-refcount-unbalance-in-qcom_snd.patch create mode 100644 queue-5.0/asoc-simple-card-utils-check-reg-property-on-asoc_si.patch create mode 100644 queue-5.0/ath10k-don-t-report-unset-rssi-values-to-mac80211.patch create mode 100644 queue-5.0/ath10k-fix-shadow-register-implementation-for-wcn399.patch create mode 100644 queue-5.0/ath10k-fix-the-wrong-updation-of-bw-in-tx_stats-debu.patch create mode 100644 queue-5.0/audit-hand-taken-context-to-audit_kill_trees-for-sys.patch create mode 100644 queue-5.0/backlight-pwm_bl-use-gpiod_get_value_cansleep-to-get.patch create mode 100644 queue-5.0/bcache-fix-input-overflow-to-cache-set-sysfs-file-io.patch create mode 100644 queue-5.0/bcache-fix-input-overflow-to-sequential_cutoff.patch create mode 100644 queue-5.0/bcache-fix-potential-div-zero-error-of-writeback_rat.patch create mode 100644 queue-5.0/bcache-fix-potential-div-zero-error-of-writeback_rat.patch-17972 create mode 100644 queue-5.0/bcache-improve-sysfs_strtoul_clamp.patch create mode 100644 queue-5.0/block-bfq-fix-in-service-queue-check-for-queue-mergi.patch create mode 100644 queue-5.0/block-bfq-fix-queue-removal-from-weights-tree.patch create mode 100644 queue-5.0/bpf-fix-missing-prototype-warnings.patch create mode 100644 queue-5.0/bpf-test_maps-fix-possible-out-of-bound-access-warni.patch create mode 100644 queue-5.0/brcmfmac-use-firmware_request_nowarn-for-the-clm_blo.patch create mode 100644 queue-5.0/btrfs-don-t-enospc-all-tickets-on-flush-failure.patch create mode 100644 queue-5.0/btrfs-qgroup-make-qgroup-async-transaction-commit-mo.patch create mode 100644 queue-5.0/btrfs-save-drop_progress-if-we-drop-refs-at-all.patch create mode 100644 queue-5.0/cdrom-fix-race-condition-in-cdrom_sysctl_register.patch create mode 100644 queue-5.0/cgroup-pids-turn-cgroup_subsys-free-into-cgroup_subs.patch create mode 100644 queue-5.0/cgroup-rstat-don-t-flush-subtree-root-unless-necessa.patch create mode 100644 queue-5.0/cifs-accept-validate-negotiate-if-server-return-nt_s.patch create mode 100644 queue-5.0/cifs-fix-null-pointer-dereference-of-devname.patch create mode 100644 queue-5.0/cifs-fix-posix-lock-leak-and-invalid-ptr-deref.patch create mode 100644 queue-5.0/cifs-use-correct-format-characters.patch create mode 100644 queue-5.0/clk-fractional-divider-check-parent-rate-only-if-fla.patch create mode 100644 queue-5.0/clk-meson-clean-up-clock-registration.patch create mode 100644 queue-5.0/clk-rockchip-fix-frac-settings-of-gpll-clock-for-rk3.patch create mode 100644 queue-5.0/clk-ti-clkctrl-fix-clkdm_name-regression-for-ti_clk_.patch create mode 100644 queue-5.0/coresight-etm4x-add-support-to-enable-etmv4.2.patch create mode 100644 queue-5.0/cpu-hotplug-mute-hotplug-lockdep-during-init.patch create mode 100644 queue-5.0/cpufreq-acpi-cpufreq-report-if-cpu-doesn-t-support-b.patch create mode 100644 queue-5.0/crypto-cavium-zip-fix-collision-with-generic-cra_dri.patch create mode 100644 queue-5.0/crypto-crypto4xx-add-missing-of_node_put-after-of_de.patch create mode 100644 queue-5.0/dm-thin-add-sanity-checks-to-thin-pool-and-external-.patch create mode 100644 queue-5.0/dmaengine-imx-dma-fix-warning-comparison-of-distinct.patch create mode 100644 queue-5.0/dmaengine-qcom_hidma-assign-channel-cookie-correctly.patch create mode 100644 queue-5.0/dmaengine-qcom_hidma-initialize-tx-flags-in-hidma_pr.patch create mode 100644 queue-5.0/dmaengine-tegra-avoid-overflow-of-byte-tracking.patch create mode 100644 queue-5.0/docs-core-api-mm-fix-user-memory-accessors-formattin.patch create mode 100644 queue-5.0/drm-amd-display-clear-stream-mode_changed-after-comm.patch create mode 100644 queue-5.0/drm-amd-display-disconnect-mpcc-when-changing-tg.patch create mode 100644 queue-5.0/drm-amd-display-don-t-re-program-planes-for-dpms-cha.patch create mode 100644 queue-5.0/drm-amd-display-enable-vblank-interrupt-during-crc-c.patch create mode 100644 queue-5.0/drm-amd-display-fix-reference-counting-for-struct-dc.patch create mode 100644 queue-5.0/drm-auto-set-allow_fb_modifiers-when-given-modifiers.patch create mode 100644 queue-5.0/drm-dp-mst-configure-no_stop_bit-correctly-for-remot.patch create mode 100644 queue-5.0/drm-fb-helper-fix-leaks-in-error-path-of-drm_fb_help.patch create mode 100644 queue-5.0/drm-msm-dpu-convert-to-a-chained-irq-chip.patch create mode 100644 queue-5.0/drm-nouveau-stop-using-drm_crtc_force_disable.patch create mode 100644 queue-5.0/drm-rcar-du-add-missing-of_node_put.patch create mode 100644 queue-5.0/drm-reorder-set_property_atomic-to-avoid-returning-w.patch create mode 100644 queue-5.0/drm-sched-fix-entities-with-0-rqs.patch create mode 100644 queue-5.0/drm-vkms-bugfix-extra-vblank-frame.patch create mode 100644 queue-5.0/drm-vkms-bugfix-racing-hrtimer-vblank-handle.patch create mode 100644 queue-5.0/e1000e-exclude-device-from-suspend-direct-complete-o.patch create mode 100644 queue-5.0/e1000e-fix-cyclic-resets-at-link-up-with-active-tx.patch create mode 100644 queue-5.0/e1000e-fix-wformat-truncation-warnings.patch create mode 100644 queue-5.0/efi-arm-arm64-allow-setvirtualaddressmap-to-be-omitt.patch create mode 100644 queue-5.0/efi-cper-fix-possible-out-of-bounds-access.patch create mode 100644 queue-5.0/efi-fix-build-error-due-to-enum-collision-between-ef.patch create mode 100644 queue-5.0/efi-memattr-don-t-bail-on-zero-va-if-it-equals-the-r.patch create mode 100644 queue-5.0/enic-fix-build-warning-without-config_cpumask_offsta.patch create mode 100644 queue-5.0/ext4-fix-bigalloc-cluster-freeing-when-hole-punching.patch create mode 100644 queue-5.0/f2fs-do-not-use-mutex-lock-in-atomic-context.patch create mode 100644 queue-5.0/f2fs-fix-to-adapt-small-inline-xattr-space-in-__find.patch create mode 100644 queue-5.0/f2fs-fix-to-avoid-deadlock-in-f2fs_read_inline_dir.patch create mode 100644 queue-5.0/f2fs-fix-to-check-inline_xattr_size-boundary-correct.patch create mode 100644 queue-5.0/f2fs-fix-to-data-block-override-node-segment-by-mist.patch create mode 100644 queue-5.0/f2fs-fix-to-initialize-variable-to-avoid-ubsan-smatc.patch create mode 100644 queue-5.0/f2fs-ubsan-set-boolean-value-iostat_enable-correctly.patch create mode 100644 queue-5.0/fbdev-fbmem-fix-memory-access-if-logo-is-bigger-than.patch create mode 100644 queue-5.0/fs-file.c-initialize-init_files.resize_wait.patch create mode 100644 queue-5.0/fs-fix-guard_bio_eod-to-check-for-real-eod-errors.patch create mode 100644 queue-5.0/fs-make-splice-and-tee-take-into-account-o_nonblock-.patch create mode 100644 queue-5.0/genirq-avoid-summation-loops-for-proc-stat.patch create mode 100644 queue-5.0/gpio-gpio-omap-fix-level-interrupt-idling.patch create mode 100644 queue-5.0/gpio-of-apply-regulator-gpio-quirk-only-to-enable-gp.patch create mode 100644 queue-5.0/gpio-of-restrict-enable-gpio-quirk-to-regulator-gpio.patch create mode 100644 queue-5.0/h8300-use-cc-cross-prefix-instead-of-hardcoding-h830.patch create mode 100644 queue-5.0/hid-intel-ish-hid-avoid-binding-wrong-ishtp_cl_devic.patch create mode 100644 queue-5.0/hid-intel-ish-ipc-handle-pimr-before-ish_wakeup-also.patch create mode 100644 queue-5.0/hpet-fix-missing-character-in-the-__setup-code-of-hp.patch create mode 100644 queue-5.0/hwrng-virtio-avoid-repeated-init-of-completion.patch create mode 100644 queue-5.0/i2c-allow-recovery-of-the-initial-irq-by-an-i2c-clie.patch create mode 100644 queue-5.0/i2c-designware-do-not-allow-i2c_dw_xfer-calls-while-.patch create mode 100644 queue-5.0/i2c-of-try-to-find-an-i2c-adapter-matching-the-paren.patch create mode 100644 queue-5.0/ib-mlx4-increase-the-timeout-for-cm-cache.patch create mode 100644 queue-5.0/ice-fix-ice_remove_rule_internal-vsi_list-handling.patch create mode 100644 queue-5.0/iio-adc-fix-warning-in-qualcomm-pm8xxx-hk-xoadc-driv.patch create mode 100644 queue-5.0/include-linux-relay.h-fix-percpu-annotation-in-struc.patch create mode 100644 queue-5.0/input-soc_button_array-fix-mapping-of-the-5th-gpio-i.patch create mode 100644 queue-5.0/iommu-io-pgtable-arm-v7s-only-kmemleak_ignore-l2-tab.patch create mode 100644 queue-5.0/iommu-vt-d-disable-ats-support-on-untrusted-devices.patch create mode 100644 queue-5.0/iw_cxgb4-fix-srqidx-leak-during-connection-abort.patch create mode 100644 queue-5.0/iwlwifi-mvm-fix-rfh-config-command-with-10-cpus.patch create mode 100644 queue-5.0/iwlwifi-pcie-fix-emergency-path.patch create mode 100644 queue-5.0/jbd2-fix-invalid-descriptor-block-checksum.patch create mode 100644 queue-5.0/jbd2-fix-race-when-writing-superblock.patch create mode 100644 queue-5.0/kasan-fix-kasan_check_read-write-definitions.patch create mode 100644 queue-5.0/kbuild-invoke-syncconfig-if-include-config-auto.conf.patch create mode 100644 queue-5.0/kbuild-make-r-r-effective-in-top-makefile-for-old-ma.patch create mode 100644 queue-5.0/kprobes-prohibit-probing-on-bsearch.patch create mode 100644 queue-5.0/kprobes-prohibit-probing-on-rcu-debug-routine.patch create mode 100644 queue-5.0/leds-lp55xx-fix-null-deref-on-firmware-load-failure.patch create mode 100644 queue-5.0/libbpf-force-fixdep-compilation-at-the-start-of-the-.patch create mode 100644 queue-5.0/lockdep-lib-tests-fix-run_tests.sh.patch create mode 100644 queue-5.0/loop-set-genhd_fl_no_part_scan-after-blkdev_reread_p.patch create mode 100644 queue-5.0/media-mt9m111-set-initial-frame-size-other-than-0x0.patch create mode 100644 queue-5.0/media-mtk-jpeg-correct-return-type-for-mem2mem-buffe.patch create mode 100644 queue-5.0/media-mx2_emmaprp-correct-return-type-for-mem2mem-bu.patch create mode 100644 queue-5.0/media-ov7740-fix-runtime-pm-initialization.patch create mode 100644 queue-5.0/media-rcar-vin-allow-independent-vin-link-enablement.patch create mode 100644 queue-5.0/media-rockchip-rga-correct-return-type-for-mem2mem-b.patch create mode 100644 queue-5.0/media-rockchip-vpu-correct-return-type-for-mem2mem-b.patch create mode 100644 queue-5.0/media-s5p-g2d-correct-return-type-for-mem2mem-buffer.patch create mode 100644 queue-5.0/media-s5p-jpeg-check-for-fmt_ver_flag-when-doing-fmt.patch create mode 100644 queue-5.0/media-s5p-jpeg-correct-return-type-for-mem2mem-buffe.patch create mode 100644 queue-5.0/media-sh_veu-correct-return-type-for-mem2mem-buffer-.patch create mode 100644 queue-5.0/memcg-killed-threads-should-not-invoke-memcg-oom-kil.patch create mode 100644 queue-5.0/mlxsw-spectrum-avoid-wformat-truncation-warnings.patch create mode 100644 queue-5.0/mm-cma.c-cma_declare_contiguous-correct-err-handling.patch create mode 100644 queue-5.0/mm-mempolicy-fix-uninit-memory-access.patch create mode 100644 queue-5.0/mm-oom-don-t-kill-global-init-via-memory.oom.group.patch create mode 100644 queue-5.0/mm-page_ext.c-fix-an-imbalance-with-kmemleak.patch create mode 100644 queue-5.0/mm-resource-return-real-error-codes-from-walk-failur.patch create mode 100644 queue-5.0/mm-slab.c-kmemleak-no-scan-alien-caches.patch create mode 100644 queue-5.0/mm-sparse-fix-a-bad-comparison.patch create mode 100644 queue-5.0/mm-swap-bounds-check-swap_info-array-accesses-to-avo.patch create mode 100644 queue-5.0/mm-vmalloc.c-fix-kernel-bug-at-mm-vmalloc.c-512.patch create mode 100644 queue-5.0/mmc-omap-fix-the-maximum-timeout-setting.patch create mode 100644 queue-5.0/mt76-fix-a-leaked-reference-by-adding-a-missing-of_n.patch create mode 100644 queue-5.0/mt76-usb-do-not-run-mt76u_queues_deinit-twice.patch create mode 100644 queue-5.0/mt7601u-bump-supported-eeprom-version.patch create mode 100644 queue-5.0/mwifiex-don-t-advertise-ibss-features-without-fw-sup.patch create mode 100644 queue-5.0/net-dsa-mv88e6xxx-add-lockdep-classes-to-fix-false-p.patch create mode 100644 queue-5.0/net-dsa-mv88e6xxx-default-cmode-to-1000basex-only-on.patch create mode 100644 queue-5.0/net-hns3-fix-setting-of-the-hns-reset_type-for-rdma-.patch create mode 100644 queue-5.0/net-marvell-mvpp2-fix-stuck-in-band-sgmii-negotiatio.patch create mode 100644 queue-5.0/net-mlx5-avoid-panic-when-setting-vport-mac-getting-.patch create mode 100644 queue-5.0/net-mlx5-avoid-panic-when-setting-vport-rate.patch create mode 100644 queue-5.0/net-mlx5e-fix-access-to-non-existing-receive-queue.patch create mode 100644 queue-5.0/net-phy-consider-latched-link-down-status-in-polling.patch create mode 100644 queue-5.0/net-stmmac-avoid-one-more-sometimes-uninitialized-cl.patch create mode 100644 queue-5.0/net-stmmac-avoid-sometimes-uninitialized-clang-warni.patch create mode 100644 queue-5.0/netfilter-conntrack-fix-cloned-unconfirmed-skb-_nfct.patch create mode 100644 queue-5.0/netfilter-conntrack-tcp-only-close-if-rst-matches-ex.patch create mode 100644 queue-5.0/netfilter-nf_tables-check-the-result-of-dereferencin.patch create mode 100644 queue-5.0/netfilter-physdev-relax-br_netfilter-dependency.patch create mode 100644 queue-5.0/nvme-fc-fix-numa_node-when-dev-is-null.patch create mode 100644 queue-5.0/nvme-loop-init-nvmet_ctrl-fatal_err_work-when-alloca.patch create mode 100644 queue-5.0/ocfs2-fix-a-panic-problem-caused-by-o2cb_ctl.patch create mode 100644 queue-5.0/page_poison-play-nicely-with-kasan.patch create mode 100644 queue-5.0/pci-mediatek-fix-memory-mapped-io-range-size-computa.patch create mode 100644 queue-5.0/pci-pciehp-assign-ctrl-slot_ctrl-before-writing-it-t.patch create mode 100644 queue-5.0/pci-pme-fix-hotplug-sysfs-remove-deadlock-in-pcie_pm.patch create mode 100644 queue-5.0/perf-annotate-fix-getting-source-line-failure.patch create mode 100644 queue-5.0/perf-aux-make-perf_event-accessible-to-setup_aux.patch create mode 100644 queue-5.0/perf-beauty-msg_flags-add-missing-s-lost-when-adding.patch create mode 100644 queue-5.0/perf-beauty-waitid-options-fix-up-prefix-showing-log.patch create mode 100644 queue-5.0/perf-c2c-fix-c2c-report-for-empty-numa-node.patch create mode 100644 queue-5.0/perf-coresight-do-not-test-for-libopencsd-by-default.patch create mode 100644 queue-5.0/perf-report-add-s390-diagnosic-sampling-descriptor-s.patch create mode 100644 queue-5.0/perf-report-don-t-shadow-inlined-symbol-with-differe.patch create mode 100644 queue-5.0/perf-script-handle-missing-fields-with-f.patch create mode 100644 queue-5.0/perf-script-python-add-trace_context-extension-modul.patch create mode 100644 queue-5.0/perf-script-python-use-pybytes-for-attr-in-trace-eve.patch create mode 100644 queue-5.0/perf-test-fix-failure-of-evsel-tp-sched-test-on-s390.patch create mode 100644 queue-5.0/perf-trace-check-if-the-fd-is-negative-when-mapping-.patch create mode 100644 queue-5.0/perf-trace-fixup-etcsnoop-example.patch create mode 100644 queue-5.0/pinctrl-meson-fix-g12a-ao-pull-registers-base-addres.patch create mode 100644 queue-5.0/pinctrl-meson-meson8b-add-the-eth_rxd2-and-eth_rxd3-.patch create mode 100644 queue-5.0/pinctrl-sh-pfc-r8a77990-fix-mod_sel-bit-numbering.patch create mode 100644 queue-5.0/pinctrl-sh-pfc-r8a77995-fix-mod_sel-bit-numbering.patch create mode 100644 queue-5.0/platform-mellanox-mlxreg-hotplug-fix-kasan-warning.patch create mode 100644 queue-5.0/platform-x86-ideapad-laptop-fix-no_hw_rfkill_list-fo.patch create mode 100644 queue-5.0/platform-x86-intel-hid-missing-power-button-release-.patch create mode 100644 queue-5.0/platform-x86-intel_pmc_core-fix-pch-ip-sts-reading.patch create mode 100644 queue-5.0/powerpc-44x-force-pci-on-for-currituck.patch create mode 100644 queue-5.0/powerpc-64s-clear-on-stack-exception-marker-upon-exc.patch create mode 100644 queue-5.0/powerpc-hugetlb-handle-mmap_min_addr-correctly-in-ge.patch create mode 100644 queue-5.0/powerpc-powernv-ioda-fix-locked_vm-counting-for-memo.patch create mode 100644 queue-5.0/powerpc-pseries-perform-full-re-add-of-cpu-for-topol.patch create mode 100644 queue-5.0/powerpc-ptrace-mitigate-potential-spectre-v1.patch create mode 100644 queue-5.0/powerpc-xmon-fix-opcode-being-uninitialized-in-print.patch create mode 100644 queue-5.0/regulator-act8865-fix-act8600_sudcdc_voltage_ranges-.patch create mode 100644 queue-5.0/regulator-core-take-lock-before-applying-system-load.patch create mode 100644 queue-5.0/regulator-mcp16502-include-linux-gpio-consumer.h-to-.patch create mode 100644 queue-5.0/s390-ism-ignore-some-errors-during-deregistration.patch create mode 100644 queue-5.0/sched-core-use-read_once-write_once-in-move_queued_t.patch create mode 100644 queue-5.0/sched-debug-initialize-sd_sysctl_cpus-if-config_cpum.patch create mode 100644 queue-5.0/sched-topology-fix-percpu-data-types-in-struct-sd_da.patch create mode 100644 queue-5.0/scsi-core-replace-gfp_atomic-with-gfp_kernel-in-scsi.patch create mode 100644 queue-5.0/scsi-fcoe-make-use-of-fip_mode-enum-complete.patch create mode 100644 queue-5.0/scsi-hisi_sas-fix-a-timeout-race-of-driver-internal-.patch create mode 100644 queue-5.0/scsi-hisi_sas-set-phy-linkrate-when-disconnected.patch create mode 100644 queue-5.0/scsi-megaraid_sas-return-error-when-create-dma-pool-.patch create mode 100644 queue-5.0/selftests-bpf-skip-verifier-tests-for-unsupported-pr.patch create mode 100644 queue-5.0/selftests-bpf-suppress-readelf-stderr-when-probing-f.patch create mode 100644 queue-5.0/selftests-ir-fix-warning-s-directive-output-may-be-t.patch create mode 100644 queue-5.0/selftests-skip-seccomp-get_metadata-test-if-not-real.patch create mode 100644 queue-5.0/selinux-do-not-override-context-on-context-mounts.patch create mode 100644 queue-5.0/serial-8250_pxa-honor-the-port-number-from-devicetre.patch create mode 100644 queue-5.0/soc-imx-sgtl5000-add-missing-put_device.patch create mode 100644 queue-5.0/soc-qcom-gsbi-fix-error-handling-in-gsbi_probe.patch create mode 100644 queue-5.0/soc-tegra-fuse-fix-illegal-free-of-io-base-address.patch create mode 100644 queue-5.0/staging-iio-adt7316-fix-dac_bits-assignment.patch create mode 100644 queue-5.0/staging-spi-mt7621-add-return-code-check-on-device_r.patch create mode 100644 queue-5.0/sysctl-handle-overflow-for-file-max.patch create mode 100644 queue-5.0/tools-bpf-selftests-add-map-lookup-to-test_map_in_ma.patch create mode 100644 queue-5.0/tools-build-add-lrt-to-feature_check_ldflags-libaio.patch create mode 100644 queue-5.0/tools-build-add-test-reallocarray.c-to-test-all.c-to.patch create mode 100644 queue-5.0/tools-lib-traceevent-fix-buffer-overflow-in-arg_eval.patch create mode 100644 queue-5.0/tracing-kdb-fix-ftdump-to-not-sleep.patch create mode 100644 queue-5.0/tty-increase-the-default-flip-buffer-limit-to-2-640k.patch create mode 100644 queue-5.0/usb-chipidea-grab-the-legacy-usb-phy-by-phandle-firs.patch create mode 100644 queue-5.0/usb-dwc3-gadget-fix-otg-events-when-gadget-driver-is.patch create mode 100644 queue-5.0/usb-f_fs-avoid-crash-due-to-out-of-scope-stack-ptr-a.patch create mode 100644 queue-5.0/veth-fix-wformat-truncation.patch create mode 100644 queue-5.0/vfs-fix-preadv64v2-and-pwritev64v2-compat-syscalls-w.patch create mode 100644 queue-5.0/wil6210-check-null-pointer-in-_wil_cfg80211_merge_ex.patch create mode 100644 queue-5.0/wlcore-fix-memory-leak-in-case-wl12xx_fetch_firmware.patch create mode 100644 queue-5.0/x86-build-mark-per-cpu-symbols-as-absolute-explicitl.patch create mode 100644 queue-5.0/x86-build-specify-elf_i386-linker-emulation-explicit.patch create mode 100644 queue-5.0/x86-hyperv-fix-kernel-panic-when-kexec-on-hyperv.patch create mode 100644 queue-5.0/x86-kexec-fill-in-acpi_rsdp_addr-from-the-first-kern.patch create mode 100644 queue-5.0/xen-gntdev-do-not-destroy-context-while-dma-bufs-are.patch create mode 100644 queue-5.0/xsk-fix-to-reject-invalid-flags-in-xsk_bind.patch diff --git a/queue-5.0/acpi-video-extend-chassis-type-detection-with-a-lunc.patch b/queue-5.0/acpi-video-extend-chassis-type-detection-with-a-lunc.patch new file mode 100644 index 00000000000..6e8934aa158 --- /dev/null +++ b/queue-5.0/acpi-video-extend-chassis-type-detection-with-a-lunc.patch @@ -0,0 +1,47 @@ +From de0b9f3919942fd80e46d99dd08aa21e06c931ac Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Mon, 7 Jan 2019 17:08:21 +0100 +Subject: ACPI / video: Extend chassis-type detection with a "Lunch Box" check + +[ Upstream commit d693c008e3ca04db5916ff72e68ce661888a913b ] + +Commit 53fa1f6e8a59 ("ACPI / video: Only default only_lcd to true on +Win8-ready _desktops_") introduced chassis type detection, limiting the +lcd_only check for the backlight to devices where the chassis-type +indicates their is no builtin LCD panel. + +The purpose of the lcd_only check is to avoid advertising a backlight +interface on desktops, since skylake and newer machines seem to always +have a backlight interface even if there is no LCD panel. The limiting +of this check to desktops only was done to avoid breaking backlight +support on some laptops which do not have the lcd flag set. + +The Fujitsu ESPRIMO Q910 which is a compact (NUC like) desktop machine +has a chassis type of 0x10 aka "Lunch Box". Without the lcd_only check +we end up falsely advertising backlight/brightness control on this +device. This commit extend the dmi_is_desktop check to return true +for type 0x10 to fix this. + +Fixes: 53fa1f6e8a59 ("ACPI / video: Only default only_lcd to true ...") +Signed-off-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpi_video.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/acpi/acpi_video.c b/drivers/acpi/acpi_video.c +index 1ab1460c4a4e..d73afb562ad9 100644 +--- a/drivers/acpi/acpi_video.c ++++ b/drivers/acpi/acpi_video.c +@@ -2143,6 +2143,7 @@ static bool dmi_is_desktop(void) + case 0x05: /* Pizza Box */ + case 0x06: /* Mini Tower */ + case 0x07: /* Tower */ ++ case 0x10: /* Lunch Box */ + case 0x11: /* Main Server Chassis */ + return true; + } +-- +2.19.1 + diff --git a/queue-5.0/acpi-video-refactor-and-fix-dmi_is_desktop.patch b/queue-5.0/acpi-video-refactor-and-fix-dmi_is_desktop.patch new file mode 100644 index 00000000000..05d4818fd21 --- /dev/null +++ b/queue-5.0/acpi-video-refactor-and-fix-dmi_is_desktop.patch @@ -0,0 +1,72 @@ +From 2c4b51b8a7c075f5e60b5e1395898062f5136502 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Mon, 7 Jan 2019 17:08:20 +0100 +Subject: ACPI / video: Refactor and fix dmi_is_desktop() + +[ Upstream commit cecf3e3e0803462335e25d083345682518097334 ] + +This commit refactors the chassis-type detection introduced by +commit 53fa1f6e8a59 ("ACPI / video: Only default only_lcd to true on +Win8-ready _desktops_") (where desktop means anything without a builtin +screen). + +The DMI chassis_type is an unsigned integer, so rather then doing a +whole bunch of string-compares on it, convert it to an int and feed +the result to a switch case. + +Note the switch case uses hex values, this is done because the spec +uses hex values too. This changes the check for "Main Server Chassis" +from checking for 11 decimal to 11 hexadecimal, this is a bug fix, +the original check for 11 decimal was wrong. + +Fixes: 53fa1f6e8a59 ("ACPI / video: Only default only_lcd to true ...") +Signed-off-by: Hans de Goede +[ rjw: Drop redundant return statements ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpi_video.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +diff --git a/drivers/acpi/acpi_video.c b/drivers/acpi/acpi_video.c +index f0b52266b3ac..1ab1460c4a4e 100644 +--- a/drivers/acpi/acpi_video.c ++++ b/drivers/acpi/acpi_video.c +@@ -2124,21 +2124,28 @@ static int __init intel_opregion_present(void) + return opregion; + } + ++/* Check if the chassis-type indicates there is no builtin LCD panel */ + static bool dmi_is_desktop(void) + { + const char *chassis_type; ++ unsigned long type; + + chassis_type = dmi_get_system_info(DMI_CHASSIS_TYPE); + if (!chassis_type) + return false; + +- if (!strcmp(chassis_type, "3") || /* 3: Desktop */ +- !strcmp(chassis_type, "4") || /* 4: Low Profile Desktop */ +- !strcmp(chassis_type, "5") || /* 5: Pizza Box */ +- !strcmp(chassis_type, "6") || /* 6: Mini Tower */ +- !strcmp(chassis_type, "7") || /* 7: Tower */ +- !strcmp(chassis_type, "11")) /* 11: Main Server Chassis */ ++ if (kstrtoul(chassis_type, 10, &type) != 0) ++ return false; ++ ++ switch (type) { ++ case 0x03: /* Desktop */ ++ case 0x04: /* Low Profile Desktop */ ++ case 0x05: /* Pizza Box */ ++ case 0x06: /* Mini Tower */ ++ case 0x07: /* Tower */ ++ case 0x11: /* Main Server Chassis */ + return true; ++ } + + return false; + } +-- +2.19.1 + diff --git a/queue-5.0/alsa-dice-add-support-for-solid-state-logic-duende-c.patch b/queue-5.0/alsa-dice-add-support-for-solid-state-logic-duende-c.patch new file mode 100644 index 00000000000..7c13cca2465 --- /dev/null +++ b/queue-5.0/alsa-dice-add-support-for-solid-state-logic-duende-c.patch @@ -0,0 +1,109 @@ +From 29f98f381d9af5bf44f825b624699cbc20f3fbe0 Mon Sep 17 00:00:00 2001 +From: Takashi Sakamoto +Date: Mon, 28 Jan 2019 20:40:58 +0900 +Subject: ALSA: dice: add support for Solid State Logic Duende Classic/Mini + +[ Upstream commit b2e9e1c8810ee05c95f4d55800b8afae70ab01b4 ] + +Duende Classic was produced by Solid State Logic in 2006, as a +first model of Duende DSP series. The following model, Duende Mini +was produced in 2008. They are designed to receive isochronous +packets for PCM frames via IEEE 1394 bus, perform signal processing by +downloaded program, then transfer isochronous packets for converted +PCM frames. + +These two models includes the same embedded board, consists of several +ICs below: + - Texus Instruments Inc, TSB41AB3 for physical layer of IEEE 1394 bus + - WaveFront semiconductor, DICE II STD ASIC for link/protocol layer + - Altera MAX 3000A CPLD for programs + - Analog devices, SHARC ADSP-21363 for signal processing (4 chips) + +This commit adds support for the two models to ALSA dice driver. Like +support for the other devices, packet streaming is just available. +Userspace applications should be developed if full features became +available; e.g. program uploader and parameter controller. + +$ ./hinawa-config-rom-printer /dev/fw1 +{ 'bus-info': { 'adj': False, + 'bmc': False, + 'chip_ID': 349771402425, + 'cmc': True, + 'cyc_clk_acc': 255, + 'generation': 1, + 'imc': True, + 'isc': True, + 'link_spd': 2, + 'max_ROM': 1, + 'max_rec': 512, + 'name': '1394', + 'node_vendor_ID': 20674, + 'pmc': False}, + 'root-directory': [ ['VENDOR', 20674], + ['DESCRIPTOR', 'Solid State Logic'], + ['MODEL', 112], + ['DESCRIPTOR', 'Duende board'], + [ 'NODE_CAPABILITIES', + { 'addressing': {'64': True, 'fix': True, 'prv': True}, + 'misc': {'int': False, 'ms': False, 'spt': True}, + 'state': { 'atn': False, + 'ded': False, + 'drq': True, + 'elo': False, + 'init': False, + 'lst': True, + 'off': False}, + 'testing': {'bas': False, 'ext': False}}], + [ 'UNIT', + [ ['SPECIFIER_ID', 20674], + ['VERSION', 1], + ['MODEL', 112], + ['DESCRIPTOR', 'Duende board']]]]} + +Signed-off-by: Takashi Sakamoto +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/firewire/dice/dice.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/sound/firewire/dice/dice.c b/sound/firewire/dice/dice.c +index ed50b222d36e..eee184b05d93 100644 +--- a/sound/firewire/dice/dice.c ++++ b/sound/firewire/dice/dice.c +@@ -18,6 +18,7 @@ MODULE_LICENSE("GPL v2"); + #define OUI_ALESIS 0x000595 + #define OUI_MAUDIO 0x000d6c + #define OUI_MYTEK 0x001ee8 ++#define OUI_SSL 0x0050c2 // Actually ID reserved by IEEE. + + #define DICE_CATEGORY_ID 0x04 + #define WEISS_CATEGORY_ID 0x00 +@@ -196,7 +197,7 @@ static int dice_probe(struct fw_unit *unit, + struct snd_dice *dice; + int err; + +- if (!entry->driver_data) { ++ if (!entry->driver_data && entry->vendor_id != OUI_SSL) { + err = check_dice_category(unit); + if (err < 0) + return -ENODEV; +@@ -361,6 +362,15 @@ static const struct ieee1394_device_id dice_id_table[] = { + .model_id = 0x000002, + .driver_data = (kernel_ulong_t)snd_dice_detect_mytek_formats, + }, ++ // Solid State Logic, Duende Classic and Mini. ++ // NOTE: each field of GUID in config ROM is not compliant to standard ++ // DICE scheme. ++ { ++ .match_flags = IEEE1394_MATCH_VENDOR_ID | ++ IEEE1394_MATCH_MODEL_ID, ++ .vendor_id = OUI_SSL, ++ .model_id = 0x000070, ++ }, + { + .match_flags = IEEE1394_MATCH_VERSION, + .version = DICE_INTERFACE, +-- +2.19.1 + diff --git a/queue-5.0/alsa-pcm-check-if-ops-are-defined-before-suspending-.patch b/queue-5.0/alsa-pcm-check-if-ops-are-defined-before-suspending-.patch new file mode 100644 index 00000000000..9a804b8bb22 --- /dev/null +++ b/queue-5.0/alsa-pcm-check-if-ops-are-defined-before-suspending-.patch @@ -0,0 +1,49 @@ +From 246a0b2de8cf78d82e79c537614ad609d85b1b08 Mon Sep 17 00:00:00 2001 +From: Ranjani Sridharan +Date: Fri, 8 Feb 2019 17:29:53 -0600 +Subject: ALSA: PCM: check if ops are defined before suspending PCM + +[ Upstream commit d9c0b2afe820fa3b3f8258a659daee2cc71ca3ef ] + +BE dai links only have internal PCM's and their substream ops may +not be set. Suspending these PCM's will result in their + ops->trigger() being invoked and cause a kernel oops. +So skip suspending PCM's if their ops are NULL. + +[ NOTE: this change is required now for following the recent PCM core + change to get rid of snd_pcm_suspend() call. Since DPCM BE takes + the runtime carried from FE while keeping NULL ops, it can hit this + bug. See details at: + https://github.com/thesofproject/linux/pull/582 + -- tiwai ] + +Signed-off-by: Ranjani Sridharan +Signed-off-by: Pierre-Louis Bossart +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/pcm_native.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c +index b67f6fe08a1b..e08c6c6ca029 100644 +--- a/sound/core/pcm_native.c ++++ b/sound/core/pcm_native.c +@@ -1513,6 +1513,14 @@ int snd_pcm_suspend_all(struct snd_pcm *pcm) + /* FIXME: the open/close code should lock this as well */ + if (substream->runtime == NULL) + continue; ++ ++ /* ++ * Skip BE dai link PCM's that are internal and may ++ * not have their substream ops set. ++ */ ++ if (!substream->ops) ++ continue; ++ + err = snd_pcm_suspend(substream); + if (err < 0 && err != -EBUSY) + return err; +-- +2.19.1 + diff --git a/queue-5.0/apparmor-fix-double-free-when-unpack-of-secmark-rule.patch b/queue-5.0/apparmor-fix-double-free-when-unpack-of-secmark-rule.patch new file mode 100644 index 00000000000..157a746b09f --- /dev/null +++ b/queue-5.0/apparmor-fix-double-free-when-unpack-of-secmark-rule.patch @@ -0,0 +1,70 @@ +From 8be07f50cf696fa4cc0acbc1e425be29823214c5 Mon Sep 17 00:00:00 2001 +From: John Johansen +Date: Tue, 12 Feb 2019 03:35:40 -0800 +Subject: apparmor: fix double free when unpack of secmark rules fails + +[ Upstream commit d8dbb581d4f86a2ac669c056fc71a28ebeb367f4 ] + +if secmark rules fail to unpack a double free happens resulting in +the following oops + +[ 1295.584074] audit: type=1400 audit(1549970525.256:51): apparmor="STATUS" info="failed to unpack profile secmark rules" error=-71 profile="unconfined" name="/root/test" pid=29882 comm="apparmor_parser" name="/root/test" offset=120 +[ 1374.042334] ------------[ cut here ]------------ +[ 1374.042336] kernel BUG at mm/slub.c:294! +[ 1374.042404] invalid opcode: 0000 [#1] SMP PTI +[ 1374.042436] CPU: 0 PID: 29921 Comm: apparmor_parser Not tainted 4.20.7-042007-generic #201902061234 +[ 1374.042461] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 +[ 1374.042489] RIP: 0010:kfree+0x164/0x180 +[ 1374.042502] Code: 74 05 41 0f b6 72 51 4c 89 d7 e8 37 cd f8 ff eb 8b 41 b8 01 00 00 00 48 89 d9 48 89 da 4c 89 d6 e8 11 f6 ff ff e9 72 ff ff ff <0f> 0b 49 8b 42 08 a8 01 75 c2 0f 0b 48 8b 3d a9 f4 19 01 e9 c5 fe +[ 1374.042552] RSP: 0018:ffffaf7b812d7b90 EFLAGS: 00010246 +[ 1374.042568] RAX: ffff91e437679200 RBX: ffff91e437679200 RCX: ffff91e437679200 +[ 1374.042589] RDX: 00000000000088b6 RSI: ffff91e43da27060 RDI: ffff91e43d401a80 +[ 1374.042609] RBP: ffffaf7b812d7ba8 R08: 0000000000027080 R09: ffffffffa6627a6d +[ 1374.042629] R10: ffffd3af41dd9e40 R11: ffff91e43a1740dc R12: ffff91e3f52e8000 +[ 1374.042650] R13: ffffffffa6627a6d R14: ffffffffffffffb9 R15: 0000000000000001 +[ 1374.042675] FS: 00007f928df77740(0000) GS:ffff91e43da00000(0000) knlGS:0000000000000000 +[ 1374.042697] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 1374.042714] CR2: 000055a0c3ab6b50 CR3: 0000000079ed8004 CR4: 0000000000360ef0 +[ 1374.042737] Call Trace: +[ 1374.042750] kzfree+0x2d/0x40 +[ 1374.042763] aa_free_profile+0x12b/0x270 +[ 1374.042776] unpack_profile+0xc1/0xf10 +[ 1374.042790] aa_unpack+0x115/0x4e0 +[ 1374.042802] aa_replace_profiles+0x8e/0xcc0 +[ 1374.042817] ? kvmalloc_node+0x6d/0x80 +[ 1374.042831] ? __check_object_size+0x166/0x192 +[ 1374.042845] policy_update+0xcf/0x1b0 +[ 1374.042858] profile_load+0x7d/0xa0 +[ 1374.042871] __vfs_write+0x3a/0x190 +[ 1374.042883] ? apparmor_file_permission+0x1a/0x20 +[ 1374.042899] ? security_file_permission+0x31/0xc0 +[ 1374.042918] ? _cond_resched+0x19/0x30 +[ 1374.042931] vfs_write+0xab/0x1b0 +[ 1374.042963] ksys_write+0x55/0xc0 +[ 1374.043004] __x64_sys_write+0x1a/0x20 +[ 1374.043046] do_syscall_64+0x5a/0x110 +[ 1374.043087] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fixes: 9caafbe2b4cf ("apparmor: Parse secmark policy") +Reported-by: Alex Murray +Signed-off-by: John Johansen +Signed-off-by: Sasha Levin +--- + security/apparmor/policy_unpack.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c +index 379682e2a8d5..f6c2bcb2ab14 100644 +--- a/security/apparmor/policy_unpack.c ++++ b/security/apparmor/policy_unpack.c +@@ -579,6 +579,7 @@ fail: + kfree(profile->secmark[i].label); + kfree(profile->secmark); + profile->secmark_count = 0; ++ profile->secmark = NULL; + } + + e->pos = pos; +-- +2.19.1 + diff --git a/queue-5.0/appletalk-fix-compile-regression.patch b/queue-5.0/appletalk-fix-compile-regression.patch new file mode 100644 index 00000000000..bd321c940b2 --- /dev/null +++ b/queue-5.0/appletalk-fix-compile-regression.patch @@ -0,0 +1,69 @@ +From 17719956443d53f1510f7f63798bfac971821ae8 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Wed, 6 Mar 2019 11:52:36 +0100 +Subject: appletalk: Fix compile regression + +[ Upstream commit 27da0d2ef998e222a876c0cec72aa7829a626266 ] + +A bugfix just broke compilation of appletalk when CONFIG_SYSCTL +is disabled: + +In file included from net/appletalk/ddp.c:65: +net/appletalk/ddp.c: In function 'atalk_init': +include/linux/atalk.h:164:34: error: expected expression before 'do' + #define atalk_register_sysctl() do { } while(0) + ^~ +net/appletalk/ddp.c:1934:7: note: in expansion of macro 'atalk_register_sysctl' + rc = atalk_register_sysctl(); + +This is easier to avoid by using conventional inline functions +as stubs rather than macros. The header already has inline +functions for other purposes, so I'm changing over all the +macros for consistency. + +Fixes: 6377f787aeb9 ("appletalk: Fix use-after-free in atalk_proc_exit") +Signed-off-by: Arnd Bergmann +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/linux/atalk.h | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/include/linux/atalk.h b/include/linux/atalk.h +index 23f805562f4e..840cf92307ba 100644 +--- a/include/linux/atalk.h ++++ b/include/linux/atalk.h +@@ -161,16 +161,26 @@ extern int sysctl_aarp_resolve_time; + extern void atalk_register_sysctl(void); + extern void atalk_unregister_sysctl(void); + #else +-#define atalk_register_sysctl() do { } while(0) +-#define atalk_unregister_sysctl() do { } while(0) ++static inline int atalk_register_sysctl(void) ++{ ++ return 0; ++} ++static inline void atalk_unregister_sysctl(void) ++{ ++} + #endif + + #ifdef CONFIG_PROC_FS + extern int atalk_proc_init(void); + extern void atalk_proc_exit(void); + #else +-#define atalk_proc_init() ({ 0; }) +-#define atalk_proc_exit() do { } while(0) ++static inline int atalk_proc_init(void) ++{ ++ return 0; ++} ++static inline void atalk_proc_exit(void) ++{ ++} + #endif /* CONFIG_PROC_FS */ + + #endif /* __LINUX_ATALK_H__ */ +-- +2.19.1 + diff --git a/queue-5.0/arm-8830-1-nommu-toggle-only-bits-in-exc_return-we-a.patch b/queue-5.0/arm-8830-1-nommu-toggle-only-bits-in-exc_return-we-a.patch new file mode 100644 index 00000000000..41476d5465e --- /dev/null +++ b/queue-5.0/arm-8830-1-nommu-toggle-only-bits-in-exc_return-we-a.patch @@ -0,0 +1,98 @@ +From c28c13d7f10bc8ea64a64ed06b1f38c906469195 Mon Sep 17 00:00:00 2001 +From: Vladimir Murzin +Date: Fri, 25 Jan 2019 15:18:37 +0100 +Subject: ARM: 8830/1: NOMMU: Toggle only bits in EXC_RETURN we are really care + of + +[ Upstream commit 72cd4064fccaae15ab84d40d4be23667402df4ed ] + +ARMv8M introduces support for Security extension to M class, among +other things it affects exception handling, especially, encoding of +EXC_RETURN. + +The new bits have been added: + +Bit [6] Secure or Non-secure stack +Bit [5] Default callee register stacking +Bit [0] Exception Secure + +which conflicts with hard-coded value of EXC_RETURN: + +In fact, we only care of few bits: + +Bit [3] Mode (0 - Handler, 1 - Thread) +Bit [2] Stack pointer selection (0 - Main, 1 - Process) + +We can toggle only those bits and left other bits as they were on +exception entry. + +It is basically, what patch does - saves EXC_RETURN when we do +transition form Thread to Handler mode (it is first svc), so later +saved value is used instead of EXC_RET_THREADMODE_PROCESSSTACK. + +Signed-off-by: Vladimir Murzin +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/include/asm/v7m.h | 2 +- + arch/arm/kernel/entry-header.S | 3 ++- + arch/arm/kernel/entry-v7m.S | 4 ++++ + arch/arm/mm/proc-v7m.S | 3 +++ + 4 files changed, 10 insertions(+), 2 deletions(-) + +diff --git a/arch/arm/include/asm/v7m.h b/arch/arm/include/asm/v7m.h +index 187ccf6496ad..2cb00d15831b 100644 +--- a/arch/arm/include/asm/v7m.h ++++ b/arch/arm/include/asm/v7m.h +@@ -49,7 +49,7 @@ + * (0 -> msp; 1 -> psp). Bits [1:0] are fixed to 0b01. + */ + #define EXC_RET_STACK_MASK 0x00000004 +-#define EXC_RET_THREADMODE_PROCESSSTACK 0xfffffffd ++#define EXC_RET_THREADMODE_PROCESSSTACK (3 << 2) + + /* Cache related definitions */ + +diff --git a/arch/arm/kernel/entry-header.S b/arch/arm/kernel/entry-header.S +index 773424843d6e..62db1c9746cb 100644 +--- a/arch/arm/kernel/entry-header.S ++++ b/arch/arm/kernel/entry-header.S +@@ -127,7 +127,8 @@ + */ + .macro v7m_exception_slow_exit ret_r0 + cpsid i +- ldr lr, =EXC_RET_THREADMODE_PROCESSSTACK ++ ldr lr, =exc_ret ++ ldr lr, [lr] + + @ read original r12, sp, lr, pc and xPSR + add r12, sp, #S_IP +diff --git a/arch/arm/kernel/entry-v7m.S b/arch/arm/kernel/entry-v7m.S +index abcf47848525..19d2dcd6530d 100644 +--- a/arch/arm/kernel/entry-v7m.S ++++ b/arch/arm/kernel/entry-v7m.S +@@ -146,3 +146,7 @@ ENTRY(vector_table) + .rept CONFIG_CPU_V7M_NUM_IRQ + .long __irq_entry @ External Interrupts + .endr ++ .align 2 ++ .globl exc_ret ++exc_ret: ++ .space 4 +diff --git a/arch/arm/mm/proc-v7m.S b/arch/arm/mm/proc-v7m.S +index 47a5acc64433..92e84181933a 100644 +--- a/arch/arm/mm/proc-v7m.S ++++ b/arch/arm/mm/proc-v7m.S +@@ -139,6 +139,9 @@ __v7m_setup_cont: + cpsie i + svc #0 + 1: cpsid i ++ ldr r0, =exc_ret ++ orr lr, lr, #EXC_RET_THREADMODE_PROCESSSTACK ++ str lr, [r0] + ldmia sp, {r0-r3, r12} + str r5, [r12, #11 * 4] @ restore the original SVC vector entry + mov lr, r6 @ restore LR +-- +2.19.1 + diff --git a/queue-5.0/arm-8833-1-ensure-that-neon-code-always-compiles-wit.patch b/queue-5.0/arm-8833-1-ensure-that-neon-code-always-compiles-wit.patch new file mode 100644 index 00000000000..5c2876342a3 --- /dev/null +++ b/queue-5.0/arm-8833-1-ensure-that-neon-code-always-compiles-wit.patch @@ -0,0 +1,122 @@ +From 16d1c33a20bc6e13dc5787b09007e32008065bb8 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Sat, 2 Feb 2019 03:34:36 +0100 +Subject: ARM: 8833/1: Ensure that NEON code always compiles with Clang + +[ Upstream commit de9c0d49d85dc563549972edc5589d195cd5e859 ] + +While building arm32 allyesconfig, I ran into the following errors: + + arch/arm/lib/xor-neon.c:17:2: error: You should compile this file with + '-mfloat-abi=softfp -mfpu=neon' + + In file included from lib/raid6/neon1.c:27: + /home/nathan/cbl/prebuilt/lib/clang/8.0.0/include/arm_neon.h:28:2: + error: "NEON support not enabled" + +Building V=1 showed NEON_FLAGS getting passed along to Clang but +__ARM_NEON__ was not getting defined. Ultimately, it boils down to Clang +only defining __ARM_NEON__ when targeting armv7, rather than armv6k, +which is the '-march' value for allyesconfig. + +>From lib/Basic/Targets/ARM.cpp in the Clang source: + + // This only gets set when Neon instructions are actually available, unlike + // the VFP define, hence the soft float and arch check. This is subtly + // different from gcc, we follow the intent which was that it should be set + // when Neon instructions are actually available. + if ((FPU & NeonFPU) && !SoftFloat && ArchVersion >= 7) { + Builder.defineMacro("__ARM_NEON", "1"); + Builder.defineMacro("__ARM_NEON__"); + // current AArch32 NEON implementations do not support double-precision + // floating-point even when it is present in VFP. + Builder.defineMacro("__ARM_NEON_FP", + "0x" + Twine::utohexstr(HW_FP & ~HW_FP_DP)); + } + +Ard Biesheuvel recommended explicitly adding '-march=armv7-a' at the +beginning of the NEON_FLAGS definitions so that __ARM_NEON__ always gets +definined by Clang. This doesn't functionally change anything because +that code will only run where NEON is supported, which is implicitly +armv7. + +Link: https://github.com/ClangBuiltLinux/linux/issues/287 + +Suggested-by: Ard Biesheuvel +Signed-off-by: Nathan Chancellor +Acked-by: Nicolas Pitre +Reviewed-by: Nick Desaulniers +Reviewed-by: Stefan Agner +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + Documentation/arm/kernel_mode_neon.txt | 4 ++-- + arch/arm/lib/Makefile | 2 +- + arch/arm/lib/xor-neon.c | 2 +- + lib/raid6/Makefile | 2 +- + 4 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/Documentation/arm/kernel_mode_neon.txt b/Documentation/arm/kernel_mode_neon.txt +index 525452726d31..b9e060c5b61e 100644 +--- a/Documentation/arm/kernel_mode_neon.txt ++++ b/Documentation/arm/kernel_mode_neon.txt +@@ -6,7 +6,7 @@ TL;DR summary + * Use only NEON instructions, or VFP instructions that don't rely on support + code + * Isolate your NEON code in a separate compilation unit, and compile it with +- '-mfpu=neon -mfloat-abi=softfp' ++ '-march=armv7-a -mfpu=neon -mfloat-abi=softfp' + * Put kernel_neon_begin() and kernel_neon_end() calls around the calls into your + NEON code + * Don't sleep in your NEON code, and be aware that it will be executed with +@@ -87,7 +87,7 @@ instructions appearing in unexpected places if no special care is taken. + Therefore, the recommended and only supported way of using NEON/VFP in the + kernel is by adhering to the following rules: + * isolate the NEON code in a separate compilation unit and compile it with +- '-mfpu=neon -mfloat-abi=softfp'; ++ '-march=armv7-a -mfpu=neon -mfloat-abi=softfp'; + * issue the calls to kernel_neon_begin(), kernel_neon_end() as well as the calls + into the unit containing the NEON code from a compilation unit which is *not* + built with the GCC flag '-mfpu=neon' set. +diff --git a/arch/arm/lib/Makefile b/arch/arm/lib/Makefile +index ad25fd1872c7..0bff0176db2c 100644 +--- a/arch/arm/lib/Makefile ++++ b/arch/arm/lib/Makefile +@@ -39,7 +39,7 @@ $(obj)/csumpartialcopy.o: $(obj)/csumpartialcopygeneric.S + $(obj)/csumpartialcopyuser.o: $(obj)/csumpartialcopygeneric.S + + ifeq ($(CONFIG_KERNEL_MODE_NEON),y) +- NEON_FLAGS := -mfloat-abi=softfp -mfpu=neon ++ NEON_FLAGS := -march=armv7-a -mfloat-abi=softfp -mfpu=neon + CFLAGS_xor-neon.o += $(NEON_FLAGS) + obj-$(CONFIG_XOR_BLOCKS) += xor-neon.o + endif +diff --git a/arch/arm/lib/xor-neon.c b/arch/arm/lib/xor-neon.c +index 2c40aeab3eaa..c691b901092f 100644 +--- a/arch/arm/lib/xor-neon.c ++++ b/arch/arm/lib/xor-neon.c +@@ -14,7 +14,7 @@ + MODULE_LICENSE("GPL"); + + #ifndef __ARM_NEON__ +-#error You should compile this file with '-mfloat-abi=softfp -mfpu=neon' ++#error You should compile this file with '-march=armv7-a -mfloat-abi=softfp -mfpu=neon' + #endif + + /* +diff --git a/lib/raid6/Makefile b/lib/raid6/Makefile +index 4e90d443d1b0..e723eacf7868 100644 +--- a/lib/raid6/Makefile ++++ b/lib/raid6/Makefile +@@ -39,7 +39,7 @@ endif + ifeq ($(CONFIG_KERNEL_MODE_NEON),y) + NEON_FLAGS := -ffreestanding + ifeq ($(ARCH),arm) +-NEON_FLAGS += -mfloat-abi=softfp -mfpu=neon ++NEON_FLAGS += -march=armv7-a -mfloat-abi=softfp -mfpu=neon + endif + CFLAGS_recov_neon_inner.o += $(NEON_FLAGS) + ifeq ($(ARCH),arm64) +-- +2.19.1 + diff --git a/queue-5.0/arm-8840-1-use-a-raw_spinlock_t-in-unwind.patch b/queue-5.0/arm-8840-1-use-a-raw_spinlock_t-in-unwind.patch new file mode 100644 index 00000000000..4b38d8e989c --- /dev/null +++ b/queue-5.0/arm-8840-1-use-a-raw_spinlock_t-in-unwind.patch @@ -0,0 +1,92 @@ +From 43cb0d9473be8edb4885dae454a5b1f636000195 Mon Sep 17 00:00:00 2001 +From: Sebastian Andrzej Siewior +Date: Wed, 13 Feb 2019 17:14:42 +0100 +Subject: ARM: 8840/1: use a raw_spinlock_t in unwind + +[ Upstream commit 74ffe79ae538283bbf7c155e62339f1e5c87b55a ] + +Mostly unwind is done with irqs enabled however SLUB may call it with +irqs disabled while creating a new SLUB cache. + +I had system freeze while loading a module which called +kmem_cache_create() on init. That means SLUB's __slab_alloc() disabled +interrupts and then + +->new_slab_objects() + ->new_slab() + ->setup_object() + ->setup_object_debug() + ->init_tracking() + ->set_track() + ->save_stack_trace() + ->save_stack_trace_tsk() + ->walk_stackframe() + ->unwind_frame() + ->unwind_find_idx() + =>spin_lock_irqsave(&unwind_lock); + +Signed-off-by: Sebastian Andrzej Siewior +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/kernel/unwind.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/arch/arm/kernel/unwind.c b/arch/arm/kernel/unwind.c +index 0bee233fef9a..314cfb232a63 100644 +--- a/arch/arm/kernel/unwind.c ++++ b/arch/arm/kernel/unwind.c +@@ -93,7 +93,7 @@ extern const struct unwind_idx __start_unwind_idx[]; + static const struct unwind_idx *__origin_unwind_idx; + extern const struct unwind_idx __stop_unwind_idx[]; + +-static DEFINE_SPINLOCK(unwind_lock); ++static DEFINE_RAW_SPINLOCK(unwind_lock); + static LIST_HEAD(unwind_tables); + + /* Convert a prel31 symbol to an absolute address */ +@@ -201,7 +201,7 @@ static const struct unwind_idx *unwind_find_idx(unsigned long addr) + /* module unwind tables */ + struct unwind_table *table; + +- spin_lock_irqsave(&unwind_lock, flags); ++ raw_spin_lock_irqsave(&unwind_lock, flags); + list_for_each_entry(table, &unwind_tables, list) { + if (addr >= table->begin_addr && + addr < table->end_addr) { +@@ -213,7 +213,7 @@ static const struct unwind_idx *unwind_find_idx(unsigned long addr) + break; + } + } +- spin_unlock_irqrestore(&unwind_lock, flags); ++ raw_spin_unlock_irqrestore(&unwind_lock, flags); + } + + pr_debug("%s: idx = %p\n", __func__, idx); +@@ -529,9 +529,9 @@ struct unwind_table *unwind_table_add(unsigned long start, unsigned long size, + tab->begin_addr = text_addr; + tab->end_addr = text_addr + text_size; + +- spin_lock_irqsave(&unwind_lock, flags); ++ raw_spin_lock_irqsave(&unwind_lock, flags); + list_add_tail(&tab->list, &unwind_tables); +- spin_unlock_irqrestore(&unwind_lock, flags); ++ raw_spin_unlock_irqrestore(&unwind_lock, flags); + + return tab; + } +@@ -543,9 +543,9 @@ void unwind_table_del(struct unwind_table *tab) + if (!tab) + return; + +- spin_lock_irqsave(&unwind_lock, flags); ++ raw_spin_lock_irqsave(&unwind_lock, flags); + list_del(&tab->list); +- spin_unlock_irqrestore(&unwind_lock, flags); ++ raw_spin_unlock_irqrestore(&unwind_lock, flags); + + kfree(tab); + } +-- +2.19.1 + diff --git a/queue-5.0/arm-8845-1-use-unified-assembler-in-c-files.patch b/queue-5.0/arm-8845-1-use-unified-assembler-in-c-files.patch new file mode 100644 index 00000000000..92abcd6df3a --- /dev/null +++ b/queue-5.0/arm-8845-1-use-unified-assembler-in-c-files.patch @@ -0,0 +1,99 @@ +From 79957a77dbe636a706b6f4ea60f0a324ea6bba2c Mon Sep 17 00:00:00 2001 +From: Stefan Agner +Date: Mon, 18 Feb 2019 00:58:29 +0100 +Subject: ARM: 8845/1: use unified assembler in c files + +[ Upstream commit b7e8c9397cd4efe6567d2728f091f1b728025533 ] + +Use unified assembler syntax (UAL) in inline assembler. Divided +syntax is considered deprecated. This will also allow to build +the kernel using LLVM's integrated assembler. + +When compiling non-Thumb2 GCC always emits a ".syntax divided" +at the beginning of the inline assembly which makes the +assembler fail. Since GCC 5 there is the -masm-syntax-unified +GCC option which make GCC assume unified syntax asm and hence +emits ".syntax unified" even in ARM mode. However, the option +is broken since GCC version 6 (see GCC PR88648 [1]). Work +around by adding ".syntax unified" as part of the inline +assembly. + +[0] https://gcc.gnu.org/onlinedocs/gcc/ARM-Options.html#index-masm-syntax-unified +[1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88648 + +Signed-off-by: Stefan Agner +Acked-by: Nicolas Pitre +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/mm/copypage-v4mc.c | 3 ++- + arch/arm/mm/copypage-v4wb.c | 3 ++- + arch/arm/mm/copypage-v4wt.c | 3 ++- + 3 files changed, 6 insertions(+), 3 deletions(-) + +diff --git a/arch/arm/mm/copypage-v4mc.c b/arch/arm/mm/copypage-v4mc.c +index b03202cddddb..f74cdce6d4da 100644 +--- a/arch/arm/mm/copypage-v4mc.c ++++ b/arch/arm/mm/copypage-v4mc.c +@@ -45,6 +45,7 @@ static void mc_copy_user_page(void *from, void *to) + int tmp; + + asm volatile ("\ ++ .syntax unified\n\ + ldmia %0!, {r2, r3, ip, lr} @ 4\n\ + 1: mcr p15, 0, %1, c7, c6, 1 @ 1 invalidate D line\n\ + stmia %1!, {r2, r3, ip, lr} @ 4\n\ +@@ -56,7 +57,7 @@ static void mc_copy_user_page(void *from, void *to) + ldmia %0!, {r2, r3, ip, lr} @ 4\n\ + subs %2, %2, #1 @ 1\n\ + stmia %1!, {r2, r3, ip, lr} @ 4\n\ +- ldmneia %0!, {r2, r3, ip, lr} @ 4\n\ ++ ldmiane %0!, {r2, r3, ip, lr} @ 4\n\ + bne 1b @ " + : "+&r" (from), "+&r" (to), "=&r" (tmp) + : "2" (PAGE_SIZE / 64) +diff --git a/arch/arm/mm/copypage-v4wb.c b/arch/arm/mm/copypage-v4wb.c +index cd3e165afeed..6d336740aae4 100644 +--- a/arch/arm/mm/copypage-v4wb.c ++++ b/arch/arm/mm/copypage-v4wb.c +@@ -27,6 +27,7 @@ static void v4wb_copy_user_page(void *kto, const void *kfrom) + int tmp; + + asm volatile ("\ ++ .syntax unified\n\ + ldmia %1!, {r3, r4, ip, lr} @ 4\n\ + 1: mcr p15, 0, %0, c7, c6, 1 @ 1 invalidate D line\n\ + stmia %0!, {r3, r4, ip, lr} @ 4\n\ +@@ -38,7 +39,7 @@ static void v4wb_copy_user_page(void *kto, const void *kfrom) + ldmia %1!, {r3, r4, ip, lr} @ 4\n\ + subs %2, %2, #1 @ 1\n\ + stmia %0!, {r3, r4, ip, lr} @ 4\n\ +- ldmneia %1!, {r3, r4, ip, lr} @ 4\n\ ++ ldmiane %1!, {r3, r4, ip, lr} @ 4\n\ + bne 1b @ 1\n\ + mcr p15, 0, %1, c7, c10, 4 @ 1 drain WB" + : "+&r" (kto), "+&r" (kfrom), "=&r" (tmp) +diff --git a/arch/arm/mm/copypage-v4wt.c b/arch/arm/mm/copypage-v4wt.c +index 8614572e1296..3851bb396442 100644 +--- a/arch/arm/mm/copypage-v4wt.c ++++ b/arch/arm/mm/copypage-v4wt.c +@@ -25,6 +25,7 @@ static void v4wt_copy_user_page(void *kto, const void *kfrom) + int tmp; + + asm volatile ("\ ++ .syntax unified\n\ + ldmia %1!, {r3, r4, ip, lr} @ 4\n\ + 1: stmia %0!, {r3, r4, ip, lr} @ 4\n\ + ldmia %1!, {r3, r4, ip, lr} @ 4+1\n\ +@@ -34,7 +35,7 @@ static void v4wt_copy_user_page(void *kto, const void *kfrom) + ldmia %1!, {r3, r4, ip, lr} @ 4\n\ + subs %2, %2, #1 @ 1\n\ + stmia %0!, {r3, r4, ip, lr} @ 4\n\ +- ldmneia %1!, {r3, r4, ip, lr} @ 4\n\ ++ ldmiane %1!, {r3, r4, ip, lr} @ 4\n\ + bne 1b @ 1\n\ + mcr p15, 0, %2, c7, c7, 0 @ flush ID cache" + : "+&r" (kto), "+&r" (kfrom), "=&r" (tmp) +-- +2.19.1 + diff --git a/queue-5.0/arm-avoid-cortex-a9-livelock-on-tight-dmb-loops.patch b/queue-5.0/arm-avoid-cortex-a9-livelock-on-tight-dmb-loops.patch new file mode 100644 index 00000000000..bd4a76ee5e1 --- /dev/null +++ b/queue-5.0/arm-avoid-cortex-a9-livelock-on-tight-dmb-loops.patch @@ -0,0 +1,209 @@ +From 57d72d4ed1e8b7f7ecba1fc55d6a3777ecda2c1e Mon Sep 17 00:00:00 2001 +From: Russell King +Date: Tue, 10 Apr 2018 11:35:36 +0100 +Subject: ARM: avoid Cortex-A9 livelock on tight dmb loops + +[ Upstream commit 5388a5b82199facacd3d7ac0d05aca6e8f902fed ] + +machine_crash_nonpanic_core() does this: + + while (1) + cpu_relax(); + +because the kernel has crashed, and we have no known safe way to deal +with the CPU. So, we place the CPU into an infinite loop which we +expect it to never exit - at least not until the system as a whole is +reset by some method. + +In the absence of erratum 754327, this code assembles to: + + b . + +In other words, an infinite loop. When erratum 754327 is enabled, +this becomes: + +1: dmb + b 1b + +It has been observed that on some systems (eg, OMAP4) where, if a +crash is triggered, the system tries to kexec into the panic kernel, +but fails after taking the secondary CPU down - placing it into one +of these loops. This causes the system to livelock, and the most +noticable effect is the system stops after issuing: + + Loading crashdump kernel... + +to the system console. + +The tested as working solution I came up with was to add wfe() to +these infinite loops thusly: + + while (1) { + cpu_relax(); + wfe(); + } + +which, without 754327 builds to: + +1: wfe + b 1b + +or with 754327 is enabled: + +1: dmb + wfe + b 1b + +Adding "wfe" does two things depending on the environment we're running +under: +- where we're running on bare metal, and the processor implements + "wfe", it stops us spinning endlessly in a loop where we're never + going to do any useful work. +- if we're running in a VM, it allows the CPU to be given back to the + hypervisor and rescheduled for other purposes (maybe a different VM) + rather than wasting CPU cycles inside a crashed VM. + +However, in light of erratum 794072, Will Deacon wanted to see 10 nops +as well - which is reasonable to cover the case where we have erratum +754327 enabled _and_ we have a processor that doesn't implement the +wfe hint. + +So, we now end up with: + +1: wfe + b 1b + +when erratum 754327 is disabled, or: + +1: dmb + nop + nop + nop + nop + nop + nop + nop + nop + nop + nop + wfe + b 1b + +when erratum 754327 is enabled. We also get the dmb + 10 nop +sequence elsewhere in the kernel, in terminating loops. + +This is reasonable - it means we get the workaround for erratum +794072 when erratum 754327 is enabled, but still relinquish the dead +processor - either by placing it in a lower power mode when wfe is +implemented as such or by returning it to the hypervisior, or in the +case where wfe is a no-op, we use the workaround specified in erratum +794072 to avoid the problem. + +These as two entirely orthogonal problems - the 10 nops addresses +erratum 794072, and the wfe is an optimisation that makes the system +more efficient when crashed either in terms of power consumption or +by allowing the host/other VMs to make use of the CPU. + +I don't see any reason not to use kexec() inside a VM - it has the +potential to provide automated recovery from a failure of the VMs +kernel with the opportunity for saving a crashdump of the failure. +A panic() with a reboot timeout won't do that, and reading the +libvirt documentation, setting on_reboot to "preserve" won't either +(the documentation states "The preserve action for an on_reboot event +is treated as a destroy".) Surely it has to be a good thing to +avoiding having CPUs spinning inside a VM that is doing no useful +work. + +Acked-by: Will Deacon +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/include/asm/barrier.h | 2 ++ + arch/arm/include/asm/processor.h | 6 +++++- + arch/arm/kernel/machine_kexec.c | 5 ++++- + arch/arm/kernel/smp.c | 4 +++- + arch/arm/mach-omap2/prm_common.c | 4 +++- + 5 files changed, 17 insertions(+), 4 deletions(-) + +diff --git a/arch/arm/include/asm/barrier.h b/arch/arm/include/asm/barrier.h +index 69772e742a0a..83ae97c049d9 100644 +--- a/arch/arm/include/asm/barrier.h ++++ b/arch/arm/include/asm/barrier.h +@@ -11,6 +11,8 @@ + #define sev() __asm__ __volatile__ ("sev" : : : "memory") + #define wfe() __asm__ __volatile__ ("wfe" : : : "memory") + #define wfi() __asm__ __volatile__ ("wfi" : : : "memory") ++#else ++#define wfe() do { } while (0) + #endif + + #if __LINUX_ARM_ARCH__ >= 7 +diff --git a/arch/arm/include/asm/processor.h b/arch/arm/include/asm/processor.h +index 120f4c9bbfde..57fe73ea0f72 100644 +--- a/arch/arm/include/asm/processor.h ++++ b/arch/arm/include/asm/processor.h +@@ -89,7 +89,11 @@ extern void release_thread(struct task_struct *); + unsigned long get_wchan(struct task_struct *p); + + #if __LINUX_ARM_ARCH__ == 6 || defined(CONFIG_ARM_ERRATA_754327) +-#define cpu_relax() smp_mb() ++#define cpu_relax() \ ++ do { \ ++ smp_mb(); \ ++ __asm__ __volatile__("nop; nop; nop; nop; nop; nop; nop; nop; nop; nop;"); \ ++ } while (0) + #else + #define cpu_relax() barrier() + #endif +diff --git a/arch/arm/kernel/machine_kexec.c b/arch/arm/kernel/machine_kexec.c +index dd2eb5f76b9f..76300f3813e8 100644 +--- a/arch/arm/kernel/machine_kexec.c ++++ b/arch/arm/kernel/machine_kexec.c +@@ -91,8 +91,11 @@ void machine_crash_nonpanic_core(void *unused) + + set_cpu_online(smp_processor_id(), false); + atomic_dec(&waiting_for_crash_ipi); +- while (1) ++ ++ while (1) { + cpu_relax(); ++ wfe(); ++ } + } + + void crash_smp_send_stop(void) +diff --git a/arch/arm/kernel/smp.c b/arch/arm/kernel/smp.c +index 1d6f5ea522f4..a3ce7c5365fa 100644 +--- a/arch/arm/kernel/smp.c ++++ b/arch/arm/kernel/smp.c +@@ -604,8 +604,10 @@ static void ipi_cpu_stop(unsigned int cpu) + local_fiq_disable(); + local_irq_disable(); + +- while (1) ++ while (1) { + cpu_relax(); ++ wfe(); ++ } + } + + static DEFINE_PER_CPU(struct completion *, cpu_completion); +diff --git a/arch/arm/mach-omap2/prm_common.c b/arch/arm/mach-omap2/prm_common.c +index 058a37e6d11c..fd6e0671f957 100644 +--- a/arch/arm/mach-omap2/prm_common.c ++++ b/arch/arm/mach-omap2/prm_common.c +@@ -523,8 +523,10 @@ void omap_prm_reset_system(void) + + prm_ll_data->reset_system(); + +- while (1) ++ while (1) { + cpu_relax(); ++ wfe(); ++ } + } + + /** +-- +2.19.1 + diff --git a/queue-5.0/arm-dts-lpc32xx-remove-leading-0x-and-0s-from-bindin.patch b/queue-5.0/arm-dts-lpc32xx-remove-leading-0x-and-0s-from-bindin.patch new file mode 100644 index 00000000000..97faeb3fb84 --- /dev/null +++ b/queue-5.0/arm-dts-lpc32xx-remove-leading-0x-and-0s-from-bindin.patch @@ -0,0 +1,133 @@ +From 5bfd4de5872b5094cf4af1e6f6b25732377355ce Mon Sep 17 00:00:00 2001 +From: Mathieu Malaterre +Date: Fri, 15 Dec 2017 13:46:39 +0100 +Subject: ARM: dts: lpc32xx: Remove leading 0x and 0s from bindings notation + +[ Upstream commit 3e3380d0675d5e20b0af067d60cb947a4348bf9b ] + +Improve the DTS files by removing all the leading "0x" and zeros to fix +the following dtc warnings: + +Warning (unit_address_format): Node /XXX unit name should not have leading "0x" + +and + +Warning (unit_address_format): Node /XXX unit name should not have leading 0s + +Converted using the following command: + +find . -type f \( -iname *.dts -o -iname *.dtsi \) -exec sed -i -e "s/@\([0-9a-fA-FxX\.;:#]+\)\s*{/@\L\1 {/g" -e "s/@0x\(.*\) {/@\1 {/g" -e "s/@0+\(.*\) {/@\1 {/g" {} + + +For simplicity, two sed expressions were used to solve each warnings +separately. + +To make the regex expression more robust a few other issues were resolved, +namely setting unit-address to lower case, and adding a whitespace before +the opening curly brace: + +https://elinux.org/Device_Tree_Linux#Linux_conventions + +This will solve as a side effect warning: + +Warning (simple_bus_reg): Node /XXX@ simple-bus unit address format error, expected "" + +This is a follow up to commit 4c9847b7375a ("dt-bindings: Remove leading 0x from bindings notation") + +Reported-by: David Daney +Suggested-by: Rob Herring +Signed-off-by: Mathieu Malaterre +[vzapolskiy: fixed commit message to pass checkpatch.pl test] +Signed-off-by: Vladimir Zapolskiy +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/lpc32xx.dtsi | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/arch/arm/boot/dts/lpc32xx.dtsi b/arch/arm/boot/dts/lpc32xx.dtsi +index b7303a4e4236..ed0d6fb20122 100644 +--- a/arch/arm/boot/dts/lpc32xx.dtsi ++++ b/arch/arm/boot/dts/lpc32xx.dtsi +@@ -230,7 +230,7 @@ + status = "disabled"; + }; + +- i2s1: i2s@2009C000 { ++ i2s1: i2s@2009c000 { + compatible = "nxp,lpc3220-i2s"; + reg = <0x2009C000 0x1000>; + }; +@@ -273,7 +273,7 @@ + status = "disabled"; + }; + +- i2c1: i2c@400A0000 { ++ i2c1: i2c@400a0000 { + compatible = "nxp,pnx-i2c"; + reg = <0x400A0000 0x100>; + interrupt-parent = <&sic1>; +@@ -284,7 +284,7 @@ + clocks = <&clk LPC32XX_CLK_I2C1>; + }; + +- i2c2: i2c@400A8000 { ++ i2c2: i2c@400a8000 { + compatible = "nxp,pnx-i2c"; + reg = <0x400A8000 0x100>; + interrupt-parent = <&sic1>; +@@ -295,7 +295,7 @@ + clocks = <&clk LPC32XX_CLK_I2C2>; + }; + +- mpwm: mpwm@400E8000 { ++ mpwm: mpwm@400e8000 { + compatible = "nxp,lpc3220-motor-pwm"; + reg = <0x400E8000 0x78>; + status = "disabled"; +@@ -394,7 +394,7 @@ + #gpio-cells = <3>; /* bank, pin, flags */ + }; + +- timer4: timer@4002C000 { ++ timer4: timer@4002c000 { + compatible = "nxp,lpc3220-timer"; + reg = <0x4002C000 0x1000>; + interrupts = <3 IRQ_TYPE_LEVEL_LOW>; +@@ -412,7 +412,7 @@ + status = "disabled"; + }; + +- watchdog: watchdog@4003C000 { ++ watchdog: watchdog@4003c000 { + compatible = "nxp,pnx4008-wdt"; + reg = <0x4003C000 0x1000>; + clocks = <&clk LPC32XX_CLK_WDOG>; +@@ -451,7 +451,7 @@ + status = "disabled"; + }; + +- timer1: timer@4004C000 { ++ timer1: timer@4004c000 { + compatible = "nxp,lpc3220-timer"; + reg = <0x4004C000 0x1000>; + interrupts = <17 IRQ_TYPE_LEVEL_LOW>; +@@ -475,7 +475,7 @@ + status = "disabled"; + }; + +- pwm1: pwm@4005C000 { ++ pwm1: pwm@4005c000 { + compatible = "nxp,lpc3220-pwm"; + reg = <0x4005C000 0x4>; + clocks = <&clk LPC32XX_CLK_PWM1>; +@@ -484,7 +484,7 @@ + status = "disabled"; + }; + +- pwm2: pwm@4005C004 { ++ pwm2: pwm@4005c004 { + compatible = "nxp,lpc3220-pwm"; + reg = <0x4005C004 0x4>; + clocks = <&clk LPC32XX_CLK_PWM2>; +-- +2.19.1 + diff --git a/queue-5.0/arm-dts-meson8b-fix-the-ethernet-data-line-signals-i.patch b/queue-5.0/arm-dts-meson8b-fix-the-ethernet-data-line-signals-i.patch new file mode 100644 index 00000000000..0d1177e95a0 --- /dev/null +++ b/queue-5.0/arm-dts-meson8b-fix-the-ethernet-data-line-signals-i.patch @@ -0,0 +1,98 @@ +From 624324604d470a0139d977966ec8b60823123655 Mon Sep 17 00:00:00 2001 +From: Martin Blumenstingl +Date: Sat, 29 Dec 2018 15:35:56 +0100 +Subject: ARM: dts: meson8b: fix the Ethernet data line signals in + eth_rgmii_pins +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 29f0023d01f063feacfc404f0446905aee4f82ee ] + +According to the Odroid-C1+ schematics the Ethernet TXD1 signal is +routed to GPIOH_5 and the TXD0 signal is routed to GPIOH_6. +The public S805 datasheet shows that TXD0 can be routed to DIF_2_P and +TXD1 can be routed to DIF_2_N instead. + +The pin groups eth_txd0_0 (GPIOH_6) and eth_txd0_1 (DIF_2_P) are both +configured as Ethernet TXD0 and TXD1 data lines in meson8b.dtsi. At the +same time eth_txd1_0 (GPIOH_5) and eth_txd1_1 (DIF_2_N) are configured +as TXD0 and TXD1 data lines as well. +This results in a bad Ethernet receive performance. Presumably this is +due to the eth_txd0 and eth_txd1 signal being routed to the wrong pins. +As a result of that data can only be transmitted on eth_txd2 and +eth_txd3. However, I have no scope to fully confirm this assumption. + +The vendor u-boot sources for Odroid-C1 use the following Ethernet +pinmux configuration: + SET_CBUS_REG_MASK(PERIPHS_PIN_MUX_6, 0x3f4f); + SET_CBUS_REG_MASK(PERIPHS_PIN_MUX_7, 0xf00000); +This translates to the following pin groups in the mainline kernel: +- register 6 bit 0: eth_rxd1 (DIF_0_P) +- register 6 bit 1: eth_rxd0 (DIF_0_N) +- register 6 bit 2: eth_rx_dv (DIF_1_P) +- register 6 bit 3: eth_rx_clk (DIF_1_N) +- register 6 bit 6: eth_tx_en (DIF_3_P) +- register 6 bit 8: eth_ref_clk (DIF_3_N) +- register 6 bit 9: eth_mdc (DIF_4_P) +- register 6 bit 10: eth_mdio_en (DIF_4_N) +- register 6 bit 11: eth_tx_clk (GPIOH_9) +- register 6 bit 12: eth_txd2 (GPIOH_8) +- register 6 bit 13: eth_txd3 (GPIOH_7) +- register 7 bit 20: eth_txd0_0 (GPIOH_6) +- register 7 bit 21: eth_txd1_0 (GPIOH_5) +- register 7 bit 22: eth_rxd3 (DIF_2_P) +- register 7 bit 23: eth_rxd2 (DIF_2_N) + +Drop the eth_txd0_1 and eth_txd1_1 groups from eth_rgmii_pins to fix the +Ethernet transmit performance on Odroid-C1. Also add the eth_rxd2 and +eth_rxd3 groups so we don't rely on the bootloader to set them up. + +iperf3 statistics before this change: +- transmitting from Odroid-C1: 741 Mbits/sec (0 retries) +- receiving on Odroid-C1: 199 Mbits/sec (1713 retries) + +iperf3 statistics after this change: +- transmitting from Odroid-C1: 667 Mbits/sec (0 retries) +- receiving on Odroid-C1: 750 Mbits/sec (0 retries) + +Fixes: b96446541d8390 ("ARM: dts: meson8b: extend ethernet controller description") +Signed-off-by: Martin Blumenstingl +Cc: Emiliano Ingrassia +Cc: Linus Lüssing +Tested-by: Emiliano Ingrassia +Reviewed-by: Emiliano Ingrassia +Signed-off-by: Kevin Hilman +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/meson8b.dtsi | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/arm/boot/dts/meson8b.dtsi b/arch/arm/boot/dts/meson8b.dtsi +index 22d775460767..dc125769fe85 100644 +--- a/arch/arm/boot/dts/meson8b.dtsi ++++ b/arch/arm/boot/dts/meson8b.dtsi +@@ -270,9 +270,7 @@ + groups = "eth_tx_clk", + "eth_tx_en", + "eth_txd1_0", +- "eth_txd1_1", + "eth_txd0_0", +- "eth_txd0_1", + "eth_rx_clk", + "eth_rx_dv", + "eth_rxd1", +@@ -281,7 +279,9 @@ + "eth_mdc", + "eth_ref_clk", + "eth_txd2", +- "eth_txd3"; ++ "eth_txd3", ++ "eth_rxd3", ++ "eth_rxd2"; + function = "ethernet"; + bias-disable; + }; +-- +2.19.1 + diff --git a/queue-5.0/arm-shmobile-fix-r-car-gen2-regulator-quirk.patch b/queue-5.0/arm-shmobile-fix-r-car-gen2-regulator-quirk.patch new file mode 100644 index 00000000000..5191d107d0c --- /dev/null +++ b/queue-5.0/arm-shmobile-fix-r-car-gen2-regulator-quirk.patch @@ -0,0 +1,59 @@ +From 40931f84ae8f1ad2f143a46bfb927ea432009ca5 Mon Sep 17 00:00:00 2001 +From: Marek Vasut +Date: Fri, 7 Dec 2018 21:28:58 +0100 +Subject: ARM: shmobile: Fix R-Car Gen2 regulator quirk + +[ Upstream commit 5347a0203709d5039a74d7c94e23519eee478094 ] + +The quirk code currently detects all compatible I2C chips with a shared +IRQ line on all I2C busses, adds them into a list, and registers a bus +notifier. For every chip for which the bus notifier triggers, the quirk +code performs I2C transfer on that I2C bus for all addresses in the list. +The problem is that this may generate transfers to non-existing chips on +systems with multiple I2C busses. + +This patch adds a check to verify that the I2C bus to which the chip with +shared IRQ is attached to matches the I2C bus of the chip which triggered +the bus notifier and only starts the I2C transfer if they match. + +Signed-off-by: Marek Vasut +Tested-by: Nguyen Viet Dung +Signed-off-by: Simon Horman +Signed-off-by: Sasha Levin +--- + arch/arm/mach-shmobile/regulator-quirk-rcar-gen2.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/arch/arm/mach-shmobile/regulator-quirk-rcar-gen2.c b/arch/arm/mach-shmobile/regulator-quirk-rcar-gen2.c +index 8e50daa99151..dc526ef2e9b3 100644 +--- a/arch/arm/mach-shmobile/regulator-quirk-rcar-gen2.c ++++ b/arch/arm/mach-shmobile/regulator-quirk-rcar-gen2.c +@@ -40,6 +40,7 @@ + struct regulator_quirk { + struct list_head list; + const struct of_device_id *id; ++ struct device_node *np; + struct of_phandle_args irq_args; + struct i2c_msg i2c_msg; + bool shared; /* IRQ line is shared */ +@@ -101,6 +102,9 @@ static int regulator_quirk_notify(struct notifier_block *nb, + if (!pos->shared) + continue; + ++ if (pos->np->parent != client->dev.parent->of_node) ++ continue; ++ + dev_info(&client->dev, "clearing %s@0x%02x interrupts\n", + pos->id->compatible, pos->i2c_msg.addr); + +@@ -165,6 +169,7 @@ static int __init rcar_gen2_regulator_quirk(void) + memcpy(&quirk->i2c_msg, id->data, sizeof(quirk->i2c_msg)); + + quirk->id = id; ++ quirk->np = np; + quirk->i2c_msg.addr = addr; + + ret = of_irq_parse_one(np, 0, argsa); +-- +2.19.1 + diff --git a/queue-5.0/asoc-fsl-asoc-card-fix-object-reference-leaks-in-fsl.patch b/queue-5.0/asoc-fsl-asoc-card-fix-object-reference-leaks-in-fsl.patch new file mode 100644 index 00000000000..d9d3f0cd6a1 --- /dev/null +++ b/queue-5.0/asoc-fsl-asoc-card-fix-object-reference-leaks-in-fsl.patch @@ -0,0 +1,44 @@ +From bd9a8a4ded356f4052387792c0b551e3218f4ba9 Mon Sep 17 00:00:00 2001 +From: wen yang +Date: Sat, 2 Feb 2019 14:53:16 +0000 +Subject: ASoC: fsl-asoc-card: fix object reference leaks in + fsl_asoc_card_probe + +[ Upstream commit 11907e9d3533648615db08140e3045b829d2c141 ] + +The of_find_device_by_node() takes a reference to the underlying device +structure, we should release that reference. + +Signed-off-by: Wen Yang +Cc: Timur Tabi +Cc: Nicolin Chen +Cc: Xiubo Li +Cc: Fabio Estevam +Cc: Liam Girdwood +Cc: Mark Brown +Cc: Jaroslav Kysela +Cc: Takashi Iwai +Cc: alsa-devel@alsa-project.org +Cc: linuxppc-dev@lists.ozlabs.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/fsl/fsl-asoc-card.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/soc/fsl/fsl-asoc-card.c b/sound/soc/fsl/fsl-asoc-card.c +index 81f2fe2c6d23..60f87a0d99f4 100644 +--- a/sound/soc/fsl/fsl-asoc-card.c ++++ b/sound/soc/fsl/fsl-asoc-card.c +@@ -689,6 +689,7 @@ static int fsl_asoc_card_probe(struct platform_device *pdev) + asrc_fail: + of_node_put(asrc_np); + of_node_put(codec_np); ++ put_device(&cpu_pdev->dev); + fail: + of_node_put(cpu_np); + +-- +2.19.1 + diff --git a/queue-5.0/asoc-qcom-fix-of-node-refcount-unbalance-in-qcom_snd.patch b/queue-5.0/asoc-qcom-fix-of-node-refcount-unbalance-in-qcom_snd.patch new file mode 100644 index 00000000000..779a05723b3 --- /dev/null +++ b/queue-5.0/asoc-qcom-fix-of-node-refcount-unbalance-in-qcom_snd.patch @@ -0,0 +1,74 @@ +From da2136adf409aa1b49f7420672507e0607ad2bc3 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 19 Feb 2019 16:46:51 +0100 +Subject: ASoC: qcom: Fix of-node refcount unbalance in qcom_snd_parse_of() + +[ Upstream commit 70b773219a32c7b8f3e53e041bc023ad99fd81f4 ] + +Although qcom_snd_parse_of() tries to manage the of-node refcount, +there are still a few places that lead to the unblanced refcount in +the error code path. Namely, + +- for_each_child_of_node() needs to unreference the iterator node if + aborting the loop in the middle, +- cpu, codec and platform node objects have to be unreferenced at each + iteration, +- platform and codec node objects have to be referred before jumping + to the error handling code that unreference them unconditionally. + +This patch tries to address these by moving the assignment of platform +and codec node objects to the beginning of the loop and adding the +of_node_put() calls adequately. + +Fixes: c25e295cd77b ("ASoC: qcom: Add support to parse common audio device nodes") +Cc: Patrick Lai +Cc: Banajit Goswami +Signed-off-by: Takashi Iwai +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/qcom/common.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/qcom/common.c b/sound/soc/qcom/common.c +index 4715527054e5..5661025e8cec 100644 +--- a/sound/soc/qcom/common.c ++++ b/sound/soc/qcom/common.c +@@ -42,6 +42,9 @@ int qcom_snd_parse_of(struct snd_soc_card *card) + link = card->dai_link; + for_each_child_of_node(dev->of_node, np) { + cpu = of_get_child_by_name(np, "cpu"); ++ platform = of_get_child_by_name(np, "platform"); ++ codec = of_get_child_by_name(np, "codec"); ++ + if (!cpu) { + dev_err(dev, "Can't find cpu DT node\n"); + ret = -EINVAL; +@@ -63,8 +66,6 @@ int qcom_snd_parse_of(struct snd_soc_card *card) + goto err; + } + +- platform = of_get_child_by_name(np, "platform"); +- codec = of_get_child_by_name(np, "codec"); + if (codec && platform) { + link->platform_of_node = of_parse_phandle(platform, + "sound-dai", +@@ -100,10 +101,15 @@ int qcom_snd_parse_of(struct snd_soc_card *card) + link->dpcm_capture = 1; + link->stream_name = link->name; + link++; ++ ++ of_node_put(cpu); ++ of_node_put(codec); ++ of_node_put(platform); + } + + return 0; + err: ++ of_node_put(np); + of_node_put(cpu); + of_node_put(codec); + of_node_put(platform); +-- +2.19.1 + diff --git a/queue-5.0/asoc-simple-card-utils-check-reg-property-on-asoc_si.patch b/queue-5.0/asoc-simple-card-utils-check-reg-property-on-asoc_si.patch new file mode 100644 index 00000000000..025b3e42440 --- /dev/null +++ b/queue-5.0/asoc-simple-card-utils-check-reg-property-on-asoc_si.patch @@ -0,0 +1,68 @@ +From 10f9dcd24232330539efe47c62f86b892357933e Mon Sep 17 00:00:00 2001 +From: Kuninori Morimoto +Date: Thu, 20 Dec 2018 10:45:42 +0900 +Subject: ASoC: simple-card-utils: check "reg" property on + asoc_simple_card_get_dai_id() + +[ Upstream commit a0c426fe143328760c9fd565cd203a37a7b4fde8 ] + +We will get DAI ID from "reg" property if it has on DT, otherwise get +it by counting port/endpoint. + +But in below case, we need to get DAI ID = 0 via port reg = <0>, but +current implementation returns ID = 1, because it can't judge ID = 0 was +from "non reg" or "reg = <0>". +Thus, it will count port/endpoint number as "non reg" case. + +of_graph_parse_endpoint() implementation itself is not a problem, +but because asoc_simple_card_get_dai_id() need to count port/endpoint +number when "non reg" case, it need to know ID = 0 was from +"non reg" or "reg = <0>". +This patch fix this issue. + + port { + reg = <0>; + xxxx: endpoint@0 { + }; +=> xxxx: endpoint@1 { + }; + }; + +Signed-off-by: Kuninori Morimoto +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/generic/simple-card-utils.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/sound/soc/generic/simple-card-utils.c b/sound/soc/generic/simple-card-utils.c +index b807a47515eb..336895f7fd1e 100644 +--- a/sound/soc/generic/simple-card-utils.c ++++ b/sound/soc/generic/simple-card-utils.c +@@ -283,12 +283,20 @@ static int asoc_simple_card_get_dai_id(struct device_node *ep) + /* use endpoint/port reg if exist */ + ret = of_graph_parse_endpoint(ep, &info); + if (ret == 0) { +- if (info.id) ++ /* ++ * Because it will count port/endpoint if it doesn't have "reg". ++ * But, we can't judge whether it has "no reg", or "reg = <0>" ++ * only of_graph_parse_endpoint(). ++ * We need to check "reg" property ++ */ ++ if (of_get_property(ep, "reg", NULL)) + return info.id; +- if (info.port) ++ ++ node = of_get_parent(ep); ++ of_node_put(node); ++ if (of_get_property(node, "reg", NULL)) + return info.port; + } +- + node = of_graph_get_port_parent(ep); + + /* +-- +2.19.1 + diff --git a/queue-5.0/ath10k-don-t-report-unset-rssi-values-to-mac80211.patch b/queue-5.0/ath10k-don-t-report-unset-rssi-values-to-mac80211.patch new file mode 100644 index 00000000000..0bd30049274 --- /dev/null +++ b/queue-5.0/ath10k-don-t-report-unset-rssi-values-to-mac80211.patch @@ -0,0 +1,52 @@ +From 788401e5a0c7444e3cc4b07af64bbe3040197f02 Mon Sep 17 00:00:00 2001 +From: Alagu Sankar +Date: Mon, 25 Feb 2019 11:46:03 +0200 +Subject: ath10k: don't report unset rssi values to mac80211 + +[ Upstream commit 7d444522303177f3a3c09b9abb104ddeea470a70 ] + +The SDIO firmware does not provide RSSI value to the host, it's only set to +zero. In that case don't report the value to mac80211. One risk here is that +value zero might be a valid value with other firmware, currently there's no way +to detect that. + +Without the fix, the rssi value indicated by iw changes between the actual +value and -95. + +Tested with QCA6174 SDIO with firmware WLAN.RMH.4.4.1-00005-QCARMSWP-1. + +Co-developed-by: Wen Gong +Signed-off-by: Alagu Sankar +Signed-off-by: Wen Gong +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/htt_rx.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath10k/htt_rx.c b/drivers/net/wireless/ath/ath10k/htt_rx.c +index f42bac204ef8..ecf34ce7acf0 100644 +--- a/drivers/net/wireless/ath/ath10k/htt_rx.c ++++ b/drivers/net/wireless/ath/ath10k/htt_rx.c +@@ -2130,9 +2130,15 @@ static bool ath10k_htt_rx_proc_rx_ind_hl(struct ath10k_htt *htt, + hdr = (struct ieee80211_hdr *)skb->data; + rx_status = IEEE80211_SKB_RXCB(skb); + rx_status->chains |= BIT(0); +- rx_status->signal = ATH10K_DEFAULT_NOISE_FLOOR + +- rx->ppdu.combined_rssi; +- rx_status->flag &= ~RX_FLAG_NO_SIGNAL_VAL; ++ if (rx->ppdu.combined_rssi == 0) { ++ /* SDIO firmware does not provide signal */ ++ rx_status->signal = 0; ++ rx_status->flag |= RX_FLAG_NO_SIGNAL_VAL; ++ } else { ++ rx_status->signal = ATH10K_DEFAULT_NOISE_FLOOR + ++ rx->ppdu.combined_rssi; ++ rx_status->flag &= ~RX_FLAG_NO_SIGNAL_VAL; ++ } + + spin_lock_bh(&ar->data_lock); + ch = ar->scan_channel; +-- +2.19.1 + diff --git a/queue-5.0/ath10k-fix-shadow-register-implementation-for-wcn399.patch b/queue-5.0/ath10k-fix-shadow-register-implementation-for-wcn399.patch new file mode 100644 index 00000000000..2ef587654a0 --- /dev/null +++ b/queue-5.0/ath10k-fix-shadow-register-implementation-for-wcn399.patch @@ -0,0 +1,108 @@ +From 243744b6f192312caa0a3d3ad73640e9048c8744 Mon Sep 17 00:00:00 2001 +From: Rakesh Pillai +Date: Fri, 8 Feb 2019 15:50:24 +0200 +Subject: ath10k: fix shadow register implementation for WCN3990 + +[ Upstream commit 1863008369ae0407508033b4b00f98b985adeb15 ] + +WCN3990 supports shadow registers write operation support +for copy engine for regular operation in powersave mode. + +Since WCN3990 is a 64-bit target, the shadow register +implementation needs to be done in the copy engine handlers +for 64-bit target. Currently the shadow register implementation +is present in the 32-bit target handlers of copy engine. + +Fix the shadow register copy engine write operation +implementation for 64-bit target(WCN3990). + +Tested HW: WCN3990 +Tested FW: WLAN.HL.2.0-01188-QCAHLSWMTPLZ-1 + +Fixes: b7ba83f7c414 ("ath10k: add support for shadow register for WNC3990") +Signed-off-by: Rakesh Pillai +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/ce.c | 26 +++++++++++++------------- + drivers/net/wireless/ath/ath10k/ce.h | 2 +- + 2 files changed, 14 insertions(+), 14 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath10k/ce.c b/drivers/net/wireless/ath/ath10k/ce.c +index 2a5668b4f6bc..1a1ea4bbf8a0 100644 +--- a/drivers/net/wireless/ath/ath10k/ce.c ++++ b/drivers/net/wireless/ath/ath10k/ce.c +@@ -500,14 +500,8 @@ static int _ath10k_ce_send_nolock(struct ath10k_ce_pipe *ce_state, + write_index = CE_RING_IDX_INCR(nentries_mask, write_index); + + /* WORKAROUND */ +- if (!(flags & CE_SEND_FLAG_GATHER)) { +- if (ar->hw_params.shadow_reg_support) +- ath10k_ce_shadow_src_ring_write_index_set(ar, ce_state, +- write_index); +- else +- ath10k_ce_src_ring_write_index_set(ar, ctrl_addr, +- write_index); +- } ++ if (!(flags & CE_SEND_FLAG_GATHER)) ++ ath10k_ce_src_ring_write_index_set(ar, ctrl_addr, write_index); + + src_ring->write_index = write_index; + exit: +@@ -581,8 +575,14 @@ static int _ath10k_ce_send_nolock_64(struct ath10k_ce_pipe *ce_state, + /* Update Source Ring Write Index */ + write_index = CE_RING_IDX_INCR(nentries_mask, write_index); + +- if (!(flags & CE_SEND_FLAG_GATHER)) +- ath10k_ce_src_ring_write_index_set(ar, ctrl_addr, write_index); ++ if (!(flags & CE_SEND_FLAG_GATHER)) { ++ if (ar->hw_params.shadow_reg_support) ++ ath10k_ce_shadow_src_ring_write_index_set(ar, ce_state, ++ write_index); ++ else ++ ath10k_ce_src_ring_write_index_set(ar, ctrl_addr, ++ write_index); ++ } + + src_ring->write_index = write_index; + exit: +@@ -1404,12 +1404,12 @@ static int ath10k_ce_alloc_shadow_base(struct ath10k *ar, + u32 nentries) + { + src_ring->shadow_base_unaligned = kcalloc(nentries, +- sizeof(struct ce_desc), ++ sizeof(struct ce_desc_64), + GFP_KERNEL); + if (!src_ring->shadow_base_unaligned) + return -ENOMEM; + +- src_ring->shadow_base = (struct ce_desc *) ++ src_ring->shadow_base = (struct ce_desc_64 *) + PTR_ALIGN(src_ring->shadow_base_unaligned, + CE_DESC_RING_ALIGN); + return 0; +@@ -1461,7 +1461,7 @@ ath10k_ce_alloc_src_ring(struct ath10k *ar, unsigned int ce_id, + ret = ath10k_ce_alloc_shadow_base(ar, src_ring, nentries); + if (ret) { + dma_free_coherent(ar->dev, +- (nentries * sizeof(struct ce_desc) + ++ (nentries * sizeof(struct ce_desc_64) + + CE_DESC_RING_ALIGN), + src_ring->base_addr_owner_space_unaligned, + base_addr); +diff --git a/drivers/net/wireless/ath/ath10k/ce.h b/drivers/net/wireless/ath/ath10k/ce.h +index ead9987c3259..463e2fc8b501 100644 +--- a/drivers/net/wireless/ath/ath10k/ce.h ++++ b/drivers/net/wireless/ath/ath10k/ce.h +@@ -118,7 +118,7 @@ struct ath10k_ce_ring { + u32 base_addr_ce_space; + + char *shadow_base_unaligned; +- struct ce_desc *shadow_base; ++ struct ce_desc_64 *shadow_base; + + /* keep last */ + void *per_transfer_context[0]; +-- +2.19.1 + diff --git a/queue-5.0/ath10k-fix-the-wrong-updation-of-bw-in-tx_stats-debu.patch b/queue-5.0/ath10k-fix-the-wrong-updation-of-bw-in-tx_stats-debu.patch new file mode 100644 index 00000000000..2ff6346db6d --- /dev/null +++ b/queue-5.0/ath10k-fix-the-wrong-updation-of-bw-in-tx_stats-debu.patch @@ -0,0 +1,63 @@ +From 2de1783ea802fcd6518d20f58fc40dd0fb4ecb5b Mon Sep 17 00:00:00 2001 +From: Surabhi Vishnoi +Date: Tue, 26 Feb 2019 14:57:56 +0530 +Subject: ath10k: Fix the wrong updation of BW in tx_stats debugfs entry + +[ Upstream commit ef9051c72ab7bc664e8047c55ac74bdb1c7fa3ee ] + +Currently, the bandwidth is updated wrongly in BW table in tx_stats +debugfs per sta as there is difference in number of bandwidth type +in mac80211 and driver stats table. This leads to bandwidth getting +updated at wrong index in bandwidth table in tx_stats. + +Fix this index mismatch between mac80211 and driver stats table (BW table) +by making the number of bandwidth type in driver compatible with mac80211. + +Tested HW: WCN3990 +Tested FW: WLAN.HL.3.1-00784-QCAHLSWMTPLZ-1 + +Fixes: a904417fc876 ("ath10k: add extended per sta tx statistics support") +Signed-off-by: Surabhi Vishnoi +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/debugfs_sta.c | 7 ++++--- + drivers/net/wireless/ath/ath10k/wmi.h | 2 +- + 2 files changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath10k/debugfs_sta.c b/drivers/net/wireless/ath/ath10k/debugfs_sta.c +index 4778a455d81a..068f1a7e07d3 100644 +--- a/drivers/net/wireless/ath/ath10k/debugfs_sta.c ++++ b/drivers/net/wireless/ath/ath10k/debugfs_sta.c +@@ -696,11 +696,12 @@ static ssize_t ath10k_dbg_sta_dump_tx_stats(struct file *file, + " %llu ", stats->ht[j][i]); + len += scnprintf(buf + len, size - len, "\n"); + len += scnprintf(buf + len, size - len, +- " BW %s (20,40,80,160 MHz)\n", str[j]); ++ " BW %s (20,5,10,40,80,160 MHz)\n", str[j]); + len += scnprintf(buf + len, size - len, +- " %llu %llu %llu %llu\n", ++ " %llu %llu %llu %llu %llu %llu\n", + stats->bw[j][0], stats->bw[j][1], +- stats->bw[j][2], stats->bw[j][3]); ++ stats->bw[j][2], stats->bw[j][3], ++ stats->bw[j][4], stats->bw[j][5]); + len += scnprintf(buf + len, size - len, + " NSS %s (1x1,2x2,3x3,4x4)\n", str[j]); + len += scnprintf(buf + len, size - len, +diff --git a/drivers/net/wireless/ath/ath10k/wmi.h b/drivers/net/wireless/ath/ath10k/wmi.h +index 2034ccc7cc72..1d5d0209ebeb 100644 +--- a/drivers/net/wireless/ath/ath10k/wmi.h ++++ b/drivers/net/wireless/ath/ath10k/wmi.h +@@ -5003,7 +5003,7 @@ enum wmi_rate_preamble { + #define ATH10K_FW_SKIPPED_RATE_CTRL(flags) (((flags) >> 6) & 0x1) + + #define ATH10K_VHT_MCS_NUM 10 +-#define ATH10K_BW_NUM 4 ++#define ATH10K_BW_NUM 6 + #define ATH10K_NSS_NUM 4 + #define ATH10K_LEGACY_NUM 12 + #define ATH10K_GI_NUM 2 +-- +2.19.1 + diff --git a/queue-5.0/audit-hand-taken-context-to-audit_kill_trees-for-sys.patch b/queue-5.0/audit-hand-taken-context-to-audit_kill_trees-for-sys.patch new file mode 100644 index 00000000000..04911747ba5 --- /dev/null +++ b/queue-5.0/audit-hand-taken-context-to-audit_kill_trees-for-sys.patch @@ -0,0 +1,182 @@ +From 931154b00e4a913959923b29b598c65988221b2d Mon Sep 17 00:00:00 2001 +From: Richard Guy Briggs +Date: Mon, 10 Dec 2018 17:17:50 -0500 +Subject: audit: hand taken context to audit_kill_trees for syscall logging + +[ Upstream commit 9e36a5d49c3a6fc4a2e0ba2dc11b27c4a8ae6303 ] + +Since the context is derived from the task parameter handed to +__audit_free(), hand the context to audit_kill_trees() so it can be used +to associate with a syscall record. This requires adding the context +parameter to kill_rules() rather than using the current audit_context. + +The callers of trim_marked() and evict_chunk() still have their context. + +The EOE record was being issued prior to the pruning of the killed_tree +list. + +Move the kill_trees call before the audit_log_exit call in +__audit_free() and __audit_syscall_exit() so that any pruned trees +CONFIG_CHANGE records are included with the associated syscall event by +the user library due to the EOE record flagging the end of the event. + +See: https://github.com/linux-audit/audit-kernel/issues/50 +See: https://github.com/linux-audit/audit-kernel/issues/59 + +Signed-off-by: Richard Guy Briggs +[PM: fixed merge fuzz in kernel/audit_tree.c] +Signed-off-by: Paul Moore +Signed-off-by: Sasha Levin +--- + kernel/audit.h | 4 ++-- + kernel/audit_tree.c | 19 +++++++++++-------- + kernel/auditsc.c | 12 ++++++------ + 3 files changed, 19 insertions(+), 16 deletions(-) + +diff --git a/kernel/audit.h b/kernel/audit.h +index 91421679a168..6ffb70575082 100644 +--- a/kernel/audit.h ++++ b/kernel/audit.h +@@ -314,7 +314,7 @@ extern void audit_trim_trees(void); + extern int audit_tag_tree(char *old, char *new); + extern const char *audit_tree_path(struct audit_tree *tree); + extern void audit_put_tree(struct audit_tree *tree); +-extern void audit_kill_trees(struct list_head *list); ++extern void audit_kill_trees(struct audit_context *context); + #else + #define audit_remove_tree_rule(rule) BUG() + #define audit_add_tree_rule(rule) -EINVAL +@@ -323,7 +323,7 @@ extern void audit_kill_trees(struct list_head *list); + #define audit_put_tree(tree) (void)0 + #define audit_tag_tree(old, new) -EINVAL + #define audit_tree_path(rule) "" /* never called */ +-#define audit_kill_trees(list) BUG() ++#define audit_kill_trees(context) BUG() + #endif + + extern char *audit_unpack_string(void **bufp, size_t *remain, size_t len); +diff --git a/kernel/audit_tree.c b/kernel/audit_tree.c +index d4af4d97f847..abfb112f26aa 100644 +--- a/kernel/audit_tree.c ++++ b/kernel/audit_tree.c +@@ -524,13 +524,14 @@ static int tag_chunk(struct inode *inode, struct audit_tree *tree) + return 0; + } + +-static void audit_tree_log_remove_rule(struct audit_krule *rule) ++static void audit_tree_log_remove_rule(struct audit_context *context, ++ struct audit_krule *rule) + { + struct audit_buffer *ab; + + if (!audit_enabled) + return; +- ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); ++ ab = audit_log_start(context, GFP_KERNEL, AUDIT_CONFIG_CHANGE); + if (unlikely(!ab)) + return; + audit_log_format(ab, "op=remove_rule dir="); +@@ -540,7 +541,7 @@ static void audit_tree_log_remove_rule(struct audit_krule *rule) + audit_log_end(ab); + } + +-static void kill_rules(struct audit_tree *tree) ++static void kill_rules(struct audit_context *context, struct audit_tree *tree) + { + struct audit_krule *rule, *next; + struct audit_entry *entry; +@@ -551,7 +552,7 @@ static void kill_rules(struct audit_tree *tree) + list_del_init(&rule->rlist); + if (rule->tree) { + /* not a half-baked one */ +- audit_tree_log_remove_rule(rule); ++ audit_tree_log_remove_rule(context, rule); + if (entry->rule.exe) + audit_remove_mark(entry->rule.exe); + rule->tree = NULL; +@@ -633,7 +634,7 @@ static void trim_marked(struct audit_tree *tree) + tree->goner = 1; + spin_unlock(&hash_lock); + mutex_lock(&audit_filter_mutex); +- kill_rules(tree); ++ kill_rules(audit_context(), tree); + list_del_init(&tree->list); + mutex_unlock(&audit_filter_mutex); + prune_one(tree); +@@ -973,8 +974,10 @@ static void audit_schedule_prune(void) + * ... and that one is done if evict_chunk() decides to delay until the end + * of syscall. Runs synchronously. + */ +-void audit_kill_trees(struct list_head *list) ++void audit_kill_trees(struct audit_context *context) + { ++ struct list_head *list = &context->killed_trees; ++ + audit_ctl_lock(); + mutex_lock(&audit_filter_mutex); + +@@ -982,7 +985,7 @@ void audit_kill_trees(struct list_head *list) + struct audit_tree *victim; + + victim = list_entry(list->next, struct audit_tree, list); +- kill_rules(victim); ++ kill_rules(context, victim); + list_del_init(&victim->list); + + mutex_unlock(&audit_filter_mutex); +@@ -1017,7 +1020,7 @@ static void evict_chunk(struct audit_chunk *chunk) + list_del_init(&owner->same_root); + spin_unlock(&hash_lock); + if (!postponed) { +- kill_rules(owner); ++ kill_rules(audit_context(), owner); + list_move(&owner->list, &prune_list); + need_prune = 1; + } else { +diff --git a/kernel/auditsc.c b/kernel/auditsc.c +index 6593a5207fb0..b585ceb2f7a2 100644 +--- a/kernel/auditsc.c ++++ b/kernel/auditsc.c +@@ -1444,6 +1444,9 @@ void __audit_free(struct task_struct *tsk) + if (!context) + return; + ++ if (!list_empty(&context->killed_trees)) ++ audit_kill_trees(context); ++ + /* We are called either by do_exit() or the fork() error handling code; + * in the former case tsk == current and in the latter tsk is a + * random task_struct that doesn't doesn't have any meaningful data we +@@ -1460,9 +1463,6 @@ void __audit_free(struct task_struct *tsk) + audit_log_exit(); + } + +- if (!list_empty(&context->killed_trees)) +- audit_kill_trees(&context->killed_trees); +- + audit_set_context(tsk, NULL); + audit_free_context(context); + } +@@ -1537,6 +1537,9 @@ void __audit_syscall_exit(int success, long return_code) + if (!context) + return; + ++ if (!list_empty(&context->killed_trees)) ++ audit_kill_trees(context); ++ + if (!context->dummy && context->in_syscall) { + if (success) + context->return_valid = AUDITSC_SUCCESS; +@@ -1571,9 +1574,6 @@ void __audit_syscall_exit(int success, long return_code) + context->in_syscall = 0; + context->prio = context->state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0; + +- if (!list_empty(&context->killed_trees)) +- audit_kill_trees(&context->killed_trees); +- + audit_free_names(context); + unroll_tree_refs(context, NULL, 0); + audit_free_aux(context); +-- +2.19.1 + diff --git a/queue-5.0/backlight-pwm_bl-use-gpiod_get_value_cansleep-to-get.patch b/queue-5.0/backlight-pwm_bl-use-gpiod_get_value_cansleep-to-get.patch new file mode 100644 index 00000000000..c0391c18710 --- /dev/null +++ b/queue-5.0/backlight-pwm_bl-use-gpiod_get_value_cansleep-to-get.patch @@ -0,0 +1,67 @@ +From 351c892d7ffd8d21cba482a126b91798d2337d93 Mon Sep 17 00:00:00 2001 +From: Chen-Yu Tsai +Date: Sun, 27 Jan 2019 22:50:54 +0800 +Subject: backlight: pwm_bl: Use gpiod_get_value_cansleep() to get initial + state + +[ Upstream commit cec2b18832e26bc866bef2be22eff4e25bbc4034 ] + +gpiod_get_value() gives out a warning if access to the underlying gpiochip +requires sleeping, which is common for I2C based chips: + + WARNING: CPU: 0 PID: 77 at drivers/gpio/gpiolib.c:2500 gpiod_get_value+0xd0/0x100 + Modules linked in: + CPU: 0 PID: 77 Comm: kworker/0:2 Not tainted 4.14.0-rc3-00589-gf32897915d48-dirty #90 + Hardware name: Allwinner sun4i/sun5i Families + Workqueue: events deferred_probe_work_func + [] (unwind_backtrace) from [] (show_stack+0x10/0x14) + [] (show_stack) from [] (dump_stack+0x88/0x9c) + [] (dump_stack) from [] (__warn+0xe8/0x100) + [] (__warn) from [] (warn_slowpath_null+0x20/0x28) + [] (warn_slowpath_null) from [] (gpiod_get_value+0xd0/0x100) + [] (gpiod_get_value) from [] (pwm_backlight_probe+0x238/0x508) + [] (pwm_backlight_probe) from [] (platform_drv_probe+0x50/0xac) + [] (platform_drv_probe) from [] (driver_probe_device+0x238/0x2e8) + [] (driver_probe_device) from [] (bus_for_each_drv+0x44/0x94) + [] (bus_for_each_drv) from [] (__device_attach+0xb0/0x114) + [] (__device_attach) from [] (bus_probe_device+0x84/0x8c) + [] (bus_probe_device) from [] (deferred_probe_work_func+0x50/0x14c) + [] (deferred_probe_work_func) from [] (process_one_work+0x1ec/0x414) + [] (process_one_work) from [] (worker_thread+0x2b0/0x5a0) + [] (worker_thread) from [] (kthread+0x14c/0x154) + [] (kthread) from [] (ret_from_fork+0x14/0x24) + +This was missed in commit 0c9501f823a4 ("backlight: pwm_bl: Handle gpio +that can sleep"). The code was then moved to a separate function in +commit 7613c922315e ("backlight: pwm_bl: Move the checks for initial power +state to a separate function"). + +The only usage of gpiod_get_value() is during the probe stage, which is +safe to sleep in. Switch to gpiod_get_value_cansleep(). + +Fixes: 0c9501f823a4 ("backlight: pwm_bl: Handle gpio that can sleep") +Signed-off-by: Chen-Yu Tsai +Acked-by: Maxime Ripard +Acked-by: Daniel Thompson +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/video/backlight/pwm_bl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/video/backlight/pwm_bl.c b/drivers/video/backlight/pwm_bl.c +index feb90764a811..53b8ceea9bde 100644 +--- a/drivers/video/backlight/pwm_bl.c ++++ b/drivers/video/backlight/pwm_bl.c +@@ -435,7 +435,7 @@ static int pwm_backlight_initial_power_state(const struct pwm_bl_data *pb) + */ + + /* if the enable GPIO is disabled, do not enable the backlight */ +- if (pb->enable_gpio && gpiod_get_value(pb->enable_gpio) == 0) ++ if (pb->enable_gpio && gpiod_get_value_cansleep(pb->enable_gpio) == 0) + return FB_BLANK_POWERDOWN; + + /* The regulator is disabled, do not enable the backlight */ +-- +2.19.1 + diff --git a/queue-5.0/bcache-fix-input-overflow-to-cache-set-sysfs-file-io.patch b/queue-5.0/bcache-fix-input-overflow-to-cache-set-sysfs-file-io.patch new file mode 100644 index 00000000000..decadd4b3f0 --- /dev/null +++ b/queue-5.0/bcache-fix-input-overflow-to-cache-set-sysfs-file-io.patch @@ -0,0 +1,50 @@ +From 0ea7b5790b9558ac1e85ecc0e3b7fad81c4ccaf8 Mon Sep 17 00:00:00 2001 +From: Coly Li +Date: Sat, 9 Feb 2019 12:53:10 +0800 +Subject: bcache: fix input overflow to cache set sysfs file io_error_halflife + +[ Upstream commit a91fbda49f746119828f7e8ad0f0aa2ab0578f65 ] + +Cache set sysfs entry io_error_halflife is used to set c->error_decay. +c->error_decay is in type unsigned int, and it is converted by +strtoul_or_return(), therefore overflow to c->error_decay is possible +for a large input value. + +This patch fixes the overflow by using strtoul_safe_clamp() to convert +input string to an unsigned long value in range [0, UINT_MAX], then +divides by 88 and set it to c->error_decay. + +Signed-off-by: Coly Li +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/md/bcache/sysfs.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/drivers/md/bcache/sysfs.c b/drivers/md/bcache/sysfs.c +index 557a8a3270a1..3b287f974fd9 100644 +--- a/drivers/md/bcache/sysfs.c ++++ b/drivers/md/bcache/sysfs.c +@@ -778,8 +778,17 @@ STORE(__bch_cache_set) + c->error_limit = strtoul_or_return(buf); + + /* See count_io_errors() for why 88 */ +- if (attr == &sysfs_io_error_halflife) +- c->error_decay = strtoul_or_return(buf) / 88; ++ if (attr == &sysfs_io_error_halflife) { ++ unsigned long v = 0; ++ ssize_t ret; ++ ++ ret = strtoul_safe_clamp(buf, v, 0, UINT_MAX); ++ if (!ret) { ++ c->error_decay = v / 88; ++ return size; ++ } ++ return ret; ++ } + + if (attr == &sysfs_io_disable) { + v = strtoul_or_return(buf); +-- +2.19.1 + diff --git a/queue-5.0/bcache-fix-input-overflow-to-sequential_cutoff.patch b/queue-5.0/bcache-fix-input-overflow-to-sequential_cutoff.patch new file mode 100644 index 00000000000..ae137d9dc52 --- /dev/null +++ b/queue-5.0/bcache-fix-input-overflow-to-sequential_cutoff.patch @@ -0,0 +1,42 @@ +From 26dc991aa23a704c16c56e43cb4970e4d9f00508 Mon Sep 17 00:00:00 2001 +From: Coly Li +Date: Sat, 9 Feb 2019 12:53:01 +0800 +Subject: bcache: fix input overflow to sequential_cutoff + +[ Upstream commit 8c27a3953e92eb0b22dbb03d599f543a05f9574e ] + +People may set sequential_cutoff of a cached device via sysfs file, +but current code does not check input value overflow. E.g. if value +4294967295 (UINT_MAX) is written to file sequential_cutoff, its value +is 4GB, but if 4294967296 (UINT_MAX + 1) is written into, its value +will be 0. This is an unexpected behavior. + +This patch replaces d_strtoi_h() by sysfs_strtoul_clamp() to convert +input string to unsigned integer value, and limit its range in +[0, UINT_MAX]. Then the input overflow can be fixed. + +Signed-off-by: Coly Li +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/md/bcache/sysfs.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/md/bcache/sysfs.c b/drivers/md/bcache/sysfs.c +index 3b287f974fd9..f98cda32065d 100644 +--- a/drivers/md/bcache/sysfs.c ++++ b/drivers/md/bcache/sysfs.c +@@ -299,7 +299,9 @@ STORE(__cached_dev) + dc->io_disable = v ? 1 : 0; + } + +- d_strtoi_h(sequential_cutoff); ++ sysfs_strtoul_clamp(sequential_cutoff, ++ dc->sequential_cutoff, ++ 0, UINT_MAX); + d_strtoi_h(readahead); + + if (attr == &sysfs_clear_stats) +-- +2.19.1 + diff --git a/queue-5.0/bcache-fix-potential-div-zero-error-of-writeback_rat.patch b/queue-5.0/bcache-fix-potential-div-zero-error-of-writeback_rat.patch new file mode 100644 index 00000000000..0e87fa1ffa7 --- /dev/null +++ b/queue-5.0/bcache-fix-potential-div-zero-error-of-writeback_rat.patch @@ -0,0 +1,50 @@ +From f6ab39bead4f063ab712bd4198141ab7d7f1cfa8 Mon Sep 17 00:00:00 2001 +From: Coly Li +Date: Sat, 9 Feb 2019 12:53:05 +0800 +Subject: bcache: fix potential div-zero error of writeback_rate_i_term_inverse + +[ Upstream commit c3b75a2199cdbfc1c335155fe143d842604b1baa ] + +dc->writeback_rate_i_term_inverse can be set via sysfs interface. It is +in type unsigned int, and convert from input string by d_strtoul(). The +problem is d_strtoul() does not check valid range of the input, if +4294967296 is written into sysfs file writeback_rate_i_term_inverse, +an overflow of unsigned integer will happen and value 0 is set to +dc->writeback_rate_i_term_inverse. + +In writeback.c:__update_writeback_rate(), there are following lines of +code, + integral_scaled = div_s64(dc->writeback_rate_integral, + dc->writeback_rate_i_term_inverse); +If dc->writeback_rate_i_term_inverse is set to 0 via sysfs interface, +a div-zero error might be triggered in the above code. + +Therefore we need to add a range limitation in the sysfs interface, +this is what this patch does, use sysfs_stroul_clamp() to replace +d_strtoul() and restrict the input range in [1, UINT_MAX]. + +Signed-off-by: Coly Li +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/md/bcache/sysfs.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/md/bcache/sysfs.c b/drivers/md/bcache/sysfs.c +index f98cda32065d..28e0d5a5e25b 100644 +--- a/drivers/md/bcache/sysfs.c ++++ b/drivers/md/bcache/sysfs.c +@@ -287,7 +287,9 @@ STORE(__cached_dev) + sysfs_strtoul_clamp(writeback_rate_update_seconds, + dc->writeback_rate_update_seconds, + 1, WRITEBACK_RATE_UPDATE_SECS_MAX); +- d_strtoul(writeback_rate_i_term_inverse); ++ sysfs_strtoul_clamp(writeback_rate_i_term_inverse, ++ dc->writeback_rate_i_term_inverse, ++ 1, UINT_MAX); + d_strtoul_nonzero(writeback_rate_p_term_inverse); + d_strtoul_nonzero(writeback_rate_minimum); + +-- +2.19.1 + diff --git a/queue-5.0/bcache-fix-potential-div-zero-error-of-writeback_rat.patch-17972 b/queue-5.0/bcache-fix-potential-div-zero-error-of-writeback_rat.patch-17972 new file mode 100644 index 00000000000..edde3a490fa --- /dev/null +++ b/queue-5.0/bcache-fix-potential-div-zero-error-of-writeback_rat.patch-17972 @@ -0,0 +1,48 @@ +From 6192a345e08526a4189417f5462734761e95ff95 Mon Sep 17 00:00:00 2001 +From: Coly Li +Date: Sat, 9 Feb 2019 12:53:06 +0800 +Subject: bcache: fix potential div-zero error of writeback_rate_p_term_inverse + +[ Upstream commit 5b5fd3c94eef69dcfaa8648198e54c92e5687d6d ] + +Current code already uses d_strtoul_nonzero() to convert input string +to an unsigned integer, to make sure writeback_rate_p_term_inverse +won't be zero value. But overflow may happen when converting input +string to an unsigned integer value by d_strtoul_nonzero(), then +dc->writeback_rate_p_term_inverse can still be set to 0 even if the +sysfs file input value is not zero, e.g. 4294967296 (a.k.a UINT_MAX+1). + +If dc->writeback_rate_p_term_inverse is set to 0, it might cause a +dev-zero error in following code from __update_writeback_rate(), + int64_t proportional_scaled = + div_s64(error, dc->writeback_rate_p_term_inverse); + +This patch replaces d_strtoul_nonzero() by sysfs_strtoul_clamp() and +limit the value range in [1, UINT_MAX]. Then the unsigned integer +overflow and dev-zero error can be avoided. + +Signed-off-by: Coly Li +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/md/bcache/sysfs.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/md/bcache/sysfs.c b/drivers/md/bcache/sysfs.c +index 28e0d5a5e25b..e5daf91310f6 100644 +--- a/drivers/md/bcache/sysfs.c ++++ b/drivers/md/bcache/sysfs.c +@@ -290,7 +290,9 @@ STORE(__cached_dev) + sysfs_strtoul_clamp(writeback_rate_i_term_inverse, + dc->writeback_rate_i_term_inverse, + 1, UINT_MAX); +- d_strtoul_nonzero(writeback_rate_p_term_inverse); ++ sysfs_strtoul_clamp(writeback_rate_p_term_inverse, ++ dc->writeback_rate_p_term_inverse, ++ 1, UINT_MAX); + d_strtoul_nonzero(writeback_rate_minimum); + + sysfs_strtoul_clamp(io_error_limit, dc->error_limit, 0, INT_MAX); +-- +2.19.1 + diff --git a/queue-5.0/bcache-improve-sysfs_strtoul_clamp.patch b/queue-5.0/bcache-improve-sysfs_strtoul_clamp.patch new file mode 100644 index 00000000000..3d3845cf413 --- /dev/null +++ b/queue-5.0/bcache-improve-sysfs_strtoul_clamp.patch @@ -0,0 +1,64 @@ +From 8c8b8767d54722e3e3ea9c9d2f166f75977570a3 Mon Sep 17 00:00:00 2001 +From: Coly Li +Date: Sat, 9 Feb 2019 12:52:59 +0800 +Subject: bcache: improve sysfs_strtoul_clamp() + +[ Upstream commit 596b5a5dd1bc2fa019fdaaae522ef331deef927f ] + +Currently sysfs_strtoul_clamp() is defined as, + 82 #define sysfs_strtoul_clamp(file, var, min, max) \ + 83 do { \ + 84 if (attr == &sysfs_ ## file) \ + 85 return strtoul_safe_clamp(buf, var, min, max) \ + 86 ?: (ssize_t) size; \ + 87 } while (0) + +The problem is, if bit width of var is less then unsigned long, min and +max may not protect var from integer overflow, because overflow happens +in strtoul_safe_clamp() before checking min and max. + +To fix such overflow in sysfs_strtoul_clamp(), to make min and max take +effect, this patch adds an unsigned long variable, and uses it to macro +strtoul_safe_clamp() to convert an unsigned long value in range defined +by [min, max]. Then assign this value to var. By this method, if bit +width of var is less than unsigned long, integer overflow won't happen +before min and max are checking. + +Now sysfs_strtoul_clamp() can properly handle smaller data type like +unsigned int, of cause min and max should be defined in range of +unsigned int too. + +Signed-off-by: Coly Li +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/md/bcache/sysfs.h | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/drivers/md/bcache/sysfs.h b/drivers/md/bcache/sysfs.h +index 3fe82425859c..0ad2715a884e 100644 +--- a/drivers/md/bcache/sysfs.h ++++ b/drivers/md/bcache/sysfs.h +@@ -81,9 +81,16 @@ do { \ + + #define sysfs_strtoul_clamp(file, var, min, max) \ + do { \ +- if (attr == &sysfs_ ## file) \ +- return strtoul_safe_clamp(buf, var, min, max) \ +- ?: (ssize_t) size; \ ++ if (attr == &sysfs_ ## file) { \ ++ unsigned long v = 0; \ ++ ssize_t ret; \ ++ ret = strtoul_safe_clamp(buf, v, min, max); \ ++ if (!ret) { \ ++ var = v; \ ++ return size; \ ++ } \ ++ return ret; \ ++ } \ + } while (0) + + #define strtoul_or_return(cp) \ +-- +2.19.1 + diff --git a/queue-5.0/block-bfq-fix-in-service-queue-check-for-queue-mergi.patch b/queue-5.0/block-bfq-fix-in-service-queue-check-for-queue-mergi.patch new file mode 100644 index 00000000000..64decda449b --- /dev/null +++ b/queue-5.0/block-bfq-fix-in-service-queue-check-for-queue-mergi.patch @@ -0,0 +1,79 @@ +From 2ddfd90024ae484c9ef0dbdeceeacfc01ae21c57 Mon Sep 17 00:00:00 2001 +From: Paolo Valente +Date: Tue, 29 Jan 2019 12:06:38 +0100 +Subject: block, bfq: fix in-service-queue check for queue merging + +[ Upstream commit 058fdecc6de7cdecbf4c59b851e80eb2d6c5295f ] + +When a new I/O request arrives for a bfq_queue, say Q, bfq checks +whether that request is close to +(a) the head request of some other queue waiting to be served, or +(b) the last request dispatched for the in-service queue (in case Q +itself is not the in-service queue) + +If a queue, say Q2, is found for which the above condition holds, then +bfq merges Q and Q2, to hopefully get a more sequential I/O in the +resulting merged queue, and thus a possibly higher throughput. + +Case (b) is checked by comparing the new request for Q with the last +request dispatched, assuming that the latter necessarily belonged to the +in-service queue. Unfortunately, this assumption is no longer always +correct, since commit d0edc2473be9 ("block, bfq: inject other-queue I/O +into seeky idle queues on NCQ flash"). + +When the assumption does not hold, queues that must not be merged may be +merged, causing unexpected loss of control on per-queue service +guarantees. + +This commit solves this problem by adding an extra field, which stores +the actual last request dispatched for the in-service queue, and by +using this new field to correctly check case (b). + +Signed-off-by: Paolo Valente +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/bfq-iosched.c | 5 ++++- + block/bfq-iosched.h | 3 +++ + 2 files changed, 7 insertions(+), 1 deletion(-) + +diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c +index cd307767a134..f010810c095f 100644 +--- a/block/bfq-iosched.c ++++ b/block/bfq-iosched.c +@@ -2224,7 +2224,8 @@ bfq_setup_cooperator(struct bfq_data *bfqd, struct bfq_queue *bfqq, + + if (in_service_bfqq && in_service_bfqq != bfqq && + likely(in_service_bfqq != &bfqd->oom_bfqq) && +- bfq_rq_close_to_sector(io_struct, request, bfqd->last_position) && ++ bfq_rq_close_to_sector(io_struct, request, ++ bfqd->in_serv_last_pos) && + bfqq->entity.parent == in_service_bfqq->entity.parent && + bfq_may_be_close_cooperator(bfqq, in_service_bfqq)) { + new_bfqq = bfq_setup_merge(bfqq, in_service_bfqq); +@@ -2764,6 +2765,8 @@ update_rate_and_reset: + bfq_update_rate_reset(bfqd, rq); + update_last_values: + bfqd->last_position = blk_rq_pos(rq) + blk_rq_sectors(rq); ++ if (RQ_BFQQ(rq) == bfqd->in_service_queue) ++ bfqd->in_serv_last_pos = bfqd->last_position; + bfqd->last_dispatch = now_ns; + } + +diff --git a/block/bfq-iosched.h b/block/bfq-iosched.h +index 0b02bf302de0..746bd570b85a 100644 +--- a/block/bfq-iosched.h ++++ b/block/bfq-iosched.h +@@ -537,6 +537,9 @@ struct bfq_data { + /* on-disk position of the last served request */ + sector_t last_position; + ++ /* position of the last served request for the in-service queue */ ++ sector_t in_serv_last_pos; ++ + /* time of last request completion (ns) */ + u64 last_completion; + +-- +2.19.1 + diff --git a/queue-5.0/block-bfq-fix-queue-removal-from-weights-tree.patch b/queue-5.0/block-bfq-fix-queue-removal-from-weights-tree.patch new file mode 100644 index 00000000000..59a024ce635 --- /dev/null +++ b/queue-5.0/block-bfq-fix-queue-removal-from-weights-tree.patch @@ -0,0 +1,119 @@ +From e617aa7f725ebca3d65d58974f08df4c0ee54393 Mon Sep 17 00:00:00 2001 +From: Paolo Valente +Date: Tue, 29 Jan 2019 12:06:34 +0100 +Subject: block, bfq: fix queue removal from weights tree + +[ Upstream commit 9dee8b3b057e1da26f85f1842f2aaf3bb200fb94 ] + +bfq maintains an ordered list, through a red-black tree, of unique +weights of active bfq_queues. This list is used to detect whether there +are active queues with differentiated weights. The weight of a queue is +removed from the list when both the following two conditions become +true: + +(1) the bfq_queue is flagged as inactive +(2) the has no in-flight request any longer; + +Unfortunately, in the rare cases where condition (2) becomes true before +condition (1), the removal fails, because the function to remove the +weight of the queue (bfq_weights_tree_remove) is rightly invoked in the +path that deactivates the bfq_queue, but mistakenly invoked *before* the +function that actually performs the deactivation (bfq_deactivate_bfqq). + +This commits moves the invocation of bfq_weights_tree_remove for +condition (1) to after bfq_deactivate_bfqq. As a consequence of this +move, it is necessary to add a further reference to the queue when the +weight of a queue is added, because the queue might otherwise be freed +before bfq_weights_tree_remove is invoked. This commit adds this +reference and makes all related modifications. + +Signed-off-by: Paolo Valente +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/bfq-iosched.c | 17 +++++++++++++---- + block/bfq-wf2q.c | 6 +++--- + 2 files changed, 16 insertions(+), 7 deletions(-) + +diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c +index f010810c095f..e5ed28629271 100644 +--- a/block/bfq-iosched.c ++++ b/block/bfq-iosched.c +@@ -747,6 +747,7 @@ void bfq_weights_tree_add(struct bfq_data *bfqd, struct bfq_queue *bfqq, + + inc_counter: + bfqq->weight_counter->num_active++; ++ bfqq->ref++; + } + + /* +@@ -771,6 +772,7 @@ void __bfq_weights_tree_remove(struct bfq_data *bfqd, + + reset_entity_pointer: + bfqq->weight_counter = NULL; ++ bfq_put_queue(bfqq); + } + + /* +@@ -782,9 +784,6 @@ void bfq_weights_tree_remove(struct bfq_data *bfqd, + { + struct bfq_entity *entity = bfqq->entity.parent; + +- __bfq_weights_tree_remove(bfqd, bfqq, +- &bfqd->queue_weights_tree); +- + for_each_entity(entity) { + struct bfq_sched_data *sd = entity->my_sched_data; + +@@ -818,6 +817,15 @@ void bfq_weights_tree_remove(struct bfq_data *bfqd, + bfqd->num_groups_with_pending_reqs--; + } + } ++ ++ /* ++ * Next function is invoked last, because it causes bfqq to be ++ * freed if the following holds: bfqq is not in service and ++ * has no dispatched request. DO NOT use bfqq after the next ++ * function invocation. ++ */ ++ __bfq_weights_tree_remove(bfqd, bfqq, ++ &bfqd->queue_weights_tree); + } + + /* +@@ -1011,7 +1019,8 @@ bfq_bfqq_resume_state(struct bfq_queue *bfqq, struct bfq_data *bfqd, + + static int bfqq_process_refs(struct bfq_queue *bfqq) + { +- return bfqq->ref - bfqq->allocated - bfqq->entity.on_st; ++ return bfqq->ref - bfqq->allocated - bfqq->entity.on_st - ++ (bfqq->weight_counter != NULL); + } + + /* Empty burst list and add just bfqq (see comments on bfq_handle_burst) */ +diff --git a/block/bfq-wf2q.c b/block/bfq-wf2q.c +index 72adbbe975d5..4aab1a8191f0 100644 +--- a/block/bfq-wf2q.c ++++ b/block/bfq-wf2q.c +@@ -1667,15 +1667,15 @@ void bfq_del_bfqq_busy(struct bfq_data *bfqd, struct bfq_queue *bfqq, + + bfqd->busy_queues--; + +- if (!bfqq->dispatched) +- bfq_weights_tree_remove(bfqd, bfqq); +- + if (bfqq->wr_coeff > 1) + bfqd->wr_busy_queues--; + + bfqg_stats_update_dequeue(bfqq_group(bfqq)); + + bfq_deactivate_bfqq(bfqd, bfqq, true, expiration); ++ ++ if (!bfqq->dispatched) ++ bfq_weights_tree_remove(bfqd, bfqq); + } + + /* +-- +2.19.1 + diff --git a/queue-5.0/bpf-fix-missing-prototype-warnings.patch b/queue-5.0/bpf-fix-missing-prototype-warnings.patch new file mode 100644 index 00000000000..f7bcb470175 --- /dev/null +++ b/queue-5.0/bpf-fix-missing-prototype-warnings.patch @@ -0,0 +1,49 @@ +From 1eec6503cd0a38f0944e9c76211457a2748b0f36 Mon Sep 17 00:00:00 2001 +From: Valdis Kletnieks +Date: Tue, 29 Jan 2019 01:04:25 -0500 +Subject: bpf: fix missing prototype warnings + +[ Upstream commit 116bfa96a255123ed209da6544f74a4f2eaca5da ] + +Compiling with W=1 generates warnings: + + CC kernel/bpf/core.o +kernel/bpf/core.c:721:12: warning: no previous prototype for ?bpf_jit_alloc_exec_limit? [-Wmissing-prototypes] + 721 | u64 __weak bpf_jit_alloc_exec_limit(void) + | ^~~~~~~~~~~~~~~~~~~~~~~~ +kernel/bpf/core.c:757:14: warning: no previous prototype for ?bpf_jit_alloc_exec? [-Wmissing-prototypes] + 757 | void *__weak bpf_jit_alloc_exec(unsigned long size) + | ^~~~~~~~~~~~~~~~~~ +kernel/bpf/core.c:762:13: warning: no previous prototype for ?bpf_jit_free_exec? [-Wmissing-prototypes] + 762 | void __weak bpf_jit_free_exec(void *addr) + | ^~~~~~~~~~~~~~~~~ + +All three are weak functions that archs can override, provide +proper prototypes for when a new arch provides their own. + +Signed-off-by: Valdis Kletnieks +Acked-by: Song Liu +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + include/linux/filter.h | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/include/linux/filter.h b/include/linux/filter.h +index e532fcc6e4b5..3358646a8e7a 100644 +--- a/include/linux/filter.h ++++ b/include/linux/filter.h +@@ -874,7 +874,9 @@ bpf_jit_binary_alloc(unsigned int proglen, u8 **image_ptr, + unsigned int alignment, + bpf_jit_fill_hole_t bpf_fill_ill_insns); + void bpf_jit_binary_free(struct bpf_binary_header *hdr); +- ++u64 bpf_jit_alloc_exec_limit(void); ++void *bpf_jit_alloc_exec(unsigned long size); ++void bpf_jit_free_exec(void *addr); + void bpf_jit_free(struct bpf_prog *fp); + + int bpf_jit_get_func_addr(const struct bpf_prog *prog, +-- +2.19.1 + diff --git a/queue-5.0/bpf-test_maps-fix-possible-out-of-bound-access-warni.patch b/queue-5.0/bpf-test_maps-fix-possible-out-of-bound-access-warni.patch new file mode 100644 index 00000000000..bda2c5fa180 --- /dev/null +++ b/queue-5.0/bpf-test_maps-fix-possible-out-of-bound-access-warni.patch @@ -0,0 +1,156 @@ +From 09ea04f6f564d5af569fc6e4d295b7fb8e1ab71b Mon Sep 17 00:00:00 2001 +From: Breno Leitao +Date: Tue, 5 Feb 2019 15:12:34 -0200 +Subject: bpf: test_maps: fix possible out of bound access warning +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit dd9cef43c222df7c0d76d34451808e789952379d ] + +When compiling test_maps selftest with GCC-8, it warns that an array +might be indexed with a negative value, which could cause a negative +out of bound access, depending on parameters of the function. This +is the GCC-8 warning: + + gcc -Wall -O2 -I../../../include/uapi -I../../../lib -I../../../lib/bpf -I../../../../include/generated -DHAVE_GENHDR -I../../../include test_maps.c /home/breno/Devel/linux/tools/testing/selftests/bpf/libbpf.a -lcap -lelf -lrt -lpthread -o /home/breno/Devel/linux/tools/testing/selftests/bpf/test_maps + In file included from test_maps.c:16: + test_maps.c: In function ‘run_all_tests’: + test_maps.c:1079:10: warning: array subscript -1 is below array bounds of ‘pid_t[ + 1]’ [-Warray-bounds] + assert(waitpid(pid[i], &status, 0) == pid[i]); + ^~~~~~~~~~~~~~~~~~~~~~~~~~~ + test_maps.c:1059:6: warning: array subscript -1 is below array bounds of ‘pid_t[ + 1]’ [-Warray-bounds] + pid[i] = fork(); + ~~~^~~ + +This patch simply guarantees that the task(s) variables are unsigned, +thus, they could never be a negative number (which they are not in +current code anyway), hence avoiding an out of bound access warning. + +Signed-off-by: Breno Leitao +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/test_maps.c | 27 +++++++++++++------------ + 1 file changed, 14 insertions(+), 13 deletions(-) + +diff --git a/tools/testing/selftests/bpf/test_maps.c b/tools/testing/selftests/bpf/test_maps.c +index e2b9eee37187..6e05a22b346c 100644 +--- a/tools/testing/selftests/bpf/test_maps.c ++++ b/tools/testing/selftests/bpf/test_maps.c +@@ -43,7 +43,7 @@ static int map_flags; + } \ + }) + +-static void test_hashmap(int task, void *data) ++static void test_hashmap(unsigned int task, void *data) + { + long long key, next_key, first_key, value; + int fd; +@@ -133,7 +133,7 @@ static void test_hashmap(int task, void *data) + close(fd); + } + +-static void test_hashmap_sizes(int task, void *data) ++static void test_hashmap_sizes(unsigned int task, void *data) + { + int fd, i, j; + +@@ -153,7 +153,7 @@ static void test_hashmap_sizes(int task, void *data) + } + } + +-static void test_hashmap_percpu(int task, void *data) ++static void test_hashmap_percpu(unsigned int task, void *data) + { + unsigned int nr_cpus = bpf_num_possible_cpus(); + BPF_DECLARE_PERCPU(long, value); +@@ -280,7 +280,7 @@ static int helper_fill_hashmap(int max_entries) + return fd; + } + +-static void test_hashmap_walk(int task, void *data) ++static void test_hashmap_walk(unsigned int task, void *data) + { + int fd, i, max_entries = 1000; + long long key, value, next_key; +@@ -351,7 +351,7 @@ static void test_hashmap_zero_seed(void) + close(second); + } + +-static void test_arraymap(int task, void *data) ++static void test_arraymap(unsigned int task, void *data) + { + int key, next_key, fd; + long long value; +@@ -406,7 +406,7 @@ static void test_arraymap(int task, void *data) + close(fd); + } + +-static void test_arraymap_percpu(int task, void *data) ++static void test_arraymap_percpu(unsigned int task, void *data) + { + unsigned int nr_cpus = bpf_num_possible_cpus(); + BPF_DECLARE_PERCPU(long, values); +@@ -502,7 +502,7 @@ static void test_arraymap_percpu_many_keys(void) + close(fd); + } + +-static void test_devmap(int task, void *data) ++static void test_devmap(unsigned int task, void *data) + { + int fd; + __u32 key, value; +@@ -517,7 +517,7 @@ static void test_devmap(int task, void *data) + close(fd); + } + +-static void test_queuemap(int task, void *data) ++static void test_queuemap(unsigned int task, void *data) + { + const int MAP_SIZE = 32; + __u32 vals[MAP_SIZE + MAP_SIZE/2], val; +@@ -575,7 +575,7 @@ static void test_queuemap(int task, void *data) + close(fd); + } + +-static void test_stackmap(int task, void *data) ++static void test_stackmap(unsigned int task, void *data) + { + const int MAP_SIZE = 32; + __u32 vals[MAP_SIZE + MAP_SIZE/2], val; +@@ -641,7 +641,7 @@ static void test_stackmap(int task, void *data) + #define SOCKMAP_PARSE_PROG "./sockmap_parse_prog.o" + #define SOCKMAP_VERDICT_PROG "./sockmap_verdict_prog.o" + #define SOCKMAP_TCP_MSG_PROG "./sockmap_tcp_msg_prog.o" +-static void test_sockmap(int tasks, void *data) ++static void test_sockmap(unsigned int tasks, void *data) + { + struct bpf_map *bpf_map_rx, *bpf_map_tx, *bpf_map_msg, *bpf_map_break; + int map_fd_msg = 0, map_fd_rx = 0, map_fd_tx = 0, map_fd_break; +@@ -1258,10 +1258,11 @@ static void test_map_large(void) + } + + #define run_parallel(N, FN, DATA) \ +- printf("Fork %d tasks to '" #FN "'\n", N); \ ++ printf("Fork %u tasks to '" #FN "'\n", N); \ + __run_parallel(N, FN, DATA) + +-static void __run_parallel(int tasks, void (*fn)(int task, void *data), ++static void __run_parallel(unsigned int tasks, ++ void (*fn)(unsigned int task, void *data), + void *data) + { + pid_t pid[tasks]; +@@ -1302,7 +1303,7 @@ static void test_map_stress(void) + #define DO_UPDATE 1 + #define DO_DELETE 0 + +-static void test_update_delete(int fn, void *data) ++static void test_update_delete(unsigned int fn, void *data) + { + int do_update = ((int *)data)[1]; + int fd = ((int *)data)[0]; +-- +2.19.1 + diff --git a/queue-5.0/brcmfmac-use-firmware_request_nowarn-for-the-clm_blo.patch b/queue-5.0/brcmfmac-use-firmware_request_nowarn-for-the-clm_blo.patch new file mode 100644 index 00000000000..58c3323aea3 --- /dev/null +++ b/queue-5.0/brcmfmac-use-firmware_request_nowarn-for-the-clm_blo.patch @@ -0,0 +1,55 @@ +From 361235d8c79ba5e8a21268c4d83f95974fab2f10 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Mon, 7 Jan 2019 14:33:27 +0100 +Subject: brcmfmac: Use firmware_request_nowarn for the clm_blob + +[ Upstream commit 4ad0be160544ffbdafb7cec39bb8e6dd0a97317a ] + +The linux-firmware brcmfmac firmware files contain an embedded table with +per country allowed channels and strength info. + +For recent hardware these versions of the firmware are specially build for +linux-firmware, the firmware files directly available from Cypress rely on +a separate clm_blob file for this info. + +For some unknown reason Cypress refuses to provide the standard firmware +files + clm_blob files it uses elsewhere for inclusion into linux-firmware, +instead relying on these special builds with the clm_blob info embedded. +This means that the linux-firmware firmware versions often lag behind, +but I digress. + +The brcmfmac driver does support the separate clm_blob file and always +tries to load this. Currently we use request_firmware for this. This means +that on any standard install, using the standard combo of linux-kernel + +linux-firmware, we will get a warning: +"Direct firmware load for ... failed with error -2" + +On top of this, brcmfmac itself prints: "no clm_blob available (err=-2), +device may have limited channels available". + +This commit switches to firmware_request_nowarn, fixing almost any brcmfmac +device logging the warning (it leaves the brcmfmac info message in place). + +Signed-off-by: Hans de Goede +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c +index 1f1e95a15a17..0ce1d8174e6d 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c +@@ -149,7 +149,7 @@ static int brcmf_c_process_clm_blob(struct brcmf_if *ifp) + return err; + } + +- err = request_firmware(&clm, clm_name, bus->dev); ++ err = firmware_request_nowarn(&clm, clm_name, bus->dev); + if (err) { + brcmf_info("no clm_blob available (err=%d), device may have limited channels available\n", + err); +-- +2.19.1 + diff --git a/queue-5.0/btrfs-don-t-enospc-all-tickets-on-flush-failure.patch b/queue-5.0/btrfs-don-t-enospc-all-tickets-on-flush-failure.patch new file mode 100644 index 00000000000..47f7909ee28 --- /dev/null +++ b/queue-5.0/btrfs-don-t-enospc-all-tickets-on-flush-failure.patch @@ -0,0 +1,159 @@ +From 97ab9e8ed89fdf135cfa70c7b26cd13719831add Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Wed, 21 Nov 2018 14:03:10 -0500 +Subject: btrfs: don't enospc all tickets on flush failure + +[ Upstream commit f91587e4151e84f798f37839dddd3e4152fb4c76 ] + +With the introduction of the per-inode block_rsv it became possible to +have really really large reservation requests made because of data +fragmentation. Since the ticket stuff assumed that we'd always have +relatively small reservation requests it just killed all tickets if we +were unable to satisfy the current request. + +However, this is generally not the case anymore. So fix this logic to +instead see if we had a ticket that we were able to give some +reservation to, and if we were continue the flushing loop again. + +Likewise we make the tickets use the space_info_add_old_bytes() method +of returning what reservation they did receive in hopes that it could +satisfy reservations down the line. + +Reviewed-by: Nikolay Borisov +Signed-off-by: Josef Bacik +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/extent-tree.c | 45 +++++++++++++++++++++++------------------- + 1 file changed, 25 insertions(+), 20 deletions(-) + +diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c +index a9656685a951..1b68700bc1c5 100644 +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -4808,6 +4808,7 @@ skip_async: + } + + struct reserve_ticket { ++ u64 orig_bytes; + u64 bytes; + int error; + struct list_head list; +@@ -5030,7 +5031,7 @@ static inline int need_do_async_reclaim(struct btrfs_fs_info *fs_info, + !test_bit(BTRFS_FS_STATE_REMOUNTING, &fs_info->fs_state)); + } + +-static void wake_all_tickets(struct list_head *head) ++static bool wake_all_tickets(struct list_head *head) + { + struct reserve_ticket *ticket; + +@@ -5039,7 +5040,10 @@ static void wake_all_tickets(struct list_head *head) + list_del_init(&ticket->list); + ticket->error = -ENOSPC; + wake_up(&ticket->wait); ++ if (ticket->bytes != ticket->orig_bytes) ++ return true; + } ++ return false; + } + + /* +@@ -5094,8 +5098,12 @@ static void btrfs_async_reclaim_metadata_space(struct work_struct *work) + if (flush_state > COMMIT_TRANS) { + commit_cycles++; + if (commit_cycles > 2) { +- wake_all_tickets(&space_info->tickets); +- space_info->flush = 0; ++ if (wake_all_tickets(&space_info->tickets)) { ++ flush_state = FLUSH_DELAYED_ITEMS_NR; ++ commit_cycles--; ++ } else { ++ space_info->flush = 0; ++ } + } else { + flush_state = FLUSH_DELAYED_ITEMS_NR; + } +@@ -5147,10 +5155,11 @@ static void priority_reclaim_metadata_space(struct btrfs_fs_info *fs_info, + + static int wait_reserve_ticket(struct btrfs_fs_info *fs_info, + struct btrfs_space_info *space_info, +- struct reserve_ticket *ticket, u64 orig_bytes) ++ struct reserve_ticket *ticket) + + { + DEFINE_WAIT(wait); ++ u64 reclaim_bytes = 0; + int ret = 0; + + spin_lock(&space_info->lock); +@@ -5171,14 +5180,12 @@ static int wait_reserve_ticket(struct btrfs_fs_info *fs_info, + ret = ticket->error; + if (!list_empty(&ticket->list)) + list_del_init(&ticket->list); +- if (ticket->bytes && ticket->bytes < orig_bytes) { +- u64 num_bytes = orig_bytes - ticket->bytes; +- update_bytes_may_use(space_info, -num_bytes); +- trace_btrfs_space_reservation(fs_info, "space_info", +- space_info->flags, num_bytes, 0); +- } ++ if (ticket->bytes && ticket->bytes < ticket->orig_bytes) ++ reclaim_bytes = ticket->orig_bytes - ticket->bytes; + spin_unlock(&space_info->lock); + ++ if (reclaim_bytes) ++ space_info_add_old_bytes(fs_info, space_info, reclaim_bytes); + return ret; + } + +@@ -5204,6 +5211,7 @@ static int __reserve_metadata_bytes(struct btrfs_fs_info *fs_info, + { + struct reserve_ticket ticket; + u64 used; ++ u64 reclaim_bytes = 0; + int ret = 0; + + ASSERT(orig_bytes); +@@ -5239,6 +5247,7 @@ static int __reserve_metadata_bytes(struct btrfs_fs_info *fs_info, + * the list and we will do our own flushing further down. + */ + if (ret && flush != BTRFS_RESERVE_NO_FLUSH) { ++ ticket.orig_bytes = orig_bytes; + ticket.bytes = orig_bytes; + ticket.error = 0; + init_waitqueue_head(&ticket.wait); +@@ -5279,25 +5288,21 @@ static int __reserve_metadata_bytes(struct btrfs_fs_info *fs_info, + return ret; + + if (flush == BTRFS_RESERVE_FLUSH_ALL) +- return wait_reserve_ticket(fs_info, space_info, &ticket, +- orig_bytes); ++ return wait_reserve_ticket(fs_info, space_info, &ticket); + + ret = 0; + priority_reclaim_metadata_space(fs_info, space_info, &ticket); + spin_lock(&space_info->lock); + if (ticket.bytes) { +- if (ticket.bytes < orig_bytes) { +- u64 num_bytes = orig_bytes - ticket.bytes; +- update_bytes_may_use(space_info, -num_bytes); +- trace_btrfs_space_reservation(fs_info, "space_info", +- space_info->flags, +- num_bytes, 0); +- +- } ++ if (ticket.bytes < orig_bytes) ++ reclaim_bytes = orig_bytes - ticket.bytes; + list_del_init(&ticket.list); + ret = -ENOSPC; + } + spin_unlock(&space_info->lock); ++ ++ if (reclaim_bytes) ++ space_info_add_old_bytes(fs_info, space_info, reclaim_bytes); + ASSERT(list_empty(&ticket.list)); + return ret; + } +-- +2.19.1 + diff --git a/queue-5.0/btrfs-qgroup-make-qgroup-async-transaction-commit-mo.patch b/queue-5.0/btrfs-qgroup-make-qgroup-async-transaction-commit-mo.patch new file mode 100644 index 00000000000..c07f1b7e78a --- /dev/null +++ b/queue-5.0/btrfs-qgroup-make-qgroup-async-transaction-commit-mo.patch @@ -0,0 +1,117 @@ +From c6df68a8bde30b1839c74d3d40f79e87e6faf11c Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Fri, 25 Jan 2019 07:55:27 +0800 +Subject: btrfs: qgroup: Make qgroup async transaction commit more aggressive + +[ Upstream commit f5fef4593653dfa2a865c485bb81415de51d5c99 ] + +[BUG] +Btrfs qgroup will still hit EDQUOT under the following case: + + $ dev=/dev/test/test + $ mnt=/mnt/btrfs + $ umount $mnt &> /dev/null + $ umount $dev &> /dev/null + + $ mkfs.btrfs -f $dev + $ mount $dev $mnt -o nospace_cache + + $ btrfs subv create $mnt/subv + $ btrfs quota enable $mnt + $ btrfs quota rescan -w $mnt + $ btrfs qgroup limit -e 1G $mnt/subv + + $ fallocate -l 900M $mnt/subv/padding + $ sync + + $ rm $mnt/subv/padding + + # Hit EDQUOT + $ xfs_io -f -c "pwrite 0 512M" $mnt/subv/real_file + +[CAUSE] +Since commit a514d63882c3 ("btrfs: qgroup: Commit transaction in advance +to reduce early EDQUOT"), btrfs is not forced to commit transaction to +reclaim more quota space. + +Instead, we just check pertrans metadata reservation against some +threshold and try to do asynchronously transaction commit. + +However in above case, the pertrans metadata reservation is pretty small +thus it will never trigger asynchronous transaction commit. + +[FIX] +Instead of only accounting pertrans metadata reservation, we calculate +how much free space we have, and if there isn't much free space left, +commit transaction asynchronously to try to free some space. + +This may slow down the fs when we have less than 32M free qgroup space, +but should reduce a lot of false EDQUOT, so the cost should be +acceptable. + +Signed-off-by: Qu Wenruo +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/qgroup.c | 28 ++++++++++++++-------------- + 1 file changed, 14 insertions(+), 14 deletions(-) + +diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c +index 543dd5e66f31..e28fb43e943b 100644 +--- a/fs/btrfs/qgroup.c ++++ b/fs/btrfs/qgroup.c +@@ -2842,16 +2842,15 @@ out: + /* + * Two limits to commit transaction in advance. + * +- * For RATIO, it will be 1/RATIO of the remaining limit +- * (excluding data and prealloc meta) as threshold. ++ * For RATIO, it will be 1/RATIO of the remaining limit as threshold. + * For SIZE, it will be in byte unit as threshold. + */ +-#define QGROUP_PERTRANS_RATIO 32 +-#define QGROUP_PERTRANS_SIZE SZ_32M ++#define QGROUP_FREE_RATIO 32 ++#define QGROUP_FREE_SIZE SZ_32M + static bool qgroup_check_limits(struct btrfs_fs_info *fs_info, + const struct btrfs_qgroup *qg, u64 num_bytes) + { +- u64 limit; ++ u64 free; + u64 threshold; + + if ((qg->lim_flags & BTRFS_QGROUP_LIMIT_MAX_RFER) && +@@ -2870,20 +2869,21 @@ static bool qgroup_check_limits(struct btrfs_fs_info *fs_info, + */ + if ((qg->lim_flags & (BTRFS_QGROUP_LIMIT_MAX_RFER | + BTRFS_QGROUP_LIMIT_MAX_EXCL))) { +- if (qg->lim_flags & BTRFS_QGROUP_LIMIT_MAX_EXCL) +- limit = qg->max_excl; +- else +- limit = qg->max_rfer; +- threshold = (limit - qg->rsv.values[BTRFS_QGROUP_RSV_DATA] - +- qg->rsv.values[BTRFS_QGROUP_RSV_META_PREALLOC]) / +- QGROUP_PERTRANS_RATIO; +- threshold = min_t(u64, threshold, QGROUP_PERTRANS_SIZE); ++ if (qg->lim_flags & BTRFS_QGROUP_LIMIT_MAX_EXCL) { ++ free = qg->max_excl - qgroup_rsv_total(qg) - qg->excl; ++ threshold = min_t(u64, qg->max_excl / QGROUP_FREE_RATIO, ++ QGROUP_FREE_SIZE); ++ } else { ++ free = qg->max_rfer - qgroup_rsv_total(qg) - qg->rfer; ++ threshold = min_t(u64, qg->max_rfer / QGROUP_FREE_RATIO, ++ QGROUP_FREE_SIZE); ++ } + + /* + * Use transaction_kthread to commit transaction, so we no + * longer need to bother nested transaction nor lock context. + */ +- if (qg->rsv.values[BTRFS_QGROUP_RSV_META_PERTRANS] > threshold) ++ if (free < threshold) + btrfs_commit_transaction_locksafe(fs_info); + } + +-- +2.19.1 + diff --git a/queue-5.0/btrfs-save-drop_progress-if-we-drop-refs-at-all.patch b/queue-5.0/btrfs-save-drop_progress-if-we-drop-refs-at-all.patch new file mode 100644 index 00000000000..c9da1824e02 --- /dev/null +++ b/queue-5.0/btrfs-save-drop_progress-if-we-drop-refs-at-all.patch @@ -0,0 +1,153 @@ +From d64d6be387203cf28f3dd66a1998b9a6d481709b Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Wed, 6 Feb 2019 15:46:15 -0500 +Subject: btrfs: save drop_progress if we drop refs at all + +[ Upstream commit aea6f028d01d629eda2e958ccd1133e805cda159 ] + +Previously we only updated the drop_progress key if we were in the +DROP_REFERENCE stage of snapshot deletion. This is because the +UPDATE_BACKREF stage checks the flags of the blocks it's converting to +FULL_BACKREF, so if we go over a block we processed before it doesn't +matter, we just don't do anything. + +The problem is in do_walk_down() we will go ahead and drop the roots +reference to any blocks that we know we won't need to walk into. + +Given subvolume A and snapshot B. The root of B points to all of the +nodes that belong to A, so all of those nodes have a refcnt > 1. If B +did not modify those blocks it'll hit this condition in do_walk_down + +if (!wc->update_ref || + generation <= root->root_key.offset) + goto skip; + +and in "goto skip" we simply do a btrfs_free_extent() for that bytenr +that we point at. + +Now assume we modified some data in B, and then took a snapshot of B and +call it C. C points to all the nodes in B, making every node the root +of B points to have a refcnt > 1. This assumes the root level is 2 or +higher. + +We delete snapshot B, which does the above work in do_walk_down, +free'ing our ref for nodes we share with A that we didn't modify. Now +we hit a node we _did_ modify, thus we own. We need to walk down into +this node and we set wc->stage == UPDATE_BACKREF. We walk down to level +0 which we also own because we modified data. We can't walk any further +down and thus now need to walk up and start the next part of the +deletion. Now walk_up_proc is supposed to put us back into +DROP_REFERENCE, but there's an exception to this + +if (level < wc->shared_level) + goto out; + +we are at level == 0, and our shared_level == 1. We skip out of this +one and go up to level 1. Since path->slots[1] < nritems we +path->slots[1]++ and break out of walk_up_tree to stop our transaction +and loop back around. Now in btrfs_drop_snapshot we have this snippet + +if (wc->stage == DROP_REFERENCE) { + level = wc->level; + btrfs_node_key(path->nodes[level], + &root_item->drop_progress, + path->slots[level]); + root_item->drop_level = level; +} + +our stage == UPDATE_BACKREF still, so we don't update the drop_progress +key. This is a problem because we would have done btrfs_free_extent() +for the nodes leading up to our current position. If we crash or +unmount here and go to remount we'll start over where we were before and +try to free our ref for blocks we've already freed, and thus abort() +out. + +Fix this by keeping track of the last place we dropped a reference for +our block in do_walk_down. Then if wc->stage == UPDATE_BACKREF we know +we'll start over from a place we meant to, and otherwise things continue +to work as they did before. + +I have a complicated reproducer for this problem, without this patch +we'll fail to fsck the fs when replaying the log writes log. With this +patch we can replay the whole log without any fsck or mount failures. + +The steps to reproduce this easily are sort of tricky, I had to add a +couple of debug patches to the kernel in order to make it easy, +basically I just needed to make sure we did actually commit the +transaction every time we finished a walk_down_tree/walk_up_tree combo. + +The reproducer: + +1) Creates a base subvolume. +2) Creates 100k files in the subvolume. +3) Snapshots the base subvolume (snap1). +4) Touches files 5000-6000 in snap1. +5) Snapshots snap1 (snap2). +6) Deletes snap1. + +I do this with dm-log-writes, and then replay to every FUA in the log +and fsck the fs. + +Reviewed-by: Filipe Manana +Signed-off-by: Josef Bacik +[ copy reproducer steps ] +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/extent-tree.c | 26 ++++++++++++++++++++------ + 1 file changed, 20 insertions(+), 6 deletions(-) + +diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c +index 0a6615573351..a9656685a951 100644 +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -8690,6 +8690,8 @@ struct walk_control { + u64 refs[BTRFS_MAX_LEVEL]; + u64 flags[BTRFS_MAX_LEVEL]; + struct btrfs_key update_progress; ++ struct btrfs_key drop_progress; ++ int drop_level; + int stage; + int level; + int shared_level; +@@ -9028,6 +9030,16 @@ skip: + ret); + } + } ++ ++ /* ++ * We need to update the next key in our walk control so we can ++ * update the drop_progress key accordingly. We don't care if ++ * find_next_key doesn't find a key because that means we're at ++ * the end and are going to clean up now. ++ */ ++ wc->drop_level = level; ++ find_next_key(path, level, &wc->drop_progress); ++ + ret = btrfs_free_extent(trans, root, bytenr, fs_info->nodesize, + parent, root->root_key.objectid, + level - 1, 0); +@@ -9378,12 +9390,14 @@ int btrfs_drop_snapshot(struct btrfs_root *root, + } + + if (wc->stage == DROP_REFERENCE) { +- level = wc->level; +- btrfs_node_key(path->nodes[level], +- &root_item->drop_progress, +- path->slots[level]); +- root_item->drop_level = level; +- } ++ wc->drop_level = wc->level; ++ btrfs_node_key_to_cpu(path->nodes[wc->drop_level], ++ &wc->drop_progress, ++ path->slots[wc->drop_level]); ++ } ++ btrfs_cpu_key_to_disk(&root_item->drop_progress, ++ &wc->drop_progress); ++ root_item->drop_level = wc->drop_level; + + BUG_ON(wc->level == 0); + if (btrfs_should_end_transaction(trans) || +-- +2.19.1 + diff --git a/queue-5.0/cdrom-fix-race-condition-in-cdrom_sysctl_register.patch b/queue-5.0/cdrom-fix-race-condition-in-cdrom_sysctl_register.patch new file mode 100644 index 00000000000..e476bd95e25 --- /dev/null +++ b/queue-5.0/cdrom-fix-race-condition-in-cdrom_sysctl_register.patch @@ -0,0 +1,99 @@ +From 3a5a49be0906ff3d8e7ddcd7eec62ac4d93a994a Mon Sep 17 00:00:00 2001 +From: Guenter Roeck +Date: Wed, 6 Feb 2019 21:13:49 -0800 +Subject: cdrom: Fix race condition in cdrom_sysctl_register + +[ Upstream commit f25191bb322dec8fa2979ecb8235643aa42470e1 ] + +The following traceback is sometimes seen when booting an image in qemu: + +[ 54.608293] cdrom: Uniform CD-ROM driver Revision: 3.20 +[ 54.611085] Fusion MPT base driver 3.04.20 +[ 54.611877] Copyright (c) 1999-2008 LSI Corporation +[ 54.616234] Fusion MPT SAS Host driver 3.04.20 +[ 54.635139] sysctl duplicate entry: /dev/cdrom//info +[ 54.639578] CPU: 0 PID: 266 Comm: kworker/u4:5 Not tainted 5.0.0-rc5 #1 +[ 54.639578] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 +[ 54.641273] Workqueue: events_unbound async_run_entry_fn +[ 54.641273] Call Trace: +[ 54.641273] dump_stack+0x67/0x90 +[ 54.641273] __register_sysctl_table+0x50b/0x570 +[ 54.641273] ? rcu_read_lock_sched_held+0x6f/0x80 +[ 54.641273] ? kmem_cache_alloc_trace+0x1c7/0x1f0 +[ 54.646814] __register_sysctl_paths+0x1c8/0x1f0 +[ 54.646814] cdrom_sysctl_register.part.7+0xc/0x5f +[ 54.646814] register_cdrom.cold.24+0x2a/0x33 +[ 54.646814] sr_probe+0x4bd/0x580 +[ 54.646814] ? __driver_attach+0xd0/0xd0 +[ 54.646814] really_probe+0xd6/0x260 +[ 54.646814] ? __driver_attach+0xd0/0xd0 +[ 54.646814] driver_probe_device+0x4a/0xb0 +[ 54.646814] ? __driver_attach+0xd0/0xd0 +[ 54.646814] bus_for_each_drv+0x73/0xc0 +[ 54.646814] __device_attach+0xd6/0x130 +[ 54.646814] bus_probe_device+0x9a/0xb0 +[ 54.646814] device_add+0x40c/0x670 +[ 54.646814] ? __pm_runtime_resume+0x4f/0x80 +[ 54.646814] scsi_sysfs_add_sdev+0x81/0x290 +[ 54.646814] scsi_probe_and_add_lun+0x888/0xc00 +[ 54.646814] ? scsi_autopm_get_host+0x21/0x40 +[ 54.646814] __scsi_add_device+0x116/0x130 +[ 54.646814] ata_scsi_scan_host+0x93/0x1c0 +[ 54.646814] async_run_entry_fn+0x34/0x100 +[ 54.646814] process_one_work+0x237/0x5e0 +[ 54.646814] worker_thread+0x37/0x380 +[ 54.646814] ? rescuer_thread+0x360/0x360 +[ 54.646814] kthread+0x118/0x130 +[ 54.646814] ? kthread_create_on_node+0x60/0x60 +[ 54.646814] ret_from_fork+0x3a/0x50 + +The only sensible explanation is that cdrom_sysctl_register() is called +twice, once from the module init function and once from register_cdrom(). +cdrom_sysctl_register() is not mutex protected and may happily execute +twice if the second call is made before the first call is complete. + +Use a static atomic to ensure that the function is executed exactly once. + +Signed-off-by: Guenter Roeck +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/cdrom/cdrom.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c +index 614ecdbb4ab7..933268b8d6a5 100644 +--- a/drivers/cdrom/cdrom.c ++++ b/drivers/cdrom/cdrom.c +@@ -265,6 +265,7 @@ + /* #define ERRLOGMASK (CD_WARNING|CD_OPEN|CD_COUNT_TRACKS|CD_CLOSE) */ + /* #define ERRLOGMASK (CD_WARNING|CD_REG_UNREG|CD_DO_IOCTL|CD_OPEN|CD_CLOSE|CD_COUNT_TRACKS) */ + ++#include + #include + #include + #include +@@ -3692,9 +3693,9 @@ static struct ctl_table_header *cdrom_sysctl_header; + + static void cdrom_sysctl_register(void) + { +- static int initialized; ++ static atomic_t initialized = ATOMIC_INIT(0); + +- if (initialized == 1) ++ if (!atomic_add_unless(&initialized, 1, 1)) + return; + + cdrom_sysctl_header = register_sysctl_table(cdrom_root_table); +@@ -3705,8 +3706,6 @@ static void cdrom_sysctl_register(void) + cdrom_sysctl_settings.debug = debug; + cdrom_sysctl_settings.lock = lockdoor; + cdrom_sysctl_settings.check = check_media_type; +- +- initialized = 1; + } + + static void cdrom_sysctl_unregister(void) +-- +2.19.1 + diff --git a/queue-5.0/cgroup-pids-turn-cgroup_subsys-free-into-cgroup_subs.patch b/queue-5.0/cgroup-pids-turn-cgroup_subsys-free-into-cgroup_subs.patch new file mode 100644 index 00000000000..f41b9c70b24 --- /dev/null +++ b/queue-5.0/cgroup-pids-turn-cgroup_subsys-free-into-cgroup_subs.patch @@ -0,0 +1,173 @@ +From 0b9efa305046bf251ecda27a6f8f22c4b5e3592d Mon Sep 17 00:00:00 2001 +From: Oleg Nesterov +Date: Mon, 28 Jan 2019 17:00:13 +0100 +Subject: cgroup/pids: turn cgroup_subsys->free() into cgroup_subsys->release() + to fix the accounting + +[ Upstream commit 51bee5abeab2058ea5813c5615d6197a23dbf041 ] + +The only user of cgroup_subsys->free() callback is pids_cgrp_subsys which +needs pids_free() to uncharge the pid. + +However, ->free() is called from __put_task_struct()->cgroup_free() and this +is too late. Even the trivial program which does + + for (;;) { + int pid = fork(); + assert(pid >= 0); + if (pid) + wait(NULL); + else + exit(0); + } + +can run out of limits because release_task()->call_rcu(delayed_put_task_struct) +implies an RCU gp after the task/pid goes away and before the final put(). + +Test-case: + + mkdir -p /tmp/CG + mount -t cgroup2 none /tmp/CG + echo '+pids' > /tmp/CG/cgroup.subtree_control + + mkdir /tmp/CG/PID + echo 2 > /tmp/CG/PID/pids.max + + perl -e 'while ($p = fork) { wait; } $p // die "fork failed: $!\n"' & + echo $! > /tmp/CG/PID/cgroup.procs + +Without this patch the forking process fails soon after migration. + +Rename cgroup_subsys->free() to cgroup_subsys->release() and move the callsite +into the new helper, cgroup_release(), called by release_task() which actually +frees the pid(s). + +Reported-by: Herton R. Krzesinski +Reported-by: Jan Stancek +Signed-off-by: Oleg Nesterov +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +--- + include/linux/cgroup-defs.h | 2 +- + include/linux/cgroup.h | 2 ++ + kernel/cgroup/cgroup.c | 15 +++++++++------ + kernel/cgroup/pids.c | 4 ++-- + kernel/exit.c | 1 + + 5 files changed, 15 insertions(+), 9 deletions(-) + +diff --git a/include/linux/cgroup-defs.h b/include/linux/cgroup-defs.h +index 8fcbae1b8db0..120d1d40704b 100644 +--- a/include/linux/cgroup-defs.h ++++ b/include/linux/cgroup-defs.h +@@ -602,7 +602,7 @@ struct cgroup_subsys { + void (*cancel_fork)(struct task_struct *task); + void (*fork)(struct task_struct *task); + void (*exit)(struct task_struct *task); +- void (*free)(struct task_struct *task); ++ void (*release)(struct task_struct *task); + void (*bind)(struct cgroup_subsys_state *root_css); + + bool early_init:1; +diff --git a/include/linux/cgroup.h b/include/linux/cgroup.h +index 9968332cceed..81f58b4a5418 100644 +--- a/include/linux/cgroup.h ++++ b/include/linux/cgroup.h +@@ -121,6 +121,7 @@ extern int cgroup_can_fork(struct task_struct *p); + extern void cgroup_cancel_fork(struct task_struct *p); + extern void cgroup_post_fork(struct task_struct *p); + void cgroup_exit(struct task_struct *p); ++void cgroup_release(struct task_struct *p); + void cgroup_free(struct task_struct *p); + + int cgroup_init_early(void); +@@ -697,6 +698,7 @@ static inline int cgroup_can_fork(struct task_struct *p) { return 0; } + static inline void cgroup_cancel_fork(struct task_struct *p) {} + static inline void cgroup_post_fork(struct task_struct *p) {} + static inline void cgroup_exit(struct task_struct *p) {} ++static inline void cgroup_release(struct task_struct *p) {} + static inline void cgroup_free(struct task_struct *p) {} + + static inline int cgroup_init_early(void) { return 0; } +diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c +index 503bba3c4bae..f84bf28f36ba 100644 +--- a/kernel/cgroup/cgroup.c ++++ b/kernel/cgroup/cgroup.c +@@ -197,7 +197,7 @@ static u64 css_serial_nr_next = 1; + */ + static u16 have_fork_callback __read_mostly; + static u16 have_exit_callback __read_mostly; +-static u16 have_free_callback __read_mostly; ++static u16 have_release_callback __read_mostly; + static u16 have_canfork_callback __read_mostly; + + /* cgroup namespace for init task */ +@@ -5316,7 +5316,7 @@ static void __init cgroup_init_subsys(struct cgroup_subsys *ss, bool early) + + have_fork_callback |= (bool)ss->fork << ss->id; + have_exit_callback |= (bool)ss->exit << ss->id; +- have_free_callback |= (bool)ss->free << ss->id; ++ have_release_callback |= (bool)ss->release << ss->id; + have_canfork_callback |= (bool)ss->can_fork << ss->id; + + /* At system boot, before all subsystems have been +@@ -5752,16 +5752,19 @@ void cgroup_exit(struct task_struct *tsk) + } while_each_subsys_mask(); + } + +-void cgroup_free(struct task_struct *task) ++void cgroup_release(struct task_struct *task) + { +- struct css_set *cset = task_css_set(task); + struct cgroup_subsys *ss; + int ssid; + +- do_each_subsys_mask(ss, ssid, have_free_callback) { +- ss->free(task); ++ do_each_subsys_mask(ss, ssid, have_release_callback) { ++ ss->release(task); + } while_each_subsys_mask(); ++} + ++void cgroup_free(struct task_struct *task) ++{ ++ struct css_set *cset = task_css_set(task); + put_css_set(cset); + } + +diff --git a/kernel/cgroup/pids.c b/kernel/cgroup/pids.c +index 9829c67ebc0a..c9960baaa14f 100644 +--- a/kernel/cgroup/pids.c ++++ b/kernel/cgroup/pids.c +@@ -247,7 +247,7 @@ static void pids_cancel_fork(struct task_struct *task) + pids_uncharge(pids, 1); + } + +-static void pids_free(struct task_struct *task) ++static void pids_release(struct task_struct *task) + { + struct pids_cgroup *pids = css_pids(task_css(task, pids_cgrp_id)); + +@@ -342,7 +342,7 @@ struct cgroup_subsys pids_cgrp_subsys = { + .cancel_attach = pids_cancel_attach, + .can_fork = pids_can_fork, + .cancel_fork = pids_cancel_fork, +- .free = pids_free, ++ .release = pids_release, + .legacy_cftypes = pids_files, + .dfl_cftypes = pids_files, + .threaded = true, +diff --git a/kernel/exit.c b/kernel/exit.c +index 2639a30a8aa5..2166c2d92ddc 100644 +--- a/kernel/exit.c ++++ b/kernel/exit.c +@@ -219,6 +219,7 @@ repeat: + } + + write_unlock_irq(&tasklist_lock); ++ cgroup_release(p); + release_thread(p); + call_rcu(&p->rcu, delayed_put_task_struct); + +-- +2.19.1 + diff --git a/queue-5.0/cgroup-rstat-don-t-flush-subtree-root-unless-necessa.patch b/queue-5.0/cgroup-rstat-don-t-flush-subtree-root-unless-necessa.patch new file mode 100644 index 00000000000..eb1ace76207 --- /dev/null +++ b/queue-5.0/cgroup-rstat-don-t-flush-subtree-root-unless-necessa.patch @@ -0,0 +1,72 @@ +From a193c0bf04e55acbf678a3db0b633b80e356e99d Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Fri, 15 Feb 2019 11:01:31 -0800 +Subject: cgroup, rstat: Don't flush subtree root unless necessary + +[ Upstream commit b4ff1b44bcd384d22fcbac6ebaf9cc0d33debe50 ] + +cgroup_rstat_cpu_pop_updated() is used to traverse the updated cgroups +on flush. While it was only visiting updated ones in the subtree, it +was visiting @root unconditionally. We can easily check whether @root +is updated or not by looking at its ->updated_next just as with the +cgroups in the subtree. + +* Remove the unnecessary cgroup_parent() test. The system root cgroup + is never updated and thus its ->updated_next is always NULL. No + need to test whether cgroup_parent() exists in addition to + ->updated_next. + +* Terminate traverse if ->updated_next is NULL. This can only happen + for subtree @root and there's no reason to visit it if it's not + marked updated. + +This reduces cpu consumption when reading a lot of rstat backed files. +In a micro benchmark reading stat from ~1600 cgroups, the sys time was +lowered by >40%. + +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +--- + kernel/cgroup/rstat.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/kernel/cgroup/rstat.c b/kernel/cgroup/rstat.c +index d503d1a9007c..bb95a35e8c2d 100644 +--- a/kernel/cgroup/rstat.c ++++ b/kernel/cgroup/rstat.c +@@ -87,7 +87,6 @@ static struct cgroup *cgroup_rstat_cpu_pop_updated(struct cgroup *pos, + struct cgroup *root, int cpu) + { + struct cgroup_rstat_cpu *rstatc; +- struct cgroup *parent; + + if (pos == root) + return NULL; +@@ -115,8 +114,8 @@ static struct cgroup *cgroup_rstat_cpu_pop_updated(struct cgroup *pos, + * However, due to the way we traverse, @pos will be the first + * child in most cases. The only exception is @root. + */ +- parent = cgroup_parent(pos); +- if (parent && rstatc->updated_next) { ++ if (rstatc->updated_next) { ++ struct cgroup *parent = cgroup_parent(pos); + struct cgroup_rstat_cpu *prstatc = cgroup_rstat_cpu(parent, cpu); + struct cgroup_rstat_cpu *nrstatc; + struct cgroup **nextp; +@@ -140,9 +139,12 @@ static struct cgroup *cgroup_rstat_cpu_pop_updated(struct cgroup *pos, + * updated stat. + */ + smp_mb(); ++ ++ return pos; + } + +- return pos; ++ /* only happens for @root */ ++ return NULL; + } + + /* see cgroup_rstat_flush() */ +-- +2.19.1 + diff --git a/queue-5.0/cifs-accept-validate-negotiate-if-server-return-nt_s.patch b/queue-5.0/cifs-accept-validate-negotiate-if-server-return-nt_s.patch new file mode 100644 index 00000000000..46dd3f9802d --- /dev/null +++ b/queue-5.0/cifs-accept-validate-negotiate-if-server-return-nt_s.patch @@ -0,0 +1,55 @@ +From 63aa588537f6d4811a08192950f84688a34143b4 Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Tue, 22 Jan 2019 09:46:45 +0900 +Subject: cifs: Accept validate negotiate if server return + NT_STATUS_NOT_SUPPORTED + +[ Upstream commit 969ae8e8d4ee54c99134d3895f2adf96047f5bee ] + +Old windows version or Netapp SMB server will return +NT_STATUS_NOT_SUPPORTED since they do not allow or implement +FSCTL_VALIDATE_NEGOTIATE_INFO. The client should accept the response +provided it's properly signed. + +See +https://blogs.msdn.microsoft.com/openspecification/2012/06/28/smb3-secure-dialect-negotiation/ + +and + +MS-SMB2 validate negotiate response processing: +https://msdn.microsoft.com/en-us/library/hh880630.aspx + +Samba client had already handled it. +https://bugzilla.samba.org/attachment.cgi?id=13285&action=edit + +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/smb2pdu.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c +index 104905732fbe..53642a237bf9 100644 +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -986,8 +986,14 @@ int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon) + rc = SMB2_ioctl(xid, tcon, NO_FILE_ID, NO_FILE_ID, + FSCTL_VALIDATE_NEGOTIATE_INFO, true /* is_fsctl */, + (char *)pneg_inbuf, inbuflen, (char **)&pneg_rsp, &rsplen); +- +- if (rc != 0) { ++ if (rc == -EOPNOTSUPP) { ++ /* ++ * Old Windows versions or Netapp SMB server can return ++ * not supported error. Client should accept it. ++ */ ++ cifs_dbg(VFS, "Server does not support validate negotiate\n"); ++ return 0; ++ } else if (rc != 0) { + cifs_dbg(VFS, "validate protocol negotiate failed: %d\n", rc); + rc = -EIO; + goto out_free_inbuf; +-- +2.19.1 + diff --git a/queue-5.0/cifs-fix-null-pointer-dereference-of-devname.patch b/queue-5.0/cifs-fix-null-pointer-dereference-of-devname.patch new file mode 100644 index 00000000000..554f9ef5739 --- /dev/null +++ b/queue-5.0/cifs-fix-null-pointer-dereference-of-devname.patch @@ -0,0 +1,60 @@ +From 8e9d886106b559d70d18c4837b14eeae478c2ed2 Mon Sep 17 00:00:00 2001 +From: Yao Liu +Date: Mon, 28 Jan 2019 19:47:28 +0800 +Subject: cifs: Fix NULL pointer dereference of devname + +[ Upstream commit 68e2672f8fbd1e04982b8d2798dd318bf2515dd2 ] + +There is a NULL pointer dereference of devname in strspn() + +The oops looks something like: + + CIFS: Attempting to mount (null) + BUG: unable to handle kernel NULL pointer dereference at 0000000000000000 + ... + RIP: 0010:strspn+0x0/0x50 + ... + Call Trace: + ? cifs_parse_mount_options+0x222/0x1710 [cifs] + ? cifs_get_volume_info+0x2f/0x80 [cifs] + cifs_setup_volume_info+0x20/0x190 [cifs] + cifs_get_volume_info+0x50/0x80 [cifs] + cifs_smb3_do_mount+0x59/0x630 [cifs] + ? ida_alloc_range+0x34b/0x3d0 + cifs_do_mount+0x11/0x20 [cifs] + mount_fs+0x52/0x170 + vfs_kern_mount+0x6b/0x170 + do_mount+0x216/0xdc0 + ksys_mount+0x83/0xd0 + __x64_sys_mount+0x25/0x30 + do_syscall_64+0x65/0x220 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Fix this by adding a NULL check on devname in cifs_parse_devname() + +Signed-off-by: Yao Liu +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/connect.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c +index e61cd2938c9e..9d4e60123db4 100644 +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -1487,6 +1487,11 @@ cifs_parse_devname(const char *devname, struct smb_vol *vol) + const char *delims = "/\\"; + size_t len; + ++ if (unlikely(!devname || !*devname)) { ++ cifs_dbg(VFS, "Device name not specified.\n"); ++ return -EINVAL; ++ } ++ + /* make sure we have a valid UNC double delimiter prefix */ + len = strspn(devname, delims); + if (len != 2) +-- +2.19.1 + diff --git a/queue-5.0/cifs-fix-posix-lock-leak-and-invalid-ptr-deref.patch b/queue-5.0/cifs-fix-posix-lock-leak-and-invalid-ptr-deref.patch new file mode 100644 index 00000000000..8e8f31330e5 --- /dev/null +++ b/queue-5.0/cifs-fix-posix-lock-leak-and-invalid-ptr-deref.patch @@ -0,0 +1,147 @@ +From a0ba2a45763cbb04ac0f7b7c6e0eb8bfdfaafa0b Mon Sep 17 00:00:00 2001 +From: Aurelien Aptel +Date: Thu, 14 Mar 2019 18:44:16 +0100 +Subject: CIFS: fix POSIX lock leak and invalid ptr deref + +[ Upstream commit bc31d0cdcfbadb6258b45db97e93b1c83822ba33 ] + +We have a customer reporting crashes in lock_get_status() with many +"Leaked POSIX lock" messages preceeding the crash. + + Leaked POSIX lock on dev=0x0:0x56 ... + Leaked POSIX lock on dev=0x0:0x56 ... + Leaked POSIX lock on dev=0x0:0x56 ... + Leaked POSIX lock on dev=0x0:0x53 ... + Leaked POSIX lock on dev=0x0:0x53 ... + Leaked POSIX lock on dev=0x0:0x53 ... + Leaked POSIX lock on dev=0x0:0x53 ... + POSIX: fl_owner=ffff8900e7b79380 fl_flags=0x1 fl_type=0x1 fl_pid=20709 + Leaked POSIX lock on dev=0x0:0x4b ino... + Leaked locks on dev=0x0:0x4b ino=0xf911400000029: + POSIX: fl_owner=ffff89f41c870e00 fl_flags=0x1 fl_type=0x1 fl_pid=19592 + stack segment: 0000 [#1] SMP + Modules linked in: binfmt_misc msr tcp_diag udp_diag inet_diag unix_diag af_packet_diag netlink_diag rpcsec_gss_krb5 arc4 ecb auth_rpcgss nfsv4 md4 nfs nls_utf8 lockd grace cifs sunrpc ccm dns_resolver fscache af_packet iscsi_ibft iscsi_boot_sysfs vmw_vsock_vmci_transport vsock xfs libcrc32c sb_edac edac_core crct10dif_pclmul crc32_pclmul ghash_clmulni_intel drbg ansi_cprng vmw_balloon aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd joydev pcspkr vmxnet3 i2c_piix4 vmw_vmci shpchp fjes processor button ac btrfs xor raid6_pq sr_mod cdrom ata_generic sd_mod ata_piix vmwgfx crc32c_intel drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm serio_raw ahci libahci drm libata vmw_pvscsi sg dm_multipath dm_mod scsi_dh_rdac scsi_dh_emc scsi_dh_alua scsi_mod autofs4 + + Supported: Yes + CPU: 6 PID: 28250 Comm: lsof Not tainted 4.4.156-94.64-default #1 + Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 + task: ffff88a345f28740 ti: ffff88c74005c000 task.ti: ffff88c74005c000 + RIP: 0010:[] [] lock_get_status+0x9b/0x3b0 + RSP: 0018:ffff88c74005fd90 EFLAGS: 00010202 + RAX: ffff89bde83e20ae RBX: ffff89e870003d18 RCX: 0000000049534f50 + RDX: ffffffff81a3541f RSI: ffffffff81a3544e RDI: ffff89bde83e20ae + RBP: 0026252423222120 R08: 0000000020584953 R09: 000000000000ffff + R10: 0000000000000000 R11: ffff88c74005fc70 R12: ffff89e5ca7b1340 + R13: 00000000000050e5 R14: ffff89e870003d30 R15: ffff89e5ca7b1340 + FS: 00007fafd64be800(0000) GS:ffff89f41fd00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000001c80018 CR3: 000000a522048000 CR4: 0000000000360670 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + Stack: + 0000000000000208 ffffffff81a3d6b6 ffff89e870003d30 ffff89e870003d18 + ffff89e5ca7b1340 ffff89f41738d7c0 ffff89e870003d30 ffff89e5ca7b1340 + ffffffff8125e08f 0000000000000000 ffff89bc22b67d00 ffff88c74005ff28 + Call Trace: + [] locks_show+0x2f/0x70 + [] seq_read+0x251/0x3a0 + [] proc_reg_read+0x3c/0x70 + [] __vfs_read+0x26/0x140 + [] vfs_read+0x7a/0x120 + [] SyS_read+0x42/0xa0 + [] entry_SYSCALL_64_fastpath+0x1e/0xb7 + +When Linux closes a FD (close(), close-on-exec, dup2(), ...) it calls +filp_close() which also removes all posix locks. + +The lock struct is initialized like so in filp_close() and passed +down to cifs + + ... + lock.fl_type = F_UNLCK; + lock.fl_flags = FL_POSIX | FL_CLOSE; + lock.fl_start = 0; + lock.fl_end = OFFSET_MAX; + ... + +Note the FL_CLOSE flag, which hints the VFS code that this unlocking +is done for closing the fd. + +filp_close() + locks_remove_posix(filp, id); + vfs_lock_file(filp, F_SETLK, &lock, NULL); + return filp->f_op->lock(filp, cmd, fl) => cifs_lock() + rc = cifs_setlk(file, flock, type, wait_flag, posix_lck, lock, unlock, xid); + rc = server->ops->mand_unlock_range(cfile, flock, xid); + if (flock->fl_flags & FL_POSIX && !rc) + rc = locks_lock_file_wait(file, flock) + +Notice how we don't call locks_lock_file_wait() which does the +generic VFS lock/unlock/wait work on the inode if rc != 0. + +If we are closing the handle, the SMB server is supposed to remove any +locks associated with it. Similarly, cifs.ko frees and wakes up any +lock and lock waiter when closing the file: + +cifs_close() + cifsFileInfo_put(file->private_data) + /* + * Delete any outstanding lock records. We'll lose them when the file + * is closed anyway. + */ + down_write(&cifsi->lock_sem); + list_for_each_entry_safe(li, tmp, &cifs_file->llist->locks, llist) { + list_del(&li->llist); + cifs_del_lock_waiters(li); + kfree(li); + } + list_del(&cifs_file->llist->llist); + kfree(cifs_file->llist); + up_write(&cifsi->lock_sem); + +So we can safely ignore unlocking failures in cifs_lock() if they +happen with the FL_CLOSE flag hint set as both the server and the +client take care of it during the actual closing. + +This is not a proper fix for the unlocking failure but it's safe and +it seems to prevent the lock leakages and crashes the customer +experiences. + +Signed-off-by: Aurelien Aptel +Signed-off-by: NeilBrown +Signed-off-by: Steve French +Acked-by: Pavel Shilovsky +Signed-off-by: Sasha Levin +--- + fs/cifs/file.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/fs/cifs/file.c b/fs/cifs/file.c +index 95461db80011..8d107587208f 100644 +--- a/fs/cifs/file.c ++++ b/fs/cifs/file.c +@@ -1645,8 +1645,20 @@ cifs_setlk(struct file *file, struct file_lock *flock, __u32 type, + rc = server->ops->mand_unlock_range(cfile, flock, xid); + + out: +- if (flock->fl_flags & FL_POSIX && !rc) ++ if (flock->fl_flags & FL_POSIX) { ++ /* ++ * If this is a request to remove all locks because we ++ * are closing the file, it doesn't matter if the ++ * unlocking failed as both cifs.ko and the SMB server ++ * remove the lock on file close ++ */ ++ if (rc) { ++ cifs_dbg(VFS, "%s failed rc=%d\n", __func__, rc); ++ if (!(flock->fl_flags & FL_CLOSE)) ++ return rc; ++ } + rc = locks_lock_file_wait(file, flock); ++ } + return rc; + } + +-- +2.19.1 + diff --git a/queue-5.0/cifs-use-correct-format-characters.patch b/queue-5.0/cifs-use-correct-format-characters.patch new file mode 100644 index 00000000000..168217d2987 --- /dev/null +++ b/queue-5.0/cifs-use-correct-format-characters.patch @@ -0,0 +1,80 @@ +From 24d94ab39b8a0600d0120ce36a729cafd04c3f10 Mon Sep 17 00:00:00 2001 +From: Louis Taylor +Date: Wed, 27 Feb 2019 22:25:15 +0000 +Subject: cifs: use correct format characters + +[ Upstream commit 259594bea574e515a148171b5cd84ce5cbdc028a ] + +When compiling with -Wformat, clang emits the following warnings: + +fs/cifs/smb1ops.c:312:20: warning: format specifies type 'unsigned +short' but the argument has type 'unsigned int' [-Wformat] + tgt_total_cnt, total_in_tgt); + ^~~~~~~~~~~~ + +fs/cifs/cifs_dfs_ref.c:289:4: warning: format specifies type 'short' +but the argument has type 'int' [-Wformat] + ref->flags, ref->server_type); + ^~~~~~~~~~ + +fs/cifs/cifs_dfs_ref.c:289:16: warning: format specifies type 'short' +but the argument has type 'int' [-Wformat] + ref->flags, ref->server_type); + ^~~~~~~~~~~~~~~~ + +fs/cifs/cifs_dfs_ref.c:291:4: warning: format specifies type 'short' +but the argument has type 'int' [-Wformat] + ref->ref_flag, ref->path_consumed); + ^~~~~~~~~~~~~ + +fs/cifs/cifs_dfs_ref.c:291:19: warning: format specifies type 'short' +but the argument has type 'int' [-Wformat] + ref->ref_flag, ref->path_consumed); + ^~~~~~~~~~~~~~~~~~ +The types of these arguments are unconditionally defined, so this patch +updates the format character to the correct ones for ints and unsigned +ints. + +Link: https://github.com/ClangBuiltLinux/linux/issues/378 + +Signed-off-by: Louis Taylor +Signed-off-by: Steve French +Reviewed-by: Nick Desaulniers +Signed-off-by: Sasha Levin +--- + fs/cifs/cifs_dfs_ref.c | 4 ++-- + fs/cifs/smb1ops.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/fs/cifs/cifs_dfs_ref.c b/fs/cifs/cifs_dfs_ref.c +index d9b99abe1243..5d83c924cc47 100644 +--- a/fs/cifs/cifs_dfs_ref.c ++++ b/fs/cifs/cifs_dfs_ref.c +@@ -285,9 +285,9 @@ static void dump_referral(const struct dfs_info3_param *ref) + { + cifs_dbg(FYI, "DFS: ref path: %s\n", ref->path_name); + cifs_dbg(FYI, "DFS: node path: %s\n", ref->node_name); +- cifs_dbg(FYI, "DFS: fl: %hd, srv_type: %hd\n", ++ cifs_dbg(FYI, "DFS: fl: %d, srv_type: %d\n", + ref->flags, ref->server_type); +- cifs_dbg(FYI, "DFS: ref_flags: %hd, path_consumed: %hd\n", ++ cifs_dbg(FYI, "DFS: ref_flags: %d, path_consumed: %d\n", + ref->ref_flag, ref->path_consumed); + } + +diff --git a/fs/cifs/smb1ops.c b/fs/cifs/smb1ops.c +index 32a6c020478f..20a88776f04d 100644 +--- a/fs/cifs/smb1ops.c ++++ b/fs/cifs/smb1ops.c +@@ -308,7 +308,7 @@ coalesce_t2(char *second_buf, struct smb_hdr *target_hdr) + remaining = tgt_total_cnt - total_in_tgt; + + if (remaining < 0) { +- cifs_dbg(FYI, "Server sent too much data. tgt_total_cnt=%hu total_in_tgt=%hu\n", ++ cifs_dbg(FYI, "Server sent too much data. tgt_total_cnt=%hu total_in_tgt=%u\n", + tgt_total_cnt, total_in_tgt); + return -EPROTO; + } +-- +2.19.1 + diff --git a/queue-5.0/clk-fractional-divider-check-parent-rate-only-if-fla.patch b/queue-5.0/clk-fractional-divider-check-parent-rate-only-if-fla.patch new file mode 100644 index 00000000000..548bb59c012 --- /dev/null +++ b/queue-5.0/clk-fractional-divider-check-parent-rate-only-if-fla.patch @@ -0,0 +1,104 @@ +From b0398f11e5e79b738f115a4691e5eddd387076bd Mon Sep 17 00:00:00 2001 +From: Katsuhiro Suzuki +Date: Mon, 11 Feb 2019 00:38:06 +0900 +Subject: clk: fractional-divider: check parent rate only if flag is set + +[ Upstream commit d13501a2bedfbea0983cc868d3f1dc692627f60d ] + +Custom approximation of fractional-divider may not need parent clock +rate checking. For example Rockchip SoCs work fine using grand parent +clock rate even if target rate is greater than parent. + +This patch checks parent clock rate only if CLK_SET_RATE_PARENT flag +is set. + +For detailed example, clock tree of Rockchip I2S audio hardware. + - Clock rate of CPLL is 1.2GHz, GPLL is 491.52MHz. + - i2s1_div is integer divider can divide N (N is 1~128). + Input clock is CPLL or GPLL. Initial divider value is N = 1. + Ex) PLL = CPLL, N = 10, i2s1_div output rate is + CPLL / 10 = 1.2GHz / 10 = 120MHz + - i2s1_frac is fractional divider can divide input to x/y, x and + y are 16bit integer. + +CPLL --> | selector | ---> i2s1_div -+--> | selector | --> I2S1 MCLK +GPLL --> | | ,--------------' | | + `--> i2s1_frac ---> | | + +Clock mux system try to choose suitable one from i2s1_div and +i2s1_frac for master clock (MCLK) of I2S1. + +Bad scenario as follows: + - Try to set MCLK to 8.192MHz (32kHz audio replay) + Candidate setting is + - i2s1_div: GPLL / 60 = 8.192MHz + i2s1_div candidate is exactly same as target clock rate, so mux + choose this clock source. i2s1_div output rate is changed + 491.52MHz -> 8.192MHz + + - After that try to set to 11.2896MHz (44.1kHz audio replay) + Candidate settings are + - i2s1_div : CPLL / 107 = 11.214945MHz + - i2s1_frac: i2s1_div = 8.192MHz + This is because clk_fd_round_rate() thinks target rate + (11.2896MHz) is higher than parent rate (i2s1_div = 8.192MHz) + and returns parent clock rate. + +Above is current upstreamed behavior. Clock mux system choose +i2s1_div, but this clock rate is not acceptable for I2S driver, so +users cannot replay audio. + +Expected behavior is: + - Try to set master clock to 11.2896MHz (44.1kHz audio replay) + Candidate settings are + - i2s1_div : CPLL / 107 = 11.214945MHz + - i2s1_frac: i2s1_div * 147/6400 = 11.2896MHz + Change i2s1_div to GPLL / 1 = 491.52MHz at same + time. + +If apply this commit, clk_fd_round_rate() calls custom approximate +function of Rockchip even if target rate is higher than parent. +Custom function changes both grand parent (i2s1_div) and parent +(i2s_frac) settings at same time. Clock mux system can choose +i2s1_frac and audio works fine. + +Signed-off-by: Katsuhiro Suzuki +Reviewed-by: Heiko Stuebner +[sboyd@kernel.org: Make function into a macro instead] +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/clk-fractional-divider.c | 2 +- + include/linux/clk-provider.h | 3 +++ + 2 files changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/clk/clk-fractional-divider.c b/drivers/clk/clk-fractional-divider.c +index 545dceec0bbf..fdfe2e423d15 100644 +--- a/drivers/clk/clk-fractional-divider.c ++++ b/drivers/clk/clk-fractional-divider.c +@@ -79,7 +79,7 @@ static long clk_fd_round_rate(struct clk_hw *hw, unsigned long rate, + unsigned long m, n; + u64 ret; + +- if (!rate || rate >= *parent_rate) ++ if (!rate || (!clk_hw_can_set_rate_parent(hw) && rate >= *parent_rate)) + return *parent_rate; + + if (fd->approximation) +diff --git a/include/linux/clk-provider.h b/include/linux/clk-provider.h +index e443fa9fa859..b7cf80a71293 100644 +--- a/include/linux/clk-provider.h ++++ b/include/linux/clk-provider.h +@@ -792,6 +792,9 @@ unsigned int __clk_get_enable_count(struct clk *clk); + unsigned long clk_hw_get_rate(const struct clk_hw *hw); + unsigned long __clk_get_flags(struct clk *clk); + unsigned long clk_hw_get_flags(const struct clk_hw *hw); ++#define clk_hw_can_set_rate_parent(hw) \ ++ (clk_hw_get_flags((hw)) & CLK_SET_RATE_PARENT) ++ + bool clk_hw_is_prepared(const struct clk_hw *hw); + bool clk_hw_rate_is_protected(const struct clk_hw *hw); + bool clk_hw_is_enabled(const struct clk_hw *hw); +-- +2.19.1 + diff --git a/queue-5.0/clk-meson-clean-up-clock-registration.patch b/queue-5.0/clk-meson-clean-up-clock-registration.patch new file mode 100644 index 00000000000..0388b3f57b8 --- /dev/null +++ b/queue-5.0/clk-meson-clean-up-clock-registration.patch @@ -0,0 +1,56 @@ +From 076d1f2d1a05a4814ef8eaeaa08502103c39b381 Mon Sep 17 00:00:00 2001 +From: Jerome Brunet +Date: Fri, 21 Dec 2018 17:02:36 +0100 +Subject: clk: meson: clean-up clock registration + +[ Upstream commit 8d9981efbcab066d17af4d3c85c169200f6f78df ] + +Order, ids and size between the table of regmap clocks and the onecell +data table could be different. + +Set regmap pointer in all the regmap clocks before starting the +registration using the onecell data, to make sure we don't +get into an incoherent situation. + +Signed-off-by: Jerome Brunet +Acked-by: Neil Armstrong +Signed-off-by: Neil Armstrong +Link: https://lkml.kernel.org/r/20181221160239.26265-3-jbrunet@baylibre.com +Signed-off-by: Sasha Levin +--- + drivers/clk/meson/meson-aoclk.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/drivers/clk/meson/meson-aoclk.c b/drivers/clk/meson/meson-aoclk.c +index f965845917e3..258c8d259ea1 100644 +--- a/drivers/clk/meson/meson-aoclk.c ++++ b/drivers/clk/meson/meson-aoclk.c +@@ -65,15 +65,20 @@ int meson_aoclkc_probe(struct platform_device *pdev) + return ret; + } + +- /* +- * Populate regmap and register all clks +- */ +- for (clkid = 0; clkid < data->num_clks; clkid++) { ++ /* Populate regmap */ ++ for (clkid = 0; clkid < data->num_clks; clkid++) + data->clks[clkid]->map = regmap; + ++ /* Register all clks */ ++ for (clkid = 0; clkid < data->hw_data->num; clkid++) { ++ if (!data->hw_data->hws[clkid]) ++ continue; ++ + ret = devm_clk_hw_register(dev, data->hw_data->hws[clkid]); +- if (ret) ++ if (ret) { ++ dev_err(dev, "Clock registration failed\n"); + return ret; ++ } + } + + return devm_of_clk_add_hw_provider(dev, of_clk_hw_onecell_get, +-- +2.19.1 + diff --git a/queue-5.0/clk-rockchip-fix-frac-settings-of-gpll-clock-for-rk3.patch b/queue-5.0/clk-rockchip-fix-frac-settings-of-gpll-clock-for-rk3.patch new file mode 100644 index 00000000000..13b6cd66ba6 --- /dev/null +++ b/queue-5.0/clk-rockchip-fix-frac-settings-of-gpll-clock-for-rk3.patch @@ -0,0 +1,65 @@ +From 749233a83ad65fd78c9ce47b2d07e19a8c4d295f Mon Sep 17 00:00:00 2001 +From: Katsuhiro Suzuki +Date: Sun, 23 Dec 2018 01:42:49 +0900 +Subject: clk: rockchip: fix frac settings of GPLL clock for rk3328 + +[ Upstream commit a0e447b0c50240a90ab84b7126b3c06b0bab4adc ] + +This patch fixes settings of GPLL frequency in fractional mode for +rk3328. In this mode, FOUTVCO is calcurated by following formula: + FOUTVCO = FREF * FBDIV / REFDIV + ((FREF * FRAC / REFDIV) >> 24) + +The problem is in FREF * FRAC >> 24 term. This result always lacks +one from target value is specified by rate member. For example first +itme of rk3328_pll_frac_rate originally has + - rate : 1016064000 + - refdiv: 3 + - fbdiv : 127 + - frac : 134217 + - FREF * FBDIV / REFDIV = 1016000000 + - (FREF * FRAC / REFDIV) >> 24 = 63999 +Thus calculated rate is 1016063999. It seems wrong. + +If frac has 134218 (it is increased 1 from original value), second +term is 64000. All other items have same situation. So this patch +adds 1 to frac member in all items of rk3328_pll_frac_rate. + +Signed-off-by: Katsuhiro Suzuki +Acked-by: Elaine Zhang +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + drivers/clk/rockchip/clk-rk3328.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/clk/rockchip/clk-rk3328.c b/drivers/clk/rockchip/clk-rk3328.c +index faa94adb2a37..65ab5c2f48b0 100644 +--- a/drivers/clk/rockchip/clk-rk3328.c ++++ b/drivers/clk/rockchip/clk-rk3328.c +@@ -78,17 +78,17 @@ static struct rockchip_pll_rate_table rk3328_pll_rates[] = { + + static struct rockchip_pll_rate_table rk3328_pll_frac_rates[] = { + /* _mhz, _refdiv, _fbdiv, _postdiv1, _postdiv2, _dsmpd, _frac */ +- RK3036_PLL_RATE(1016064000, 3, 127, 1, 1, 0, 134217), ++ RK3036_PLL_RATE(1016064000, 3, 127, 1, 1, 0, 134218), + /* vco = 1016064000 */ +- RK3036_PLL_RATE(983040000, 24, 983, 1, 1, 0, 671088), ++ RK3036_PLL_RATE(983040000, 24, 983, 1, 1, 0, 671089), + /* vco = 983040000 */ +- RK3036_PLL_RATE(491520000, 24, 983, 2, 1, 0, 671088), ++ RK3036_PLL_RATE(491520000, 24, 983, 2, 1, 0, 671089), + /* vco = 983040000 */ +- RK3036_PLL_RATE(61440000, 6, 215, 7, 2, 0, 671088), ++ RK3036_PLL_RATE(61440000, 6, 215, 7, 2, 0, 671089), + /* vco = 860156000 */ +- RK3036_PLL_RATE(56448000, 12, 451, 4, 4, 0, 9797894), ++ RK3036_PLL_RATE(56448000, 12, 451, 4, 4, 0, 9797895), + /* vco = 903168000 */ +- RK3036_PLL_RATE(40960000, 12, 409, 4, 5, 0, 10066329), ++ RK3036_PLL_RATE(40960000, 12, 409, 4, 5, 0, 10066330), + /* vco = 819200000 */ + { /* sentinel */ }, + }; +-- +2.19.1 + diff --git a/queue-5.0/clk-ti-clkctrl-fix-clkdm_name-regression-for-ti_clk_.patch b/queue-5.0/clk-ti-clkctrl-fix-clkdm_name-regression-for-ti_clk_.patch new file mode 100644 index 00000000000..a95174804d9 --- /dev/null +++ b/queue-5.0/clk-ti-clkctrl-fix-clkdm_name-regression-for-ti_clk_.patch @@ -0,0 +1,56 @@ +From 5cfb1a1518354693a6bfb1b42d25d49cfe5f151c Mon Sep 17 00:00:00 2001 +From: Tony Lindgren +Date: Thu, 7 Mar 2019 12:10:56 -0800 +Subject: clk: ti: clkctrl: Fix clkdm_name regression for TI_CLK_CLKCTRL_COMPAT + +[ Upstream commit d17a718db40df2548e99a62dc3d7e5e2b38143cc ] + +Commit a72d785021cb ("clk: ti: Prepare for remove of OF node name") +changed the code to use kasprintf() for provider->clkdm_name but also +changed the offset used later on by three. We don't need to change the +offset as we already have the extra three characters in the format for +kasprintf with "%pOFnxxx". + +This caused the clocks with TI_CLK_CLKCTRL_COMPAT to have NULL +clk->clkdm_name for omap4 and 5. And null clkdm_name can cause module +reset, enable, and idle to fail. + +The issue can also be seen also when enabling DEBUG for clkctrl.c +and then we start seeing "clock: could not associate" messages for +omap4 and 5 as the generated name is something like "l4_wkclkdm" instead +of "l4_wkup_clkdm" that's needed. + +Let's fix the issue with a partial revert of commit a72d785021cb ("clk: +ti: Prepare for remove of OF node name"). + +ALso note that in general code should not depend on the dts node names. +And the node names should be generic types like clock-domain in this case. +This could be fixed later by using separate compatible properties for the +clockdomains, or by adding soc_device_match() table with reg offsets +to the driver. But let's fix the regression first. + +Fixes: a72d785021cb ("clk: ti: Prepare for remove of OF node name") +Cc: Tero Kristo +Signed-off-by: Tony Lindgren +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/ti/clkctrl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/ti/clkctrl.c b/drivers/clk/ti/clkctrl.c +index 40630eb950fc..85d7f301149b 100644 +--- a/drivers/clk/ti/clkctrl.c ++++ b/drivers/clk/ti/clkctrl.c +@@ -530,7 +530,7 @@ static void __init _ti_omap4_clkctrl_setup(struct device_node *node) + * Create default clkdm name, replace _cm from end of parent + * node name with _clkdm + */ +- provider->clkdm_name[strlen(provider->clkdm_name) - 5] = 0; ++ provider->clkdm_name[strlen(provider->clkdm_name) - 2] = 0; + } else { + provider->clkdm_name = kasprintf(GFP_KERNEL, "%pOFn", node); + if (!provider->clkdm_name) { +-- +2.19.1 + diff --git a/queue-5.0/coresight-etm4x-add-support-to-enable-etmv4.2.patch b/queue-5.0/coresight-etm4x-add-support-to-enable-etmv4.2.patch new file mode 100644 index 00000000000..db4e8d06402 --- /dev/null +++ b/queue-5.0/coresight-etm4x-add-support-to-enable-etmv4.2.patch @@ -0,0 +1,64 @@ +From e2c1caecf2d364cc65840c172457e3a4249026d5 Mon Sep 17 00:00:00 2001 +From: Sai Prakash Ranjan +Date: Mon, 25 Feb 2019 10:54:01 -0700 +Subject: coresight: etm4x: Add support to enable ETMv4.2 + +[ Upstream commit 5666dfd1d8a45a167f0d8b4ef47ea7f780b1f24a ] + +SDM845 has ETMv4.2 and can use the existing etm4x driver. +But the current etm driver checks only for ETMv4.0 and +errors out for other etm4x versions. This patch adds this +missing support to enable SoC's with ETMv4x to use same +driver by checking only the ETM architecture major version +number. + +Without this change, we get below error during etm probe: + +/ # dmesg | grep etm +[ 6.660093] coresight-etm4x: probe of 7040000.etm failed with error -22 +[ 6.666902] coresight-etm4x: probe of 7140000.etm failed with error -22 +[ 6.673708] coresight-etm4x: probe of 7240000.etm failed with error -22 +[ 6.680511] coresight-etm4x: probe of 7340000.etm failed with error -22 +[ 6.687313] coresight-etm4x: probe of 7440000.etm failed with error -22 +[ 6.694113] coresight-etm4x: probe of 7540000.etm failed with error -22 +[ 6.700914] coresight-etm4x: probe of 7640000.etm failed with error -22 +[ 6.707717] coresight-etm4x: probe of 7740000.etm failed with error -22 + +With this change, etm probe is successful: + +/ # dmesg | grep etm +[ 6.659198] coresight-etm4x 7040000.etm: CPU0: ETM v4.2 initialized +[ 6.665848] coresight-etm4x 7140000.etm: CPU1: ETM v4.2 initialized +[ 6.672493] coresight-etm4x 7240000.etm: CPU2: ETM v4.2 initialized +[ 6.679129] coresight-etm4x 7340000.etm: CPU3: ETM v4.2 initialized +[ 6.685770] coresight-etm4x 7440000.etm: CPU4: ETM v4.2 initialized +[ 6.692403] coresight-etm4x 7540000.etm: CPU5: ETM v4.2 initialized +[ 6.699024] coresight-etm4x 7640000.etm: CPU6: ETM v4.2 initialized +[ 6.705646] coresight-etm4x 7740000.etm: CPU7: ETM v4.2 initialized + +Signed-off-by: Sai Prakash Ranjan +Reviewed-by: Suzuki K Poulose +Signed-off-by: Mathieu Poirier +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/hwtracing/coresight/coresight-etm4x.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/hwtracing/coresight/coresight-etm4x.c b/drivers/hwtracing/coresight/coresight-etm4x.c +index 53e2fb6e86f6..fe76b176974a 100644 +--- a/drivers/hwtracing/coresight/coresight-etm4x.c ++++ b/drivers/hwtracing/coresight/coresight-etm4x.c +@@ -55,7 +55,8 @@ static void etm4_os_unlock(struct etmv4_drvdata *drvdata) + + static bool etm4_arch_supported(u8 arch) + { +- switch (arch) { ++ /* Mask out the minor version number */ ++ switch (arch & 0xf0) { + case ETM_ARCH_V4: + break; + default: +-- +2.19.1 + diff --git a/queue-5.0/cpu-hotplug-mute-hotplug-lockdep-during-init.patch b/queue-5.0/cpu-hotplug-mute-hotplug-lockdep-during-init.patch new file mode 100644 index 00000000000..6bdd7734758 --- /dev/null +++ b/queue-5.0/cpu-hotplug-mute-hotplug-lockdep-during-init.patch @@ -0,0 +1,101 @@ +From ac04b14e9eeeaa3e022440c2a20a221e7f67f60d Mon Sep 17 00:00:00 2001 +From: Valentin Schneider +Date: Wed, 19 Dec 2018 18:23:15 +0000 +Subject: cpu/hotplug: Mute hotplug lockdep during init + +[ Upstream commit ce48c457b95316b9a01b5aa9d4456ce820df94b4 ] + +Since we've had: + + commit cb538267ea1e ("jump_label/lockdep: Assert we hold the hotplug lock for _cpuslocked() operations") + +we've been getting some lockdep warnings during init, such as on HiKey960: + +[ 0.820495] WARNING: CPU: 4 PID: 0 at kernel/cpu.c:316 lockdep_assert_cpus_held+0x3c/0x48 +[ 0.820498] Modules linked in: +[ 0.820509] CPU: 4 PID: 0 Comm: swapper/4 Tainted: G S 4.20.0-rc5-00051-g4cae42a #34 +[ 0.820511] Hardware name: HiKey960 (DT) +[ 0.820516] pstate: 600001c5 (nZCv dAIF -PAN -UAO) +[ 0.820520] pc : lockdep_assert_cpus_held+0x3c/0x48 +[ 0.820523] lr : lockdep_assert_cpus_held+0x38/0x48 +[ 0.820526] sp : ffff00000a9cbe50 +[ 0.820528] x29: ffff00000a9cbe50 x28: 0000000000000000 +[ 0.820533] x27: 00008000b69e5000 x26: ffff8000bff4cfe0 +[ 0.820537] x25: ffff000008ba69e0 x24: 0000000000000001 +[ 0.820541] x23: ffff000008fce000 x22: ffff000008ba70c8 +[ 0.820545] x21: 0000000000000001 x20: 0000000000000003 +[ 0.820548] x19: ffff00000a35d628 x18: ffffffffffffffff +[ 0.820552] x17: 0000000000000000 x16: 0000000000000000 +[ 0.820556] x15: ffff00000958f848 x14: 455f3052464d4d34 +[ 0.820559] x13: 00000000769dde98 x12: ffff8000bf3f65a8 +[ 0.820564] x11: 0000000000000000 x10: ffff00000958f848 +[ 0.820567] x9 : ffff000009592000 x8 : ffff00000958f848 +[ 0.820571] x7 : ffff00000818ffa0 x6 : 0000000000000000 +[ 0.820574] x5 : 0000000000000000 x4 : 0000000000000001 +[ 0.820578] x3 : 0000000000000000 x2 : 0000000000000001 +[ 0.820582] x1 : 00000000ffffffff x0 : 0000000000000000 +[ 0.820587] Call trace: +[ 0.820591] lockdep_assert_cpus_held+0x3c/0x48 +[ 0.820598] static_key_enable_cpuslocked+0x28/0xd0 +[ 0.820606] arch_timer_check_ool_workaround+0xe8/0x228 +[ 0.820610] arch_timer_starting_cpu+0xe4/0x2d8 +[ 0.820615] cpuhp_invoke_callback+0xe8/0xd08 +[ 0.820619] notify_cpu_starting+0x80/0xb8 +[ 0.820625] secondary_start_kernel+0x118/0x1d0 + +We've also had a similar warning in sched_init_smp() for every +asymmetric system that would enable the sched_asym_cpucapacity static +key, although that was singled out in: + + commit 40fa3780bac2 ("sched/core: Take the hotplug lock in sched_init_smp()") + +Those warnings are actually harmless, since we cannot have hotplug +operations at the time they appear. Instead of starting to sprinkle +useless hotplug lock operations in the init codepaths, mute the +warnings until they start warning about real problems. + +Suggested-by: Peter Zijlstra +Signed-off-by: Valentin Schneider +Signed-off-by: Peter Zijlstra (Intel) +Cc: Andrew Morton +Cc: Linus Torvalds +Cc: Paul E. McKenney +Cc: Thomas Gleixner +Cc: Will Deacon +Cc: cai@gmx.us +Cc: daniel.lezcano@linaro.org +Cc: dietmar.eggemann@arm.com +Cc: linux-arm-kernel@lists.infradead.org +Cc: longman@redhat.com +Cc: marc.zyngier@arm.com +Cc: mark.rutland@arm.com +Link: https://lkml.kernel.org/r/1545243796-23224-2-git-send-email-valentin.schneider@arm.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + kernel/cpu.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/kernel/cpu.c b/kernel/cpu.c +index 47f695d80dd1..6754f3ecfd94 100644 +--- a/kernel/cpu.c ++++ b/kernel/cpu.c +@@ -313,6 +313,15 @@ void cpus_write_unlock(void) + + void lockdep_assert_cpus_held(void) + { ++ /* ++ * We can't have hotplug operations before userspace starts running, ++ * and some init codepaths will knowingly not take the hotplug lock. ++ * This is all valid, so mute lockdep until it makes sense to report ++ * unheld locks. ++ */ ++ if (system_state < SYSTEM_RUNNING) ++ return; ++ + percpu_rwsem_assert_held(&cpu_hotplug_lock); + } + +-- +2.19.1 + diff --git a/queue-5.0/cpufreq-acpi-cpufreq-report-if-cpu-doesn-t-support-b.patch b/queue-5.0/cpufreq-acpi-cpufreq-report-if-cpu-doesn-t-support-b.patch new file mode 100644 index 00000000000..87e5cf6e7d6 --- /dev/null +++ b/queue-5.0/cpufreq-acpi-cpufreq-report-if-cpu-doesn-t-support-b.patch @@ -0,0 +1,49 @@ +From b8b23d94ec59809d9d4c43a9fcdd5f256e7549c6 Mon Sep 17 00:00:00 2001 +From: Erwan Velu +Date: Wed, 20 Feb 2019 11:10:17 +0100 +Subject: cpufreq: acpi-cpufreq: Report if CPU doesn't support boost + technologies + +[ Upstream commit 1222d527f314c86a3b59a522115d62facc5a7965 ] + +There is some rare cases where CPB (and possibly IDA) are missing on +processors. + +This is the case fixed by commit f7f3dc00f612 ("x86/cpu/AMD: Fix +erratum 1076 (CPB bit)") and following. + +In such context, the boost status isn't reported by +/sys/devices/system/cpu/cpufreq/boost. + +This commit is about printing a message to report that the CPU +doesn't expose the boost capabilities. + +This message could help debugging platforms hit by this phenomena. + +Signed-off-by: Erwan Velu +[ rjw: Change the message text somewhat ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/acpi-cpufreq.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/cpufreq/acpi-cpufreq.c b/drivers/cpufreq/acpi-cpufreq.c +index d62fd374d5c7..c72258a44ba4 100644 +--- a/drivers/cpufreq/acpi-cpufreq.c ++++ b/drivers/cpufreq/acpi-cpufreq.c +@@ -916,8 +916,10 @@ static void __init acpi_cpufreq_boost_init(void) + { + int ret; + +- if (!(boot_cpu_has(X86_FEATURE_CPB) || boot_cpu_has(X86_FEATURE_IDA))) ++ if (!(boot_cpu_has(X86_FEATURE_CPB) || boot_cpu_has(X86_FEATURE_IDA))) { ++ pr_debug("Boost capabilities not present in the processor\n"); + return; ++ } + + acpi_cpufreq_driver.set_boost = set_boost; + acpi_cpufreq_driver.boost_enabled = boost_state(0); +-- +2.19.1 + diff --git a/queue-5.0/crypto-cavium-zip-fix-collision-with-generic-cra_dri.patch b/queue-5.0/crypto-cavium-zip-fix-collision-with-generic-cra_dri.patch new file mode 100644 index 00000000000..4383ab61e42 --- /dev/null +++ b/queue-5.0/crypto-cavium-zip-fix-collision-with-generic-cra_dri.patch @@ -0,0 +1,68 @@ +From 17c82c2d8ad76c73ee0afd77da85f7632ac170c4 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Sat, 23 Feb 2019 00:23:23 -0800 +Subject: crypto: cavium/zip - fix collision with generic cra_driver_name + +[ Upstream commit 41798036430015ad45137db2d4c213cd77fd0251 ] + +The cavium/zip implementation of the deflate compression algorithm is +incorrectly being registered under the generic driver name, which +prevents the generic implementation from being registered with the +crypto API when CONFIG_CRYPTO_DEV_CAVIUM_ZIP=y. Similarly the lzs +algorithm (which does not currently have a generic implementation...) +is incorrectly being registered as lzs-generic. + +Fix the naming collision by adding a suffix "-cavium" to the +cra_driver_name of the cavium/zip algorithms. + +Fixes: 640035a2dc55 ("crypto: zip - Add ThunderX ZIP driver core") +Cc: Mahipal Challa +Cc: Jan Glauber +Signed-off-by: Eric Biggers +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/cavium/zip/zip_main.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/crypto/cavium/zip/zip_main.c b/drivers/crypto/cavium/zip/zip_main.c +index be055b9547f6..6183f9128a8a 100644 +--- a/drivers/crypto/cavium/zip/zip_main.c ++++ b/drivers/crypto/cavium/zip/zip_main.c +@@ -351,6 +351,7 @@ static struct pci_driver zip_driver = { + + static struct crypto_alg zip_comp_deflate = { + .cra_name = "deflate", ++ .cra_driver_name = "deflate-cavium", + .cra_flags = CRYPTO_ALG_TYPE_COMPRESS, + .cra_ctxsize = sizeof(struct zip_kernel_ctx), + .cra_priority = 300, +@@ -365,6 +366,7 @@ static struct crypto_alg zip_comp_deflate = { + + static struct crypto_alg zip_comp_lzs = { + .cra_name = "lzs", ++ .cra_driver_name = "lzs-cavium", + .cra_flags = CRYPTO_ALG_TYPE_COMPRESS, + .cra_ctxsize = sizeof(struct zip_kernel_ctx), + .cra_priority = 300, +@@ -384,7 +386,7 @@ static struct scomp_alg zip_scomp_deflate = { + .decompress = zip_scomp_decompress, + .base = { + .cra_name = "deflate", +- .cra_driver_name = "deflate-scomp", ++ .cra_driver_name = "deflate-scomp-cavium", + .cra_module = THIS_MODULE, + .cra_priority = 300, + } +@@ -397,7 +399,7 @@ static struct scomp_alg zip_scomp_lzs = { + .decompress = zip_scomp_decompress, + .base = { + .cra_name = "lzs", +- .cra_driver_name = "lzs-scomp", ++ .cra_driver_name = "lzs-scomp-cavium", + .cra_module = THIS_MODULE, + .cra_priority = 300, + } +-- +2.19.1 + diff --git a/queue-5.0/crypto-crypto4xx-add-missing-of_node_put-after-of_de.patch b/queue-5.0/crypto-crypto4xx-add-missing-of_node_put-after-of_de.patch new file mode 100644 index 00000000000..3c6ae8385a1 --- /dev/null +++ b/queue-5.0/crypto-crypto4xx-add-missing-of_node_put-after-of_de.patch @@ -0,0 +1,63 @@ +From a8d2403c8e7ac2cea44b56888a276d04b1fc7ffc Mon Sep 17 00:00:00 2001 +From: Julia Lawall +Date: Sat, 23 Feb 2019 14:20:39 +0100 +Subject: crypto: crypto4xx - add missing of_node_put after + of_device_is_available + +[ Upstream commit 8c2b43d2d85b48a97d2f8279278a4aac5b45f925 ] + +Add an of_node_put when a tested device node is not available. + +The semantic patch that fixes this problem is as follows +(http://coccinelle.lip6.fr): + +// +@@ +identifier f; +local idexpression e; +expression x; +@@ + +e = f(...); +... when != of_node_put(e) + when != x = e + when != e = x + when any +if (<+...of_device_is_available(e)...+>) { + ... when != of_node_put(e) +( + return e; +| ++ of_node_put(e); + return ...; +) +} +// + +Fixes: 5343e674f32fb ("crypto4xx: integrate ppc4xx-rng into crypto4xx") +Signed-off-by: Julia Lawall +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/amcc/crypto4xx_trng.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/crypto/amcc/crypto4xx_trng.c b/drivers/crypto/amcc/crypto4xx_trng.c +index 5e63742b0d22..53ab1f140a26 100644 +--- a/drivers/crypto/amcc/crypto4xx_trng.c ++++ b/drivers/crypto/amcc/crypto4xx_trng.c +@@ -80,8 +80,10 @@ void ppc4xx_trng_probe(struct crypto4xx_core_device *core_dev) + + /* Find the TRNG device node and map it */ + trng = of_find_matching_node(NULL, ppc4xx_trng_match); +- if (!trng || !of_device_is_available(trng)) ++ if (!trng || !of_device_is_available(trng)) { ++ of_node_put(trng); + return; ++ } + + dev->trng_base = of_iomap(trng, 0); + of_node_put(trng); +-- +2.19.1 + diff --git a/queue-5.0/dm-thin-add-sanity-checks-to-thin-pool-and-external-.patch b/queue-5.0/dm-thin-add-sanity-checks-to-thin-pool-and-external-.patch new file mode 100644 index 00000000000..c4d5c1ee881 --- /dev/null +++ b/queue-5.0/dm-thin-add-sanity-checks-to-thin-pool-and-external-.patch @@ -0,0 +1,111 @@ +From 72c2a4f3267f041c59652664c8291d82e2e70459 Mon Sep 17 00:00:00 2001 +From: "Jason Cai (Xiang Feng)" +Date: Sun, 20 Jan 2019 22:39:13 +0800 +Subject: dm thin: add sanity checks to thin-pool and external snapshot + creation + +[ Upstream commit 70de2cbda8a5d788284469e755f8b097d339c240 ] + +Invoking dm_get_device() twice on the same device path with different +modes is dangerous. Because in that case, upgrade_mode() will alloc a +new 'dm_dev' and free the old one, which may be referenced by a previous +caller. Dereferencing the dangling pointer will trigger kernel NULL +pointer dereference. + +The following two cases can reproduce this issue. Actually, they are +invalid setups that must be disallowed, e.g.: + +1. Creating a thin-pool with read_only mode, and the same device as +both metadata and data. + +dmsetup create thinp --table \ + "0 41943040 thin-pool /dev/vdb /dev/vdb 128 0 1 read_only" + +BUG: unable to handle kernel NULL pointer dereference at 0000000000000080 +... +Call Trace: + new_read+0xfb/0x110 [dm_bufio] + dm_bm_read_lock+0x43/0x190 [dm_persistent_data] + ? kmem_cache_alloc_trace+0x15c/0x1e0 + __create_persistent_data_objects+0x65/0x3e0 [dm_thin_pool] + dm_pool_metadata_open+0x8c/0xf0 [dm_thin_pool] + pool_ctr.cold.79+0x213/0x913 [dm_thin_pool] + ? realloc_argv+0x50/0x70 [dm_mod] + dm_table_add_target+0x14e/0x330 [dm_mod] + table_load+0x122/0x2e0 [dm_mod] + ? dev_status+0x40/0x40 [dm_mod] + ctl_ioctl+0x1aa/0x3e0 [dm_mod] + dm_ctl_ioctl+0xa/0x10 [dm_mod] + do_vfs_ioctl+0xa2/0x600 + ? handle_mm_fault+0xda/0x200 + ? __do_page_fault+0x26c/0x4f0 + ksys_ioctl+0x60/0x90 + __x64_sys_ioctl+0x16/0x20 + do_syscall_64+0x55/0x150 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +2. Creating a external snapshot using the same thin-pool device. + +dmsetup create thinp --table \ + "0 41943040 thin-pool /dev/vdc /dev/vdb 128 0 2 ignore_discard" +dmsetup message /dev/mapper/thinp 0 "create_thin 0" +dmsetup create snap --table \ + "0 204800 thin /dev/mapper/thinp 0 /dev/mapper/thinp" + +BUG: unable to handle kernel NULL pointer dereference at 0000000000000000 +... +Call Trace: +? __alloc_pages_nodemask+0x13c/0x2e0 +retrieve_status+0xa5/0x1f0 [dm_mod] +? dm_get_live_or_inactive_table.isra.7+0x20/0x20 [dm_mod] + table_status+0x61/0xa0 [dm_mod] + ctl_ioctl+0x1aa/0x3e0 [dm_mod] + dm_ctl_ioctl+0xa/0x10 [dm_mod] + do_vfs_ioctl+0xa2/0x600 + ksys_ioctl+0x60/0x90 + ? ksys_write+0x4f/0xb0 + __x64_sys_ioctl+0x16/0x20 + do_syscall_64+0x55/0x150 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Signed-off-by: Jason Cai (Xiang Feng) +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +--- + drivers/md/dm-thin.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/drivers/md/dm-thin.c b/drivers/md/dm-thin.c +index e83b63608262..254c26eb963a 100644 +--- a/drivers/md/dm-thin.c ++++ b/drivers/md/dm-thin.c +@@ -3283,6 +3283,13 @@ static int pool_ctr(struct dm_target *ti, unsigned argc, char **argv) + as.argc = argc; + as.argv = argv; + ++ /* make sure metadata and data are different devices */ ++ if (!strcmp(argv[0], argv[1])) { ++ ti->error = "Error setting metadata or data device"; ++ r = -EINVAL; ++ goto out_unlock; ++ } ++ + /* + * Set default pool features. + */ +@@ -4167,6 +4174,12 @@ static int thin_ctr(struct dm_target *ti, unsigned argc, char **argv) + tc->sort_bio_list = RB_ROOT; + + if (argc == 3) { ++ if (!strcmp(argv[0], argv[2])) { ++ ti->error = "Error setting origin device"; ++ r = -EINVAL; ++ goto bad_origin_dev; ++ } ++ + r = dm_get_device(ti, argv[2], FMODE_READ, &origin_dev); + if (r) { + ti->error = "Error opening origin device"; +-- +2.19.1 + diff --git a/queue-5.0/dmaengine-imx-dma-fix-warning-comparison-of-distinct.patch b/queue-5.0/dmaengine-imx-dma-fix-warning-comparison-of-distinct.patch new file mode 100644 index 00000000000..6707e4d900e --- /dev/null +++ b/queue-5.0/dmaengine-imx-dma-fix-warning-comparison-of-distinct.patch @@ -0,0 +1,60 @@ +From e89636003a610e15419a29d10d32c3de47e78c3e Mon Sep 17 00:00:00 2001 +From: Anders Roxell +Date: Thu, 10 Jan 2019 12:15:35 +0100 +Subject: dmaengine: imx-dma: fix warning comparison of distinct pointer types +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 9227ab5643cb8350449502dd9e3168a873ab0e3b ] + +The warning got introduced by commit 930507c18304 ("arm64: add basic +Kconfig symbols for i.MX8"). Since it got enabled for arm64. The warning +haven't been seen before since size_t was 'unsigned int' when built on +arm32. + +../drivers/dma/imx-dma.c: In function ‘imxdma_sg_next’: +../include/linux/kernel.h:846:29: warning: comparison of distinct pointer types lacks a cast + (!!(sizeof((typeof(x) *)1 == (typeof(y) *)1))) + ^~ +../include/linux/kernel.h:860:4: note: in expansion of macro ‘__typecheck’ + (__typecheck(x, y) && __no_side_effects(x, y)) + ^~~~~~~~~~~ +../include/linux/kernel.h:870:24: note: in expansion of macro ‘__safe_cmp’ + __builtin_choose_expr(__safe_cmp(x, y), \ + ^~~~~~~~~~ +../include/linux/kernel.h:879:19: note: in expansion of macro ‘__careful_cmp’ + #define min(x, y) __careful_cmp(x, y, <) + ^~~~~~~~~~~~~ +../drivers/dma/imx-dma.c:288:8: note: in expansion of macro ‘min’ + now = min(d->len, sg_dma_len(sg)); + ^~~ + +Rework so that we use min_t and pass in the size_t that returns the +minimum of two values, using the specified type. + +Signed-off-by: Anders Roxell +Acked-by: Olof Johansson +Reviewed-by: Fabio Estevam +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/imx-dma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/dma/imx-dma.c b/drivers/dma/imx-dma.c +index 4a09af3cd546..7b9a7fb28bb9 100644 +--- a/drivers/dma/imx-dma.c ++++ b/drivers/dma/imx-dma.c +@@ -285,7 +285,7 @@ static inline int imxdma_sg_next(struct imxdma_desc *d) + struct scatterlist *sg = d->sg; + unsigned long now; + +- now = min(d->len, sg_dma_len(sg)); ++ now = min_t(size_t, d->len, sg_dma_len(sg)); + if (d->len != IMX_DMA_LENGTH_LOOP) + d->len -= now; + +-- +2.19.1 + diff --git a/queue-5.0/dmaengine-qcom_hidma-assign-channel-cookie-correctly.patch b/queue-5.0/dmaengine-qcom_hidma-assign-channel-cookie-correctly.patch new file mode 100644 index 00000000000..878a7eb7b1e --- /dev/null +++ b/queue-5.0/dmaengine-qcom_hidma-assign-channel-cookie-correctly.patch @@ -0,0 +1,86 @@ +From 80462eb3f153397b19f36b2c31b8e5f92465891d Mon Sep 17 00:00:00 2001 +From: Shunyong Yang +Date: Mon, 7 Jan 2019 09:34:02 +0800 +Subject: dmaengine: qcom_hidma: assign channel cookie correctly + +[ Upstream commit 546c0547555efca8ba8c120716c325435e29df1b ] + +When dma_cookie_complete() is called in hidma_process_completed(), +dma_cookie_status() will return DMA_COMPLETE in hidma_tx_status(). Then, +hidma_txn_is_success() will be called to use channel cookie +mchan->last_success to do additional DMA status check. Current code +assigns mchan->last_success after dma_cookie_complete(). This causes +a race condition of dma_cookie_status() returns DMA_COMPLETE before +mchan->last_success is assigned correctly. The race will cause +hidma_tx_status() return DMA_ERROR but the transaction is actually a +success. Moreover, in async_tx case, it will cause a timeout panic +in async_tx_quiesce(). + + Kernel panic - not syncing: async_tx_quiesce: DMA error waiting for + transaction + ... + Call trace: + [] dump_backtrace+0x0/0x1f4 + [] show_stack+0x24/0x2c + [] dump_stack+0x84/0xa8 + [] panic+0x12c/0x29c + [] async_tx_quiesce+0xa4/0xc8 [async_tx] + [] async_trigger_callback+0x70/0x1c0 [async_tx] + [] raid_run_ops+0x86c/0x1540 [raid456] + [] handle_stripe+0x5e8/0x1c7c [raid456] + [] handle_active_stripes.isra.45+0x2d4/0x550 [raid456] + [] raid5d+0x38c/0x5d0 [raid456] + [] md_thread+0x108/0x168 + [] kthread+0x10c/0x138 + [] ret_from_fork+0x10/0x18 + +Cc: Joey Zheng +Reviewed-by: Sinan Kaya +Signed-off-by: Shunyong Yang +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/qcom/hidma.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/drivers/dma/qcom/hidma.c b/drivers/dma/qcom/hidma.c +index 43d4b00b8138..ea219bca116d 100644 +--- a/drivers/dma/qcom/hidma.c ++++ b/drivers/dma/qcom/hidma.c +@@ -138,24 +138,25 @@ static void hidma_process_completed(struct hidma_chan *mchan) + desc = &mdesc->desc; + last_cookie = desc->cookie; + ++ llstat = hidma_ll_status(mdma->lldev, mdesc->tre_ch); ++ + spin_lock_irqsave(&mchan->lock, irqflags); ++ if (llstat == DMA_COMPLETE) { ++ mchan->last_success = last_cookie; ++ result.result = DMA_TRANS_NOERROR; ++ } else { ++ result.result = DMA_TRANS_ABORTED; ++ } ++ + dma_cookie_complete(desc); + spin_unlock_irqrestore(&mchan->lock, irqflags); + +- llstat = hidma_ll_status(mdma->lldev, mdesc->tre_ch); + dmaengine_desc_get_callback(desc, &cb); + + dma_run_dependencies(desc); + + spin_lock_irqsave(&mchan->lock, irqflags); + list_move(&mdesc->node, &mchan->free); +- +- if (llstat == DMA_COMPLETE) { +- mchan->last_success = last_cookie; +- result.result = DMA_TRANS_NOERROR; +- } else +- result.result = DMA_TRANS_ABORTED; +- + spin_unlock_irqrestore(&mchan->lock, irqflags); + + dmaengine_desc_callback_invoke(&cb, &result); +-- +2.19.1 + diff --git a/queue-5.0/dmaengine-qcom_hidma-initialize-tx-flags-in-hidma_pr.patch b/queue-5.0/dmaengine-qcom_hidma-initialize-tx-flags-in-hidma_pr.patch new file mode 100644 index 00000000000..1dd0d2d0f86 --- /dev/null +++ b/queue-5.0/dmaengine-qcom_hidma-initialize-tx-flags-in-hidma_pr.patch @@ -0,0 +1,55 @@ +From 5d41442e376c7619d53085e56ac1575706dce848 Mon Sep 17 00:00:00 2001 +From: Shunyong Yang +Date: Mon, 7 Jan 2019 09:32:14 +0800 +Subject: dmaengine: qcom_hidma: initialize tx flags in hidma_prep_dma_* + +[ Upstream commit 875aac8a46424e5b73a9ff7f40b83311b609e407 ] + +In async_tx_test_ack(), it uses flags in struct dma_async_tx_descriptor +to check the ACK status. As hidma reuses the descriptor in a free list +when hidma_prep_dma_*(memcpy/memset) is called, the flag will keep ACKed +if the descriptor has been used before. This will cause a BUG_ON in +async_tx_quiesce(). + + kernel BUG at crypto/async_tx/async_tx.c:282! + Internal error: Oops - BUG: 0 1 SMP + ... + task: ffff8017dd3ec000 task.stack: ffff8017dd3e8000 + PC is at async_tx_quiesce+0x54/0x78 [async_tx] + LR is at async_trigger_callback+0x98/0x110 [async_tx] + +This patch initializes flags in dma_async_tx_descriptor by the flags +passed from the caller when hidma_prep_dma_*(memcpy/memset) is called. + +Cc: Joey Zheng +Reviewed-by: Sinan Kaya +Signed-off-by: Shunyong Yang +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/qcom/hidma.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/dma/qcom/hidma.c b/drivers/dma/qcom/hidma.c +index ea219bca116d..411f91fde734 100644 +--- a/drivers/dma/qcom/hidma.c ++++ b/drivers/dma/qcom/hidma.c +@@ -416,6 +416,7 @@ hidma_prep_dma_memcpy(struct dma_chan *dmach, dma_addr_t dest, dma_addr_t src, + if (!mdesc) + return NULL; + ++ mdesc->desc.flags = flags; + hidma_ll_set_transfer_params(mdma->lldev, mdesc->tre_ch, + src, dest, len, flags, + HIDMA_TRE_MEMCPY); +@@ -448,6 +449,7 @@ hidma_prep_dma_memset(struct dma_chan *dmach, dma_addr_t dest, int value, + if (!mdesc) + return NULL; + ++ mdesc->desc.flags = flags; + hidma_ll_set_transfer_params(mdma->lldev, mdesc->tre_ch, + value, dest, len, flags, + HIDMA_TRE_MEMSET); +-- +2.19.1 + diff --git a/queue-5.0/dmaengine-tegra-avoid-overflow-of-byte-tracking.patch b/queue-5.0/dmaengine-tegra-avoid-overflow-of-byte-tracking.patch new file mode 100644 index 00000000000..d3d9697bdd4 --- /dev/null +++ b/queue-5.0/dmaengine-tegra-avoid-overflow-of-byte-tracking.patch @@ -0,0 +1,55 @@ +From 44581730e9d919c7b5ec61f7c84ffa4a637d455d Mon Sep 17 00:00:00 2001 +From: Ben Dooks +Date: Wed, 21 Nov 2018 16:13:19 +0000 +Subject: dmaengine: tegra: avoid overflow of byte tracking + +[ Upstream commit e486df39305864604b7e25f2a95d51039517ac57 ] + +The dma_desc->bytes_transferred counter tracks the number of bytes +moved by the DMA channel. This is then used to calculate the information +passed back in the in the tegra_dma_tx_status callback, which is usually +fine. + +When the DMA channel is configured as continous, then the bytes_transferred +counter will increase over time and eventually overflow to become negative +so the residue count will become invalid and the ALSA sound-dma code will +report invalid hardware pointer values to the application. This results in +some users becoming confused about the playout position and putting audio +data in the wrong place. + +To fix this issue, always ensure the bytes_transferred field is modulo the +size of the request. We only do this for the case of the cyclic transfer +done ISR as anyone attempting to move 2GiB of DMA data in one transfer +is unlikely. + +Note, we don't fix the issue that we should /never/ transfer a negative +number of bytes so we could make those fields unsigned. + +Reviewed-by: Dmitry Osipenko +Signed-off-by: Ben Dooks +Acked-by: Jon Hunter +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/tegra20-apb-dma.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/dma/tegra20-apb-dma.c b/drivers/dma/tegra20-apb-dma.c +index 9a558e30c461..8219ab88a507 100644 +--- a/drivers/dma/tegra20-apb-dma.c ++++ b/drivers/dma/tegra20-apb-dma.c +@@ -636,7 +636,10 @@ static void handle_cont_sngl_cycle_dma_done(struct tegra_dma_channel *tdc, + + sgreq = list_first_entry(&tdc->pending_sg_req, typeof(*sgreq), node); + dma_desc = sgreq->dma_desc; +- dma_desc->bytes_transferred += sgreq->req_len; ++ /* if we dma for long enough the transfer count will wrap */ ++ dma_desc->bytes_transferred = ++ (dma_desc->bytes_transferred + sgreq->req_len) % ++ dma_desc->bytes_requested; + + /* Callback need to be call */ + if (!dma_desc->cb_count) +-- +2.19.1 + diff --git a/queue-5.0/docs-core-api-mm-fix-user-memory-accessors-formattin.patch b/queue-5.0/docs-core-api-mm-fix-user-memory-accessors-formattin.patch new file mode 100644 index 00000000000..a0b23acd5d3 --- /dev/null +++ b/queue-5.0/docs-core-api-mm-fix-user-memory-accessors-formattin.patch @@ -0,0 +1,178 @@ +From 345c1b40916b5d96a7d73c0b1b239a1f1874660c Mon Sep 17 00:00:00 2001 +From: Mike Rapoport +Date: Tue, 5 Mar 2019 15:48:39 -0800 +Subject: docs/core-api/mm: fix user memory accessors formatting + +[ Upstream commit bc8ff3ca6589d63c6d10f5ee8bed38f74851b469 ] + +The descriptions of userspace memory access functions had minor issues +with formatting that made kernel-doc unable to properly detect the +function/macro names and the return value sections: + +./arch/x86/include/asm/uaccess.h:80: info: Scanning doc for +./arch/x86/include/asm/uaccess.h:139: info: Scanning doc for +./arch/x86/include/asm/uaccess.h:231: info: Scanning doc for +./arch/x86/include/asm/uaccess.h:505: info: Scanning doc for +./arch/x86/include/asm/uaccess.h:530: info: Scanning doc for +./arch/x86/lib/usercopy_32.c:58: info: Scanning doc for +./arch/x86/lib/usercopy_32.c:69: warning: No description found for return +value of 'clear_user' +./arch/x86/lib/usercopy_32.c:78: info: Scanning doc for +./arch/x86/lib/usercopy_32.c:90: warning: No description found for return +value of '__clear_user' + +Fix the formatting. + +Link: http://lkml.kernel.org/r/1549549644-4903-3-git-send-email-rppt@linux.ibm.com +Signed-off-by: Mike Rapoport +Reviewed-by: Andrew Morton +Cc: Jonathan Corbet +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/uaccess.h | 24 ++++++++++++------------ + arch/x86/lib/usercopy_32.c | 8 ++++---- + 2 files changed, 16 insertions(+), 16 deletions(-) + +diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h +index c1334aaaa78d..f3aed639dccd 100644 +--- a/arch/x86/include/asm/uaccess.h ++++ b/arch/x86/include/asm/uaccess.h +@@ -76,7 +76,7 @@ static inline bool __chk_range_not_ok(unsigned long addr, unsigned long size, un + #endif + + /** +- * access_ok: - Checks if a user space pointer is valid ++ * access_ok - Checks if a user space pointer is valid + * @addr: User space pointer to start of block to check + * @size: Size of block to check + * +@@ -85,12 +85,12 @@ static inline bool __chk_range_not_ok(unsigned long addr, unsigned long size, un + * + * Checks if a pointer to a block of memory in user space is valid. + * +- * Returns true (nonzero) if the memory block may be valid, false (zero) +- * if it is definitely invalid. +- * + * Note that, depending on architecture, this function probably just + * checks that the pointer is in the user space range - after calling + * this function, memory access functions may still return -EFAULT. ++ * ++ * Return: true (nonzero) if the memory block may be valid, false (zero) ++ * if it is definitely invalid. + */ + #define access_ok(addr, size) \ + ({ \ +@@ -135,7 +135,7 @@ extern int __get_user_bad(void); + __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL)) + + /** +- * get_user: - Get a simple variable from user space. ++ * get_user - Get a simple variable from user space. + * @x: Variable to store result. + * @ptr: Source address, in user space. + * +@@ -149,7 +149,7 @@ __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL)) + * @ptr must have pointer-to-simple-variable type, and the result of + * dereferencing @ptr must be assignable to @x without a cast. + * +- * Returns zero on success, or -EFAULT on error. ++ * Return: zero on success, or -EFAULT on error. + * On error, the variable @x is set to zero. + */ + /* +@@ -227,7 +227,7 @@ extern void __put_user_4(void); + extern void __put_user_8(void); + + /** +- * put_user: - Write a simple value into user space. ++ * put_user - Write a simple value into user space. + * @x: Value to copy to user space. + * @ptr: Destination address, in user space. + * +@@ -241,7 +241,7 @@ extern void __put_user_8(void); + * @ptr must have pointer-to-simple-variable type, and @x must be assignable + * to the result of dereferencing @ptr. + * +- * Returns zero on success, or -EFAULT on error. ++ * Return: zero on success, or -EFAULT on error. + */ + #define put_user(x, ptr) \ + ({ \ +@@ -503,7 +503,7 @@ struct __large_struct { unsigned long buf[100]; }; + } while (0) + + /** +- * __get_user: - Get a simple variable from user space, with less checking. ++ * __get_user - Get a simple variable from user space, with less checking. + * @x: Variable to store result. + * @ptr: Source address, in user space. + * +@@ -520,7 +520,7 @@ struct __large_struct { unsigned long buf[100]; }; + * Caller must check the pointer with access_ok() before calling this + * function. + * +- * Returns zero on success, or -EFAULT on error. ++ * Return: zero on success, or -EFAULT on error. + * On error, the variable @x is set to zero. + */ + +@@ -528,7 +528,7 @@ struct __large_struct { unsigned long buf[100]; }; + __get_user_nocheck((x), (ptr), sizeof(*(ptr))) + + /** +- * __put_user: - Write a simple value into user space, with less checking. ++ * __put_user - Write a simple value into user space, with less checking. + * @x: Value to copy to user space. + * @ptr: Destination address, in user space. + * +@@ -545,7 +545,7 @@ struct __large_struct { unsigned long buf[100]; }; + * Caller must check the pointer with access_ok() before calling this + * function. + * +- * Returns zero on success, or -EFAULT on error. ++ * Return: zero on success, or -EFAULT on error. + */ + + #define __put_user(x, ptr) \ +diff --git a/arch/x86/lib/usercopy_32.c b/arch/x86/lib/usercopy_32.c +index bfd94e7812fc..7d290777246d 100644 +--- a/arch/x86/lib/usercopy_32.c ++++ b/arch/x86/lib/usercopy_32.c +@@ -54,13 +54,13 @@ do { \ + } while (0) + + /** +- * clear_user: - Zero a block of memory in user space. ++ * clear_user - Zero a block of memory in user space. + * @to: Destination address, in user space. + * @n: Number of bytes to zero. + * + * Zero a block of memory in user space. + * +- * Returns number of bytes that could not be cleared. ++ * Return: number of bytes that could not be cleared. + * On success, this will be zero. + */ + unsigned long +@@ -74,14 +74,14 @@ clear_user(void __user *to, unsigned long n) + EXPORT_SYMBOL(clear_user); + + /** +- * __clear_user: - Zero a block of memory in user space, with less checking. ++ * __clear_user - Zero a block of memory in user space, with less checking. + * @to: Destination address, in user space. + * @n: Number of bytes to zero. + * + * Zero a block of memory in user space. Caller must check + * the specified block with access_ok() before calling this function. + * +- * Returns number of bytes that could not be cleared. ++ * Return: number of bytes that could not be cleared. + * On success, this will be zero. + */ + unsigned long +-- +2.19.1 + diff --git a/queue-5.0/drm-amd-display-clear-stream-mode_changed-after-comm.patch b/queue-5.0/drm-amd-display-clear-stream-mode_changed-after-comm.patch new file mode 100644 index 00000000000..cbf94442337 --- /dev/null +++ b/queue-5.0/drm-amd-display-clear-stream-mode_changed-after-comm.patch @@ -0,0 +1,53 @@ +From 7a25993a5ade9be6f4bcc102aa0c82d2ab41835b Mon Sep 17 00:00:00 2001 +From: Nicholas Kazlauskas +Date: Fri, 25 Jan 2019 15:23:09 -0500 +Subject: drm/amd/display: Clear stream->mode_changed after commit + +[ Upstream commit d8d2f174bcc2c26c3485c70e0c6fe22b27bce739 ] + +[Why] +The stream->mode_changed flag can persist in the following sequence +of atomic commits: + +Commit 1: +Enable CRTC0 (mode_changed = true), Enable CRTC1 (mode_changed = true) + +Commit 2: +Disable CRTC1 (mode_changed = false) + +In this sequence we want to keep the exiting CRTC0 but it's not in the +atomic state for the commit since it hasn't been modified. In this case +the stream->mode_changed flag persists as true and we don't re-program +the planes for the existing stream. + +[How] +The flag needs to be cleared and it makes the most sense to do it within +DC after the state has been committed. Nothing following dc_commit_state +should think that the stream's mode has changed. + +Signed-off-by: Nicholas Kazlauskas +Reviewed-by: Leo Li +Acked-by: Tony Cheng +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/core/dc.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/amd/display/dc/core/dc.c b/drivers/gpu/drm/amd/display/dc/core/dc.c +index 5fd52094d459..1f92e7e8e3d3 100644 +--- a/drivers/gpu/drm/amd/display/dc/core/dc.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc.c +@@ -1078,6 +1078,9 @@ static enum dc_status dc_commit_state_no_check(struct dc *dc, struct dc_state *c + /* pplib is notified if disp_num changed */ + dc->hwss.optimize_bandwidth(dc, context); + ++ for (i = 0; i < context->stream_count; i++) ++ context->streams[i]->mode_changed = false; ++ + dc_release_state(dc->current_state); + + dc->current_state = context; +-- +2.19.1 + diff --git a/queue-5.0/drm-amd-display-disconnect-mpcc-when-changing-tg.patch b/queue-5.0/drm-amd-display-disconnect-mpcc-when-changing-tg.patch new file mode 100644 index 00000000000..72b425fe600 --- /dev/null +++ b/queue-5.0/drm-amd-display-disconnect-mpcc-when-changing-tg.patch @@ -0,0 +1,71 @@ +From 178e38831022826d7db2316f3ef6efe328d016df Mon Sep 17 00:00:00 2001 +From: Nicholas Kazlauskas +Date: Wed, 23 Jan 2019 13:50:17 -0500 +Subject: drm/amd/display: Disconnect mpcc when changing tg + +[ Upstream commit 77476360f173c127c191bfe8ca8113130ef283b8 ] + +[Why] +This fixes an mpc programming error for the following sequence of +atomic commits when pipe split is enabled: + +Commit 1: CRTC0 (plane 4, plane 3) + +Pipe 0: old_plane_state = A0, new_plane_state = A1, new_tg = T0 +Pipe 1: old_plane_state = B0, new_plane_state = B1, new_tg = T0 +Pipe 2: old_plane_state = A0, new_plane_state = A1, new_tg = T0 +Pipe 3: old_plane_state = B0, new_plane_state = B1, new_tg = T0 + +Commit 2: CRTC0 (plane 3), CRTC1 (plane 2) + +Pipe 0: old_plane_state = A1, new_plane_state = A2, new_tg = T0 +Pipe 1: old_plane_state = B1, new_plane_state = B2, new_tg = T1 +Pipe 2: old_plane_state = A1, new_plane_state = NULL, new_tg = NULL +Pipe 3: old_plane_state = B1, new_plane_state = NULL, new_tg = NULL + +In the second commit the assertion for mpcc in use is hit because +mpcc disconnect never occurs for pipe 1. This is because the stream +changes for pipe 1 and the opp_list is empty. + +This sequence occurs when running the +"igt@kms_plane_multiple@atomic-pipe-A-tiling-none" test with two +displays connected. + +[How] +Expand the reset condition to include: + +"old_pipe_ctx->stream_res.tg != new_pipe_ctx->stream_res.tg" + +...but only when the plane state is non-NULL for both old and new. + +Signed-off-by: Nicholas Kazlauskas +Reviewed-by: Dmytro Laktyushkin +Reviewed-by: Tony Cheng +Acked-by: Bhawanpreet Lakha +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c +index 41883c981789..a684b38332ac 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c +@@ -2334,9 +2334,10 @@ static void dcn10_apply_ctx_for_surface( + } + } + +- if (!pipe_ctx->plane_state && +- old_pipe_ctx->plane_state && +- old_pipe_ctx->stream_res.tg == tg) { ++ if ((!pipe_ctx->plane_state || ++ pipe_ctx->stream_res.tg != old_pipe_ctx->stream_res.tg) && ++ old_pipe_ctx->plane_state && ++ old_pipe_ctx->stream_res.tg == tg) { + + dc->hwss.plane_atomic_disconnect(dc, old_pipe_ctx); + removed_pipe[i] = true; +-- +2.19.1 + diff --git a/queue-5.0/drm-amd-display-don-t-re-program-planes-for-dpms-cha.patch b/queue-5.0/drm-amd-display-don-t-re-program-planes-for-dpms-cha.patch new file mode 100644 index 00000000000..d6a8f92012d --- /dev/null +++ b/queue-5.0/drm-amd-display-don-t-re-program-planes-for-dpms-cha.patch @@ -0,0 +1,64 @@ +From b1cd3d1a2c1b347c809225aa0568329ff194f8cf Mon Sep 17 00:00:00 2001 +From: Nicholas Kazlauskas +Date: Wed, 23 Jan 2019 14:55:58 -0500 +Subject: drm/amd/display: Don't re-program planes for DPMS changes + +[ Upstream commit 5062b797db4103218fa00ee254417b8ecaab7401 ] + +[Why] +There are opt1c lock warnings and CRTC read timeouts when running the +"igt@kms_plane@plane-position-hole-dpms-pipe-*" tests. These are +caused by trying to reprogram planes that are not in the current +context. + +DPMS off removes the stream from the context. In this case: + +new_crtc_state->active_changed = true +new_crtc_state->mode_changed = false + +The planes are reprogrammed before the stream is removed from the +context because stream_state->mode_changed = false. + +For DPMS adds the stream and planes back to the context: + +new_crtc_state->active_changed = true +new_crtc_state->mode_changed = false + +The planes are also reprogrammed here before the stream is added to the +context because stream_state->mode_changed = true. They were not +previously in the current context so warnings occur here. + +[How] +Set stream_state->mode_changed = true when +new_crtc_state->active_changed = true too. + +This prevents reprogramming before the context is applied in DC. The +programming will be done after the context is applied. + +Signed-off-by: Nicholas Kazlauskas +Reviewed-by: Sun peng Li +Acked-by: Bhawanpreet Lakha +Acked-by: Tony Cheng +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +index 6d77fd966dbd..0040605cace8 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -4975,7 +4975,8 @@ static void amdgpu_dm_commit_planes(struct drm_atomic_state *state, + static void amdgpu_dm_crtc_copy_transient_flags(struct drm_crtc_state *crtc_state, + struct dc_stream_state *stream_state) + { +- stream_state->mode_changed = crtc_state->mode_changed; ++ stream_state->mode_changed = ++ crtc_state->mode_changed || crtc_state->active_changed; + } + + static int amdgpu_dm_atomic_commit(struct drm_device *dev, +-- +2.19.1 + diff --git a/queue-5.0/drm-amd-display-enable-vblank-interrupt-during-crc-c.patch b/queue-5.0/drm-amd-display-enable-vblank-interrupt-during-crc-c.patch new file mode 100644 index 00000000000..446e4378ff1 --- /dev/null +++ b/queue-5.0/drm-amd-display-enable-vblank-interrupt-during-crc-c.patch @@ -0,0 +1,133 @@ +From bd5341a6311044982f9c276647289e57b050a120 Mon Sep 17 00:00:00 2001 +From: Nicholas Kazlauskas +Date: Mon, 14 Jan 2019 16:04:10 -0500 +Subject: drm/amd/display: Enable vblank interrupt during CRC capture + +[ Upstream commit 428da2bdb05d76c48d0bd8fbfa2e4c102685be08 ] + +[Why] +In order to read CRC events when CRC capture is enabled the vblank +interrput handler needs to be running for the CRTC. The handler is +enabled while there is an active vblank reference. + +When running IGT tests there will often be no active vblank reference +but the test expects to read a CRC value. This is valid usage (and +works on i915 since they have a CRC interrupt handler) so the reference +to the vblank should be grabbed while capture is active. + +This issue was found running: + +igt@kms_plane_multiple@atomic-pipe-b-tiling-none + +The pipe-b is the only one in the initial commit and was not previously +active so no vblank reference is grabbed. The vblank interrupt is +not enabled and the test times out. + +[How] +Keep a reference to the vblank as long as CRC capture is enabled. +If userspace never explicitly disables it then the reference is +also dropped when removing the CRTC from the context (stream = NULL). + +Signed-off-by: Nicholas Kazlauskas +Reviewed-by: Harry Wentland +Reviewed-by: Sun peng Li +Acked-by: Leo Li +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 14 ++++++- + .../drm/amd/display/amdgpu_dm/amdgpu_dm_crc.c | 42 +++++++++---------- + 2 files changed, 34 insertions(+), 22 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +index 0040605cace8..83c8a0407537 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -4997,10 +4997,22 @@ static int amdgpu_dm_atomic_commit(struct drm_device *dev, + */ + for_each_oldnew_crtc_in_state(state, crtc, old_crtc_state, new_crtc_state, i) { + struct dm_crtc_state *dm_old_crtc_state = to_dm_crtc_state(old_crtc_state); ++ struct dm_crtc_state *dm_new_crtc_state = to_dm_crtc_state(new_crtc_state); + struct amdgpu_crtc *acrtc = to_amdgpu_crtc(crtc); + +- if (drm_atomic_crtc_needs_modeset(new_crtc_state) && dm_old_crtc_state->stream) ++ if (drm_atomic_crtc_needs_modeset(new_crtc_state) ++ && dm_old_crtc_state->stream) { ++ /* ++ * CRC capture was enabled but not disabled. ++ * Release the vblank reference. ++ */ ++ if (dm_new_crtc_state->crc_enabled) { ++ drm_crtc_vblank_put(crtc); ++ dm_new_crtc_state->crc_enabled = false; ++ } ++ + manage_dm_interrupts(adev, acrtc, false); ++ } + } + /* + * Add check here for SoC's that support hardware cursor plane, to +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crc.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crc.c +index f088ac585978..26b651148c67 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crc.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crc.c +@@ -66,6 +66,7 @@ int amdgpu_dm_crtc_set_crc_source(struct drm_crtc *crtc, const char *src_name) + { + struct dm_crtc_state *crtc_state = to_dm_crtc_state(crtc->state); + struct dc_stream_state *stream_state = crtc_state->stream; ++ bool enable; + + enum amdgpu_dm_pipe_crc_source source = dm_parse_crc_source(src_name); + +@@ -80,28 +81,27 @@ int amdgpu_dm_crtc_set_crc_source(struct drm_crtc *crtc, const char *src_name) + return -EINVAL; + } + ++ enable = (source == AMDGPU_DM_PIPE_CRC_SOURCE_AUTO); ++ ++ if (!dc_stream_configure_crc(stream_state->ctx->dc, stream_state, ++ enable, enable)) ++ return -EINVAL; ++ + /* When enabling CRC, we should also disable dithering. */ +- if (source == AMDGPU_DM_PIPE_CRC_SOURCE_AUTO) { +- if (dc_stream_configure_crc(stream_state->ctx->dc, +- stream_state, +- true, true)) { +- crtc_state->crc_enabled = true; +- dc_stream_set_dither_option(stream_state, +- DITHER_OPTION_TRUN8); +- } +- else +- return -EINVAL; +- } else { +- if (dc_stream_configure_crc(stream_state->ctx->dc, +- stream_state, +- false, false)) { +- crtc_state->crc_enabled = false; +- dc_stream_set_dither_option(stream_state, +- DITHER_OPTION_DEFAULT); +- } +- else +- return -EINVAL; +- } ++ dc_stream_set_dither_option(stream_state, ++ enable ? DITHER_OPTION_TRUN8 ++ : DITHER_OPTION_DEFAULT); ++ ++ /* ++ * Reading the CRC requires the vblank interrupt handler to be ++ * enabled. Keep a reference until CRC capture stops. ++ */ ++ if (!crtc_state->crc_enabled && enable) ++ drm_crtc_vblank_get(crtc); ++ else if (crtc_state->crc_enabled && !enable) ++ drm_crtc_vblank_put(crtc); ++ ++ crtc_state->crc_enabled = enable; + + /* Reset crc_skipped on dm state */ + crtc_state->crc_skip_count = 0; +-- +2.19.1 + diff --git a/queue-5.0/drm-amd-display-fix-reference-counting-for-struct-dc.patch b/queue-5.0/drm-amd-display-fix-reference-counting-for-struct-dc.patch new file mode 100644 index 00000000000..7e27ebdf73c --- /dev/null +++ b/queue-5.0/drm-amd-display-fix-reference-counting-for-struct-dc.patch @@ -0,0 +1,261 @@ +From a8987356ace1969ad17c5ced67f56822ea7f2705 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mathias=20Fr=C3=B6hlich?= +Date: Sun, 10 Feb 2019 11:13:01 +0100 +Subject: drm/amd/display: Fix reference counting for struct dc_sink. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit dcd5fb82ffb484124203aa339733663ac0b059f3 ] + +Reference counting in amdgpu_dm_connector for amdgpu_dm_connector::dc_sink +and amdgpu_dm_connector::dc_em_sink as well as in dc_link::local_sink seems +to be out of shape. Thus make reference counting consistent for these +members and just plain increment the reference count when the variable +gets assigned and decrement when the pointer is set to zero or replaced. +Also simplify reference counting in selected function sopes to be sure the +reference is released in any case. In some cases add NULL pointer check +before dereferencing. +At a hand full of places a comment is placed to stat that the reference +increment happened already somewhere else. + +This actually fixes the following kernel bug on my system when enabling +display core in amdgpu. There are some more similar bug reports around, +so it probably helps at more places. + + kernel BUG at mm/slub.c:294! + invalid opcode: 0000 [#1] SMP PTI + CPU: 9 PID: 1180 Comm: Xorg Not tainted 5.0.0-rc1+ #2 + Hardware name: Supermicro X10DAi/X10DAI, BIOS 3.0a 02/05/2018 + RIP: 0010:__slab_free+0x1e2/0x3d0 + Code: 8b 54 24 30 48 89 4c 24 28 e8 da fb ff ff 4c 8b 54 24 28 85 c0 0f 85 67 fe ff ff 48 8d 65 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 <0f> 0b 49 3b 5c 24 28 75 ab 48 8b 44 24 30 49 89 4c 24 28 49 89 44 + RSP: 0018:ffffb0978589fa90 EFLAGS: 00010246 + RAX: ffff92f12806c400 RBX: 0000000080200019 RCX: ffff92f12806c400 + RDX: ffff92f12806c400 RSI: ffffdd6421a01a00 RDI: ffff92ed2f406e80 + RBP: ffffb0978589fb40 R08: 0000000000000001 R09: ffffffffc0ee4748 + R10: ffff92f12806c400 R11: 0000000000000001 R12: ffffdd6421a01a00 + R13: ffff92f12806c400 R14: ffff92ed2f406e80 R15: ffffdd6421a01a20 + FS: 00007f4170be0ac0(0000) GS:ffff92ed2fb40000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000562818aaa000 CR3: 000000045745a002 CR4: 00000000003606e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + Call Trace: + ? drm_dbg+0x87/0x90 [drm] + dc_stream_release+0x28/0x50 [amdgpu] + amdgpu_dm_connector_mode_valid+0xb4/0x1f0 [amdgpu] + drm_helper_probe_single_connector_modes+0x492/0x6b0 [drm_kms_helper] + drm_mode_getconnector+0x457/0x490 [drm] + ? drm_connector_property_set_ioctl+0x60/0x60 [drm] + drm_ioctl_kernel+0xa9/0xf0 [drm] + drm_ioctl+0x201/0x3a0 [drm] + ? drm_connector_property_set_ioctl+0x60/0x60 [drm] + amdgpu_drm_ioctl+0x49/0x80 [amdgpu] + do_vfs_ioctl+0xa4/0x630 + ? __sys_recvmsg+0x83/0xa0 + ksys_ioctl+0x60/0x90 + __x64_sys_ioctl+0x16/0x20 + do_syscall_64+0x5b/0x160 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + RIP: 0033:0x7f417110809b + Code: 0f 1e fa 48 8b 05 ed bd 0c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d bd bd 0c 00 f7 d8 64 89 01 48 + RSP: 002b:00007ffdd8d1c268 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 + RAX: ffffffffffffffda RBX: 0000562818a8ebc0 RCX: 00007f417110809b + RDX: 00007ffdd8d1c2a0 RSI: 00000000c05064a7 RDI: 0000000000000012 + RBP: 00007ffdd8d1c2a0 R08: 0000562819012280 R09: 0000000000000007 + R10: 0000000000000000 R11: 0000000000000246 R12: 00000000c05064a7 + R13: 0000000000000012 R14: 0000000000000012 R15: 00007ffdd8d1c2a0 + Modules linked in: nfsv4 dns_resolver nfs lockd grace fscache fuse vfat fat amdgpu intel_rapl sb_edac x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm irqbypass crct10dif_pclmul chash gpu_sched crc32_pclmul snd_hda_codec_realtek ghash_clmulni_intel amd_iommu_v2 iTCO_wdt iTCO_vendor_support ttm snd_hda_codec_generic snd_hda_codec_hdmi ledtrig_audio snd_hda_intel drm_kms_helper snd_hda_codec intel_cstate snd_hda_core drm snd_hwdep snd_seq snd_seq_device intel_uncore snd_pcm intel_rapl_perf snd_timer snd soundcore ioatdma pcspkr intel_wmi_thunderbolt mxm_wmi i2c_i801 lpc_ich pcc_cpufreq auth_rpcgss sunrpc igb crc32c_intel i2c_algo_bit dca wmi hid_cherry analog gameport joydev + +This patch is based on agd5f/drm-next-5.1-wip. This patch does not require +all of that, but agd5f/drm-next-5.1-wip contains at least one more dc_sink +counting fix that I could spot. + +Signed-off-by: Mathias Fröhlich +Reviewed-by: Leo Li +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 43 +++++++++++++++---- + .../display/amdgpu_dm/amdgpu_dm_mst_types.c | 1 + + drivers/gpu/drm/amd/display/dc/core/dc_link.c | 1 + + 3 files changed, 37 insertions(+), 8 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +index 636d14a60952..6d77fd966dbd 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -886,6 +886,7 @@ static void emulated_link_detect(struct dc_link *link) + return; + } + ++ /* dc_sink_create returns a new reference */ + link->local_sink = sink; + + edid_status = dm_helpers_read_local_edid( +@@ -952,6 +953,8 @@ static int dm_resume(void *handle) + if (aconnector->fake_enable && aconnector->dc_link->local_sink) + aconnector->fake_enable = false; + ++ if (aconnector->dc_sink) ++ dc_sink_release(aconnector->dc_sink); + aconnector->dc_sink = NULL; + amdgpu_dm_update_connector_after_detect(aconnector); + mutex_unlock(&aconnector->hpd_lock); +@@ -1061,6 +1064,8 @@ amdgpu_dm_update_connector_after_detect(struct amdgpu_dm_connector *aconnector) + + + sink = aconnector->dc_link->local_sink; ++ if (sink) ++ dc_sink_retain(sink); + + /* + * Edid mgmt connector gets first update only in mode_valid hook and then +@@ -1085,21 +1090,24 @@ amdgpu_dm_update_connector_after_detect(struct amdgpu_dm_connector *aconnector) + * to it anymore after disconnect, so on next crtc to connector + * reshuffle by UMD we will get into unwanted dc_sink release + */ +- if (aconnector->dc_sink != aconnector->dc_em_sink) +- dc_sink_release(aconnector->dc_sink); ++ dc_sink_release(aconnector->dc_sink); + } + aconnector->dc_sink = sink; ++ dc_sink_retain(aconnector->dc_sink); + amdgpu_dm_update_freesync_caps(connector, + aconnector->edid); + } else { + amdgpu_dm_update_freesync_caps(connector, NULL); +- if (!aconnector->dc_sink) ++ if (!aconnector->dc_sink) { + aconnector->dc_sink = aconnector->dc_em_sink; +- else if (aconnector->dc_sink != aconnector->dc_em_sink) + dc_sink_retain(aconnector->dc_sink); ++ } + } + + mutex_unlock(&dev->mode_config.mutex); ++ ++ if (sink) ++ dc_sink_release(sink); + return; + } + +@@ -1107,8 +1115,10 @@ amdgpu_dm_update_connector_after_detect(struct amdgpu_dm_connector *aconnector) + * TODO: temporary guard to look for proper fix + * if this sink is MST sink, we should not do anything + */ +- if (sink && sink->sink_signal == SIGNAL_TYPE_DISPLAY_PORT_MST) ++ if (sink && sink->sink_signal == SIGNAL_TYPE_DISPLAY_PORT_MST) { ++ dc_sink_release(sink); + return; ++ } + + if (aconnector->dc_sink == sink) { + /* +@@ -1117,6 +1127,8 @@ amdgpu_dm_update_connector_after_detect(struct amdgpu_dm_connector *aconnector) + */ + DRM_DEBUG_DRIVER("DCHPD: connector_id=%d: dc_sink didn't change.\n", + aconnector->connector_id); ++ if (sink) ++ dc_sink_release(sink); + return; + } + +@@ -1138,6 +1150,7 @@ amdgpu_dm_update_connector_after_detect(struct amdgpu_dm_connector *aconnector) + amdgpu_dm_update_freesync_caps(connector, NULL); + + aconnector->dc_sink = sink; ++ dc_sink_retain(aconnector->dc_sink); + if (sink->dc_edid.length == 0) { + aconnector->edid = NULL; + drm_dp_cec_unset_edid(&aconnector->dm_dp_aux.aux); +@@ -1158,11 +1171,15 @@ amdgpu_dm_update_connector_after_detect(struct amdgpu_dm_connector *aconnector) + amdgpu_dm_update_freesync_caps(connector, NULL); + drm_connector_update_edid_property(connector, NULL); + aconnector->num_modes = 0; ++ dc_sink_release(aconnector->dc_sink); + aconnector->dc_sink = NULL; + aconnector->edid = NULL; + } + + mutex_unlock(&dev->mode_config.mutex); ++ ++ if (sink) ++ dc_sink_release(sink); + } + + static void handle_hpd_irq(void *param) +@@ -2908,6 +2925,7 @@ create_stream_for_sink(struct amdgpu_dm_connector *aconnector, + } + } else { + sink = aconnector->dc_sink; ++ dc_sink_retain(sink); + } + + stream = dc_create_stream_for_sink(sink); +@@ -2974,8 +2992,7 @@ create_stream_for_sink(struct amdgpu_dm_connector *aconnector, + stream->ignore_msa_timing_param = true; + + finish: +- if (sink && sink->sink_signal == SIGNAL_TYPE_VIRTUAL && aconnector->base.force != DRM_FORCE_ON) +- dc_sink_release(sink); ++ dc_sink_release(sink); + + return stream; + } +@@ -3233,6 +3250,14 @@ static void amdgpu_dm_connector_destroy(struct drm_connector *connector) + dm->backlight_dev = NULL; + } + #endif ++ ++ if (aconnector->dc_em_sink) ++ dc_sink_release(aconnector->dc_em_sink); ++ aconnector->dc_em_sink = NULL; ++ if (aconnector->dc_sink) ++ dc_sink_release(aconnector->dc_sink); ++ aconnector->dc_sink = NULL; ++ + drm_dp_cec_unregister_connector(&aconnector->dm_dp_aux.aux); + drm_connector_unregister(connector); + drm_connector_cleanup(connector); +@@ -3330,10 +3355,12 @@ static void create_eml_sink(struct amdgpu_dm_connector *aconnector) + (edid->extensions + 1) * EDID_LENGTH, + &init_params); + +- if (aconnector->base.force == DRM_FORCE_ON) ++ if (aconnector->base.force == DRM_FORCE_ON) { + aconnector->dc_sink = aconnector->dc_link->local_sink ? + aconnector->dc_link->local_sink : + aconnector->dc_em_sink; ++ dc_sink_retain(aconnector->dc_sink); ++ } + } + + static void handle_edid_mgmt(struct amdgpu_dm_connector *aconnector) +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c +index 1b0d209d8367..3b95a637b508 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c +@@ -239,6 +239,7 @@ static int dm_dp_mst_get_modes(struct drm_connector *connector) + &init_params); + + dc_sink->priv = aconnector; ++ /* dc_link_add_remote_sink returns a new reference */ + aconnector->dc_sink = dc_sink; + + if (aconnector->dc_sink) +diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_link.c b/drivers/gpu/drm/amd/display/dc/core/dc_link.c +index b0265dbebd4c..583eb367850f 100644 +--- a/drivers/gpu/drm/amd/display/dc/core/dc_link.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc_link.c +@@ -792,6 +792,7 @@ bool dc_link_detect(struct dc_link *link, enum dc_detect_reason reason) + sink->dongle_max_pix_clk = sink_caps.max_hdmi_pixel_clock; + sink->converter_disable_audio = converter_disable_audio; + ++ /* dc_sink_create returns a new reference */ + link->local_sink = sink; + + edid_status = dm_helpers_read_local_edid( +-- +2.19.1 + diff --git a/queue-5.0/drm-auto-set-allow_fb_modifiers-when-given-modifiers.patch b/queue-5.0/drm-auto-set-allow_fb_modifiers-when-given-modifiers.patch new file mode 100644 index 00000000000..d6daee3312a --- /dev/null +++ b/queue-5.0/drm-auto-set-allow_fb_modifiers-when-given-modifiers.patch @@ -0,0 +1,46 @@ +From cad18f23efd8fc95c78925796c2f6a070010a892 Mon Sep 17 00:00:00 2001 +From: Paul Kocialkowski +Date: Fri, 4 Jan 2019 09:56:10 +0100 +Subject: drm: Auto-set allow_fb_modifiers when given modifiers at plane init + +[ Upstream commit 890880ddfdbe256083170866e49c87618b706ac7 ] + +When drivers pass non-empty lists of modifiers for initializing their +planes, we can infer that they allow framebuffer modifiers and set the +driver's allow_fb_modifiers mode config element. + +In case the allow_fb_modifiers element was not set (some drivers tend +to set them after registering planes), the modifiers will still be +registered but won't be available to userspace unless the flag is set +later. However in that case, the IN_FORMATS blob won't be created. + +In order to avoid this case and generally reduce the trouble associated +with the flag, always set allow_fb_modifiers when a non-empty list of +format modifiers is passed at plane init. + +Reviewed-by: Daniel Vetter +Signed-off-by: Paul Kocialkowski +Signed-off-by: Maxime Ripard +Link: https://patchwork.freedesktop.org/patch/msgid/20190104085610.5829-1-paul.kocialkowski@bootlin.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_plane.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/drm_plane.c b/drivers/gpu/drm/drm_plane.c +index 5f650d8fc66b..4cfb56893b7f 100644 +--- a/drivers/gpu/drm/drm_plane.c ++++ b/drivers/gpu/drm/drm_plane.c +@@ -220,6 +220,9 @@ int drm_universal_plane_init(struct drm_device *dev, struct drm_plane *plane, + format_modifier_count++; + } + ++ if (format_modifier_count) ++ config->allow_fb_modifiers = true; ++ + plane->modifier_count = format_modifier_count; + plane->modifiers = kmalloc_array(format_modifier_count, + sizeof(format_modifiers[0]), +-- +2.19.1 + diff --git a/queue-5.0/drm-dp-mst-configure-no_stop_bit-correctly-for-remot.patch b/queue-5.0/drm-dp-mst-configure-no_stop_bit-correctly-for-remot.patch new file mode 100644 index 00000000000..dfb6558097c --- /dev/null +++ b/queue-5.0/drm-dp-mst-configure-no_stop_bit-correctly-for-remot.patch @@ -0,0 +1,48 @@ +From 0f86321774e2465784b4650546d327ed86fe7b4a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Date: Fri, 28 Sep 2018 21:03:59 +0300 +Subject: drm/dp/mst: Configure no_stop_bit correctly for remote i2c xfers +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit c978ae9bde582e82a04c63a4071701691dd8b35c ] + +We aren't supposed to force a stop+start between every i2c msg +when performing multi message transfers. This should eg. cause +the DDC segment address to be reset back to 0 between writing +the segment address and reading the actual EDID extension block. + +To quote the E-DDC spec: +"... this standard requires that the segment pointer be + reset to 00h when a NO ACK or a STOP condition is received." + +Since we're going to touch this might as well consult the +I2C_M_STOP flag to determine whether we want to force the stop +or not. + +Cc: Brian Vincent +References: https://bugs.freedesktop.org/show_bug.cgi?id=108081 +Signed-off-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20180928180403.22499-1-ville.syrjala@linux.intel.com +Reviewed-by: Dhinakaran Pandiyan +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_dp_mst_topology.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/drm_dp_mst_topology.c b/drivers/gpu/drm/drm_dp_mst_topology.c +index 529414556962..1a244c53252c 100644 +--- a/drivers/gpu/drm/drm_dp_mst_topology.c ++++ b/drivers/gpu/drm/drm_dp_mst_topology.c +@@ -3286,6 +3286,7 @@ static int drm_dp_mst_i2c_xfer(struct i2c_adapter *adapter, struct i2c_msg *msgs + msg.u.i2c_read.transactions[i].i2c_dev_id = msgs[i].addr; + msg.u.i2c_read.transactions[i].num_bytes = msgs[i].len; + msg.u.i2c_read.transactions[i].bytes = msgs[i].buf; ++ msg.u.i2c_read.transactions[i].no_stop_bit = !(msgs[i].flags & I2C_M_STOP); + } + msg.u.i2c_read.read_i2c_device_id = msgs[num - 1].addr; + msg.u.i2c_read.num_bytes_read = msgs[num - 1].len; +-- +2.19.1 + diff --git a/queue-5.0/drm-fb-helper-fix-leaks-in-error-path-of-drm_fb_help.patch b/queue-5.0/drm-fb-helper-fix-leaks-in-error-path-of-drm_fb_help.patch new file mode 100644 index 00000000000..aafe076d8ae --- /dev/null +++ b/queue-5.0/drm-fb-helper-fix-leaks-in-error-path-of-drm_fb_help.patch @@ -0,0 +1,67 @@ +From c81c43d2e347cd2f2537b4ea4e39da31f42113aa Mon Sep 17 00:00:00 2001 +From: Peter Wu +Date: Sun, 23 Dec 2018 01:55:07 +0100 +Subject: drm/fb-helper: fix leaks in error path of drm_fb_helper_fbdev_setup +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 00eb5b0da8d27b3c944bfc959c3344d665caae26 ] + +After drm_fb_helper_fbdev_setup calls drm_fb_helper_init, +"dev->fb_helper" will be initialized (and thus drm_fb_helper_fini will +have some effect). After that, drm_fb_helper_initial_config is called +which may call the "fb_probe" driver callback. + +This driver callback may call drm_fb_helper_defio_init (as is done by +drm_fb_helper_generic_probe) or set a framebuffer (as is done by bochs) +as documented. These are normally cleaned up on exit by +drm_fb_helper_fbdev_teardown which also calls drm_fb_helper_fini. + +If an error occurs after "fb_probe", but before setup is complete, then +calling just drm_fb_helper_fini will leak resources. This was triggered +by df2052cc922 ("bochs: convert to drm_fb_helper_fbdev_setup/teardown"): + + [ 50.008030] bochsdrmfb: enable CONFIG_FB_LITTLE_ENDIAN to support this framebuffer + [ 50.009436] bochs-drm 0000:00:02.0: [drm:drm_fb_helper_fbdev_setup] *ERROR* fbdev: Failed to set configuration (ret=-38) + [ 50.011456] [drm] Initialized bochs-drm 1.0.0 20130925 for 0000:00:02.0 on minor 2 + [ 50.013604] WARNING: CPU: 1 PID: 1 at drivers/gpu/drm/drm_mode_config.c:477 drm_mode_config_cleanup+0x280/0x2a0 + [ 50.016175] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G T 4.20.0-rc7 #1 + [ 50.017732] EIP: drm_mode_config_cleanup+0x280/0x2a0 + ... + [ 50.023155] Call Trace: + [ 50.023155] ? bochs_kms_fini+0x1e/0x30 + [ 50.023155] ? bochs_unload+0x18/0x40 + +This can be reproduced with QEMU and CONFIG_FB_LITTLE_ENDIAN=n. + +Link: https://lkml.kernel.org/r/20181221083226.GI23332@shao2-debian +Link: https://lkml.kernel.org/r/20181223004315.GA11455@al +Fixes: 8741216396b2 ("drm/fb-helper: Add drm_fb_helper_fbdev_setup/teardown()") +Reported-by: kernel test robot +Cc: Noralf Trønnes +Signed-off-by: Peter Wu +Reviewed-by: Noralf Trønnes +Signed-off-by: Noralf Trønnes +Link: https://patchwork.freedesktop.org/patch/msgid/20181223005507.28328-1-peter@lekensteyn.nl +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_fb_helper.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/drm_fb_helper.c b/drivers/gpu/drm/drm_fb_helper.c +index 70fc8e356b18..edd8cb497f3b 100644 +--- a/drivers/gpu/drm/drm_fb_helper.c ++++ b/drivers/gpu/drm/drm_fb_helper.c +@@ -2891,7 +2891,7 @@ int drm_fb_helper_fbdev_setup(struct drm_device *dev, + return 0; + + err_drm_fb_helper_fini: +- drm_fb_helper_fini(fb_helper); ++ drm_fb_helper_fbdev_teardown(dev); + + return ret; + } +-- +2.19.1 + diff --git a/queue-5.0/drm-msm-dpu-convert-to-a-chained-irq-chip.patch b/queue-5.0/drm-msm-dpu-convert-to-a-chained-irq-chip.patch new file mode 100644 index 00000000000..3a3d16a8696 --- /dev/null +++ b/queue-5.0/drm-msm-dpu-convert-to-a-chained-irq-chip.patch @@ -0,0 +1,202 @@ +From bfcb682a70038d67b6af586683b3989035e332a5 Mon Sep 17 00:00:00 2001 +From: Stephen Boyd +Date: Thu, 3 Jan 2019 11:06:02 -0800 +Subject: drm/msm/dpu: Convert to a chained irq chip + +[ Upstream commit 070e64dc1bbc879b7e0e9fffccd9dd139baf89f0 ] + +Devices that make up DPU, i.e. graphics card, request their interrupts +from this "virtual" interrupt chip. The interrupt chip builds upon a GIC +SPI interrupt that raises high when any of the interrupts in the DPU's +irq status register are triggered. From the kernel's perspective this is +a chained irq chip, so requesting a flow handler for the GIC SPI and +then calling generic IRQ handling code from that irq handler is not +completely proper. It's better to convert this to a chained irq so that +the GIC SPI irq doesn't appear in /proc/interrupts, can't have CPU +affinity changed, and won't be accounted for with irq stats. Doing this +also silences a recursive lockdep warning because we can specify a +different lock class for the chained interrupts, silencing a warning +that is easy to see with 'threadirqs' on the kernel commandline. + + WARNING: inconsistent lock state + 4.19.10 #76 Tainted: G W + -------------------------------- + inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage. + irq/40-dpu_mdss/203 [HC0[0]:SC0[2]:HE1:SE0] takes: + 0000000053ea9021 (&irq_desc_lock_class){?.-.}, at: handle_level_irq+0x34/0x26c + {IN-HARDIRQ-W} state was registered at: + lock_acquire+0x244/0x360 + _raw_spin_lock+0x64/0xa0 + handle_fasteoi_irq+0x54/0x2ec + generic_handle_irq+0x44/0x5c + __handle_domain_irq+0x9c/0x11c + gic_handle_irq+0x208/0x260 + el1_irq+0xb4/0x130 + arch_cpu_idle+0x178/0x3cc + default_idle_call+0x3c/0x54 + do_idle+0x1a8/0x3dc + cpu_startup_entry+0x24/0x28 + rest_init+0x240/0x270 + start_kernel+0x5a8/0x6bc + irq event stamp: 18 + hardirqs last enabled at (17): [] _raw_spin_unlock_irq+0x40/0xc0 + hardirqs last disabled at (16): [] __schedule+0x20c/0x1bbc + softirqs last enabled at (0): [] copy_process+0xb50/0x3964 + softirqs last disabled at (18): [] local_bh_disable+0x8/0x20 + + other info that might help us debug this: + Possible unsafe locking scenario: + + CPU0 + ---- + lock(&irq_desc_lock_class); + + lock(&irq_desc_lock_class); + + *** DEADLOCK *** + + no locks held by irq/40-dpu_mdss/203. + + stack backtrace: + CPU: 0 PID: 203 Comm: irq/40-dpu_mdss Tainted: G W 4.19.10 #76 + Call trace: + dump_backtrace+0x0/0x2f8 + show_stack+0x20/0x2c + __dump_stack+0x20/0x28 + dump_stack+0xcc/0x10c + mark_lock+0xbe0/0xe24 + __lock_acquire+0x4cc/0x2708 + lock_acquire+0x244/0x360 + _raw_spin_lock+0x64/0xa0 + handle_level_irq+0x34/0x26c + generic_handle_irq+0x44/0x5c + dpu_mdss_irq+0x64/0xec + irq_forced_thread_fn+0x58/0x9c + irq_thread+0x120/0x1dc + kthread+0x248/0x260 + ret_from_fork+0x10/0x18 + ------------[ cut here ]------------ + irq 169 handler irq_default_primary_handler+0x0/0x18 enabled interrupts + +Cc: Sean Paul +Cc: Jordan Crouse +Cc: Jayant Shekhar +Cc: Rajesh Yadav +Cc: Jeykumar Sankaran +Signed-off-by: Stephen Boyd +Signed-off-by: Sean Paul +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_mdss.c | 36 ++++++++++++++---------- + 1 file changed, 21 insertions(+), 15 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_mdss.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_mdss.c +index cb307a2abf06..7316b4ab1b85 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_mdss.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_mdss.c +@@ -23,11 +23,14 @@ struct dpu_mdss { + struct dpu_irq_controller irq_controller; + }; + +-static irqreturn_t dpu_mdss_irq(int irq, void *arg) ++static void dpu_mdss_irq(struct irq_desc *desc) + { +- struct dpu_mdss *dpu_mdss = arg; ++ struct dpu_mdss *dpu_mdss = irq_desc_get_handler_data(desc); ++ struct irq_chip *chip = irq_desc_get_chip(desc); + u32 interrupts; + ++ chained_irq_enter(chip, desc); ++ + interrupts = readl_relaxed(dpu_mdss->mmio + HW_INTR_STATUS); + + while (interrupts) { +@@ -39,20 +42,20 @@ static irqreturn_t dpu_mdss_irq(int irq, void *arg) + hwirq); + if (mapping == 0) { + DRM_ERROR("couldn't find irq mapping for %lu\n", hwirq); +- return IRQ_NONE; ++ break; + } + + rc = generic_handle_irq(mapping); + if (rc < 0) { + DRM_ERROR("handle irq fail: irq=%lu mapping=%u rc=%d\n", + hwirq, mapping, rc); +- return IRQ_NONE; ++ break; + } + + interrupts &= ~(1 << hwirq); + } + +- return IRQ_HANDLED; ++ chained_irq_exit(chip, desc); + } + + static void dpu_mdss_irq_mask(struct irq_data *irqd) +@@ -83,16 +86,16 @@ static struct irq_chip dpu_mdss_irq_chip = { + .irq_unmask = dpu_mdss_irq_unmask, + }; + ++static struct lock_class_key dpu_mdss_lock_key, dpu_mdss_request_key; ++ + static int dpu_mdss_irqdomain_map(struct irq_domain *domain, + unsigned int irq, irq_hw_number_t hwirq) + { + struct dpu_mdss *dpu_mdss = domain->host_data; +- int ret; + ++ irq_set_lockdep_class(irq, &dpu_mdss_lock_key, &dpu_mdss_request_key); + irq_set_chip_and_handler(irq, &dpu_mdss_irq_chip, handle_level_irq); +- ret = irq_set_chip_data(irq, dpu_mdss); +- +- return ret; ++ return irq_set_chip_data(irq, dpu_mdss); + } + + static const struct irq_domain_ops dpu_mdss_irqdomain_ops = { +@@ -159,11 +162,13 @@ static void dpu_mdss_destroy(struct drm_device *dev) + struct msm_drm_private *priv = dev->dev_private; + struct dpu_mdss *dpu_mdss = to_dpu_mdss(priv->mdss); + struct dss_module_power *mp = &dpu_mdss->mp; ++ int irq; + + pm_runtime_suspend(dev->dev); + pm_runtime_disable(dev->dev); + _dpu_mdss_irq_domain_fini(dpu_mdss); +- free_irq(platform_get_irq(pdev, 0), dpu_mdss); ++ irq = platform_get_irq(pdev, 0); ++ irq_set_chained_handler_and_data(irq, NULL, NULL); + msm_dss_put_clk(mp->clk_config, mp->num_clk); + devm_kfree(&pdev->dev, mp->clk_config); + +@@ -187,6 +192,7 @@ int dpu_mdss_init(struct drm_device *dev) + struct dpu_mdss *dpu_mdss; + struct dss_module_power *mp; + int ret = 0; ++ int irq; + + dpu_mdss = devm_kzalloc(dev->dev, sizeof(*dpu_mdss), GFP_KERNEL); + if (!dpu_mdss) +@@ -219,12 +225,12 @@ int dpu_mdss_init(struct drm_device *dev) + if (ret) + goto irq_domain_error; + +- ret = request_irq(platform_get_irq(pdev, 0), +- dpu_mdss_irq, 0, "dpu_mdss_isr", dpu_mdss); +- if (ret) { +- DPU_ERROR("failed to init irq: %d\n", ret); ++ irq = platform_get_irq(pdev, 0); ++ if (irq < 0) + goto irq_error; +- } ++ ++ irq_set_chained_handler_and_data(irq, dpu_mdss_irq, ++ dpu_mdss); + + pm_runtime_enable(dev->dev); + +-- +2.19.1 + diff --git a/queue-5.0/drm-nouveau-stop-using-drm_crtc_force_disable.patch b/queue-5.0/drm-nouveau-stop-using-drm_crtc_force_disable.patch new file mode 100644 index 00000000000..d110f476422 --- /dev/null +++ b/queue-5.0/drm-nouveau-stop-using-drm_crtc_force_disable.patch @@ -0,0 +1,48 @@ +From 9fa71ecbd2ea8824a533ac583f8cfe487d28ac43 Mon Sep 17 00:00:00 2001 +From: Daniel Vetter +Date: Mon, 17 Dec 2018 20:42:58 +0100 +Subject: drm/nouveau: Stop using drm_crtc_force_disable +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 934c5b32a5e43d8de2ab4f1566f91d7c3bf8cb64 ] + +The correct way for legacy drivers to update properties that need to +do a full modeset, is to do a full modeset. + +Note that we don't need to call the drm_mode_config_internal helper +because we're not changing any of the refcounted paramters. + +v2: Fixup error handling (Ville). Since the old code didn't bother +I decided to just delete it instead of adding even more code for just +error handling. + +Cc: Ville Syrjälä +Reviewed-by: Alex Deucher (v1) +Cc: Sean Paul +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20181217194303.14397-2-daniel.vetter@ffwll.ch +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/nouveau/dispnv04/tvnv17.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/nouveau/dispnv04/tvnv17.c b/drivers/gpu/drm/nouveau/dispnv04/tvnv17.c +index 6a4ca139cf5d..8fd8124d72ba 100644 +--- a/drivers/gpu/drm/nouveau/dispnv04/tvnv17.c ++++ b/drivers/gpu/drm/nouveau/dispnv04/tvnv17.c +@@ -750,7 +750,9 @@ static int nv17_tv_set_property(struct drm_encoder *encoder, + /* Disable the crtc to ensure a full modeset is + * performed whenever it's turned on again. */ + if (crtc) +- drm_crtc_force_disable(crtc); ++ drm_crtc_helper_set_mode(crtc, &crtc->mode, ++ crtc->x, crtc->y, ++ crtc->primary->fb); + } + + return 0; +-- +2.19.1 + diff --git a/queue-5.0/drm-rcar-du-add-missing-of_node_put.patch b/queue-5.0/drm-rcar-du-add-missing-of_node_put.patch new file mode 100644 index 00000000000..bd9e1e57084 --- /dev/null +++ b/queue-5.0/drm-rcar-du-add-missing-of_node_put.patch @@ -0,0 +1,64 @@ +From b655918be0f5aa178bf2bffbfe11a0a7ef2df6f0 Mon Sep 17 00:00:00 2001 +From: Julia Lawall +Date: Mon, 14 Jan 2019 17:44:56 +0100 +Subject: drm: rcar-du: add missing of_node_put + +[ Upstream commit 4c6d8fc20b09f9684743afd72e4dbc3f15524479 ] + +Add an of_node_put when the result of of_graph_get_remote_port_parent is +not available. + +Add a second of_node_put if no encoder is selected (encoder remains NULL). + +The semantic match that finds the first problem is as follows +(http://coccinelle.lip6.fr): + +// +@r exists@ +local idexpression e; +expression x; +@@ +e = of_graph_get_remote_port_parent(...); +... when != x = e + when != true e == NULL + when != of_node_put(e) + when != of_fwnode_handle(e) +( +return e; +| +*return ...; +) +// + +Signed-off-by: Julia Lawall +Reviewed-by: Laurent Pinchart +Reviewed-by: Kieran Bingham +Signed-off-by: Laurent Pinchart +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/rcar-du/rcar_du_kms.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/rcar-du/rcar_du_kms.c b/drivers/gpu/drm/rcar-du/rcar_du_kms.c +index 9c7007d45408..f9a90ff24e6d 100644 +--- a/drivers/gpu/drm/rcar-du/rcar_du_kms.c ++++ b/drivers/gpu/drm/rcar-du/rcar_du_kms.c +@@ -331,6 +331,7 @@ static int rcar_du_encoders_init_one(struct rcar_du_device *rcdu, + dev_dbg(rcdu->dev, + "connected entity %pOF is disabled, skipping\n", + entity); ++ of_node_put(entity); + return -ENODEV; + } + +@@ -366,6 +367,7 @@ static int rcar_du_encoders_init_one(struct rcar_du_device *rcdu, + dev_warn(rcdu->dev, + "no encoder found for endpoint %pOF, skipping\n", + ep->local_node); ++ of_node_put(entity); + return -ENODEV; + } + +-- +2.19.1 + diff --git a/queue-5.0/drm-reorder-set_property_atomic-to-avoid-returning-w.patch b/queue-5.0/drm-reorder-set_property_atomic-to-avoid-returning-w.patch new file mode 100644 index 00000000000..294675b6bd8 --- /dev/null +++ b/queue-5.0/drm-reorder-set_property_atomic-to-avoid-returning-w.patch @@ -0,0 +1,51 @@ +From 45cda71199cb76136d787aa68ef751ff438da3ae Mon Sep 17 00:00:00 2001 +From: Chris Wilson +Date: Sun, 30 Dec 2018 12:28:42 +0000 +Subject: drm: Reorder set_property_atomic to avoid returning with an active + ww_ctx + +[ Upstream commit 227ad6d957898a88b1746e30234ece64d305f066 ] + +Delay the drm_modeset_acquire_init() until after we check for an +allocation failure so that we can return immediately upon error without +having to unwind. + +WARNING: lock held when returning to user space! +4.20.0+ #174 Not tainted +------------------------------------------------ +syz-executor556/8153 is leaving the kernel with locks still held! +1 lock held by syz-executor556/8153: + #0: 000000005100c85c (crtc_ww_class_acquire){+.+.}, at: +set_property_atomic+0xb3/0x330 drivers/gpu/drm/drm_mode_object.c:462 + +Reported-by: syzbot+6ea337c427f5083ebdf2@syzkaller.appspotmail.com +Fixes: 144a7999d633 ("drm: Handle properties in the core for atomic drivers") +Signed-off-by: Chris Wilson +Cc: Daniel Vetter +Cc: Maarten Lankhorst +Cc: Sean Paul +Cc: David Airlie +Cc: # v4.14+ +Reviewed-by: Maarten Lankhorst +Link: https://patchwork.freedesktop.org/patch/msgid/20181230122842.21917-1-chris@chris-wilson.co.uk + +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_mode_object.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/drm_mode_object.c b/drivers/gpu/drm/drm_mode_object.c +index 004191d01772..15b919f90c5a 100644 +--- a/drivers/gpu/drm/drm_mode_object.c ++++ b/drivers/gpu/drm/drm_mode_object.c +@@ -465,6 +465,7 @@ static int set_property_atomic(struct drm_mode_object *obj, + + drm_modeset_acquire_init(&ctx, 0); + state->acquire_ctx = &ctx; ++ + retry: + if (prop == state->dev->mode_config.dpms_property) { + if (obj->type != DRM_MODE_OBJECT_CONNECTOR) { +-- +2.19.1 + diff --git a/queue-5.0/drm-sched-fix-entities-with-0-rqs.patch b/queue-5.0/drm-sched-fix-entities-with-0-rqs.patch new file mode 100644 index 00000000000..c0402ec0acc --- /dev/null +++ b/queue-5.0/drm-sched-fix-entities-with-0-rqs.patch @@ -0,0 +1,122 @@ +From 0c6702a5fde9246ea47b110a8ece19bacdc21080 Mon Sep 17 00:00:00 2001 +From: Bas Nieuwenhuizen +Date: Wed, 30 Jan 2019 02:53:19 +0100 +Subject: drm/sched: Fix entities with 0 rqs. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 1decbf6bb0b4dc56c9da6c5e57b994ebfc2be3aa ] + +Some blocks in amdgpu can have 0 rqs. + +Job creation already fails with -ENOENT when entity->rq is NULL, +so jobs cannot be pushed. Without a rq there is no scheduler to +pop jobs, and rq selection already does the right thing with a +list of length 0. + +So the operations we need to fix are: + - Creation, do not set rq to rq_list[0] if the list can have length 0. + - Do not flush any jobs when there is no rq. + - On entity destruction handle the rq = NULL case. + - on set_priority, do not try to change the rq if it is NULL. + +Signed-off-by: Bas Nieuwenhuizen +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/scheduler/sched_entity.c | 39 ++++++++++++++++-------- + 1 file changed, 26 insertions(+), 13 deletions(-) + +diff --git a/drivers/gpu/drm/scheduler/sched_entity.c b/drivers/gpu/drm/scheduler/sched_entity.c +index e2942c9a11a7..35ddbec1375a 100644 +--- a/drivers/gpu/drm/scheduler/sched_entity.c ++++ b/drivers/gpu/drm/scheduler/sched_entity.c +@@ -52,12 +52,12 @@ int drm_sched_entity_init(struct drm_sched_entity *entity, + { + int i; + +- if (!(entity && rq_list && num_rq_list > 0 && rq_list[0])) ++ if (!(entity && rq_list && (num_rq_list == 0 || rq_list[0]))) + return -EINVAL; + + memset(entity, 0, sizeof(struct drm_sched_entity)); + INIT_LIST_HEAD(&entity->list); +- entity->rq = rq_list[0]; ++ entity->rq = NULL; + entity->guilty = guilty; + entity->num_rq_list = num_rq_list; + entity->rq_list = kcalloc(num_rq_list, sizeof(struct drm_sched_rq *), +@@ -67,6 +67,10 @@ int drm_sched_entity_init(struct drm_sched_entity *entity, + + for (i = 0; i < num_rq_list; ++i) + entity->rq_list[i] = rq_list[i]; ++ ++ if (num_rq_list) ++ entity->rq = rq_list[0]; ++ + entity->last_scheduled = NULL; + + spin_lock_init(&entity->rq_lock); +@@ -165,6 +169,9 @@ long drm_sched_entity_flush(struct drm_sched_entity *entity, long timeout) + struct task_struct *last_user; + long ret = timeout; + ++ if (!entity->rq) ++ return 0; ++ + sched = entity->rq->sched; + /** + * The client will not queue more IBs during this fini, consume existing +@@ -264,20 +271,24 @@ static void drm_sched_entity_kill_jobs(struct drm_sched_entity *entity) + */ + void drm_sched_entity_fini(struct drm_sched_entity *entity) + { +- struct drm_gpu_scheduler *sched; ++ struct drm_gpu_scheduler *sched = NULL; + +- sched = entity->rq->sched; +- drm_sched_rq_remove_entity(entity->rq, entity); ++ if (entity->rq) { ++ sched = entity->rq->sched; ++ drm_sched_rq_remove_entity(entity->rq, entity); ++ } + + /* Consumption of existing IBs wasn't completed. Forcefully + * remove them here. + */ + if (spsc_queue_peek(&entity->job_queue)) { +- /* Park the kernel for a moment to make sure it isn't processing +- * our enity. +- */ +- kthread_park(sched->thread); +- kthread_unpark(sched->thread); ++ if (sched) { ++ /* Park the kernel for a moment to make sure it isn't processing ++ * our enity. ++ */ ++ kthread_park(sched->thread); ++ kthread_unpark(sched->thread); ++ } + if (entity->dependency) { + dma_fence_remove_callback(entity->dependency, + &entity->cb); +@@ -362,9 +373,11 @@ void drm_sched_entity_set_priority(struct drm_sched_entity *entity, + for (i = 0; i < entity->num_rq_list; ++i) + drm_sched_entity_set_rq_priority(&entity->rq_list[i], priority); + +- drm_sched_rq_remove_entity(entity->rq, entity); +- drm_sched_entity_set_rq_priority(&entity->rq, priority); +- drm_sched_rq_add_entity(entity->rq, entity); ++ if (entity->rq) { ++ drm_sched_rq_remove_entity(entity->rq, entity); ++ drm_sched_entity_set_rq_priority(&entity->rq, priority); ++ drm_sched_rq_add_entity(entity->rq, entity); ++ } + + spin_unlock(&entity->rq_lock); + } +-- +2.19.1 + diff --git a/queue-5.0/drm-vkms-bugfix-extra-vblank-frame.patch b/queue-5.0/drm-vkms-bugfix-extra-vblank-frame.patch new file mode 100644 index 00000000000..2c698143e9f --- /dev/null +++ b/queue-5.0/drm-vkms-bugfix-extra-vblank-frame.patch @@ -0,0 +1,67 @@ +From 74957d21a5ec4f0e0c3f8e7a644ba01f458d6c0f Mon Sep 17 00:00:00 2001 +From: Shayenne Moura +Date: Wed, 30 Jan 2019 14:06:36 -0200 +Subject: drm/vkms: Bugfix extra vblank frame + +[ Upstream commit def35e7c592616bc09be328de8795e5e624a3cf8 ] + +kms_flip tests are breaking on vkms when simulate vblank because vblank +event sequence count returns one extra frame after arm vblank event to +make a page flip. + +When vblank interrupt happens, userspace processes the vblank event and +issues the next page flip command. Kernel calls queue_work to call +commit_planes and arm the new page flip. The next vblank picks up the +newly armed vblank event and vblank interrupt happens again. + +The arm and vblank event are asynchronous, then, on the next vblank, we +receive x+2 from `get_vblank_timestamp`, instead x+1, although timestamp +and vblank seqno matches. + +Function `get_vblank_timestamp` is reached by 2 ways: + + - from `drm_mode_page_flip_ioctl`: driver is doing one atomic + operation to synchronize planes in the same output. There is no + vblank simulation, the `drm_crtc_arm_vblank_event` function adds 1 + on vblank count, and the variable in_vblank_irq is false + - from `vkms_vblank_simulate`: since the driver is doing a vblank + simulation, the variable in_vblank_irq is true. + +Fix this problem subtracting one vblank period from vblank_time when +`get_vblank_timestamp` is called from trace `drm_mode_page_flip_ioctl`, +i.e., is not a real vblank interrupt, and getting the timestamp and +vblank seqno when it is a real vblank interrupt. + +The reason for all this is that get_vblank_timestamp always supplies the +timestamp for the next vblank event. The hrtimer is the vblank +simulator, and it needs the correct previous value to present the next +vblank. Since this is how hw timestamp registers work and what the +vblank core expects. + +Signed-off-by: Shayenne Moura +Signed-off-by: Daniel Vetter +Reviewed-by: Rodrigo Siqueira +Signed-off-by: Rodrigo Siqueira +Link: https://patchwork.freedesktop.org/patch/msgid/171e6e1c239cbca0c3df7183ed8acdfeeace9cf4.1548856186.git.shayenneluzmoura@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vkms/vkms_crtc.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/vkms/vkms_crtc.c b/drivers/gpu/drm/vkms/vkms_crtc.c +index 00d961862d77..1054f535178a 100644 +--- a/drivers/gpu/drm/vkms/vkms_crtc.c ++++ b/drivers/gpu/drm/vkms/vkms_crtc.c +@@ -75,6 +75,9 @@ bool vkms_get_vblank_timestamp(struct drm_device *dev, unsigned int pipe, + + *vblank_time = output->vblank_hrtimer.node.expires; + ++ if (!in_vblank_irq) ++ *vblank_time -= output->period_ns; ++ + return true; + } + +-- +2.19.1 + diff --git a/queue-5.0/drm-vkms-bugfix-racing-hrtimer-vblank-handle.patch b/queue-5.0/drm-vkms-bugfix-racing-hrtimer-vblank-handle.patch new file mode 100644 index 00000000000..2fda9cfb9b0 --- /dev/null +++ b/queue-5.0/drm-vkms-bugfix-racing-hrtimer-vblank-handle.patch @@ -0,0 +1,91 @@ +From 87c688337c56a7d9af4c8d68e158d4239671e3a1 Mon Sep 17 00:00:00 2001 +From: Shayenne Moura +Date: Wed, 30 Jan 2019 14:07:11 -0200 +Subject: drm/vkms: Bugfix racing hrtimer vblank handle + +[ Upstream commit ba420afab565bdc7b028ddd4f222260f2de7a1db ] + +When the vblank irq happens, kernel time subsystem executes +`vkms_vblank_simulate`. In parallel or not, it prepares all stuff +necessary to the next vblank with arm, and it must flush these stuff +before the next vblank irq. However, vblank counter is ahead when arm is +executed in parallel with handle vblank. + +CPU 0: CPU 1: + | | +atomic_commit_tail is ongoing | + | | + | hrtimer: vkms_vblank_simulate() + | | + | drm_crtc_handle_vblank() + | | +drm_crtc_arm_vblank() | + | | +->get_vblank_timestamp() | + | | + | hrtimer_forward_now() + +Then, we should guarantee that the vblank interval time is correct (not +changed) before finish the vblank handle. + +Fix the bug including the call to `hrtimer_forward_now()` in the same +lock of `drm_crtc_handle_vblank()` to ensure that the timestamp update +is correct when finish the vblank handle. + +Signed-off-by: Shayenne Moura +Signed-off-by: Daniel Vetter +Reviewed-by: Rodrigo Siqueira +Signed-off-by: Rodrigo Siqueira +Link: https://patchwork.freedesktop.org/patch/msgid/e2e4b8f3a5cab7b2dba75bf1930f86b0a4ee08c9.1548856186.git.shayenneluzmoura@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vkms/vkms_crtc.c | 18 ++++++------------ + 1 file changed, 6 insertions(+), 12 deletions(-) + +diff --git a/drivers/gpu/drm/vkms/vkms_crtc.c b/drivers/gpu/drm/vkms/vkms_crtc.c +index e747a7d16739..00d961862d77 100644 +--- a/drivers/gpu/drm/vkms/vkms_crtc.c ++++ b/drivers/gpu/drm/vkms/vkms_crtc.c +@@ -4,13 +4,17 @@ + #include + #include + +-static void _vblank_handle(struct vkms_output *output) ++static enum hrtimer_restart vkms_vblank_simulate(struct hrtimer *timer) + { ++ struct vkms_output *output = container_of(timer, struct vkms_output, ++ vblank_hrtimer); + struct drm_crtc *crtc = &output->crtc; + struct vkms_crtc_state *state = to_vkms_crtc_state(crtc->state); ++ int ret_overrun; + bool ret; + + spin_lock(&output->lock); ++ + ret = drm_crtc_handle_vblank(crtc); + if (!ret) + DRM_ERROR("vkms failure on handling vblank"); +@@ -31,19 +35,9 @@ static void _vblank_handle(struct vkms_output *output) + DRM_WARN("failed to queue vkms_crc_work_handle"); + } + +- spin_unlock(&output->lock); +-} +- +-static enum hrtimer_restart vkms_vblank_simulate(struct hrtimer *timer) +-{ +- struct vkms_output *output = container_of(timer, struct vkms_output, +- vblank_hrtimer); +- int ret_overrun; +- +- _vblank_handle(output); +- + ret_overrun = hrtimer_forward_now(&output->vblank_hrtimer, + output->period_ns); ++ spin_unlock(&output->lock); + + return HRTIMER_RESTART; + } +-- +2.19.1 + diff --git a/queue-5.0/e1000e-exclude-device-from-suspend-direct-complete-o.patch b/queue-5.0/e1000e-exclude-device-from-suspend-direct-complete-o.patch new file mode 100644 index 00000000000..e316afe32fc --- /dev/null +++ b/queue-5.0/e1000e-exclude-device-from-suspend-direct-complete-o.patch @@ -0,0 +1,41 @@ +From a108a89686d35758ad8194795b9e40aeefb76c04 Mon Sep 17 00:00:00 2001 +From: Kai-Heng Feng +Date: Tue, 11 Dec 2018 15:59:37 +0800 +Subject: e1000e: Exclude device from suspend direct complete optimization + +[ Upstream commit 59f58708c5047289589cbf6ee95146b76cf57d1e ] + +e1000e sets different WoL settings in system suspend callback and +runtime suspend callback. + +The suspend direct complete optimization leaves e1000e in runtime +suspended state with wrong WoL setting during system suspend. + +To fix this, we need to disable suspend direct complete optimization to +let e1000e always use suspend callback to set correct WoL during system +suspend. + +Signed-off-by: Kai-Heng Feng +Tested-by: Aaron Brown +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/e1000e/netdev.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c +index ca48a75be4f2..7acc61e4f645 100644 +--- a/drivers/net/ethernet/intel/e1000e/netdev.c ++++ b/drivers/net/ethernet/intel/e1000e/netdev.c +@@ -7348,6 +7348,8 @@ static int e1000_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + + e1000_print_device_info(adapter); + ++ dev_pm_set_driver_flags(&pdev->dev, DPM_FLAG_NEVER_SKIP); ++ + if (pci_dev_run_wake(pdev)) + pm_runtime_put_noidle(&pdev->dev); + +-- +2.19.1 + diff --git a/queue-5.0/e1000e-fix-cyclic-resets-at-link-up-with-active-tx.patch b/queue-5.0/e1000e-fix-cyclic-resets-at-link-up-with-active-tx.patch new file mode 100644 index 00000000000..ca01a200e07 --- /dev/null +++ b/queue-5.0/e1000e-fix-cyclic-resets-at-link-up-with-active-tx.patch @@ -0,0 +1,91 @@ +From fcb12406099f573573b45a2392006cb1492f5d7f Mon Sep 17 00:00:00 2001 +From: Konstantin Khlebnikov +Date: Mon, 14 Jan 2019 16:29:30 +0300 +Subject: e1000e: fix cyclic resets at link up with active tx + +[ Upstream commit 0f9e980bf5ee1a97e2e401c846b2af989eb21c61 ] + +I'm seeing series of e1000e resets (sometimes endless) at system boot +if something generates tx traffic at this time. In my case this is +netconsole who sends message "e1000e 0000:02:00.0: Some CPU C-states +have been disabled in order to enable jumbo frames" from e1000e itself. +As result e1000_watchdog_task sees used tx buffer while carrier is off +and start this reset cycle again. + +[ 17.794359] e1000e: eth1 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None +[ 17.794714] IPv6: ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready +[ 22.936455] e1000e 0000:02:00.0 eth1: changing MTU from 1500 to 9000 +[ 23.033336] e1000e 0000:02:00.0: Some CPU C-states have been disabled in order to enable jumbo frames +[ 26.102364] e1000e: eth1 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None +[ 27.174495] 8021q: 802.1Q VLAN Support v1.8 +[ 27.174513] 8021q: adding VLAN 0 to HW filter on device eth1 +[ 30.671724] cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation +[ 30.898564] netpoll: netconsole: local port 6666 +[ 30.898566] netpoll: netconsole: local IPv6 address 2a02:6b8:0:80b:beae:c5ff:fe28:23f8 +[ 30.898567] netpoll: netconsole: interface 'eth1' +[ 30.898568] netpoll: netconsole: remote port 6666 +[ 30.898568] netpoll: netconsole: remote IPv6 address 2a02:6b8:b000:605c:e61d:2dff:fe03:3790 +[ 30.898569] netpoll: netconsole: remote ethernet address b0:a8:6e:f4:ff:c0 +[ 30.917747] console [netcon0] enabled +[ 30.917749] netconsole: network logging started +[ 31.453353] e1000e 0000:02:00.0: Some CPU C-states have been disabled in order to enable jumbo frames +[ 34.185730] e1000e 0000:02:00.0: Some CPU C-states have been disabled in order to enable jumbo frames +[ 34.321840] e1000e 0000:02:00.0: Some CPU C-states have been disabled in order to enable jumbo frames +[ 34.465822] e1000e 0000:02:00.0: Some CPU C-states have been disabled in order to enable jumbo frames +[ 34.597423] e1000e 0000:02:00.0: Some CPU C-states have been disabled in order to enable jumbo frames +[ 34.745417] e1000e 0000:02:00.0: Some CPU C-states have been disabled in order to enable jumbo frames +[ 34.877356] e1000e 0000:02:00.0: Some CPU C-states have been disabled in order to enable jumbo frames +[ 35.005441] e1000e 0000:02:00.0: Some CPU C-states have been disabled in order to enable jumbo frames +[ 35.157376] e1000e 0000:02:00.0: Some CPU C-states have been disabled in order to enable jumbo frames +[ 35.289362] e1000e 0000:02:00.0: Some CPU C-states have been disabled in order to enable jumbo frames +[ 35.417441] e1000e 0000:02:00.0: Some CPU C-states have been disabled in order to enable jumbo frames +[ 37.790342] e1000e: eth1 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None + +This patch flushes tx buffers only once when carrier is off +rather than at each watchdog iteration. + +Signed-off-by: Konstantin Khlebnikov +Tested-by: Aaron Brown +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/e1000e/netdev.c | 15 ++++++--------- + 1 file changed, 6 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c +index 23eae3df01a9..ca48a75be4f2 100644 +--- a/drivers/net/ethernet/intel/e1000e/netdev.c ++++ b/drivers/net/ethernet/intel/e1000e/netdev.c +@@ -5309,8 +5309,13 @@ static void e1000_watchdog_task(struct work_struct *work) + /* 8000ES2LAN requires a Rx packet buffer work-around + * on link down event; reset the controller to flush + * the Rx packet buffer. ++ * ++ * If the link is lost the controller stops DMA, but ++ * if there is queued Tx work it cannot be done. So ++ * reset the controller to flush the Tx packet buffers. + */ +- if (adapter->flags & FLAG_RX_NEEDS_RESTART) ++ if ((adapter->flags & FLAG_RX_NEEDS_RESTART) || ++ e1000_desc_unused(tx_ring) + 1 < tx_ring->count) + adapter->flags |= FLAG_RESTART_NOW; + else + pm_schedule_suspend(netdev->dev.parent, +@@ -5333,14 +5338,6 @@ link_up: + adapter->gotc_old = adapter->stats.gotc; + spin_unlock(&adapter->stats64_lock); + +- /* If the link is lost the controller stops DMA, but +- * if there is queued Tx work it cannot be done. So +- * reset the controller to flush the Tx packet buffers. +- */ +- if (!netif_carrier_ok(netdev) && +- (e1000_desc_unused(tx_ring) + 1 < tx_ring->count)) +- adapter->flags |= FLAG_RESTART_NOW; +- + /* If reset is necessary, do it outside of interrupt context. */ + if (adapter->flags & FLAG_RESTART_NOW) { + schedule_work(&adapter->reset_task); +-- +2.19.1 + diff --git a/queue-5.0/e1000e-fix-wformat-truncation-warnings.patch b/queue-5.0/e1000e-fix-wformat-truncation-warnings.patch new file mode 100644 index 00000000000..ca49fd3ec20 --- /dev/null +++ b/queue-5.0/e1000e-fix-wformat-truncation-warnings.patch @@ -0,0 +1,72 @@ +From ee9f56268c35b4af1153a12c9e4b14bf9d71352e Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Thu, 21 Feb 2019 20:09:28 -0800 +Subject: e1000e: Fix -Wformat-truncation warnings + +[ Upstream commit 135e7245479addc6b1f5d031e3d7e2ddb3d2b109 ] + +Provide precision hints to snprintf() since we know the destination +buffer size of the RX/TX ring names are IFNAMSIZ + 5 - 1. This fixes the +following warnings: + +drivers/net/ethernet/intel/e1000e/netdev.c: In function +'e1000_request_msix': +drivers/net/ethernet/intel/e1000e/netdev.c:2109:13: warning: 'snprintf' +output may be truncated before the last format character +[-Wformat-truncation=] + "%s-rx-0", netdev->name); + ^ +drivers/net/ethernet/intel/e1000e/netdev.c:2107:3: note: 'snprintf' +output between 6 and 21 bytes into a destination of size 20 + snprintf(adapter->rx_ring->name, + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + sizeof(adapter->rx_ring->name) - 1, + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + "%s-rx-0", netdev->name); + ~~~~~~~~~~~~~~~~~~~~~~~~ +drivers/net/ethernet/intel/e1000e/netdev.c:2125:13: warning: 'snprintf' +output may be truncated before the last format character +[-Wformat-truncation=] + "%s-tx-0", netdev->name); + ^ +drivers/net/ethernet/intel/e1000e/netdev.c:2123:3: note: 'snprintf' +output between 6 and 21 bytes into a destination of size 20 + snprintf(adapter->tx_ring->name, + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + sizeof(adapter->tx_ring->name) - 1, + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + "%s-tx-0", netdev->name); + ~~~~~~~~~~~~~~~~~~~~~~~~ + +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/e1000e/netdev.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c +index 189f231075c2..23eae3df01a9 100644 +--- a/drivers/net/ethernet/intel/e1000e/netdev.c ++++ b/drivers/net/ethernet/intel/e1000e/netdev.c +@@ -2106,7 +2106,7 @@ static int e1000_request_msix(struct e1000_adapter *adapter) + if (strlen(netdev->name) < (IFNAMSIZ - 5)) + snprintf(adapter->rx_ring->name, + sizeof(adapter->rx_ring->name) - 1, +- "%s-rx-0", netdev->name); ++ "%.14s-rx-0", netdev->name); + else + memcpy(adapter->rx_ring->name, netdev->name, IFNAMSIZ); + err = request_irq(adapter->msix_entries[vector].vector, +@@ -2122,7 +2122,7 @@ static int e1000_request_msix(struct e1000_adapter *adapter) + if (strlen(netdev->name) < (IFNAMSIZ - 5)) + snprintf(adapter->tx_ring->name, + sizeof(adapter->tx_ring->name) - 1, +- "%s-tx-0", netdev->name); ++ "%.14s-tx-0", netdev->name); + else + memcpy(adapter->tx_ring->name, netdev->name, IFNAMSIZ); + err = request_irq(adapter->msix_entries[vector].vector, +-- +2.19.1 + diff --git a/queue-5.0/efi-arm-arm64-allow-setvirtualaddressmap-to-be-omitt.patch b/queue-5.0/efi-arm-arm64-allow-setvirtualaddressmap-to-be-omitt.patch new file mode 100644 index 00000000000..704d2af984a --- /dev/null +++ b/queue-5.0/efi-arm-arm64-allow-setvirtualaddressmap-to-be-omitt.patch @@ -0,0 +1,153 @@ +From 4c2864e97399875c9be609acdb47256f6db2eec5 Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Sat, 2 Feb 2019 10:41:16 +0100 +Subject: efi/arm/arm64: Allow SetVirtualAddressMap() to be omitted + +[ Upstream commit 4e46c2a956215482418d7b315749fb1b6c6bc224 ] + +The UEFI spec revision 2.7 errata A section 8.4 has the following to +say about the virtual memory runtime services: + + "This section contains function definitions for the virtual memory + support that may be optionally used by an operating system at runtime. + If an operating system chooses to make EFI runtime service calls in a + virtual addressing mode instead of the flat physical mode, then the + operating system must use the services in this section to switch the + EFI runtime services from flat physical addressing to virtual + addressing." + +So it is pretty clear that calling SetVirtualAddressMap() is entirely +optional, and so there is no point in doing so unless it achieves +anything useful for us. + +This is not the case for 64-bit ARM. The identity mapping used by the +firmware is arbitrarily converted into another permutation of userland +addresses (i.e., bits [63:48] cleared), and the runtime code could easily +deal with the original layout in exactly the same way as it deals with +the converted layout. However, due to constraints related to page size +differences if the OS is not running with 4k pages, and related to +systems that may expose the individual sections of PE/COFF runtime +modules as different memory regions, creating the virtual layout is a +bit fiddly, and requires us to sort the memory map and reason about +adjacent regions with identical memory types etc etc. + +So the obvious fix is to stop calling SetVirtualAddressMap() altogether +on arm64 systems. However, to avoid surprises, which are notoriously +hard to diagnose when it comes to OS<->firmware interactions, let's +start by making it an opt-out feature, and implement support for the +'efi=novamap' kernel command line parameter on ARM and arm64 systems. + +( Note that 32-bit ARM generally does require SetVirtualAddressMap() to be + used, given that the physical memory map and the kernel virtual address + map are not guaranteed to be non-overlapping like on arm64. However, + having support for efi=novamap,noruntime on 32-bit ARM, combined with + the recently proposed support for earlycon=efifb, is likely to be useful + to diagnose boot issues on such systems if they have no accessible serial + port. ) + +Tested-by: Jeffrey Hugo +Tested-by: Bjorn Andersson +Tested-by: Lee Jones +Signed-off-by: Ard Biesheuvel +Cc: AKASHI Takahiro +Cc: Alexander Graf +Cc: Borislav Petkov +Cc: Heinrich Schuchardt +Cc: Leif Lindholm +Cc: Linus Torvalds +Cc: Matt Fleming +Cc: Peter Jones +Cc: Peter Zijlstra +Cc: Sai Praneeth Prakhya +Cc: Thomas Gleixner +Cc: linux-efi@vger.kernel.org +Link: http://lkml.kernel.org/r/20190202094119.13230-8-ard.biesheuvel@linaro.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/libstub/arm-stub.c | 5 +++++ + drivers/firmware/efi/libstub/efi-stub-helper.c | 10 ++++++++++ + drivers/firmware/efi/libstub/efistub.h | 1 + + drivers/firmware/efi/libstub/fdt.c | 3 +++ + 4 files changed, 19 insertions(+) + +diff --git a/drivers/firmware/efi/libstub/arm-stub.c b/drivers/firmware/efi/libstub/arm-stub.c +index c037c6c5d0b7..04e6ecd72cd9 100644 +--- a/drivers/firmware/efi/libstub/arm-stub.c ++++ b/drivers/firmware/efi/libstub/arm-stub.c +@@ -367,6 +367,11 @@ void efi_get_virtmap(efi_memory_desc_t *memory_map, unsigned long map_size, + paddr = in->phys_addr; + size = in->num_pages * EFI_PAGE_SIZE; + ++ if (novamap()) { ++ in->virt_addr = in->phys_addr; ++ continue; ++ } ++ + /* + * Make the mapping compatible with 64k pages: this allows + * a 4k page size kernel to kexec a 64k page size kernel and +diff --git a/drivers/firmware/efi/libstub/efi-stub-helper.c b/drivers/firmware/efi/libstub/efi-stub-helper.c +index e94975f4655b..442f51c2a53d 100644 +--- a/drivers/firmware/efi/libstub/efi-stub-helper.c ++++ b/drivers/firmware/efi/libstub/efi-stub-helper.c +@@ -34,6 +34,7 @@ static unsigned long __chunk_size = EFI_READ_CHUNK_SIZE; + + static int __section(.data) __nokaslr; + static int __section(.data) __quiet; ++static int __section(.data) __novamap; + + int __pure nokaslr(void) + { +@@ -43,6 +44,10 @@ int __pure is_quiet(void) + { + return __quiet; + } ++int __pure novamap(void) ++{ ++ return __novamap; ++} + + #define EFI_MMAP_NR_SLACK_SLOTS 8 + +@@ -482,6 +487,11 @@ efi_status_t efi_parse_options(char const *cmdline) + __chunk_size = -1UL; + } + ++ if (!strncmp(str, "novamap", 7)) { ++ str += strlen("novamap"); ++ __novamap = 1; ++ } ++ + /* Group words together, delimited by "," */ + while (*str && *str != ' ' && *str != ',') + str++; +diff --git a/drivers/firmware/efi/libstub/efistub.h b/drivers/firmware/efi/libstub/efistub.h +index 32799cf039ef..337b52c4702c 100644 +--- a/drivers/firmware/efi/libstub/efistub.h ++++ b/drivers/firmware/efi/libstub/efistub.h +@@ -27,6 +27,7 @@ + + extern int __pure nokaslr(void); + extern int __pure is_quiet(void); ++extern int __pure novamap(void); + + #define pr_efi(sys_table, msg) do { \ + if (!is_quiet()) efi_printk(sys_table, "EFI stub: "msg); \ +diff --git a/drivers/firmware/efi/libstub/fdt.c b/drivers/firmware/efi/libstub/fdt.c +index 0dc7b4987cc2..f8f89f995e9d 100644 +--- a/drivers/firmware/efi/libstub/fdt.c ++++ b/drivers/firmware/efi/libstub/fdt.c +@@ -327,6 +327,9 @@ efi_status_t allocate_new_fdt_and_exit_boot(efi_system_table_t *sys_table, + if (status == EFI_SUCCESS) { + efi_set_virtual_address_map_t *svam; + ++ if (novamap()) ++ return EFI_SUCCESS; ++ + /* Install the new virtual address map */ + svam = sys_table->runtime->set_virtual_address_map; + status = svam(runtime_entry_count * desc_size, desc_size, +-- +2.19.1 + diff --git a/queue-5.0/efi-cper-fix-possible-out-of-bounds-access.patch b/queue-5.0/efi-cper-fix-possible-out-of-bounds-access.patch new file mode 100644 index 00000000000..98870db8860 --- /dev/null +++ b/queue-5.0/efi-cper-fix-possible-out-of-bounds-access.patch @@ -0,0 +1,65 @@ +From 5c57610dee5ae3451a64b732b26aadab58182f1d Mon Sep 17 00:00:00 2001 +From: Ross Lagerwall +Date: Mon, 28 Jan 2019 10:04:24 +0000 +Subject: efi: cper: Fix possible out-of-bounds access + +[ Upstream commit 45b14a4ffcc1e0b5caa246638f942cbe7eaea7ad ] + +When checking a generic status block, we iterate over all the generic +data blocks. The loop condition only checks that the start of the +generic data block is valid (within estatus->data_length) but not the +whole block. Because the size of data blocks (excluding error data) may +vary depending on the revision and the revision is contained within the +data block, ensure that enough of the current data block is valid before +dereferencing any members otherwise an out-of-bounds access may occur if +estatus->data_length is invalid. + +This relies on the fact that struct acpi_hest_generic_data_v300 is a +superset of the earlier version. Also rework the other checks to avoid +potential underflow. + +Signed-off-by: Ross Lagerwall +Acked-by: Borislav Petkov +Tested-by: Tyler Baicar +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/cper.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/drivers/firmware/efi/cper.c b/drivers/firmware/efi/cper.c +index a7902fccdcfa..6090d25dce85 100644 +--- a/drivers/firmware/efi/cper.c ++++ b/drivers/firmware/efi/cper.c +@@ -546,19 +546,24 @@ EXPORT_SYMBOL_GPL(cper_estatus_check_header); + int cper_estatus_check(const struct acpi_hest_generic_status *estatus) + { + struct acpi_hest_generic_data *gdata; +- unsigned int data_len, gedata_len; ++ unsigned int data_len, record_size; + int rc; + + rc = cper_estatus_check_header(estatus); + if (rc) + return rc; ++ + data_len = estatus->data_length; + + apei_estatus_for_each_section(estatus, gdata) { +- gedata_len = acpi_hest_get_error_length(gdata); +- if (gedata_len > data_len - acpi_hest_get_size(gdata)) ++ if (sizeof(struct acpi_hest_generic_data) > data_len) ++ return -EINVAL; ++ ++ record_size = acpi_hest_get_record_size(gdata); ++ if (record_size > data_len) + return -EINVAL; +- data_len -= acpi_hest_get_record_size(gdata); ++ ++ data_len -= record_size; + } + if (data_len) + return -EINVAL; +-- +2.19.1 + diff --git a/queue-5.0/efi-fix-build-error-due-to-enum-collision-between-ef.patch b/queue-5.0/efi-fix-build-error-due-to-enum-collision-between-ef.patch new file mode 100644 index 00000000000..27cf9a3a105 --- /dev/null +++ b/queue-5.0/efi-fix-build-error-due-to-enum-collision-between-ef.patch @@ -0,0 +1,283 @@ +From 1a9dadec64cfd4ce5002359c8c9f9de42ef8894a Mon Sep 17 00:00:00 2001 +From: Anders Roxell +Date: Fri, 15 Feb 2019 17:55:51 +0100 +Subject: efi: Fix build error due to enum collision between efi.h and ima.h + +[ Upstream commit 5c418dc789a3898717ebf2caa5716ba91a7150b2 ] + +The following commit: + + a893ea15d764 ("tpm: move tpm_chip definition to include/linux/tpm.h") + +introduced a build error when both IMA and EFI are enabled: + + In file included from ../security/integrity/ima/ima_fs.c:30: + ../security/integrity/ima/ima.h:176:7: error: redeclaration of enumerator "NONE" + +What happens is that both headers (ima.h and efi.h) defines the same +'NONE' constant, and it broke when they started getting included from +the same file: + +Rework to prefix the EFI enum with 'EFI_*'. + +Signed-off-by: Anders Roxell +Signed-off-by: Ard Biesheuvel +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: linux-efi@vger.kernel.org +Link: http://lkml.kernel.org/r/20190215165551.12220-2-ard.biesheuvel@linaro.org +[ Cleaned up the changelog a bit. ] +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + arch/x86/platform/efi/quirks.c | 4 +-- + drivers/firmware/efi/runtime-wrappers.c | 48 ++++++++++++------------- + include/linux/efi.h | 26 +++++++------- + 3 files changed, 39 insertions(+), 39 deletions(-) + +diff --git a/arch/x86/platform/efi/quirks.c b/arch/x86/platform/efi/quirks.c +index 17456a1d3f04..6c571ae86947 100644 +--- a/arch/x86/platform/efi/quirks.c ++++ b/arch/x86/platform/efi/quirks.c +@@ -717,7 +717,7 @@ void efi_recover_from_page_fault(unsigned long phys_addr) + * "efi_mm" cannot be used to check if the page fault had occurred + * in the firmware context because efi=old_map doesn't use efi_pgd. + */ +- if (efi_rts_work.efi_rts_id == NONE) ++ if (efi_rts_work.efi_rts_id == EFI_NONE) + return; + + /* +@@ -742,7 +742,7 @@ void efi_recover_from_page_fault(unsigned long phys_addr) + * because this case occurs *very* rarely and hence could be improved + * on a need by basis. + */ +- if (efi_rts_work.efi_rts_id == RESET_SYSTEM) { ++ if (efi_rts_work.efi_rts_id == EFI_RESET_SYSTEM) { + pr_info("efi_reset_system() buggy! Reboot through BIOS\n"); + machine_real_restart(MRR_BIOS); + return; +diff --git a/drivers/firmware/efi/runtime-wrappers.c b/drivers/firmware/efi/runtime-wrappers.c +index e2abfdb5cee6..698745c249e8 100644 +--- a/drivers/firmware/efi/runtime-wrappers.c ++++ b/drivers/firmware/efi/runtime-wrappers.c +@@ -85,7 +85,7 @@ struct efi_runtime_work efi_rts_work; + pr_err("Failed to queue work to efi_rts_wq.\n"); \ + \ + exit: \ +- efi_rts_work.efi_rts_id = NONE; \ ++ efi_rts_work.efi_rts_id = EFI_NONE; \ + efi_rts_work.status; \ + }) + +@@ -175,50 +175,50 @@ static void efi_call_rts(struct work_struct *work) + arg5 = efi_rts_work.arg5; + + switch (efi_rts_work.efi_rts_id) { +- case GET_TIME: ++ case EFI_GET_TIME: + status = efi_call_virt(get_time, (efi_time_t *)arg1, + (efi_time_cap_t *)arg2); + break; +- case SET_TIME: ++ case EFI_SET_TIME: + status = efi_call_virt(set_time, (efi_time_t *)arg1); + break; +- case GET_WAKEUP_TIME: ++ case EFI_GET_WAKEUP_TIME: + status = efi_call_virt(get_wakeup_time, (efi_bool_t *)arg1, + (efi_bool_t *)arg2, (efi_time_t *)arg3); + break; +- case SET_WAKEUP_TIME: ++ case EFI_SET_WAKEUP_TIME: + status = efi_call_virt(set_wakeup_time, *(efi_bool_t *)arg1, + (efi_time_t *)arg2); + break; +- case GET_VARIABLE: ++ case EFI_GET_VARIABLE: + status = efi_call_virt(get_variable, (efi_char16_t *)arg1, + (efi_guid_t *)arg2, (u32 *)arg3, + (unsigned long *)arg4, (void *)arg5); + break; +- case GET_NEXT_VARIABLE: ++ case EFI_GET_NEXT_VARIABLE: + status = efi_call_virt(get_next_variable, (unsigned long *)arg1, + (efi_char16_t *)arg2, + (efi_guid_t *)arg3); + break; +- case SET_VARIABLE: ++ case EFI_SET_VARIABLE: + status = efi_call_virt(set_variable, (efi_char16_t *)arg1, + (efi_guid_t *)arg2, *(u32 *)arg3, + *(unsigned long *)arg4, (void *)arg5); + break; +- case QUERY_VARIABLE_INFO: ++ case EFI_QUERY_VARIABLE_INFO: + status = efi_call_virt(query_variable_info, *(u32 *)arg1, + (u64 *)arg2, (u64 *)arg3, (u64 *)arg4); + break; +- case GET_NEXT_HIGH_MONO_COUNT: ++ case EFI_GET_NEXT_HIGH_MONO_COUNT: + status = efi_call_virt(get_next_high_mono_count, (u32 *)arg1); + break; +- case UPDATE_CAPSULE: ++ case EFI_UPDATE_CAPSULE: + status = efi_call_virt(update_capsule, + (efi_capsule_header_t **)arg1, + *(unsigned long *)arg2, + *(unsigned long *)arg3); + break; +- case QUERY_CAPSULE_CAPS: ++ case EFI_QUERY_CAPSULE_CAPS: + status = efi_call_virt(query_capsule_caps, + (efi_capsule_header_t **)arg1, + *(unsigned long *)arg2, (u64 *)arg3, +@@ -242,7 +242,7 @@ static efi_status_t virt_efi_get_time(efi_time_t *tm, efi_time_cap_t *tc) + + if (down_interruptible(&efi_runtime_lock)) + return EFI_ABORTED; +- status = efi_queue_work(GET_TIME, tm, tc, NULL, NULL, NULL); ++ status = efi_queue_work(EFI_GET_TIME, tm, tc, NULL, NULL, NULL); + up(&efi_runtime_lock); + return status; + } +@@ -253,7 +253,7 @@ static efi_status_t virt_efi_set_time(efi_time_t *tm) + + if (down_interruptible(&efi_runtime_lock)) + return EFI_ABORTED; +- status = efi_queue_work(SET_TIME, tm, NULL, NULL, NULL, NULL); ++ status = efi_queue_work(EFI_SET_TIME, tm, NULL, NULL, NULL, NULL); + up(&efi_runtime_lock); + return status; + } +@@ -266,7 +266,7 @@ static efi_status_t virt_efi_get_wakeup_time(efi_bool_t *enabled, + + if (down_interruptible(&efi_runtime_lock)) + return EFI_ABORTED; +- status = efi_queue_work(GET_WAKEUP_TIME, enabled, pending, tm, NULL, ++ status = efi_queue_work(EFI_GET_WAKEUP_TIME, enabled, pending, tm, NULL, + NULL); + up(&efi_runtime_lock); + return status; +@@ -278,7 +278,7 @@ static efi_status_t virt_efi_set_wakeup_time(efi_bool_t enabled, efi_time_t *tm) + + if (down_interruptible(&efi_runtime_lock)) + return EFI_ABORTED; +- status = efi_queue_work(SET_WAKEUP_TIME, &enabled, tm, NULL, NULL, ++ status = efi_queue_work(EFI_SET_WAKEUP_TIME, &enabled, tm, NULL, NULL, + NULL); + up(&efi_runtime_lock); + return status; +@@ -294,7 +294,7 @@ static efi_status_t virt_efi_get_variable(efi_char16_t *name, + + if (down_interruptible(&efi_runtime_lock)) + return EFI_ABORTED; +- status = efi_queue_work(GET_VARIABLE, name, vendor, attr, data_size, ++ status = efi_queue_work(EFI_GET_VARIABLE, name, vendor, attr, data_size, + data); + up(&efi_runtime_lock); + return status; +@@ -308,7 +308,7 @@ static efi_status_t virt_efi_get_next_variable(unsigned long *name_size, + + if (down_interruptible(&efi_runtime_lock)) + return EFI_ABORTED; +- status = efi_queue_work(GET_NEXT_VARIABLE, name_size, name, vendor, ++ status = efi_queue_work(EFI_GET_NEXT_VARIABLE, name_size, name, vendor, + NULL, NULL); + up(&efi_runtime_lock); + return status; +@@ -324,7 +324,7 @@ static efi_status_t virt_efi_set_variable(efi_char16_t *name, + + if (down_interruptible(&efi_runtime_lock)) + return EFI_ABORTED; +- status = efi_queue_work(SET_VARIABLE, name, vendor, &attr, &data_size, ++ status = efi_queue_work(EFI_SET_VARIABLE, name, vendor, &attr, &data_size, + data); + up(&efi_runtime_lock); + return status; +@@ -359,7 +359,7 @@ static efi_status_t virt_efi_query_variable_info(u32 attr, + + if (down_interruptible(&efi_runtime_lock)) + return EFI_ABORTED; +- status = efi_queue_work(QUERY_VARIABLE_INFO, &attr, storage_space, ++ status = efi_queue_work(EFI_QUERY_VARIABLE_INFO, &attr, storage_space, + remaining_space, max_variable_size, NULL); + up(&efi_runtime_lock); + return status; +@@ -391,7 +391,7 @@ static efi_status_t virt_efi_get_next_high_mono_count(u32 *count) + + if (down_interruptible(&efi_runtime_lock)) + return EFI_ABORTED; +- status = efi_queue_work(GET_NEXT_HIGH_MONO_COUNT, count, NULL, NULL, ++ status = efi_queue_work(EFI_GET_NEXT_HIGH_MONO_COUNT, count, NULL, NULL, + NULL, NULL); + up(&efi_runtime_lock); + return status; +@@ -407,7 +407,7 @@ static void virt_efi_reset_system(int reset_type, + "could not get exclusive access to the firmware\n"); + return; + } +- efi_rts_work.efi_rts_id = RESET_SYSTEM; ++ efi_rts_work.efi_rts_id = EFI_RESET_SYSTEM; + __efi_call_virt(reset_system, reset_type, status, data_size, data); + up(&efi_runtime_lock); + } +@@ -423,7 +423,7 @@ static efi_status_t virt_efi_update_capsule(efi_capsule_header_t **capsules, + + if (down_interruptible(&efi_runtime_lock)) + return EFI_ABORTED; +- status = efi_queue_work(UPDATE_CAPSULE, capsules, &count, &sg_list, ++ status = efi_queue_work(EFI_UPDATE_CAPSULE, capsules, &count, &sg_list, + NULL, NULL); + up(&efi_runtime_lock); + return status; +@@ -441,7 +441,7 @@ static efi_status_t virt_efi_query_capsule_caps(efi_capsule_header_t **capsules, + + if (down_interruptible(&efi_runtime_lock)) + return EFI_ABORTED; +- status = efi_queue_work(QUERY_CAPSULE_CAPS, capsules, &count, ++ status = efi_queue_work(EFI_QUERY_CAPSULE_CAPS, capsules, &count, + max_size, reset_type, NULL); + up(&efi_runtime_lock); + return status; +diff --git a/include/linux/efi.h b/include/linux/efi.h +index 28604a8d0aa9..a86485ac7c87 100644 +--- a/include/linux/efi.h ++++ b/include/linux/efi.h +@@ -1699,19 +1699,19 @@ extern int efi_tpm_eventlog_init(void); + * fault happened while executing an efi runtime service. + */ + enum efi_rts_ids { +- NONE, +- GET_TIME, +- SET_TIME, +- GET_WAKEUP_TIME, +- SET_WAKEUP_TIME, +- GET_VARIABLE, +- GET_NEXT_VARIABLE, +- SET_VARIABLE, +- QUERY_VARIABLE_INFO, +- GET_NEXT_HIGH_MONO_COUNT, +- RESET_SYSTEM, +- UPDATE_CAPSULE, +- QUERY_CAPSULE_CAPS, ++ EFI_NONE, ++ EFI_GET_TIME, ++ EFI_SET_TIME, ++ EFI_GET_WAKEUP_TIME, ++ EFI_SET_WAKEUP_TIME, ++ EFI_GET_VARIABLE, ++ EFI_GET_NEXT_VARIABLE, ++ EFI_SET_VARIABLE, ++ EFI_QUERY_VARIABLE_INFO, ++ EFI_GET_NEXT_HIGH_MONO_COUNT, ++ EFI_RESET_SYSTEM, ++ EFI_UPDATE_CAPSULE, ++ EFI_QUERY_CAPSULE_CAPS, + }; + + /* +-- +2.19.1 + diff --git a/queue-5.0/efi-memattr-don-t-bail-on-zero-va-if-it-equals-the-r.patch b/queue-5.0/efi-memattr-don-t-bail-on-zero-va-if-it-equals-the-r.patch new file mode 100644 index 00000000000..53e9cbed568 --- /dev/null +++ b/queue-5.0/efi-memattr-don-t-bail-on-zero-va-if-it-equals-the-r.patch @@ -0,0 +1,68 @@ +From 75992d75b9a8e7ae0eb1f82f1d9f6266a4d86a51 Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Sat, 2 Feb 2019 10:41:12 +0100 +Subject: efi/memattr: Don't bail on zero VA if it equals the region's PA + +[ Upstream commit 5de0fef0230f3c8d75cff450a71740a7bf2db866 ] + +The EFI memory attributes code cross-references the EFI memory map with +the more granular EFI memory attributes table to ensure that they are in +sync before applying the strict permissions to the regions it describes. + +Since we always install virtual mappings for the EFI runtime regions to +which these strict permissions apply, we currently perform a sanity check +on the EFI memory descriptor, and ensure that the EFI_MEMORY_RUNTIME bit +is set, and that the virtual address has been assigned. + +However, in cases where a runtime region exists at physical address 0x0, +and the virtual mapping equals the physical mapping, e.g., when running +in mixed mode on x86, we encounter a memory descriptor with the runtime +attribute and virtual address 0x0, and incorrectly draw the conclusion +that a runtime region exists for which no virtual mapping was installed, +and give up altogether. The consequence of this is that firmware mappings +retain their read-write-execute permissions, making the system more +vulnerable to attacks. + +So let's only bail if the virtual address of 0x0 has been assigned to a +physical region that does not reside at address 0x0. + +Signed-off-by: Ard Biesheuvel +Acked-by: Sai Praneeth Prakhya +Cc: AKASHI Takahiro +Cc: Alexander Graf +Cc: Bjorn Andersson +Cc: Borislav Petkov +Cc: Heinrich Schuchardt +Cc: Jeffrey Hugo +Cc: Lee Jones +Cc: Leif Lindholm +Cc: Linus Torvalds +Cc: Matt Fleming +Cc: Peter Jones +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: linux-efi@vger.kernel.org +Fixes: 10f0d2f577053 ("efi: Implement generic support for the Memory ...") +Link: http://lkml.kernel.org/r/20190202094119.13230-4-ard.biesheuvel@linaro.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/memattr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/firmware/efi/memattr.c b/drivers/firmware/efi/memattr.c +index 8986757eafaf..aac972b056d9 100644 +--- a/drivers/firmware/efi/memattr.c ++++ b/drivers/firmware/efi/memattr.c +@@ -94,7 +94,7 @@ static bool entry_is_valid(const efi_memory_desc_t *in, efi_memory_desc_t *out) + + if (!(md->attribute & EFI_MEMORY_RUNTIME)) + continue; +- if (md->virt_addr == 0) { ++ if (md->virt_addr == 0 && md->phys_addr != 0) { + /* no virtual mapping has been installed by the stub */ + break; + } +-- +2.19.1 + diff --git a/queue-5.0/enic-fix-build-warning-without-config_cpumask_offsta.patch b/queue-5.0/enic-fix-build-warning-without-config_cpumask_offsta.patch new file mode 100644 index 00000000000..2a1ada52b17 --- /dev/null +++ b/queue-5.0/enic-fix-build-warning-without-config_cpumask_offsta.patch @@ -0,0 +1,64 @@ +From 8c603780a9b0f0e6a042cda34bffd844d1f0f2c6 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Thu, 7 Mar 2019 16:52:24 +0100 +Subject: enic: fix build warning without CONFIG_CPUMASK_OFFSTACK + +[ Upstream commit 43d281662fdb46750d49417559b71069f435298d ] + +The enic driver relies on the CONFIG_CPUMASK_OFFSTACK feature to +dynamically allocate a struct member, but this is normally intended for +local variables. + +Building with clang, I get a warning for a few locations that check the +address of the cpumask_var_t: + +drivers/net/ethernet/cisco/enic/enic_main.c:122:22: error: address of array 'enic->msix[i].affinity_mask' will always evaluate to 'true' [-Werror,-Wpointer-bool-conversion] + +As far as I can tell, the code is still correct, as the truth value of +the pointer is what we need in this configuration. To get rid of +the warning, use cpumask_available() instead of checking the +pointer directly. + +Fixes: 322cf7e3a4e8 ("enic: assign affinity hint to interrupts") +Signed-off-by: Arnd Bergmann +Reviewed-by: Nathan Chancellor +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cisco/enic/enic_main.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/cisco/enic/enic_main.c b/drivers/net/ethernet/cisco/enic/enic_main.c +index 9a7f70db20c7..733d9172425b 100644 +--- a/drivers/net/ethernet/cisco/enic/enic_main.c ++++ b/drivers/net/ethernet/cisco/enic/enic_main.c +@@ -119,7 +119,7 @@ static void enic_init_affinity_hint(struct enic *enic) + + for (i = 0; i < enic->intr_count; i++) { + if (enic_is_err_intr(enic, i) || enic_is_notify_intr(enic, i) || +- (enic->msix[i].affinity_mask && ++ (cpumask_available(enic->msix[i].affinity_mask) && + !cpumask_empty(enic->msix[i].affinity_mask))) + continue; + if (zalloc_cpumask_var(&enic->msix[i].affinity_mask, +@@ -148,7 +148,7 @@ static void enic_set_affinity_hint(struct enic *enic) + for (i = 0; i < enic->intr_count; i++) { + if (enic_is_err_intr(enic, i) || + enic_is_notify_intr(enic, i) || +- !enic->msix[i].affinity_mask || ++ !cpumask_available(enic->msix[i].affinity_mask) || + cpumask_empty(enic->msix[i].affinity_mask)) + continue; + err = irq_set_affinity_hint(enic->msix_entry[i].vector, +@@ -161,7 +161,7 @@ static void enic_set_affinity_hint(struct enic *enic) + for (i = 0; i < enic->wq_count; i++) { + int wq_intr = enic_msix_wq_intr(enic, i); + +- if (enic->msix[wq_intr].affinity_mask && ++ if (cpumask_available(enic->msix[wq_intr].affinity_mask) && + !cpumask_empty(enic->msix[wq_intr].affinity_mask)) + netif_set_xps_queue(enic->netdev, + enic->msix[wq_intr].affinity_mask, +-- +2.19.1 + diff --git a/queue-5.0/ext4-fix-bigalloc-cluster-freeing-when-hole-punching.patch b/queue-5.0/ext4-fix-bigalloc-cluster-freeing-when-hole-punching.patch new file mode 100644 index 00000000000..8d4003a5e91 --- /dev/null +++ b/queue-5.0/ext4-fix-bigalloc-cluster-freeing-when-hole-punching.patch @@ -0,0 +1,65 @@ +From 4053c25fb537c986f66fabc688f9817e56cf338c Mon Sep 17 00:00:00 2001 +From: Eric Whitney +Date: Thu, 28 Feb 2019 23:34:11 -0500 +Subject: ext4: fix bigalloc cluster freeing when hole punching under load + +[ Upstream commit 7bd75230b43727b258a4f7a59d62114cffe1b6c8 ] + +Ext4 may not free clusters correctly when punching holes in bigalloc +file systems under high load conditions. If it's not possible to +extend and restart the journal in ext4_ext_rm_leaf() when preparing to +remove blocks from a punched region, a retry of the entire punch +operation is triggered in ext4_ext_remove_space(). This causes a +partial cluster to be set to the first cluster in the extent found to +the right of the punched region. However, if the punch operation +prior to the retry had made enough progress to delete one or more +extents and a partial cluster candidate for freeing had already been +recorded, the retry would overwrite the partial cluster. The loss of +this information makes it impossible to correctly free the original +partial cluster in all cases. + +This bug can cause generic/476 to fail when run as part of +xfstests-bld's bigalloc and bigalloc_1k test cases. The failure is +reported when e2fsck detects bad iblocks counts greater than expected +in units of whole clusters and also detects a number of negative block +bitmap differences equal to the iblocks discrepancy in cluster units. + +Signed-off-by: Eric Whitney +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/extents.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c +index 240b6dea5441..252bbbb5a2f4 100644 +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -2956,14 +2956,17 @@ again: + if (err < 0) + goto out; + +- } else if (sbi->s_cluster_ratio > 1 && end >= ex_end) { ++ } else if (sbi->s_cluster_ratio > 1 && end >= ex_end && ++ partial.state == initial) { + /* +- * If there's an extent to the right its first cluster +- * contains the immediate right boundary of the +- * truncated/punched region. Set partial_cluster to +- * its negative value so it won't be freed if shared +- * with the current extent. The end < ee_block case +- * is handled in ext4_ext_rm_leaf(). ++ * If we're punching, there's an extent to the right. ++ * If the partial cluster hasn't been set, set it to ++ * that extent's first cluster and its state to nofree ++ * so it won't be freed should it contain blocks to be ++ * removed. If it's already set (tofree/nofree), we're ++ * retrying and keep the original partial cluster info ++ * so a cluster marked tofree as a result of earlier ++ * extent removal is not lost. + */ + lblk = ex_end + 1; + err = ext4_ext_search_right(inode, path, &lblk, &pblk, +-- +2.19.1 + diff --git a/queue-5.0/f2fs-do-not-use-mutex-lock-in-atomic-context.patch b/queue-5.0/f2fs-do-not-use-mutex-lock-in-atomic-context.patch new file mode 100644 index 00000000000..182cc1ae889 --- /dev/null +++ b/queue-5.0/f2fs-do-not-use-mutex-lock-in-atomic-context.patch @@ -0,0 +1,107 @@ +From 7375980596678b0a75513fe7ee4539cc66b08a5b Mon Sep 17 00:00:00 2001 +From: Sahitya Tummala +Date: Mon, 4 Feb 2019 13:36:53 +0530 +Subject: f2fs: do not use mutex lock in atomic context + +[ Upstream commit 9083977dabf3833298ddcd40dee28687f1e6b483 ] + +Fix below warning coming because of using mutex lock in atomic context. + +BUG: sleeping function called from invalid context at kernel/locking/mutex.c:98 +in_atomic(): 1, irqs_disabled(): 0, pid: 585, name: sh +Preemption disabled at: __radix_tree_preload+0x28/0x130 +Call trace: + dump_backtrace+0x0/0x2b4 + show_stack+0x20/0x28 + dump_stack+0xa8/0xe0 + ___might_sleep+0x144/0x194 + __might_sleep+0x58/0x8c + mutex_lock+0x2c/0x48 + f2fs_trace_pid+0x88/0x14c + f2fs_set_node_page_dirty+0xd0/0x184 + +Do not use f2fs_radix_tree_insert() to avoid doing cond_resched() with +spin_lock() acquired. + +Signed-off-by: Sahitya Tummala +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/trace.c | 20 +++++++++++++------- + 1 file changed, 13 insertions(+), 7 deletions(-) + +diff --git a/fs/f2fs/trace.c b/fs/f2fs/trace.c +index ce2a5eb210b6..d0ab533a9ce8 100644 +--- a/fs/f2fs/trace.c ++++ b/fs/f2fs/trace.c +@@ -14,7 +14,7 @@ + #include "trace.h" + + static RADIX_TREE(pids, GFP_ATOMIC); +-static struct mutex pids_lock; ++static spinlock_t pids_lock; + static struct last_io_info last_io; + + static inline void __print_last_io(void) +@@ -58,23 +58,29 @@ void f2fs_trace_pid(struct page *page) + + set_page_private(page, (unsigned long)pid); + ++retry: + if (radix_tree_preload(GFP_NOFS)) + return; + +- mutex_lock(&pids_lock); ++ spin_lock(&pids_lock); + p = radix_tree_lookup(&pids, pid); + if (p == current) + goto out; + if (p) + radix_tree_delete(&pids, pid); + +- f2fs_radix_tree_insert(&pids, pid, current); ++ if (radix_tree_insert(&pids, pid, current)) { ++ spin_unlock(&pids_lock); ++ radix_tree_preload_end(); ++ cond_resched(); ++ goto retry; ++ } + + trace_printk("%3x:%3x %4x %-16s\n", + MAJOR(inode->i_sb->s_dev), MINOR(inode->i_sb->s_dev), + pid, current->comm); + out: +- mutex_unlock(&pids_lock); ++ spin_unlock(&pids_lock); + radix_tree_preload_end(); + } + +@@ -119,7 +125,7 @@ void f2fs_trace_ios(struct f2fs_io_info *fio, int flush) + + void f2fs_build_trace_ios(void) + { +- mutex_init(&pids_lock); ++ spin_lock_init(&pids_lock); + } + + #define PIDVEC_SIZE 128 +@@ -147,7 +153,7 @@ void f2fs_destroy_trace_ios(void) + pid_t next_pid = 0; + unsigned int found; + +- mutex_lock(&pids_lock); ++ spin_lock(&pids_lock); + while ((found = gang_lookup_pids(pid, next_pid, PIDVEC_SIZE))) { + unsigned idx; + +@@ -155,5 +161,5 @@ void f2fs_destroy_trace_ios(void) + for (idx = 0; idx < found; idx++) + radix_tree_delete(&pids, pid[idx]); + } +- mutex_unlock(&pids_lock); ++ spin_unlock(&pids_lock); + } +-- +2.19.1 + diff --git a/queue-5.0/f2fs-fix-to-adapt-small-inline-xattr-space-in-__find.patch b/queue-5.0/f2fs-fix-to-adapt-small-inline-xattr-space-in-__find.patch new file mode 100644 index 00000000000..da9a69abc68 --- /dev/null +++ b/queue-5.0/f2fs-fix-to-adapt-small-inline-xattr-space-in-__find.patch @@ -0,0 +1,68 @@ +From aaf44b1a84d6442107b21a0bee5a1c26efee752d Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Tue, 5 Mar 2019 19:32:26 +0800 +Subject: f2fs: fix to adapt small inline xattr space in __find_inline_xattr() + +[ Upstream commit 2c28aba8b2e2a51749fa66e01b68e1cd5b53e022 ] + +With below testcase, we will fail to find existed xattr entry: + +1. mkfs.f2fs -O extra_attr -O flexible_inline_xattr /dev/zram0 +2. mount -t f2fs -o inline_xattr_size=1 /dev/zram0 /mnt/f2fs/ +3. touch /mnt/f2fs/file +4. setfattr -n "user.name" -v 0 /mnt/f2fs/file +5. getfattr -n "user.name" /mnt/f2fs/file + +/mnt/f2fs/file: user.name: No such attribute + +The reason is for inode which has very small inline xattr size, +__find_inline_xattr() will fail to traverse any entry due to first +entry may not be loaded from xattr node yet, later, we may skip to +check entire xattr datas in __find_xattr(), result in such wrong +condition. + +This patch adds condition to check such case to avoid this issue. + +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/xattr.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/fs/f2fs/xattr.c b/fs/f2fs/xattr.c +index 18d5ffbc5e8c..73b92985198b 100644 +--- a/fs/f2fs/xattr.c ++++ b/fs/f2fs/xattr.c +@@ -224,11 +224,11 @@ static struct f2fs_xattr_entry *__find_inline_xattr(struct inode *inode, + { + struct f2fs_xattr_entry *entry; + unsigned int inline_size = inline_xattr_size(inode); ++ void *max_addr = base_addr + inline_size; + + list_for_each_xattr(entry, base_addr) { +- if ((void *)entry + sizeof(__u32) > base_addr + inline_size || +- (void *)XATTR_NEXT_ENTRY(entry) + sizeof(__u32) > +- base_addr + inline_size) { ++ if ((void *)entry + sizeof(__u32) > max_addr || ++ (void *)XATTR_NEXT_ENTRY(entry) > max_addr) { + *last_addr = entry; + return NULL; + } +@@ -239,6 +239,13 @@ static struct f2fs_xattr_entry *__find_inline_xattr(struct inode *inode, + if (!memcmp(entry->e_name, name, len)) + break; + } ++ ++ /* inline xattr header or entry across max inline xattr size */ ++ if (IS_XATTR_LAST_ENTRY(entry) && ++ (void *)entry + sizeof(__u32) > max_addr) { ++ *last_addr = entry; ++ return NULL; ++ } + return entry; + } + +-- +2.19.1 + diff --git a/queue-5.0/f2fs-fix-to-avoid-deadlock-in-f2fs_read_inline_dir.patch b/queue-5.0/f2fs-fix-to-avoid-deadlock-in-f2fs_read_inline_dir.patch new file mode 100644 index 00000000000..93e1bb37dcb --- /dev/null +++ b/queue-5.0/f2fs-fix-to-avoid-deadlock-in-f2fs_read_inline_dir.patch @@ -0,0 +1,121 @@ +From 96ab3951f02ed0b4c7cf2ab65667ce0fcd1c4548 Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Tue, 12 Mar 2019 15:44:27 +0800 +Subject: f2fs: fix to avoid deadlock in f2fs_read_inline_dir() + +[ Upstream commit aadcef64b22f668c1a107b86d3521d9cac915c24 ] + +As Jiqun Li reported in bugzilla: + +https://bugzilla.kernel.org/show_bug.cgi?id=202883 + +sometimes, dead lock when make system call SYS_getdents64 with fsync() is +called by another process. + +monkey running on android9.0 + +1. task 9785 held sbi->cp_rwsem and waiting lock_page() +2. task 10349 held mm_sem and waiting sbi->cp_rwsem +3. task 9709 held lock_page() and waiting mm_sem + +so this is a dead lock scenario. + +task stack is show by crash tools as following + +crash_arm64> bt ffffffc03c354080 +PID: 9785 TASK: ffffffc03c354080 CPU: 1 COMMAND: "RxIoScheduler-3" +>> #7 [ffffffc01b50fac0] __lock_page at ffffff80081b11e8 + +crash-arm64> bt 10349 +PID: 10349 TASK: ffffffc018b83080 CPU: 1 COMMAND: "BUGLY_ASYNC_UPL" +>> #3 [ffffffc01f8cfa40] rwsem_down_read_failed at ffffff8008a93afc + PC: 00000033 LR: 00000000 SP: 00000000 PSTATE: ffffffffffffffff + +crash-arm64> bt 9709 +PID: 9709 TASK: ffffffc03e7f3080 CPU: 1 COMMAND: "IntentService[A" +>> #3 [ffffffc001e67850] rwsem_down_read_failed at ffffff8008a93afc +>> #8 [ffffffc001e67b80] el1_ia at ffffff8008084fc4 + PC: ffffff8008274114 [compat_filldir64+120] + LR: ffffff80083584d4 [f2fs_fill_dentries+448] + SP: ffffffc001e67b80 PSTATE: 80400145 + X29: ffffffc001e67b80 X28: 0000000000000000 X27: 000000000000001a + X26: 00000000000093d7 X25: ffffffc070d52480 X24: 0000000000000008 + X23: 0000000000000028 X22: 00000000d43dfd60 X21: ffffffc001e67e90 + X20: 0000000000000011 X19: ffffff80093a4000 X18: 0000000000000000 + X17: 0000000000000000 X16: 0000000000000000 X15: 0000000000000000 + X14: ffffffffffffffff X13: 0000000000000008 X12: 0101010101010101 + X11: 7f7f7f7f7f7f7f7f X10: 6a6a6a6a6a6a6a6a X9: 7f7f7f7f7f7f7f7f + X8: 0000000080808000 X7: ffffff800827409c X6: 0000000080808000 + X5: 0000000000000008 X4: 00000000000093d7 X3: 000000000000001a + X2: 0000000000000011 X1: ffffffc070d52480 X0: 0000000000800238 +>> #9 [ffffffc001e67be0] f2fs_fill_dentries at ffffff80083584d0 + PC: 0000003c LR: 00000000 SP: 00000000 PSTATE: 000000d9 + X12: f48a02ff X11: d4678960 X10: d43dfc00 X9: d4678ae4 + X8: 00000058 X7: d4678994 X6: d43de800 X5: 000000d9 + X4: d43dfc0c X3: d43dfc10 X2: d46799c8 X1: 00000000 + X0: 00001068 + +Below potential deadlock will happen between three threads: +Thread A Thread B Thread C +- f2fs_do_sync_file + - f2fs_write_checkpoint + - down_write(&sbi->node_change) -- 1) + - do_page_fault + - down_write(&mm->mmap_sem) -- 2) + - do_wp_page + - f2fs_vm_page_mkwrite + - getdents64 + - f2fs_read_inline_dir + - lock_page -- 3) + - f2fs_sync_node_pages + - lock_page -- 3) + - __do_map_lock + - down_read(&sbi->node_change) -- 1) + - f2fs_fill_dentries + - dir_emit + - compat_filldir64 + - do_page_fault + - down_read(&mm->mmap_sem) -- 2) + +Since f2fs_readdir is protected by inode.i_rwsem, there should not be +any updates in inode page, we're safe to lookup dents in inode page +without its lock held, so taking off the lock to improve concurrency +of readdir and avoid potential deadlock. + +Reported-by: Jiqun Li +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/inline.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/fs/f2fs/inline.c b/fs/f2fs/inline.c +index d636cbcf68f2..aacbb864ec1e 100644 +--- a/fs/f2fs/inline.c ++++ b/fs/f2fs/inline.c +@@ -659,6 +659,12 @@ int f2fs_read_inline_dir(struct file *file, struct dir_context *ctx, + if (IS_ERR(ipage)) + return PTR_ERR(ipage); + ++ /* ++ * f2fs_readdir was protected by inode.i_rwsem, it is safe to access ++ * ipage without page's lock held. ++ */ ++ unlock_page(ipage); ++ + inline_dentry = inline_data_addr(inode, ipage); + + make_dentry_ptr_inline(inode, &d, inline_dentry); +@@ -667,7 +673,7 @@ int f2fs_read_inline_dir(struct file *file, struct dir_context *ctx, + if (!err) + ctx->pos = d.max; + +- f2fs_put_page(ipage, 1); ++ f2fs_put_page(ipage, 0); + return err < 0 ? err : 0; + } + +-- +2.19.1 + diff --git a/queue-5.0/f2fs-fix-to-check-inline_xattr_size-boundary-correct.patch b/queue-5.0/f2fs-fix-to-check-inline_xattr_size-boundary-correct.patch new file mode 100644 index 00000000000..e20d8af2d97 --- /dev/null +++ b/queue-5.0/f2fs-fix-to-check-inline_xattr_size-boundary-correct.patch @@ -0,0 +1,111 @@ +From 08f2547cafc1fe78720538ad85baa0d142486eb7 Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Fri, 15 Feb 2019 00:08:25 +0800 +Subject: f2fs: fix to check inline_xattr_size boundary correctly + +[ Upstream commit 500e0b28ecd3c5aade98f3c3a339d18dcb166bb6 ] + +We use below condition to check inline_xattr_size boundary: + + if (!F2FS_OPTION(sbi).inline_xattr_size || + F2FS_OPTION(sbi).inline_xattr_size >= + DEF_ADDRS_PER_INODE - + F2FS_TOTAL_EXTRA_ATTR_SIZE - + DEF_INLINE_RESERVED_SIZE - + DEF_MIN_INLINE_SIZE) + +There is there problems in that check: +- we should allow inline_xattr_size equaling to min size of inline +{data,dentry} area. +- F2FS_TOTAL_EXTRA_ATTR_SIZE and inline_xattr_size are based on +different size unit, previous one is 4 bytes, latter one is 1 bytes. +- DEF_MIN_INLINE_SIZE only indicate min size of inline data area, +however, we need to consider min size of inline dentry area as well, +minimal inline dentry should at least contain two entries: '.' and +'..', so that min inline_dentry size is 40 bytes. + +.bitmap 1 * 1 = 1 +.reserved 1 * 1 = 1 +.dentry 11 * 2 = 22 +.filename 8 * 2 = 16 +total 40 + +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/f2fs.h | 1 - + fs/f2fs/super.c | 13 +++++++------ + include/linux/f2fs_fs.h | 13 +++++++------ + 3 files changed, 14 insertions(+), 13 deletions(-) + +diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h +index 12fabd6735dd..279bc00489cc 100644 +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -456,7 +456,6 @@ struct f2fs_flush_device { + + /* for inline stuff */ + #define DEF_INLINE_RESERVED_SIZE 1 +-#define DEF_MIN_INLINE_SIZE 1 + static inline int get_extra_isize(struct inode *inode); + static inline int get_inline_xattr_addrs(struct inode *inode); + #define MAX_INLINE_DATA(inode) (sizeof(__le32) * \ +diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c +index 93d7427d8883..5892fa3c885f 100644 +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -834,12 +834,13 @@ static int parse_options(struct super_block *sb, char *options) + "set with inline_xattr option"); + return -EINVAL; + } +- if (!F2FS_OPTION(sbi).inline_xattr_size || +- F2FS_OPTION(sbi).inline_xattr_size >= +- DEF_ADDRS_PER_INODE - +- F2FS_TOTAL_EXTRA_ATTR_SIZE - +- DEF_INLINE_RESERVED_SIZE - +- DEF_MIN_INLINE_SIZE) { ++ if (F2FS_OPTION(sbi).inline_xattr_size < ++ sizeof(struct f2fs_xattr_header) / sizeof(__le32) || ++ F2FS_OPTION(sbi).inline_xattr_size > ++ DEF_ADDRS_PER_INODE - ++ F2FS_TOTAL_EXTRA_ATTR_SIZE / sizeof(__le32) - ++ DEF_INLINE_RESERVED_SIZE - ++ MIN_INLINE_DENTRY_SIZE / sizeof(__le32)) { + f2fs_msg(sb, KERN_ERR, + "inline xattr size is out of range"); + return -EINVAL; +diff --git a/include/linux/f2fs_fs.h b/include/linux/f2fs_fs.h +index d7711048ef93..c524ad7d31da 100644 +--- a/include/linux/f2fs_fs.h ++++ b/include/linux/f2fs_fs.h +@@ -489,12 +489,12 @@ typedef __le32 f2fs_hash_t; + + /* + * space utilization of regular dentry and inline dentry (w/o extra reservation) +- * regular dentry inline dentry +- * bitmap 1 * 27 = 27 1 * 23 = 23 +- * reserved 1 * 3 = 3 1 * 7 = 7 +- * dentry 11 * 214 = 2354 11 * 182 = 2002 +- * filename 8 * 214 = 1712 8 * 182 = 1456 +- * total 4096 3488 ++ * regular dentry inline dentry (def) inline dentry (min) ++ * bitmap 1 * 27 = 27 1 * 23 = 23 1 * 1 = 1 ++ * reserved 1 * 3 = 3 1 * 7 = 7 1 * 1 = 1 ++ * dentry 11 * 214 = 2354 11 * 182 = 2002 11 * 2 = 22 ++ * filename 8 * 214 = 1712 8 * 182 = 1456 8 * 2 = 16 ++ * total 4096 3488 40 + * + * Note: there are more reserved space in inline dentry than in regular + * dentry, when converting inline dentry we should handle this carefully. +@@ -506,6 +506,7 @@ typedef __le32 f2fs_hash_t; + #define SIZE_OF_RESERVED (PAGE_SIZE - ((SIZE_OF_DIR_ENTRY + \ + F2FS_SLOT_LEN) * \ + NR_DENTRY_IN_BLOCK + SIZE_OF_DENTRY_BITMAP)) ++#define MIN_INLINE_DENTRY_SIZE 40 /* just include '.' and '..' entries */ + + /* One directory entry slot representing F2FS_SLOT_LEN-sized file name */ + struct f2fs_dir_entry { +-- +2.19.1 + diff --git a/queue-5.0/f2fs-fix-to-data-block-override-node-segment-by-mist.patch b/queue-5.0/f2fs-fix-to-data-block-override-node-segment-by-mist.patch new file mode 100644 index 00000000000..38231fa2fe5 --- /dev/null +++ b/queue-5.0/f2fs-fix-to-data-block-override-node-segment-by-mist.patch @@ -0,0 +1,67 @@ +From f22ff541a11ffc6c525020014689054fe7d662d1 Mon Sep 17 00:00:00 2001 +From: zhengliang +Date: Mon, 4 Mar 2019 09:32:25 +0800 +Subject: f2fs: fix to data block override node segment by mistake + +[ Upstream commit a0770e13c8da83bdb64738c0209ab02dd3cfff8b ] + +v4: Rearrange the previous three versions. + +The following scenario could lead to data block override by mistake. + +TASK A | TASK kworker | TASK B | TASK C + | | | +open | | | +write | | | +close | | | + | f2fs_write_data_pages | | + | f2fs_write_cache_pages | | + | f2fs_outplace_write_data | | + | f2fs_allocate_data_block (get block in seg S, | | + | S is full, and only | | + | have this valid data | | + | block) | | + | allocate_segment | | + | locate_dirty_segment (mark S as PRE) | | + | f2fs_submit_page_write (submit but is not | | + | written on dev) | | +unlink | | | + iput_final | | | + f2fs_drop_inode | | | + f2fs_truncate | | | + (not evict) | | | + | | write_checkpoint | + | | flush merged bio but not wait file data writeback | + | | set_prefree_as_free (mark S as FREE) | + | | | update NODE/DATA + | | | allocate_segment (select S) + | writeback done | | + +So we need to guarantee io complete before truncate inode in f2fs_drop_inode. + +Reviewed-by: Chao Yu +Signed-off-by: Zheng Liang +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/super.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c +index c46a1d4318d4..93d7427d8883 100644 +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -915,6 +915,10 @@ static int f2fs_drop_inode(struct inode *inode) + sb_start_intwrite(inode->i_sb); + f2fs_i_size_write(inode, 0); + ++ f2fs_submit_merged_write_cond(F2FS_I_SB(inode), ++ inode, NULL, 0, DATA); ++ truncate_inode_pages_final(inode->i_mapping); ++ + if (F2FS_HAS_BLOCKS(inode)) + f2fs_truncate(inode); + +-- +2.19.1 + diff --git a/queue-5.0/f2fs-fix-to-initialize-variable-to-avoid-ubsan-smatc.patch b/queue-5.0/f2fs-fix-to-initialize-variable-to-avoid-ubsan-smatc.patch new file mode 100644 index 00000000000..14594f2209a --- /dev/null +++ b/queue-5.0/f2fs-fix-to-initialize-variable-to-avoid-ubsan-smatc.patch @@ -0,0 +1,99 @@ +From 2101219ae798647ee9f56865ceb4effc4286aa49 Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Wed, 16 Jan 2019 09:51:28 +0800 +Subject: f2fs: fix to initialize variable to avoid UBSAN/smatch warning + +[ Upstream commit f9aa52a8cbe09fe25244d59c29660bbe635df613 ] + +As Dan Carpenter as below: + +The patch df634f444ee9: "f2fs: use rb_*_cached friends" from Oct 4, +2018, leads to the following static checker warning: + + fs/f2fs/extent_cache.c:606 f2fs_update_extent_tree_range() + error: uninitialized symbol 'leftmost'. + +And also Eric Biggers, and Kyungtae Kim reported, there is an UBSAN +warning described as below: + +We report a bug in linux-4.20.2: "UBSAN: Undefined behaviour in +fs/f2fs/extent_cache.c" + +kernel config: https://kt0755.github.io/etc/config_v4.20_stable +repro: https://kt0755.github.io/etc/repro.4a3e7.c (f2fs is mounted on +/mnt/f2fs/) + +This arose in f2fs_update_extent_tree_range (fs/f2fs/extent_cache.c:605). +It seems that, for some reason, its last argument became "24" +although that was supposed to be bool type. + +========================================= +UBSAN: Undefined behaviour in fs/f2fs/extent_cache.c:605:4 +load of value 24 is not a valid value for type '_Bool' +CPU: 0 PID: 6774 Comm: syz-executor5 Not tainted 4.20.2 #1 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0xb1/0x118 lib/dump_stack.c:113 + ubsan_epilogue+0x12/0x94 lib/ubsan.c:159 + __ubsan_handle_load_invalid_value+0x17a/0x1be lib/ubsan.c:457 + f2fs_update_extent_tree_range+0x1d4a/0x1d50 fs/f2fs/extent_cache.c:605 + f2fs_update_extent_cache+0x2b6/0x350 fs/f2fs/extent_cache.c:804 + f2fs_update_data_blkaddr+0x61/0x70 fs/f2fs/data.c:656 + f2fs_outplace_write_data+0x1d6/0x4b0 fs/f2fs/segment.c:3140 + f2fs_convert_inline_page+0x86d/0x2060 fs/f2fs/inline.c:163 + f2fs_convert_inline_inode+0x6b5/0xad0 fs/f2fs/inline.c:208 + f2fs_preallocate_blocks+0x78b/0xb00 fs/f2fs/data.c:982 + f2fs_file_write_iter+0x31b/0xf40 fs/f2fs/file.c:3062 + call_write_iter include/linux/fs.h:1857 [inline] + new_sync_write fs/read_write.c:474 [inline] + __vfs_write+0x538/0x6e0 fs/read_write.c:487 + vfs_write+0x1b3/0x520 fs/read_write.c:549 + ksys_write+0xde/0x1c0 fs/read_write.c:598 + __do_sys_write fs/read_write.c:610 [inline] + __se_sys_write fs/read_write.c:607 [inline] + __x64_sys_write+0x7e/0xc0 fs/read_write.c:607 + do_syscall_64+0xbe/0x4f0 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x4497b9 +Code: e8 8c 9f 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 +89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d +01 f0 ff ff 0f 83 9b 6b fc ff c3 66 2e 0f 1f 84 00 00 00 00 +RSP: 002b:00007f1ea15edc68 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 +RAX: ffffffffffffffda RBX: 00007f1ea15ee6cc RCX: 00000000004497b9 +RDX: 0000000000001000 RSI: 0000000020000140 RDI: 0000000000000013 +RBP: 000000000071bea0 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff +R13: 000000000000bb50 R14: 00000000006f4bf0 R15: 00007f1ea15ee700 +========================================= + +As I checked, this uninitialized variable won't cause extent cache +corruption, but in order to avoid such kind of warning of both UBSAN +and smatch, fix to initialize related variable. + +Reported-by: Dan Carpenter +Reported-by: Eric Biggers +Reported-by: Kyungtae Kim +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/extent_cache.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/f2fs/extent_cache.c b/fs/f2fs/extent_cache.c +index 1cb0fcc67d2d..caf77fe8ac07 100644 +--- a/fs/f2fs/extent_cache.c ++++ b/fs/f2fs/extent_cache.c +@@ -506,7 +506,7 @@ static void f2fs_update_extent_tree_range(struct inode *inode, + unsigned int end = fofs + len; + unsigned int pos = (unsigned int)fofs; + bool updated = false; +- bool leftmost; ++ bool leftmost = false; + + if (!et) + return; +-- +2.19.1 + diff --git a/queue-5.0/f2fs-ubsan-set-boolean-value-iostat_enable-correctly.patch b/queue-5.0/f2fs-ubsan-set-boolean-value-iostat_enable-correctly.patch new file mode 100644 index 00000000000..75f810b7dcf --- /dev/null +++ b/queue-5.0/f2fs-ubsan-set-boolean-value-iostat_enable-correctly.patch @@ -0,0 +1,72 @@ +From 037ac8078ea089774c7f5fb41e083ad6a37c606b Mon Sep 17 00:00:00 2001 +From: Sheng Yong +Date: Tue, 15 Jan 2019 20:02:15 +0000 +Subject: f2fs: UBSAN: set boolean value iostat_enable correctly + +[ Upstream commit ac92985864e187a1735502f6a02f54eaa655b2aa ] + +When setting /sys/fs/f2fs//iostat_enable with non-bool value, UBSAN +reports the following warning. + +[ 7562.295484] ================================================================================ +[ 7562.296531] UBSAN: Undefined behaviour in fs/f2fs/f2fs.h:2776:10 +[ 7562.297651] load of value 64 is not a valid value for type '_Bool' +[ 7562.298642] CPU: 1 PID: 7487 Comm: dd Not tainted 4.20.0-rc4+ #79 +[ 7562.298653] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006 +[ 7562.298662] Call Trace: +[ 7562.298760] dump_stack+0x46/0x5b +[ 7562.298811] ubsan_epilogue+0x9/0x40 +[ 7562.298830] __ubsan_handle_load_invalid_value+0x72/0x90 +[ 7562.298863] f2fs_file_write_iter+0x29f/0x3f0 +[ 7562.298905] __vfs_write+0x115/0x160 +[ 7562.298922] vfs_write+0xa7/0x190 +[ 7562.298934] ksys_write+0x50/0xc0 +[ 7562.298973] do_syscall_64+0x4a/0xe0 +[ 7562.298992] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 7562.299001] RIP: 0033:0x7fa45ec19c00 +[ 7562.299004] Code: 73 01 c3 48 8b 0d 88 92 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d dd eb 2c 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 ce 8f 01 00 48 89 04 24 +[ 7562.299044] RSP: 002b:00007ffca52b49e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 +[ 7562.299052] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa45ec19c00 +[ 7562.299059] RDX: 0000000000000400 RSI: 000000000093f000 RDI: 0000000000000001 +[ 7562.299065] RBP: 000000000093f000 R08: 0000000000000004 R09: 0000000000000000 +[ 7562.299071] R10: 00007ffca52b47b0 R11: 0000000000000246 R12: 0000000000000400 +[ 7562.299077] R13: 000000000093f000 R14: 000000000093f400 R15: 0000000000000000 +[ 7562.299091] ================================================================================ + +So, if iostat_enable is enabled, set its value as true. + +Signed-off-by: Sheng Yong +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/sysfs.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/fs/f2fs/sysfs.c b/fs/f2fs/sysfs.c +index 0575edbe3ed6..f1ab9000b294 100644 +--- a/fs/f2fs/sysfs.c ++++ b/fs/f2fs/sysfs.c +@@ -278,10 +278,16 @@ out: + return count; + } + +- *ui = t; + +- if (!strcmp(a->attr.name, "iostat_enable") && *ui == 0) +- f2fs_reset_iostat(sbi); ++ if (!strcmp(a->attr.name, "iostat_enable")) { ++ sbi->iostat_enable = !!t; ++ if (!sbi->iostat_enable) ++ f2fs_reset_iostat(sbi); ++ return count; ++ } ++ ++ *ui = (unsigned int)t; ++ + return count; + } + +-- +2.19.1 + diff --git a/queue-5.0/fbdev-fbmem-fix-memory-access-if-logo-is-bigger-than.patch b/queue-5.0/fbdev-fbmem-fix-memory-access-if-logo-is-bigger-than.patch new file mode 100644 index 00000000000..77bd5c3d367 --- /dev/null +++ b/queue-5.0/fbdev-fbmem-fix-memory-access-if-logo-is-bigger-than.patch @@ -0,0 +1,52 @@ +From 45dc668cf062f42ef823ce7c60d0211f3c055eeb Mon Sep 17 00:00:00 2001 +From: Manfred Schlaegl +Date: Fri, 8 Feb 2019 19:24:47 +0100 +Subject: fbdev: fbmem: fix memory access if logo is bigger than the screen + +[ Upstream commit a5399db139cb3ad9b8502d8b1bd02da9ce0b9df0 ] + +There is no clipping on the x or y axis for logos larger that the framebuffer +size. Therefore: a logo bigger than screen size leads to invalid memory access: + +[ 1.254664] Backtrace: +[ 1.254728] [] (cfb_imageblit) from [] (fb_show_logo+0x620/0x684) +[ 1.254763] r10:00000003 r9:00027fd8 r8:c6a40000 r7:c6a36e50 r6:00000000 r5:c06b81e4 +[ 1.254774] r4:c6a3e800 +[ 1.254810] [] (fb_show_logo) from [] (fbcon_switch+0x3fc/0x46c) +[ 1.254842] r10:c6a3e824 r9:c6a3e800 r8:00000000 r7:c6a0c000 r6:c070b014 r5:c6a3e800 +[ 1.254852] r4:c6808c00 +[ 1.254889] [] (fbcon_switch) from [] (redraw_screen+0xf0/0x1e8) +[ 1.254918] r10:00000000 r9:00000000 r8:00000000 r7:00000000 r6:c070d5a0 r5:00000080 +[ 1.254928] r4:c6808c00 +[ 1.254961] [] (redraw_screen) from [] (do_bind_con_driver+0x194/0x2e4) +[ 1.254991] r9:00000000 r8:00000000 r7:00000014 r6:c070d5a0 r5:c070d5a0 r4:c070d5a0 + +So prevent displaying a logo bigger than screen size and avoid invalid +memory access. + +Signed-off-by: Manfred Schlaegl +Signed-off-by: Martin Kepplinger +Cc: Daniel Vetter +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/core/fbmem.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c +index cb43a2258c51..4721491e6c8c 100644 +--- a/drivers/video/fbdev/core/fbmem.c ++++ b/drivers/video/fbdev/core/fbmem.c +@@ -431,6 +431,9 @@ static void fb_do_show_logo(struct fb_info *info, struct fb_image *image, + { + unsigned int x; + ++ if (image->width > info->var.xres || image->height > info->var.yres) ++ return; ++ + if (rotate == FB_ROTATE_UR) { + for (x = 0; + x < num && image->dx + image->width <= info->var.xres; +-- +2.19.1 + diff --git a/queue-5.0/fs-file.c-initialize-init_files.resize_wait.patch b/queue-5.0/fs-file.c-initialize-init_files.resize_wait.patch new file mode 100644 index 00000000000..5f55988dd1b --- /dev/null +++ b/queue-5.0/fs-file.c-initialize-init_files.resize_wait.patch @@ -0,0 +1,80 @@ +From 4462275e8178d58f09a690cc1782538f84c14419 Mon Sep 17 00:00:00 2001 +From: Shuriyc Chu +Date: Tue, 5 Mar 2019 15:41:56 -0800 +Subject: fs/file.c: initialize init_files.resize_wait + +[ Upstream commit 5704a06810682683355624923547b41540e2801a ] + +(Taken from https://bugzilla.kernel.org/show_bug.cgi?id=200647) + +'get_unused_fd_flags' in kthread cause kernel crash. It works fine on +4.1, but causes crash after get 64 fds. It also cause crash on +ubuntu1404/1604/1804, centos7.5, and the crash messages are almost the +same. + +The crash message on centos7.5 shows below: + + start fd 61 + start fd 62 + start fd 63 + BUG: unable to handle kernel NULL pointer dereference at (null) + IP: __wake_up_common+0x2e/0x90 + PGD 0 + Oops: 0000 [#1] SMP + Modules linked in: test(OE) xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ipt_REJECT nf_reject_ipv4 tun bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter devlink sunrpc kvm_intel kvm irqbypass crc32_pclmul ghash_clmulni_intel aesni_intel lrw gf128mul glue_helper ablk_helper cryptd sg ppdev pcspkr virtio_balloon parport_pc parport i2c_piix4 joydev ip_tables xfs libcrc32c sr_mod cdrom sd_mod crc_t10dif crct10dif_generic ata_generic pata_acpi virtio_scsi virtio_console virtio_net cirrus drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm crct10dif_pclmul crct10dif_common crc32c_intel drm ata_piix serio_raw libata virtio_pci virtio_ring i2c_core + virtio floppy dm_mirror dm_region_hash dm_log dm_mod + CPU: 2 PID: 1820 Comm: test_fd Kdump: loaded Tainted: G OE ------------ 3.10.0-862.3.3.el7.x86_64 #1 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.10.2-0-g5f4c7b1-prebuilt.qemu-project.org 04/01/2014 + task: ffff8e92b9431fa0 ti: ffff8e94247a0000 task.ti: ffff8e94247a0000 + RIP: 0010:__wake_up_common+0x2e/0x90 + RSP: 0018:ffff8e94247a2d18 EFLAGS: 00010086 + RAX: 0000000000000000 RBX: ffffffff9d09daa0 RCX: 0000000000000000 + RDX: 0000000000000000 RSI: 0000000000000003 RDI: ffffffff9d09daa0 + RBP: ffff8e94247a2d50 R08: 0000000000000000 R09: ffff8e92b95dfda8 + R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff9d09daa8 + R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000000003 + FS: 0000000000000000(0000) GS:ffff8e9434e80000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000000 CR3: 000000017c686000 CR4: 00000000000207e0 + Call Trace: + __wake_up+0x39/0x50 + expand_files+0x131/0x250 + __alloc_fd+0x47/0x170 + get_unused_fd_flags+0x30/0x40 + test_fd+0x12a/0x1c0 [test] + kthread+0xd1/0xe0 + ret_from_fork_nospec_begin+0x21/0x21 + Code: 66 90 55 48 89 e5 41 57 41 89 f7 41 56 41 89 ce 41 55 41 54 49 89 fc 49 83 c4 08 53 48 83 ec 10 48 8b 47 08 89 55 cc 4c 89 45 d0 <48> 8b 08 49 39 c4 48 8d 78 e8 4c 8d 69 e8 75 08 eb 3b 4c 89 ef + RIP __wake_up_common+0x2e/0x90 + RSP + CR2: 0000000000000000 + +This issue exists since CentOS 7.5 3.10.0-862 and CentOS 7.4 +(3.10.0-693.21.1 ) is ok. Root cause: the item 'resize_wait' is not +initialized before being used. + +Reported-by: Richard Zhang +Reviewed-by: Andrew Morton +Cc: Al Viro +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/file.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/file.c b/fs/file.c +index 3209ee271c41..a10487aa0a84 100644 +--- a/fs/file.c ++++ b/fs/file.c +@@ -457,6 +457,7 @@ struct files_struct init_files = { + .full_fds_bits = init_files.full_fds_bits_init, + }, + .file_lock = __SPIN_LOCK_UNLOCKED(init_files.file_lock), ++ .resize_wait = __WAIT_QUEUE_HEAD_INITIALIZER(init_files.resize_wait), + }; + + static unsigned int find_next_fd(struct fdtable *fdt, unsigned int start) +-- +2.19.1 + diff --git a/queue-5.0/fs-fix-guard_bio_eod-to-check-for-real-eod-errors.patch b/queue-5.0/fs-fix-guard_bio_eod-to-check-for-real-eod-errors.patch new file mode 100644 index 00000000000..d67989ddea8 --- /dev/null +++ b/queue-5.0/fs-fix-guard_bio_eod-to-check-for-real-eod-errors.patch @@ -0,0 +1,79 @@ +From a793ab272806e33ed53c9385b3adc78d79e2db32 Mon Sep 17 00:00:00 2001 +From: Carlos Maiolino +Date: Tue, 26 Feb 2019 11:51:50 +0100 +Subject: fs: fix guard_bio_eod to check for real EOD errors + +[ Upstream commit dce30ca9e3b676fb288c33c1f4725a0621361185 ] + +guard_bio_eod() can truncate a segment in bio to allow it to do IO on +odd last sectors of a device. + +It already checks if the IO starts past EOD, but it does not consider +the possibility of an IO request starting within device boundaries can +contain more than one segment past EOD. + +In such cases, truncated_bytes can be bigger than PAGE_SIZE, and will +underflow bvec->bv_len. + +Fix this by checking if truncated_bytes is lower than PAGE_SIZE. + +This situation has been found on filesystems such as isofs and vfat, +which doesn't check the device size before mount, if the device is +smaller than the filesystem itself, a readahead on such filesystem, +which spans EOD, can trigger this situation, leading a call to +zero_user() with a wrong size possibly corrupting memory. + +I didn't see any crash, or didn't let the system run long enough to +check if memory corruption will be hit somewhere, but adding +instrumentation to guard_bio_end() to check truncated_bytes size, was +enough to see the error. + +The following script can trigger the error. + +MNT=/mnt +IMG=./DISK.img +DEV=/dev/loop0 + +mkfs.vfat $IMG +mount $IMG $MNT +cp -R /etc $MNT &> /dev/null +umount $MNT + +losetup -D + +losetup --find --show --sizelimit 16247280 $IMG +mount $DEV $MNT + +find $MNT -type f -exec cat {} + >/dev/null + +Kudos to Eric Sandeen for coming up with the reproducer above + +Reviewed-by: Ming Lei +Signed-off-by: Carlos Maiolino +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + fs/buffer.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/fs/buffer.c b/fs/buffer.c +index 48318fb74938..cab7a026876b 100644 +--- a/fs/buffer.c ++++ b/fs/buffer.c +@@ -3027,6 +3027,13 @@ void guard_bio_eod(int op, struct bio *bio) + /* Uhhuh. We've got a bio that straddles the device size! */ + truncated_bytes = bio->bi_iter.bi_size - (maxsector << 9); + ++ /* ++ * The bio contains more than one segment which spans EOD, just return ++ * and let IO layer turn it into an EIO ++ */ ++ if (truncated_bytes > bvec->bv_len) ++ return; ++ + /* Truncate the bio.. */ + bio->bi_iter.bi_size -= truncated_bytes; + bvec->bv_len -= truncated_bytes; +-- +2.19.1 + diff --git a/queue-5.0/fs-make-splice-and-tee-take-into-account-o_nonblock-.patch b/queue-5.0/fs-make-splice-and-tee-take-into-account-o_nonblock-.patch new file mode 100644 index 00000000000..112407f8290 --- /dev/null +++ b/queue-5.0/fs-make-splice-and-tee-take-into-account-o_nonblock-.patch @@ -0,0 +1,99 @@ +From 2f05bd7c870433744b96e7322f84bf3979ff1cd8 Mon Sep 17 00:00:00 2001 +From: Slavomir Kaslev +Date: Thu, 7 Feb 2019 17:45:19 +0200 +Subject: fs: Make splice() and tee() take into account O_NONBLOCK flag on + pipes + +[ Upstream commit ee5e001196d1345b8fee25925ff5f1d67936081e ] + +The current implementation of splice() and tee() ignores O_NONBLOCK set +on pipe file descriptors and checks only the SPLICE_F_NONBLOCK flag for +blocking on pipe arguments. This is inconsistent since splice()-ing +from/to non-pipe file descriptors does take O_NONBLOCK into +consideration. + +Fix this by promoting O_NONBLOCK, when set on a pipe, to +SPLICE_F_NONBLOCK. + +Some context for how the current implementation of splice() leads to +inconsistent behavior. In the ongoing work[1] to add VM tracing +capability to trace-cmd we stream tracing data over named FIFOs or +vsockets from guests back to the host. + +When we receive SIGINT from user to stop tracing, we set O_NONBLOCK on +the input file descriptor and set SPLICE_F_NONBLOCK for the next call to +splice(). If splice() was blocked waiting on data from the input FIFO, +after SIGINT splice() restarts with the same arguments (no +SPLICE_F_NONBLOCK) and blocks again instead of returning -EAGAIN when no +data is available. + +This differs from the splice() behavior when reading from a vsocket or +when we're doing a traditional read()/write() loop (trace-cmd's +--nosplice argument). + +With this patch applied we get the same behavior in all situations after +setting O_NONBLOCK which also matches the behavior of doing a +read()/write() loop instead of splice(). + +This change does have potential of breaking users who don't expect +EAGAIN from splice() when SPLICE_F_NONBLOCK is not set. OTOH programs +that set O_NONBLOCK and don't anticipate EAGAIN are arguably buggy[2]. + + [1] https://github.com/skaslev/trace-cmd/tree/vsock + [2] https://github.com/torvalds/linux/blob/d47e3da1759230e394096fd742aad423c291ba48/fs/read_write.c#L1425 + +Signed-off-by: Slavomir Kaslev +Reviewed-by: Steven Rostedt (VMware) +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/splice.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/fs/splice.c b/fs/splice.c +index 90c29675d573..f568273ac336 100644 +--- a/fs/splice.c ++++ b/fs/splice.c +@@ -1123,6 +1123,9 @@ static long do_splice(struct file *in, loff_t __user *off_in, + if (ipipe == opipe) + return -EINVAL; + ++ if ((in->f_flags | out->f_flags) & O_NONBLOCK) ++ flags |= SPLICE_F_NONBLOCK; ++ + return splice_pipe_to_pipe(ipipe, opipe, len, flags); + } + +@@ -1148,6 +1151,9 @@ static long do_splice(struct file *in, loff_t __user *off_in, + if (unlikely(ret < 0)) + return ret; + ++ if (in->f_flags & O_NONBLOCK) ++ flags |= SPLICE_F_NONBLOCK; ++ + file_start_write(out); + ret = do_splice_from(ipipe, out, &offset, len, flags); + file_end_write(out); +@@ -1172,6 +1178,9 @@ static long do_splice(struct file *in, loff_t __user *off_in, + offset = in->f_pos; + } + ++ if (out->f_flags & O_NONBLOCK) ++ flags |= SPLICE_F_NONBLOCK; ++ + pipe_lock(opipe); + ret = wait_for_space(opipe, flags); + if (!ret) +@@ -1721,6 +1730,9 @@ static long do_tee(struct file *in, struct file *out, size_t len, + * copying the data. + */ + if (ipipe && opipe && ipipe != opipe) { ++ if ((in->f_flags | out->f_flags) & O_NONBLOCK) ++ flags |= SPLICE_F_NONBLOCK; ++ + /* + * Keep going, unless we encounter an error. The ipipe/opipe + * ordering doesn't really matter. +-- +2.19.1 + diff --git a/queue-5.0/genirq-avoid-summation-loops-for-proc-stat.patch b/queue-5.0/genirq-avoid-summation-loops-for-proc-stat.patch new file mode 100644 index 00000000000..eec11abc0b1 --- /dev/null +++ b/queue-5.0/genirq-avoid-summation-loops-for-proc-stat.patch @@ -0,0 +1,156 @@ +From 34c7fd94c8b6cb6174a920066bb43bae788ad593 Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Fri, 8 Feb 2019 14:48:03 +0100 +Subject: genirq: Avoid summation loops for /proc/stat + +[ Upstream commit 1136b0728969901a091f0471968b2b76ed14d9ad ] + +Waiman reported that on large systems with a large amount of interrupts the +readout of /proc/stat takes a long time to sum up the interrupt +statistics. In principle this is not a problem. but for unknown reasons +some enterprise quality software reads /proc/stat with a high frequency. + +The reason for this is that interrupt statistics are accounted per cpu. So +the /proc/stat logic has to sum up the interrupt stats for each interrupt. + +This can be largely avoided for interrupts which are not marked as +'PER_CPU' interrupts by simply adding a per interrupt summation counter +which is incremented along with the per interrupt per cpu counter. + +The PER_CPU interrupts need to avoid that and use only per cpu accounting +because they share the interrupt number and the interrupt descriptor and +concurrent updates would conflict or require unwanted synchronization. + +Reported-by: Waiman Long +Signed-off-by: Thomas Gleixner +Reviewed-by: Waiman Long +Reviewed-by: Marc Zyngier +Reviewed-by: Davidlohr Bueso +Cc: Matthew Wilcox +Cc: Andrew Morton +Cc: Alexey Dobriyan +Cc: Kees Cook +Cc: linux-fsdevel@vger.kernel.org +Cc: Davidlohr Bueso +Cc: Miklos Szeredi +Cc: Daniel Colascione +Cc: Dave Chinner +Cc: Randy Dunlap +Link: https://lkml.kernel.org/r/20190208135020.925487496@linutronix.de + +8<------------- + +v2: Undo the unintentional layout change of struct irq_desc. + + include/linux/irqdesc.h | 1 + + kernel/irq/chip.c | 12 ++++++++++-- + kernel/irq/internals.h | 8 +++++++- + kernel/irq/irqdesc.c | 7 ++++++- + 4 files changed, 24 insertions(+), 4 deletions(-) + +Signed-off-by: Sasha Levin +--- + include/linux/irqdesc.h | 1 + + kernel/irq/chip.c | 12 ++++++++++-- + kernel/irq/internals.h | 8 +++++++- + kernel/irq/irqdesc.c | 7 ++++++- + 4 files changed, 24 insertions(+), 4 deletions(-) + +diff --git a/include/linux/irqdesc.h b/include/linux/irqdesc.h +index dd1e40ddac7d..875c41b23f20 100644 +--- a/include/linux/irqdesc.h ++++ b/include/linux/irqdesc.h +@@ -65,6 +65,7 @@ struct irq_desc { + unsigned int core_internal_state__do_not_mess_with_it; + unsigned int depth; /* nested irq disables */ + unsigned int wake_depth; /* nested wake enables */ ++ unsigned int tot_count; + unsigned int irq_count; /* For detecting broken IRQs */ + unsigned long last_unhandled; /* Aging timer for unhandled count */ + unsigned int irqs_unhandled; +diff --git a/kernel/irq/chip.c b/kernel/irq/chip.c +index 34e969069488..e960c4f46ee0 100644 +--- a/kernel/irq/chip.c ++++ b/kernel/irq/chip.c +@@ -855,7 +855,11 @@ void handle_percpu_irq(struct irq_desc *desc) + { + struct irq_chip *chip = irq_desc_get_chip(desc); + +- kstat_incr_irqs_this_cpu(desc); ++ /* ++ * PER CPU interrupts are not serialized. Do not touch ++ * desc->tot_count. ++ */ ++ __kstat_incr_irqs_this_cpu(desc); + + if (chip->irq_ack) + chip->irq_ack(&desc->irq_data); +@@ -884,7 +888,11 @@ void handle_percpu_devid_irq(struct irq_desc *desc) + unsigned int irq = irq_desc_get_irq(desc); + irqreturn_t res; + +- kstat_incr_irqs_this_cpu(desc); ++ /* ++ * PER CPU interrupts are not serialized. Do not touch ++ * desc->tot_count. ++ */ ++ __kstat_incr_irqs_this_cpu(desc); + + if (chip->irq_ack) + chip->irq_ack(&desc->irq_data); +diff --git a/kernel/irq/internals.h b/kernel/irq/internals.h +index ca6afa267070..e74e7eea76cf 100644 +--- a/kernel/irq/internals.h ++++ b/kernel/irq/internals.h +@@ -242,12 +242,18 @@ static inline void irq_state_set_masked(struct irq_desc *desc) + + #undef __irqd_to_state + +-static inline void kstat_incr_irqs_this_cpu(struct irq_desc *desc) ++static inline void __kstat_incr_irqs_this_cpu(struct irq_desc *desc) + { + __this_cpu_inc(*desc->kstat_irqs); + __this_cpu_inc(kstat.irqs_sum); + } + ++static inline void kstat_incr_irqs_this_cpu(struct irq_desc *desc) ++{ ++ __kstat_incr_irqs_this_cpu(desc); ++ desc->tot_count++; ++} ++ + static inline int irq_desc_get_node(struct irq_desc *desc) + { + return irq_common_data_get_node(&desc->irq_common_data); +diff --git a/kernel/irq/irqdesc.c b/kernel/irq/irqdesc.c +index ef8ad36cadcf..84fa255d0329 100644 +--- a/kernel/irq/irqdesc.c ++++ b/kernel/irq/irqdesc.c +@@ -119,6 +119,7 @@ static void desc_set_defaults(unsigned int irq, struct irq_desc *desc, int node, + desc->depth = 1; + desc->irq_count = 0; + desc->irqs_unhandled = 0; ++ desc->tot_count = 0; + desc->name = NULL; + desc->owner = owner; + for_each_possible_cpu(cpu) +@@ -919,11 +920,15 @@ unsigned int kstat_irqs_cpu(unsigned int irq, int cpu) + unsigned int kstat_irqs(unsigned int irq) + { + struct irq_desc *desc = irq_to_desc(irq); +- int cpu; + unsigned int sum = 0; ++ int cpu; + + if (!desc || !desc->kstat_irqs) + return 0; ++ if (!irq_settings_is_per_cpu_devid(desc) && ++ !irq_settings_is_per_cpu(desc)) ++ return desc->tot_count; ++ + for_each_possible_cpu(cpu) + sum += *per_cpu_ptr(desc->kstat_irqs, cpu); + return sum; +-- +2.19.1 + diff --git a/queue-5.0/gpio-gpio-omap-fix-level-interrupt-idling.patch b/queue-5.0/gpio-gpio-omap-fix-level-interrupt-idling.patch new file mode 100644 index 00000000000..99cbd477141 --- /dev/null +++ b/queue-5.0/gpio-gpio-omap-fix-level-interrupt-idling.patch @@ -0,0 +1,87 @@ +From d47fa198b6fc0cd0cce3419995c5c8eca8108d9b Mon Sep 17 00:00:00 2001 +From: Russell King +Date: Fri, 1 Mar 2019 11:02:52 -0800 +Subject: gpio: gpio-omap: fix level interrupt idling + +[ Upstream commit d01849f7deba81f4959fd9e51bf20dbf46987d1c ] + +Tony notes that the GPIO module does not idle when level interrupts are +in use, as the wakeup appears to get stuck. + +After extensive investigation, it appears that the wakeup will only be +cleared if the interrupt status register is cleared while the interrupt +is enabled. However, we are currently clearing it with the interrupt +disabled for level-based interrupts. + +It is acknowledged that this observed behaviour conflicts with a +statement in the TRM: + +CAUTION + After servicing the interrupt, the status bit in the interrupt status + register (GPIOi.GPIO_IRQSTATUS_0 or GPIOi.GPIO_IRQSTATUS_1) must be + reset and the interrupt line released (by setting the corresponding + bit of the interrupt status register to 1) before enabling an + interrupt for the GPIO channel in the interrupt-enable register + (GPIOi.GPIO_IRQSTATUS_SET_0 or GPIOi.GPIO_IRQSTATUS_SET_1) to prevent + the occurrence of unexpected interrupts when enabling an interrupt + for the GPIO channel. + +However, this does not appear to be a practical problem. + +Further, as reported by Grygorii Strashko , +the TI Android kernel tree has an earlier similar patch as "GPIO: OMAP: +Fix the sequence to clear the IRQ status" saying: + + if the status is cleared after disabling the IRQ then sWAKEUP will not + be cleared and gates the module transition + +When we unmask the level interrupt after the interrupt has been handled, +enable the interrupt and only then clear the interrupt. If the interrupt +is still pending, the hardware will re-assert the interrupt status. + +Should the caution note in the TRM prove to be a problem, we could +use a clear-enable-clear sequence instead. + +Cc: Aaro Koskinen +Cc: Keerthy +Cc: Peter Ujfalusi +Signed-off-by: Russell King +[tony@atomide.com: updated comments based on an earlier TI patch] +Signed-off-by: Tony Lindgren +Acked-by: Grygorii Strashko +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-omap.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpio/gpio-omap.c b/drivers/gpio/gpio-omap.c +index f4e9921fa966..7f33024b6d83 100644 +--- a/drivers/gpio/gpio-omap.c ++++ b/drivers/gpio/gpio-omap.c +@@ -883,14 +883,16 @@ static void omap_gpio_unmask_irq(struct irq_data *d) + if (trigger) + omap_set_gpio_triggering(bank, offset, trigger); + +- /* For level-triggered GPIOs, the clearing must be done after +- * the HW source is cleared, thus after the handler has run */ +- if (bank->level_mask & BIT(offset)) { +- omap_set_gpio_irqenable(bank, offset, 0); ++ omap_set_gpio_irqenable(bank, offset, 1); ++ ++ /* ++ * For level-triggered GPIOs, clearing must be done after the source ++ * is cleared, thus after the handler has run. OMAP4 needs this done ++ * after enabing the interrupt to clear the wakeup status. ++ */ ++ if (bank->level_mask & BIT(offset)) + omap_clear_gpio_irqstatus(bank, offset); +- } + +- omap_set_gpio_irqenable(bank, offset, 1); + raw_spin_unlock_irqrestore(&bank->lock, flags); + } + +-- +2.19.1 + diff --git a/queue-5.0/gpio-of-apply-regulator-gpio-quirk-only-to-enable-gp.patch b/queue-5.0/gpio-of-apply-regulator-gpio-quirk-only-to-enable-gp.patch new file mode 100644 index 00000000000..fea16298dc3 --- /dev/null +++ b/queue-5.0/gpio-of-apply-regulator-gpio-quirk-only-to-enable-gp.patch @@ -0,0 +1,84 @@ +From 3c163e14f8b2b91cb5d56b94df368d3a78ad6262 Mon Sep 17 00:00:00 2001 +From: Marek Vasut +Date: Sat, 16 Feb 2019 14:46:27 +0100 +Subject: gpio: of: Apply regulator-gpio quirk only to enable-gpios + +[ Upstream commit 0e7d6f94016407fd7e1ae472e254d64d4454e9c8 ] + +Since commit d6cd33ad7102 ("regulator: gpio: Convert to use descriptors") +the GPIO regulator had inverted the polarity of the control GPIO. This +problem manifested itself on systems with DT containing the following +description (snippet from salvator-common.dtsi): + + gpios = <&gpio5 1 GPIO_ACTIVE_HIGH>; + gpios-states = <1>; + states = <3300000 1 + 1800000 0>; + +Prior to the aforementioned commit, the gpio-regulator code used +gpio_request_array() to claim the GPIO(s) specified in the "gpios" +DT node, while the commit changed that to devm_gpiod_get_index(). + +The legacy gpio_request_array() calls gpio_request_one() and then +gpiod_request(), which parses the DT flags of the "gpios" node and +populates the GPIO descriptor flags field accordingly. + +The new devm_gpiod_get_index() calls gpiod_get_index(), then +of_find_gpio(), of_get_named_gpiod_flags() with flags != NULL, +and then of_gpio_flags_quirks(). Since commit a603a2b8d86e +("gpio: of: Add special quirk to parse regulator flags"), +of_gpio_flags_quirks() contains a quirk for regulator-gpio +which was never triggered by the legacy gpio_request_array() +code path, but is triggered by devm_gpiod_get_index() code +path. + +This quirk checks whether a GPIO is associated with a fixed +or gpio-regulator and if so, checks two additional conditions. +First, whether such GPIO is active-low, and if so, ignores the +active-low flag. Second, whether the regulator DT node does +have an "enable-active-high" property and if the property is +NOT present, sets the GPIO flags as active-low. + +The second check triggers a problem, since it is applied to all +GPIOs associated with a gpio-regulator, rather than only on the +"enable" GPIOs, as the old code did. This changes the way the +gpio-regulator interprets the DT description of the control +GPIOs. + +The old code using gpio_request_array() explicitly parsed the +"enable-active-high" DT property and only applied it to the +GPIOs described in the "enable-gpios" DT node, and only if +those were present. + +This patch fixes the quirk code by only applying the quirk +to "enable-gpios", thus restoring the old behavior. + +Signed-off-by: Marek Vasut +Cc: Geert Uytterhoeven +Cc: Jan Kotas +Cc: Linus Walleij +Cc: Mark Brown +Cc: Wolfram Sang +Cc: linux-renesas-soc@vger.kernel.org +To: linux-gpio@vger.kernel.org +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpiolib-of.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpio/gpiolib-of.c b/drivers/gpio/gpiolib-of.c +index a6e1891217e2..30542a10014f 100644 +--- a/drivers/gpio/gpiolib-of.c ++++ b/drivers/gpio/gpiolib-of.c +@@ -84,6 +84,7 @@ static void of_gpio_flags_quirks(struct device_node *np, + * Note that active low is the default. + */ + if (IS_ENABLED(CONFIG_REGULATOR) && ++ !strcmp(propname, "enable-gpio") && + (of_device_is_compatible(np, "regulator-fixed") || + of_device_is_compatible(np, "reg-fixed-voltage") || + of_device_is_compatible(np, "regulator-gpio"))) { +-- +2.19.1 + diff --git a/queue-5.0/gpio-of-restrict-enable-gpio-quirk-to-regulator-gpio.patch b/queue-5.0/gpio-of-restrict-enable-gpio-quirk-to-regulator-gpio.patch new file mode 100644 index 00000000000..ea4ae129105 --- /dev/null +++ b/queue-5.0/gpio-of-restrict-enable-gpio-quirk-to-regulator-gpio.patch @@ -0,0 +1,56 @@ +From 3b53350146609579117b3e3826d603f3fc266b58 Mon Sep 17 00:00:00 2001 +From: Thierry Reding +Date: Wed, 20 Feb 2019 11:52:14 +0100 +Subject: gpio: of: Restrict enable-gpio quirk to regulator-gpio + +[ Upstream commit 692ef26e72fcce0c1e73c41683fd3512f3719d55 ] + +Commit 0e7d6f940164 ("gpio: of: Apply regulator-gpio quirk only to +enable-gpios") breaks the device tree ABI specified in the device tree +bindings for fixed regulators (compatible "regulator-fixed"). According +to these bindings the polarity of the GPIO is exclusively controlled by +the presence or absence of the enable-active-high property. As such the +polarity quirk implemented in of_gpio_flags_quirks() must be applied to +the GPIO specified for fixed regulators. + +However, commit 0e7d6f940164 ("gpio: of: Apply regulator-gpio quirk only +to enable-gpios") restricted the quirk to the enable-gpios property for +fixed regulators as well, whereas according to the commit message itself +it should only apply to "regulator-gpio" compatible device tree nodes. + +Fix this by actually implementing what the offending commit intended, +which is to ensure that the quirk is applied to the GPIO specified by +the "enable-gpio" property for the "regulator-gpio" bindings only. + +This fixes a regression on Jetson TX1 where the fixed regulator for the +HDMI +5V pin relies on the flags quirk for the proper polarity. + +Fixes: 0e7d6f940164 ("gpio: of: Apply regulator-gpio quirk only to enable-gpios") +Signed-off-by: Thierry Reding +Tested-by: Marek Vasut +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpiolib-of.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpio/gpiolib-of.c b/drivers/gpio/gpiolib-of.c +index 30542a10014f..a1dd2f1c0d02 100644 +--- a/drivers/gpio/gpiolib-of.c ++++ b/drivers/gpio/gpiolib-of.c +@@ -84,10 +84,10 @@ static void of_gpio_flags_quirks(struct device_node *np, + * Note that active low is the default. + */ + if (IS_ENABLED(CONFIG_REGULATOR) && +- !strcmp(propname, "enable-gpio") && + (of_device_is_compatible(np, "regulator-fixed") || + of_device_is_compatible(np, "reg-fixed-voltage") || +- of_device_is_compatible(np, "regulator-gpio"))) { ++ (of_device_is_compatible(np, "regulator-gpio") && ++ strcmp(propname, "enable-gpio") == 0))) { + /* + * The regulator GPIO handles are specified such that the + * presence or absence of "enable-active-high" solely controls +-- +2.19.1 + diff --git a/queue-5.0/h8300-use-cc-cross-prefix-instead-of-hardcoding-h830.patch b/queue-5.0/h8300-use-cc-cross-prefix-instead-of-hardcoding-h830.patch new file mode 100644 index 00000000000..da4a6440802 --- /dev/null +++ b/queue-5.0/h8300-use-cc-cross-prefix-instead-of-hardcoding-h830.patch @@ -0,0 +1,61 @@ +From 2cb3a07a004d15fb30f05fd3ce475d46bf5d4ceb Mon Sep 17 00:00:00 2001 +From: Masahiro Yamada +Date: Fri, 15 Feb 2019 13:04:26 +0900 +Subject: h8300: use cc-cross-prefix instead of hardcoding h8300-unknown-linux- + +[ Upstream commit fc2b47b55f17fd996f7a01975ce1c33c2f2513f6 ] + +It believe it is a bad idea to hardcode a specific compiler prefix +that may or may not be installed on a user's system. It is annoying +when testing features that should not require compilers at all. + +For example, mrproper, headers_install, etc. should work without +any compiler. + +They look like follows on my machine. + +$ make ARCH=h8300 mrproper +./scripts/gcc-version.sh: line 26: h8300-unknown-linux-gcc: command not found +./scripts/gcc-version.sh: line 27: h8300-unknown-linux-gcc: command not found +make: h8300-unknown-linux-gcc: Command not found +make: h8300-unknown-linux-gcc: Command not found + [ a bunch of the same error messages continue ] + +$ make ARCH=h8300 headers_install +./scripts/gcc-version.sh: line 26: h8300-unknown-linux-gcc: command not found +./scripts/gcc-version.sh: line 27: h8300-unknown-linux-gcc: command not found +make: h8300-unknown-linux-gcc: Command not found + HOSTCC scripts/basic/fixdep +make: h8300-unknown-linux-gcc: Command not found + WRAP arch/h8300/include/generated/uapi/asm/kvm_para.h + [ snip ] + +The solution is to delete this line, or to use cc-cross-prefix like +some architectures do. I chose the latter as a moderate fixup. + +I added an alternative 'h8300-linux-' because it is available at: + +https://mirrors.edge.kernel.org/pub/tools/crosstool/files/bin/x86_64/8.1.0/ + +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + arch/h8300/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/h8300/Makefile b/arch/h8300/Makefile +index f801f3708a89..ba0f26cfad61 100644 +--- a/arch/h8300/Makefile ++++ b/arch/h8300/Makefile +@@ -27,7 +27,7 @@ KBUILD_LDFLAGS += $(ldflags-y) + CHECKFLAGS += -msize-long + + ifeq ($(CROSS_COMPILE),) +-CROSS_COMPILE := h8300-unknown-linux- ++CROSS_COMPILE := $(call cc-cross-prefix, h8300-unknown-linux- h8300-linux-) + endif + + core-y += arch/$(ARCH)/kernel/ arch/$(ARCH)/mm/ +-- +2.19.1 + diff --git a/queue-5.0/hid-intel-ish-hid-avoid-binding-wrong-ishtp_cl_devic.patch b/queue-5.0/hid-intel-ish-hid-avoid-binding-wrong-ishtp_cl_devic.patch new file mode 100644 index 00000000000..11108fc2b4f --- /dev/null +++ b/queue-5.0/hid-intel-ish-hid-avoid-binding-wrong-ishtp_cl_devic.patch @@ -0,0 +1,53 @@ +From fde462f71b0cc47b6be846839c62d0f7be3423f5 Mon Sep 17 00:00:00 2001 +From: Hong Liu +Date: Tue, 12 Feb 2019 20:05:20 +0800 +Subject: HID: intel-ish-hid: avoid binding wrong ishtp_cl_device + +[ Upstream commit 0d28f49412405d87d3aae83da255070a46e67627 ] + +When performing a warm reset in ishtp bus driver, the ishtp_cl_device +will not be removed, its fw_client still points to the already freed +ishtp_device.fw_clients array. + +Later after driver finishing ishtp client enumeration, this dangling +pointer may cause driver to bind the wrong ishtp_cl_device to the new +client, causing wrong callback to be called for messages intended for +the new client. + +This helps in development of firmware where frequent switching of +firmwares is required without Linux reboot. + +Signed-off-by: Hong Liu +Tested-by: Hongyan Song +Acked-by: Srinivas Pandruvada +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/intel-ish-hid/ishtp/bus.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/hid/intel-ish-hid/ishtp/bus.c b/drivers/hid/intel-ish-hid/ishtp/bus.c +index 728dc6d4561a..a271d6d169b1 100644 +--- a/drivers/hid/intel-ish-hid/ishtp/bus.c ++++ b/drivers/hid/intel-ish-hid/ishtp/bus.c +@@ -675,7 +675,8 @@ int ishtp_cl_device_bind(struct ishtp_cl *cl) + spin_lock_irqsave(&cl->dev->device_list_lock, flags); + list_for_each_entry(cl_device, &cl->dev->device_list, + device_link) { +- if (cl_device->fw_client->client_id == cl->fw_client_id) { ++ if (cl_device->fw_client && ++ cl_device->fw_client->client_id == cl->fw_client_id) { + cl->device = cl_device; + rv = 0; + break; +@@ -735,6 +736,7 @@ void ishtp_bus_remove_all_clients(struct ishtp_device *ishtp_dev, + spin_lock_irqsave(&ishtp_dev->device_list_lock, flags); + list_for_each_entry_safe(cl_device, n, &ishtp_dev->device_list, + device_link) { ++ cl_device->fw_client = NULL; + if (warm_reset && cl_device->reference_count) + continue; + +-- +2.19.1 + diff --git a/queue-5.0/hid-intel-ish-ipc-handle-pimr-before-ish_wakeup-also.patch b/queue-5.0/hid-intel-ish-ipc-handle-pimr-before-ish_wakeup-also.patch new file mode 100644 index 00000000000..ae6358e1c06 --- /dev/null +++ b/queue-5.0/hid-intel-ish-ipc-handle-pimr-before-ish_wakeup-also.patch @@ -0,0 +1,64 @@ +From 96752461d2d3f8b591f20d614909c5e554d4eec4 Mon Sep 17 00:00:00 2001 +From: Song Hongyan +Date: Tue, 22 Jan 2019 09:06:26 +0800 +Subject: HID: intel-ish: ipc: handle PIMR before ish_wakeup also clear PISR + busy_clear bit + +[ Upstream commit 2edefc056e4f0e6ec9508dd1aca2c18fa320efef ] + +Host driver should handle interrupt mask register earlier than wake up ish FW +else there will be conditions when FW interrupt comes, host PIMR register still +not set ready, so move the interrupt mask setting before ish_wakeup. + +Clear PISR busy_clear bit in ish_irq_handler. If not clear, there will be +conditions host driver received a busy_clear interrupt (before the busy_clear +mask bit is ready), it will return IRQ_NONE after check_generated_interrupt, +the interrupt will never be cleared, causing the DEVICE not sending following +IRQ. + +Since PISR clear should not be called for the CHV device we do this change. +After the change, both ISH2HOST interrupt and busy_clear interrupt will be +considered as interrupt from ISH, busy_clear interrupt will return IRQ_HANDLED +from IPC_IS_BUSY check. + +Signed-off-by: Song Hongyan +Acked-by: Srinivas Pandruvada +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/intel-ish-hid/ipc/ipc.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/hid/intel-ish-hid/ipc/ipc.c b/drivers/hid/intel-ish-hid/ipc/ipc.c +index 742191bb24c6..45e33c7ba9a6 100644 +--- a/drivers/hid/intel-ish-hid/ipc/ipc.c ++++ b/drivers/hid/intel-ish-hid/ipc/ipc.c +@@ -91,7 +91,10 @@ static bool check_generated_interrupt(struct ishtp_device *dev) + IPC_INT_FROM_ISH_TO_HOST_CHV_AB(pisr_val); + } else { + pisr_val = ish_reg_read(dev, IPC_REG_PISR_BXT); +- interrupt_generated = IPC_INT_FROM_ISH_TO_HOST_BXT(pisr_val); ++ interrupt_generated = !!pisr_val; ++ /* only busy-clear bit is RW, others are RO */ ++ if (pisr_val) ++ ish_reg_write(dev, IPC_REG_PISR_BXT, pisr_val); + } + + return interrupt_generated; +@@ -839,11 +842,11 @@ int ish_hw_start(struct ishtp_device *dev) + { + ish_set_host_rdy(dev); + ++ set_host_ready(dev); ++ + /* After that we can enable ISH DMA operation and wakeup ISHFW */ + ish_wakeup(dev); + +- set_host_ready(dev); +- + /* wait for FW-initiated reset flow */ + if (!dev->recvd_hw_ready) + wait_event_interruptible_timeout(dev->wait_hw_ready, +-- +2.19.1 + diff --git a/queue-5.0/hpet-fix-missing-character-in-the-__setup-code-of-hp.patch b/queue-5.0/hpet-fix-missing-character-in-the-__setup-code-of-hp.patch new file mode 100644 index 00000000000..05d63a8fd0f --- /dev/null +++ b/queue-5.0/hpet-fix-missing-character-in-the-__setup-code-of-hp.patch @@ -0,0 +1,59 @@ +From 0c5f32012f6c293e7cb6a1d2bd08e974bba0f6d2 Mon Sep 17 00:00:00 2001 +From: Buland Singh +Date: Thu, 20 Dec 2018 17:35:24 +0530 +Subject: hpet: Fix missing '=' character in the __setup() code of + hpet_mmap_enable + +[ Upstream commit 24d48a61f2666630da130cc2ec2e526eacf229e3 ] + +Commit '3d035f580699 ("drivers/char/hpet.c: allow user controlled mmap for +user processes")' introduced a new kernel command line parameter hpet_mmap, +that is required to expose the memory map of the HPET registers to +user-space. Unfortunately the kernel command line parameter 'hpet_mmap' is +broken and never takes effect due to missing '=' character in the __setup() +code of hpet_mmap_enable. + +Before this patch: + +dmesg output with the kernel command line parameter hpet_mmap=1 + +[ 0.204152] HPET mmap disabled + +dmesg output with the kernel command line parameter hpet_mmap=0 + +[ 0.204192] HPET mmap disabled + +After this patch: + +dmesg output with the kernel command line parameter hpet_mmap=1 + +[ 0.203945] HPET mmap enabled + +dmesg output with the kernel command line parameter hpet_mmap=0 + +[ 0.204652] HPET mmap disabled + +Fixes: 3d035f580699 ("drivers/char/hpet.c: allow user controlled mmap for user processes") +Signed-off-by: Buland Singh +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/char/hpet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/char/hpet.c b/drivers/char/hpet.c +index 4a22b4b41aef..9bffcd37cc7b 100644 +--- a/drivers/char/hpet.c ++++ b/drivers/char/hpet.c +@@ -377,7 +377,7 @@ static __init int hpet_mmap_enable(char *str) + pr_info("HPET mmap %s\n", hpet_mmap_enabled ? "enabled" : "disabled"); + return 1; + } +-__setup("hpet_mmap", hpet_mmap_enable); ++__setup("hpet_mmap=", hpet_mmap_enable); + + static int hpet_mmap(struct file *file, struct vm_area_struct *vma) + { +-- +2.19.1 + diff --git a/queue-5.0/hwrng-virtio-avoid-repeated-init-of-completion.patch b/queue-5.0/hwrng-virtio-avoid-repeated-init-of-completion.patch new file mode 100644 index 00000000000..a82ed8f506d --- /dev/null +++ b/queue-5.0/hwrng-virtio-avoid-repeated-init-of-completion.patch @@ -0,0 +1,57 @@ +From 67550901a06a5f12b992dec74369b766ffbfdbb6 Mon Sep 17 00:00:00 2001 +From: David Tolnay +Date: Mon, 7 Jan 2019 14:36:11 -0800 +Subject: hwrng: virtio - Avoid repeated init of completion + +[ Upstream commit aef027db48da56b6f25d0e54c07c8401ada6ce21 ] + +The virtio-rng driver uses a completion called have_data to wait for a +virtio read to be fulfilled by the hypervisor. The completion is reset +before placing a buffer on the virtio queue and completed by the virtio +callback once data has been written into the buffer. + +Prior to this commit, the driver called init_completion on this +completion both during probe as well as when registering virtio buffers +as part of a hwrng read operation. The second of these init_completion +calls should instead be reinit_completion because the have_data +completion has already been inited by probe. As described in +Documentation/scheduler/completion.txt, "Calling init_completion() twice +on the same completion object is most likely a bug". + +This bug was present in the initial implementation of virtio-rng in +f7f510ec1957 ("virtio: An entropy device, as suggested by hpa"). Back +then the have_data completion was a single static completion rather than +a member of one of potentially multiple virtrng_info structs as +implemented later by 08e53fbdb85c ("virtio-rng: support multiple +virtio-rng devices"). The original driver incorrectly used +init_completion rather than INIT_COMPLETION to reset have_data during +read. + +Tested by running `head -c48 /dev/random | hexdump` within crosvm, the +Chrome OS virtual machine monitor, and confirming that the virtio-rng +driver successfully produces random bytes from the host. + +Signed-off-by: David Tolnay +Tested-by: David Tolnay +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/char/hw_random/virtio-rng.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/char/hw_random/virtio-rng.c b/drivers/char/hw_random/virtio-rng.c +index b89df66ea1ae..7abd604e938c 100644 +--- a/drivers/char/hw_random/virtio-rng.c ++++ b/drivers/char/hw_random/virtio-rng.c +@@ -73,7 +73,7 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait) + + if (!vi->busy) { + vi->busy = true; +- init_completion(&vi->have_data); ++ reinit_completion(&vi->have_data); + register_buffer(vi, buf, size); + } + +-- +2.19.1 + diff --git a/queue-5.0/i2c-allow-recovery-of-the-initial-irq-by-an-i2c-clie.patch b/queue-5.0/i2c-allow-recovery-of-the-initial-irq-by-an-i2c-clie.patch new file mode 100644 index 00000000000..dd1117eaa38 --- /dev/null +++ b/queue-5.0/i2c-allow-recovery-of-the-initial-irq-by-an-i2c-clie.patch @@ -0,0 +1,75 @@ +From 6d768b62c5e5bc17b79a725f26e095f0f8f6875d Mon Sep 17 00:00:00 2001 +From: Jim Broadus +Date: Tue, 19 Feb 2019 11:30:27 -0800 +Subject: i2c: Allow recovery of the initial IRQ by an I2C client device. + +[ Upstream commit 93b6604c5a669d84e45fe5129294875bf82eb1ff ] + +A previous change allowed I2C client devices to discover new IRQs upon +reprobe by clearing the IRQ in i2c_device_remove. However, if an IRQ was +assigned in i2c_new_device, that information is lost. + +For example, the touchscreen and trackpad devices on a Dell Inspiron laptop +are I2C devices whose IRQs are defined by ACPI extended IRQ types. The +client device structures are initialized during an ACPI walk. After +removing the i2c_hid device, modprobe fails. + +This change caches the initial IRQ value in i2c_new_device and then resets +the client device IRQ to the initial value in i2c_device_remove. + +Fixes: 6f108dd70d30 ("i2c: Clear client->irq in i2c_device_remove") +Signed-off-by: Jim Broadus +Reviewed-by: Benjamin Tissoires +Reviewed-by: Charles Keepax +[wsa: this is an easy to backport fix for the regression. We will +refactor the code to handle irq assignments better in general.] +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/i2c-core-base.c | 9 +++++---- + include/linux/i2c.h | 1 + + 2 files changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/i2c/i2c-core-base.c b/drivers/i2c/i2c-core-base.c +index 28460f6a60cc..af87a16ac3a5 100644 +--- a/drivers/i2c/i2c-core-base.c ++++ b/drivers/i2c/i2c-core-base.c +@@ -430,7 +430,7 @@ static int i2c_device_remove(struct device *dev) + dev_pm_clear_wake_irq(&client->dev); + device_init_wakeup(&client->dev, false); + +- client->irq = 0; ++ client->irq = client->init_irq; + + return status; + } +@@ -741,10 +741,11 @@ i2c_new_device(struct i2c_adapter *adap, struct i2c_board_info const *info) + client->flags = info->flags; + client->addr = info->addr; + +- client->irq = info->irq; +- if (!client->irq) +- client->irq = i2c_dev_irq_from_resources(info->resources, ++ client->init_irq = info->irq; ++ if (!client->init_irq) ++ client->init_irq = i2c_dev_irq_from_resources(info->resources, + info->num_resources); ++ client->irq = client->init_irq; + + strlcpy(client->name, info->type, sizeof(client->name)); + +diff --git a/include/linux/i2c.h b/include/linux/i2c.h +index 65b4eaed1d96..7e748648c7d3 100644 +--- a/include/linux/i2c.h ++++ b/include/linux/i2c.h +@@ -333,6 +333,7 @@ struct i2c_client { + char name[I2C_NAME_SIZE]; + struct i2c_adapter *adapter; /* the adapter we sit on */ + struct device dev; /* the device structure */ ++ int init_irq; /* irq set at initialization */ + int irq; /* irq issued by device */ + struct list_head detected; + #if IS_ENABLED(CONFIG_I2C_SLAVE) +-- +2.19.1 + diff --git a/queue-5.0/i2c-designware-do-not-allow-i2c_dw_xfer-calls-while-.patch b/queue-5.0/i2c-designware-do-not-allow-i2c_dw_xfer-calls-while-.patch new file mode 100644 index 00000000000..0682a56e972 --- /dev/null +++ b/queue-5.0/i2c-designware-do-not-allow-i2c_dw_xfer-calls-while-.patch @@ -0,0 +1,149 @@ +From 1d2047a553d2710034b44b520410ed59ca03b57c Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Fri, 22 Feb 2019 14:08:40 +0100 +Subject: i2c: designware: Do not allow i2c_dw_xfer() calls while suspended + +[ Upstream commit 2751541555382dfa7661bcfaac3ee0fac49f505d ] + +On most Intel Bay- and Cherry-Trail systems the PMIC is connected over I2C +and the PMIC is accessed through various means by the _PS0 and _PS3 ACPI +methods (power on / off methods) of various devices. + +This leads to suspend/resume ordering problems where a device may be +resumed and get its _PS0 method executed before the I2C controller is +resumed. On Cherry Trail this leads to errors like these: + + i2c_designware 808622C1:06: controller timed out + ACPI Error: AE_ERROR, Returned by Handler for [UserDefinedRegion] + ACPI Error: Method parse/execution failed \_SB.P18W._ON, AE_ERROR + video LNXVIDEO:00: Failed to change power state to D0 + +But on Bay Trail this caused I2C reads to seem to succeed, but they end +up returning wrong data, which ends up getting written back by the typical +read-modify-write cycle done to turn on various power-resources. + +Debugging the problems caused by this silent data corruption is quite +nasty. This commit adds a check which disallows i2c_dw_xfer() calls to +happen until the controller's resume method has completed. + +Which turns the silent data corruption into getting these errors in +dmesg instead: + + i2c_designware 80860F41:04: Error i2c_dw_xfer call while suspended + ACPI Error: AE_ERROR, Returned by Handler for [UserDefinedRegion] + ACPI Error: Method parse/execution failed \_SB.PCI0.GFX0._PS0, AE_ERROR + +Which is much better. + +Note the above errors are an example of issues which this patch will +help to debug, the actual fix requires fixing the suspend order and +this has been fixed by a different commit. + +Note the setting / clearing of the suspended flag in the suspend / resume +methods is NOT protected by i2c_lock_bus(). This is intentional as these +methods get called from i2c_dw_xfer() (through pm_runtime_get/put) a nd +i2c_dw_xfer() is called with the i2c_bus_lock held, so otherwise we would +deadlock. This means that there is a theoretical race between a non runtime +suspend and the suspended check in i2c_dw_xfer(), this is not a problem +since normally we should not hit the race and this check is primarily a +debugging tool so hitting the check if there are suspend/resume ordering +problems does not need to be 100% reliable. + +Signed-off-by: Hans de Goede +Reviewed-by: Andy Shevchenko +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-designware-core.h | 2 ++ + drivers/i2c/busses/i2c-designware-master.c | 6 ++++++ + drivers/i2c/busses/i2c-designware-pcidrv.c | 7 ++++++- + drivers/i2c/busses/i2c-designware-platdrv.c | 3 +++ + 4 files changed, 17 insertions(+), 1 deletion(-) + +diff --git a/drivers/i2c/busses/i2c-designware-core.h b/drivers/i2c/busses/i2c-designware-core.h +index b4a0b2b99a78..6b4ef1d38fb2 100644 +--- a/drivers/i2c/busses/i2c-designware-core.h ++++ b/drivers/i2c/busses/i2c-designware-core.h +@@ -215,6 +215,7 @@ + * @disable_int: function to disable all interrupts + * @init: function to initialize the I2C hardware + * @mode: operation mode - DW_IC_MASTER or DW_IC_SLAVE ++ * @suspended: set to true if the controller is suspended + * + * HCNT and LCNT parameters can be used if the platform knows more accurate + * values than the one computed based only on the input clock frequency. +@@ -270,6 +271,7 @@ struct dw_i2c_dev { + int (*set_sda_hold_time)(struct dw_i2c_dev *dev); + int mode; + struct i2c_bus_recovery_info rinfo; ++ bool suspended; + }; + + #define ACCESS_SWAP 0x00000001 +diff --git a/drivers/i2c/busses/i2c-designware-master.c b/drivers/i2c/busses/i2c-designware-master.c +index 8d1bc44d2530..bb8e3f149979 100644 +--- a/drivers/i2c/busses/i2c-designware-master.c ++++ b/drivers/i2c/busses/i2c-designware-master.c +@@ -426,6 +426,12 @@ i2c_dw_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[], int num) + + pm_runtime_get_sync(dev->dev); + ++ if (dev->suspended) { ++ dev_err(dev->dev, "Error %s call while suspended\n", __func__); ++ ret = -ESHUTDOWN; ++ goto done_nolock; ++ } ++ + reinit_completion(&dev->cmd_complete); + dev->msgs = msgs; + dev->msgs_num = num; +diff --git a/drivers/i2c/busses/i2c-designware-pcidrv.c b/drivers/i2c/busses/i2c-designware-pcidrv.c +index d50f80487214..76810deb2de6 100644 +--- a/drivers/i2c/busses/i2c-designware-pcidrv.c ++++ b/drivers/i2c/busses/i2c-designware-pcidrv.c +@@ -176,6 +176,7 @@ static int i2c_dw_pci_suspend(struct device *dev) + struct pci_dev *pdev = to_pci_dev(dev); + struct dw_i2c_dev *i_dev = pci_get_drvdata(pdev); + ++ i_dev->suspended = true; + i_dev->disable(i_dev); + + return 0; +@@ -185,8 +186,12 @@ static int i2c_dw_pci_resume(struct device *dev) + { + struct pci_dev *pdev = to_pci_dev(dev); + struct dw_i2c_dev *i_dev = pci_get_drvdata(pdev); ++ int ret; + +- return i_dev->init(i_dev); ++ ret = i_dev->init(i_dev); ++ i_dev->suspended = false; ++ ++ return ret; + } + #endif + +diff --git a/drivers/i2c/busses/i2c-designware-platdrv.c b/drivers/i2c/busses/i2c-designware-platdrv.c +index 9eaac3be1f63..ead5e7de3e4d 100644 +--- a/drivers/i2c/busses/i2c-designware-platdrv.c ++++ b/drivers/i2c/busses/i2c-designware-platdrv.c +@@ -454,6 +454,8 @@ static int dw_i2c_plat_suspend(struct device *dev) + { + struct dw_i2c_dev *i_dev = dev_get_drvdata(dev); + ++ i_dev->suspended = true; ++ + if (i_dev->shared_with_punit) + return 0; + +@@ -471,6 +473,7 @@ static int dw_i2c_plat_resume(struct device *dev) + i2c_dw_prepare_clk(i_dev, true); + + i_dev->init(i_dev); ++ i_dev->suspended = false; + + return 0; + } +-- +2.19.1 + diff --git a/queue-5.0/i2c-of-try-to-find-an-i2c-adapter-matching-the-paren.patch b/queue-5.0/i2c-of-try-to-find-an-i2c-adapter-matching-the-paren.patch new file mode 100644 index 00000000000..71267d1615a --- /dev/null +++ b/queue-5.0/i2c-of-try-to-find-an-i2c-adapter-matching-the-paren.patch @@ -0,0 +1,63 @@ +From 050845fda91e56c8f1861b0b1926ad732208956a Mon Sep 17 00:00:00 2001 +From: Thierry Reding +Date: Fri, 25 Jan 2019 14:11:42 +0100 +Subject: i2c: of: Try to find an I2C adapter matching the parent + +[ Upstream commit e814e688413aabd7b0d75e2a8ed1caa472951dec ] + +If an I2C adapter doesn't match the provided device tree node, also try +matching the parent's device tree node. This allows finding an adapter +based on the device node of the parent device that was used to register +it. + +This fixes a regression on Tegra124-based Chromebooks (Nyan) where the +eDP controller registers an I2C adapter that is used to read to EDID. +After commit 993a815dcbb2 ("dt-bindings: panel: Add missing .txt +suffix") this stopped working because the I2C adapter could no longer +be found. The approach in this patch fixes the regression without +introducing the issues that the above commit solved. + +Fixes: 17ab7806de0c ("drm: don't link DP aux i2c adapter to the hardware device node") +Signed-off-by: Thierry Reding +Tested-by: Tristan Bastian +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/i2c-core-of.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/drivers/i2c/i2c-core-of.c b/drivers/i2c/i2c-core-of.c +index 6cb7ad608bcd..0f01cdba9d2c 100644 +--- a/drivers/i2c/i2c-core-of.c ++++ b/drivers/i2c/i2c-core-of.c +@@ -121,6 +121,17 @@ static int of_dev_node_match(struct device *dev, void *data) + return dev->of_node == data; + } + ++static int of_dev_or_parent_node_match(struct device *dev, void *data) ++{ ++ if (dev->of_node == data) ++ return 1; ++ ++ if (dev->parent) ++ return dev->parent->of_node == data; ++ ++ return 0; ++} ++ + /* must call put_device() when done with returned i2c_client device */ + struct i2c_client *of_find_i2c_device_by_node(struct device_node *node) + { +@@ -145,7 +156,8 @@ struct i2c_adapter *of_find_i2c_adapter_by_node(struct device_node *node) + struct device *dev; + struct i2c_adapter *adapter; + +- dev = bus_find_device(&i2c_bus_type, NULL, node, of_dev_node_match); ++ dev = bus_find_device(&i2c_bus_type, NULL, node, ++ of_dev_or_parent_node_match); + if (!dev) + return NULL; + +-- +2.19.1 + diff --git a/queue-5.0/ib-mlx4-increase-the-timeout-for-cm-cache.patch b/queue-5.0/ib-mlx4-increase-the-timeout-for-cm-cache.patch new file mode 100644 index 00000000000..0f7b9cdd961 --- /dev/null +++ b/queue-5.0/ib-mlx4-increase-the-timeout-for-cm-cache.patch @@ -0,0 +1,106 @@ +From e641ba736686e52ce458b5f766da67e1d0bd6c7a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?H=C3=A5kon=20Bugge?= +Date: Sun, 17 Feb 2019 15:45:12 +0100 +Subject: IB/mlx4: Increase the timeout for CM cache +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 2612d723aadcf8281f9bf8305657129bd9f3cd57 ] + +Using CX-3 virtual functions, either from a bare-metal machine or +pass-through from a VM, MAD packets are proxied through the PF driver. + +Since the VF drivers have separate name spaces for MAD Transaction Ids +(TIDs), the PF driver has to re-map the TIDs and keep the book keeping +in a cache. + +Following the RDMA Connection Manager (CM) protocol, it is clear when +an entry has to evicted form the cache. But life is not perfect, +remote peers may die or be rebooted. Hence, it's a timeout to wipe out +a cache entry, when the PF driver assumes the remote peer has gone. + +During workloads where a high number of QPs are destroyed concurrently, +excessive amount of CM DREQ retries has been observed + +The problem can be demonstrated in a bare-metal environment, where two +nodes have instantiated 8 VFs each. This using dual ported HCAs, so we +have 16 vPorts per physical server. + +64 processes are associated with each vPort and creates and destroys +one QP for each of the remote 64 processes. That is, 1024 QPs per +vPort, all in all 16K QPs. The QPs are created/destroyed using the +CM. + +When tearing down these 16K QPs, excessive CM DREQ retries (and +duplicates) are observed. With some cat/paste/awk wizardry on the +infiniband_cm sysfs, we observe as sum of the 16 vPorts on one of the +nodes: + +cm_rx_duplicates: + dreq 2102 +cm_rx_msgs: + drep 1989 + dreq 6195 + rep 3968 + req 4224 + rtu 4224 +cm_tx_msgs: + drep 4093 + dreq 27568 + rep 4224 + req 3968 + rtu 3968 +cm_tx_retries: + dreq 23469 + +Note that the active/passive side is equally distributed between the +two nodes. + +Enabling pr_debug in cm.c gives tons of: + +[171778.814239] mlx4_ib_multiplex_cm_handler: id{slave: +1,sl_cm_id: 0xd393089f} is NULL! + +By increasing the CM_CLEANUP_CACHE_TIMEOUT from 5 to 30 seconds, the +tear-down phase of the application is reduced from approximately 90 to +50 seconds. Retries/duplicates are also significantly reduced: + +cm_rx_duplicates: + dreq 2460 +[] +cm_tx_retries: + dreq 3010 + req 47 + +Increasing the timeout further didn't help, as these duplicates and +retries stems from a too short CMA timeout, which was 20 (~4 seconds) +on the systems. By increasing the CMA timeout to 22 (~17 seconds), the +numbers fell down to about 10 for both of them. + +Adjustment of the CMA timeout is not part of this commit. + +Signed-off-by: HÃ¥kon Bugge +Acked-by: Jack Morgenstein +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx4/cm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/mlx4/cm.c b/drivers/infiniband/hw/mlx4/cm.c +index fedaf8260105..8c79a480f2b7 100644 +--- a/drivers/infiniband/hw/mlx4/cm.c ++++ b/drivers/infiniband/hw/mlx4/cm.c +@@ -39,7 +39,7 @@ + + #include "mlx4_ib.h" + +-#define CM_CLEANUP_CACHE_TIMEOUT (5 * HZ) ++#define CM_CLEANUP_CACHE_TIMEOUT (30 * HZ) + + struct id_map_entry { + struct rb_node node; +-- +2.19.1 + diff --git a/queue-5.0/ice-fix-ice_remove_rule_internal-vsi_list-handling.patch b/queue-5.0/ice-fix-ice_remove_rule_internal-vsi_list-handling.patch new file mode 100644 index 00000000000..55e4d0d4116 --- /dev/null +++ b/queue-5.0/ice-fix-ice_remove_rule_internal-vsi_list-handling.patch @@ -0,0 +1,81 @@ +From cd708c6e0a4601bc21963663978ca667305ee8b0 Mon Sep 17 00:00:00 2001 +From: Jacob Keller +Date: Fri, 8 Feb 2019 12:50:33 -0800 +Subject: ice: fix ice_remove_rule_internal vsi_list handling + +[ Upstream commit f9264dd687f8d3f9104c9900f8f3e5e419f27c55 ] + +When adding multiple VLANs to the same VSI, the ice_add_vlan code will +share the VSI list, so as not to create multiple unnecessary VSI lists. + +Consider the following flow + + ice_add_vlan(hw, ) + +Where we add three VLAN filters for VIDs 7, 8, and 9, all for VSI 0. + +The ice_add_vlan will create a single vsi_list and share it among all +the filters. + +Later, if we try to remove a VLAN, + + ice_remove_vlan(hw, ) + +Then the removal code will update the vsi_list and remove VSI 0 from it. +But, since the vsi_list is shared, this breaks the list for the other +users who reference it. We actually even free the VSI list memory, and +may result in segmentation faults. + +This is due to the way that VLAN rule share VSI lists with reference +counts, and is caused because we call ice_rem_update_vsi_list even when +the ref_cnt is greater than one. + +To fix this, handle the case where ref_cnt is greater than one +separately. In this case, we need to remove the associated rule without +modifying the vsi_list, since it is currently being referenced by +another rule. Instead, we just need to decrement the VSI list ref_cnt. + +The case for handling sharing of VSI lists with multiple VSIs is not +currently supported by this code. No such rules will be created today, +and this code will require changes if/when such code is added. + +Signed-off-by: Jacob Keller +Reviewed-by: Bruce Allan +Signed-off-by: Anirudh Venkataramanan +Tested-by: Andrew Bowers +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_switch.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_switch.c b/drivers/net/ethernet/intel/ice/ice_switch.c +index 2e5693107fa4..8d602247eb44 100644 +--- a/drivers/net/ethernet/intel/ice/ice_switch.c ++++ b/drivers/net/ethernet/intel/ice/ice_switch.c +@@ -1538,9 +1538,20 @@ ice_remove_rule_internal(struct ice_hw *hw, u8 recp_id, + } else if (!list_elem->vsi_list_info) { + status = ICE_ERR_DOES_NOT_EXIST; + goto exit; ++ } else if (list_elem->vsi_list_info->ref_cnt > 1) { ++ /* a ref_cnt > 1 indicates that the vsi_list is being ++ * shared by multiple rules. Decrement the ref_cnt and ++ * remove this rule, but do not modify the list, as it ++ * is in-use by other rules. ++ */ ++ list_elem->vsi_list_info->ref_cnt--; ++ remove_rule = true; + } else { +- if (list_elem->vsi_list_info->ref_cnt > 1) +- list_elem->vsi_list_info->ref_cnt--; ++ /* a ref_cnt of 1 indicates the vsi_list is only used ++ * by one rule. However, the original removal request is only ++ * for a single VSI. Update the vsi_list first, and only ++ * remove the rule if there are no further VSIs in this list. ++ */ + vsi_handle = f_entry->fltr_info.vsi_handle; + status = ice_rem_update_vsi_list(hw, vsi_handle, list_elem); + if (status) +-- +2.19.1 + diff --git a/queue-5.0/iio-adc-fix-warning-in-qualcomm-pm8xxx-hk-xoadc-driv.patch b/queue-5.0/iio-adc-fix-warning-in-qualcomm-pm8xxx-hk-xoadc-driv.patch new file mode 100644 index 00000000000..fa8c7d5131d --- /dev/null +++ b/queue-5.0/iio-adc-fix-warning-in-qualcomm-pm8xxx-hk-xoadc-driv.patch @@ -0,0 +1,79 @@ +From d386826a32af84f1ac88b7a5a3ee0ea343d63350 Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Wed, 6 Mar 2019 15:41:29 -0800 +Subject: iio: adc: fix warning in Qualcomm PM8xxx HK/XOADC driver +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit e0f0ae838a25464179d37f355d763f9ec139fc15 ] + +The pm8xxx_get_channel() implementation is unclear, and causes gcc to +suddenly generate odd warnings. The trigger for the warning (at least +for me) was the entirely unrelated commit 79a4e91d1bb2 ("device.h: Add +__cold to dev_ logging functions"), which apparently changes gcc +code generation in the caller function enough to cause this: + + drivers/iio/adc/qcom-pm8xxx-xoadc.c: In function ‘pm8xxx_xoadc_probe’: + drivers/iio/adc/qcom-pm8xxx-xoadc.c:633:8: warning: ‘ch’ may be used uninitialized in this function [-Wmaybe-uninitialized] + ret = pm8xxx_read_channel_rsv(adc, ch, AMUX_RSV4, + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + &read_nomux_rsv4, true); + ~~~~~~~~~~~~~~~~~~~~~~~ + drivers/iio/adc/qcom-pm8xxx-xoadc.c:426:27: note: ‘ch’ was declared here + struct pm8xxx_chan_info *ch; + ^~ + +because gcc for some reason then isn't able to see that the termination +condition for the "for( )" loop in that function is also the condition +for returning NULL. + +So it's not _actually_ uninitialized, but the function is admittedly +just unnecessarily oddly written. + +Simplify and clarify the function, making gcc also see that it always +returns a valid initialized value. + +Cc: Joe Perches +Cc: Greg Kroah-Hartman +Cc: Andy Gross +Cc: David Brown +Cc: Jonathan Cameron +Cc: Hartmut Knaack +Cc: Lars-Peter Clausen +Cc: Peter Meerwald-Stadler +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/qcom-pm8xxx-xoadc.c | 10 +++------- + 1 file changed, 3 insertions(+), 7 deletions(-) + +diff --git a/drivers/iio/adc/qcom-pm8xxx-xoadc.c b/drivers/iio/adc/qcom-pm8xxx-xoadc.c +index c30c002f1fef..4735f8a1ca9d 100644 +--- a/drivers/iio/adc/qcom-pm8xxx-xoadc.c ++++ b/drivers/iio/adc/qcom-pm8xxx-xoadc.c +@@ -423,18 +423,14 @@ static irqreturn_t pm8xxx_eoc_irq(int irq, void *d) + static struct pm8xxx_chan_info * + pm8xxx_get_channel(struct pm8xxx_xoadc *adc, u8 chan) + { +- struct pm8xxx_chan_info *ch; + int i; + + for (i = 0; i < adc->nchans; i++) { +- ch = &adc->chans[i]; ++ struct pm8xxx_chan_info *ch = &adc->chans[i]; + if (ch->hwchan->amux_channel == chan) +- break; ++ return ch; + } +- if (i == adc->nchans) +- return NULL; +- +- return ch; ++ return NULL; + } + + static int pm8xxx_read_channel_rsv(struct pm8xxx_xoadc *adc, +-- +2.19.1 + diff --git a/queue-5.0/include-linux-relay.h-fix-percpu-annotation-in-struc.patch b/queue-5.0/include-linux-relay.h-fix-percpu-annotation-in-struc.patch new file mode 100644 index 00000000000..f224bf219a2 --- /dev/null +++ b/queue-5.0/include-linux-relay.h-fix-percpu-annotation-in-struc.patch @@ -0,0 +1,53 @@ +From 53b6f464ed2a2aa21407cdaefb3cf2f0dbbeb2fe Mon Sep 17 00:00:00 2001 +From: Luc Van Oostenryck +Date: Thu, 7 Mar 2019 16:31:28 -0800 +Subject: include/linux/relay.h: fix percpu annotation in struct rchan + +[ Upstream commit 62461ac2e5b6520b6d65fc6d7d7b4b8df4b848d8 ] + +The percpu member of this structure is declared as: + struct ... ** __percpu member; +So its type is: + __percpu pointer to pointer to struct ... + +But looking at how it's used, its type should be: + pointer to __percpu pointer to struct ... +and it should thus be declared as: + struct ... * __percpu *member; + +So fix the placement of '__percpu' in the definition of this +structures. + +This silents a few Sparse's warnings like: + warning: incorrect type in initializer (different address spaces) + expected void const [noderef] *__vpp_verify + got struct sched_domain ** + +Link: http://lkml.kernel.org/r/20190118144902.79065-1-luc.vanoostenryck@gmail.com +Fixes: 017c59c042d01 ("relay: Use per CPU constructs for the relay channel buffer pointers") +Signed-off-by: Luc Van Oostenryck +Cc: Jens Axboe +Cc: Thomas Gleixner +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/linux/relay.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/relay.h b/include/linux/relay.h +index e1bdf01a86e2..c759f96e39c1 100644 +--- a/include/linux/relay.h ++++ b/include/linux/relay.h +@@ -66,7 +66,7 @@ struct rchan + struct kref kref; /* channel refcount */ + void *private_data; /* for user-defined data */ + size_t last_toobig; /* tried to log event > subbuf size */ +- struct rchan_buf ** __percpu buf; /* per-cpu channel buffers */ ++ struct rchan_buf * __percpu *buf; /* per-cpu channel buffers */ + int is_global; /* One global buffer ? */ + struct list_head list; /* for channel list */ + struct dentry *parent; /* parent dentry passed to open */ +-- +2.19.1 + diff --git a/queue-5.0/input-soc_button_array-fix-mapping-of-the-5th-gpio-i.patch b/queue-5.0/input-soc_button_array-fix-mapping-of-the-5th-gpio-i.patch new file mode 100644 index 00000000000..6de4647cfd0 --- /dev/null +++ b/queue-5.0/input-soc_button_array-fix-mapping-of-the-5th-gpio-i.patch @@ -0,0 +1,55 @@ +From 06340d00f16cfe913de857573fcd6fbf708a4732 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Thu, 3 Jan 2019 18:10:45 -0800 +Subject: Input: soc_button_array - fix mapping of the 5th GPIO in a PNP0C40 + device + +[ Upstream commit e9eb788f9442d1b5d93efdb30c3be071ce8a22b1 ] + +The Microsoft documenation for the PNP0C40 device aka the +"Windows-compatible button array" describes the 5th GpioInt listed in +the resources as: '5. Interrupt corresponding to the "Rotation Lock" +button, if supported'. + +Notice this describes the 5th entry as a button while we sofar have been +mapping it to EV_SW, SW_ROTATE_LOCK. On my Point of View TAB P1006W-232 +which actually comes with a rotation-lock button, the button indeed is a +button and not a slider/switch. An image search for other Windows tablets +has found 2 more models with a rotation-lock button and on both of those +it too is a push-button and not a slider/switch. + +Further evidence can be found in the HUT extension HUTRR52 from Microsoft +which adds rotation lock support to the HUT, which describes 2 different +usages: "0xC9 System Display Rotation Lock Button" and +"0xCA System Display Rotation Lock Slider Switch" note that switch is seen +as a separate thing here and the non switch wording is an exact match for +the "Windows-compatible button array" spec wording. + +TL;DR: our current mapping of the 5th GPIO to SW_ROTATE_LOCK is wrong +because the 5th GPIO is for a push-button not a switch. + +This commit fixes this by maping the 5th GPIO to KEY_ROTATE_LOCK_TOGGLE. + +Signed-off-by: Hans de Goede +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/misc/soc_button_array.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/input/misc/soc_button_array.c b/drivers/input/misc/soc_button_array.c +index 23520df7650f..55cd6e0b409c 100644 +--- a/drivers/input/misc/soc_button_array.c ++++ b/drivers/input/misc/soc_button_array.c +@@ -373,7 +373,7 @@ static struct soc_button_info soc_button_PNP0C40[] = { + { "home", 1, EV_KEY, KEY_LEFTMETA, false, true }, + { "volume_up", 2, EV_KEY, KEY_VOLUMEUP, true, false }, + { "volume_down", 3, EV_KEY, KEY_VOLUMEDOWN, true, false }, +- { "rotation_lock", 4, EV_SW, SW_ROTATE_LOCK, false, false }, ++ { "rotation_lock", 4, EV_KEY, KEY_ROTATE_LOCK_TOGGLE, false, false }, + { } + }; + +-- +2.19.1 + diff --git a/queue-5.0/iommu-io-pgtable-arm-v7s-only-kmemleak_ignore-l2-tab.patch b/queue-5.0/iommu-io-pgtable-arm-v7s-only-kmemleak_ignore-l2-tab.patch new file mode 100644 index 00000000000..a91602e9040 --- /dev/null +++ b/queue-5.0/iommu-io-pgtable-arm-v7s-only-kmemleak_ignore-l2-tab.patch @@ -0,0 +1,51 @@ +From 6fe6df153d3cb03efe670b0237ce7670c0a0c04e Mon Sep 17 00:00:00 2001 +From: Nicolas Boichat +Date: Mon, 28 Jan 2019 17:43:01 +0800 +Subject: iommu/io-pgtable-arm-v7s: Only kmemleak_ignore L2 tables + +[ Upstream commit 032ebd8548c9d05e8d2bdc7a7ec2fe29454b0ad0 ] + +L1 tables are allocated with __get_dma_pages, and therefore already +ignored by kmemleak. + +Without this, the kernel would print this error message on boot, +when the first L1 table is allocated: + +[ 2.810533] kmemleak: Trying to color unknown object at 0xffffffd652388000 as Black +[ 2.818190] CPU: 5 PID: 39 Comm: kworker/5:0 Tainted: G S 4.19.16 #8 +[ 2.831227] Workqueue: events deferred_probe_work_func +[ 2.836353] Call trace: +... +[ 2.852532] paint_ptr+0xa0/0xa8 +[ 2.855750] kmemleak_ignore+0x38/0x6c +[ 2.859490] __arm_v7s_alloc_table+0x168/0x1f4 +[ 2.863922] arm_v7s_alloc_pgtable+0x114/0x17c +[ 2.868354] alloc_io_pgtable_ops+0x3c/0x78 +... + +Fixes: e5fc9753b1a8314 ("iommu/io-pgtable: Add ARMv7 short descriptor support") +Signed-off-by: Nicolas Boichat +Acked-by: Will Deacon +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/io-pgtable-arm-v7s.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/iommu/io-pgtable-arm-v7s.c b/drivers/iommu/io-pgtable-arm-v7s.c +index 1b9e40a203e0..18a8330e1882 100644 +--- a/drivers/iommu/io-pgtable-arm-v7s.c ++++ b/drivers/iommu/io-pgtable-arm-v7s.c +@@ -228,7 +228,8 @@ static void *__arm_v7s_alloc_table(int lvl, gfp_t gfp, + if (dma != phys) + goto out_unmap; + } +- kmemleak_ignore(table); ++ if (lvl == 2) ++ kmemleak_ignore(table); + return table; + + out_unmap: +-- +2.19.1 + diff --git a/queue-5.0/iommu-vt-d-disable-ats-support-on-untrusted-devices.patch b/queue-5.0/iommu-vt-d-disable-ats-support-on-untrusted-devices.patch new file mode 100644 index 00000000000..e845a44624d --- /dev/null +++ b/queue-5.0/iommu-vt-d-disable-ats-support-on-untrusted-devices.patch @@ -0,0 +1,47 @@ +From 7ab9e302a12f85255da640d072e99f29394a42d2 Mon Sep 17 00:00:00 2001 +From: Lu Baolu +Date: Fri, 1 Mar 2019 11:23:10 +0800 +Subject: iommu/vt-d: Disable ATS support on untrusted devices + +[ Upstream commit d8b8591054575f33237556c32762d54e30774d28 ] + +Commit fb58fdcd295b9 ("iommu/vt-d: Do not enable ATS for untrusted +devices") disables ATS support on the devices which have been marked +as untrusted. Unfortunately this is not enough to fix the DMA attack +vulnerabiltiies because IOMMU driver allows translated requests as +long as a device advertises the ATS capability. Hence a malicious +peripheral device could use this to bypass IOMMU. + +This disables the ATS support on untrusted devices by clearing the +internal per-device ATS mark. As the result, IOMMU driver will block +any translated requests from any device marked as untrusted. + +Cc: Jacob Pan +Cc: Mika Westerberg +Suggested-by: Kevin Tian +Suggested-by: Ashok Raj +Fixes: fb58fdcd295b9 ("iommu/vt-d: Do not enable ATS for untrusted devices") +Signed-off-by: Lu Baolu +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/intel-iommu.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c +index 78188bf7e90d..dbd6824dfffa 100644 +--- a/drivers/iommu/intel-iommu.c ++++ b/drivers/iommu/intel-iommu.c +@@ -2485,7 +2485,8 @@ static struct dmar_domain *dmar_insert_one_dev_info(struct intel_iommu *iommu, + if (dev && dev_is_pci(dev)) { + struct pci_dev *pdev = to_pci_dev(info->dev); + +- if (!pci_ats_disabled() && ++ if (!pdev->untrusted && ++ !pci_ats_disabled() && + ecap_dev_iotlb_support(iommu->ecap) && + pci_find_ext_capability(pdev, PCI_EXT_CAP_ID_ATS) && + dmar_find_matched_atsr_unit(pdev)) +-- +2.19.1 + diff --git a/queue-5.0/iw_cxgb4-fix-srqidx-leak-during-connection-abort.patch b/queue-5.0/iw_cxgb4-fix-srqidx-leak-during-connection-abort.patch new file mode 100644 index 00000000000..1d142aea7e4 --- /dev/null +++ b/queue-5.0/iw_cxgb4-fix-srqidx-leak-during-connection-abort.patch @@ -0,0 +1,60 @@ +From 88f038dda2362b7fca264cc11dfeb0e85f2a4c45 Mon Sep 17 00:00:00 2001 +From: Raju Rangoju +Date: Wed, 6 Feb 2019 22:54:44 +0530 +Subject: iw_cxgb4: fix srqidx leak during connection abort + +[ Upstream commit f368ff188ae4b3ef6f740a15999ea0373261b619 ] + +When an application aborts the connection by moving QP from RTS to ERROR, +then iw_cxgb4's modify_rc_qp() RTS->ERROR logic sets the +*srqidxp to 0 via t4_set_wq_in_error(&qhp->wq, 0), and aborts the +connection by calling c4iw_ep_disconnect(). + +c4iw_ep_disconnect() does the following: + 1. sends up a close_complete_upcall(ep, -ECONNRESET) to libcxgb4. + 2. sends abort request CPL to hw. + +But, since the close_complete_upcall() is sent before sending the +ABORT_REQ to hw, libcxgb4 would fail to release the srqidx if the +connection holds one. Because, the srqidx is passed up to libcxgb4 only +after corresponding ABORT_RPL is processed by kernel in abort_rpl(). + +This patch handle the corner-case by moving the call to +close_complete_upcall() from c4iw_ep_disconnect() to abort_rpl(). So that +libcxgb4 is notified about the -ECONNRESET only after abort_rpl(), and +libcxgb4 can relinquish the srqidx properly. + +Signed-off-by: Raju Rangoju +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/cxgb4/cm.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c +index 8221813219e5..25a81fbb0d4d 100644 +--- a/drivers/infiniband/hw/cxgb4/cm.c ++++ b/drivers/infiniband/hw/cxgb4/cm.c +@@ -1903,8 +1903,10 @@ static int abort_rpl(struct c4iw_dev *dev, struct sk_buff *skb) + } + mutex_unlock(&ep->com.mutex); + +- if (release) ++ if (release) { ++ close_complete_upcall(ep, -ECONNRESET); + release_ep_resources(ep); ++ } + c4iw_put_ep(&ep->com); + return 0; + } +@@ -3606,7 +3608,6 @@ int c4iw_ep_disconnect(struct c4iw_ep *ep, int abrupt, gfp_t gfp) + if (close) { + if (abrupt) { + set_bit(EP_DISC_ABORT, &ep->com.history); +- close_complete_upcall(ep, -ECONNRESET); + ret = send_abort(ep); + } else { + set_bit(EP_DISC_CLOSE, &ep->com.history); +-- +2.19.1 + diff --git a/queue-5.0/iwlwifi-mvm-fix-rfh-config-command-with-10-cpus.patch b/queue-5.0/iwlwifi-mvm-fix-rfh-config-command-with-10-cpus.patch new file mode 100644 index 00000000000..8f563b78cdf --- /dev/null +++ b/queue-5.0/iwlwifi-mvm-fix-rfh-config-command-with-10-cpus.patch @@ -0,0 +1,68 @@ +From a1e22834c17fe180c270d445aabc0539c4f0517b Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Tue, 11 Dec 2018 21:20:43 +0100 +Subject: iwlwifi: mvm: fix RFH config command with >=10 CPUs + +[ Upstream commit dbf592f3d14fb7d532cb7c820b1065cf33e02aaa ] + +If we have >=10 (logical) CPUs, our command size exceeds the +internal buffer size and the command fails; fix that by using +IWL_HCMD_DFL_NOCOPY for the command that's allocated anyway. + +While at it, also fix the leak of cmd, and use struct_size() +to calculate its size. + +Signed-off-by: Johannes Berg +Fixes: 8edbfaa19835 ("iwlwifi: mvm: configure multi RX queue") +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c +index 0d6c313b6669..19ec55cef802 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c +@@ -127,13 +127,17 @@ static int iwl_send_rss_cfg_cmd(struct iwl_mvm *mvm) + + static int iwl_configure_rxq(struct iwl_mvm *mvm) + { +- int i, num_queues, size; ++ int i, num_queues, size, ret; + struct iwl_rfh_queue_config *cmd; ++ struct iwl_host_cmd hcmd = { ++ .id = WIDE_ID(DATA_PATH_GROUP, RFH_QUEUE_CONFIG_CMD), ++ .dataflags[0] = IWL_HCMD_DFL_NOCOPY, ++ }; + + /* Do not configure default queue, it is configured via context info */ + num_queues = mvm->trans->num_rx_queues - 1; + +- size = sizeof(*cmd) + num_queues * sizeof(struct iwl_rfh_queue_data); ++ size = struct_size(cmd, data, num_queues); + + cmd = kzalloc(size, GFP_KERNEL); + if (!cmd) +@@ -154,10 +158,14 @@ static int iwl_configure_rxq(struct iwl_mvm *mvm) + cmd->data[i].fr_bd_wid = cpu_to_le32(data.fr_bd_wid); + } + +- return iwl_mvm_send_cmd_pdu(mvm, +- WIDE_ID(DATA_PATH_GROUP, +- RFH_QUEUE_CONFIG_CMD), +- 0, size, cmd); ++ hcmd.data[0] = cmd; ++ hcmd.len[0] = size; ++ ++ ret = iwl_mvm_send_cmd(mvm, &hcmd); ++ ++ kfree(cmd); ++ ++ return ret; + } + + static int iwl_mvm_send_dqa_cmd(struct iwl_mvm *mvm) +-- +2.19.1 + diff --git a/queue-5.0/iwlwifi-pcie-fix-emergency-path.patch b/queue-5.0/iwlwifi-pcie-fix-emergency-path.patch new file mode 100644 index 00000000000..f5066fb3f26 --- /dev/null +++ b/queue-5.0/iwlwifi-pcie-fix-emergency-path.patch @@ -0,0 +1,73 @@ +From e741c4b0333a81ed8fa7b4d2db61504940d9c740 Mon Sep 17 00:00:00 2001 +From: Sara Sharon +Date: Thu, 13 Dec 2018 14:47:40 +0200 +Subject: iwlwifi: pcie: fix emergency path + +[ Upstream commit c6ac9f9fb98851f47b978a9476594fc3c477a34d ] + +Allocator swaps the pending requests with 0 when it starts +working. This means that relying on it n RX path to decide if +to move to emergency is not always a good idea, since it may +be zero, but there are still a lot of unallocated RBs in the +system. Change allocator to decrement the pending requests on +real time. It is more expensive since it accesses the atomic +variable more times, but it gives the RX path a better idea +of the system's status. + +Reported-by: Ilan Peer +Signed-off-by: Sara Sharon +Fixes: 868a1e863f95 ("iwlwifi: pcie: avoid empty free RB queue") +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/pcie/rx.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/rx.c b/drivers/net/wireless/intel/iwlwifi/pcie/rx.c +index 9e850c25877b..c596c7b13504 100644 +--- a/drivers/net/wireless/intel/iwlwifi/pcie/rx.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/rx.c +@@ -499,7 +499,7 @@ static void iwl_pcie_rx_allocator(struct iwl_trans *trans) + struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans); + struct iwl_rb_allocator *rba = &trans_pcie->rba; + struct list_head local_empty; +- int pending = atomic_xchg(&rba->req_pending, 0); ++ int pending = atomic_read(&rba->req_pending); + + IWL_DEBUG_RX(trans, "Pending allocation requests = %d\n", pending); + +@@ -554,11 +554,13 @@ static void iwl_pcie_rx_allocator(struct iwl_trans *trans) + i++; + } + ++ atomic_dec(&rba->req_pending); + pending--; ++ + if (!pending) { +- pending = atomic_xchg(&rba->req_pending, 0); ++ pending = atomic_read(&rba->req_pending); + IWL_DEBUG_RX(trans, +- "Pending allocation requests = %d\n", ++ "Got more pending allocation requests = %d\n", + pending); + } + +@@ -570,12 +572,15 @@ static void iwl_pcie_rx_allocator(struct iwl_trans *trans) + spin_unlock(&rba->lock); + + atomic_inc(&rba->req_ready); ++ + } + + spin_lock(&rba->lock); + /* return unused rbds to the allocator empty list */ + list_splice_tail(&local_empty, &rba->rbd_empty); + spin_unlock(&rba->lock); ++ ++ IWL_DEBUG_RX(trans, "%s, exit.\n", __func__); + } + + /* +-- +2.19.1 + diff --git a/queue-5.0/jbd2-fix-invalid-descriptor-block-checksum.patch b/queue-5.0/jbd2-fix-invalid-descriptor-block-checksum.patch new file mode 100644 index 00000000000..e49b93e51e4 --- /dev/null +++ b/queue-5.0/jbd2-fix-invalid-descriptor-block-checksum.patch @@ -0,0 +1,52 @@ +From e73a2c5c93d2eca3e7a9cd6a59a83ced4a826eae Mon Sep 17 00:00:00 2001 +From: luojiajun +Date: Fri, 1 Mar 2019 00:30:00 -0500 +Subject: jbd2: fix invalid descriptor block checksum + +[ Upstream commit 6e876c3dd205d30b0db6850e97a03d75457df007 ] + +In jbd2_journal_commit_transaction(), if we are in abort mode, +we may flush the buffer without setting descriptor block checksum +by goto start_journal_io. Then fs is mounted, +jbd2_descriptor_block_csum_verify() failed. + +[ 271.379811] EXT4-fs (vdd): shut down requested (2) +[ 271.381827] Aborting journal on device vdd-8. +[ 271.597136] JBD2: Invalid checksum recovering block 22199 in log +[ 271.598023] JBD2: recovery failed +[ 271.598484] EXT4-fs (vdd): error loading journal + +Fix this problem by keep setting descriptor block checksum if the +descriptor buffer is not NULL. + +This checksum problem can be reproduced by xfstests generic/388. + +Signed-off-by: luojiajun +Signed-off-by: Theodore Ts'o +Reviewed-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/jbd2/commit.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/fs/jbd2/commit.c b/fs/jbd2/commit.c +index 2eb55c3361a8..efd0ce9489ae 100644 +--- a/fs/jbd2/commit.c ++++ b/fs/jbd2/commit.c +@@ -694,9 +694,11 @@ void jbd2_journal_commit_transaction(journal_t *journal) + the last tag we set up. */ + + tag->t_flags |= cpu_to_be16(JBD2_FLAG_LAST_TAG); +- +- jbd2_descriptor_block_csum_set(journal, descriptor); + start_journal_io: ++ if (descriptor) ++ jbd2_descriptor_block_csum_set(journal, ++ descriptor); ++ + for (i = 0; i < bufs; i++) { + struct buffer_head *bh = wbuf[i]; + /* +-- +2.19.1 + diff --git a/queue-5.0/jbd2-fix-race-when-writing-superblock.patch b/queue-5.0/jbd2-fix-race-when-writing-superblock.patch new file mode 100644 index 00000000000..b049ee56473 --- /dev/null +++ b/queue-5.0/jbd2-fix-race-when-writing-superblock.patch @@ -0,0 +1,157 @@ +From 163120b4931e714d40c9c58898f35177c8651f88 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Thu, 14 Feb 2019 16:27:14 -0500 +Subject: jbd2: fix race when writing superblock + +[ Upstream commit 538bcaa6261b77e71d37f5596c33127c1a3ec3f7 ] + +The jbd2 superblock is lockless now, so there is probably a race +condition between writing it so disk and modifing contents of it, which +may lead to checksum error. The following race is the one case that we +have captured. + +jbd2 fsstress +jbd2_journal_commit_transaction + jbd2_journal_update_sb_log_tail + jbd2_write_superblock + jbd2_superblock_csum_set jbd2_journal_revoke + jbd2_journal_set_features(revork) + modify superblock + submit_bh(checksum incorrect) + +Fix this by locking the buffer head before modifing it. We always +write the jbd2 superblock after we modify it, so this just means +calling the lock_buffer() a little earlier. + +This checksum corruption problem can be reproduced by xfstests +generic/475. + +Reported-by: zhangyi (F) +Suggested-by: Jan Kara +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/jbd2/journal.c | 52 ++++++++++++++++++++++++----------------------- + 1 file changed, 27 insertions(+), 25 deletions(-) + +diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c +index 8ef6b6daaa7a..88f2a49338a1 100644 +--- a/fs/jbd2/journal.c ++++ b/fs/jbd2/journal.c +@@ -1356,6 +1356,10 @@ static int journal_reset(journal_t *journal) + return jbd2_journal_start_thread(journal); + } + ++/* ++ * This function expects that the caller will have locked the journal ++ * buffer head, and will return with it unlocked ++ */ + static int jbd2_write_superblock(journal_t *journal, int write_flags) + { + struct buffer_head *bh = journal->j_sb_buffer; +@@ -1365,7 +1369,6 @@ static int jbd2_write_superblock(journal_t *journal, int write_flags) + trace_jbd2_write_superblock(journal, write_flags); + if (!(journal->j_flags & JBD2_BARRIER)) + write_flags &= ~(REQ_FUA | REQ_PREFLUSH); +- lock_buffer(bh); + if (buffer_write_io_error(bh)) { + /* + * Oh, dear. A previous attempt to write the journal +@@ -1424,6 +1427,7 @@ int jbd2_journal_update_sb_log_tail(journal_t *journal, tid_t tail_tid, + jbd_debug(1, "JBD2: updating superblock (start %lu, seq %u)\n", + tail_block, tail_tid); + ++ lock_buffer(journal->j_sb_buffer); + sb->s_sequence = cpu_to_be32(tail_tid); + sb->s_start = cpu_to_be32(tail_block); + +@@ -1454,18 +1458,17 @@ static void jbd2_mark_journal_empty(journal_t *journal, int write_op) + journal_superblock_t *sb = journal->j_superblock; + + BUG_ON(!mutex_is_locked(&journal->j_checkpoint_mutex)); +- read_lock(&journal->j_state_lock); +- /* Is it already empty? */ +- if (sb->s_start == 0) { +- read_unlock(&journal->j_state_lock); ++ lock_buffer(journal->j_sb_buffer); ++ if (sb->s_start == 0) { /* Is it already empty? */ ++ unlock_buffer(journal->j_sb_buffer); + return; + } ++ + jbd_debug(1, "JBD2: Marking journal as empty (seq %d)\n", + journal->j_tail_sequence); + + sb->s_sequence = cpu_to_be32(journal->j_tail_sequence); + sb->s_start = cpu_to_be32(0); +- read_unlock(&journal->j_state_lock); + + jbd2_write_superblock(journal, write_op); + +@@ -1488,9 +1491,8 @@ void jbd2_journal_update_sb_errno(journal_t *journal) + journal_superblock_t *sb = journal->j_superblock; + int errcode; + +- read_lock(&journal->j_state_lock); ++ lock_buffer(journal->j_sb_buffer); + errcode = journal->j_errno; +- read_unlock(&journal->j_state_lock); + if (errcode == -ESHUTDOWN) + errcode = 0; + jbd_debug(1, "JBD2: updating superblock error (errno %d)\n", errcode); +@@ -1894,28 +1896,27 @@ int jbd2_journal_set_features (journal_t *journal, unsigned long compat, + + sb = journal->j_superblock; + ++ /* Load the checksum driver if necessary */ ++ if ((journal->j_chksum_driver == NULL) && ++ INCOMPAT_FEATURE_ON(JBD2_FEATURE_INCOMPAT_CSUM_V3)) { ++ journal->j_chksum_driver = crypto_alloc_shash("crc32c", 0, 0); ++ if (IS_ERR(journal->j_chksum_driver)) { ++ printk(KERN_ERR "JBD2: Cannot load crc32c driver.\n"); ++ journal->j_chksum_driver = NULL; ++ return 0; ++ } ++ /* Precompute checksum seed for all metadata */ ++ journal->j_csum_seed = jbd2_chksum(journal, ~0, sb->s_uuid, ++ sizeof(sb->s_uuid)); ++ } ++ ++ lock_buffer(journal->j_sb_buffer); ++ + /* If enabling v3 checksums, update superblock */ + if (INCOMPAT_FEATURE_ON(JBD2_FEATURE_INCOMPAT_CSUM_V3)) { + sb->s_checksum_type = JBD2_CRC32C_CHKSUM; + sb->s_feature_compat &= + ~cpu_to_be32(JBD2_FEATURE_COMPAT_CHECKSUM); +- +- /* Load the checksum driver */ +- if (journal->j_chksum_driver == NULL) { +- journal->j_chksum_driver = crypto_alloc_shash("crc32c", +- 0, 0); +- if (IS_ERR(journal->j_chksum_driver)) { +- printk(KERN_ERR "JBD2: Cannot load crc32c " +- "driver.\n"); +- journal->j_chksum_driver = NULL; +- return 0; +- } +- +- /* Precompute checksum seed for all metadata */ +- journal->j_csum_seed = jbd2_chksum(journal, ~0, +- sb->s_uuid, +- sizeof(sb->s_uuid)); +- } + } + + /* If enabling v1 checksums, downgrade superblock */ +@@ -1927,6 +1928,7 @@ int jbd2_journal_set_features (journal_t *journal, unsigned long compat, + sb->s_feature_compat |= cpu_to_be32(compat); + sb->s_feature_ro_compat |= cpu_to_be32(ro); + sb->s_feature_incompat |= cpu_to_be32(incompat); ++ unlock_buffer(journal->j_sb_buffer); + + return 1; + #undef COMPAT_FEATURE_ON +-- +2.19.1 + diff --git a/queue-5.0/kasan-fix-kasan_check_read-write-definitions.patch b/queue-5.0/kasan-fix-kasan_check_read-write-definitions.patch new file mode 100644 index 00000000000..b100cb3b60f --- /dev/null +++ b/queue-5.0/kasan-fix-kasan_check_read-write-definitions.patch @@ -0,0 +1,71 @@ +From ba9f8d2b34965b03954b3e2b60c11213e42ae4e7 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Tue, 5 Mar 2019 15:41:27 -0800 +Subject: kasan: fix kasan_check_read/write definitions + +[ Upstream commit bcf6f55a0d05eedd8ebb6ecc60ae3f93205ad833 ] + +Building little-endian allmodconfig kernels on arm64 started failing +with the generated atomic.h implementation, since we now try to call +kasan helpers from the EFI stub: + + aarch64-linux-gnu-ld: drivers/firmware/efi/libstub/arm-stub.stub.o: in function `atomic_set': + include/generated/atomic-instrumented.h:44: undefined reference to `__efistub_kasan_check_write' + +I suspect that we get similar problems in other files that explicitly +disable KASAN for some reason but call atomic_t based helper functions. + +We can fix this by checking the predefined __SANITIZE_ADDRESS__ macro +that the compiler sets instead of checking CONFIG_KASAN, but this in +turn requires a small hack in mm/kasan/common.c so we do see the extern +declaration there instead of the inline function. + +Link: http://lkml.kernel.org/r/20181211133453.2835077-1-arnd@arndb.de +Fixes: b1864b828644 ("locking/atomics: build atomic headers as required") +Signed-off-by: Arnd Bergmann +Reported-by: Anders Roxell +Acked-by: Andrey Ryabinin +Cc: Ard Biesheuvel +Cc: Will Deacon +Cc: Mark Rutland +Cc: Alexander Potapenko +Cc: Dmitry Vyukov +Cc: Andrey Konovalov +Cc: Stephen Rothwell , +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/linux/kasan-checks.h | 2 +- + mm/kasan/common.c | 2 ++ + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/include/linux/kasan-checks.h b/include/linux/kasan-checks.h +index d314150658a4..a61dc075e2ce 100644 +--- a/include/linux/kasan-checks.h ++++ b/include/linux/kasan-checks.h +@@ -2,7 +2,7 @@ + #ifndef _LINUX_KASAN_CHECKS_H + #define _LINUX_KASAN_CHECKS_H + +-#ifdef CONFIG_KASAN ++#if defined(__SANITIZE_ADDRESS__) || defined(__KASAN_INTERNAL) + void kasan_check_read(const volatile void *p, unsigned int size); + void kasan_check_write(const volatile void *p, unsigned int size); + #else +diff --git a/mm/kasan/common.c b/mm/kasan/common.c +index 09b534fbba17..80bbe62b16cd 100644 +--- a/mm/kasan/common.c ++++ b/mm/kasan/common.c +@@ -14,6 +14,8 @@ + * + */ + ++#define __KASAN_INTERNAL ++ + #include + #include + #include +-- +2.19.1 + diff --git a/queue-5.0/kbuild-invoke-syncconfig-if-include-config-auto.conf.patch b/queue-5.0/kbuild-invoke-syncconfig-if-include-config-auto.conf.patch new file mode 100644 index 00000000000..133f922a4db --- /dev/null +++ b/queue-5.0/kbuild-invoke-syncconfig-if-include-config-auto.conf.patch @@ -0,0 +1,72 @@ +From d71b5320b762613f846d17ed8b2250b67400b0ea Mon Sep 17 00:00:00 2001 +From: Masahiro Yamada +Date: Fri, 22 Feb 2019 16:40:10 +0900 +Subject: kbuild: invoke syncconfig if include/config/auto.conf.cmd is missing + +[ Upstream commit 9390dff66a52d1a60c6e517d8fa6cdbdffc83cb1 ] + +If include/config/auto.conf.cmd is lost for some reasons, it is not +self-healing, so the top Makefile misses to run syncconfig. +Move include/config/auto.conf.cmd to the target side. + +I used a pattern rule instead of a normal rule here although it is +a bit gross. + +If the rule were written with a normal rule like this, + + include/config/auto.conf \ + include/config/auto.conf.cmd \ + include/config/tristate.conf: $(KCONFIG_CONFIG) + $(Q)$(MAKE) -f $(srctree)/Makefile syncconfig + +... syncconfig would be executed per target. + +Using a pattern rule makes sure that syncconfig is executed just once +because Make assumes the recipe will create all of the targets. + +Here is a quote from the GNU Make manual [1]: + +"Pattern rules may have more than one target. Unlike normal rules, +this does not act as many different rules with the same prerequisites +and recipe. If a pattern rule has multiple targets, make knows that +the rule's recipe is responsible for making all of the targets. The +recipe is executed only once to make all the targets. When searching +for a pattern rule to match a target, the target patterns of a rule +other than the one that matches the target in need of a rule are +incidental: make worries only about giving a recipe and prerequisites +to the file presently in question. However, when this file's recipe is +run, the other targets are marked as having been updated themselves." + +[1]: https://www.gnu.org/software/make/manual/html_node/Pattern-Intro.html + +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + Makefile | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/Makefile b/Makefile +index 3ee390feea61..6d542aede778 100644 +--- a/Makefile ++++ b/Makefile +@@ -625,12 +625,15 @@ ifeq ($(may-sync-config),1) + -include include/config/auto.conf.cmd + + # To avoid any implicit rule to kick in, define an empty command +-$(KCONFIG_CONFIG) include/config/auto.conf.cmd: ; ++$(KCONFIG_CONFIG): ; + + # The actual configuration files used during the build are stored in + # include/generated/ and include/config/. Update them if .config is newer than + # include/config/auto.conf (which mirrors .config). +-include/config/%.conf: $(KCONFIG_CONFIG) include/config/auto.conf.cmd ++# ++# This exploits the 'multi-target pattern rule' trick. ++# The syncconfig should be executed only once to make all the targets. ++%/auto.conf %/auto.conf.cmd %/tristate.conf: $(KCONFIG_CONFIG) + $(Q)$(MAKE) -f $(srctree)/Makefile syncconfig + else + # External modules and some install targets need include/generated/autoconf.h +-- +2.19.1 + diff --git a/queue-5.0/kbuild-make-r-r-effective-in-top-makefile-for-old-ma.patch b/queue-5.0/kbuild-make-r-r-effective-in-top-makefile-for-old-ma.patch new file mode 100644 index 00000000000..b14bd8a1a5c --- /dev/null +++ b/queue-5.0/kbuild-make-r-r-effective-in-top-makefile-for-old-ma.patch @@ -0,0 +1,149 @@ +From 8dce0f4dfe882107dbde20cf75461a9f3b55c216 Mon Sep 17 00:00:00 2001 +From: Masahiro Yamada +Date: Fri, 22 Feb 2019 16:40:07 +0900 +Subject: kbuild: make -r/-R effective in top Makefile for old Make versions + +[ Upstream commit 3812b8c5c5d527239ac015f1f2c7654da7fcfbba ] + +Adding -rR to MAKEFLAGS is important because we do not want to +be bothered by built-in implicit rules or variables. + +One problem that used to exist in older GNU Make versions is + + MAKEFLAGS += -rR + +... does not become effective in the current Makefile. When you are +building with O= option, it becomes effective in the top Makefile +since it recurses via 'sub-make' target. Otherwise, the top Makefile +tries implicit rules. That is why we explicitly add empty rules for +Makefiles, but we often miss to do that. + +In fact, adding -d option to older GNU Make versions shows it is +trying a bunch of implicit pattern rules. + + Considering target file `scripts/Makefile.kcov'. + Looking for an implicit rule for `scripts/Makefile.kcov'. + Trying pattern rule with stem `Makefile.kcov'. + Trying implicit prerequisite `scripts/Makefile.kcov.o'. + Trying pattern rule with stem `Makefile.kcov'. + Trying implicit prerequisite `scripts/Makefile.kcov.c'. + Trying pattern rule with stem `Makefile.kcov'. + Trying implicit prerequisite `scripts/Makefile.kcov.cc'. + Trying pattern rule with stem `Makefile.kcov'. + Trying implicit prerequisite `scripts/Makefile.kcov.C'. + ... + +This issue was fixed by GNU Make commit 58dae243526b ("[Savannah #20501] +Handle adding -r/-R to MAKEFLAGS in the makefile"). So, it is no longer +a problem if you use GNU Make 4.0 or later. However, older versions are +still widely used. + +So, I decided to patch the kernel Makefile to invoke sub-make regardless +of O= option. This will allow further cleanups. + +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + Makefile | 48 ++++++++++++++++++++++++++---------------------- + 1 file changed, 26 insertions(+), 22 deletions(-) + +diff --git a/Makefile b/Makefile +index 6d542aede778..1bc6749f5254 100644 +--- a/Makefile ++++ b/Makefile +@@ -15,19 +15,6 @@ NAME = Shy Crocodile + PHONY := _all + _all: + +-# Do not use make's built-in rules and variables +-# (this increases performance and avoids hard-to-debug behaviour) +-MAKEFLAGS += -rR +- +-# Avoid funny character set dependencies +-unexport LC_ALL +-LC_COLLATE=C +-LC_NUMERIC=C +-export LC_COLLATE LC_NUMERIC +- +-# Avoid interference with shell env settings +-unexport GREP_OPTIONS +- + # We are using a recursive build, so we need to do a little thinking + # to get the ordering right. + # +@@ -44,6 +31,21 @@ unexport GREP_OPTIONS + # descending is started. They are now explicitly listed as the + # prepare rule. + ++ifneq ($(sub-make-done),1) ++ ++# Do not use make's built-in rules and variables ++# (this increases performance and avoids hard-to-debug behaviour) ++MAKEFLAGS += -rR ++ ++# Avoid funny character set dependencies ++unexport LC_ALL ++LC_COLLATE=C ++LC_NUMERIC=C ++export LC_COLLATE LC_NUMERIC ++ ++# Avoid interference with shell env settings ++unexport GREP_OPTIONS ++ + # Beautify output + # --------------------------------------------------------------------------- + # +@@ -112,7 +114,6 @@ export quiet Q KBUILD_VERBOSE + + # KBUILD_SRC is not intended to be used by the regular user (for now), + # it is set on invocation of make with KBUILD_OUTPUT or O= specified. +-ifeq ($(KBUILD_SRC),) + + # OK, Make called in directory where kernel src resides + # Do we want to locate output files in a separate directory? +@@ -142,6 +143,13 @@ $(if $(KBUILD_OUTPUT),, \ + # 'sub-make' below. + MAKEFLAGS += --include-dir=$(CURDIR) + ++else ++ ++# Do not print "Entering directory ..." at all for in-tree build. ++MAKEFLAGS += --no-print-directory ++ ++endif # ifneq ($(KBUILD_OUTPUT),) ++ + PHONY += $(MAKECMDGOALS) sub-make + + $(filter-out _all sub-make $(CURDIR)/Makefile, $(MAKECMDGOALS)) _all: sub-make +@@ -149,16 +157,12 @@ $(filter-out _all sub-make $(CURDIR)/Makefile, $(MAKECMDGOALS)) _all: sub-make + + # Invoke a second make in the output directory, passing relevant variables + sub-make: +- $(Q)$(MAKE) -C $(KBUILD_OUTPUT) KBUILD_SRC=$(CURDIR) \ ++ $(Q)$(MAKE) sub-make-done=1 \ ++ $(if $(KBUILD_OUTPUT),-C $(KBUILD_OUTPUT) KBUILD_SRC=$(CURDIR)) \ + -f $(CURDIR)/Makefile $(filter-out _all sub-make,$(MAKECMDGOALS)) + +-# Leave processing to above invocation of make +-skip-makefile := 1 +-endif # ifneq ($(KBUILD_OUTPUT),) +-endif # ifeq ($(KBUILD_SRC),) +- ++else # sub-make-done + # We process the rest of the Makefile if this is the final invocation of make +-ifeq ($(skip-makefile),) + + # Do not print "Entering directory ...", + # but we want to display it when entering to the output directory +@@ -1759,7 +1763,7 @@ $(cmd_files): ; # Do not try to update included dependency files + + endif # ifeq ($(config-targets),1) + endif # ifeq ($(mixed-targets),1) +-endif # skip-makefile ++endif # sub-make-done + + PHONY += FORCE + FORCE: +-- +2.19.1 + diff --git a/queue-5.0/kprobes-prohibit-probing-on-bsearch.patch b/queue-5.0/kprobes-prohibit-probing-on-bsearch.patch new file mode 100644 index 00000000000..9387239de67 --- /dev/null +++ b/queue-5.0/kprobes-prohibit-probing-on-bsearch.patch @@ -0,0 +1,56 @@ +From 9aff8a4a73f98af13ce9e836762be78d3f7eacd2 Mon Sep 17 00:00:00 2001 +From: Andrea Righi +Date: Wed, 13 Feb 2019 01:15:34 +0900 +Subject: kprobes: Prohibit probing on bsearch() + +[ Upstream commit 02106f883cd745523f7766d90a739f983f19e650 ] + +Since kprobe breakpoing handler is using bsearch(), probing on this +routine can cause recursive breakpoint problem. + +int3 + ->do_int3() + ->ftrace_int3_handler() + ->ftrace_location() + ->ftrace_location_range() + ->bsearch() -> int3 + +Prohibit probing on bsearch(). + +Signed-off-by: Andrea Righi +Acked-by: Masami Hiramatsu +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Mathieu Desnoyers +Cc: Peter Zijlstra +Cc: Steven Rostedt +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/154998813406.31052.8791425358974650922.stgit@devbox +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + lib/bsearch.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/lib/bsearch.c b/lib/bsearch.c +index 18b445b010c3..82512fe7b33c 100644 +--- a/lib/bsearch.c ++++ b/lib/bsearch.c +@@ -11,6 +11,7 @@ + + #include + #include ++#include + + /* + * bsearch - binary search an array of elements +@@ -53,3 +54,4 @@ void *bsearch(const void *key, const void *base, size_t num, size_t size, + return NULL; + } + EXPORT_SYMBOL(bsearch); ++NOKPROBE_SYMBOL(bsearch); +-- +2.19.1 + diff --git a/queue-5.0/kprobes-prohibit-probing-on-rcu-debug-routine.patch b/queue-5.0/kprobes-prohibit-probing-on-rcu-debug-routine.patch new file mode 100644 index 00000000000..5f00372f194 --- /dev/null +++ b/queue-5.0/kprobes-prohibit-probing-on-rcu-debug-routine.patch @@ -0,0 +1,58 @@ +From d8112b6870b18879c6c9fcbc407028d5f58e6155 Mon Sep 17 00:00:00 2001 +From: Masami Hiramatsu +Date: Wed, 13 Feb 2019 01:14:37 +0900 +Subject: kprobes: Prohibit probing on RCU debug routine + +[ Upstream commit a39f15b9644fac3f950f522c39e667c3af25c588 ] + +Since kprobe itself depends on RCU, probing on RCU debug +routine can cause recursive breakpoint bugs. + +Prohibit probing on RCU debug routines. + +int3 + ->do_int3() + ->ist_enter() + ->RCU_LOCKDEP_WARN() + ->debug_lockdep_rcu_enabled() -> int3 + +Signed-off-by: Masami Hiramatsu +Cc: Alexander Shishkin +Cc: Andrea Righi +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Mathieu Desnoyers +Cc: Peter Zijlstra +Cc: Steven Rostedt +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/154998807741.31052.11229157537816341591.stgit@devbox +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + kernel/rcu/update.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/kernel/rcu/update.c b/kernel/rcu/update.c +index 1971869c4072..f4ca36d92138 100644 +--- a/kernel/rcu/update.c ++++ b/kernel/rcu/update.c +@@ -52,6 +52,7 @@ + #include + #include + #include ++#include + + #define CREATE_TRACE_POINTS + +@@ -249,6 +250,7 @@ int notrace debug_lockdep_rcu_enabled(void) + current->lockdep_recursion == 0; + } + EXPORT_SYMBOL_GPL(debug_lockdep_rcu_enabled); ++NOKPROBE_SYMBOL(debug_lockdep_rcu_enabled); + + /** + * rcu_read_lock_held() - might we be in RCU read-side critical section? +-- +2.19.1 + diff --git a/queue-5.0/leds-lp55xx-fix-null-deref-on-firmware-load-failure.patch b/queue-5.0/leds-lp55xx-fix-null-deref-on-firmware-load-failure.patch new file mode 100644 index 00000000000..54f30b89a49 --- /dev/null +++ b/queue-5.0/leds-lp55xx-fix-null-deref-on-firmware-load-failure.patch @@ -0,0 +1,58 @@ +From 2c96a261343ecb8bbd2460b2ea8c9a832cd9f7f6 Mon Sep 17 00:00:00 2001 +From: Michal Kazior +Date: Mon, 11 Feb 2019 10:29:27 +0100 +Subject: leds: lp55xx: fix null deref on firmware load failure + +[ Upstream commit 5ddb0869bfc1bca6cfc592c74c64a026f936638c ] + +I've stumbled upon a kernel crash and the logs +pointed me towards the lp5562 driver: + +> <4>[306013.841294] lp5562 0-0030: Direct firmware load for lp5562 failed with error -2 +> <4>[306013.894990] lp5562 0-0030: Falling back to user helper +> ... +> <3>[306073.924886] lp5562 0-0030: firmware request failed +> <1>[306073.939456] Unable to handle kernel NULL pointer dereference at virtual address 00000000 +> <4>[306074.251011] PC is at _raw_spin_lock+0x1c/0x58 +> <4>[306074.255539] LR is at release_firmware+0x6c/0x138 +> ... + +After taking a look I noticed firmware_release() +could be called with either NULL or a dangling +pointer. + +Fixes: 10c06d178df11 ("leds-lp55xx: support firmware interface") +Signed-off-by: Michal Kazior +Signed-off-by: Jacek Anaszewski +Signed-off-by: Sasha Levin +--- + drivers/leds/leds-lp55xx-common.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/leds/leds-lp55xx-common.c b/drivers/leds/leds-lp55xx-common.c +index 3d79a6380761..723f2f17497a 100644 +--- a/drivers/leds/leds-lp55xx-common.c ++++ b/drivers/leds/leds-lp55xx-common.c +@@ -201,7 +201,7 @@ static void lp55xx_firmware_loaded(const struct firmware *fw, void *context) + + if (!fw) { + dev_err(dev, "firmware request failed\n"); +- goto out; ++ return; + } + + /* handling firmware data is chip dependent */ +@@ -214,9 +214,9 @@ static void lp55xx_firmware_loaded(const struct firmware *fw, void *context) + + mutex_unlock(&chip->lock); + +-out: + /* firmware should be released for other channel use */ + release_firmware(chip->fw); ++ chip->fw = NULL; + } + + static int lp55xx_request_firmware(struct lp55xx_chip *chip) +-- +2.19.1 + diff --git a/queue-5.0/libbpf-force-fixdep-compilation-at-the-start-of-the-.patch b/queue-5.0/libbpf-force-fixdep-compilation-at-the-start-of-the-.patch new file mode 100644 index 00000000000..78f606c8c3c --- /dev/null +++ b/queue-5.0/libbpf-force-fixdep-compilation-at-the-start-of-the-.patch @@ -0,0 +1,120 @@ +From 93152b9c146aa6e62442089cf32f2e1ff114995c Mon Sep 17 00:00:00 2001 +From: Stanislav Fomichev +Date: Wed, 6 Mar 2019 11:59:27 -0800 +Subject: libbpf: force fixdep compilation at the start of the build + +[ Upstream commit 8e2688876c7f7073d925e1f150e86b8ed3338f52 ] + +libbpf targets don't explicitly depend on fixdep target, so when +we do 'make -j$(nproc)', there is a high probability, that some +objects will be built before fixdep binary is available. + +Fix this by running sub-make; this makes sure that fixdep dependency +is properly accounted for. + +For the same issue in perf, see commit abb26210a395 ("perf tools: Force +fixdep compilation at the start of the build"). + +Before: + +$ rm -rf /tmp/bld; mkdir /tmp/bld; make -j$(nproc) O=/tmp/bld -C tools/lib/bpf/ + +Auto-detecting system features: +... libelf: [ on ] +... bpf: [ on ] + + HOSTCC /tmp/bld/fixdep.o + CC /tmp/bld/libbpf.o + CC /tmp/bld/bpf.o + CC /tmp/bld/btf.o + CC /tmp/bld/nlattr.o + CC /tmp/bld/libbpf_errno.o + CC /tmp/bld/str_error.o + CC /tmp/bld/netlink.o + CC /tmp/bld/bpf_prog_linfo.o + CC /tmp/bld/libbpf_probes.o + CC /tmp/bld/xsk.o + HOSTLD /tmp/bld/fixdep-in.o + LINK /tmp/bld/fixdep + LD /tmp/bld/libbpf-in.o + LINK /tmp/bld/libbpf.a + LINK /tmp/bld/libbpf.so + LINK /tmp/bld/test_libbpf + +$ head /tmp/bld/.libbpf.o.cmd + # cannot find fixdep (/usr/local/google/home/sdf/src/linux/xxx//fixdep) + # using basic dep data + +/tmp/bld/libbpf.o: libbpf.c /usr/include/stdc-predef.h \ + /usr/include/stdlib.h /usr/include/features.h \ + /usr/include/x86_64-linux-gnu/sys/cdefs.h \ + /usr/include/x86_64-linux-gnu/bits/wordsize.h \ + /usr/include/x86_64-linux-gnu/gnu/stubs.h \ + /usr/include/x86_64-linux-gnu/gnu/stubs-64.h \ + /usr/lib/gcc/x86_64-linux-gnu/7/include/stddef.h \ + +After: + +$ rm -rf /tmp/bld; mkdir /tmp/bld; make -j$(nproc) O=/tmp/bld -C tools/lib/bpf/ + +Auto-detecting system features: +... libelf: [ on ] +... bpf: [ on ] + + HOSTCC /tmp/bld/fixdep.o + HOSTLD /tmp/bld/fixdep-in.o + LINK /tmp/bld/fixdep + CC /tmp/bld/libbpf.o + CC /tmp/bld/bpf.o + CC /tmp/bld/nlattr.o + CC /tmp/bld/btf.o + CC /tmp/bld/libbpf_errno.o + CC /tmp/bld/str_error.o + CC /tmp/bld/netlink.o + CC /tmp/bld/bpf_prog_linfo.o + CC /tmp/bld/libbpf_probes.o + CC /tmp/bld/xsk.o + LD /tmp/bld/libbpf-in.o + LINK /tmp/bld/libbpf.a + LINK /tmp/bld/libbpf.so + LINK /tmp/bld/test_libbpf + +$ head /tmp/bld/.libbpf.o.cmd +cmd_/tmp/bld/libbpf.o := gcc -Wp,-MD,/tmp/bld/.libbpf.o.d -Wp,-MT,/tmp/bld/libbpf.o -g -Wall -DHAVE_LIBELF_MMAP_SUPPORT -DCOMPAT_NEED_REALLOCARRAY -Wbad-function-cast -Wdeclaration-after-statement -Wformat-security -Wformat-y2k -Winit-self -Wmissing-declarations -Wmissing-prototypes -Wnested-externs -Wno-system-headers -Wold-style-definition -Wpacked -Wredundant-decls -Wshadow -Wstrict-prototypes -Wswitch-default -Wswitch-enum -Wundef -Wwrite-strings -Wformat -Wstrict-aliasing=3 -Werror -Wall -fPIC -I. -I/usr/local/google/home/sdf/src/linux/tools/include -I/usr/local/google/home/sdf/src/linux/tools/arch/x86/include/uapi -I/usr/local/google/home/sdf/src/linux/tools/include/uapi -fvisibility=hidden -D"BUILD_STR(s)=$(pound)s" -c -o /tmp/bld/libbpf.o libbpf.c + +source_/tmp/bld/libbpf.o := libbpf.c + +deps_/tmp/bld/libbpf.o := \ + /usr/include/stdc-predef.h \ + /usr/include/stdlib.h \ + /usr/include/features.h \ + /usr/include/x86_64-linux-gnu/sys/cdefs.h \ + /usr/include/x86_64-linux-gnu/bits/wordsize.h \ + +Fixes: 7c422f557266 ("tools build: Build fixdep helper from perf and basic libs") +Reported-by: Eric Dumazet +Signed-off-by: Stanislav Fomichev +Acked-by: Yonghong Song +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/Makefile | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/tools/lib/bpf/Makefile b/tools/lib/bpf/Makefile +index 34d9c3619c96..78fd86b85087 100644 +--- a/tools/lib/bpf/Makefile ++++ b/tools/lib/bpf/Makefile +@@ -162,7 +162,8 @@ endif + + TARGETS = $(CMD_TARGETS) + +-all: fixdep all_cmd ++all: fixdep ++ $(Q)$(MAKE) all_cmd + + all_cmd: $(CMD_TARGETS) check + +-- +2.19.1 + diff --git a/queue-5.0/lockdep-lib-tests-fix-run_tests.sh.patch b/queue-5.0/lockdep-lib-tests-fix-run_tests.sh.patch new file mode 100644 index 00000000000..b3ac1836c71 --- /dev/null +++ b/queue-5.0/lockdep-lib-tests-fix-run_tests.sh.patch @@ -0,0 +1,65 @@ +From 6fdaa87fad3867d2034f77d2c10f3b0b0c6f5726 Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Thu, 14 Feb 2019 15:00:57 -0800 +Subject: lockdep/lib/tests: Fix run_tests.sh + +[ Upstream commit d93ac78bf7b37db36fa00225f8e9a14c7ed1b2ba ] + +Apparently the execute bits were set for the tests/*.sh scripts on my +test setup but these are not set in the kernel tree. Fix this by adding +the interpreter path in front of the script paths. + +Signed-off-by: Bart Van Assche +Signed-off-by: Peter Zijlstra (Intel) +Cc: Andrew Morton +Cc: Johannes Berg +Cc: Linus Torvalds +Cc: Paul E. McKenney +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: Waiman Long +Cc: Will Deacon +Cc: johannes.berg@intel.com +Cc: tj@kernel.org +Fixes: 5ecb8e94b494 ("tools/lib/lockdep/tests: Improve testing accuracy") # v5.0-rc1 +Link: https://lkml.kernel.org/r/20190214230058.196511-23-bvanassche@acm.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + tools/lib/lockdep/run_tests.sh | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/tools/lib/lockdep/run_tests.sh b/tools/lib/lockdep/run_tests.sh +index c8fbd0306960..11f425662b43 100755 +--- a/tools/lib/lockdep/run_tests.sh ++++ b/tools/lib/lockdep/run_tests.sh +@@ -11,7 +11,7 @@ find tests -name '*.c' | sort | while read -r i; do + testname=$(basename "$i" .c) + echo -ne "$testname... " + if gcc -o "tests/$testname" -pthread "$i" liblockdep.a -Iinclude -D__USE_LIBLOCKDEP && +- timeout 1 "tests/$testname" 2>&1 | "tests/${testname}.sh"; then ++ timeout 1 "tests/$testname" 2>&1 | /bin/bash "tests/${testname}.sh"; then + echo "PASSED!" + else + echo "FAILED!" +@@ -24,7 +24,7 @@ find tests -name '*.c' | sort | while read -r i; do + echo -ne "(PRELOAD) $testname... " + if gcc -o "tests/$testname" -pthread -Iinclude "$i" && + timeout 1 ./lockdep "tests/$testname" 2>&1 | +- "tests/${testname}.sh"; then ++ /bin/bash "tests/${testname}.sh"; then + echo "PASSED!" + else + echo "FAILED!" +@@ -37,7 +37,7 @@ find tests -name '*.c' | sort | while read -r i; do + echo -ne "(PRELOAD + Valgrind) $testname... " + if gcc -o "tests/$testname" -pthread -Iinclude "$i" && + { timeout 10 valgrind --read-var-info=yes ./lockdep "./tests/$testname" >& "tests/${testname}.vg.out"; true; } && +- "tests/${testname}.sh" < "tests/${testname}.vg.out" && ++ /bin/bash "tests/${testname}.sh" < "tests/${testname}.vg.out" && + ! grep -Eq '(^==[0-9]*== (Invalid |Uninitialised ))|Mismatched free|Source and destination overlap| UME ' "tests/${testname}.vg.out"; then + echo "PASSED!" + else +-- +2.19.1 + diff --git a/queue-5.0/loop-set-genhd_fl_no_part_scan-after-blkdev_reread_p.patch b/queue-5.0/loop-set-genhd_fl_no_part_scan-after-blkdev_reread_p.patch new file mode 100644 index 00000000000..3138b1b23bb --- /dev/null +++ b/queue-5.0/loop-set-genhd_fl_no_part_scan-after-blkdev_reread_p.patch @@ -0,0 +1,86 @@ +From 5ce9957be2fa701f5e227fc2182e80881dcf71b3 Mon Sep 17 00:00:00 2001 +From: Dongli Zhang +Date: Fri, 22 Feb 2019 22:10:20 +0800 +Subject: loop: set GENHD_FL_NO_PART_SCAN after blkdev_reread_part() + +[ Upstream commit 758a58d0bc67457f1215321a536226654a830eeb ] + +Commit 0da03cab87e6 +("loop: Fix deadlock when calling blkdev_reread_part()") moves +blkdev_reread_part() out of the loop_ctl_mutex. However, +GENHD_FL_NO_PART_SCAN is set before __blkdev_reread_part(). As a result, +__blkdev_reread_part() will fail the check of GENHD_FL_NO_PART_SCAN and +will not rescan the loop device to delete all partitions. + +Below are steps to reproduce the issue: + +step1 # dd if=/dev/zero of=tmp.raw bs=1M count=100 +step2 # losetup -P /dev/loop0 tmp.raw +step3 # parted /dev/loop0 mklabel gpt +step4 # parted -a none -s /dev/loop0 mkpart primary 64s 1 +step5 # losetup -d /dev/loop0 + +Step5 will not be able to delete /dev/loop0p1 (introduced by step4) and +there is below kernel warning message: + +[ 464.414043] __loop_clr_fd: partition scan of loop0 failed (rc=-22) + +This patch sets GENHD_FL_NO_PART_SCAN after blkdev_reread_part(). + +Fixes: 0da03cab87e6 ("loop: Fix deadlock when calling blkdev_reread_part()") +Signed-off-by: Dongli Zhang +Reviewed-by: Jan Kara +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/loop.c | 21 +++++++++++++++++---- + 1 file changed, 17 insertions(+), 4 deletions(-) + +diff --git a/drivers/block/loop.c b/drivers/block/loop.c +index 2faefdd6f420..9a8d83bc1e75 100644 +--- a/drivers/block/loop.c ++++ b/drivers/block/loop.c +@@ -1089,16 +1089,12 @@ static int __loop_clr_fd(struct loop_device *lo, bool release) + kobject_uevent(&disk_to_dev(bdev->bd_disk)->kobj, KOBJ_CHANGE); + } + mapping_set_gfp_mask(filp->f_mapping, gfp); +- lo->lo_state = Lo_unbound; + /* This is safe: open() is still holding a reference. */ + module_put(THIS_MODULE); + blk_mq_unfreeze_queue(lo->lo_queue); + + partscan = lo->lo_flags & LO_FLAGS_PARTSCAN && bdev; + lo_number = lo->lo_number; +- lo->lo_flags = 0; +- if (!part_shift) +- lo->lo_disk->flags |= GENHD_FL_NO_PART_SCAN; + loop_unprepare_queue(lo); + out_unlock: + mutex_unlock(&loop_ctl_mutex); +@@ -1120,6 +1116,23 @@ out_unlock: + /* Device is gone, no point in returning error */ + err = 0; + } ++ ++ /* ++ * lo->lo_state is set to Lo_unbound here after above partscan has ++ * finished. ++ * ++ * There cannot be anybody else entering __loop_clr_fd() as ++ * lo->lo_backing_file is already cleared and Lo_rundown state ++ * protects us from all the other places trying to change the 'lo' ++ * device. ++ */ ++ mutex_lock(&loop_ctl_mutex); ++ lo->lo_flags = 0; ++ if (!part_shift) ++ lo->lo_disk->flags |= GENHD_FL_NO_PART_SCAN; ++ lo->lo_state = Lo_unbound; ++ mutex_unlock(&loop_ctl_mutex); ++ + /* + * Need not hold loop_ctl_mutex to fput backing file. + * Calling fput holding loop_ctl_mutex triggers a circular +-- +2.19.1 + diff --git a/queue-5.0/media-mt9m111-set-initial-frame-size-other-than-0x0.patch b/queue-5.0/media-mt9m111-set-initial-frame-size-other-than-0x0.patch new file mode 100644 index 00000000000..077969b88b4 --- /dev/null +++ b/queue-5.0/media-mt9m111-set-initial-frame-size-other-than-0x0.patch @@ -0,0 +1,39 @@ +From 41a00c61b546cc702dbcfe3918ca7f986ed83137 Mon Sep 17 00:00:00 2001 +From: Akinobu Mita +Date: Tue, 15 Jan 2019 12:05:41 -0200 +Subject: media: mt9m111: set initial frame size other than 0x0 + +[ Upstream commit 29856308137de1c21eda89411695f4fc6e9780ff ] + +This driver sets initial frame width and height to 0x0, which is invalid. +So set it to selection rectangle bounds instead. + +This is detected by v4l2-compliance detected. + +Cc: Enrico Scholz +Cc: Michael Grzeschik +Cc: Marco Felsch +Signed-off-by: Akinobu Mita +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/mt9m111.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/media/i2c/mt9m111.c b/drivers/media/i2c/mt9m111.c +index d639b9bcf64a..7a759b4b88cf 100644 +--- a/drivers/media/i2c/mt9m111.c ++++ b/drivers/media/i2c/mt9m111.c +@@ -1273,6 +1273,8 @@ static int mt9m111_probe(struct i2c_client *client, + mt9m111->rect.top = MT9M111_MIN_DARK_ROWS; + mt9m111->rect.width = MT9M111_MAX_WIDTH; + mt9m111->rect.height = MT9M111_MAX_HEIGHT; ++ mt9m111->width = mt9m111->rect.width; ++ mt9m111->height = mt9m111->rect.height; + mt9m111->fmt = &mt9m111_colour_fmts[0]; + mt9m111->lastpage = -1; + mutex_init(&mt9m111->power_lock); +-- +2.19.1 + diff --git a/queue-5.0/media-mtk-jpeg-correct-return-type-for-mem2mem-buffe.patch b/queue-5.0/media-mtk-jpeg-correct-return-type-for-mem2mem-buffe.patch new file mode 100644 index 00000000000..a05c8d9c319 --- /dev/null +++ b/queue-5.0/media-mtk-jpeg-correct-return-type-for-mem2mem-buffe.patch @@ -0,0 +1,178 @@ +From d30ab5918481e7b69635ff2042a5e2fa59eedd44 Mon Sep 17 00:00:00 2001 +From: Ezequiel Garcia +Date: Fri, 8 Feb 2019 11:17:39 -0500 +Subject: media: mtk-jpeg: Correct return type for mem2mem buffer helpers + +[ Upstream commit 1b275e4e8b70dbff9850874b30831c1bd8d3c504 ] + +Fix the assigned type of mem2mem buffer handling API. +Namely, these functions: + + v4l2_m2m_next_buf + v4l2_m2m_last_buf + v4l2_m2m_buf_remove + v4l2_m2m_next_src_buf + v4l2_m2m_next_dst_buf + v4l2_m2m_last_src_buf + v4l2_m2m_last_dst_buf + v4l2_m2m_src_buf_remove + v4l2_m2m_dst_buf_remove + +return a struct vb2_v4l2_buffer, and not a struct vb2_buffer. + +Fixing this is necessary to fix the mem2mem buffer handling API, +changing the return to the correct struct vb2_v4l2_buffer instead +of a void pointer. + +Signed-off-by: Ezequiel Garcia +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + .../media/platform/mtk-jpeg/mtk_jpeg_core.c | 40 +++++++++---------- + 1 file changed, 20 insertions(+), 20 deletions(-) + +diff --git a/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c b/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c +index 2a5d5002c27e..f761e4d8bf2a 100644 +--- a/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c ++++ b/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c +@@ -702,7 +702,7 @@ end: + v4l2_m2m_buf_queue(ctx->fh.m2m_ctx, to_vb2_v4l2_buffer(vb)); + } + +-static void *mtk_jpeg_buf_remove(struct mtk_jpeg_ctx *ctx, ++static struct vb2_v4l2_buffer *mtk_jpeg_buf_remove(struct mtk_jpeg_ctx *ctx, + enum v4l2_buf_type type) + { + if (V4L2_TYPE_IS_OUTPUT(type)) +@@ -714,7 +714,7 @@ static void *mtk_jpeg_buf_remove(struct mtk_jpeg_ctx *ctx, + static int mtk_jpeg_start_streaming(struct vb2_queue *q, unsigned int count) + { + struct mtk_jpeg_ctx *ctx = vb2_get_drv_priv(q); +- struct vb2_buffer *vb; ++ struct vb2_v4l2_buffer *vb; + int ret = 0; + + ret = pm_runtime_get_sync(ctx->jpeg->dev); +@@ -724,14 +724,14 @@ static int mtk_jpeg_start_streaming(struct vb2_queue *q, unsigned int count) + return 0; + err: + while ((vb = mtk_jpeg_buf_remove(ctx, q->type))) +- v4l2_m2m_buf_done(to_vb2_v4l2_buffer(vb), VB2_BUF_STATE_QUEUED); ++ v4l2_m2m_buf_done(vb, VB2_BUF_STATE_QUEUED); + return ret; + } + + static void mtk_jpeg_stop_streaming(struct vb2_queue *q) + { + struct mtk_jpeg_ctx *ctx = vb2_get_drv_priv(q); +- struct vb2_buffer *vb; ++ struct vb2_v4l2_buffer *vb; + + /* + * STREAMOFF is an acknowledgment for source change event. +@@ -743,7 +743,7 @@ static void mtk_jpeg_stop_streaming(struct vb2_queue *q) + struct mtk_jpeg_src_buf *src_buf; + + vb = v4l2_m2m_next_src_buf(ctx->fh.m2m_ctx); +- src_buf = mtk_jpeg_vb2_to_srcbuf(vb); ++ src_buf = mtk_jpeg_vb2_to_srcbuf(&vb->vb2_buf); + mtk_jpeg_set_queue_data(ctx, &src_buf->dec_param); + ctx->state = MTK_JPEG_RUNNING; + } else if (V4L2_TYPE_IS_OUTPUT(q->type)) { +@@ -751,7 +751,7 @@ static void mtk_jpeg_stop_streaming(struct vb2_queue *q) + } + + while ((vb = mtk_jpeg_buf_remove(ctx, q->type))) +- v4l2_m2m_buf_done(to_vb2_v4l2_buffer(vb), VB2_BUF_STATE_ERROR); ++ v4l2_m2m_buf_done(vb, VB2_BUF_STATE_ERROR); + + pm_runtime_put_sync(ctx->jpeg->dev); + } +@@ -807,7 +807,7 @@ static void mtk_jpeg_device_run(void *priv) + { + struct mtk_jpeg_ctx *ctx = priv; + struct mtk_jpeg_dev *jpeg = ctx->jpeg; +- struct vb2_buffer *src_buf, *dst_buf; ++ struct vb2_v4l2_buffer *src_buf, *dst_buf; + enum vb2_buffer_state buf_state = VB2_BUF_STATE_ERROR; + unsigned long flags; + struct mtk_jpeg_src_buf *jpeg_src_buf; +@@ -817,11 +817,11 @@ static void mtk_jpeg_device_run(void *priv) + + src_buf = v4l2_m2m_next_src_buf(ctx->fh.m2m_ctx); + dst_buf = v4l2_m2m_next_dst_buf(ctx->fh.m2m_ctx); +- jpeg_src_buf = mtk_jpeg_vb2_to_srcbuf(src_buf); ++ jpeg_src_buf = mtk_jpeg_vb2_to_srcbuf(&src_buf->vb2_buf); + + if (jpeg_src_buf->flags & MTK_JPEG_BUF_FLAGS_LAST_FRAME) { +- for (i = 0; i < dst_buf->num_planes; i++) +- vb2_set_plane_payload(dst_buf, i, 0); ++ for (i = 0; i < dst_buf->vb2_buf.num_planes; i++) ++ vb2_set_plane_payload(&dst_buf->vb2_buf, i, 0); + buf_state = VB2_BUF_STATE_DONE; + goto dec_end; + } +@@ -833,8 +833,8 @@ static void mtk_jpeg_device_run(void *priv) + return; + } + +- mtk_jpeg_set_dec_src(ctx, src_buf, &bs); +- if (mtk_jpeg_set_dec_dst(ctx, &jpeg_src_buf->dec_param, dst_buf, &fb)) ++ mtk_jpeg_set_dec_src(ctx, &src_buf->vb2_buf, &bs); ++ if (mtk_jpeg_set_dec_dst(ctx, &jpeg_src_buf->dec_param, &dst_buf->vb2_buf, &fb)) + goto dec_end; + + spin_lock_irqsave(&jpeg->hw_lock, flags); +@@ -849,8 +849,8 @@ static void mtk_jpeg_device_run(void *priv) + dec_end: + v4l2_m2m_src_buf_remove(ctx->fh.m2m_ctx); + v4l2_m2m_dst_buf_remove(ctx->fh.m2m_ctx); +- v4l2_m2m_buf_done(to_vb2_v4l2_buffer(src_buf), buf_state); +- v4l2_m2m_buf_done(to_vb2_v4l2_buffer(dst_buf), buf_state); ++ v4l2_m2m_buf_done(src_buf, buf_state); ++ v4l2_m2m_buf_done(dst_buf, buf_state); + v4l2_m2m_job_finish(jpeg->m2m_dev, ctx->fh.m2m_ctx); + } + +@@ -921,7 +921,7 @@ static irqreturn_t mtk_jpeg_dec_irq(int irq, void *priv) + { + struct mtk_jpeg_dev *jpeg = priv; + struct mtk_jpeg_ctx *ctx; +- struct vb2_buffer *src_buf, *dst_buf; ++ struct vb2_v4l2_buffer *src_buf, *dst_buf; + struct mtk_jpeg_src_buf *jpeg_src_buf; + enum vb2_buffer_state buf_state = VB2_BUF_STATE_ERROR; + u32 dec_irq_ret; +@@ -938,7 +938,7 @@ static irqreturn_t mtk_jpeg_dec_irq(int irq, void *priv) + + src_buf = v4l2_m2m_src_buf_remove(ctx->fh.m2m_ctx); + dst_buf = v4l2_m2m_dst_buf_remove(ctx->fh.m2m_ctx); +- jpeg_src_buf = mtk_jpeg_vb2_to_srcbuf(src_buf); ++ jpeg_src_buf = mtk_jpeg_vb2_to_srcbuf(&src_buf->vb2_buf); + + if (dec_irq_ret >= MTK_JPEG_DEC_RESULT_UNDERFLOW) + mtk_jpeg_dec_reset(jpeg->dec_reg_base); +@@ -948,15 +948,15 @@ static irqreturn_t mtk_jpeg_dec_irq(int irq, void *priv) + goto dec_end; + } + +- for (i = 0; i < dst_buf->num_planes; i++) +- vb2_set_plane_payload(dst_buf, i, ++ for (i = 0; i < dst_buf->vb2_buf.num_planes; i++) ++ vb2_set_plane_payload(&dst_buf->vb2_buf, i, + jpeg_src_buf->dec_param.comp_size[i]); + + buf_state = VB2_BUF_STATE_DONE; + + dec_end: +- v4l2_m2m_buf_done(to_vb2_v4l2_buffer(src_buf), buf_state); +- v4l2_m2m_buf_done(to_vb2_v4l2_buffer(dst_buf), buf_state); ++ v4l2_m2m_buf_done(src_buf, buf_state); ++ v4l2_m2m_buf_done(dst_buf, buf_state); + v4l2_m2m_job_finish(jpeg->m2m_dev, ctx->fh.m2m_ctx); + return IRQ_HANDLED; + } +-- +2.19.1 + diff --git a/queue-5.0/media-mx2_emmaprp-correct-return-type-for-mem2mem-bu.patch b/queue-5.0/media-mx2_emmaprp-correct-return-type-for-mem2mem-bu.patch new file mode 100644 index 00000000000..28d7b2786f5 --- /dev/null +++ b/queue-5.0/media-mx2_emmaprp-correct-return-type-for-mem2mem-bu.patch @@ -0,0 +1,61 @@ +From 3df9fc298df367c8dd802fb62da4192ba02d3c55 Mon Sep 17 00:00:00 2001 +From: Ezequiel Garcia +Date: Fri, 8 Feb 2019 11:17:42 -0500 +Subject: media: mx2_emmaprp: Correct return type for mem2mem buffer helpers + +[ Upstream commit 8d20dcefe471763f23ad538369ec65b51993ffff ] + +Fix the assigned type of mem2mem buffer handling API. +Namely, these functions: + + v4l2_m2m_next_buf + v4l2_m2m_last_buf + v4l2_m2m_buf_remove + v4l2_m2m_next_src_buf + v4l2_m2m_next_dst_buf + v4l2_m2m_last_src_buf + v4l2_m2m_last_dst_buf + v4l2_m2m_src_buf_remove + v4l2_m2m_dst_buf_remove + +return a struct vb2_v4l2_buffer, and not a struct vb2_buffer. + +Fixing this is necessary to fix the mem2mem buffer handling API, +changing the return to the correct struct vb2_v4l2_buffer instead +of a void pointer. + +Signed-off-by: Ezequiel Garcia +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/mx2_emmaprp.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/platform/mx2_emmaprp.c b/drivers/media/platform/mx2_emmaprp.c +index 27b078cf98e3..f60f499c596b 100644 +--- a/drivers/media/platform/mx2_emmaprp.c ++++ b/drivers/media/platform/mx2_emmaprp.c +@@ -274,7 +274,7 @@ static void emmaprp_device_run(void *priv) + { + struct emmaprp_ctx *ctx = priv; + struct emmaprp_q_data *s_q_data, *d_q_data; +- struct vb2_buffer *src_buf, *dst_buf; ++ struct vb2_v4l2_buffer *src_buf, *dst_buf; + struct emmaprp_dev *pcdev = ctx->dev; + unsigned int s_width, s_height; + unsigned int d_width, d_height; +@@ -294,8 +294,8 @@ static void emmaprp_device_run(void *priv) + d_height = d_q_data->height; + d_size = d_width * d_height; + +- p_in = vb2_dma_contig_plane_dma_addr(src_buf, 0); +- p_out = vb2_dma_contig_plane_dma_addr(dst_buf, 0); ++ p_in = vb2_dma_contig_plane_dma_addr(&src_buf->vb2_buf, 0); ++ p_out = vb2_dma_contig_plane_dma_addr(&dst_buf->vb2_buf, 0); + if (!p_in || !p_out) { + v4l2_err(&pcdev->v4l2_dev, + "Acquiring kernel pointers to buffers failed\n"); +-- +2.19.1 + diff --git a/queue-5.0/media-ov7740-fix-runtime-pm-initialization.patch b/queue-5.0/media-ov7740-fix-runtime-pm-initialization.patch new file mode 100644 index 00000000000..d86cc90a078 --- /dev/null +++ b/queue-5.0/media-ov7740-fix-runtime-pm-initialization.patch @@ -0,0 +1,81 @@ +From e13603383a8b0ab6b8bb95a2f575207fd2a0c855 Mon Sep 17 00:00:00 2001 +From: Akinobu Mita +Date: Sun, 17 Feb 2019 10:17:47 -0500 +Subject: media: ov7740: fix runtime pm initialization + +[ Upstream commit 12aceee1f412c3ddc7750155fec06c906f14ab51 ] + +The runtime PM of this device is enabled after v4l2_ctrl_handler_setup(), +and this makes this device's runtime PM usage count a negative value. + +The ov7740_set_ctrl() tries to do something only if the device's runtime +PM usage counter is nonzero. + +ov7740_set_ctrl() +{ + if (!pm_runtime_get_if_in_use(&client->dev)) + return 0; + + ; + + pm_runtime_put(&client->dev); + + return ret; +} + +However, the ov7740_set_ctrl() is called by v4l2_ctrl_handler_setup() +while the runtime PM of this device is not yet enabled. In this case, +the pm_runtime_get_if_in_use() returns -EINVAL (!= 0). + +Therefore we can't bail out of this function and the usage count is +decreased by pm_runtime_put() without increment. + +This fixes this problem by enabling the runtime PM of this device before +v4l2_ctrl_handler_setup() so that the ov7740_set_ctrl() is always called +when the runtime PM is enabled. + +Cc: Wenyou Yang +Signed-off-by: Akinobu Mita +Tested-by: Eugen Hristev +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/ov7740.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/i2c/ov7740.c b/drivers/media/i2c/ov7740.c +index 177688afd9a6..8835b831cdc0 100644 +--- a/drivers/media/i2c/ov7740.c ++++ b/drivers/media/i2c/ov7740.c +@@ -1101,6 +1101,9 @@ static int ov7740_probe(struct i2c_client *client, + if (ret) + return ret; + ++ pm_runtime_set_active(&client->dev); ++ pm_runtime_enable(&client->dev); ++ + ret = ov7740_detect(ov7740); + if (ret) + goto error_detect; +@@ -1123,8 +1126,6 @@ static int ov7740_probe(struct i2c_client *client, + if (ret) + goto error_async_register; + +- pm_runtime_set_active(&client->dev); +- pm_runtime_enable(&client->dev); + pm_runtime_idle(&client->dev); + + return 0; +@@ -1134,6 +1135,8 @@ error_async_register: + error_init_controls: + ov7740_free_controls(ov7740); + error_detect: ++ pm_runtime_disable(&client->dev); ++ pm_runtime_set_suspended(&client->dev); + ov7740_set_power(ov7740, 0); + media_entity_cleanup(&ov7740->subdev.entity); + +-- +2.19.1 + diff --git a/queue-5.0/media-rcar-vin-allow-independent-vin-link-enablement.patch b/queue-5.0/media-rcar-vin-allow-independent-vin-link-enablement.patch new file mode 100644 index 00000000000..53af3cf517d --- /dev/null +++ b/queue-5.0/media-rcar-vin-allow-independent-vin-link-enablement.patch @@ -0,0 +1,70 @@ +From d312ea07375f9fd4c7d59bb0590f60649ef6b65d Mon Sep 17 00:00:00 2001 +From: Steve Longerbeam +Date: Mon, 14 Jan 2019 20:10:19 -0500 +Subject: media: rcar-vin: Allow independent VIN link enablement +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit c5ff0edb8e2270a75935c73217fb0de1abd2d910 ] + +There is a block of code in rvin_group_link_notify() that prevents +enabling a link to a VIN node if any entity in the media graph is +in use. This prevents enabling a VIN link even if there is an in-use +entity somewhere in the graph that is independent of the link's +pipeline. + +For example, the code block will prevent enabling a link from +the first rcar-csi2 receiver to a VIN node even if there is an +enabled link somewhere far upstream on the second independent +rcar-csi2 receiver pipeline. + +If this code block is meant to prevent modifying a link if any entity +in the graph is actively involved in streaming (because modifying +the CHSEL register fields can disrupt any/all running streams), then +the entities stream counts should be checked rather than the use counts. + +(There is already such a check in __media_entity_setup_link() that verifies +the stream_count of the link's source and sink entities are both zero, +but that is insufficient, since there should be no running streams in +the entire graph). + +Modify the code block to check the entity stream_count instead of the +use_count (and elaborate on the comment). VIN node links can now be +enabled even if there are other independent in-use entities that are +not streaming. + +Fixes: c0cc5aef31 ("media: rcar-vin: add link notify for Gen3") + +Signed-off-by: Steve Longerbeam +Reviewed-by: Niklas Söderlund +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/rcar-vin/rcar-core.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/platform/rcar-vin/rcar-core.c b/drivers/media/platform/rcar-vin/rcar-core.c +index f0719ce24b97..aef8d8dab6ab 100644 +--- a/drivers/media/platform/rcar-vin/rcar-core.c ++++ b/drivers/media/platform/rcar-vin/rcar-core.c +@@ -131,9 +131,13 @@ static int rvin_group_link_notify(struct media_link *link, u32 flags, + !is_media_entity_v4l2_video_device(link->sink->entity)) + return 0; + +- /* If any entity is in use don't allow link changes. */ ++ /* ++ * Don't allow link changes if any entity in the graph is ++ * streaming, modifying the CHSEL register fields can disrupt ++ * running streams. ++ */ + media_device_for_each_entity(entity, &group->mdev) +- if (entity->use_count) ++ if (entity->stream_count) + return -EBUSY; + + mutex_lock(&group->lock); +-- +2.19.1 + diff --git a/queue-5.0/media-rockchip-rga-correct-return-type-for-mem2mem-b.patch b/queue-5.0/media-rockchip-rga-correct-return-type-for-mem2mem-b.patch new file mode 100644 index 00000000000..7dff2f1bdef --- /dev/null +++ b/queue-5.0/media-rockchip-rga-correct-return-type-for-mem2mem-b.patch @@ -0,0 +1,61 @@ +From 3ffa09c1a55020d662acd17f273fda2bb7bef97c Mon Sep 17 00:00:00 2001 +From: Ezequiel Garcia +Date: Fri, 8 Feb 2019 11:17:43 -0500 +Subject: media: rockchip/rga: Correct return type for mem2mem buffer helpers + +[ Upstream commit da2d3a4e4adabc6ccfb100bc9abd58ee9cd6c4b7 ] + +Fix the assigned type of mem2mem buffer handling API. +Namely, these functions: + + v4l2_m2m_next_buf + v4l2_m2m_last_buf + v4l2_m2m_buf_remove + v4l2_m2m_next_src_buf + v4l2_m2m_next_dst_buf + v4l2_m2m_last_src_buf + v4l2_m2m_last_dst_buf + v4l2_m2m_src_buf_remove + v4l2_m2m_dst_buf_remove + +return a struct vb2_v4l2_buffer, and not a struct vb2_buffer. + +Fixing this is necessary to fix the mem2mem buffer handling API, +changing the return to the correct struct vb2_v4l2_buffer instead +of a void pointer. + +Signed-off-by: Ezequiel Garcia +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/rockchip/rga/rga.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/platform/rockchip/rga/rga.c b/drivers/media/platform/rockchip/rga/rga.c +index 5c653287185f..b096227a9722 100644 +--- a/drivers/media/platform/rockchip/rga/rga.c ++++ b/drivers/media/platform/rockchip/rga/rga.c +@@ -43,7 +43,7 @@ static void device_run(void *prv) + { + struct rga_ctx *ctx = prv; + struct rockchip_rga *rga = ctx->rga; +- struct vb2_buffer *src, *dst; ++ struct vb2_v4l2_buffer *src, *dst; + unsigned long flags; + + spin_lock_irqsave(&rga->ctrl_lock, flags); +@@ -53,8 +53,8 @@ static void device_run(void *prv) + src = v4l2_m2m_next_src_buf(ctx->fh.m2m_ctx); + dst = v4l2_m2m_next_dst_buf(ctx->fh.m2m_ctx); + +- rga_buf_map(src); +- rga_buf_map(dst); ++ rga_buf_map(&src->vb2_buf); ++ rga_buf_map(&dst->vb2_buf); + + rga_hw_start(rga); + +-- +2.19.1 + diff --git a/queue-5.0/media-rockchip-vpu-correct-return-type-for-mem2mem-b.patch b/queue-5.0/media-rockchip-vpu-correct-return-type-for-mem2mem-b.patch new file mode 100644 index 00000000000..6ff82b3878d --- /dev/null +++ b/queue-5.0/media-rockchip-vpu-correct-return-type-for-mem2mem-b.patch @@ -0,0 +1,100 @@ +From 72e63c0e4f2884e166d67c0fad85d37ca3e1cc5b Mon Sep 17 00:00:00 2001 +From: Ezequiel Garcia +Date: Fri, 8 Feb 2019 11:17:47 -0500 +Subject: media: rockchip/vpu: Correct return type for mem2mem buffer helpers + +[ Upstream commit 29701c3612fa025d5e8dc64c7a4ae8dc4763912e ] + +Fix the assigned type of mem2mem buffer handling API. +Namely, these functions: + + v4l2_m2m_next_buf + v4l2_m2m_last_buf + v4l2_m2m_buf_remove + v4l2_m2m_next_src_buf + v4l2_m2m_next_dst_buf + v4l2_m2m_last_src_buf + v4l2_m2m_last_dst_buf + v4l2_m2m_src_buf_remove + v4l2_m2m_dst_buf_remove + +return a struct vb2_v4l2_buffer, and not a struct vb2_buffer. + +Fixing this is necessary to fix the mem2mem buffer handling API, +changing the return to the correct struct vb2_v4l2_buffer instead +of a void pointer. + +Signed-off-by: Ezequiel Garcia +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/staging/media/rockchip/vpu/rk3288_vpu_hw_jpeg_enc.c | 6 +++--- + drivers/staging/media/rockchip/vpu/rk3399_vpu_hw_jpeg_enc.c | 6 +++--- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/staging/media/rockchip/vpu/rk3288_vpu_hw_jpeg_enc.c b/drivers/staging/media/rockchip/vpu/rk3288_vpu_hw_jpeg_enc.c +index 5282236d1bb1..06daea66fb49 100644 +--- a/drivers/staging/media/rockchip/vpu/rk3288_vpu_hw_jpeg_enc.c ++++ b/drivers/staging/media/rockchip/vpu/rk3288_vpu_hw_jpeg_enc.c +@@ -80,7 +80,7 @@ rk3288_vpu_jpeg_enc_set_qtable(struct rockchip_vpu_dev *vpu, + void rk3288_vpu_jpeg_enc_run(struct rockchip_vpu_ctx *ctx) + { + struct rockchip_vpu_dev *vpu = ctx->dev; +- struct vb2_buffer *src_buf, *dst_buf; ++ struct vb2_v4l2_buffer *src_buf, *dst_buf; + struct rockchip_vpu_jpeg_ctx jpeg_ctx; + u32 reg; + +@@ -88,7 +88,7 @@ void rk3288_vpu_jpeg_enc_run(struct rockchip_vpu_ctx *ctx) + dst_buf = v4l2_m2m_next_dst_buf(ctx->fh.m2m_ctx); + + memset(&jpeg_ctx, 0, sizeof(jpeg_ctx)); +- jpeg_ctx.buffer = vb2_plane_vaddr(dst_buf, 0); ++ jpeg_ctx.buffer = vb2_plane_vaddr(&dst_buf->vb2_buf, 0); + jpeg_ctx.width = ctx->dst_fmt.width; + jpeg_ctx.height = ctx->dst_fmt.height; + jpeg_ctx.quality = ctx->jpeg_quality; +@@ -99,7 +99,7 @@ void rk3288_vpu_jpeg_enc_run(struct rockchip_vpu_ctx *ctx) + VEPU_REG_ENC_CTRL); + + rk3288_vpu_set_src_img_ctrl(vpu, ctx); +- rk3288_vpu_jpeg_enc_set_buffers(vpu, ctx, src_buf); ++ rk3288_vpu_jpeg_enc_set_buffers(vpu, ctx, &src_buf->vb2_buf); + rk3288_vpu_jpeg_enc_set_qtable(vpu, + rockchip_vpu_jpeg_get_qtable(&jpeg_ctx, 0), + rockchip_vpu_jpeg_get_qtable(&jpeg_ctx, 1)); +diff --git a/drivers/staging/media/rockchip/vpu/rk3399_vpu_hw_jpeg_enc.c b/drivers/staging/media/rockchip/vpu/rk3399_vpu_hw_jpeg_enc.c +index dbc86d95fe3b..3d438797692e 100644 +--- a/drivers/staging/media/rockchip/vpu/rk3399_vpu_hw_jpeg_enc.c ++++ b/drivers/staging/media/rockchip/vpu/rk3399_vpu_hw_jpeg_enc.c +@@ -111,7 +111,7 @@ rk3399_vpu_jpeg_enc_set_qtable(struct rockchip_vpu_dev *vpu, + void rk3399_vpu_jpeg_enc_run(struct rockchip_vpu_ctx *ctx) + { + struct rockchip_vpu_dev *vpu = ctx->dev; +- struct vb2_buffer *src_buf, *dst_buf; ++ struct vb2_v4l2_buffer *src_buf, *dst_buf; + struct rockchip_vpu_jpeg_ctx jpeg_ctx; + u32 reg; + +@@ -119,7 +119,7 @@ void rk3399_vpu_jpeg_enc_run(struct rockchip_vpu_ctx *ctx) + dst_buf = v4l2_m2m_next_dst_buf(ctx->fh.m2m_ctx); + + memset(&jpeg_ctx, 0, sizeof(jpeg_ctx)); +- jpeg_ctx.buffer = vb2_plane_vaddr(dst_buf, 0); ++ jpeg_ctx.buffer = vb2_plane_vaddr(&dst_buf->vb2_buf, 0); + jpeg_ctx.width = ctx->dst_fmt.width; + jpeg_ctx.height = ctx->dst_fmt.height; + jpeg_ctx.quality = ctx->jpeg_quality; +@@ -130,7 +130,7 @@ void rk3399_vpu_jpeg_enc_run(struct rockchip_vpu_ctx *ctx) + VEPU_REG_ENCODE_START); + + rk3399_vpu_set_src_img_ctrl(vpu, ctx); +- rk3399_vpu_jpeg_enc_set_buffers(vpu, ctx, src_buf); ++ rk3399_vpu_jpeg_enc_set_buffers(vpu, ctx, &src_buf->vb2_buf); + rk3399_vpu_jpeg_enc_set_qtable(vpu, + rockchip_vpu_jpeg_get_qtable(&jpeg_ctx, 0), + rockchip_vpu_jpeg_get_qtable(&jpeg_ctx, 1)); +-- +2.19.1 + diff --git a/queue-5.0/media-s5p-g2d-correct-return-type-for-mem2mem-buffer.patch b/queue-5.0/media-s5p-g2d-correct-return-type-for-mem2mem-buffer.patch new file mode 100644 index 00000000000..12485023638 --- /dev/null +++ b/queue-5.0/media-s5p-g2d-correct-return-type-for-mem2mem-buffer.patch @@ -0,0 +1,63 @@ +From a70bc6761110ac7f551ed0b95d5c80967bb6b9de Mon Sep 17 00:00:00 2001 +From: Ezequiel Garcia +Date: Fri, 8 Feb 2019 11:17:44 -0500 +Subject: media: s5p-g2d: Correct return type for mem2mem buffer helpers + +[ Upstream commit 30fa627b32230737bc3f678067e2adfecf956987 ] + +Fix the assigned type of mem2mem buffer handling API. +Namely, these functions: + + v4l2_m2m_next_buf + v4l2_m2m_last_buf + v4l2_m2m_buf_remove + v4l2_m2m_next_src_buf + v4l2_m2m_next_dst_buf + v4l2_m2m_last_src_buf + v4l2_m2m_last_dst_buf + v4l2_m2m_src_buf_remove + v4l2_m2m_dst_buf_remove + +return a struct vb2_v4l2_buffer, and not a struct vb2_buffer. + +Fixing this is necessary to fix the mem2mem buffer handling API, +changing the return to the correct struct vb2_v4l2_buffer instead +of a void pointer. + +Signed-off-by: Ezequiel Garcia +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/s5p-g2d/g2d.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/platform/s5p-g2d/g2d.c b/drivers/media/platform/s5p-g2d/g2d.c +index 57ab1d1085d1..971c47165010 100644 +--- a/drivers/media/platform/s5p-g2d/g2d.c ++++ b/drivers/media/platform/s5p-g2d/g2d.c +@@ -513,7 +513,7 @@ static void device_run(void *prv) + { + struct g2d_ctx *ctx = prv; + struct g2d_dev *dev = ctx->dev; +- struct vb2_buffer *src, *dst; ++ struct vb2_v4l2_buffer *src, *dst; + unsigned long flags; + u32 cmd = 0; + +@@ -528,10 +528,10 @@ static void device_run(void *prv) + spin_lock_irqsave(&dev->ctrl_lock, flags); + + g2d_set_src_size(dev, &ctx->in); +- g2d_set_src_addr(dev, vb2_dma_contig_plane_dma_addr(src, 0)); ++ g2d_set_src_addr(dev, vb2_dma_contig_plane_dma_addr(&src->vb2_buf, 0)); + + g2d_set_dst_size(dev, &ctx->out); +- g2d_set_dst_addr(dev, vb2_dma_contig_plane_dma_addr(dst, 0)); ++ g2d_set_dst_addr(dev, vb2_dma_contig_plane_dma_addr(&dst->vb2_buf, 0)); + + g2d_set_rop4(dev, ctx->rop); + g2d_set_flip(dev, ctx->flip); +-- +2.19.1 + diff --git a/queue-5.0/media-s5p-jpeg-check-for-fmt_ver_flag-when-doing-fmt.patch b/queue-5.0/media-s5p-jpeg-check-for-fmt_ver_flag-when-doing-fmt.patch new file mode 100644 index 00000000000..cc1c1e0f6ec --- /dev/null +++ b/queue-5.0/media-s5p-jpeg-check-for-fmt_ver_flag-when-doing-fmt.patch @@ -0,0 +1,86 @@ +From ed82b9c7da5933725e9482cf2308ba6694b1d35c Mon Sep 17 00:00:00 2001 +From: Pawe? Chmiel +Date: Sat, 29 Dec 2018 10:46:01 -0500 +Subject: media: s5p-jpeg: Check for fmt_ver_flag when doing fmt enumeration + +[ Upstream commit 49710c32cd9d6626a77c9f5f978a5f58cb536b35 ] + +Previously when doing format enumeration, it was returning all + formats supported by driver, even if they're not supported by hw. +Add missing check for fmt_ver_flag, so it'll be fixed and only those + supported by hw will be returned. Similar thing is already done + in s5p_jpeg_find_format. + +It was found by using v4l2-compliance tool and checking result + of VIDIOC_ENUM_FMT/FRAMESIZES/FRAMEINTERVALS test +and using v4l2-ctl to get list of all supported formats. + +Tested on s5pv210-galaxys (Samsung i9000 phone). + +Fixes: bb677f3ac434 ("[media] Exynos4 JPEG codec v4l2 driver") + +Signed-off-by: Pawe? Chmiel +Reviewed-by: Jacek Anaszewski +[hverkuil-cisco@xs4all.nl: fix a few alignment issues] +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/s5p-jpeg/jpeg-core.c | 19 +++++++++++-------- + 1 file changed, 11 insertions(+), 8 deletions(-) + +diff --git a/drivers/media/platform/s5p-jpeg/jpeg-core.c b/drivers/media/platform/s5p-jpeg/jpeg-core.c +index 4b47d9f42117..370942b67d86 100644 +--- a/drivers/media/platform/s5p-jpeg/jpeg-core.c ++++ b/drivers/media/platform/s5p-jpeg/jpeg-core.c +@@ -1293,13 +1293,16 @@ static int s5p_jpeg_querycap(struct file *file, void *priv, + return 0; + } + +-static int enum_fmt(struct s5p_jpeg_fmt *sjpeg_formats, int n, ++static int enum_fmt(struct s5p_jpeg_ctx *ctx, ++ struct s5p_jpeg_fmt *sjpeg_formats, int n, + struct v4l2_fmtdesc *f, u32 type) + { + int i, num = 0; ++ unsigned int fmt_ver_flag = ctx->jpeg->variant->fmt_ver_flag; + + for (i = 0; i < n; ++i) { +- if (sjpeg_formats[i].flags & type) { ++ if (sjpeg_formats[i].flags & type && ++ sjpeg_formats[i].flags & fmt_ver_flag) { + /* index-th format of type type found ? */ + if (num == f->index) + break; +@@ -1326,11 +1329,11 @@ static int s5p_jpeg_enum_fmt_vid_cap(struct file *file, void *priv, + struct s5p_jpeg_ctx *ctx = fh_to_ctx(priv); + + if (ctx->mode == S5P_JPEG_ENCODE) +- return enum_fmt(sjpeg_formats, SJPEG_NUM_FORMATS, f, ++ return enum_fmt(ctx, sjpeg_formats, SJPEG_NUM_FORMATS, f, + SJPEG_FMT_FLAG_ENC_CAPTURE); + +- return enum_fmt(sjpeg_formats, SJPEG_NUM_FORMATS, f, +- SJPEG_FMT_FLAG_DEC_CAPTURE); ++ return enum_fmt(ctx, sjpeg_formats, SJPEG_NUM_FORMATS, f, ++ SJPEG_FMT_FLAG_DEC_CAPTURE); + } + + static int s5p_jpeg_enum_fmt_vid_out(struct file *file, void *priv, +@@ -1339,11 +1342,11 @@ static int s5p_jpeg_enum_fmt_vid_out(struct file *file, void *priv, + struct s5p_jpeg_ctx *ctx = fh_to_ctx(priv); + + if (ctx->mode == S5P_JPEG_ENCODE) +- return enum_fmt(sjpeg_formats, SJPEG_NUM_FORMATS, f, ++ return enum_fmt(ctx, sjpeg_formats, SJPEG_NUM_FORMATS, f, + SJPEG_FMT_FLAG_ENC_OUTPUT); + +- return enum_fmt(sjpeg_formats, SJPEG_NUM_FORMATS, f, +- SJPEG_FMT_FLAG_DEC_OUTPUT); ++ return enum_fmt(ctx, sjpeg_formats, SJPEG_NUM_FORMATS, f, ++ SJPEG_FMT_FLAG_DEC_OUTPUT); + } + + static struct s5p_jpeg_q_data *get_q_data(struct s5p_jpeg_ctx *ctx, +-- +2.19.1 + diff --git a/queue-5.0/media-s5p-jpeg-correct-return-type-for-mem2mem-buffe.patch b/queue-5.0/media-s5p-jpeg-correct-return-type-for-mem2mem-buffe.patch new file mode 100644 index 00000000000..640a315dc13 --- /dev/null +++ b/queue-5.0/media-s5p-jpeg-correct-return-type-for-mem2mem-buffe.patch @@ -0,0 +1,199 @@ +From 1b10fa2317793e610344fc0a750935a490a6f70d Mon Sep 17 00:00:00 2001 +From: Ezequiel Garcia +Date: Fri, 8 Feb 2019 11:17:45 -0500 +Subject: media: s5p-jpeg: Correct return type for mem2mem buffer helpers + +[ Upstream commit 4a88f89885c7cf65c62793f385261a6e3315178a ] + +Fix the assigned type of mem2mem buffer handling API. +Namely, these functions: + + v4l2_m2m_next_buf + v4l2_m2m_last_buf + v4l2_m2m_buf_remove + v4l2_m2m_next_src_buf + v4l2_m2m_next_dst_buf + v4l2_m2m_last_src_buf + v4l2_m2m_last_dst_buf + v4l2_m2m_src_buf_remove + v4l2_m2m_dst_buf_remove + +return a struct vb2_v4l2_buffer, and not a struct vb2_buffer. + +Fixing this is necessary to fix the mem2mem buffer handling API, +changing the return to the correct struct vb2_v4l2_buffer instead +of a void pointer. + +Signed-off-by: Ezequiel Garcia +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/s5p-jpeg/jpeg-core.c | 38 ++++++++++----------- + 1 file changed, 19 insertions(+), 19 deletions(-) + +diff --git a/drivers/media/platform/s5p-jpeg/jpeg-core.c b/drivers/media/platform/s5p-jpeg/jpeg-core.c +index 3f9000b70385..4b47d9f42117 100644 +--- a/drivers/media/platform/s5p-jpeg/jpeg-core.c ++++ b/drivers/media/platform/s5p-jpeg/jpeg-core.c +@@ -793,14 +793,14 @@ static void skip(struct s5p_jpeg_buffer *buf, long len); + static void exynos4_jpeg_parse_decode_h_tbl(struct s5p_jpeg_ctx *ctx) + { + struct s5p_jpeg *jpeg = ctx->jpeg; +- struct vb2_buffer *vb = v4l2_m2m_next_src_buf(ctx->fh.m2m_ctx); ++ struct vb2_v4l2_buffer *vb = v4l2_m2m_next_src_buf(ctx->fh.m2m_ctx); + struct s5p_jpeg_buffer jpeg_buffer; + unsigned int word; + int c, x, components; + + jpeg_buffer.size = 2; /* Ls */ + jpeg_buffer.data = +- (unsigned long)vb2_plane_vaddr(vb, 0) + ctx->out_q.sos + 2; ++ (unsigned long)vb2_plane_vaddr(&vb->vb2_buf, 0) + ctx->out_q.sos + 2; + jpeg_buffer.curr = 0; + + word = 0; +@@ -830,14 +830,14 @@ static void exynos4_jpeg_parse_decode_h_tbl(struct s5p_jpeg_ctx *ctx) + static void exynos4_jpeg_parse_huff_tbl(struct s5p_jpeg_ctx *ctx) + { + struct s5p_jpeg *jpeg = ctx->jpeg; +- struct vb2_buffer *vb = v4l2_m2m_next_src_buf(ctx->fh.m2m_ctx); ++ struct vb2_v4l2_buffer *vb = v4l2_m2m_next_src_buf(ctx->fh.m2m_ctx); + struct s5p_jpeg_buffer jpeg_buffer; + unsigned int word; + int c, i, n, j; + + for (j = 0; j < ctx->out_q.dht.n; ++j) { + jpeg_buffer.size = ctx->out_q.dht.len[j]; +- jpeg_buffer.data = (unsigned long)vb2_plane_vaddr(vb, 0) + ++ jpeg_buffer.data = (unsigned long)vb2_plane_vaddr(&vb->vb2_buf, 0) + + ctx->out_q.dht.marker[j]; + jpeg_buffer.curr = 0; + +@@ -889,13 +889,13 @@ static void exynos4_jpeg_parse_huff_tbl(struct s5p_jpeg_ctx *ctx) + static void exynos4_jpeg_parse_decode_q_tbl(struct s5p_jpeg_ctx *ctx) + { + struct s5p_jpeg *jpeg = ctx->jpeg; +- struct vb2_buffer *vb = v4l2_m2m_next_src_buf(ctx->fh.m2m_ctx); ++ struct vb2_v4l2_buffer *vb = v4l2_m2m_next_src_buf(ctx->fh.m2m_ctx); + struct s5p_jpeg_buffer jpeg_buffer; + int c, x, components; + + jpeg_buffer.size = ctx->out_q.sof_len; + jpeg_buffer.data = +- (unsigned long)vb2_plane_vaddr(vb, 0) + ctx->out_q.sof; ++ (unsigned long)vb2_plane_vaddr(&vb->vb2_buf, 0) + ctx->out_q.sof; + jpeg_buffer.curr = 0; + + skip(&jpeg_buffer, 5); /* P, Y, X */ +@@ -920,14 +920,14 @@ static void exynos4_jpeg_parse_decode_q_tbl(struct s5p_jpeg_ctx *ctx) + static void exynos4_jpeg_parse_q_tbl(struct s5p_jpeg_ctx *ctx) + { + struct s5p_jpeg *jpeg = ctx->jpeg; +- struct vb2_buffer *vb = v4l2_m2m_next_src_buf(ctx->fh.m2m_ctx); ++ struct vb2_v4l2_buffer *vb = v4l2_m2m_next_src_buf(ctx->fh.m2m_ctx); + struct s5p_jpeg_buffer jpeg_buffer; + unsigned int word; + int c, i, j; + + for (j = 0; j < ctx->out_q.dqt.n; ++j) { + jpeg_buffer.size = ctx->out_q.dqt.len[j]; +- jpeg_buffer.data = (unsigned long)vb2_plane_vaddr(vb, 0) + ++ jpeg_buffer.data = (unsigned long)vb2_plane_vaddr(&vb->vb2_buf, 0) + + ctx->out_q.dqt.marker[j]; + jpeg_buffer.curr = 0; + +@@ -2072,15 +2072,15 @@ static void s5p_jpeg_device_run(void *priv) + { + struct s5p_jpeg_ctx *ctx = priv; + struct s5p_jpeg *jpeg = ctx->jpeg; +- struct vb2_buffer *src_buf, *dst_buf; ++ struct vb2_v4l2_buffer *src_buf, *dst_buf; + unsigned long src_addr, dst_addr, flags; + + spin_lock_irqsave(&ctx->jpeg->slock, flags); + + src_buf = v4l2_m2m_next_src_buf(ctx->fh.m2m_ctx); + dst_buf = v4l2_m2m_next_dst_buf(ctx->fh.m2m_ctx); +- src_addr = vb2_dma_contig_plane_dma_addr(src_buf, 0); +- dst_addr = vb2_dma_contig_plane_dma_addr(dst_buf, 0); ++ src_addr = vb2_dma_contig_plane_dma_addr(&src_buf->vb2_buf, 0); ++ dst_addr = vb2_dma_contig_plane_dma_addr(&dst_buf->vb2_buf, 0); + + s5p_jpeg_reset(jpeg->regs); + s5p_jpeg_poweron(jpeg->regs); +@@ -2153,7 +2153,7 @@ static void exynos4_jpeg_set_img_addr(struct s5p_jpeg_ctx *ctx) + { + struct s5p_jpeg *jpeg = ctx->jpeg; + struct s5p_jpeg_fmt *fmt; +- struct vb2_buffer *vb; ++ struct vb2_v4l2_buffer *vb; + struct s5p_jpeg_addr jpeg_addr = {}; + u32 pix_size, padding_bytes = 0; + +@@ -2172,7 +2172,7 @@ static void exynos4_jpeg_set_img_addr(struct s5p_jpeg_ctx *ctx) + vb = v4l2_m2m_next_dst_buf(ctx->fh.m2m_ctx); + } + +- jpeg_addr.y = vb2_dma_contig_plane_dma_addr(vb, 0); ++ jpeg_addr.y = vb2_dma_contig_plane_dma_addr(&vb->vb2_buf, 0); + + if (fmt->colplanes == 2) { + jpeg_addr.cb = jpeg_addr.y + pix_size - padding_bytes; +@@ -2190,7 +2190,7 @@ static void exynos4_jpeg_set_img_addr(struct s5p_jpeg_ctx *ctx) + static void exynos4_jpeg_set_jpeg_addr(struct s5p_jpeg_ctx *ctx) + { + struct s5p_jpeg *jpeg = ctx->jpeg; +- struct vb2_buffer *vb; ++ struct vb2_v4l2_buffer *vb; + unsigned int jpeg_addr = 0; + + if (ctx->mode == S5P_JPEG_ENCODE) +@@ -2198,7 +2198,7 @@ static void exynos4_jpeg_set_jpeg_addr(struct s5p_jpeg_ctx *ctx) + else + vb = v4l2_m2m_next_src_buf(ctx->fh.m2m_ctx); + +- jpeg_addr = vb2_dma_contig_plane_dma_addr(vb, 0); ++ jpeg_addr = vb2_dma_contig_plane_dma_addr(&vb->vb2_buf, 0); + if (jpeg->variant->version == SJPEG_EXYNOS5433 && + ctx->mode == S5P_JPEG_DECODE) + jpeg_addr += ctx->out_q.sos; +@@ -2314,7 +2314,7 @@ static void exynos3250_jpeg_set_img_addr(struct s5p_jpeg_ctx *ctx) + { + struct s5p_jpeg *jpeg = ctx->jpeg; + struct s5p_jpeg_fmt *fmt; +- struct vb2_buffer *vb; ++ struct vb2_v4l2_buffer *vb; + struct s5p_jpeg_addr jpeg_addr = {}; + u32 pix_size; + +@@ -2328,7 +2328,7 @@ static void exynos3250_jpeg_set_img_addr(struct s5p_jpeg_ctx *ctx) + fmt = ctx->cap_q.fmt; + } + +- jpeg_addr.y = vb2_dma_contig_plane_dma_addr(vb, 0); ++ jpeg_addr.y = vb2_dma_contig_plane_dma_addr(&vb->vb2_buf, 0); + + if (fmt->colplanes == 2) { + jpeg_addr.cb = jpeg_addr.y + pix_size; +@@ -2346,7 +2346,7 @@ static void exynos3250_jpeg_set_img_addr(struct s5p_jpeg_ctx *ctx) + static void exynos3250_jpeg_set_jpeg_addr(struct s5p_jpeg_ctx *ctx) + { + struct s5p_jpeg *jpeg = ctx->jpeg; +- struct vb2_buffer *vb; ++ struct vb2_v4l2_buffer *vb; + unsigned int jpeg_addr = 0; + + if (ctx->mode == S5P_JPEG_ENCODE) +@@ -2354,7 +2354,7 @@ static void exynos3250_jpeg_set_jpeg_addr(struct s5p_jpeg_ctx *ctx) + else + vb = v4l2_m2m_next_src_buf(ctx->fh.m2m_ctx); + +- jpeg_addr = vb2_dma_contig_plane_dma_addr(vb, 0); ++ jpeg_addr = vb2_dma_contig_plane_dma_addr(&vb->vb2_buf, 0); + exynos3250_jpeg_jpgadr(jpeg->regs, jpeg_addr); + } + +-- +2.19.1 + diff --git a/queue-5.0/media-sh_veu-correct-return-type-for-mem2mem-buffer-.patch b/queue-5.0/media-sh_veu-correct-return-type-for-mem2mem-buffer-.patch new file mode 100644 index 00000000000..3eecbbf2f40 --- /dev/null +++ b/queue-5.0/media-sh_veu-correct-return-type-for-mem2mem-buffer-.patch @@ -0,0 +1,57 @@ +From 04bdc4951678902ae826d31a364998fae3c1987f Mon Sep 17 00:00:00 2001 +From: Ezequiel Garcia +Date: Fri, 8 Feb 2019 11:17:46 -0500 +Subject: media: sh_veu: Correct return type for mem2mem buffer helpers + +[ Upstream commit 43c145195c7fc3025ee7ecfc67112ac1c82af7c2 ] + +Fix the assigned type of mem2mem buffer handling API. +Namely, these functions: + + v4l2_m2m_next_buf + v4l2_m2m_last_buf + v4l2_m2m_buf_remove + v4l2_m2m_next_src_buf + v4l2_m2m_next_dst_buf + v4l2_m2m_last_src_buf + v4l2_m2m_last_dst_buf + v4l2_m2m_src_buf_remove + v4l2_m2m_dst_buf_remove + +return a struct vb2_v4l2_buffer, and not a struct vb2_buffer. + +Fixing this is necessary to fix the mem2mem buffer handling API, +changing the return to the correct struct vb2_v4l2_buffer instead +of a void pointer. + +Signed-off-by: Ezequiel Garcia +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/sh_veu.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/platform/sh_veu.c b/drivers/media/platform/sh_veu.c +index 09ae64a0004c..d277cc674349 100644 +--- a/drivers/media/platform/sh_veu.c ++++ b/drivers/media/platform/sh_veu.c +@@ -273,13 +273,13 @@ static void sh_veu_process(struct sh_veu_dev *veu, + static void sh_veu_device_run(void *priv) + { + struct sh_veu_dev *veu = priv; +- struct vb2_buffer *src_buf, *dst_buf; ++ struct vb2_v4l2_buffer *src_buf, *dst_buf; + + src_buf = v4l2_m2m_next_src_buf(veu->m2m_ctx); + dst_buf = v4l2_m2m_next_dst_buf(veu->m2m_ctx); + + if (src_buf && dst_buf) +- sh_veu_process(veu, src_buf, dst_buf); ++ sh_veu_process(veu, &src_buf->vb2_buf, &dst_buf->vb2_buf); + } + + /* ========== video ioctls ========== */ +-- +2.19.1 + diff --git a/queue-5.0/memcg-killed-threads-should-not-invoke-memcg-oom-kil.patch b/queue-5.0/memcg-killed-threads-should-not-invoke-memcg-oom-kil.patch new file mode 100644 index 00000000000..d08ed4544a9 --- /dev/null +++ b/queue-5.0/memcg-killed-threads-should-not-invoke-memcg-oom-kil.patch @@ -0,0 +1,97 @@ +From f4dbd8994fb768c328e5c20da69652aeff4c09cc Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Tue, 5 Mar 2019 15:46:47 -0800 +Subject: memcg: killed threads should not invoke memcg OOM killer + +[ Upstream commit 7775face207922ea62a4e96b9cd45abfdc7b9840 ] + +If a memory cgroup contains a single process with many threads +(including different process group sharing the mm) then it is possible +to trigger a race when the oom killer complains that there are no oom +elible tasks and complain into the log which is both annoying and +confusing because there is no actual problem. The race looks as +follows: + +P1 oom_reaper P2 +try_charge try_charge + mem_cgroup_out_of_memory + mutex_lock(oom_lock) + out_of_memory + oom_kill_process(P1,P2) + wake_oom_reaper + mutex_unlock(oom_lock) + oom_reap_task + mutex_lock(oom_lock) + select_bad_process # no victim + +The problem is more visible with many threads. + +Fix this by checking for fatal_signal_pending from +mem_cgroup_out_of_memory when the oom_lock is already held. + +The oom bypass is safe because we do the same early in the try_charge +path already. The situation migh have changed in the mean time. It +should be safe to check for fatal_signal_pending and tsk_is_oom_victim +but for a better code readability abstract the current charge bypass +condition into should_force_charge and reuse it from that path. " + +Link: http://lkml.kernel.org/r/01370f70-e1f6-ebe4-b95e-0df21a0bc15e@i-love.sakura.ne.jp +Signed-off-by: Tetsuo Handa +Acked-by: Michal Hocko +Acked-by: Johannes Weiner +Cc: David Rientjes +Cc: Kirill Tkhai +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/memcontrol.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +diff --git a/mm/memcontrol.c b/mm/memcontrol.c +index af7f18b32389..79a7d2a06bba 100644 +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -248,6 +248,12 @@ enum res_type { + iter != NULL; \ + iter = mem_cgroup_iter(NULL, iter, NULL)) + ++static inline bool should_force_charge(void) ++{ ++ return tsk_is_oom_victim(current) || fatal_signal_pending(current) || ++ (current->flags & PF_EXITING); ++} ++ + /* Some nice accessors for the vmpressure. */ + struct vmpressure *memcg_to_vmpressure(struct mem_cgroup *memcg) + { +@@ -1389,8 +1395,13 @@ static bool mem_cgroup_out_of_memory(struct mem_cgroup *memcg, gfp_t gfp_mask, + }; + bool ret; + +- mutex_lock(&oom_lock); +- ret = out_of_memory(&oc); ++ if (mutex_lock_killable(&oom_lock)) ++ return true; ++ /* ++ * A few threads which were not waiting at mutex_lock_killable() can ++ * fail to bail out. Therefore, check again after holding oom_lock. ++ */ ++ ret = should_force_charge() || out_of_memory(&oc); + mutex_unlock(&oom_lock); + return ret; + } +@@ -2209,9 +2220,7 @@ retry: + * bypass the last charges so that they can exit quickly and + * free their memory. + */ +- if (unlikely(tsk_is_oom_victim(current) || +- fatal_signal_pending(current) || +- current->flags & PF_EXITING)) ++ if (unlikely(should_force_charge())) + goto force; + + /* +-- +2.19.1 + diff --git a/queue-5.0/mlxsw-spectrum-avoid-wformat-truncation-warnings.patch b/queue-5.0/mlxsw-spectrum-avoid-wformat-truncation-warnings.patch new file mode 100644 index 00000000000..6af9466f8c2 --- /dev/null +++ b/queue-5.0/mlxsw-spectrum-avoid-wformat-truncation-warnings.patch @@ -0,0 +1,70 @@ +From 85c5974f35581212026c2b54bf3e4304e4bce378 Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Thu, 21 Feb 2019 20:09:26 -0800 +Subject: mlxsw: spectrum: Avoid -Wformat-truncation warnings + +[ Upstream commit ab2c4e2581ad32c28627235ff0ae8c5a5ea6899f ] + +Give precision identifiers to the two snprintf() formatting the priority +and TC strings to avoid producing these two warnings: + +drivers/net/ethernet/mellanox/mlxsw/spectrum.c: In function +'mlxsw_sp_port_get_prio_strings': +drivers/net/ethernet/mellanox/mlxsw/spectrum.c:2132:37: warning: '%d' +directive output may be truncated writing between 1 and 3 bytes into a +region of size between 0 and 31 [-Wformat-truncation=] + snprintf(*p, ETH_GSTRING_LEN, "%s_%d", + ^~ +drivers/net/ethernet/mellanox/mlxsw/spectrum.c:2132:3: note: 'snprintf' +output between 3 and 36 bytes into a destination of size 32 + snprintf(*p, ETH_GSTRING_LEN, "%s_%d", + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + mlxsw_sp_port_hw_prio_stats[i].str, prio); + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +drivers/net/ethernet/mellanox/mlxsw/spectrum.c: In function +'mlxsw_sp_port_get_tc_strings': +drivers/net/ethernet/mellanox/mlxsw/spectrum.c:2143:37: warning: '%d' +directive output may be truncated writing between 1 and 11 bytes into a +region of size between 0 and 31 [-Wformat-truncation=] + snprintf(*p, ETH_GSTRING_LEN, "%s_%d", + ^~ +drivers/net/ethernet/mellanox/mlxsw/spectrum.c:2143:3: note: 'snprintf' +output between 3 and 44 bytes into a destination of size 32 + snprintf(*p, ETH_GSTRING_LEN, "%s_%d", + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + mlxsw_sp_port_hw_tc_stats[i].str, tc); + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Signed-off-by: Florian Fainelli +Reviewed-by: Ido Schimmel +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlxsw/spectrum.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c +index b65e274b02e9..cbdee5164be7 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c +@@ -2105,7 +2105,7 @@ static void mlxsw_sp_port_get_prio_strings(u8 **p, int prio) + int i; + + for (i = 0; i < MLXSW_SP_PORT_HW_PRIO_STATS_LEN; i++) { +- snprintf(*p, ETH_GSTRING_LEN, "%s_%d", ++ snprintf(*p, ETH_GSTRING_LEN, "%.29s_%.1d", + mlxsw_sp_port_hw_prio_stats[i].str, prio); + *p += ETH_GSTRING_LEN; + } +@@ -2116,7 +2116,7 @@ static void mlxsw_sp_port_get_tc_strings(u8 **p, int tc) + int i; + + for (i = 0; i < MLXSW_SP_PORT_HW_TC_STATS_LEN; i++) { +- snprintf(*p, ETH_GSTRING_LEN, "%s_%d", ++ snprintf(*p, ETH_GSTRING_LEN, "%.29s_%.1d", + mlxsw_sp_port_hw_tc_stats[i].str, tc); + *p += ETH_GSTRING_LEN; + } +-- +2.19.1 + diff --git a/queue-5.0/mm-cma.c-cma_declare_contiguous-correct-err-handling.patch b/queue-5.0/mm-cma.c-cma_declare_contiguous-correct-err-handling.patch new file mode 100644 index 00000000000..06d3cd5887b --- /dev/null +++ b/queue-5.0/mm-cma.c-cma_declare_contiguous-correct-err-handling.patch @@ -0,0 +1,59 @@ +From c9f0554d8f91e1c7e5e5e3cb28f6969d1685001d Mon Sep 17 00:00:00 2001 +From: Peng Fan +Date: Tue, 5 Mar 2019 15:49:50 -0800 +Subject: mm/cma.c: cma_declare_contiguous: correct err handling + +[ Upstream commit 0d3bd18a5efd66097ef58622b898d3139790aa9d ] + +In case cma_init_reserved_mem failed, need to free the memblock +allocated by memblock_reserve or memblock_alloc_range. + +Quote Catalin's comments: + https://lkml.org/lkml/2019/2/26/482 + +Kmemleak is supposed to work with the memblock_{alloc,free} pair and it +ignores the memblock_reserve() as a memblock_alloc() implementation +detail. It is, however, tolerant to memblock_free() being called on +a sub-range or just a different range from a previous memblock_alloc(). +So the original patch looks fine to me. FWIW: + +Link: http://lkml.kernel.org/r/20190227144631.16708-1-peng.fan@nxp.com +Signed-off-by: Peng Fan +Reviewed-by: Catalin Marinas +Reviewed-by: Mike Rapoport +Cc: Laura Abbott +Cc: Joonsoo Kim +Cc: Michal Hocko +Cc: Vlastimil Babka +Cc: Marek Szyprowski +Cc: Andrey Konovalov +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/cma.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/mm/cma.c b/mm/cma.c +index c7b39dd3b4f6..f4f3a8a57d86 100644 +--- a/mm/cma.c ++++ b/mm/cma.c +@@ -353,12 +353,14 @@ int __init cma_declare_contiguous(phys_addr_t base, + + ret = cma_init_reserved_mem(base, size, order_per_bit, name, res_cma); + if (ret) +- goto err; ++ goto free_mem; + + pr_info("Reserved %ld MiB at %pa\n", (unsigned long)size / SZ_1M, + &base); + return 0; + ++free_mem: ++ memblock_free(base, size); + err: + pr_err("Failed to reserve %ld MiB\n", (unsigned long)size / SZ_1M); + return ret; +-- +2.19.1 + diff --git a/queue-5.0/mm-mempolicy-fix-uninit-memory-access.patch b/queue-5.0/mm-mempolicy-fix-uninit-memory-access.patch new file mode 100644 index 00000000000..7f2614a9ee5 --- /dev/null +++ b/queue-5.0/mm-mempolicy-fix-uninit-memory-access.patch @@ -0,0 +1,95 @@ +From 7c19b7ea435ebbfa366ee36e382b7bfd67c82cab Mon Sep 17 00:00:00 2001 +From: Vlastimil Babka +Date: Tue, 5 Mar 2019 15:46:50 -0800 +Subject: mm, mempolicy: fix uninit memory access + +[ Upstream commit 2e25644e8da4ed3a27e7b8315aaae74660be72dc ] + +Syzbot with KMSAN reports (excerpt): + +================================================================== +BUG: KMSAN: uninit-value in mpol_rebind_policy mm/mempolicy.c:353 [inline] +BUG: KMSAN: uninit-value in mpol_rebind_mm+0x249/0x370 mm/mempolicy.c:384 +CPU: 1 PID: 17420 Comm: syz-executor4 Not tainted 4.20.0-rc7+ #15 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS +Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x173/0x1d0 lib/dump_stack.c:113 + kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:613 + __msan_warning+0x82/0xf0 mm/kmsan/kmsan_instr.c:295 + mpol_rebind_policy mm/mempolicy.c:353 [inline] + mpol_rebind_mm+0x249/0x370 mm/mempolicy.c:384 + update_tasks_nodemask+0x608/0xca0 kernel/cgroup/cpuset.c:1120 + update_nodemasks_hier kernel/cgroup/cpuset.c:1185 [inline] + update_nodemask kernel/cgroup/cpuset.c:1253 [inline] + cpuset_write_resmask+0x2a98/0x34b0 kernel/cgroup/cpuset.c:1728 + +... + +Uninit was created at: + kmsan_save_stack_with_flags mm/kmsan/kmsan.c:204 [inline] + kmsan_internal_poison_shadow+0x92/0x150 mm/kmsan/kmsan.c:158 + kmsan_kmalloc+0xa6/0x130 mm/kmsan/kmsan_hooks.c:176 + kmem_cache_alloc+0x572/0xb90 mm/slub.c:2777 + mpol_new mm/mempolicy.c:276 [inline] + do_mbind mm/mempolicy.c:1180 [inline] + kernel_mbind+0x8a7/0x31a0 mm/mempolicy.c:1347 + __do_sys_mbind mm/mempolicy.c:1354 [inline] + +As it's difficult to report where exactly the uninit value resides in +the mempolicy object, we have to guess a bit. mm/mempolicy.c:353 +contains this part of mpol_rebind_policy(): + + if (!mpol_store_user_nodemask(pol) && + nodes_equal(pol->w.cpuset_mems_allowed, *newmask)) + +"mpol_store_user_nodemask(pol)" is testing pol->flags, which I couldn't +ever see being uninitialized after leaving mpol_new(). So I'll guess +it's actually about accessing pol->w.cpuset_mems_allowed on line 354, +but still part of statement starting on line 353. + +For w.cpuset_mems_allowed to be not initialized, and the nodes_equal() +reachable for a mempolicy where mpol_set_nodemask() is called in +do_mbind(), it seems the only possibility is a MPOL_PREFERRED policy +with empty set of nodes, i.e. MPOL_LOCAL equivalent, with MPOL_F_LOCAL +flag. Let's exclude such policies from the nodes_equal() check. Note +the uninit access should be benign anyway, as rebinding this kind of +policy is always a no-op. Therefore no actual need for stable +inclusion. + +Link: http://lkml.kernel.org/r/a71997c3-e8ae-a787-d5ce-3db05768b27c@suse.cz +Link: http://lkml.kernel.org/r/73da3e9c-cc84-509e-17d9-0c434bb9967d@suse.cz +Signed-off-by: Vlastimil Babka +Reported-by: syzbot+b19c2dc2c990ea657a71@syzkaller.appspotmail.com +Cc: Alexander Potapenko +Cc: Dmitry Vyukov +Cc: Andrea Arcangeli +Cc: "Kirill A. Shutemov" +Cc: Michal Hocko +Cc: David Rientjes +Cc: Yisheng Xie +Cc: zhong jiang +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/mempolicy.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/mm/mempolicy.c b/mm/mempolicy.c +index 6bc9786aad6e..c2275c1e6d2a 100644 +--- a/mm/mempolicy.c ++++ b/mm/mempolicy.c +@@ -350,7 +350,7 @@ static void mpol_rebind_policy(struct mempolicy *pol, const nodemask_t *newmask) + { + if (!pol) + return; +- if (!mpol_store_user_nodemask(pol) && ++ if (!mpol_store_user_nodemask(pol) && !(pol->flags & MPOL_F_LOCAL) && + nodes_equal(pol->w.cpuset_mems_allowed, *newmask)) + return; + +-- +2.19.1 + diff --git a/queue-5.0/mm-oom-don-t-kill-global-init-via-memory.oom.group.patch b/queue-5.0/mm-oom-don-t-kill-global-init-via-memory.oom.group.patch new file mode 100644 index 00000000000..0719cfca46d --- /dev/null +++ b/queue-5.0/mm-oom-don-t-kill-global-init-via-memory.oom.group.patch @@ -0,0 +1,177 @@ +From 2879ce5b3d275de19c09d1854128031f38f02274 Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Tue, 5 Mar 2019 15:48:22 -0800 +Subject: mm,oom: don't kill global init via memory.oom.group + +[ Upstream commit d342a0b38674867ea67fde47b0e1e60ffe9f17a2 ] + +Since setting global init process to some memory cgroup is technically +possible, oom_kill_memcg_member() must check it. + + Tasks in /test1 are going to be killed due to memory.oom.group set + Memory cgroup out of memory: Killed process 1 (systemd) total-vm:43400kB, anon-rss:1228kB, file-rss:3992kB, shmem-rss:0kB + oom_reaper: reaped process 1 (systemd), now anon-rss:0kB, file-rss:0kB, shmem-rss:0kB + Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000008b + +#include +#include +#include +#include +#include +#include + +int main(int argc, char *argv[]) +{ + static char buffer[10485760]; + static int pipe_fd[2] = { EOF, EOF }; + unsigned int i; + int fd; + char buf[64] = { }; + if (pipe(pipe_fd)) + return 1; + if (chdir("/sys/fs/cgroup/")) + return 1; + fd = open("cgroup.subtree_control", O_WRONLY); + write(fd, "+memory", 7); + close(fd); + mkdir("test1", 0755); + fd = open("test1/memory.oom.group", O_WRONLY); + write(fd, "1", 1); + close(fd); + fd = open("test1/cgroup.procs", O_WRONLY); + write(fd, "1", 1); + snprintf(buf, sizeof(buf) - 1, "%d", getpid()); + write(fd, buf, strlen(buf)); + close(fd); + snprintf(buf, sizeof(buf) - 1, "%lu", sizeof(buffer) * 5); + fd = open("test1/memory.max", O_WRONLY); + write(fd, buf, strlen(buf)); + close(fd); + for (i = 0; i < 10; i++) + if (fork() == 0) { + char c; + close(pipe_fd[1]); + read(pipe_fd[0], &c, 1); + memset(buffer, 0, sizeof(buffer)); + sleep(3); + _exit(0); + } + close(pipe_fd[0]); + close(pipe_fd[1]); + sleep(3); + return 0; +} + +[ 37.052923][ T9185] a.out invoked oom-killer: gfp_mask=0xcc0(GFP_KERNEL), order=0, oom_score_adj=0 +[ 37.056169][ T9185] CPU: 4 PID: 9185 Comm: a.out Kdump: loaded Not tainted 5.0.0-rc4-next-20190131 #280 +[ 37.059205][ T9185] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/13/2018 +[ 37.062954][ T9185] Call Trace: +[ 37.063976][ T9185] dump_stack+0x67/0x95 +[ 37.065263][ T9185] dump_header+0x51/0x570 +[ 37.066619][ T9185] ? trace_hardirqs_on+0x3f/0x110 +[ 37.068171][ T9185] ? _raw_spin_unlock_irqrestore+0x3d/0x70 +[ 37.069967][ T9185] oom_kill_process+0x18d/0x210 +[ 37.071515][ T9185] out_of_memory+0x11b/0x380 +[ 37.072936][ T9185] mem_cgroup_out_of_memory+0xb6/0xd0 +[ 37.074601][ T9185] try_charge+0x790/0x820 +[ 37.076021][ T9185] mem_cgroup_try_charge+0x42/0x1d0 +[ 37.077629][ T9185] mem_cgroup_try_charge_delay+0x11/0x30 +[ 37.079370][ T9185] do_anonymous_page+0x105/0x5e0 +[ 37.080939][ T9185] __handle_mm_fault+0x9cb/0x1070 +[ 37.082485][ T9185] handle_mm_fault+0x1b2/0x3a0 +[ 37.083819][ T9185] ? handle_mm_fault+0x47/0x3a0 +[ 37.085181][ T9185] __do_page_fault+0x255/0x4c0 +[ 37.086529][ T9185] do_page_fault+0x28/0x260 +[ 37.087788][ T9185] ? page_fault+0x8/0x30 +[ 37.088978][ T9185] page_fault+0x1e/0x30 +[ 37.090142][ T9185] RIP: 0033:0x7f8b183aefe0 +[ 37.091433][ T9185] Code: 20 f3 44 0f 7f 44 17 d0 f3 44 0f 7f 47 30 f3 44 0f 7f 44 17 c0 48 01 fa 48 83 e2 c0 48 39 d1 74 a3 66 0f 1f 84 00 00 00 00 00 <66> 44 0f 7f 01 66 44 0f 7f 41 10 66 44 0f 7f 41 20 66 44 0f 7f 41 +[ 37.096917][ T9185] RSP: 002b:00007fffc5d329e8 EFLAGS: 00010206 +[ 37.098615][ T9185] RAX: 00000000006010e0 RBX: 0000000000000008 RCX: 0000000000c30000 +[ 37.100905][ T9185] RDX: 00000000010010c0 RSI: 0000000000000000 RDI: 00000000006010e0 +[ 37.103349][ T9185] RBP: 0000000000000000 R08: 00007f8b188f4740 R09: 0000000000000000 +[ 37.105797][ T9185] R10: 00007fffc5d32420 R11: 00007f8b183aef40 R12: 0000000000000005 +[ 37.108228][ T9185] R13: 0000000000000000 R14: ffffffffffffffff R15: 0000000000000000 +[ 37.110840][ T9185] memory: usage 51200kB, limit 51200kB, failcnt 125 +[ 37.113045][ T9185] memory+swap: usage 0kB, limit 9007199254740988kB, failcnt 0 +[ 37.115808][ T9185] kmem: usage 0kB, limit 9007199254740988kB, failcnt 0 +[ 37.117660][ T9185] Memory cgroup stats for /test1: cache:0KB rss:49484KB rss_huge:30720KB shmem:0KB mapped_file:0KB dirty:0KB writeback:0KB inactive_anon:0KB active_anon:49700KB inactive_file:0KB active_file:0KB unevictable:0KB +[ 37.123371][ T9185] oom-kill:constraint=CONSTRAINT_NONE,nodemask=(null),cpuset=/,mems_allowed=0,oom_memcg=/test1,task_memcg=/test1,task=a.out,pid=9188,uid=0 +[ 37.128158][ T9185] Memory cgroup out of memory: Killed process 9188 (a.out) total-vm:14456kB, anon-rss:10324kB, file-rss:504kB, shmem-rss:0kB +[ 37.132710][ T9185] Tasks in /test1 are going to be killed due to memory.oom.group set +[ 37.132833][ T54] oom_reaper: reaped process 9188 (a.out), now anon-rss:0kB, file-rss:0kB, shmem-rss:0kB +[ 37.135498][ T9185] Memory cgroup out of memory: Killed process 1 (systemd) total-vm:43400kB, anon-rss:1228kB, file-rss:3992kB, shmem-rss:0kB +[ 37.143434][ T9185] Memory cgroup out of memory: Killed process 9182 (a.out) total-vm:14456kB, anon-rss:76kB, file-rss:588kB, shmem-rss:0kB +[ 37.144328][ T54] oom_reaper: reaped process 1 (systemd), now anon-rss:0kB, file-rss:0kB, shmem-rss:0kB +[ 37.147585][ T9185] Memory cgroup out of memory: Killed process 9183 (a.out) total-vm:14456kB, anon-rss:6228kB, file-rss:512kB, shmem-rss:0kB +[ 37.157222][ T9185] Memory cgroup out of memory: Killed process 9184 (a.out) total-vm:14456kB, anon-rss:6228kB, file-rss:508kB, shmem-rss:0kB +[ 37.157259][ T9185] Memory cgroup out of memory: Killed process 9185 (a.out) total-vm:14456kB, anon-rss:6228kB, file-rss:512kB, shmem-rss:0kB +[ 37.157291][ T9185] Memory cgroup out of memory: Killed process 9186 (a.out) total-vm:14456kB, anon-rss:4180kB, file-rss:508kB, shmem-rss:0kB +[ 37.157306][ T54] oom_reaper: reaped process 9183 (a.out), now anon-rss:0kB, file-rss:0kB, shmem-rss:0kB +[ 37.157328][ T9185] Memory cgroup out of memory: Killed process 9187 (a.out) total-vm:14456kB, anon-rss:4180kB, file-rss:512kB, shmem-rss:0kB +[ 37.157452][ T9185] Memory cgroup out of memory: Killed process 9189 (a.out) total-vm:14456kB, anon-rss:6228kB, file-rss:512kB, shmem-rss:0kB +[ 37.158733][ T9185] Memory cgroup out of memory: Killed process 9190 (a.out) total-vm:14456kB, anon-rss:552kB, file-rss:512kB, shmem-rss:0kB +[ 37.160083][ T54] oom_reaper: reaped process 9186 (a.out), now anon-rss:0kB, file-rss:0kB, shmem-rss:0kB +[ 37.160187][ T54] oom_reaper: reaped process 9189 (a.out), now anon-rss:0kB, file-rss:0kB, shmem-rss:0kB +[ 37.206941][ T54] oom_reaper: reaped process 9185 (a.out), now anon-rss:0kB, file-rss:0kB, shmem-rss:0kB +[ 37.212300][ T9185] Memory cgroup out of memory: Killed process 9191 (a.out) total-vm:14456kB, anon-rss:4180kB, file-rss:512kB, shmem-rss:0kB +[ 37.212317][ T54] oom_reaper: reaped process 9190 (a.out), now anon-rss:0kB, file-rss:0kB, shmem-rss:0kB +[ 37.218860][ T9185] Memory cgroup out of memory: Killed process 9192 (a.out) total-vm:14456kB, anon-rss:1080kB, file-rss:512kB, shmem-rss:0kB +[ 37.227667][ T54] oom_reaper: reaped process 9192 (a.out), now anon-rss:0kB, file-rss:0kB, shmem-rss:0kB +[ 37.292323][ T9193] abrt-hook-ccpp (9193) used greatest stack depth: 10480 bytes left +[ 37.351843][ T1] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000008b +[ 37.354833][ T1] CPU: 7 PID: 1 Comm: systemd Kdump: loaded Not tainted 5.0.0-rc4-next-20190131 #280 +[ 37.357876][ T1] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/13/2018 +[ 37.361685][ T1] Call Trace: +[ 37.363239][ T1] dump_stack+0x67/0x95 +[ 37.365010][ T1] panic+0xfc/0x2b0 +[ 37.366853][ T1] do_exit+0xd55/0xd60 +[ 37.368595][ T1] do_group_exit+0x47/0xc0 +[ 37.370415][ T1] get_signal+0x32a/0x920 +[ 37.372449][ T1] ? _raw_spin_unlock_irqrestore+0x3d/0x70 +[ 37.374596][ T1] do_signal+0x32/0x6e0 +[ 37.376430][ T1] ? exit_to_usermode_loop+0x26/0x9b +[ 37.378418][ T1] ? prepare_exit_to_usermode+0xa8/0xd0 +[ 37.380571][ T1] exit_to_usermode_loop+0x3e/0x9b +[ 37.382588][ T1] prepare_exit_to_usermode+0xa8/0xd0 +[ 37.384594][ T1] ? page_fault+0x8/0x30 +[ 37.386453][ T1] retint_user+0x8/0x18 +[ 37.388160][ T1] RIP: 0033:0x7f42c06974a8 +[ 37.389922][ T1] Code: Bad RIP value. +[ 37.391788][ T1] RSP: 002b:00007ffc3effd388 EFLAGS: 00010213 +[ 37.394075][ T1] RAX: 000000000000000e RBX: 00007ffc3effd390 RCX: 0000000000000000 +[ 37.396963][ T1] RDX: 000000000000002a RSI: 00007ffc3effd390 RDI: 0000000000000004 +[ 37.399550][ T1] RBP: 00007ffc3effd680 R08: 0000000000000000 R09: 0000000000000000 +[ 37.402334][ T1] R10: 00000000ffffffff R11: 0000000000000246 R12: 0000000000000001 +[ 37.404890][ T1] R13: ffffffffffffffff R14: 0000000000000884 R15: 000056460b1ac3b0 + +Link: http://lkml.kernel.org/r/201902010336.x113a4EO027170@www262.sakura.ne.jp +Fixes: 3d8b38eb81cac813 ("mm, oom: introduce memory.oom.group") +Signed-off-by: Tetsuo Handa +Acked-by: Michal Hocko +Cc: Roman Gushchin +Cc: Johannes Weiner +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/oom_kill.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/mm/oom_kill.c b/mm/oom_kill.c +index 26ea8636758f..da0e44914085 100644 +--- a/mm/oom_kill.c ++++ b/mm/oom_kill.c +@@ -928,7 +928,8 @@ static void __oom_kill_process(struct task_struct *victim) + */ + static int oom_kill_memcg_member(struct task_struct *task, void *unused) + { +- if (task->signal->oom_score_adj != OOM_SCORE_ADJ_MIN) { ++ if (task->signal->oom_score_adj != OOM_SCORE_ADJ_MIN && ++ !is_global_init(task)) { + get_task_struct(task); + __oom_kill_process(task); + } +-- +2.19.1 + diff --git a/queue-5.0/mm-page_ext.c-fix-an-imbalance-with-kmemleak.patch b/queue-5.0/mm-page_ext.c-fix-an-imbalance-with-kmemleak.patch new file mode 100644 index 00000000000..133a66029f5 --- /dev/null +++ b/queue-5.0/mm-page_ext.c-fix-an-imbalance-with-kmemleak.patch @@ -0,0 +1,82 @@ +From cc9e8ae4112f366770bf19c3d4f776e85842ee13 Mon Sep 17 00:00:00 2001 +From: Qian Cai +Date: Tue, 5 Mar 2019 15:49:46 -0800 +Subject: mm/page_ext.c: fix an imbalance with kmemleak + +[ Upstream commit 0c81585499601acd1d0e1cbf424cabfaee60628c ] + +After offlining a memory block, kmemleak scan will trigger a crash, as +it encounters a page ext address that has already been freed during +memory offlining. At the beginning in alloc_page_ext(), it calls +kmemleak_alloc(), but it does not call kmemleak_free() in +free_page_ext(). + + BUG: unable to handle kernel paging request at ffff888453d00000 + PGD 128a01067 P4D 128a01067 PUD 128a04067 PMD 47e09e067 PTE 800ffffbac2ff060 + Oops: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI + CPU: 1 PID: 1594 Comm: bash Not tainted 5.0.0-rc8+ #15 + Hardware name: HP ProLiant DL180 Gen9/ProLiant DL180 Gen9, BIOS U20 10/25/2017 + RIP: 0010:scan_block+0xb5/0x290 + Code: 85 6e 01 00 00 48 b8 00 00 30 f5 81 88 ff ff 48 39 c3 0f 84 5b 01 00 00 48 89 d8 48 c1 e8 03 42 80 3c 20 00 0f 85 87 01 00 00 <4c> 8b 3b e8 f3 0c fa ff 4c 39 3d 0c 6b 4c 01 0f 87 08 01 00 00 4c + RSP: 0018:ffff8881ec57f8e0 EFLAGS: 00010082 + RAX: 0000000000000000 RBX: ffff888453d00000 RCX: ffffffffa61e5a54 + RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff888453d00000 + RBP: ffff8881ec57f920 R08: fffffbfff4ed588d R09: fffffbfff4ed588c + R10: fffffbfff4ed588c R11: ffffffffa76ac463 R12: dffffc0000000000 + R13: ffff888453d00ff9 R14: ffff8881f80cef48 R15: ffff8881f80cef48 + FS: 00007f6c0e3f8740(0000) GS:ffff8881f7680000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: ffff888453d00000 CR3: 00000001c4244003 CR4: 00000000001606a0 + Call Trace: + scan_gray_list+0x269/0x430 + kmemleak_scan+0x5a8/0x10f0 + kmemleak_write+0x541/0x6ca + full_proxy_write+0xf8/0x190 + __vfs_write+0xeb/0x980 + vfs_write+0x15a/0x4f0 + ksys_write+0xd2/0x1b0 + __x64_sys_write+0x73/0xb0 + do_syscall_64+0xeb/0xaaa + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + RIP: 0033:0x7f6c0dad73b8 + Code: 89 02 48 c7 c0 ff ff ff ff eb b3 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 8d 05 65 63 2d 00 8b 00 85 c0 75 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 41 54 49 89 d4 55 + RSP: 002b:00007ffd5b863cb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 + RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007f6c0dad73b8 + RDX: 0000000000000005 RSI: 000055a9216e1710 RDI: 0000000000000001 + RBP: 000055a9216e1710 R08: 000000000000000a R09: 00007ffd5b863840 + R10: 000000000000000a R11: 0000000000000246 R12: 00007f6c0dda9780 + R13: 0000000000000005 R14: 00007f6c0dda4740 R15: 0000000000000005 + Modules linked in: nls_iso8859_1 nls_cp437 vfat fat kvm_intel kvm irqbypass efivars ip_tables x_tables xfs sd_mod ahci libahci igb i2c_algo_bit libata i2c_core dm_mirror dm_region_hash dm_log dm_mod efivarfs + CR2: ffff888453d00000 + ---[ end trace ccf646c7456717c5 ]--- + Kernel panic - not syncing: Fatal exception + Shutting down cpus with NMI + Kernel Offset: 0x24c00000 from 0xffffffff81000000 (relocation range: + 0xffffffff80000000-0xffffffffbfffffff) + ---[ end Kernel panic - not syncing: Fatal exception ]--- + +Link: http://lkml.kernel.org/r/20190227173147.75650-1-cai@lca.pw +Signed-off-by: Qian Cai +Reviewed-by: Catalin Marinas +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/page_ext.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/mm/page_ext.c b/mm/page_ext.c +index 8c78b8d45117..f116431c3dee 100644 +--- a/mm/page_ext.c ++++ b/mm/page_ext.c +@@ -273,6 +273,7 @@ static void free_page_ext(void *addr) + table_size = get_entry_size() * PAGES_PER_SECTION; + + BUG_ON(PageReserved(page)); ++ kmemleak_free(addr); + free_pages_exact(addr, table_size); + } + } +-- +2.19.1 + diff --git a/queue-5.0/mm-resource-return-real-error-codes-from-walk-failur.patch b/queue-5.0/mm-resource-return-real-error-codes-from-walk-failur.patch new file mode 100644 index 00000000000..9c085a3107e --- /dev/null +++ b/queue-5.0/mm-resource-return-real-error-codes-from-walk-failur.patch @@ -0,0 +1,80 @@ +From 0dd413585d636d6c4825a2b7b5e13db71df13a70 Mon Sep 17 00:00:00 2001 +From: Dave Hansen +Date: Mon, 25 Feb 2019 10:57:30 -0800 +Subject: mm/resource: Return real error codes from walk failures + +[ Upstream commit 5cd401ace914dc68556c6d2fcae0c349444d5f86 ] + +walk_system_ram_range() can return an error code either becuase +*it* failed, or because the 'func' that it calls returned an +error. The memory hotplug does the following: + + ret = walk_system_ram_range(..., func); + if (ret) + return ret; + +and 'ret' makes it out to userspace, eventually. The problem +s, walk_system_ram_range() failues that result from *it* failing +(as opposed to 'func') return -1. That leads to a very odd +-EPERM (-1) return code out to userspace. + +Make walk_system_ram_range() return -EINVAL for internal +failures to keep userspace less confused. + +This return code is compatible with all the callers that I +audited. + +Signed-off-by: Dave Hansen +Reviewed-by: Bjorn Helgaas +Acked-by: Michael Ellerman (powerpc) +Cc: Dan Williams +Cc: Dave Jiang +Cc: Ross Zwisler +Cc: Vishal Verma +Cc: Tom Lendacky +Cc: Andrew Morton +Cc: Michal Hocko +Cc: linux-nvdimm@lists.01.org +Cc: linux-kernel@vger.kernel.org +Cc: linux-mm@kvack.org +Cc: Huang Ying +Cc: Fengguang Wu +Cc: Borislav Petkov +Cc: Yaowei Bai +Cc: Takashi Iwai +Cc: Jerome Glisse +Cc: Benjamin Herrenschmidt +Cc: Paul Mackerras +Cc: linuxppc-dev@lists.ozlabs.org +Cc: Keith Busch +Signed-off-by: Dan Williams +Signed-off-by: Sasha Levin +--- + kernel/resource.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/kernel/resource.c b/kernel/resource.c +index 915c02e8e5dd..ca7ed5158cff 100644 +--- a/kernel/resource.c ++++ b/kernel/resource.c +@@ -382,7 +382,7 @@ static int __walk_iomem_res_desc(resource_size_t start, resource_size_t end, + int (*func)(struct resource *, void *)) + { + struct resource res; +- int ret = -1; ++ int ret = -EINVAL; + + while (start < end && + !find_next_iomem_res(start, end, flags, desc, first_lvl, &res)) { +@@ -462,7 +462,7 @@ int walk_system_ram_range(unsigned long start_pfn, unsigned long nr_pages, + unsigned long flags; + struct resource res; + unsigned long pfn, end_pfn; +- int ret = -1; ++ int ret = -EINVAL; + + start = (u64) start_pfn << PAGE_SHIFT; + end = ((u64)(start_pfn + nr_pages) << PAGE_SHIFT) - 1; +-- +2.19.1 + diff --git a/queue-5.0/mm-slab.c-kmemleak-no-scan-alien-caches.patch b/queue-5.0/mm-slab.c-kmemleak-no-scan-alien-caches.patch new file mode 100644 index 00000000000..79fd2bab19c --- /dev/null +++ b/queue-5.0/mm-slab.c-kmemleak-no-scan-alien-caches.patch @@ -0,0 +1,151 @@ +From dc57dbefc959f44730430a511d039581cacf4d45 Mon Sep 17 00:00:00 2001 +From: Qian Cai +Date: Tue, 5 Mar 2019 15:42:03 -0800 +Subject: mm/slab.c: kmemleak no scan alien caches + +[ Upstream commit 92d1d07daad65c300c7d0b68bbef8867e9895d54 ] + +Kmemleak throws endless warnings during boot due to in +__alloc_alien_cache(), + + alc = kmalloc_node(memsize, gfp, node); + init_arraycache(&alc->ac, entries, batch); + kmemleak_no_scan(ac); + +Kmemleak does not track the array cache (alc->ac) but the alien cache +(alc) instead, so let it track the latter by lifting kmemleak_no_scan() +out of init_arraycache(). + +There is another place that calls init_arraycache(), but +alloc_kmem_cache_cpus() uses the percpu allocation where will never be +considered as a leak. + + kmemleak: Found object by alias at 0xffff8007b9aa7e38 + CPU: 190 PID: 1 Comm: swapper/0 Not tainted 5.0.0-rc2+ #2 + Call trace: + dump_backtrace+0x0/0x168 + show_stack+0x24/0x30 + dump_stack+0x88/0xb0 + lookup_object+0x84/0xac + find_and_get_object+0x84/0xe4 + kmemleak_no_scan+0x74/0xf4 + setup_kmem_cache_node+0x2b4/0x35c + __do_tune_cpucache+0x250/0x2d4 + do_tune_cpucache+0x4c/0xe4 + enable_cpucache+0xc8/0x110 + setup_cpu_cache+0x40/0x1b8 + __kmem_cache_create+0x240/0x358 + create_cache+0xc0/0x198 + kmem_cache_create_usercopy+0x158/0x20c + kmem_cache_create+0x50/0x64 + fsnotify_init+0x58/0x6c + do_one_initcall+0x194/0x388 + kernel_init_freeable+0x668/0x688 + kernel_init+0x18/0x124 + ret_from_fork+0x10/0x18 + kmemleak: Object 0xffff8007b9aa7e00 (size 256): + kmemleak: comm "swapper/0", pid 1, jiffies 4294697137 + kmemleak: min_count = 1 + kmemleak: count = 0 + kmemleak: flags = 0x1 + kmemleak: checksum = 0 + kmemleak: backtrace: + kmemleak_alloc+0x84/0xb8 + kmem_cache_alloc_node_trace+0x31c/0x3a0 + __kmalloc_node+0x58/0x78 + setup_kmem_cache_node+0x26c/0x35c + __do_tune_cpucache+0x250/0x2d4 + do_tune_cpucache+0x4c/0xe4 + enable_cpucache+0xc8/0x110 + setup_cpu_cache+0x40/0x1b8 + __kmem_cache_create+0x240/0x358 + create_cache+0xc0/0x198 + kmem_cache_create_usercopy+0x158/0x20c + kmem_cache_create+0x50/0x64 + fsnotify_init+0x58/0x6c + do_one_initcall+0x194/0x388 + kernel_init_freeable+0x668/0x688 + kernel_init+0x18/0x124 + kmemleak: Not scanning unknown object at 0xffff8007b9aa7e38 + CPU: 190 PID: 1 Comm: swapper/0 Not tainted 5.0.0-rc2+ #2 + Call trace: + dump_backtrace+0x0/0x168 + show_stack+0x24/0x30 + dump_stack+0x88/0xb0 + kmemleak_no_scan+0x90/0xf4 + setup_kmem_cache_node+0x2b4/0x35c + __do_tune_cpucache+0x250/0x2d4 + do_tune_cpucache+0x4c/0xe4 + enable_cpucache+0xc8/0x110 + setup_cpu_cache+0x40/0x1b8 + __kmem_cache_create+0x240/0x358 + create_cache+0xc0/0x198 + kmem_cache_create_usercopy+0x158/0x20c + kmem_cache_create+0x50/0x64 + fsnotify_init+0x58/0x6c + do_one_initcall+0x194/0x388 + kernel_init_freeable+0x668/0x688 + kernel_init+0x18/0x124 + ret_from_fork+0x10/0x18 + +Link: http://lkml.kernel.org/r/20190129184518.39808-1-cai@lca.pw +Fixes: 1fe00d50a9e8 ("slab: factor out initialization of array cache") +Signed-off-by: Qian Cai +Reviewed-by: Andrew Morton +Cc: Christoph Lameter +Cc: Pekka Enberg +Cc: David Rientjes +Cc: Joonsoo Kim +Cc: Catalin Marinas +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/slab.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/mm/slab.c b/mm/slab.c +index b3e74b56a468..2f2aa8eaf7d9 100644 +--- a/mm/slab.c ++++ b/mm/slab.c +@@ -550,14 +550,6 @@ static void start_cpu_timer(int cpu) + + static void init_arraycache(struct array_cache *ac, int limit, int batch) + { +- /* +- * The array_cache structures contain pointers to free object. +- * However, when such objects are allocated or transferred to another +- * cache the pointers are not cleared and they could be counted as +- * valid references during a kmemleak scan. Therefore, kmemleak must +- * not scan such objects. +- */ +- kmemleak_no_scan(ac); + if (ac) { + ac->avail = 0; + ac->limit = limit; +@@ -573,6 +565,14 @@ static struct array_cache *alloc_arraycache(int node, int entries, + struct array_cache *ac = NULL; + + ac = kmalloc_node(memsize, gfp, node); ++ /* ++ * The array_cache structures contain pointers to free object. ++ * However, when such objects are allocated or transferred to another ++ * cache the pointers are not cleared and they could be counted as ++ * valid references during a kmemleak scan. Therefore, kmemleak must ++ * not scan such objects. ++ */ ++ kmemleak_no_scan(ac); + init_arraycache(ac, entries, batchcount); + return ac; + } +@@ -667,6 +667,7 @@ static struct alien_cache *__alloc_alien_cache(int node, int entries, + + alc = kmalloc_node(memsize, gfp, node); + if (alc) { ++ kmemleak_no_scan(alc); + init_arraycache(&alc->ac, entries, batch); + spin_lock_init(&alc->lock); + } +-- +2.19.1 + diff --git a/queue-5.0/mm-sparse-fix-a-bad-comparison.patch b/queue-5.0/mm-sparse-fix-a-bad-comparison.patch new file mode 100644 index 00000000000..01be964c3b6 --- /dev/null +++ b/queue-5.0/mm-sparse-fix-a-bad-comparison.patch @@ -0,0 +1,63 @@ +From 11be9f67a50e146cab25e69da4cdb03dbd90d054 Mon Sep 17 00:00:00 2001 +From: Qian Cai +Date: Tue, 5 Mar 2019 15:50:11 -0800 +Subject: mm/sparse: fix a bad comparison + +[ Upstream commit d778015ac95bc036af73342c878ab19250e01fe1 ] + +next_present_section_nr() could only return an unsigned number -1, so +just check it specifically where compilers will convert -1 to unsigned +if needed. + + mm/sparse.c: In function 'sparse_init_nid': + mm/sparse.c:200:20: warning: comparison of unsigned expression >= 0 is always true [-Wtype-limits] + ((section_nr >= 0) && \ + ^~ + mm/sparse.c:478:2: note: in expansion of macro + 'for_each_present_section_nr' + for_each_present_section_nr(pnum_begin, pnum) { + ^~~~~~~~~~~~~~~~~~~~~~~~~~~ + mm/sparse.c:200:20: warning: comparison of unsigned expression >= 0 is always true [-Wtype-limits] + ((section_nr >= 0) && \ + ^~ + mm/sparse.c:497:2: note: in expansion of macro + 'for_each_present_section_nr' + for_each_present_section_nr(pnum_begin, pnum) { + ^~~~~~~~~~~~~~~~~~~~~~~~~~~ + mm/sparse.c: In function 'sparse_init': + mm/sparse.c:200:20: warning: comparison of unsigned expression >= 0 is always true [-Wtype-limits] + ((section_nr >= 0) && \ + ^~ + mm/sparse.c:520:2: note: in expansion of macro + 'for_each_present_section_nr' + for_each_present_section_nr(pnum_begin + 1, pnum_end) { + ^~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Link: http://lkml.kernel.org/r/20190228181839.86504-1-cai@lca.pw +Fixes: c4e1be9ec113 ("mm, sparsemem: break out of loops early") +Signed-off-by: Qian Cai +Reviewed-by: Andrew Morton +Cc: Dave Hansen +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/sparse.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/mm/sparse.c b/mm/sparse.c +index 4763519d4399..b3771f35a0ed 100644 +--- a/mm/sparse.c ++++ b/mm/sparse.c +@@ -197,7 +197,7 @@ static inline int next_present_section_nr(int section_nr) + } + #define for_each_present_section_nr(start, section_nr) \ + for (section_nr = next_present_section_nr(start-1); \ +- ((section_nr >= 0) && \ ++ ((section_nr != -1) && \ + (section_nr <= __highest_present_section_nr)); \ + section_nr = next_present_section_nr(section_nr)) + +-- +2.19.1 + diff --git a/queue-5.0/mm-swap-bounds-check-swap_info-array-accesses-to-avo.patch b/queue-5.0/mm-swap-bounds-check-swap_info-array-accesses-to-avo.patch new file mode 100644 index 00000000000..6bc155167c8 --- /dev/null +++ b/queue-5.0/mm-swap-bounds-check-swap_info-array-accesses-to-avo.patch @@ -0,0 +1,213 @@ +From 3f6734a735641f030eeb1274a1d0f66bc2f59d52 Mon Sep 17 00:00:00 2001 +From: Daniel Jordan +Date: Tue, 5 Mar 2019 15:48:19 -0800 +Subject: mm, swap: bounds check swap_info array accesses to avoid NULL derefs + +[ Upstream commit c10d38cc8d3e43f946b6c2bf4602c86791587f30 ] + +Dan Carpenter reports a potential NULL dereference in +get_swap_page_of_type: + + Smatch complains that the NULL checks on "si" aren't consistent. This + seems like a real bug because we have not ensured that the type is + valid and so "si" can be NULL. + +Add the missing check for NULL, taking care to use a read barrier to +ensure CPU1 observes CPU0's updates in the correct order: + + CPU0 CPU1 + alloc_swap_info() if (type >= nr_swapfiles) + swap_info[type] = p /* handle invalid entry */ + smp_wmb() smp_rmb() + ++nr_swapfiles p = swap_info[type] + +Without smp_rmb, CPU1 might observe CPU0's write to nr_swapfiles before +CPU0's write to swap_info[type] and read NULL from swap_info[type]. + +Ying Huang noticed other places in swapfile.c don't order these reads +properly. Introduce swap_type_to_swap_info to encourage correct usage. + +Use READ_ONCE and WRITE_ONCE to follow the Linux Kernel Memory Model +(see tools/memory-model/Documentation/explanation.txt). + +This ordering need not be enforced in places where swap_lock is held +(e.g. si_swapinfo) because swap_lock serializes updates to nr_swapfiles +and the swap_info array. + +Link: http://lkml.kernel.org/r/20190131024410.29859-1-daniel.m.jordan@oracle.com +Fixes: ec8acf20afb8 ("swap: add per-partition lock for swapfile") +Signed-off-by: Daniel Jordan +Reported-by: Dan Carpenter +Suggested-by: "Huang, Ying" +Reviewed-by: Andrea Parri +Acked-by: Peter Zijlstra (Intel) +Cc: Alan Stern +Cc: Andi Kleen +Cc: Dave Hansen +Cc: Omar Sandoval +Cc: Paul McKenney +Cc: Shaohua Li +Cc: Stephen Rothwell +Cc: Tejun Heo +Cc: Will Deacon +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/swapfile.c | 51 +++++++++++++++++++++++++++++---------------------- + 1 file changed, 29 insertions(+), 22 deletions(-) + +diff --git a/mm/swapfile.c b/mm/swapfile.c +index dbac1d49469d..67f60e051814 100644 +--- a/mm/swapfile.c ++++ b/mm/swapfile.c +@@ -98,6 +98,15 @@ static atomic_t proc_poll_event = ATOMIC_INIT(0); + + atomic_t nr_rotate_swap = ATOMIC_INIT(0); + ++static struct swap_info_struct *swap_type_to_swap_info(int type) ++{ ++ if (type >= READ_ONCE(nr_swapfiles)) ++ return NULL; ++ ++ smp_rmb(); /* Pairs with smp_wmb in alloc_swap_info. */ ++ return READ_ONCE(swap_info[type]); ++} ++ + static inline unsigned char swap_count(unsigned char ent) + { + return ent & ~SWAP_HAS_CACHE; /* may include COUNT_CONTINUED flag */ +@@ -1044,12 +1053,14 @@ noswap: + /* The only caller of this function is now suspend routine */ + swp_entry_t get_swap_page_of_type(int type) + { +- struct swap_info_struct *si; ++ struct swap_info_struct *si = swap_type_to_swap_info(type); + pgoff_t offset; + +- si = swap_info[type]; ++ if (!si) ++ goto fail; ++ + spin_lock(&si->lock); +- if (si && (si->flags & SWP_WRITEOK)) { ++ if (si->flags & SWP_WRITEOK) { + atomic_long_dec(&nr_swap_pages); + /* This is called for allocating swap entry, not cache */ + offset = scan_swap_map(si, 1); +@@ -1060,6 +1071,7 @@ swp_entry_t get_swap_page_of_type(int type) + atomic_long_inc(&nr_swap_pages); + } + spin_unlock(&si->lock); ++fail: + return (swp_entry_t) {0}; + } + +@@ -1071,9 +1083,9 @@ static struct swap_info_struct *__swap_info_get(swp_entry_t entry) + if (!entry.val) + goto out; + type = swp_type(entry); +- if (type >= nr_swapfiles) ++ p = swap_type_to_swap_info(type); ++ if (!p) + goto bad_nofile; +- p = swap_info[type]; + if (!(p->flags & SWP_USED)) + goto bad_device; + offset = swp_offset(entry); +@@ -1697,10 +1709,9 @@ int swap_type_of(dev_t device, sector_t offset, struct block_device **bdev_p) + sector_t swapdev_block(int type, pgoff_t offset) + { + struct block_device *bdev; ++ struct swap_info_struct *si = swap_type_to_swap_info(type); + +- if ((unsigned int)type >= nr_swapfiles) +- return 0; +- if (!(swap_info[type]->flags & SWP_WRITEOK)) ++ if (!si || !(si->flags & SWP_WRITEOK)) + return 0; + return map_swap_entry(swp_entry(type, offset), &bdev); + } +@@ -2258,7 +2269,7 @@ static sector_t map_swap_entry(swp_entry_t entry, struct block_device **bdev) + struct swap_extent *se; + pgoff_t offset; + +- sis = swap_info[swp_type(entry)]; ++ sis = swp_swap_info(entry); + *bdev = sis->bdev; + + offset = swp_offset(entry); +@@ -2700,9 +2711,7 @@ static void *swap_start(struct seq_file *swap, loff_t *pos) + if (!l) + return SEQ_START_TOKEN; + +- for (type = 0; type < nr_swapfiles; type++) { +- smp_rmb(); /* read nr_swapfiles before swap_info[type] */ +- si = swap_info[type]; ++ for (type = 0; (si = swap_type_to_swap_info(type)); type++) { + if (!(si->flags & SWP_USED) || !si->swap_map) + continue; + if (!--l) +@@ -2722,9 +2731,7 @@ static void *swap_next(struct seq_file *swap, void *v, loff_t *pos) + else + type = si->type + 1; + +- for (; type < nr_swapfiles; type++) { +- smp_rmb(); /* read nr_swapfiles before swap_info[type] */ +- si = swap_info[type]; ++ for (; (si = swap_type_to_swap_info(type)); type++) { + if (!(si->flags & SWP_USED) || !si->swap_map) + continue; + ++*pos; +@@ -2831,14 +2838,14 @@ static struct swap_info_struct *alloc_swap_info(void) + } + if (type >= nr_swapfiles) { + p->type = type; +- swap_info[type] = p; ++ WRITE_ONCE(swap_info[type], p); + /* + * Write swap_info[type] before nr_swapfiles, in case a + * racing procfs swap_start() or swap_next() is reading them. + * (We never shrink nr_swapfiles, we never free this entry.) + */ + smp_wmb(); +- nr_swapfiles++; ++ WRITE_ONCE(nr_swapfiles, nr_swapfiles + 1); + } else { + kvfree(p); + p = swap_info[type]; +@@ -3358,7 +3365,7 @@ static int __swap_duplicate(swp_entry_t entry, unsigned char usage) + { + struct swap_info_struct *p; + struct swap_cluster_info *ci; +- unsigned long offset, type; ++ unsigned long offset; + unsigned char count; + unsigned char has_cache; + int err = -EINVAL; +@@ -3366,10 +3373,10 @@ static int __swap_duplicate(swp_entry_t entry, unsigned char usage) + if (non_swap_entry(entry)) + goto out; + +- type = swp_type(entry); +- if (type >= nr_swapfiles) ++ p = swp_swap_info(entry); ++ if (!p) + goto bad_file; +- p = swap_info[type]; ++ + offset = swp_offset(entry); + if (unlikely(offset >= p->max)) + goto out; +@@ -3466,7 +3473,7 @@ int swapcache_prepare(swp_entry_t entry) + + struct swap_info_struct *swp_swap_info(swp_entry_t entry) + { +- return swap_info[swp_type(entry)]; ++ return swap_type_to_swap_info(swp_type(entry)); + } + + struct swap_info_struct *page_swap_info(struct page *page) +-- +2.19.1 + diff --git a/queue-5.0/mm-vmalloc.c-fix-kernel-bug-at-mm-vmalloc.c-512.patch b/queue-5.0/mm-vmalloc.c-fix-kernel-bug-at-mm-vmalloc.c-512.patch new file mode 100644 index 00000000000..224039e8394 --- /dev/null +++ b/queue-5.0/mm-vmalloc.c-fix-kernel-bug-at-mm-vmalloc.c-512.patch @@ -0,0 +1,62 @@ +From 83f382fb888e50394e666acf8c20048b5bfc5da2 Mon Sep 17 00:00:00 2001 +From: "Uladzislau Rezki (Sony)" +Date: Tue, 5 Mar 2019 15:45:59 -0800 +Subject: mm/vmalloc.c: fix kernel BUG at mm/vmalloc.c:512! + +[ Upstream commit afd07389d3f4933c7f7817a92fb5e053d59a3182 ] + +One of the vmalloc stress test case triggers the kernel BUG(): + + + [60.562151] ------------[ cut here ]------------ + [60.562154] kernel BUG at mm/vmalloc.c:512! + [60.562206] invalid opcode: 0000 [#1] PREEMPT SMP PTI + [60.562247] CPU: 0 PID: 430 Comm: vmalloc_test/0 Not tainted 4.20.0+ #161 + [60.562293] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014 + [60.562351] RIP: 0010:alloc_vmap_area+0x36f/0x390 + + +it can happen due to big align request resulting in overflowing of +calculated address, i.e. it becomes 0 after ALIGN()'s fixup. + +Fix it by checking if calculated address is within vstart/vend range. + +Link: http://lkml.kernel.org/r/20190124115648.9433-2-urezki@gmail.com +Signed-off-by: Uladzislau Rezki (Sony) +Reviewed-by: Andrew Morton +Cc: Ingo Molnar +Cc: Joel Fernandes +Cc: Matthew Wilcox +Cc: Michal Hocko +Cc: Oleksiy Avramchenko +Cc: Steven Rostedt +Cc: Tejun Heo +Cc: Thomas Garnier +Cc: Thomas Gleixner +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/vmalloc.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/mm/vmalloc.c b/mm/vmalloc.c +index 2cd24186ba84..583630bf247d 100644 +--- a/mm/vmalloc.c ++++ b/mm/vmalloc.c +@@ -498,7 +498,11 @@ nocache: + } + + found: +- if (addr + size > vend) ++ /* ++ * Check also calculated address against the vstart, ++ * because it can be 0 because of big align request. ++ */ ++ if (addr + size > vend || addr < vstart) + goto overflow; + + va->va_start = addr; +-- +2.19.1 + diff --git a/queue-5.0/mmc-omap-fix-the-maximum-timeout-setting.patch b/queue-5.0/mmc-omap-fix-the-maximum-timeout-setting.patch new file mode 100644 index 00000000000..bee6b4b60af --- /dev/null +++ b/queue-5.0/mmc-omap-fix-the-maximum-timeout-setting.patch @@ -0,0 +1,51 @@ +From 6b908c609c62a15dbd5a722a937c98f83eadf5b0 Mon Sep 17 00:00:00 2001 +From: Aaro Koskinen +Date: Sun, 3 Feb 2019 00:14:33 +0200 +Subject: mmc: omap: fix the maximum timeout setting + +[ Upstream commit a6327b5e57fdc679c842588c3be046c0b39cc127 ] + +When running OMAP1 kernel on QEMU, MMC access is annoyingly noisy: + + MMC: CTO of 0xff and 0xfe cannot be used! + MMC: CTO of 0xff and 0xfe cannot be used! + MMC: CTO of 0xff and 0xfe cannot be used! + [ad inf.] + +Emulator warnings appear to be valid. The TI document SPRU680 [1] +("OMAP5910 Dual-Core Processor MultiMedia Card/Secure Data Memory Card +(MMC/SD) Reference Guide") page 36 states that the maximum timeout is 253 +cycles and "0xff and 0xfe cannot be used". + +Fix by using 0xfd as the maximum timeout. + +Tested using QEMU 2.5 (Siemens SX1 machine, OMAP310), and also checked on +real hardware using Palm TE (OMAP310), Nokia 770 (OMAP1710) and Nokia N810 +(OMAP2420) that MMC works as before. + +[1] http://www.ti.com/lit/ug/spru680/spru680.pdf + +Fixes: 730c9b7e6630f ("[MMC] Add OMAP MMC host driver") +Signed-off-by: Aaro Koskinen +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/omap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/omap.c b/drivers/mmc/host/omap.c +index c60a7625b1fa..b2873a2432b6 100644 +--- a/drivers/mmc/host/omap.c ++++ b/drivers/mmc/host/omap.c +@@ -920,7 +920,7 @@ static inline void set_cmd_timeout(struct mmc_omap_host *host, struct mmc_reques + reg &= ~(1 << 5); + OMAP_MMC_WRITE(host, SDIO, reg); + /* Set maximum timeout */ +- OMAP_MMC_WRITE(host, CTO, 0xff); ++ OMAP_MMC_WRITE(host, CTO, 0xfd); + } + + static inline void set_data_timeout(struct mmc_omap_host *host, struct mmc_request *req) +-- +2.19.1 + diff --git a/queue-5.0/mt76-fix-a-leaked-reference-by-adding-a-missing-of_n.patch b/queue-5.0/mt76-fix-a-leaked-reference-by-adding-a-missing-of_n.patch new file mode 100644 index 00000000000..d4b9388e910 --- /dev/null +++ b/queue-5.0/mt76-fix-a-leaked-reference-by-adding-a-missing-of_n.patch @@ -0,0 +1,81 @@ +From 538d838c7ca452e1adf0f8c76d609487dd5f0031 Mon Sep 17 00:00:00 2001 +From: Wen Yang +Date: Fri, 22 Feb 2019 15:15:40 +0800 +Subject: mt76: fix a leaked reference by adding a missing of_node_put + +[ Upstream commit 34e022d8b780a03902d82fb3997ba7c7b1f40c81 ] + +The call to of_find_node_by_phandle returns a node pointer with refcount +incremented thus it must be explicitly decremented after the last +usage. + +Detected by coccinelle with the following warnings: +./drivers/net/wireless/mediatek/mt76/eeprom.c:58:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 48, but without a corresponding object release within this function. +./drivers/net/wireless/mediatek/mt76/eeprom.c:61:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 48, but without a corresponding object release within this function. +./drivers/net/wireless/mediatek/mt76/eeprom.c:67:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 48, but without a corresponding object release within this function. +./drivers/net/wireless/mediatek/mt76/eeprom.c:70:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 48, but without a corresponding object release within this function. +./drivers/net/wireless/mediatek/mt76/eeprom.c:72:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 48, but without a corresponding object release within this function. + +Signed-off-by: Wen Yang +Cc: Felix Fietkau +Cc: Lorenzo Bianconi +Cc: Kalle Valo +Cc: "David S. Miller" +Cc: Matthias Brugger +Cc: linux-wireless@vger.kernel.org +Cc: netdev@vger.kernel.org +Cc: linux-arm-kernel@lists.infradead.org +Cc: linux-mediatek@lists.infradead.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/eeprom.c | 24 ++++++++++++++------- + 1 file changed, 16 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/eeprom.c b/drivers/net/wireless/mediatek/mt76/eeprom.c +index 530e5593765c..a1529920d877 100644 +--- a/drivers/net/wireless/mediatek/mt76/eeprom.c ++++ b/drivers/net/wireless/mediatek/mt76/eeprom.c +@@ -54,22 +54,30 @@ mt76_get_of_eeprom(struct mt76_dev *dev, int len) + part = np->name; + + mtd = get_mtd_device_nm(part); +- if (IS_ERR(mtd)) +- return PTR_ERR(mtd); ++ if (IS_ERR(mtd)) { ++ ret = PTR_ERR(mtd); ++ goto out_put_node; ++ } + +- if (size <= sizeof(*list)) +- return -EINVAL; ++ if (size <= sizeof(*list)) { ++ ret = -EINVAL; ++ goto out_put_node; ++ } + + offset = be32_to_cpup(list); + ret = mtd_read(mtd, offset, len, &retlen, dev->eeprom.data); + put_mtd_device(mtd); + if (ret) +- return ret; ++ goto out_put_node; + +- if (retlen < len) +- return -EINVAL; ++ if (retlen < len) { ++ ret = -EINVAL; ++ goto out_put_node; ++ } + +- return 0; ++out_put_node: ++ of_node_put(np); ++ return ret; + #else + return -ENOENT; + #endif +-- +2.19.1 + diff --git a/queue-5.0/mt76-usb-do-not-run-mt76u_queues_deinit-twice.patch b/queue-5.0/mt76-usb-do-not-run-mt76u_queues_deinit-twice.patch new file mode 100644 index 00000000000..b80aa92e757 --- /dev/null +++ b/queue-5.0/mt76-usb-do-not-run-mt76u_queues_deinit-twice.patch @@ -0,0 +1,97 @@ +From b9aef39732fe32ed861bd56290c4efbbb04bba72 Mon Sep 17 00:00:00 2001 +From: Lorenzo Bianconi +Date: Sun, 10 Feb 2019 22:49:15 +0100 +Subject: mt76: usb: do not run mt76u_queues_deinit twice + +[ Upstream commit b3098121c42caaf3aea239b8655cf52d45be116f ] + +Do not call mt76u_queues_deinit routine in mt76u_alloc_queues error path +since it will be run in mt76x0u_register_device or +mt76x2u_register_device error path. Current implementation triggers the +following kernel warning: + +[ 67.005516] WARNING: CPU: 2 PID: 761 at lib/refcount.c:187 refcount_sub_and_test_checked+0xa4/0xb8 +[ 67.019513] refcount_t: underflow; use-after-free. +[ 67.099872] Hardware name: BCM2835 +[ 67.106268] Backtrace: +[ 67.111584] [<8010c91c>] (dump_backtrace) from [<8010cc00>] (show_stack+0x20/0x24) +[ 67.124974] r6:60000013 r5:ffffffff r4:00000000 r3:a50bade6 +[ 67.132226] [<8010cbe0>] (show_stack) from [<807ca5f4>] (dump_stack+0xc8/0x114) +[ 67.141225] [<807ca52c>] (dump_stack) from [<8011e65c>] (__warn+0xf4/0x120) +[ 67.149849] r9:000000bb r8:804d0138 r7:00000009 r6:8099dc84 r5:00000000 r4:b66c7b58 +[ 67.160767] [<8011e568>] (__warn) from [<8011e6d0>] (warn_slowpath_fmt+0x48/0x50) +[ 67.171436] r9:7f65e128 r8:80d1419c r7:80c0bac4 r6:b97b3044 r5:b7368e00 r4:00000000 +[ 67.182433] [<8011e68c>] (warn_slowpath_fmt) from [<804d0138>] (refcount_sub_and_test_checked+0xa4/0xb8) +[ 67.195221] r3:80c91c25 r2:8099dc94 +[ 67.200370] r4:00000000 +[ 67.204397] [<804d0094>] (refcount_sub_and_test_checked) from [<804d0164>] (refcount_dec_and_test_checked+0x18/0x1c) +[ 67.218046] r4:b7368e00 r3:00000001 +[ 67.223125] [<804d014c>] (refcount_dec_and_test_checked) from [<805db49c>] (usb_free_urb+0x20/0x4c) +[ 67.235358] [<805db47c>] (usb_free_urb) from [<7f639804>] (mt76u_buf_free+0x98/0xac [mt76_usb]) +[ 67.247302] r4:00000001 r3:00000001 +[ 67.252468] [<7f63976c>] (mt76u_buf_free [mt76_usb]) from [<7f639ef8>] (mt76u_queues_deinit+0x44/0x100 [mt76_usb]) +[ 67.266102] r8:b8fe8600 r7:b5dac480 r6:b5dace20 r5:00000001 r4:00000000 r3:00000080 +[ 67.277132] [<7f639eb4>] (mt76u_queues_deinit [mt76_usb]) from [<7f65c040>] (mt76x0u_cleanup+0x40/0x4c [mt76x0u]) +[ 67.290737] r7:b5dac480 r6:b8fe8600 r5:ffffffea r4:b5dace20 +[ 67.298069] [<7f65c000>] (mt76x0u_cleanup [mt76x0u]) from [<7f65c564>] (mt76x0u_probe+0x1f0/0x354 [mt76x0u]) +[ 67.311174] r4:b5dace20 r3:00000000 +[ 67.316312] [<7f65c374>] (mt76x0u_probe [mt76x0u]) from [<805e0b6c>] (usb_probe_interface+0x104/0x240) +[ 67.328915] r7:00000000 r6:7f65e034 r5:b6634800 r4:b8fe8620 +[ 67.336276] [<805e0a68>] (usb_probe_interface) from [<8056a8bc>] (really_probe+0x224/0x2f8) +[ 67.347965] r10:b65f0a00 r9:00000019 r8:7f65e034 r7:80d3e124 r6:00000000 r5:80d3e120 +[ 67.359175] r4:b8fe8620 r3:805e0a68 +[ 67.364384] [<8056a698>] (really_probe) from [<8056ab60>] (driver_probe_device+0x6c/0x180) +[ 67.375974] r10:b65f0a00 r9:7f65e2c0 r8:b8fe8620 r7:00000000 r6:7f65e034 r5:7f65e034 +[ 67.387170] r4:b8fe8620 r3:00000000 +[ 67.392378] [<8056aaf4>] (driver_probe_device) from [<8056ad54>] (__driver_attach+0xe0/0xe4) +[ 67.404097] r9:7f65e2c0 r8:7f65d22c r7:00000000 r6:b8fe8654 r5:7f65e034 r4:b8fe8620 +[ 67.415122] [<8056ac74>] (__driver_attach) from [<8056880c>] (bus_for_each_dev+0x68/0xa0) +[ 67.426628] r6:8056ac74 r5:7f65e034 r4:00000000 r3:00000027 +[ 67.434017] [<805687a4>] (bus_for_each_dev) from [<8056a1cc>] (driver_attach+0x28/0x30) +[ 67.445394] r6:80c6ddc8 r5:b7368f80 r4:7f65e034 +[ 67.451703] [<8056a1a4>] (driver_attach) from [<80569c24>] (bus_add_driver+0x194/0x21c) +[ 67.463081] [<80569a90>] (bus_add_driver) from [<8056b504>] (driver_register+0x8c/0x124) +[ 67.474560] r7:80c6ddc8 r6:7f65e034 r5:00000000 r4:7f65e034 +[ 67.481964] [<8056b478>] (driver_register) from [<805df510>] (usb_register_driver+0x74/0x140) +[ 67.493901] r5:00000000 r4:7f65e000 +[ 67.499131] [<805df49c>] (usb_register_driver) from [<7f661024>] (mt76x0_driver_init+0x24/0x1000 [mt76x0u]) +[ 67.512258] r9:00000001 r8:7f65e308 r7:00000000 r6:80c08d48 r5:7f661000 r4:7f65e2c0 +[ 67.523404] [<7f661000>] (mt76x0_driver_init [mt76x0u]) from [<80102f6c>] (do_one_initcall+0x4c/0x210) +[ 67.536142] [<80102f20>] (do_one_initcall) from [<801ae63c>] (do_init_module+0x6c/0x21c) +[ 67.547639] r8:7f65e308 r7:80c08d48 r6:b65f0ac0 r5:7f65e2c0 r4:7f65e2c0 +[ 67.556129] [<801ae5d0>] (do_init_module) from [<801ad68c>] (load_module+0x1d10/0x2304) + +Fixes: b40b15e1521f ("mt76: add usb support to mt76 layer") +Signed-off-by: Lorenzo Bianconi +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/usb.c | 11 ++--------- + 1 file changed, 2 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/usb.c b/drivers/net/wireless/mediatek/mt76/usb.c +index 09923cedd039..61cde0f9f58f 100644 +--- a/drivers/net/wireless/mediatek/mt76/usb.c ++++ b/drivers/net/wireless/mediatek/mt76/usb.c +@@ -837,16 +837,9 @@ int mt76u_alloc_queues(struct mt76_dev *dev) + + err = mt76u_alloc_rx(dev); + if (err < 0) +- goto err; +- +- err = mt76u_alloc_tx(dev); +- if (err < 0) +- goto err; ++ return err; + +- return 0; +-err: +- mt76u_queues_deinit(dev); +- return err; ++ return mt76u_alloc_tx(dev); + } + EXPORT_SYMBOL_GPL(mt76u_alloc_queues); + +-- +2.19.1 + diff --git a/queue-5.0/mt7601u-bump-supported-eeprom-version.patch b/queue-5.0/mt7601u-bump-supported-eeprom-version.patch new file mode 100644 index 00000000000..4174e837f4f --- /dev/null +++ b/queue-5.0/mt7601u-bump-supported-eeprom-version.patch @@ -0,0 +1,61 @@ +From b95f14a8b03e583a4e82681a20fdaba854d7c02e Mon Sep 17 00:00:00 2001 +From: Stanislaw Gruszka +Date: Tue, 22 Jan 2019 13:47:54 +0100 +Subject: mt7601u: bump supported EEPROM version + +[ Upstream commit 3bd1505fed71d834f45e87b32ff07157fdda47e0 ] + +As reported by Michael eeprom 0d is supported and work with the driver. + +Dump of /sys/kernel/debug/ieee80211/phy1/mt7601u/eeprom_param +with 0d EEPORM looks like this: + +RSSI offset: 0 0 +Reference temp: f9 +LNA gain: 8 +Reg channels: 1-14 +Per rate power: + raw:05 bw20:05 bw40:05 + raw:05 bw20:05 bw40:05 + raw:03 bw20:03 bw40:03 + raw:03 bw20:03 bw40:03 + raw:04 bw20:04 bw40:04 + raw:00 bw20:00 bw40:00 + raw:00 bw20:00 bw40:00 + raw:00 bw20:00 bw40:00 + raw:02 bw20:02 bw40:02 + raw:00 bw20:00 bw40:00 +Per channel power: + tx_power ch1:09 ch2:09 + tx_power ch3:0a ch4:0a + tx_power ch5:0a ch6:0a + tx_power ch7:0b ch8:0b + tx_power ch9:0b ch10:0b + tx_power ch11:0b ch12:0b + tx_power ch13:0b ch14:0b + +Reported-and-tested-by: Michael +Signed-off-by: Stanislaw Gruszka +Acked-by: Jakub Kicinski +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt7601u/eeprom.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/mediatek/mt7601u/eeprom.h b/drivers/net/wireless/mediatek/mt7601u/eeprom.h +index 662d12703b69..57b503ae63f1 100644 +--- a/drivers/net/wireless/mediatek/mt7601u/eeprom.h ++++ b/drivers/net/wireless/mediatek/mt7601u/eeprom.h +@@ -17,7 +17,7 @@ + + struct mt7601u_dev; + +-#define MT7601U_EE_MAX_VER 0x0c ++#define MT7601U_EE_MAX_VER 0x0d + #define MT7601U_EEPROM_SIZE 256 + + #define MT7601U_DEFAULT_TX_POWER 6 +-- +2.19.1 + diff --git a/queue-5.0/mwifiex-don-t-advertise-ibss-features-without-fw-sup.patch b/queue-5.0/mwifiex-don-t-advertise-ibss-features-without-fw-sup.patch new file mode 100644 index 00000000000..e95799a0c32 --- /dev/null +++ b/queue-5.0/mwifiex-don-t-advertise-ibss-features-without-fw-sup.patch @@ -0,0 +1,66 @@ +From 859e135b4d47fa4584db87d4d0e849b82c77407d Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Thu, 14 Feb 2019 16:31:29 -0800 +Subject: mwifiex: don't advertise IBSS features without FW support + +[ Upstream commit 6f21ab30469d670de620f758330aca9f3433f693 ] + +As it is, doing something like + + # iw phy phy0 interface add foobar type ibss + +on a firmware that doesn't have ad-hoc support just yields failures of +HostCmd_CMD_SET_BSS_MODE, which happened to return a '-1' error code +(-EPERM? not really right...) and sometimes may even crash the firmware +along the way. + +Let's parse the firmware capability flag while registering the wiphy, so +we don't allow attempting IBSS at all, and we get a proper -EOPNOTSUPP +from nl80211 instead. + +Fixes: e267e71e68ae ("mwifiex: Disable adhoc feature based on firmware capability") +Signed-off-by: Brian Norris +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/cfg80211.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/cfg80211.c b/drivers/net/wireless/marvell/mwifiex/cfg80211.c +index 1467af22e394..883752f640b4 100644 +--- a/drivers/net/wireless/marvell/mwifiex/cfg80211.c ++++ b/drivers/net/wireless/marvell/mwifiex/cfg80211.c +@@ -4310,11 +4310,13 @@ int mwifiex_register_cfg80211(struct mwifiex_adapter *adapter) + wiphy->mgmt_stypes = mwifiex_mgmt_stypes; + wiphy->max_remain_on_channel_duration = 5000; + wiphy->interface_modes = BIT(NL80211_IFTYPE_STATION) | +- BIT(NL80211_IFTYPE_ADHOC) | + BIT(NL80211_IFTYPE_P2P_CLIENT) | + BIT(NL80211_IFTYPE_P2P_GO) | + BIT(NL80211_IFTYPE_AP); + ++ if (ISSUPP_ADHOC_ENABLED(adapter->fw_cap_info)) ++ wiphy->interface_modes |= BIT(NL80211_IFTYPE_ADHOC); ++ + wiphy->bands[NL80211_BAND_2GHZ] = &mwifiex_band_2ghz; + if (adapter->config_bands & BAND_A) + wiphy->bands[NL80211_BAND_5GHZ] = &mwifiex_band_5ghz; +@@ -4374,11 +4376,13 @@ int mwifiex_register_cfg80211(struct mwifiex_adapter *adapter) + wiphy->available_antennas_tx = BIT(adapter->number_of_antenna) - 1; + wiphy->available_antennas_rx = BIT(adapter->number_of_antenna) - 1; + +- wiphy->features |= NL80211_FEATURE_HT_IBSS | +- NL80211_FEATURE_INACTIVITY_TIMER | ++ wiphy->features |= NL80211_FEATURE_INACTIVITY_TIMER | + NL80211_FEATURE_LOW_PRIORITY_SCAN | + NL80211_FEATURE_NEED_OBSS_SCAN; + ++ if (ISSUPP_ADHOC_ENABLED(adapter->fw_cap_info)) ++ wiphy->features |= NL80211_FEATURE_HT_IBSS; ++ + if (ISSUPP_RANDOM_MAC(adapter->fw_cap_info)) + wiphy->features |= NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR | + NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR | +-- +2.19.1 + diff --git a/queue-5.0/net-dsa-mv88e6xxx-add-lockdep-classes-to-fix-false-p.patch b/queue-5.0/net-dsa-mv88e6xxx-add-lockdep-classes-to-fix-false-p.patch new file mode 100644 index 00000000000..49ad5955804 --- /dev/null +++ b/queue-5.0/net-dsa-mv88e6xxx-add-lockdep-classes-to-fix-false-p.patch @@ -0,0 +1,119 @@ +From 882937690adba1711c0598fa8ce5444a2393067c Mon Sep 17 00:00:00 2001 +From: Andrew Lunn +Date: Sat, 23 Feb 2019 17:43:56 +0100 +Subject: net: dsa: mv88e6xxx: Add lockdep classes to fix false positive splat + +[ Upstream commit f6d9758b12660484b6639364cc406da92a918c96 ] + +The following false positive lockdep splat has been observed. + +====================================================== +WARNING: possible circular locking dependency detected +4.20.0+ #302 Not tainted +------------------------------------------------------ +systemd-udevd/160 is trying to acquire lock: +edea6080 (&chip->reg_lock){+.+.}, at: __setup_irq+0x640/0x704 + +but task is already holding lock: +edff0340 (&desc->request_mutex){+.+.}, at: __setup_irq+0xa0/0x704 + +which lock already depends on the new lock. + +the existing dependency chain (in reverse order) is: + +-> #1 (&desc->request_mutex){+.+.}: + mutex_lock_nested+0x1c/0x24 + __setup_irq+0xa0/0x704 + request_threaded_irq+0xd0/0x150 + mv88e6xxx_probe+0x41c/0x694 [mv88e6xxx] + mdio_probe+0x2c/0x54 + really_probe+0x200/0x2c4 + driver_probe_device+0x5c/0x174 + __driver_attach+0xd8/0xdc + bus_for_each_dev+0x58/0x7c + bus_add_driver+0xe4/0x1f0 + driver_register+0x7c/0x110 + mdio_driver_register+0x24/0x58 + do_one_initcall+0x74/0x2e8 + do_init_module+0x60/0x1d0 + load_module+0x1968/0x1ff4 + sys_finit_module+0x8c/0x98 + ret_fast_syscall+0x0/0x28 + 0xbedf2ae8 + +-> #0 (&chip->reg_lock){+.+.}: + __mutex_lock+0x50/0x8b8 + mutex_lock_nested+0x1c/0x24 + __setup_irq+0x640/0x704 + request_threaded_irq+0xd0/0x150 + mv88e6xxx_g2_irq_setup+0xcc/0x1b4 [mv88e6xxx] + mv88e6xxx_probe+0x44c/0x694 [mv88e6xxx] + mdio_probe+0x2c/0x54 + really_probe+0x200/0x2c4 + driver_probe_device+0x5c/0x174 + __driver_attach+0xd8/0xdc + bus_for_each_dev+0x58/0x7c + bus_add_driver+0xe4/0x1f0 + driver_register+0x7c/0x110 + mdio_driver_register+0x24/0x58 + do_one_initcall+0x74/0x2e8 + do_init_module+0x60/0x1d0 + load_module+0x1968/0x1ff4 + sys_finit_module+0x8c/0x98 + ret_fast_syscall+0x0/0x28 + 0xbedf2ae8 + +other info that might help us debug this: + + Possible unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(&desc->request_mutex); + lock(&chip->reg_lock); + lock(&desc->request_mutex); + lock(&chip->reg_lock); + +&desc->request_mutex refer to two different mutex. #1 is the GPIO for +the chip interrupt. #2 is the chained interrupt between global 1 and +global 2. + +Add lockdep classes to the GPIO interrupt to avoid this. + +Reported-by: Russell King +Signed-off-by: Andrew Lunn +Signed-off-by: David S. Miller + +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/mv88e6xxx/chip.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c +index 4a0ec8e87c7a..6cba05a80892 100644 +--- a/drivers/net/dsa/mv88e6xxx/chip.c ++++ b/drivers/net/dsa/mv88e6xxx/chip.c +@@ -442,12 +442,20 @@ out_mapping: + + static int mv88e6xxx_g1_irq_setup(struct mv88e6xxx_chip *chip) + { ++ static struct lock_class_key lock_key; ++ static struct lock_class_key request_key; + int err; + + err = mv88e6xxx_g1_irq_setup_common(chip); + if (err) + return err; + ++ /* These lock classes tells lockdep that global 1 irqs are in ++ * a different category than their parent GPIO, so it won't ++ * report false recursion. ++ */ ++ irq_set_lockdep_class(chip->irq, &lock_key, &request_key); ++ + err = request_threaded_irq(chip->irq, NULL, + mv88e6xxx_g1_irq_thread_fn, + IRQF_ONESHOT | IRQF_SHARED, +-- +2.19.1 + diff --git a/queue-5.0/net-dsa-mv88e6xxx-default-cmode-to-1000basex-only-on.patch b/queue-5.0/net-dsa-mv88e6xxx-default-cmode-to-1000basex-only-on.patch new file mode 100644 index 00000000000..f6336f32a8a --- /dev/null +++ b/queue-5.0/net-dsa-mv88e6xxx-default-cmode-to-1000basex-only-on.patch @@ -0,0 +1,46 @@ +From 78143aed7dd25524f8ef328f3ee33f280905f112 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marek=20Beh=C3=BAn?= +Date: Mon, 25 Feb 2019 12:39:54 +0100 +Subject: net: dsa: mv88e6xxx: Default CMODE to 1000BaseX only on 6390X +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 65b034cf5c1766492aa107958149b440889480be ] + +Commit 787799a9d555 sets the SERDES interfaces of 6390 and 6390X to +1000BaseX, but this is only needed on 6390X, since there are SERDES +interfaces which can be used on lower ports on 6390. + +This commit fixes this by returning to previous behaviour on 6390. +(Previous behaviour means that CMODE is not set at all if requested mode +is NA). + +This is needed on Turris MOX, where the 88e6190 is connected to CPU in +2500BaseX mode. + +Fixes: 787799a9d555 ("net: dsa: mv88e6xxx: Default ports 9/10 6390X CMODE to 1000BaseX") +Signed-off-by: Marek Behún +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/mv88e6xxx/port.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/dsa/mv88e6xxx/port.c b/drivers/net/dsa/mv88e6xxx/port.c +index 41eee62fed25..c44b2822e4dd 100644 +--- a/drivers/net/dsa/mv88e6xxx/port.c ++++ b/drivers/net/dsa/mv88e6xxx/port.c +@@ -480,6 +480,8 @@ int mv88e6390_port_set_cmode(struct mv88e6xxx_chip *chip, int port, + phy_interface_t mode) + { + switch (mode) { ++ case PHY_INTERFACE_MODE_NA: ++ return 0; + case PHY_INTERFACE_MODE_XGMII: + case PHY_INTERFACE_MODE_XAUI: + case PHY_INTERFACE_MODE_RXAUI: +-- +2.19.1 + diff --git a/queue-5.0/net-hns3-fix-setting-of-the-hns-reset_type-for-rdma-.patch b/queue-5.0/net-hns3-fix-setting-of-the-hns-reset_type-for-rdma-.patch new file mode 100644 index 00000000000..c252006a289 --- /dev/null +++ b/queue-5.0/net-hns3-fix-setting-of-the-hns-reset_type-for-rdma-.patch @@ -0,0 +1,126 @@ +From a78baf9554c74fccceee1103b676e5e1d1047b08 Mon Sep 17 00:00:00 2001 +From: Shiju Jose +Date: Sat, 23 Feb 2019 17:22:18 +0800 +Subject: net: hns3: fix setting of the hns reset_type for rdma hw errors + +[ Upstream commit eb4c2ccbad6c688be791e0c08640a40124558c03 ] + +Presently the hns reset_type for the roce errors is set +in the hclge_log_and_clear_rocee_ras_error function. +This function is also called to detect and clear roce errors +while enabling the rdma error interrupts. However there is no hns +reset requested for this case. This can cause issue of wrong +reset_type used with subsequent hns reset as the +reset_type set in the above case was not cleared. + +This patch moves setting of hns reset_type for the roce errors from +hclge_log_and_clear_rocee_ras_error function +to hclge_handle_rocee_ras_error. + +Fixes: 630ba007f475 ("net: hns3: add handling of RDMA RAS errors") +Reported-by: Huazhong Tan +Reported-by: Xiaofei Tan +Signed-off-by: Shiju Jose +Signed-off-by: Peng Li +Signed-off-by: Huazhong Tan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../hisilicon/hns3/hns3pf/hclge_err.c | 36 ++++++++++--------- + 1 file changed, 20 insertions(+), 16 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_err.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_err.c +index efb6c1a25171..3ea72e4d9dc4 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_err.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_err.c +@@ -1094,10 +1094,10 @@ static int hclge_log_rocee_ovf_error(struct hclge_dev *hdev) + return 0; + } + +-static int hclge_log_and_clear_rocee_ras_error(struct hclge_dev *hdev) ++static enum hnae3_reset_type ++hclge_log_and_clear_rocee_ras_error(struct hclge_dev *hdev) + { +- enum hnae3_reset_type reset_type = HNAE3_FUNC_RESET; +- struct hnae3_ae_dev *ae_dev = hdev->ae_dev; ++ enum hnae3_reset_type reset_type = HNAE3_NONE_RESET; + struct device *dev = &hdev->pdev->dev; + struct hclge_desc desc[2]; + unsigned int status; +@@ -1110,17 +1110,20 @@ static int hclge_log_and_clear_rocee_ras_error(struct hclge_dev *hdev) + if (ret) { + dev_err(dev, "failed(%d) to query ROCEE RAS INT SRC\n", ret); + /* reset everything for now */ +- HCLGE_SET_DEFAULT_RESET_REQUEST(HNAE3_GLOBAL_RESET); +- return ret; ++ return HNAE3_GLOBAL_RESET; + } + + status = le32_to_cpu(desc[0].data[0]); + +- if (status & HCLGE_ROCEE_RERR_INT_MASK) ++ if (status & HCLGE_ROCEE_RERR_INT_MASK) { + dev_warn(dev, "ROCEE RAS AXI rresp error\n"); ++ reset_type = HNAE3_FUNC_RESET; ++ } + +- if (status & HCLGE_ROCEE_BERR_INT_MASK) ++ if (status & HCLGE_ROCEE_BERR_INT_MASK) { + dev_warn(dev, "ROCEE RAS AXI bresp error\n"); ++ reset_type = HNAE3_FUNC_RESET; ++ } + + if (status & HCLGE_ROCEE_ECC_INT_MASK) { + dev_warn(dev, "ROCEE RAS 2bit ECC error\n"); +@@ -1132,9 +1135,9 @@ static int hclge_log_and_clear_rocee_ras_error(struct hclge_dev *hdev) + if (ret) { + dev_err(dev, "failed(%d) to process ovf error\n", ret); + /* reset everything for now */ +- HCLGE_SET_DEFAULT_RESET_REQUEST(HNAE3_GLOBAL_RESET); +- return ret; ++ return HNAE3_GLOBAL_RESET; + } ++ reset_type = HNAE3_FUNC_RESET; + } + + /* clear error status */ +@@ -1143,12 +1146,10 @@ static int hclge_log_and_clear_rocee_ras_error(struct hclge_dev *hdev) + if (ret) { + dev_err(dev, "failed(%d) to clear ROCEE RAS error\n", ret); + /* reset everything for now */ +- reset_type = HNAE3_GLOBAL_RESET; ++ return HNAE3_GLOBAL_RESET; + } + +- HCLGE_SET_DEFAULT_RESET_REQUEST(reset_type); +- +- return ret; ++ return reset_type; + } + + static int hclge_config_rocee_ras_interrupt(struct hclge_dev *hdev, bool en) +@@ -1178,15 +1179,18 @@ static int hclge_config_rocee_ras_interrupt(struct hclge_dev *hdev, bool en) + return ret; + } + +-static int hclge_handle_rocee_ras_error(struct hnae3_ae_dev *ae_dev) ++static void hclge_handle_rocee_ras_error(struct hnae3_ae_dev *ae_dev) + { ++ enum hnae3_reset_type reset_type = HNAE3_NONE_RESET; + struct hclge_dev *hdev = ae_dev->priv; + + if (test_bit(HCLGE_STATE_RST_HANDLING, &hdev->state) || + hdev->pdev->revision < 0x21) +- return HNAE3_NONE_RESET; ++ return; + +- return hclge_log_and_clear_rocee_ras_error(hdev); ++ reset_type = hclge_log_and_clear_rocee_ras_error(hdev); ++ if (reset_type != HNAE3_NONE_RESET) ++ HCLGE_SET_DEFAULT_RESET_REQUEST(reset_type); + } + + static const struct hclge_hw_blk hw_blk[] = { +-- +2.19.1 + diff --git a/queue-5.0/net-marvell-mvpp2-fix-stuck-in-band-sgmii-negotiatio.patch b/queue-5.0/net-marvell-mvpp2-fix-stuck-in-band-sgmii-negotiatio.patch new file mode 100644 index 00000000000..5ad2cfd59f6 --- /dev/null +++ b/queue-5.0/net-marvell-mvpp2-fix-stuck-in-band-sgmii-negotiatio.patch @@ -0,0 +1,82 @@ +From 85e3f7ac997c2110865a11ea07e23d66382c045a Mon Sep 17 00:00:00 2001 +From: Russell King +Date: Fri, 8 Feb 2019 15:35:43 +0000 +Subject: net: marvell: mvpp2: fix stuck in-band SGMII negotiation + +[ Upstream commit 316734fdcf70900a83065360cff11a5826919067 ] + +It appears that the mvpp22 can get stuck with SGMII negotiation. The +symptoms are that in-band negotiation never completes and the partner +(eg, PHY) never reports SGMII link up, or if it supports negotiation +bypass, goes into negotiation bypass mode (which will happen when the +PHY sees that the MAC is alive but gets no response.) + +Triggering the PHY end of the link to re-negotiate results in the +bypass bit clearing on the PHY, and then re-setting - indicating that +the problem is at the mvpp22 GMAC end. + +Asserting the GMAC reset and de-asserting it resolves the issue. +Arrange to assert the GMAC reset at probe time, and deassert it only +after we have configured the GMAC for the appropriate mode. This +resolves the issue. + +Tested-by: Sven Auhagen +Signed-off-by: Russell King +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c +index 16066c2d5b3a..931beac3359d 100644 +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c +@@ -1380,13 +1380,9 @@ static void mvpp2_port_reset(struct mvpp2_port *port) + for (i = 0; i < ARRAY_SIZE(mvpp2_ethtool_regs); i++) + mvpp2_read_count(port, &mvpp2_ethtool_regs[i]); + +- val = readl(port->base + MVPP2_GMAC_CTRL_2_REG) & +- ~MVPP2_GMAC_PORT_RESET_MASK; ++ val = readl(port->base + MVPP2_GMAC_CTRL_2_REG) | ++ MVPP2_GMAC_PORT_RESET_MASK; + writel(val, port->base + MVPP2_GMAC_CTRL_2_REG); +- +- while (readl(port->base + MVPP2_GMAC_CTRL_2_REG) & +- MVPP2_GMAC_PORT_RESET_MASK) +- continue; + } + + /* Change maximum receive size of the port */ +@@ -4543,12 +4539,15 @@ static void mvpp2_gmac_config(struct mvpp2_port *port, unsigned int mode, + const struct phylink_link_state *state) + { + u32 an, ctrl0, ctrl2, ctrl4; ++ u32 old_ctrl2; + + an = readl(port->base + MVPP2_GMAC_AUTONEG_CONFIG); + ctrl0 = readl(port->base + MVPP2_GMAC_CTRL_0_REG); + ctrl2 = readl(port->base + MVPP2_GMAC_CTRL_2_REG); + ctrl4 = readl(port->base + MVPP22_GMAC_CTRL_4_REG); + ++ old_ctrl2 = ctrl2; ++ + /* Force link down */ + an &= ~MVPP2_GMAC_FORCE_LINK_PASS; + an |= MVPP2_GMAC_FORCE_LINK_DOWN; +@@ -4621,6 +4620,12 @@ static void mvpp2_gmac_config(struct mvpp2_port *port, unsigned int mode, + writel(ctrl2, port->base + MVPP2_GMAC_CTRL_2_REG); + writel(ctrl4, port->base + MVPP22_GMAC_CTRL_4_REG); + writel(an, port->base + MVPP2_GMAC_AUTONEG_CONFIG); ++ ++ if (old_ctrl2 & MVPP2_GMAC_PORT_RESET_MASK) { ++ while (readl(port->base + MVPP2_GMAC_CTRL_2_REG) & ++ MVPP2_GMAC_PORT_RESET_MASK) ++ continue; ++ } + } + + static void mvpp2_mac_config(struct net_device *dev, unsigned int mode, +-- +2.19.1 + diff --git a/queue-5.0/net-mlx5-avoid-panic-when-setting-vport-mac-getting-.patch b/queue-5.0/net-mlx5-avoid-panic-when-setting-vport-mac-getting-.patch new file mode 100644 index 00000000000..b028ad68ef6 --- /dev/null +++ b/queue-5.0/net-mlx5-avoid-panic-when-setting-vport-mac-getting-.patch @@ -0,0 +1,80 @@ +From 795e06c39cd56dd2ee78dd3e7855b5779cf59ca2 Mon Sep 17 00:00:00 2001 +From: Tonghao Zhang +Date: Mon, 4 Mar 2019 00:27:15 -0800 +Subject: net/mlx5: Avoid panic when setting vport mac, getting vport config + +[ Upstream commit 6e77c413e8e73d0f36b5358b601389d75ec4451c ] + +If we try to set VFs mac address on a VF (not PF) net device, +the kernel will be crash. The commands are show as below: + +$ echo 2 > /sys/class/net/$MLX_PF0/device/sriov_numvfs +$ ip link set $MLX_VF0 vf 0 mac 00:11:22:33:44:00 + +[exception RIP: mlx5_eswitch_set_vport_mac+41] +[ffffb8b7079e3688] do_setlink at ffffffff8f67f85b +[ffffb8b7079e37a8] __rtnl_newlink at ffffffff8f683778 +[ffffb8b7079e3b68] rtnl_newlink at ffffffff8f683a63 +[ffffb8b7079e3b90] rtnetlink_rcv_msg at ffffffff8f67d812 +[ffffb8b7079e3c10] netlink_rcv_skb at ffffffff8f6b88ab +[ffffb8b7079e3c60] netlink_unicast at ffffffff8f6b808f +[ffffb8b7079e3ca0] netlink_sendmsg at ffffffff8f6b8412 +[ffffb8b7079e3d18] sock_sendmsg at ffffffff8f6452f6 +[ffffb8b7079e3d30] ___sys_sendmsg at ffffffff8f645860 +[ffffb8b7079e3eb0] __sys_sendmsg at ffffffff8f647a38 +[ffffb8b7079e3f38] do_syscall_64 at ffffffff8f00401b +[ffffb8b7079e3f50] entry_SYSCALL_64_after_hwframe at ffffffff8f80008c + +and + +[exception RIP: mlx5_eswitch_get_vport_config+12] +[ffffa70607e57678] mlx5e_get_vf_config at ffffffffc03c7f8f [mlx5_core] +[ffffa70607e57688] do_setlink at ffffffffbc67fa59 +[ffffa70607e577a8] __rtnl_newlink at ffffffffbc683778 +[ffffa70607e57b68] rtnl_newlink at ffffffffbc683a63 +[ffffa70607e57b90] rtnetlink_rcv_msg at ffffffffbc67d812 +[ffffa70607e57c10] netlink_rcv_skb at ffffffffbc6b88ab +[ffffa70607e57c60] netlink_unicast at ffffffffbc6b808f +[ffffa70607e57ca0] netlink_sendmsg at ffffffffbc6b8412 +[ffffa70607e57d18] sock_sendmsg at ffffffffbc6452f6 +[ffffa70607e57d30] ___sys_sendmsg at ffffffffbc645860 +[ffffa70607e57eb0] __sys_sendmsg at ffffffffbc647a38 +[ffffa70607e57f38] do_syscall_64 at ffffffffbc00401b +[ffffa70607e57f50] entry_SYSCALL_64_after_hwframe at ffffffffbc80008c + +Fixes: a8d70a054a718 ("net/mlx5: E-Switch, Disallow vlan/spoofcheck setup if not being esw manager") +Cc: Eli Cohen +Signed-off-by: Tonghao Zhang +Reviewed-by: Roi Dayan +Acked-by: Saeed Mahameed +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/eswitch.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c +index 3e8ed5586821..13c48883ed61 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c +@@ -1812,7 +1812,7 @@ int mlx5_eswitch_set_vport_mac(struct mlx5_eswitch *esw, + u64 node_guid; + int err = 0; + +- if (!MLX5_CAP_GEN(esw->dev, vport_group_manager)) ++ if (!esw || !MLX5_CAP_GEN(esw->dev, vport_group_manager)) + return -EPERM; + if (!LEGAL_VPORT(esw, vport) || is_multicast_ether_addr(mac)) + return -EINVAL; +@@ -1886,7 +1886,7 @@ int mlx5_eswitch_get_vport_config(struct mlx5_eswitch *esw, + { + struct mlx5_vport *evport; + +- if (!MLX5_CAP_GEN(esw->dev, vport_group_manager)) ++ if (!esw || !MLX5_CAP_GEN(esw->dev, vport_group_manager)) + return -EPERM; + if (!LEGAL_VPORT(esw, vport)) + return -EINVAL; +-- +2.19.1 + diff --git a/queue-5.0/net-mlx5-avoid-panic-when-setting-vport-rate.patch b/queue-5.0/net-mlx5-avoid-panic-when-setting-vport-rate.patch new file mode 100644 index 00000000000..5ff98e0205c --- /dev/null +++ b/queue-5.0/net-mlx5-avoid-panic-when-setting-vport-rate.patch @@ -0,0 +1,81 @@ +From 5676fdb5229e72483bddc98221d7121fd3b25714 Mon Sep 17 00:00:00 2001 +From: Tonghao Zhang +Date: Mon, 4 Mar 2019 00:27:16 -0800 +Subject: net/mlx5: Avoid panic when setting vport rate + +[ Upstream commit 24319258660a84dd77f4be026a55b10a12524919 ] + +If we try to set VFs rate on a VF (not PF) net device, the kernel +will be crash. The commands are show as below: + +$ echo 2 > /sys/class/net/$MLX_PF0/device/sriov_numvfs +$ ip link set $MLX_VF0 vf 0 max_tx_rate 2 min_tx_rate 1 + +If not applied the first patch ("net/mlx5: Avoid panic when setting +vport mac, getting vport config"), the command: + +$ ip link set $MLX_VF0 vf 0 rate 100 + +can also crash the kernel. + +[ 1650.006388] RIP: 0010:mlx5_eswitch_set_vport_rate+0x1f/0x260 [mlx5_core] +[ 1650.007092] do_setlink+0x982/0xd20 +[ 1650.007129] __rtnl_newlink+0x528/0x7d0 +[ 1650.007374] rtnl_newlink+0x43/0x60 +[ 1650.007407] rtnetlink_rcv_msg+0x2a2/0x320 +[ 1650.007484] netlink_rcv_skb+0xcb/0x100 +[ 1650.007519] netlink_unicast+0x17f/0x230 +[ 1650.007554] netlink_sendmsg+0x2d2/0x3d0 +[ 1650.007592] sock_sendmsg+0x36/0x50 +[ 1650.007625] ___sys_sendmsg+0x280/0x2a0 +[ 1650.007963] __sys_sendmsg+0x58/0xa0 +[ 1650.007998] do_syscall_64+0x5b/0x180 +[ 1650.009438] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fixes: c9497c98901c ("net/mlx5: Add support for setting VF min rate") +Cc: Mohamad Haj Yahia +Signed-off-by: Tonghao Zhang +Reviewed-by: Roi Dayan +Acked-by: Saeed Mahameed +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/eswitch.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c +index 5b492b67f4e1..3e8ed5586821 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c +@@ -2059,19 +2059,24 @@ static int normalize_vports_min_rate(struct mlx5_eswitch *esw, u32 divider) + int mlx5_eswitch_set_vport_rate(struct mlx5_eswitch *esw, int vport, + u32 max_rate, u32 min_rate) + { +- u32 fw_max_bw_share = MLX5_CAP_QOS(esw->dev, max_tsar_bw_share); +- bool min_rate_supported = MLX5_CAP_QOS(esw->dev, esw_bw_share) && +- fw_max_bw_share >= MLX5_MIN_BW_SHARE; +- bool max_rate_supported = MLX5_CAP_QOS(esw->dev, esw_rate_limit); + struct mlx5_vport *evport; ++ u32 fw_max_bw_share; + u32 previous_min_rate; + u32 divider; ++ bool min_rate_supported; ++ bool max_rate_supported; + int err = 0; + + if (!ESW_ALLOWED(esw)) + return -EPERM; + if (!LEGAL_VPORT(esw, vport)) + return -EINVAL; ++ ++ fw_max_bw_share = MLX5_CAP_QOS(esw->dev, max_tsar_bw_share); ++ min_rate_supported = MLX5_CAP_QOS(esw->dev, esw_bw_share) && ++ fw_max_bw_share >= MLX5_MIN_BW_SHARE; ++ max_rate_supported = MLX5_CAP_QOS(esw->dev, esw_rate_limit); ++ + if ((min_rate && !min_rate_supported) || (max_rate && !max_rate_supported)) + return -EOPNOTSUPP; + +-- +2.19.1 + diff --git a/queue-5.0/net-mlx5e-fix-access-to-non-existing-receive-queue.patch b/queue-5.0/net-mlx5e-fix-access-to-non-existing-receive-queue.patch new file mode 100644 index 00000000000..42796e8d0ed --- /dev/null +++ b/queue-5.0/net-mlx5e-fix-access-to-non-existing-receive-queue.patch @@ -0,0 +1,43 @@ +From ccd99c07f746e1f684272aad9376420eeff3c546 Mon Sep 17 00:00:00 2001 +From: Tariq Toukan +Date: Tue, 5 Mar 2019 16:45:09 +0200 +Subject: net/mlx5e: Fix access to non-existing receive queue + +[ Upstream commit c475e11e82d16133304321bae285c5c1d4cfc856 ] + +In case number of channels is changed while interface is down, +RSS indirection table is mistakenly not modified accordingly, +causing access to out-of-range non-existing object. + +Fix by updating the RSS indireciton table also in the early +return flow of interface down. + +Fixes: fb35c534b788 ("net/mlx5e: Fix NULL pointer derefernce in set channels error flow") +Fixes: bbeb53b8b2c9 ("net/mlx5e: Move RSS params to a dedicated struct") +Reported-by: Or Gerlitz +Tested-by: Maria Pasechnik +Signed-off-by: Tariq Toukan +Reviewed-by: Eran Ben Elisha +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c +index 47233b9a4f81..e6099f51d25f 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c +@@ -357,6 +357,9 @@ int mlx5e_ethtool_set_channels(struct mlx5e_priv *priv, + + if (!test_bit(MLX5E_STATE_OPENED, &priv->state)) { + priv->channels.params = new_channels.params; ++ if (!netif_is_rxfh_configured(priv->netdev)) ++ mlx5e_build_default_indir_rqt(priv->rss_params.indirection_rqt, ++ MLX5E_INDIR_RQT_SIZE, count); + goto out; + } + +-- +2.19.1 + diff --git a/queue-5.0/net-phy-consider-latched-link-down-status-in-polling.patch b/queue-5.0/net-phy-consider-latched-link-down-status-in-polling.patch new file mode 100644 index 00000000000..3221f924c25 --- /dev/null +++ b/queue-5.0/net-phy-consider-latched-link-down-status-in-polling.patch @@ -0,0 +1,85 @@ +From eb8c0b2f40148ccc8fa923278a9a5fa603c60e15 Mon Sep 17 00:00:00 2001 +From: Heiner Kallweit +Date: Wed, 6 Feb 2019 19:39:52 +0100 +Subject: net: phy: consider latched link-down status in polling mode + +[ Upstream commit 93c0970493c71f264e6c3c7caf1ff24a9e1de786 ] + +The link status value latches link-down events. To get the current +status we read the register twice in genphy_update_link(). There's +a potential risk that we miss a link-down event in polling mode. +This may cause issues if the user e.g. connects his machine to a +different network. + +On the other hand reading the latched value may cause issues in +interrupt mode. Following scenario: + +- After boot link goes up +- phy_start() is called triggering an aneg restart, hence link goes + down and link-down info is latched. +- After aneg has finished link goes up and triggers an interrupt. + Interrupt handler reads link status, means it reads the latched + "link is down" info. But there won't be another interrupt as long + as link stays up, therefore phylib will never recognize that link + is up. + +Deal with both scenarios by reading the register twice in interrupt +mode only. + +Signed-off-by: Heiner Kallweit +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/phy/phy-c45.c | 10 ++++++++-- + drivers/net/phy/phy_device.c | 13 +++++++++---- + 2 files changed, 17 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/phy/phy-c45.c b/drivers/net/phy/phy-c45.c +index 03af927fa5ad..e39bf0428dd9 100644 +--- a/drivers/net/phy/phy-c45.c ++++ b/drivers/net/phy/phy-c45.c +@@ -147,9 +147,15 @@ int genphy_c45_read_link(struct phy_device *phydev, u32 mmd_mask) + mmd_mask &= ~BIT(devad); + + /* The link state is latched low so that momentary link +- * drops can be detected. Do not double-read the status +- * register if the link is down. ++ * drops can be detected. Do not double-read the status ++ * in polling mode to detect such short link drops. + */ ++ if (!phy_polling_mode(phydev)) { ++ val = phy_read_mmd(phydev, devad, MDIO_STAT1); ++ if (val < 0) ++ return val; ++ } ++ + val = phy_read_mmd(phydev, devad, MDIO_STAT1); + if (val < 0) + return val; +diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c +index 739434fe04fa..adf79614c2db 100644 +--- a/drivers/net/phy/phy_device.c ++++ b/drivers/net/phy/phy_device.c +@@ -1683,10 +1683,15 @@ int genphy_update_link(struct phy_device *phydev) + { + int status; + +- /* Do a fake read */ +- status = phy_read(phydev, MII_BMSR); +- if (status < 0) +- return status; ++ /* The link state is latched low so that momentary link ++ * drops can be detected. Do not double-read the status ++ * in polling mode to detect such short link drops. ++ */ ++ if (!phy_polling_mode(phydev)) { ++ status = phy_read(phydev, MII_BMSR); ++ if (status < 0) ++ return status; ++ } + + /* Read link and autonegotiation status */ + status = phy_read(phydev, MII_BMSR); +-- +2.19.1 + diff --git a/queue-5.0/net-stmmac-avoid-one-more-sometimes-uninitialized-cl.patch b/queue-5.0/net-stmmac-avoid-one-more-sometimes-uninitialized-cl.patch new file mode 100644 index 00000000000..92b32eff496 --- /dev/null +++ b/queue-5.0/net-stmmac-avoid-one-more-sometimes-uninitialized-cl.patch @@ -0,0 +1,51 @@ +From 14e5adf4645778709e5d717f55df3ac3c267f084 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Thu, 7 Mar 2019 21:02:39 -0700 +Subject: net: stmmac: Avoid one more sometimes uninitialized Clang warning + +[ Upstream commit 1f5d861f7fefa971b2c6e766f77932c86419a319 ] + +When building with -Wsometimes-uninitialized, Clang warns: + +drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c:111:2: error: variable +'ns' is used uninitialized whenever 'if' condition is false +[-Werror,-Wsometimes-uninitialized] +drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c:111:2: error: variable +'ns' is used uninitialized whenever '&&' condition is false +[-Werror,-Wsometimes-uninitialized] + +Clang is concerned with the use of stmmac_do_void_callback (which +stmmac_get_systime wraps), as it may fail to initialize these values if +the if condition was ever false (meaning the callback doesn't exist). +It's not wrong because the callback is what initializes ns. While it's +unlikely that the callback is going to disappear at some point and make +that condition false, we can easily avoid this warning by zero +initializing the variable. + +Link: https://github.com/ClangBuiltLinux/linux/issues/384 +Fixes: df103170854e ("net: stmmac: Avoid sometimes uninitialized Clang warnings") +Suggested-by: Nick Desaulniers +Signed-off-by: Nathan Chancellor +Reviewed-by: Nick Desaulniers +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c +index 2293e21f789f..cc60b3fb0892 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c +@@ -105,7 +105,7 @@ static int stmmac_get_time(struct ptp_clock_info *ptp, struct timespec64 *ts) + struct stmmac_priv *priv = + container_of(ptp, struct stmmac_priv, ptp_clock_ops); + unsigned long flags; +- u64 ns; ++ u64 ns = 0; + + spin_lock_irqsave(&priv->ptp_lock, flags); + stmmac_get_systime(priv, priv->ptpaddr, &ns); +-- +2.19.1 + diff --git a/queue-5.0/net-stmmac-avoid-sometimes-uninitialized-clang-warni.patch b/queue-5.0/net-stmmac-avoid-sometimes-uninitialized-clang-warni.patch new file mode 100644 index 00000000000..d71ad1aee6c --- /dev/null +++ b/queue-5.0/net-stmmac-avoid-sometimes-uninitialized-clang-warni.patch @@ -0,0 +1,70 @@ +From adddc2f6db936525669667128fb7ce0f2f8b6d7a Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Thu, 7 Mar 2019 11:00:28 -0700 +Subject: net: stmmac: Avoid sometimes uninitialized Clang warnings + +[ Upstream commit df103170854e87124ee7bdd2bca64b178e653f97 ] + +When building with -Wsometimes-uninitialized, Clang warns: + +drivers/net/ethernet/stmicro/stmmac/stmmac_main.c:495:3: warning: variable 'ns' is used uninitialized whenever 'if' condition is false [-Wsometimes-uninitialized] +drivers/net/ethernet/stmicro/stmmac/stmmac_main.c:495:3: warning: variable 'ns' is used uninitialized whenever '&&' condition is false [-Wsometimes-uninitialized] +drivers/net/ethernet/stmicro/stmmac/stmmac_main.c:532:3: warning: variable 'ns' is used uninitialized whenever 'if' condition is false [-Wsometimes-uninitialized] +drivers/net/ethernet/stmicro/stmmac/stmmac_main.c:532:3: warning: variable 'ns' is used uninitialized whenever '&&' condition is false [-Wsometimes-uninitialized] +drivers/net/ethernet/stmicro/stmmac/stmmac_main.c:741:3: warning: variable 'sec_inc' is used uninitialized whenever 'if' condition is false [-Wsometimes-uninitialized] +drivers/net/ethernet/stmicro/stmmac/stmmac_main.c:741:3: warning: variable 'sec_inc' is used uninitialized whenever '&&' condition is false [-Wsometimes-uninitialized] + +Clang is concerned with the use of stmmac_do_void_callback (which +stmmac_get_timestamp and stmmac_config_sub_second_increment wrap), +as it may fail to initialize these values if the if condition was ever +false (meaning the callbacks don't exist). It's not wrong because the +callbacks (get_timestamp and config_sub_second_increment respectively) +are the ones that initialize the variables. While it's unlikely that the +callbacks are ever going to disappear and make that condition false, we +can easily avoid this warning by zero initialize the variables. + +Link: https://github.com/ClangBuiltLinux/linux/issues/384 +Suggested-by: Nick Desaulniers +Reviewed-by: Nick Desaulniers +Signed-off-by: Nathan Chancellor +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index 685d20472358..019ab99e65bb 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -474,7 +474,7 @@ static void stmmac_get_tx_hwtstamp(struct stmmac_priv *priv, + struct dma_desc *p, struct sk_buff *skb) + { + struct skb_shared_hwtstamps shhwtstamp; +- u64 ns; ++ u64 ns = 0; + + if (!priv->hwts_tx_en) + return; +@@ -513,7 +513,7 @@ static void stmmac_get_rx_hwtstamp(struct stmmac_priv *priv, struct dma_desc *p, + { + struct skb_shared_hwtstamps *shhwtstamp = NULL; + struct dma_desc *desc = p; +- u64 ns; ++ u64 ns = 0; + + if (!priv->hwts_rx_en) + return; +@@ -558,8 +558,8 @@ static int stmmac_hwtstamp_ioctl(struct net_device *dev, struct ifreq *ifr) + u32 snap_type_sel = 0; + u32 ts_master_en = 0; + u32 ts_event_en = 0; ++ u32 sec_inc = 0; + u32 value = 0; +- u32 sec_inc; + bool xmac; + + xmac = priv->plat->has_gmac4 || priv->plat->has_xgmac; +-- +2.19.1 + diff --git a/queue-5.0/netfilter-conntrack-fix-cloned-unconfirmed-skb-_nfct.patch b/queue-5.0/netfilter-conntrack-fix-cloned-unconfirmed-skb-_nfct.patch new file mode 100644 index 00000000000..e180f7f4b90 --- /dev/null +++ b/queue-5.0/netfilter-conntrack-fix-cloned-unconfirmed-skb-_nfct.patch @@ -0,0 +1,131 @@ +From e58cadaee7cff645a291e0157f4f7640067ebf0f Mon Sep 17 00:00:00 2001 +From: Chieh-Min Wang +Date: Tue, 12 Feb 2019 00:59:55 +0100 +Subject: netfilter: conntrack: fix cloned unconfirmed skb->_nfct race in + __nf_conntrack_confirm + +[ Upstream commit 13f5251fd17088170c18844534682d9cab5ff5aa ] + +For bridge(br_flood) or broadcast/multicast packets, they could clone +skb with unconfirmed conntrack which break the rule that unconfirmed +skb->_nfct is never shared. With nfqueue running on my system, the race +can be easily reproduced with following warning calltrace: + +[13257.707525] CPU: 0 PID: 12132 Comm: main Tainted: P W 4.4.60 #7744 +[13257.707568] Hardware name: Qualcomm (Flattened Device Tree) +[13257.714700] [] (unwind_backtrace) from [] (show_stack+0x10/0x14) +[13257.720253] [] (show_stack) from [] (dump_stack+0x94/0xa8) +[13257.728240] [] (dump_stack) from [] (warn_slowpath_common+0x94/0xb0) +[13257.735268] [] (warn_slowpath_common) from [] (warn_slowpath_null+0x1c/0x24) +[13257.743519] [] (warn_slowpath_null) from [] (__nf_conntrack_confirm+0xa8/0x618) +[13257.752284] [] (__nf_conntrack_confirm) from [] (ipv4_confirm+0xb8/0xfc) +[13257.761049] [] (ipv4_confirm) from [] (nf_iterate+0x48/0xa8) +[13257.769725] [] (nf_iterate) from [] (nf_hook_slow+0x30/0xb0) +[13257.777108] [] (nf_hook_slow) from [] (br_nf_post_routing+0x274/0x31c) +[13257.784486] [] (br_nf_post_routing) from [] (nf_iterate+0x48/0xa8) +[13257.792556] [] (nf_iterate) from [] (nf_hook_slow+0x30/0xb0) +[13257.800458] [] (nf_hook_slow) from [] (br_forward_finish+0x94/0xa4) +[13257.808010] [] (br_forward_finish) from [] (br_nf_forward_finish+0x150/0x1ac) +[13257.815736] [] (br_nf_forward_finish) from [] (nf_reinject+0x108/0x170) +[13257.824762] [] (nf_reinject) from [] (nfqnl_recv_verdict+0x3d8/0x420) +[13257.832924] [] (nfqnl_recv_verdict) from [] (nfnetlink_rcv_msg+0x158/0x248) +[13257.841256] [] (nfnetlink_rcv_msg) from [] (netlink_rcv_skb+0x54/0xb0) +[13257.849762] [] (netlink_rcv_skb) from [] (netlink_unicast+0x148/0x23c) +[13257.858093] [] (netlink_unicast) from [] (netlink_sendmsg+0x2ec/0x368) +[13257.866348] [] (netlink_sendmsg) from [] (sock_sendmsg+0x34/0x44) +[13257.874590] [] (sock_sendmsg) from [] (___sys_sendmsg+0x1ec/0x200) +[13257.882489] [] (___sys_sendmsg) from [] (__sys_sendmsg+0x3c/0x64) +[13257.890300] [] (__sys_sendmsg) from [] (ret_fast_syscall+0x0/0x34) + +The original code just triggered the warning but do nothing. It will +caused the shared conntrack moves to the dying list and the packet be +droppped (nf_ct_resolve_clash returns NF_DROP for dying conntrack). + +- Reproduce steps: + ++----------------------------+ +| br0(bridge) | +| | ++-+---------+---------+------+ + | eth0| | eth1| | eth2| + | | | | | | + +--+--+ +--+--+ +---+-+ + | | | + | | | + +--+-+ +-+--+ +--+-+ + | PC1| | PC2| | PC3| + +----+ +----+ +----+ + +iptables -A FORWARD -m mark --mark 0x1000000/0x1000000 -j NFQUEUE --queue-num 100 --queue-bypass + +ps: Our nfq userspace program will set mark on packets whose connection +has already been processed. + +PC1 sends broadcast packets simulated by hping3: + +hping3 --rand-source --udp 192.168.1.255 -i u100 + +- Broadcast racing flow chart is as follow: + +br_handle_frame + BR_HOOK(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING, br_handle_frame_finish) + // skb->_nfct (unconfirmed conntrack) is constructed at PRE_ROUTING stage + br_handle_frame_finish + // check if this packet is broadcast + br_flood_forward + br_flood + list_for_each_entry_rcu(p, &br->port_list, list) // iterate through each port + maybe_deliver + deliver_clone + skb = skb_clone(skb) + __br_forward + BR_HOOK(NFPROTO_BRIDGE, NF_BR_FORWARD,...) + // queue in our nfq and received by our userspace program + // goto __nf_conntrack_confirm with process context on CPU 1 + br_pass_frame_up + BR_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN,...) + // goto __nf_conntrack_confirm with softirq context on CPU 0 + +Because conntrack confirm can happen at both INPUT and POSTROUTING +stage. So with NFQUEUE running, skb->_nfct with the same unconfirmed +conntrack could race on different core. + +This patch fixes a repeating kernel splat, now it is only displayed +once. + +Signed-off-by: Chieh-Min Wang +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_core.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c +index db4d46332e86..9dd4c2048a2b 100644 +--- a/net/netfilter/nf_conntrack_core.c ++++ b/net/netfilter/nf_conntrack_core.c +@@ -901,10 +901,18 @@ __nf_conntrack_confirm(struct sk_buff *skb) + * REJECT will give spurious warnings here. + */ + +- /* No external references means no one else could have +- * confirmed us. ++ /* Another skb with the same unconfirmed conntrack may ++ * win the race. This may happen for bridge(br_flood) ++ * or broadcast/multicast packets do skb_clone with ++ * unconfirmed conntrack. + */ +- WARN_ON(nf_ct_is_confirmed(ct)); ++ if (unlikely(nf_ct_is_confirmed(ct))) { ++ WARN_ON_ONCE(1); ++ nf_conntrack_double_unlock(hash, reply_hash); ++ local_bh_enable(); ++ return NF_DROP; ++ } ++ + pr_debug("Confirming conntrack %p\n", ct); + /* We have to check the DYING flag after unlink to prevent + * a race against nf_ct_get_next_corpse() possibly called from +-- +2.19.1 + diff --git a/queue-5.0/netfilter-conntrack-tcp-only-close-if-rst-matches-ex.patch b/queue-5.0/netfilter-conntrack-tcp-only-close-if-rst-matches-ex.patch new file mode 100644 index 00000000000..c17f5dee049 --- /dev/null +++ b/queue-5.0/netfilter-conntrack-tcp-only-close-if-rst-matches-ex.patch @@ -0,0 +1,213 @@ +From a09890475beefc37aaa1177046431215d17c493e Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Thu, 21 Feb 2019 17:09:31 +0100 +Subject: netfilter: conntrack: tcp: only close if RST matches exact sequence + +[ Upstream commit be0502a3f2e94211a8809a09ecbc3a017189b8fb ] + +TCP resets cause instant transition from established to closed state +provided the reset is in-window. Endpoints that implement RFC 5961 +require resets to match the next expected sequence number. +RST segments that are in-window (but that do not match RCV.NXT) are +ignored, and a "challenge ACK" is sent back. + +Main problem for conntrack is that its a middlebox, i.e. whereas an end +host might have ACK'd SEQ (and would thus accept an RST with this +sequence number), conntrack might not have seen this ACK (yet). + +Therefore we can't simply flag RSTs with non-exact match as invalid. + +This updates RST processing as follows: + +1. If the connection is in a state other than ESTABLISHED, nothing is + changed, RST is subject to normal in-window check. + +2. If the RSTs sequence number either matches exactly RCV.NXT, + connection state moves to CLOSE. + +3. The same applies if the RST sequence number aligns with a previous + packet in the same direction. + +In all other cases, the connection remains in ESTABLISHED state. +If the normal-in-window check passes, the timeout will be lowered +to that of CLOSE. + +If the peer sends a challenge ack, connection timeout will be reset. + +If the challenge ACK triggers another RST (RST was valid after all), +this 2nd RST will match expected sequence and conntrack state changes to +CLOSE. + +If no challenge ACK is received, the connection will time out after +CLOSE seconds (10 seconds by default), just like without this patch. + +Packetdrill test case: + +0.000 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3 +0.000 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0 +0.000 bind(3, ..., ...) = 0 +0.000 listen(3, 1) = 0 + +0.100 < S 0:0(0) win 32792 +0.100 > S. 0:0(0) ack 1 win 64240 +0.200 < . 1:1(0) ack 1 win 257 +0.200 accept(3, ..., ...) = 4 + +// Receive a segment. +0.210 < P. 1:1001(1000) ack 1 win 46 +0.210 > . 1:1(0) ack 1001 + +// Application writes 1000 bytes. +0.250 write(4, ..., 1000) = 1000 +0.250 > P. 1:1001(1000) ack 1001 + +// First reset, old sequence. Conntrack (correctly) considers this +// invalid due to failed window validation (regardless of this patch). +0.260 < R 2:2(0) ack 1001 win 260 + +// 2nd reset, but too far ahead sequence. Same: correctly handled +// as invalid. +0.270 < R 99990001:99990001(0) ack 1001 win 260 + +// in-window, but not exact sequence. +// Current Linux kernels might reply with a challenge ack, and do not +// remove connection. +// Without this patch, conntrack state moves to CLOSE. +// With patch, timeout is lowered like CLOSE, but connection stays +// in ESTABLISHED state. +0.280 < R 1010:1010(0) ack 1001 win 260 + +// Expect challenge ACK +0.281 > . 1001:1001(0) ack 1001 win 501 + +// With or without this patch, RST will cause connection +// to move to CLOSE (sequence number matches) +// 0.282 < R 1001:1001(0) ack 1001 win 260 + +// ACK +0.300 < . 1001:1001(0) ack 1001 win 257 + +// more data could be exchanged here, connection +// is still established + +// Client closes the connection. +0.610 < F. 1001:1001(0) ack 1001 win 260 +0.650 > . 1001:1001(0) ack 1002 + +// Close the connection without reading outstanding data +0.700 close(4) = 0 + +// so one more reset. Will be deemed acceptable with patch as well: +// connection is already closing. +0.701 > R. 1001:1001(0) ack 1002 win 501 +// End packetdrill test case. + +With patch, this generates following conntrack events: + [NEW] 120 SYN_SENT src=10.0.2.1 dst=10.0.0.1 sport=5437 dport=80 [UNREPLIED] +[UPDATE] 60 SYN_RECV src=10.0.2.1 dst=10.0.0.1 sport=5437 dport=80 +[UPDATE] 432000 ESTABLISHED src=10.0.2.1 dst=10.0.0.1 sport=5437 dport=80 [ASSURED] +[UPDATE] 120 FIN_WAIT src=10.0.2.1 dst=10.0.0.1 sport=5437 dport=80 [ASSURED] +[UPDATE] 60 CLOSE_WAIT src=10.0.2.1 dst=10.0.0.1 sport=5437 dport=80 [ASSURED] +[UPDATE] 10 CLOSE src=10.0.2.1 dst=10.0.0.1 sport=5437 dport=80 [ASSURED] + +Without patch, first RST moves connection to close, whereas socket state +does not change until FIN is received. + [NEW] 120 SYN_SENT src=10.0.2.1 dst=10.0.0.1 sport=5141 dport=80 [UNREPLIED] +[UPDATE] 60 SYN_RECV src=10.0.2.1 dst=10.0.0.1 sport=5141 dport=80 +[UPDATE] 432000 ESTABLISHED src=10.0.2.1 dst=10.0.0.1 sport=5141 dport=80 [ASSURED] +[UPDATE] 10 CLOSE src=10.0.2.1 dst=10.0.0.1 sport=5141 dport=80 [ASSURED] + +Cc: Jozsef Kadlecsik +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_proto_tcp.c | 50 ++++++++++++++++++++------ + 1 file changed, 40 insertions(+), 10 deletions(-) + +diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c +index 4dcbd51a8e97..74fb3fa34db4 100644 +--- a/net/netfilter/nf_conntrack_proto_tcp.c ++++ b/net/netfilter/nf_conntrack_proto_tcp.c +@@ -828,6 +828,12 @@ static noinline bool tcp_new(struct nf_conn *ct, const struct sk_buff *skb, + return true; + } + ++static bool nf_conntrack_tcp_established(const struct nf_conn *ct) ++{ ++ return ct->proto.tcp.state == TCP_CONNTRACK_ESTABLISHED && ++ test_bit(IPS_ASSURED_BIT, &ct->status); ++} ++ + /* Returns verdict for packet, or -1 for invalid. */ + static int tcp_packet(struct nf_conn *ct, + struct sk_buff *skb, +@@ -1030,16 +1036,38 @@ static int tcp_packet(struct nf_conn *ct, + new_state = TCP_CONNTRACK_ESTABLISHED; + break; + case TCP_CONNTRACK_CLOSE: +- if (index == TCP_RST_SET +- && (ct->proto.tcp.seen[!dir].flags & IP_CT_TCP_FLAG_MAXACK_SET) +- && before(ntohl(th->seq), ct->proto.tcp.seen[!dir].td_maxack)) { +- /* Invalid RST */ +- spin_unlock_bh(&ct->lock); +- nf_ct_l4proto_log_invalid(skb, ct, "invalid rst"); +- return -NF_ACCEPT; ++ if (index != TCP_RST_SET) ++ break; ++ ++ if (ct->proto.tcp.seen[!dir].flags & IP_CT_TCP_FLAG_MAXACK_SET) { ++ u32 seq = ntohl(th->seq); ++ ++ if (before(seq, ct->proto.tcp.seen[!dir].td_maxack)) { ++ /* Invalid RST */ ++ spin_unlock_bh(&ct->lock); ++ nf_ct_l4proto_log_invalid(skb, ct, "invalid rst"); ++ return -NF_ACCEPT; ++ } ++ ++ if (!nf_conntrack_tcp_established(ct) || ++ seq == ct->proto.tcp.seen[!dir].td_maxack) ++ break; ++ ++ /* Check if rst is part of train, such as ++ * foo:80 > bar:4379: P, 235946583:235946602(19) ack 42 ++ * foo:80 > bar:4379: R, 235946602:235946602(0) ack 42 ++ */ ++ if (ct->proto.tcp.last_index == TCP_ACK_SET && ++ ct->proto.tcp.last_dir == dir && ++ seq == ct->proto.tcp.last_end) ++ break; ++ ++ /* ... RST sequence number doesn't match exactly, keep ++ * established state to allow a possible challenge ACK. ++ */ ++ new_state = old_state; + } +- if (index == TCP_RST_SET +- && ((test_bit(IPS_SEEN_REPLY_BIT, &ct->status) ++ if (((test_bit(IPS_SEEN_REPLY_BIT, &ct->status) + && ct->proto.tcp.last_index == TCP_SYN_SET) + || (!test_bit(IPS_ASSURED_BIT, &ct->status) + && ct->proto.tcp.last_index == TCP_ACK_SET)) +@@ -1055,7 +1083,7 @@ static int tcp_packet(struct nf_conn *ct, + * segments we ignored. */ + goto in_window; + } +- /* Just fall through */ ++ break; + default: + /* Keep compilers happy. */ + break; +@@ -1090,6 +1118,8 @@ static int tcp_packet(struct nf_conn *ct, + if (ct->proto.tcp.retrans >= tn->tcp_max_retrans && + timeouts[new_state] > timeouts[TCP_CONNTRACK_RETRANS]) + timeout = timeouts[TCP_CONNTRACK_RETRANS]; ++ else if (unlikely(index == TCP_RST_SET)) ++ timeout = timeouts[TCP_CONNTRACK_CLOSE]; + else if ((ct->proto.tcp.seen[0].flags | ct->proto.tcp.seen[1].flags) & + IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED && + timeouts[new_state] > timeouts[TCP_CONNTRACK_UNACK]) +-- +2.19.1 + diff --git a/queue-5.0/netfilter-nf_tables-check-the-result-of-dereferencin.patch b/queue-5.0/netfilter-nf_tables-check-the-result-of-dereferencin.patch new file mode 100644 index 00000000000..8d720f8e673 --- /dev/null +++ b/queue-5.0/netfilter-nf_tables-check-the-result-of-dereferencin.patch @@ -0,0 +1,70 @@ +From 929a76111bc090de5908888351a7f9da91a07b35 Mon Sep 17 00:00:00 2001 +From: Li RongQing +Date: Tue, 26 Feb 2019 17:13:56 +0800 +Subject: netfilter: nf_tables: check the result of dereferencing + base_chain->stats + +[ Upstream commit a9f5e78c403d2d62ade4f4c85040efc85f4049b8 ] + +Check the result of dereferencing base_chain->stats, instead of result +of this_cpu_ptr with NULL. + +base_chain->stats maybe be changed to NULL when a chain is updated and a +new NULL counter can be attached. + +And we do not need to check returning of this_cpu_ptr since +base_chain->stats is from percpu allocator if it is non-NULL, +this_cpu_ptr returns a valid value. + +And fix two sparse error by replacing rcu_access_pointer and +rcu_dereference with READ_ONCE under rcu_read_lock. + +Thanks for Eric's help to finish this patch. + +Fixes: 009240940e84c1 ("netfilter: nf_tables: don't assume chain stats are set when jumplabel is set") +Signed-off-by: Eric Dumazet +Signed-off-by: Zhang Yu +Signed-off-by: Li RongQing +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_core.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c +index a50500232b0a..7e8dae82ca52 100644 +--- a/net/netfilter/nf_tables_core.c ++++ b/net/netfilter/nf_tables_core.c +@@ -98,21 +98,23 @@ static noinline void nft_update_chain_stats(const struct nft_chain *chain, + const struct nft_pktinfo *pkt) + { + struct nft_base_chain *base_chain; ++ struct nft_stats __percpu *pstats; + struct nft_stats *stats; + + base_chain = nft_base_chain(chain); +- if (!rcu_access_pointer(base_chain->stats)) +- return; + +- local_bh_disable(); +- stats = this_cpu_ptr(rcu_dereference(base_chain->stats)); +- if (stats) { ++ rcu_read_lock(); ++ pstats = READ_ONCE(base_chain->stats); ++ if (pstats) { ++ local_bh_disable(); ++ stats = this_cpu_ptr(pstats); + u64_stats_update_begin(&stats->syncp); + stats->pkts++; + stats->bytes += pkt->skb->len; + u64_stats_update_end(&stats->syncp); ++ local_bh_enable(); + } +- local_bh_enable(); ++ rcu_read_unlock(); + } + + struct nft_jumpstack { +-- +2.19.1 + diff --git a/queue-5.0/netfilter-physdev-relax-br_netfilter-dependency.patch b/queue-5.0/netfilter-physdev-relax-br_netfilter-dependency.patch new file mode 100644 index 00000000000..6901caf69c2 --- /dev/null +++ b/queue-5.0/netfilter-physdev-relax-br_netfilter-dependency.patch @@ -0,0 +1,95 @@ +From d7f40e80189e5a047b1ca7f708b88b4a4042e255 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Fri, 11 Jan 2019 14:46:15 +0100 +Subject: netfilter: physdev: relax br_netfilter dependency + +[ Upstream commit 8e2f311a68494a6677c1724bdcb10bada21af37c ] + +Following command: + iptables -D FORWARD -m physdev ... +causes connectivity loss in some setups. + +Reason is that iptables userspace will probe kernel for the module revision +of the physdev patch, and physdev has an artificial dependency on +br_netfilter (xt_physdev use makes no sense unless a br_netfilter module +is loaded). + +This causes the "phydev" module to be loaded, which in turn enables the +"call-iptables" infrastructure. + +bridged packets might then get dropped by the iptables ruleset. + +The better fix would be to change the "call-iptables" defaults to 0 and +enforce explicit setting to 1, but that breaks backwards compatibility. + +This does the next best thing: add a request_module call to checkentry. +This was a stray '-D ... -m physdev' won't activate br_netfilter +anymore. + +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/net/netfilter/br_netfilter.h | 1 - + net/bridge/br_netfilter_hooks.c | 5 ----- + net/netfilter/xt_physdev.c | 9 +++++++-- + 3 files changed, 7 insertions(+), 8 deletions(-) + +diff --git a/include/net/netfilter/br_netfilter.h b/include/net/netfilter/br_netfilter.h +index 4cd56808ac4e..89808ce293c4 100644 +--- a/include/net/netfilter/br_netfilter.h ++++ b/include/net/netfilter/br_netfilter.h +@@ -43,7 +43,6 @@ static inline struct rtable *bridge_parent_rtable(const struct net_device *dev) + } + + struct net_device *setup_pre_routing(struct sk_buff *skb); +-void br_netfilter_enable(void); + + #if IS_ENABLED(CONFIG_IPV6) + int br_validate_ipv6(struct net *net, struct sk_buff *skb); +diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c +index c93c35bb73dd..40d058378b52 100644 +--- a/net/bridge/br_netfilter_hooks.c ++++ b/net/bridge/br_netfilter_hooks.c +@@ -881,11 +881,6 @@ static const struct nf_br_ops br_ops = { + .br_dev_xmit_hook = br_nf_dev_xmit, + }; + +-void br_netfilter_enable(void) +-{ +-} +-EXPORT_SYMBOL_GPL(br_netfilter_enable); +- + /* For br_nf_post_routing, we need (prio = NF_BR_PRI_LAST), because + * br_dev_queue_push_xmit is called afterwards */ + static const struct nf_hook_ops br_nf_ops[] = { +diff --git a/net/netfilter/xt_physdev.c b/net/netfilter/xt_physdev.c +index 4034d70bff39..b2e39cb6a590 100644 +--- a/net/netfilter/xt_physdev.c ++++ b/net/netfilter/xt_physdev.c +@@ -96,8 +96,7 @@ match_outdev: + static int physdev_mt_check(const struct xt_mtchk_param *par) + { + const struct xt_physdev_info *info = par->matchinfo; +- +- br_netfilter_enable(); ++ static bool brnf_probed __read_mostly; + + if (!(info->bitmask & XT_PHYSDEV_OP_MASK) || + info->bitmask & ~XT_PHYSDEV_OP_MASK) +@@ -111,6 +110,12 @@ static int physdev_mt_check(const struct xt_mtchk_param *par) + if (par->hook_mask & (1 << NF_INET_LOCAL_OUT)) + return -EINVAL; + } ++ ++ if (!brnf_probed) { ++ brnf_probed = true; ++ request_module("br_netfilter"); ++ } ++ + return 0; + } + +-- +2.19.1 + diff --git a/queue-5.0/nvme-fc-fix-numa_node-when-dev-is-null.patch b/queue-5.0/nvme-fc-fix-numa_node-when-dev-is-null.patch new file mode 100644 index 00000000000..25d6947c0af --- /dev/null +++ b/queue-5.0/nvme-fc-fix-numa_node-when-dev-is-null.patch @@ -0,0 +1,47 @@ +From 64736fb84b5fd37ebaeb7136c0d9b66fae5710da Mon Sep 17 00:00:00 2001 +From: James Smart +Date: Wed, 13 Mar 2019 18:55:01 +0100 +Subject: nvme-fc: fix numa_node when dev is null + +[ Upstream commit 06f3d71ea071b70e62bcc146cd9ff7ed1f9d4e43 ] + +A recent change added a numa_node field to the nvme controller +and has the transport assign the node using dev_to_node(). +However, fcloop registers with a NULL device struct, so the +dev_to_node() call oops. + +Revise the assignment to assign no node when device struct is null. + +Fixes: 103e515efa89b ("nvme: add a numa_node field to struct nvme_ctrl") +Reported-by: Mike Snitzer +Signed-off-by: James Smart +Reviewed-by: Sagi Grimberg +Reviewed-by: Hannes Reinecke +Reviewed-by: Mike Snitzer +[hch: small coding style fixup] +Signed-off-by: Christoph Hellwig +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/fc.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/fc.c b/drivers/nvme/host/fc.c +index 89accc76d71c..c37d5bbd72ab 100644 +--- a/drivers/nvme/host/fc.c ++++ b/drivers/nvme/host/fc.c +@@ -3018,7 +3018,10 @@ nvme_fc_init_ctrl(struct device *dev, struct nvmf_ctrl_options *opts, + + ctrl->ctrl.opts = opts; + ctrl->ctrl.nr_reconnects = 0; +- ctrl->ctrl.numa_node = dev_to_node(lport->dev); ++ if (lport->dev) ++ ctrl->ctrl.numa_node = dev_to_node(lport->dev); ++ else ++ ctrl->ctrl.numa_node = NUMA_NO_NODE; + INIT_LIST_HEAD(&ctrl->ctrl_list); + ctrl->lport = lport; + ctrl->rport = rport; +-- +2.19.1 + diff --git a/queue-5.0/nvme-loop-init-nvmet_ctrl-fatal_err_work-when-alloca.patch b/queue-5.0/nvme-loop-init-nvmet_ctrl-fatal_err_work-when-alloca.patch new file mode 100644 index 00000000000..e6edeccfe75 --- /dev/null +++ b/queue-5.0/nvme-loop-init-nvmet_ctrl-fatal_err_work-when-alloca.patch @@ -0,0 +1,99 @@ +From c6f3b7ef60e0c7aea0ee00cef5e0eb31bd09ebd3 Mon Sep 17 00:00:00 2001 +From: Yufen Yu +Date: Wed, 13 Mar 2019 18:54:59 +0100 +Subject: nvme-loop: init nvmet_ctrl fatal_err_work when allocate + +[ Upstream commit d11de63f2b519f0a162b834013b6d3a46dbf3886 ] + +After commit 4d43d395fe (workqueue: Try to catch flush_work() without +INIT_WORK()), it can cause warning when delete nvme-loop device, trace +like: + +[ 76.601272] Call Trace: +[ 76.601646] ? del_timer+0x72/0xa0 +[ 76.602156] __cancel_work_timer+0x1ae/0x270 +[ 76.602791] cancel_work_sync+0x14/0x20 +[ 76.603407] nvmet_ctrl_free+0x1b7/0x2f0 [nvmet] +[ 76.604091] ? free_percpu+0x168/0x300 +[ 76.604652] nvmet_sq_destroy+0x106/0x240 [nvmet] +[ 76.605346] nvme_loop_destroy_admin_queue+0x30/0x60 [nvme_loop] +[ 76.606220] nvme_loop_shutdown_ctrl+0xc3/0xf0 [nvme_loop] +[ 76.607026] nvme_loop_delete_ctrl_host+0x19/0x30 [nvme_loop] +[ 76.607871] nvme_do_delete_ctrl+0x75/0xb0 +[ 76.608477] nvme_sysfs_delete+0x7d/0xc0 +[ 76.609057] dev_attr_store+0x24/0x40 +[ 76.609603] sysfs_kf_write+0x4c/0x60 +[ 76.610144] kernfs_fop_write+0x19a/0x260 +[ 76.610742] __vfs_write+0x1c/0x60 +[ 76.611246] vfs_write+0xfa/0x280 +[ 76.611739] ksys_write+0x6e/0x120 +[ 76.612238] __x64_sys_write+0x1e/0x30 +[ 76.612787] do_syscall_64+0xbf/0x3a0 +[ 76.613329] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +We fix it by moving fatal_err_work init to nvmet_alloc_ctrl(), which may +more reasonable. + +Signed-off-by: Yufen Yu +Reviewed-by: Sagi Grimberg +Reviewed-by: Bart Van Assche +Signed-off-by: Christoph Hellwig +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/core.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c +index 88d260f31835..02c63c463222 100644 +--- a/drivers/nvme/target/core.c ++++ b/drivers/nvme/target/core.c +@@ -1171,6 +1171,15 @@ static void nvmet_release_p2p_ns_map(struct nvmet_ctrl *ctrl) + put_device(ctrl->p2p_client); + } + ++static void nvmet_fatal_error_handler(struct work_struct *work) ++{ ++ struct nvmet_ctrl *ctrl = ++ container_of(work, struct nvmet_ctrl, fatal_err_work); ++ ++ pr_err("ctrl %d fatal error occurred!\n", ctrl->cntlid); ++ ctrl->ops->delete_ctrl(ctrl); ++} ++ + u16 nvmet_alloc_ctrl(const char *subsysnqn, const char *hostnqn, + struct nvmet_req *req, u32 kato, struct nvmet_ctrl **ctrlp) + { +@@ -1213,6 +1222,7 @@ u16 nvmet_alloc_ctrl(const char *subsysnqn, const char *hostnqn, + INIT_WORK(&ctrl->async_event_work, nvmet_async_event_work); + INIT_LIST_HEAD(&ctrl->async_events); + INIT_RADIX_TREE(&ctrl->p2p_ns_map, GFP_KERNEL); ++ INIT_WORK(&ctrl->fatal_err_work, nvmet_fatal_error_handler); + + memcpy(ctrl->subsysnqn, subsysnqn, NVMF_NQN_SIZE); + memcpy(ctrl->hostnqn, hostnqn, NVMF_NQN_SIZE); +@@ -1316,21 +1326,11 @@ void nvmet_ctrl_put(struct nvmet_ctrl *ctrl) + kref_put(&ctrl->ref, nvmet_ctrl_free); + } + +-static void nvmet_fatal_error_handler(struct work_struct *work) +-{ +- struct nvmet_ctrl *ctrl = +- container_of(work, struct nvmet_ctrl, fatal_err_work); +- +- pr_err("ctrl %d fatal error occurred!\n", ctrl->cntlid); +- ctrl->ops->delete_ctrl(ctrl); +-} +- + void nvmet_ctrl_fatal_error(struct nvmet_ctrl *ctrl) + { + mutex_lock(&ctrl->lock); + if (!(ctrl->csts & NVME_CSTS_CFS)) { + ctrl->csts |= NVME_CSTS_CFS; +- INIT_WORK(&ctrl->fatal_err_work, nvmet_fatal_error_handler); + schedule_work(&ctrl->fatal_err_work); + } + mutex_unlock(&ctrl->lock); +-- +2.19.1 + diff --git a/queue-5.0/ocfs2-fix-a-panic-problem-caused-by-o2cb_ctl.patch b/queue-5.0/ocfs2-fix-a-panic-problem-caused-by-o2cb_ctl.patch new file mode 100644 index 00000000000..a3bf0b86a95 --- /dev/null +++ b/queue-5.0/ocfs2-fix-a-panic-problem-caused-by-o2cb_ctl.patch @@ -0,0 +1,70 @@ +From 59c8d52d66c0a0580ecde7308b0ffac6694c8e5c Mon Sep 17 00:00:00 2001 +From: Jia Guo +Date: Tue, 5 Mar 2019 15:41:41 -0800 +Subject: ocfs2: fix a panic problem caused by o2cb_ctl + +[ Upstream commit cc725ef3cb202ef2019a3c67c8913efa05c3cce6 ] + +In the process of creating a node, it will cause NULL pointer +dereference in kernel if o2cb_ctl failed in the interval (mkdir, +o2cb_set_node_attribute(node_num)] in function o2cb_add_node. + +The node num is initialized to 0 in function o2nm_node_group_make_item, +o2nm_node_group_drop_item will mistake the node number 0 for a valid +node number when we delete the node before the node number is set +correctly. If the local node number of the current host happens to be +0, cluster->cl_local_node will be set to O2NM_INVALID_NODE_NUM while +o2hb_thread still running. The panic stack is generated as follows: + + o2hb_thread + \-o2hb_do_disk_heartbeat + \-o2hb_check_own_slot + |-slot = ®->hr_slots[o2nm_this_node()]; + //o2nm_this_node() return O2NM_INVALID_NODE_NUM + +We need to check whether the node number is set when we delete the node. + +Link: http://lkml.kernel.org/r/133d8045-72cc-863e-8eae-5013f9f6bc51@huawei.com +Signed-off-by: Jia Guo +Reviewed-by: Joseph Qi +Acked-by: Jun Piao +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/ocfs2/cluster/nodemanager.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/fs/ocfs2/cluster/nodemanager.c b/fs/ocfs2/cluster/nodemanager.c +index 0e4166cc23a0..4ac775e32240 100644 +--- a/fs/ocfs2/cluster/nodemanager.c ++++ b/fs/ocfs2/cluster/nodemanager.c +@@ -621,13 +621,15 @@ static void o2nm_node_group_drop_item(struct config_group *group, + struct o2nm_node *node = to_o2nm_node(item); + struct o2nm_cluster *cluster = to_o2nm_cluster(group->cg_item.ci_parent); + +- o2net_disconnect_node(node); ++ if (cluster->cl_nodes[node->nd_num] == node) { ++ o2net_disconnect_node(node); + +- if (cluster->cl_has_local && +- (cluster->cl_local_node == node->nd_num)) { +- cluster->cl_has_local = 0; +- cluster->cl_local_node = O2NM_INVALID_NODE_NUM; +- o2net_stop_listening(node); ++ if (cluster->cl_has_local && ++ (cluster->cl_local_node == node->nd_num)) { ++ cluster->cl_has_local = 0; ++ cluster->cl_local_node = O2NM_INVALID_NODE_NUM; ++ o2net_stop_listening(node); ++ } + } + + /* XXX call into net to stop this node from trading messages */ +-- +2.19.1 + diff --git a/queue-5.0/page_poison-play-nicely-with-kasan.patch b/queue-5.0/page_poison-play-nicely-with-kasan.patch new file mode 100644 index 00000000000..07b2bd4995a --- /dev/null +++ b/queue-5.0/page_poison-play-nicely-with-kasan.patch @@ -0,0 +1,93 @@ +From 3b1ae9aa52ca157666786fce323f14c2f0e63698 Mon Sep 17 00:00:00 2001 +From: Qian Cai +Date: Tue, 5 Mar 2019 15:41:24 -0800 +Subject: page_poison: play nicely with KASAN + +[ Upstream commit 4117992df66a26fa33908b4969e04801534baab1 ] + +KASAN does not play well with the page poisoning (CONFIG_PAGE_POISONING). +It triggers false positives in the allocation path: + + BUG: KASAN: use-after-free in memchr_inv+0x2ea/0x330 + Read of size 8 at addr ffff88881f800000 by task swapper/0 + CPU: 0 PID: 0 Comm: swapper Not tainted 5.0.0-rc1+ #54 + Call Trace: + dump_stack+0xe0/0x19a + print_address_description.cold.2+0x9/0x28b + kasan_report.cold.3+0x7a/0xb5 + __asan_report_load8_noabort+0x19/0x20 + memchr_inv+0x2ea/0x330 + kernel_poison_pages+0x103/0x3d5 + get_page_from_freelist+0x15e7/0x4d90 + +because KASAN has not yet unpoisoned the shadow page for allocation +before it checks memchr_inv() but only found a stale poison pattern. + +Also, false positives in free path, + + BUG: KASAN: slab-out-of-bounds in kernel_poison_pages+0x29e/0x3d5 + Write of size 4096 at addr ffff8888112cc000 by task swapper/0/1 + CPU: 5 PID: 1 Comm: swapper/0 Not tainted 5.0.0-rc1+ #55 + Call Trace: + dump_stack+0xe0/0x19a + print_address_description.cold.2+0x9/0x28b + kasan_report.cold.3+0x7a/0xb5 + check_memory_region+0x22d/0x250 + memset+0x28/0x40 + kernel_poison_pages+0x29e/0x3d5 + __free_pages_ok+0x75f/0x13e0 + +due to KASAN adds poisoned redzones around slab objects, but the page +poisoning needs to poison the whole page. + +Link: http://lkml.kernel.org/r/20190114233405.67843-1-cai@lca.pw +Signed-off-by: Qian Cai +Acked-by: Andrey Ryabinin +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/page_alloc.c | 2 +- + mm/page_poison.c | 4 ++++ + 2 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/mm/page_alloc.c b/mm/page_alloc.c +index 11dc3c0e8728..20dd3283bb1b 100644 +--- a/mm/page_alloc.c ++++ b/mm/page_alloc.c +@@ -1945,8 +1945,8 @@ inline void post_alloc_hook(struct page *page, unsigned int order, + + arch_alloc_page(page, order); + kernel_map_pages(page, 1 << order, 1); +- kernel_poison_pages(page, 1 << order, 1); + kasan_alloc_pages(page, order); ++ kernel_poison_pages(page, 1 << order, 1); + set_page_owner(page, order, gfp_flags); + } + +diff --git a/mm/page_poison.c b/mm/page_poison.c +index f0c15e9017c0..21d4f97cb49b 100644 +--- a/mm/page_poison.c ++++ b/mm/page_poison.c +@@ -6,6 +6,7 @@ + #include + #include + #include ++#include + + static bool want_page_poisoning __read_mostly; + +@@ -40,7 +41,10 @@ static void poison_page(struct page *page) + { + void *addr = kmap_atomic(page); + ++ /* KASAN still think the page is in-use, so skip it. */ ++ kasan_disable_current(); + memset(addr, PAGE_POISON, PAGE_SIZE); ++ kasan_enable_current(); + kunmap_atomic(addr); + } + +-- +2.19.1 + diff --git a/queue-5.0/pci-mediatek-fix-memory-mapped-io-range-size-computa.patch b/queue-5.0/pci-mediatek-fix-memory-mapped-io-range-size-computa.patch new file mode 100644 index 00000000000..480c450fc05 --- /dev/null +++ b/queue-5.0/pci-mediatek-fix-memory-mapped-io-range-size-computa.patch @@ -0,0 +1,78 @@ +From 015f6e1934b2fabfb2bdcde3eb454597fb5c32a6 Mon Sep 17 00:00:00 2001 +From: Honghui Zhang +Date: Fri, 1 Feb 2019 13:36:06 +0800 +Subject: PCI: mediatek: Fix memory mapped IO range size computation + +[ Upstream commit c61df57343bf05743f8abbb31eec9a6f05820dd1 ] + +Mediatek's HW assigns a MMIO address range (typically starts from +0x20000000 to 0x2fffffff for both mt2712 and mt7622) for PCI usage. + +This MMIO address space represents the address space that can +be allocated to PCI devices through Base Address Registers. + +Even though the full MMIO address range is available to be allocated, it +should be enabled by the PCIE_AHB_TRANS_BASE register in the host +controller and the size that is enabled is determined by AHB2PCIE_SIZE +bits in this register. + +Owing to a bug in the MMIO window size computation, current code does +not enable the full size of the available MMIO address range in the +PCI host controller; if the PCI devices BARs requested size exceeds the +size enabled through the PCIE_AHB_TRANS_BASE register the requests +targeting the disabled address address space will be blocked by the root +complex causing a system error. + +Existing code has never run into a system error in production because +even half of the enabled MMIO range (128MB) is big enough for typical +devices BAR requests (4MB) but the full MMIO address range should +be enabled regardless. + +Fix the MMIO window size computation by using resource_size(mem) instead +of mem->end - mem->start. + +Since the MMIO window size for both MT2712 and MT7622 is 0x10000000, +this change will update the parameter passed to fls() from 0xfffffff to +0x10000000 and calculate the whole memory mapped IO range size +correctly. + +Detected through coccinelle semantic patch (and related warning): + +scripts/coccinelle/api/resource_size.cocci: + +pcie-mediatek.c:720:13-16: WARNING: Suspicious code. resource_size is maybe missing with mem + +Signed-off-by: Honghui Zhang +[lorenzo.pieralisi@arm.com: rewrote the commit log] +Signed-off-by: Lorenzo Pieralisi +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/pcie-mediatek.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/pci/controller/pcie-mediatek.c b/drivers/pci/controller/pcie-mediatek.c +index 55e471c18e8d..c42fe5c4319f 100644 +--- a/drivers/pci/controller/pcie-mediatek.c ++++ b/drivers/pci/controller/pcie-mediatek.c +@@ -654,7 +654,6 @@ static int mtk_pcie_startup_port_v2(struct mtk_pcie_port *port) + struct resource *mem = &pcie->mem; + const struct mtk_pcie_soc *soc = port->pcie->soc; + u32 val; +- size_t size; + int err; + + /* MT7622 platforms need to enable LTSSM and ASPM from PCIe subsys */ +@@ -706,8 +705,8 @@ static int mtk_pcie_startup_port_v2(struct mtk_pcie_port *port) + mtk_pcie_enable_msi(port); + + /* Set AHB to PCIe translation windows */ +- size = mem->end - mem->start; +- val = lower_32_bits(mem->start) | AHB2PCIE_SIZE(fls(size)); ++ val = lower_32_bits(mem->start) | ++ AHB2PCIE_SIZE(fls(resource_size(mem))); + writel(val, port->base + PCIE_AHB_TRANS_BASE0_L); + + val = upper_32_bits(mem->start); +-- +2.19.1 + diff --git a/queue-5.0/pci-pciehp-assign-ctrl-slot_ctrl-before-writing-it-t.patch b/queue-5.0/pci-pciehp-assign-ctrl-slot_ctrl-before-writing-it-t.patch new file mode 100644 index 00000000000..0d1de83c118 --- /dev/null +++ b/queue-5.0/pci-pciehp-assign-ctrl-slot_ctrl-before-writing-it-t.patch @@ -0,0 +1,54 @@ +From 4a34e9a432e3201276aeab5335b85e80fe30e61b Mon Sep 17 00:00:00 2001 +From: Mika Westerberg +Date: Mon, 7 Jan 2019 16:09:40 +0300 +Subject: PCI: pciehp: Assign ctrl->slot_ctrl before writing it to hardware + +[ Upstream commit 25bd879ec16ad3b83a5b1c3f16faa55e696bfccb ] + +Shameerali reported that running v4.20-rc1 as QEMU guest, the PCIe hotplug +port times out during boot: + + pciehp 0000:00:01.0:pcie004: Timeout on hotplug command 0x03f1 (issued 1016 msec ago) + pciehp 0000:00:01.0:pcie004: Timeout on hotplug command 0x03f1 (issued 1024 msec ago) + pciehp 0000:00:01.0:pcie004: Failed to check link status + pciehp 0000:00:01.0:pcie004: Timeout on hotplug command 0x02f1 (issued 2520 msec ago) + +The issue was bisected down to commit 720d6a671a6e ("PCI: pciehp: Do not +handle events if interrupts are masked") and was further analyzed by the +reporter to be caused by the fact that pciehp first updates the hardware +and only then cache the ctrl->slot_ctrl in pcie_do_write_cmd(). If the +interrupt happens before we cache the value, pciehp_isr() reads value 0 and +decides that the interrupt was not meant for it causing the above timeout +to trigger. + +Fix by moving ctrl->slot_ctrl assignment to happen before it is written to +the hardware. + +Fixes: 720d6a671a6e ("PCI: pciehp: Do not handle events if interrupts are masked") +Link: https://lore.kernel.org/linux-pci/5FC3163CFD30C246ABAA99954A238FA8387DD344@FRAEML521-MBX.china.huawei.com +Reported-by: Shameerali Kolothum Thodi +Signed-off-by: Mika Westerberg +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + drivers/pci/hotplug/pciehp_hpc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pci/hotplug/pciehp_hpc.c b/drivers/pci/hotplug/pciehp_hpc.c +index c0fb64ace05a..8bfcb8cd0900 100644 +--- a/drivers/pci/hotplug/pciehp_hpc.c ++++ b/drivers/pci/hotplug/pciehp_hpc.c +@@ -156,9 +156,9 @@ static void pcie_do_write_cmd(struct controller *ctrl, u16 cmd, + slot_ctrl |= (cmd & mask); + ctrl->cmd_busy = 1; + smp_mb(); ++ ctrl->slot_ctrl = slot_ctrl; + pcie_capability_write_word(pdev, PCI_EXP_SLTCTL, slot_ctrl); + ctrl->cmd_started = jiffies; +- ctrl->slot_ctrl = slot_ctrl; + + /* + * Controllers with the Intel CF118 and similar errata advertise +-- +2.19.1 + diff --git a/queue-5.0/pci-pme-fix-hotplug-sysfs-remove-deadlock-in-pcie_pm.patch b/queue-5.0/pci-pme-fix-hotplug-sysfs-remove-deadlock-in-pcie_pm.patch new file mode 100644 index 00000000000..0aba7d872e3 --- /dev/null +++ b/queue-5.0/pci-pme-fix-hotplug-sysfs-remove-deadlock-in-pcie_pm.patch @@ -0,0 +1,143 @@ +From 4e54d3a7c6174d04687b5426b22989b687425ac6 Mon Sep 17 00:00:00 2001 +From: "Rafael J. Wysocki" +Date: Thu, 28 Feb 2019 13:56:27 -0600 +Subject: PCI/PME: Fix hotplug/sysfs remove deadlock in pcie_pme_remove() + +[ Upstream commit 95c80bc6952b6a5badc7b702d23e5bf14d251e7c ] + +Dongdong reported a deadlock triggered by a hotplug event during a sysfs +"remove" operation: + + pciehp 0000:00:0c.0:pcie004: Slot(0-1): Link Up + # echo 1 > 0000:00:0c.0/remove + + PME and hotplug share an MSI/MSI-X vector. The sysfs "remove" side is: + + remove_store + pci_stop_and_remove_bus_device_locked + pci_lock_rescan_remove + pci_stop_and_remove_bus_device + ... + pcie_pme_remove + pcie_pme_suspend + synchronize_irq # wait for hotplug IRQ handler + pci_unlock_rescan_remove + + The hotplug side is: + + pciehp_ist + pciehp_handle_presence_or_link_change + pciehp_configure_device + pci_lock_rescan_remove # wait for pci_unlock_rescan_remove() + + INFO: task bash:10913 blocked for more than 120 seconds. + + # ps -ax |grep D + PID TTY STAT TIME COMMAND + 10913 ttyAMA0 Ds+ 0:00 -bash + 14022 ? D 0:00 [irq/745-pciehp] + + # cat /proc/14022/stack + __switch_to+0x94/0xd8 + pci_lock_rescan_remove+0x20/0x28 + pciehp_configure_device+0x30/0x140 + pciehp_handle_presence_or_link_change+0x324/0x458 + pciehp_ist+0x1dc/0x1e0 + + # cat /proc/10913/stack + __switch_to+0x94/0xd8 + synchronize_irq+0x8c/0xc0 + pcie_pme_suspend+0xa4/0x118 + pcie_pme_remove+0x20/0x40 + pcie_port_remove_service+0x3c/0x58 + ... + pcie_port_device_remove+0x2c/0x48 + pcie_portdrv_remove+0x68/0x78 + pci_device_remove+0x48/0x120 + ... + pci_stop_bus_device+0x84/0xc0 + pci_stop_and_remove_bus_device_locked+0x24/0x40 + remove_store+0xa4/0xb8 + dev_attr_store+0x44/0x60 + sysfs_kf_write+0x58/0x80 + +It is incorrect to call pcie_pme_suspend() from pcie_pme_remove() for two +reasons. + +First, pcie_pme_suspend() calls synchronize_irq(), which will wait for the +native hotplug interrupt handler as well as for the PME one, because they +share one IRQ (as per the spec). That may deadlock if hotplug is signaled +while pcie_pme_remove() is running and the latter calls +pci_lock_rescan_remove() before the former. + +Second, if pcie_pme_suspend() figures out that wakeup needs to be enabled +for the port, it will return without disabling the interrupt as expected by +pcie_pme_remove() which was overlooked by commit c7b5a4e6e8fb ("PCI / PM: +Fix native PME handling during system suspend/resume"). + +To fix that, rework pcie_pme_remove() to disable the PME interrupt, clear +its status and prevent the PME worker function from re-enabling it before +calling free_irq() on it, which should be sufficient. + +Fixes: c7b5a4e6e8fb ("PCI / PM: Fix native PME handling during system suspend/resume") +Link: https://lore.kernel.org/linux-pci/c7697e7c-e1af-13e4-8491-0a3996e6ab5d@huawei.com +Reported-by: Dongdong Liu +Signed-off-by: Rafael J. Wysocki +[bhelgaas: add URL and deadlock details from Dongdong] +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + drivers/pci/pcie/pme.c | 22 +++++++++++++++------- + 1 file changed, 15 insertions(+), 7 deletions(-) + +diff --git a/drivers/pci/pcie/pme.c b/drivers/pci/pcie/pme.c +index 1a8b85051b1b..efa5b552914b 100644 +--- a/drivers/pci/pcie/pme.c ++++ b/drivers/pci/pcie/pme.c +@@ -363,6 +363,16 @@ static bool pcie_pme_check_wakeup(struct pci_bus *bus) + return false; + } + ++static void pcie_pme_disable_interrupt(struct pci_dev *port, ++ struct pcie_pme_service_data *data) ++{ ++ spin_lock_irq(&data->lock); ++ pcie_pme_interrupt_enable(port, false); ++ pcie_clear_root_pme_status(port); ++ data->noirq = true; ++ spin_unlock_irq(&data->lock); ++} ++ + /** + * pcie_pme_suspend - Suspend PCIe PME service device. + * @srv: PCIe service device to suspend. +@@ -387,11 +397,7 @@ static int pcie_pme_suspend(struct pcie_device *srv) + return 0; + } + +- spin_lock_irq(&data->lock); +- pcie_pme_interrupt_enable(port, false); +- pcie_clear_root_pme_status(port); +- data->noirq = true; +- spin_unlock_irq(&data->lock); ++ pcie_pme_disable_interrupt(port, data); + + synchronize_irq(srv->irq); + +@@ -427,9 +433,11 @@ static int pcie_pme_resume(struct pcie_device *srv) + */ + static void pcie_pme_remove(struct pcie_device *srv) + { +- pcie_pme_suspend(srv); ++ struct pcie_pme_service_data *data = get_service_data(srv); ++ ++ pcie_pme_disable_interrupt(srv->port, data); + free_irq(srv->irq, srv); +- kfree(get_service_data(srv)); ++ kfree(data); + } + + static struct pcie_port_service_driver pcie_pme_driver = { +-- +2.19.1 + diff --git a/queue-5.0/perf-annotate-fix-getting-source-line-failure.patch b/queue-5.0/perf-annotate-fix-getting-source-line-failure.patch new file mode 100644 index 00000000000..ea07b249740 --- /dev/null +++ b/queue-5.0/perf-annotate-fix-getting-source-line-failure.patch @@ -0,0 +1,176 @@ +From c93b587c336ca0d390760030fe552e1db4f70f4d Mon Sep 17 00:00:00 2001 +From: Wei Li +Date: Thu, 21 Feb 2019 17:57:16 +0800 +Subject: perf annotate: Fix getting source line failure + +[ Upstream commit 11db1ad4513d6205d2519e1a30ff4cef746e3243 ] + +The output of "perf annotate -l --stdio xxx" changed since commit 425859ff0de33 +("perf annotate: No need to calculate notes->start twice") removed notes->start +assignment in symbol__calc_lines(). It will get failed in +find_address_in_section() from symbol__tty_annotate() subroutine as the +a2l->addr is wrong. So the annotate summary doesn't report the line number of +source code correctly. + +Before fix: + + liwei@euler:~/main_code/hulk_work/hulk/tools/perf$ cat common_while_1.c + void hotspot_1(void) + { + volatile int i; + + for (i = 0; i < 0x10000000; i++); + for (i = 0; i < 0x10000000; i++); + for (i = 0; i < 0x10000000; i++); + } + + int main(void) + { + hotspot_1(); + + return 0; + } + liwei@euler:~/main_code/hulk_work/hulk/tools/perf$ gcc common_while_1.c -g -o common_while_1 + + liwei@euler:~/main_code/hulk_work/hulk/tools/perf$ sudo ./perf record ./common_while_1 + [ perf record: Woken up 2 times to write data ] + [ perf record: Captured and wrote 0.488 MB perf.data (12498 samples) ] + liwei@euler:~/main_code/hulk_work/hulk/tools/perf$ sudo ./perf annotate -l -s hotspot_1 --stdio + + Sorted summary for file /home/liwei/main_code/hulk_work/hulk/tools/perf/common_while_1 + ---------------------------------------------- + + 19.30 common_while_1[32] + 19.03 common_while_1[4e] + 19.01 common_while_1[16] + 5.04 common_while_1[13] + 4.99 common_while_1[4b] + 4.78 common_while_1[2c] + 4.77 common_while_1[10] + 4.66 common_while_1[2f] + 4.59 common_while_1[51] + 4.59 common_while_1[35] + 4.52 common_while_1[19] + 4.20 common_while_1[56] + 0.51 common_while_1[48] + Percent | Source code & Disassembly of common_while_1 for cycles:ppp (12480 samples, percent: local period) + ----------------------------------------------------------------------------------------------------------------- + : + : + : + : Disassembly of section .text: + : + : 00000000000005fa : + : hotspot_1(): + : void hotspot_1(void) + : { + 0.00 : 5fa: push %rbp + 0.00 : 5fb: mov %rsp,%rbp + : volatile int i; + : + : for (i = 0; i < 0x10000000; i++); + 0.00 : 5fe: movl $0x0,-0x4(%rbp) + 0.00 : 605: jmp 610 + 0.00 : 607: mov -0x4(%rbp),%eax + common_while_1[10] 4.77 : 60a: add $0x1,%eax + common_while_1[13] 5.04 : 60d: mov %eax,-0x4(%rbp) + common_while_1[16] 19.01 : 610: mov -0x4(%rbp),%eax + common_while_1[19] 4.52 : 613: cmp $0xfffffff,%eax + 0.00 : 618: jle 607 + : for (i = 0; i < 0x10000000; i++); + ... + +After fix: + + liwei@euler:~/main_code/hulk_work/hulk/tools/perf$ sudo ./perf record ./common_while_1 + [ perf record: Woken up 2 times to write data ] + [ perf record: Captured and wrote 0.488 MB perf.data (12500 samples) ] + liwei@euler:~/main_code/hulk_work/hulk/tools/perf$ sudo ./perf annotate -l -s hotspot_1 --stdio + + Sorted summary for file /home/liwei/main_code/hulk_work/hulk/tools/perf/common_while_1 + ---------------------------------------------- + + 33.34 common_while_1.c:5 + 33.34 common_while_1.c:6 + 33.32 common_while_1.c:7 + Percent | Source code & Disassembly of common_while_1 for cycles:ppp (12482 samples, percent: local period) + ----------------------------------------------------------------------------------------------------------------- + : + : + : + : Disassembly of section .text: + : + : 00000000000005fa : + : hotspot_1(): + : void hotspot_1(void) + : { + 0.00 : 5fa: push %rbp + 0.00 : 5fb: mov %rsp,%rbp + : volatile int i; + : + : for (i = 0; i < 0x10000000; i++); + 0.00 : 5fe: movl $0x0,-0x4(%rbp) + 0.00 : 605: jmp 610 + 0.00 : 607: mov -0x4(%rbp),%eax + common_while_1.c:5 4.70 : 60a: add $0x1,%eax + 4.89 : 60d: mov %eax,-0x4(%rbp) + common_while_1.c:5 19.03 : 610: mov -0x4(%rbp),%eax + common_while_1.c:5 4.72 : 613: cmp $0xfffffff,%eax + 0.00 : 618: jle 607 + : for (i = 0; i < 0x10000000; i++); + 0.00 : 61a: movl $0x0,-0x4(%rbp) + 0.00 : 621: jmp 62c + 0.00 : 623: mov -0x4(%rbp),%eax + common_while_1.c:6 4.54 : 626: add $0x1,%eax + 4.73 : 629: mov %eax,-0x4(%rbp) + common_while_1.c:6 19.54 : 62c: mov -0x4(%rbp),%eax + common_while_1.c:6 4.54 : 62f: cmp $0xfffffff,%eax + ... + +Signed-off-by: Wei Li +Acked-by: Jiri Olsa +Tested-by: Arnaldo Carvalho de Melo +Cc: Alexander Shishkin +Cc: Jin Yao +Cc: Namhyung Kim +Cc: Peter Zijlstra +Fixes: 425859ff0de33 ("perf annotate: No need to calculate notes->start twice") +Link: http://lkml.kernel.org/r/20190221095716.39529-1-liwei391@huawei.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/annotate.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/perf/util/annotate.c b/tools/perf/util/annotate.c +index 70de8f6b3aee..9142fd294e76 100644 +--- a/tools/perf/util/annotate.c ++++ b/tools/perf/util/annotate.c +@@ -1889,6 +1889,7 @@ int symbol__annotate(struct symbol *sym, struct map *map, + struct annotation_options *options, + struct arch **parch) + { ++ struct annotation *notes = symbol__annotation(sym); + struct annotate_args args = { + .privsize = privsize, + .evsel = evsel, +@@ -1919,6 +1920,7 @@ int symbol__annotate(struct symbol *sym, struct map *map, + + args.ms.map = map; + args.ms.sym = sym; ++ notes->start = map__rip_2objdump(map, sym->start); + + return symbol__disassemble(sym, &args); + } +@@ -2794,8 +2796,6 @@ int symbol__annotate2(struct symbol *sym, struct map *map, struct perf_evsel *ev + + symbol__calc_percent(sym, evsel); + +- notes->start = map__rip_2objdump(map, sym->start); +- + annotation__set_offsets(notes, size); + annotation__mark_jump_targets(notes, sym); + annotation__compute_ipc(notes, size); +-- +2.19.1 + diff --git a/queue-5.0/perf-aux-make-perf_event-accessible-to-setup_aux.patch b/queue-5.0/perf-aux-make-perf_event-accessible-to-setup_aux.patch new file mode 100644 index 00000000000..5b900927757 --- /dev/null +++ b/queue-5.0/perf-aux-make-perf_event-accessible-to-setup_aux.patch @@ -0,0 +1,174 @@ +From c08cad55b4ed8d2e7431966579dc17cd207b5896 Mon Sep 17 00:00:00 2001 +From: Mathieu Poirier +Date: Thu, 31 Jan 2019 11:47:08 -0700 +Subject: perf/aux: Make perf_event accessible to setup_aux() + +[ Upstream commit 840018668ce2d96783356204ff282d6c9b0e5f66 ] + +When pmu::setup_aux() is called the coresight PMU needs to know which +sink to use for the session by looking up the information in the +event's attr::config2 field. + +As such simply replace the cpu information by the complete perf_event +structure and change all affected customers. + +Signed-off-by: Mathieu Poirier +Reviewed-by: Suzuki Poulouse +Acked-by: Peter Zijlstra +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Alexei Starovoitov +Cc: Greg Kroah-Hartman +Cc: H. Peter Anvin +Cc: Heiko Carstens +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Martin Schwidefsky +Cc: Namhyung Kim +Cc: Thomas Gleixner +Cc: Will Deacon +Cc: linux-arm-kernel@lists.infradead.org +Cc: linux-s390@vger.kernel.org +Link: http://lkml.kernel.org/r/20190131184714.20388-2-mathieu.poirier@linaro.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/perf_cpum_sf.c | 6 +++--- + arch/x86/events/intel/bts.c | 4 +++- + arch/x86/events/intel/pt.c | 5 +++-- + drivers/hwtracing/coresight/coresight-etm-perf.c | 6 +++--- + drivers/perf/arm_spe_pmu.c | 6 +++--- + include/linux/perf_event.h | 2 +- + kernel/events/ring_buffer.c | 2 +- + 7 files changed, 17 insertions(+), 14 deletions(-) + +diff --git a/arch/s390/kernel/perf_cpum_sf.c b/arch/s390/kernel/perf_cpum_sf.c +index bfabeb1889cc..1266194afb02 100644 +--- a/arch/s390/kernel/perf_cpum_sf.c ++++ b/arch/s390/kernel/perf_cpum_sf.c +@@ -1600,7 +1600,7 @@ static void aux_sdb_init(unsigned long sdb) + + /* + * aux_buffer_setup() - Setup AUX buffer for diagnostic mode sampling +- * @cpu: On which to allocate, -1 means current ++ * @event: Event the buffer is setup for, event->cpu == -1 means current + * @pages: Array of pointers to buffer pages passed from perf core + * @nr_pages: Total pages + * @snapshot: Flag for snapshot mode +@@ -1612,8 +1612,8 @@ static void aux_sdb_init(unsigned long sdb) + * + * Return the private AUX buffer structure if success or NULL if fails. + */ +-static void *aux_buffer_setup(int cpu, void **pages, int nr_pages, +- bool snapshot) ++static void *aux_buffer_setup(struct perf_event *event, void **pages, ++ int nr_pages, bool snapshot) + { + struct sf_buffer *sfb; + struct aux_buffer *aux; +diff --git a/arch/x86/events/intel/bts.c b/arch/x86/events/intel/bts.c +index a01ef1b0f883..7cdd7b13bbda 100644 +--- a/arch/x86/events/intel/bts.c ++++ b/arch/x86/events/intel/bts.c +@@ -77,10 +77,12 @@ static size_t buf_size(struct page *page) + } + + static void * +-bts_buffer_setup_aux(int cpu, void **pages, int nr_pages, bool overwrite) ++bts_buffer_setup_aux(struct perf_event *event, void **pages, ++ int nr_pages, bool overwrite) + { + struct bts_buffer *buf; + struct page *page; ++ int cpu = event->cpu; + int node = (cpu == -1) ? cpu : cpu_to_node(cpu); + unsigned long offset; + size_t size = nr_pages << PAGE_SHIFT; +diff --git a/arch/x86/events/intel/pt.c b/arch/x86/events/intel/pt.c +index 9494ca68fd9d..c0e86ff21f81 100644 +--- a/arch/x86/events/intel/pt.c ++++ b/arch/x86/events/intel/pt.c +@@ -1114,10 +1114,11 @@ static int pt_buffer_init_topa(struct pt_buffer *buf, unsigned long nr_pages, + * Return: Our private PT buffer structure. + */ + static void * +-pt_buffer_setup_aux(int cpu, void **pages, int nr_pages, bool snapshot) ++pt_buffer_setup_aux(struct perf_event *event, void **pages, ++ int nr_pages, bool snapshot) + { + struct pt_buffer *buf; +- int node, ret; ++ int node, ret, cpu = event->cpu; + + if (!nr_pages) + return NULL; +diff --git a/drivers/hwtracing/coresight/coresight-etm-perf.c b/drivers/hwtracing/coresight/coresight-etm-perf.c +index abe8249b893b..f21eb28b6782 100644 +--- a/drivers/hwtracing/coresight/coresight-etm-perf.c ++++ b/drivers/hwtracing/coresight/coresight-etm-perf.c +@@ -177,15 +177,15 @@ static void etm_free_aux(void *data) + schedule_work(&event_data->work); + } + +-static void *etm_setup_aux(int event_cpu, void **pages, ++static void *etm_setup_aux(struct perf_event *event, void **pages, + int nr_pages, bool overwrite) + { +- int cpu; ++ int cpu = event->cpu; + cpumask_t *mask; + struct coresight_device *sink; + struct etm_event_data *event_data = NULL; + +- event_data = alloc_event_data(event_cpu); ++ event_data = alloc_event_data(cpu); + if (!event_data) + return NULL; + INIT_WORK(&event_data->work, free_event_data); +diff --git a/drivers/perf/arm_spe_pmu.c b/drivers/perf/arm_spe_pmu.c +index 8e46a9dad2fa..7cb766dafe85 100644 +--- a/drivers/perf/arm_spe_pmu.c ++++ b/drivers/perf/arm_spe_pmu.c +@@ -824,10 +824,10 @@ static void arm_spe_pmu_read(struct perf_event *event) + { + } + +-static void *arm_spe_pmu_setup_aux(int cpu, void **pages, int nr_pages, +- bool snapshot) ++static void *arm_spe_pmu_setup_aux(struct perf_event *event, void **pages, ++ int nr_pages, bool snapshot) + { +- int i; ++ int i, cpu = event->cpu; + struct page **pglist; + struct arm_spe_pmu_buf *buf; + +diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h +index e1a051724f7e..7cbbd891bfcd 100644 +--- a/include/linux/perf_event.h ++++ b/include/linux/perf_event.h +@@ -409,7 +409,7 @@ struct pmu { + /* + * Set up pmu-private data structures for an AUX area + */ +- void *(*setup_aux) (int cpu, void **pages, ++ void *(*setup_aux) (struct perf_event *event, void **pages, + int nr_pages, bool overwrite); + /* optional */ + +diff --git a/kernel/events/ring_buffer.c b/kernel/events/ring_buffer.c +index 5ab4fe3b1dcc..878c62ec0190 100644 +--- a/kernel/events/ring_buffer.c ++++ b/kernel/events/ring_buffer.c +@@ -658,7 +658,7 @@ int rb_alloc_aux(struct ring_buffer *rb, struct perf_event *event, + goto out; + } + +- rb->aux_priv = event->pmu->setup_aux(event->cpu, rb->aux_pages, nr_pages, ++ rb->aux_priv = event->pmu->setup_aux(event, rb->aux_pages, nr_pages, + overwrite); + if (!rb->aux_priv) + goto out; +-- +2.19.1 + diff --git a/queue-5.0/perf-beauty-msg_flags-add-missing-s-lost-when-adding.patch b/queue-5.0/perf-beauty-msg_flags-add-missing-s-lost-when-adding.patch new file mode 100644 index 00000000000..bb563c8337c --- /dev/null +++ b/queue-5.0/perf-beauty-msg_flags-add-missing-s-lost-when-adding.patch @@ -0,0 +1,69 @@ +From 2b358fd80b62a8ee632e196d052b11e09bf4cad3 Mon Sep 17 00:00:00 2001 +From: Arnaldo Carvalho de Melo +Date: Fri, 1 Mar 2019 15:45:35 -0300 +Subject: perf beauty msg_flags: Add missing %s lost when adding prefix + suppression logic +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit c3b81a500f35241a4c16febe0a015e572cf2c492 ] + +When the prefix suppresion/enabling logic was added, I forgot to add an +extra %, which ended up chopping off the strings: + +Before: + + # perf trace -e *mmsg --map-dump syscalls + [299] = 1, + [307] = 1, + DNS Res~ver #3/14587 sendmmsg(106, 0x7f252b0fcaf0, 2, MSG_) = 2 + chronyd/1053 recvmmsg(4, 0x558542ca5740, 4, MSG_, NULL) = 1 + DNS Res~ver #2/14445 sendmmsg(106, 0x7f252ab09af0, 2, MSG_) = 2 + DNS Res~ver #2/14444 sendmmsg(146, 0x7f2521a7aaf0, 2, MSG_) = 2 + DNS Res~ver #2/14445 sendmmsg(106, 0x7f252ab09af0, 2, MSG_) = 2 + DNS Res~ver #3/14587 sendmmsg(148, 0x7f252b0fcaf0, 2, MSG_) = 2 + DNS Res~ver #2/14444 sendmmsg(146, 0x7f2521a7aaf0, 2, MSG_) = 2 + ^C# + +After: + + # perf trace -e *mmsg --map-dump syscalls + [299] = 1, + [307] = 1, + NetworkManager/17467 sendmmsg(22, 0x7f28927f9bb0, 2, MSG_NOSIGNAL) = 2 + pool/17478 sendmmsg(10, 0x7f2769f95e90, 2, MSG_NOSIGNAL) = 2 + DNS Res~ver #3/14587 sendmmsg(121, 0x7f252b0fcaf0, 2, MSG_NOSIGNAL) = 2 + chronyd/1053 recvmmsg(4, 0x558542ca5740, 4, MSG_DONTWAIT, NULL) = 1 + Socket Thread/17433 sendmmsg(121, 0x7f252668baf0, 2, MSG_NOSIGNAL) = 2 + ^C# + +Cc: Adrian Hunter +Cc: Jiri Olsa +Cc: Luis Cláudio Gonçalves +Cc: Namhyung Kim +Cc: Wang Nan +Fixes: c65c83ffe904 ("perf trace: Allow asking for not suppressing common string prefixes") +Link: https://lkml.kernel.org/n/tip-t2eu1rqx710k6jr4814mlzg7@git.kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/trace/beauty/msg_flags.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/trace/beauty/msg_flags.c b/tools/perf/trace/beauty/msg_flags.c +index d66c66315987..ea68db08b8e7 100644 +--- a/tools/perf/trace/beauty/msg_flags.c ++++ b/tools/perf/trace/beauty/msg_flags.c +@@ -29,7 +29,7 @@ static size_t syscall_arg__scnprintf_msg_flags(char *bf, size_t size, + return scnprintf(bf, size, "NONE"); + #define P_MSG_FLAG(n) \ + if (flags & MSG_##n) { \ +- printed += scnprintf(bf + printed, size - printed, "%s%s", printed ? "|" : "", show_prefix ? prefix : "", #n); \ ++ printed += scnprintf(bf + printed, size - printed, "%s%s%s", printed ? "|" : "", show_prefix ? prefix : "", #n); \ + flags &= ~MSG_##n; \ + } + +-- +2.19.1 + diff --git a/queue-5.0/perf-beauty-waitid-options-fix-up-prefix-showing-log.patch b/queue-5.0/perf-beauty-waitid-options-fix-up-prefix-showing-log.patch new file mode 100644 index 00000000000..ab92fa4e016 --- /dev/null +++ b/queue-5.0/perf-beauty-waitid-options-fix-up-prefix-showing-log.patch @@ -0,0 +1,80 @@ +From a6b8da94c85b54dfa9684fe0dc5eae5e77d3f704 Mon Sep 17 00:00:00 2001 +From: Arnaldo Carvalho de Melo +Date: Tue, 12 Feb 2019 10:51:31 -0300 +Subject: perf beauty waitid options: Fix up prefix showing logic +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 1da7e0022784b0e05b49bf73521fa2cc4633af85 ] + +When introducing the possibility for selecting if the common prefix to +options such as the waitid ones, i.e. all 'waitid' options start with +'W', so, to make it make it more compact if configured to suppress it, +'perf trace' will do so, other examples include mmap's PROT_ prefix for +its 'prot' argument, etc, which, when showing the syscall argument name +ends up producing duplicated info that clutters the screen, i.e.: + + # perf trace -e mmap --max-events 2 sleep 1 + 0.000 ( 0.014 ms): sleep/20886 mmap(len: 112595, prot: PROT_READ, flags: MAP_PRIVATE, fd: 3) = 0x7f3e986d2000 + 0.041 ( 0.005 ms): sleep/20886 mmap(len: 8192, prot: PROT_READ|PROT_WRITE, flags: MAP_PRIVATE|MAP_ANONYMOUS) = 0x7f3e986d0000 + # + +So it is possible to suppress that and make it more compact by having +this in your ~/.perfconfig: + + # cat ~/.perfconfig + [trace] + show_prefix = no + # + + # perf trace -e mmap --max-events 2 sleep 1 + 0.000 ( 0.014 ms): sleep/8009 mmap(len: 112595, prot: READ, flags: PRIVATE, fd: 3) = 0x7ff2373de000 + 0.040 ( 0.005 ms): sleep/8009 mmap(len: 8192, prot: READ|WRITE, flags: PRIVATE|ANONYMOUS) = 0x7ff2373dc000 + # + +To have it look more like strace's output, we instead want to suppress +the arg name and show the prefix, so use: + + # cat ~/.perfconfig + [trace] + show_prefix = yes + show_arg_names = no + # + # perf trace -e mmap --max-events 2 sleep 1 + 0.000 ( 0.006 ms): sleep/15513 mmap(NULL, 112595, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f7a9b6d3000 + 0.020 ( 0.002 ms): sleep/15513 mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS) = 0x7f7a9b6d1000 + # + +When this logic was introduced a bug came with it when processing the +waitid 'option' arg that ended up expecting 3 strings when just two were +being provided, fix it. + +Cc: Adrian Hunter +Cc: Jiri Olsa +Cc: Luis Cláudio Gonçalves +Cc: Namhyung Kim +Cc: Wang Nan +Fixes: c65c83ffe904 ("perf trace: Allow asking for not suppressing common string prefixes") +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/trace/beauty/waitid_options.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/trace/beauty/waitid_options.c b/tools/perf/trace/beauty/waitid_options.c +index 6897fab40dcc..d4d10b33ba0e 100644 +--- a/tools/perf/trace/beauty/waitid_options.c ++++ b/tools/perf/trace/beauty/waitid_options.c +@@ -11,7 +11,7 @@ static size_t syscall_arg__scnprintf_waitid_options(char *bf, size_t size, + + #define P_OPTION(n) \ + if (options & W##n) { \ +- printed += scnprintf(bf + printed, size - printed, "%s%s%s", printed ? "|" : "", show_prefix ? prefix : #n); \ ++ printed += scnprintf(bf + printed, size - printed, "%s%s%s", printed ? "|" : "", show_prefix ? prefix : "", #n); \ + options &= ~W##n; \ + } + +-- +2.19.1 + diff --git a/queue-5.0/perf-c2c-fix-c2c-report-for-empty-numa-node.patch b/queue-5.0/perf-c2c-fix-c2c-report-for-empty-numa-node.patch new file mode 100644 index 00000000000..75d25ad9a74 --- /dev/null +++ b/queue-5.0/perf-c2c-fix-c2c-report-for-empty-numa-node.patch @@ -0,0 +1,63 @@ +From 2627365447acb23c76b05d5bc6780449c060f491 Mon Sep 17 00:00:00 2001 +From: Jiri Olsa +Date: Tue, 5 Mar 2019 16:25:29 +0100 +Subject: perf c2c: Fix c2c report for empty numa node + +[ Upstream commit e34c940245437f36d2c492edd1f8237eff391064 ] + +Ravi Bangoria reported that we fail with an empty NUMA node with the +following message: + + $ lscpu + NUMA node0 CPU(s): + NUMA node1 CPU(s): 0-4 + + $ sudo ./perf c2c report + node/cpu topology bugFailed setup nodes + +Fix this by detecting the empty node and keeping its CPU set empty. + +Reported-by: Nageswara R Sastry +Signed-off-by: Jiri Olsa +Tested-by: Ravi Bangoria +Cc: Alexander Shishkin +Cc: Andi Kleen +Cc: Jonas Rabenstein +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lkml.kernel.org/r/20190305152536.21035-2-jolsa@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-c2c.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/tools/perf/builtin-c2c.c b/tools/perf/builtin-c2c.c +index d340d2e42776..13758a0b367b 100644 +--- a/tools/perf/builtin-c2c.c ++++ b/tools/perf/builtin-c2c.c +@@ -2055,6 +2055,12 @@ static int setup_nodes(struct perf_session *session) + if (!set) + return -ENOMEM; + ++ nodes[node] = set; ++ ++ /* empty node, skip */ ++ if (cpu_map__empty(map)) ++ continue; ++ + for (cpu = 0; cpu < map->nr; cpu++) { + set_bit(map->map[cpu], set); + +@@ -2063,8 +2069,6 @@ static int setup_nodes(struct perf_session *session) + + cpu2node[map->map[cpu]] = node; + } +- +- nodes[node] = set; + } + + setup_nodes_header(); +-- +2.19.1 + diff --git a/queue-5.0/perf-coresight-do-not-test-for-libopencsd-by-default.patch b/queue-5.0/perf-coresight-do-not-test-for-libopencsd-by-default.patch new file mode 100644 index 00000000000..cbe07477998 --- /dev/null +++ b/queue-5.0/perf-coresight-do-not-test-for-libopencsd-by-default.patch @@ -0,0 +1,172 @@ +From 91ea5d62b3750f7253f8851a0adc91feb80b86da Mon Sep 17 00:00:00 2001 +From: Arnaldo Carvalho de Melo +Date: Tue, 12 Feb 2019 14:37:15 -0300 +Subject: perf coresight: Do not test for libopencsd by default + +[ Upstream commit 1c3b28fd7ae80c8f6bf1a09e1848e20a953c9ce4 ] + +Since it is not yet that generally available, avoid testing for the +presence of libcoresight in the fast path test-all.bin feature test. + + # dnf search opencsd + No matches found. + # dnf search OpenCSD + No matches found. + # cat /etc/fedora-release + Fedora release 29 (Twenty Nine) + # + +I.e. right now, in my system test-all.bin is failing all the time since +Fedora29 doesn't have libopencsd available: + + $ cat /tmp/build/perf/feature/test-all.make.output + In file included from test-all.c:174: + test-libopencsd.c:2:10: fatal error: opencsd/c_api/opencsd_c_api.h: No such file or directory + #include + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + compilation terminated. + +See: + + 6ab2b762befd ("perf build: Disable libbabeltrace check by default") + +For the rationale, as soon as libopencsd becomes more generally packaged +and available, we do the same thing we did with babeltrace, enabling it +by default, as done in: + + 24787afbcd01 ("perf tools: Enable LIBBABELTRACE by default") + +For now, to explicitely ask for opencsd, make sure you have it installed +and use: + + make -C tools/perf CORESIGHT=1 + +The feature test output will be there as an empty file: + + $ ls -la /tmp/build/perf/feature/test-libopencsd.make.output + +Because the binary used for the feature check was successfully built: + + $ ls -la /tmp/build/perf/feature/test-libopencsd.bin + -rwxrwxr-x. 1 acme acme 18336 Feb 12 14:49 /tmp/build/perf/feature/test-libopencsd.bin + $ ldd /tmp/build/perf/feature/test-libopencsd.bin + linux-vdso.so.1 (0x00007fffe18cc000) + libopencsd_c_api.so.0 => /lib64/libopencsd_c_api.so.0 (0x00007fb8e67f6000) + libopencsd.so.0 => /lib64/libopencsd.so.0 (0x00007fb8e676f000) + libc.so.6 => /lib64/libc.so.6 (0x00007fb8e65a9000) + libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007fb8e6411000) + libm.so.6 => /lib64/libm.so.6 (0x00007fb8e628d000) + libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007fb8e6272000) + /lib64/ld-linux-x86-64.so.2 (0x00007fb8e6828000) + $ + +And the resulting perf binary will be linked with it: + + -rw-rw-r--. 1 acme acme 0 Feb 12 14:49 /tmp/build/perf/feature/test-libopencsd.make.output + $ ldd ~/bin/perf | grep opencsd + libopencsd_c_api.so.0 => /lib64/libopencsd_c_api.so.0 (0x00007fd43097f000) + libopencsd.so.0 => /lib64/libopencsd.so.0 (0x00007fd4308f8000) + $ + +To make sure this gets built before pushing things upstream I have a +ubuntu:19.04-x-arm64 container that has: + + [root@quaco x-arm64]# grep CORESIGHT Dockerfile + ENV EXTRA_MAKE_ARGS=CORESIGHT=1 + [root@quaco x-arm64]# + +So that I always build with libopencsd before pushing things upstream. + +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Jiri Olsa +Cc: Kim Phillips +Cc: linux-arm-kernel@lists.infradead.org +Cc: Mathieu Poirier +Cc: Mike Leach +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Suzuki Poulouse +Link: https://lkml.kernel.org/n/tip-20vyy39jw9jgrijesi30fgox@git.kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/build/Makefile.feature | 2 +- + tools/build/feature/test-all.c | 5 ----- + tools/perf/Makefile.config | 3 ++- + tools/perf/Makefile.perf | 2 +- + 4 files changed, 4 insertions(+), 8 deletions(-) + +diff --git a/tools/build/Makefile.feature b/tools/build/Makefile.feature +index 5467c6bf9ceb..bb9dca65eb5f 100644 +--- a/tools/build/Makefile.feature ++++ b/tools/build/Makefile.feature +@@ -70,7 +70,6 @@ FEATURE_TESTS_BASIC := \ + sched_getcpu \ + sdt \ + setns \ +- libopencsd \ + libaio + + # FEATURE_TESTS_BASIC + FEATURE_TESTS_EXTRA is the complete list +@@ -84,6 +83,7 @@ FEATURE_TESTS_EXTRA := \ + libbabeltrace \ + libbfd-liberty \ + libbfd-liberty-z \ ++ libopencsd \ + libunwind-debug-frame \ + libunwind-debug-frame-arm \ + libunwind-debug-frame-aarch64 \ +diff --git a/tools/build/feature/test-all.c b/tools/build/feature/test-all.c +index 93f485098161..e903b86b742f 100644 +--- a/tools/build/feature/test-all.c ++++ b/tools/build/feature/test-all.c +@@ -170,10 +170,6 @@ + # include "test-setns.c" + #undef main + +-#define main main_test_libopencsd +-# include "test-libopencsd.c" +-#undef main +- + #define main main_test_libaio + # include "test-libaio.c" + #undef main +@@ -221,7 +217,6 @@ int main(int argc, char *argv[]) + main_test_sched_getcpu(); + main_test_sdt(); + main_test_setns(); +- main_test_libopencsd(); + main_test_libaio(); + main_test_reallocarray(); + +diff --git a/tools/perf/Makefile.config b/tools/perf/Makefile.config +index e6360d47e73a..cf4a8329c4c0 100644 +--- a/tools/perf/Makefile.config ++++ b/tools/perf/Makefile.config +@@ -388,7 +388,8 @@ ifeq ($(feature-setns), 1) + $(call detected,CONFIG_SETNS) + endif + +-ifndef NO_CORESIGHT ++ifdef CORESIGHT ++ $(call feature_check,libopencsd) + ifeq ($(feature-libopencsd), 1) + CFLAGS += -DHAVE_CSTRACE_SUPPORT $(LIBOPENCSD_CFLAGS) + LDFLAGS += $(LIBOPENCSD_LDFLAGS) +diff --git a/tools/perf/Makefile.perf b/tools/perf/Makefile.perf +index 0ee6795d82cc..77f8f069f1e7 100644 +--- a/tools/perf/Makefile.perf ++++ b/tools/perf/Makefile.perf +@@ -102,7 +102,7 @@ include ../scripts/utilities.mak + # When selected, pass LLVM_CONFIG=/path/to/llvm-config to `make' if + # llvm-config is not in $PATH. + # +-# Define NO_CORESIGHT if you do not want support for CoreSight trace decoding. ++# Define CORESIGHT if you DO WANT support for CoreSight trace decoding. + # + # Define NO_AIO if you do not want support of Posix AIO based trace + # streaming for record mode. Currently Posix AIO trace streaming is +-- +2.19.1 + diff --git a/queue-5.0/perf-report-add-s390-diagnosic-sampling-descriptor-s.patch b/queue-5.0/perf-report-add-s390-diagnosic-sampling-descriptor-s.patch new file mode 100644 index 00000000000..c05cabe6fd7 --- /dev/null +++ b/queue-5.0/perf-report-add-s390-diagnosic-sampling-descriptor-s.patch @@ -0,0 +1,63 @@ +From e80732f638d79c880a7d7a68fe654f3a8b3a1d06 Mon Sep 17 00:00:00 2001 +From: Thomas Richter +Date: Mon, 11 Feb 2019 11:06:27 +0100 +Subject: perf report: Add s390 diagnosic sampling descriptor size + +[ Upstream commit 2187d87eacd46f6214ce3dc9cfd7a558375a4153 ] + +On IBM z13 machine types 2964 and 2965 the descriptor +sizes for sampling and diagnostic sampling entries +might be missing in the trailer entry and are set to zero. + +This leads to a perf report failure when processing diagnostic +sampling entries. + +This patch adds missing descriptor sizes when the trailer entry +contains zero for these fields. + +Output before: + [root@s38lp82 perf]# ./perf report --stdio | fgrep Samples + 0xabbf0 [0x8]: failed to process type: 68 + Error: + failed to process sample + [root@s38lp82 perf]# + +Output after: + [root@s38lp82 perf]# ./perf report --stdio | fgrep Samples + # Total Lost Samples: 0 + # Samples: 3K of event 'SF_CYCLES_BASIC_DIAG' + # Samples: 162 of event 'CF_DIAG' + [root@s38lp82 perf]# + +Fixes: 2b1444f2e28b ("perf report: Add raw report support for s390 auxiliary trace") + +Signed-off-by: Thomas Richter +Reviewed-by: Hendrik Brueckner +Cc: Heiko Carstens +Cc: Martin Schwidefsky +Link: http://lkml.kernel.org/r/20190211100627.85714-1-tmricht@linux.ibm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/s390-cpumsf.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/tools/perf/util/s390-cpumsf.c b/tools/perf/util/s390-cpumsf.c +index 68b2570304ec..08073a4d59a4 100644 +--- a/tools/perf/util/s390-cpumsf.c ++++ b/tools/perf/util/s390-cpumsf.c +@@ -301,6 +301,11 @@ static bool s390_cpumsf_validate(int machine_type, + *dsdes = 85; + *bsdes = 32; + break; ++ case 2964: ++ case 2965: ++ *dsdes = 112; ++ *bsdes = 32; ++ break; + default: + /* Illegal trailer entry */ + return false; +-- +2.19.1 + diff --git a/queue-5.0/perf-report-don-t-shadow-inlined-symbol-with-differe.patch b/queue-5.0/perf-report-don-t-shadow-inlined-symbol-with-differe.patch new file mode 100644 index 00000000000..5f13b210bcd --- /dev/null +++ b/queue-5.0/perf-report-don-t-shadow-inlined-symbol-with-differe.patch @@ -0,0 +1,71 @@ +From dc63c0732f908916231e6adab3ca62d9b9ad59a0 Mon Sep 17 00:00:00 2001 +From: He Kuang +Date: Tue, 19 Feb 2019 21:05:31 +0800 +Subject: perf report: Don't shadow inlined symbol with different addr range + +[ Upstream commit 7346195e8643482968f547483e0d823ec1982fab ] + +We can't assume inlined symbols with the same name are equal, because +their address range may be different. This will cause the symbols with +different addresses be shadowed when adding to the hist entry, and lead +to ERANGE error when checking the symbol address during sample parse, +the addr should be within the range of [sym.start, sym.end]. + +The error message is like: "0x36aea60 [0x8]: failed to process type: 68". + +The second parameter of symbol__new() is the length of the fake symbol +for the inline frame, which is the subtraction of the end and start +address of base_sym. + +Signed-off-by: He Kuang +Acked-by: Jiri Olsa +Cc: Alexander Shishkin +Cc: Milian Wolff +Cc: Namhyung Kim +Cc: Peter Zijlstra +Fixes: aa441895f7b4 ("perf report: Compare symbol name for inlined frames when sorting") +Link: http://lkml.kernel.org/r/20190219130531.15692-1-hekuang@huawei.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/sort.c | 10 ++++++++-- + tools/perf/util/srcline.c | 2 +- + 2 files changed, 9 insertions(+), 3 deletions(-) + +diff --git a/tools/perf/util/sort.c b/tools/perf/util/sort.c +index 6c1a83768eb0..d0334c33da54 100644 +--- a/tools/perf/util/sort.c ++++ b/tools/perf/util/sort.c +@@ -230,8 +230,14 @@ static int64_t _sort__sym_cmp(struct symbol *sym_l, struct symbol *sym_r) + if (sym_l == sym_r) + return 0; + +- if (sym_l->inlined || sym_r->inlined) +- return strcmp(sym_l->name, sym_r->name); ++ if (sym_l->inlined || sym_r->inlined) { ++ int ret = strcmp(sym_l->name, sym_r->name); ++ ++ if (ret) ++ return ret; ++ if ((sym_l->start <= sym_r->end) && (sym_l->end >= sym_r->start)) ++ return 0; ++ } + + if (sym_l->start != sym_r->start) + return (int64_t)(sym_r->start - sym_l->start); +diff --git a/tools/perf/util/srcline.c b/tools/perf/util/srcline.c +index dc86597d0cc4..ccf42c4e83f0 100644 +--- a/tools/perf/util/srcline.c ++++ b/tools/perf/util/srcline.c +@@ -104,7 +104,7 @@ static struct symbol *new_inline_sym(struct dso *dso, + } else { + /* create a fake symbol for the inline frame */ + inline_sym = symbol__new(base_sym ? base_sym->start : 0, +- base_sym ? base_sym->end : 0, ++ base_sym ? (base_sym->end - base_sym->start) : 0, + base_sym ? base_sym->binding : 0, + base_sym ? base_sym->type : 0, + funcname); +-- +2.19.1 + diff --git a/queue-5.0/perf-script-handle-missing-fields-with-f.patch b/queue-5.0/perf-script-handle-missing-fields-with-f.patch new file mode 100644 index 00000000000..566d37f13ac --- /dev/null +++ b/queue-5.0/perf-script-handle-missing-fields-with-f.patch @@ -0,0 +1,82 @@ +From 39224860ca6a28b1b51fb33ad132c0056dd8013d Mon Sep 17 00:00:00 2001 +From: Andi Kleen +Date: Sun, 24 Feb 2019 07:37:12 -0800 +Subject: perf script: Handle missing fields with -F +.. + +[ Upstream commit 4b6ac811bce46c83811b83cdf87b41251596b9fc ] + +When using -F + syntax to add a field the existing defaults are +currently all marked user_set. This can cause errors when some field is +missing in the perf.data + +This patch tracks the actually user set fields separately, so that we don't +error out in this case. + +Before: + + % perf record true + % perf script -F +metric + Samples for 'cycles:ppp' event do not have CPU attribute set. Cannot print 'cpu' field. + % + +After: + + 5 perf record true + % perf script -F +metric + perf 28936 278636.237688: 1 cycles:ppp: ffffffff8117da99 perf_event_exec+0x59 (/lib/modules/4.20.0-odilo/build/vmlinux) + ... + % + +Signed-off-by: Andi Kleen +Tested-by: Arnaldo Carvalho de Melo +Acked-by: Jiri Olsa +Cc: Jiri Olsa +Cc: Namhyung Kim +Cc: Stephane Eranian +Link: http://lkml.kernel.org/r/20190224153722.27020-2-andi@firstfloor.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-script.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/tools/perf/builtin-script.c b/tools/perf/builtin-script.c +index ac221f137ed2..cff4d10daf49 100644 +--- a/tools/perf/builtin-script.c ++++ b/tools/perf/builtin-script.c +@@ -148,6 +148,7 @@ static struct { + unsigned int print_ip_opts; + u64 fields; + u64 invalid_fields; ++ u64 user_set_fields; + } output[OUTPUT_TYPE_MAX] = { + + [PERF_TYPE_HARDWARE] = { +@@ -344,7 +345,7 @@ static int perf_evsel__do_check_stype(struct perf_evsel *evsel, + if (attr->sample_type & sample_type) + return 0; + +- if (output[type].user_set) { ++ if (output[type].user_set_fields & field) { + if (allow_user_set) + return 0; + evname = perf_evsel__name(evsel); +@@ -2627,10 +2628,13 @@ parse: + pr_warning("\'%s\' not valid for %s events. Ignoring.\n", + all_output_options[i].str, event_type(j)); + } else { +- if (change == REMOVE) ++ if (change == REMOVE) { + output[j].fields &= ~all_output_options[i].field; +- else ++ output[j].user_set_fields &= ~all_output_options[i].field; ++ } else { + output[j].fields |= all_output_options[i].field; ++ output[j].user_set_fields |= all_output_options[i].field; ++ } + output[j].user_set = true; + output[j].wildcard_set = true; + } +-- +2.19.1 + diff --git a/queue-5.0/perf-script-python-add-trace_context-extension-modul.patch b/queue-5.0/perf-script-python-add-trace_context-extension-modul.patch new file mode 100644 index 00000000000..adc8f59e57c --- /dev/null +++ b/queue-5.0/perf-script-python-add-trace_context-extension-modul.patch @@ -0,0 +1,122 @@ +From e0c2a01d68eec99ed0ebf3b541eb16face3f9fca Mon Sep 17 00:00:00 2001 +From: Tony Jones +Date: Wed, 23 Jan 2019 16:52:24 -0800 +Subject: perf script python: Add trace_context extension module to sys.modules +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit cc437642255224e4140fed1f3e3156fc8ad91903 ] + +In Python3, the result of PyModule_Create (called from +scripts/python/Perf-Trace-Util/Context.c) is not automatically added to +sys.modules. See: https://bugs.python.org/issue4592 + +Below is the observed behavior without the fix: + + # ldd /usr/bin/perf | grep -i python + libpython3.6m.so.1.0 => /usr/lib64/libpython3.6m.so.1.0 (0x00007f8e1dfb2000) + + # perf record /bin/false + [ perf record: Woken up 1 times to write data ] + [ perf record: Captured and wrote 0.015 MB perf.data (17 samples) ] + + # perf script -g python | cat + generated Python script: perf-script.py + + # perf script -s ./perf-script.py + Traceback (most recent call last): + File "./perf-script.py", line 18, in + from perf_trace_context import * + ModuleNotFoundError: No module named 'perf_trace_context' + Error running python script ./perf-script.py + # + +Committer notes: + +To build with python3 use: + + $ make -C tools/perf PYTHON=python3 + +Use a non-const variable to pass the 'name' arg to +PyImport_AppendInittab(), as python2.6 has that as 'char *', which ends +up trowing this in some environments: + + CC /tmp/build/perf/util/parse-branch-options.o + util/scripting-engines/trace-event-python.c: In function 'python_start_script': + util/scripting-engines/trace-event-python.c:1520:2: error: passing argument 1 of 'PyImport_AppendInittab' discards 'const' qualifier from pointer target type [-Werror] + PyImport_AppendInittab("perf_trace_context", initfunc); + ^ + In file included from /usr/include/python2.6/Python.h:130:0, + from util/scripting-engines/trace-event-python.c:22: + /usr/include/python2.6/import.h:54:17: note: expected 'char *' but argument is of type 'const char *' + PyAPI_FUNC(int) PyImport_AppendInittab(char *name, void (*initfunc)(void)); + ^ + cc1: all warnings being treated as errors + +Signed-off-by: Tony Jones +Acked-by: Jiri Olsa +Tested-by: Arnaldo Carvalho de Melo +Cc: Jaroslav Å karvada +Cc: Jonathan Corbet +Cc: Ravi Bangoria +Cc: Seeteena Thoufeek +Fixes: 66dfdff03d19 ("perf tools: Add Python 3 support") +Link: http://lkml.kernel.org/r/20190124005229.16146-2-tonyj@suse.de +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + .../perf/util/scripting-engines/trace-event-python.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/tools/perf/util/scripting-engines/trace-event-python.c b/tools/perf/util/scripting-engines/trace-event-python.c +index 2fe3cc43526f..7059d1be2d09 100644 +--- a/tools/perf/util/scripting-engines/trace-event-python.c ++++ b/tools/perf/util/scripting-engines/trace-event-python.c +@@ -1493,34 +1493,40 @@ static void _free_command_line(wchar_t **command_line, int num) + static int python_start_script(const char *script, int argc, const char **argv) + { + struct tables *tables = &tables_global; ++ PyMODINIT_FUNC (*initfunc)(void); + #if PY_MAJOR_VERSION < 3 + const char **command_line; + #else + wchar_t **command_line; + #endif +- char buf[PATH_MAX]; ++ /* ++ * Use a non-const name variable to cope with python 2.6's ++ * PyImport_AppendInittab prototype ++ */ ++ char buf[PATH_MAX], name[19] = "perf_trace_context"; + int i, err = 0; + FILE *fp; + + #if PY_MAJOR_VERSION < 3 ++ initfunc = initperf_trace_context; + command_line = malloc((argc + 1) * sizeof(const char *)); + command_line[0] = script; + for (i = 1; i < argc + 1; i++) + command_line[i] = argv[i - 1]; + #else ++ initfunc = PyInit_perf_trace_context; + command_line = malloc((argc + 1) * sizeof(wchar_t *)); + command_line[0] = Py_DecodeLocale(script, NULL); + for (i = 1; i < argc + 1; i++) + command_line[i] = Py_DecodeLocale(argv[i - 1], NULL); + #endif + ++ PyImport_AppendInittab(name, initfunc); + Py_Initialize(); + + #if PY_MAJOR_VERSION < 3 +- initperf_trace_context(); + PySys_SetArgv(argc + 1, (char **)command_line); + #else +- PyInit_perf_trace_context(); + PySys_SetArgv(argc + 1, command_line); + #endif + +-- +2.19.1 + diff --git a/queue-5.0/perf-script-python-use-pybytes-for-attr-in-trace-eve.patch b/queue-5.0/perf-script-python-use-pybytes-for-attr-in-trace-eve.patch new file mode 100644 index 00000000000..352595a391a --- /dev/null +++ b/queue-5.0/perf-script-python-use-pybytes-for-attr-in-trace-eve.patch @@ -0,0 +1,62 @@ +From 9799aa449f68c9280c1cb799db92445906badaae Mon Sep 17 00:00:00 2001 +From: Tony Jones +Date: Wed, 23 Jan 2019 16:52:25 -0800 +Subject: perf script python: Use PyBytes for attr in trace-event-python +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 72e0b15cb24a497d7d0d4707cf51ff40c185ae8c ] + +With Python3. PyUnicode_FromStringAndSize is unsafe to call on attr and will +return NULL. Use _PyBytes_FromStringAndSize (as with raw_buf). + +Below is the observed behavior without the fix. Note it is first necessary +to apply the prior fix (Add trace_context extension module to sys,modules): + + # ldd /usr/bin/perf | grep -i python + libpython3.6m.so.1.0 => /usr/lib64/libpython3.6m.so.1.0 (0x00007f8e1dfb2000) + + # perf record -e raw_syscalls:sys_enter /bin/false + [ perf record: Woken up 1 times to write data ] + [ perf record: Captured and wrote 0.018 MB perf.data (21 samples) ] + + # perf script -g python | cat + generated Python script: perf-script.py + + # perf script -s ./perf-script.py + in trace_begin + Segmentation fault (core dumped) + +Signed-off-by: Tony Jones +Acked-by: Jiri Olsa +Tested-by: Arnaldo Carvalho de Melo +Cc: Jaroslav Å karvada +Cc: Jonathan Corbet +Cc: Ravi Bangoria +Cc: Seeteena Thoufeek +Fixes: 66dfdff03d19 ("perf tools: Add Python 3 support") +Link: http://lkml.kernel.org/r/20190124005229.16146-3-tonyj@suse.de +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/scripting-engines/trace-event-python.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/tools/perf/util/scripting-engines/trace-event-python.c b/tools/perf/util/scripting-engines/trace-event-python.c +index 87ef16a1b17e..2fe3cc43526f 100644 +--- a/tools/perf/util/scripting-engines/trace-event-python.c ++++ b/tools/perf/util/scripting-engines/trace-event-python.c +@@ -733,8 +733,7 @@ static PyObject *get_perf_sample_dict(struct perf_sample *sample, + Py_FatalError("couldn't create Python dictionary"); + + pydict_set_item_string_decref(dict, "ev_name", _PyUnicode_FromString(perf_evsel__name(evsel))); +- pydict_set_item_string_decref(dict, "attr", _PyUnicode_FromStringAndSize( +- (const char *)&evsel->attr, sizeof(evsel->attr))); ++ pydict_set_item_string_decref(dict, "attr", _PyBytes_FromStringAndSize((const char *)&evsel->attr, sizeof(evsel->attr))); + + pydict_set_item_string_decref(dict_sample, "pid", + _PyLong_FromLong(sample->pid)); +-- +2.19.1 + diff --git a/queue-5.0/perf-test-fix-failure-of-evsel-tp-sched-test-on-s390.patch b/queue-5.0/perf-test-fix-failure-of-evsel-tp-sched-test-on-s390.patch new file mode 100644 index 00000000000..a1d9d4c2199 --- /dev/null +++ b/queue-5.0/perf-test-fix-failure-of-evsel-tp-sched-test-on-s390.patch @@ -0,0 +1,120 @@ +From 1922a7df9234b20e788b16efbd6686a039fd72e4 Mon Sep 17 00:00:00 2001 +From: Thomas Richter +Date: Tue, 19 Feb 2019 16:36:39 +0100 +Subject: perf test: Fix failure of 'evsel-tp-sched' test on s390 + +[ Upstream commit 03d309711d687460d1345de8a0363f45b1c8cd11 ] + +Commit 489338a717a0 ("perf tests evsel-tp-sched: Fix bitwise operator") +causes test case 14 "Parse sched tracepoints fields" to fail on s390. + +This test succeeds on x86. + +In fact this test now fails on all architectures with type char treated +as type unsigned char. + +The root cause is the signed-ness of character arrays in the tracepoints +sched_switch for structure members prev_comm and next_comm. + +On s390 the output of: + + [root@m35lp76 perf]# cat /sys/kernel/debug/tracing/events/sched/sched_switch/format + name: sched_switch + ID: 287 + format: + field:unsigned short common_type; offset:0; size:2; signed:0; + ... + field:char prev_comm[16]; offset:8; size:16; signed:0; + ... + field:char next_comm[16]; offset:40; size:16; signed:0; + +reveals the character arrays prev_comm and next_comm are per +default unsigned char and have values in the range of 0..255. + +On x86 both fields are signed as this output shows: + [root@f29]# cat /sys/kernel/debug/tracing/events/sched/sched_switch/format + name: sched_switch + ID: 287 + format: + field:unsigned short common_type; offset:0; size:2; signed:0; + ... + field:char prev_comm[16]; offset:8; size:16; signed:1; + ... + field:char next_comm[16]; offset:40; size:16; signed:1; + +and the character arrays prev_comm and next_comm are per default signed +char and have values in the range of -1..127. The implementation of +type char is architecture specific. + +Since the character arrays in both tracepoints sched_switch and +sched_wakeup should contain ascii characters, simply omit the check for +signedness in the test case. + +Output before: + + [root@m35lp76 perf]# ./perf test -F 14 + 14: Parse sched tracepoints fields : + --- start --- + sched:sched_switch: "prev_comm" signedness(0) is wrong, should be 1 + sched:sched_switch: "next_comm" signedness(0) is wrong, should be 1 + sched:sched_wakeup: "comm" signedness(0) is wrong, should be 1 + ---- end ---- + 14: Parse sched tracepoints fields : FAILED! + [root@m35lp76 perf]# + +Output after: + + [root@m35lp76 perf]# ./perf test -Fv 14 + 14: Parse sched tracepoints fields : + --- start --- + ---- end ---- + Parse sched tracepoints fields: Ok + [root@m35lp76 perf]# + +Fixes: 489338a717a0 ("perf tests evsel-tp-sched: Fix bitwise operator") + +Signed-off-by: Thomas Richter +Cc: Heiko Carstens +Cc: Hendrik Brueckner +Cc: Martin Schwidefsky +Link: http://lkml.kernel.org/r/20190219153639.31267-1-tmricht@linux.ibm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/tests/evsel-tp-sched.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/tools/perf/tests/evsel-tp-sched.c b/tools/perf/tests/evsel-tp-sched.c +index 5cbba70bcdd0..ea7acf403727 100644 +--- a/tools/perf/tests/evsel-tp-sched.c ++++ b/tools/perf/tests/evsel-tp-sched.c +@@ -43,7 +43,7 @@ int test__perf_evsel__tp_sched_test(struct test *test __maybe_unused, int subtes + return -1; + } + +- if (perf_evsel__test_field(evsel, "prev_comm", 16, true)) ++ if (perf_evsel__test_field(evsel, "prev_comm", 16, false)) + ret = -1; + + if (perf_evsel__test_field(evsel, "prev_pid", 4, true)) +@@ -55,7 +55,7 @@ int test__perf_evsel__tp_sched_test(struct test *test __maybe_unused, int subtes + if (perf_evsel__test_field(evsel, "prev_state", sizeof(long), true)) + ret = -1; + +- if (perf_evsel__test_field(evsel, "next_comm", 16, true)) ++ if (perf_evsel__test_field(evsel, "next_comm", 16, false)) + ret = -1; + + if (perf_evsel__test_field(evsel, "next_pid", 4, true)) +@@ -73,7 +73,7 @@ int test__perf_evsel__tp_sched_test(struct test *test __maybe_unused, int subtes + return -1; + } + +- if (perf_evsel__test_field(evsel, "comm", 16, true)) ++ if (perf_evsel__test_field(evsel, "comm", 16, false)) + ret = -1; + + if (perf_evsel__test_field(evsel, "pid", 4, true)) +-- +2.19.1 + diff --git a/queue-5.0/perf-trace-check-if-the-fd-is-negative-when-mapping-.patch b/queue-5.0/perf-trace-check-if-the-fd-is-negative-when-mapping-.patch new file mode 100644 index 00000000000..b716c4028e0 --- /dev/null +++ b/queue-5.0/perf-trace-check-if-the-fd-is-negative-when-mapping-.patch @@ -0,0 +1,75 @@ +From 0e922cd8b549ea6bad39a08a97d12436e4385f33 Mon Sep 17 00:00:00 2001 +From: Arnaldo Carvalho de Melo +Date: Tue, 12 Feb 2019 10:18:36 -0300 +Subject: perf trace: Check if the 'fd' is negative when mapping it to pathname +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 051074867434cc520c08f188479d4757dcfdaef8 ] + +We were crashing when processing a negative fd: + + Program received signal SIGSEGV, Segmentation fault. + 0x0000000000609bbf in syscall_arg__scnprintf_ioctl_cmd (bf=0x1172eca "", size=2038, arg=0x7fffffff8360) at trace/beauty/ioctl.c:182 + 182 if (file->dev_maj == USB_DEVICE_MAJOR) + Missing separate debuginfos, use: dnf debuginfo-install bzip2-libs-1.0.6-28.fc29.x86_64 elfutils-libelf-0.174-5.fc29.x86_64 elfutils-libs-0.174-5.fc29.x86_64 glib2-2.58.3-1.fc29.x86_64 libbabeltrace-1.5.6-1.fc29.x86_64 libunwind-1.2.1-6.fc29.x86_64 libuuid-2.32.1-1.fc29.x86_64 libxcrypt-4.4.3-2.fc29.x86_64 numactl-libs-2.0.12-1.fc29.x86_64 openssl-libs-1.1.1a-1.fc29.x86_64 pcre-8.42-6.fc29.x86_64 perl-libs-5.28.1-427.fc29.x86_64 popt-1.16-15.fc29.x86_64 python2-libs-2.7.15-11.fc29.x86_64 slang-2.3.2-4.fc29.x86_64 xz-libs-5.2.4-3.fc29.x86_64 + (gdb) bt + #0 0x0000000000609bbf in syscall_arg__scnprintf_ioctl_cmd (bf=0x1172eca "", size=2038, arg=0x7fffffff8360) at trace/beauty/ioctl.c:182 + #1 0x000000000048e295 in syscall__scnprintf_val (sc=0x123b500, bf=0x1172eca "", size=2038, arg=0x7fffffff8360, val=21519) + at builtin-trace.c:1594 + #2 0x000000000048e60d in syscall__scnprintf_args (sc=0x123b500, bf=0x1172ec6 "-1, ", size=2042, args=0x7ffff6a7c034 "\377\377\377\377", + augmented_args=0x7ffff6a7c064, augmented_args_size=4, trace=0x7fffffffa8d0, thread=0x1175cd0) at builtin-trace.c:1661 + #3 0x000000000048f04e in trace__sys_enter (trace=0x7fffffffa8d0, evsel=0xb260b0, event=0x7ffff6a7bfe8, sample=0x7fffffff84f0) + at builtin-trace.c:1880 + #4 0x00000000004915a4 in trace__handle_event (trace=0x7fffffffa8d0, event=0x7ffff6a7bfe8, sample=0x7fffffff84f0) at builtin-trace.c:2590 + #5 0x0000000000491eed in __trace__deliver_event (trace=0x7fffffffa8d0, event=0x7ffff6a7bfe8) at builtin-trace.c:2818 + #6 0x0000000000492030 in trace__deliver_event (trace=0x7fffffffa8d0, event=0x7ffff6a7bfe8) at builtin-trace.c:2845 + #7 0x0000000000492896 in trace__run (trace=0x7fffffffa8d0, argc=0, argv=0x7fffffffdb58) at builtin-trace.c:3040 + #8 0x000000000049603a in cmd_trace (argc=0, argv=0x7fffffffdb58) at builtin-trace.c:3952 + #9 0x00000000004d5103 in main (argc=1, argv=0x7fffffffdb58) at perf.c:474 + (gdb) p fd + $1 = -1 + (gdb) p file + $7 = (struct file *) 0xfffffffffffffff0 + (gdb) p ((struct thread_trace *)arg->thread)->files.table + fd + $8 = (struct file *) 0xfffffffffffffff0 + (gdb) + +Check for that and return NULL instead. + +This problem was introduced recently, the other codepaths leading to +thread_trace__files_entry() check for negative fds, like thread__fd_path(), +but we need to do it at thread_trace__files_entry() as more users are now +calling it directly. + +Cc: Adrian Hunter +Cc: Jiri Olsa +Cc: Luis Cláudio Gonçalves +Cc: Namhyung Kim +Cc: Wang Nan +Fixes: 2d473389f87a ("perf trace beauty: Export function to get the files for a thread") +Link: https://lkml.kernel.org/n/tip-oq7bvaaf07gsd4yqty3107u2@git.kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-trace.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/tools/perf/builtin-trace.c b/tools/perf/builtin-trace.c +index b36061cd1ab8..2776ff8c3e81 100644 +--- a/tools/perf/builtin-trace.c ++++ b/tools/perf/builtin-trace.c +@@ -1039,6 +1039,9 @@ static const size_t trace__entry_str_size = 2048; + + static struct file *thread_trace__files_entry(struct thread_trace *ttrace, int fd) + { ++ if (fd < 0) ++ return NULL; ++ + if (fd > ttrace->files.max) { + struct file *nfiles = realloc(ttrace->files.table, (fd + 1) * sizeof(struct file)); + +-- +2.19.1 + diff --git a/queue-5.0/perf-trace-fixup-etcsnoop-example.patch b/queue-5.0/perf-trace-fixup-etcsnoop-example.patch new file mode 100644 index 00000000000..bcff8ca78f6 --- /dev/null +++ b/queue-5.0/perf-trace-fixup-etcsnoop-example.patch @@ -0,0 +1,51 @@ +From c48ba9cd4af202ec184f50fe0b0bade8db4fcd25 Mon Sep 17 00:00:00 2001 +From: Arnaldo Carvalho de Melo +Date: Thu, 24 Jan 2019 15:39:15 +0100 +Subject: perf trace: Fixup etcsnoop example +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 1d59cb1bbd4cbe5a8f8032242cdacea5658129cf ] + +Where we don't have "raw_syscalls:sys_enter", so we need to look for a +"*syscalls:sys_enter*" to initialize the offsets for the +__augmented_syscalls__ evsel, which is the case with etcsnoop, that was +segfaulting, fixed: + + # trace -e /home/acme/git/perf/tools/perf/examples/bpf/etcsnoop.c + 0.000 ( ): gnome-shell/2105 openat(dfd: CWD, filename: "/etc/localtime") ... + 631.834 ( ): cat/6521 openat(dfd: CWD, filename: "/etc/ld.so.cache", flags: RDONLY|CLOEXEC) ... + 632.637 ( ): bash/6521 openat(dfd: CWD, filename: "/etc/passwd") ... + ^C# + +Cc: Adrian Hunter +Cc: Jiri Olsa +Cc: Luis Cláudio Gonçalves +Cc: Namhyung Kim +Cc: Wang Nan +Fixes: b9b6a2ea2baf ("perf trace: Do not hardcode the size of the tracepoint common_ fields") +Link: https://lkml.kernel.org/n/tip-0tjwcit8qitsmh4nyvf2b0jo@git.kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-trace.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/builtin-trace.c b/tools/perf/builtin-trace.c +index 2776ff8c3e81..91cdbf504535 100644 +--- a/tools/perf/builtin-trace.c ++++ b/tools/perf/builtin-trace.c +@@ -3868,7 +3868,8 @@ int cmd_trace(int argc, const char **argv) + goto init_augmented_syscall_tp; + } + +- if (strcmp(perf_evsel__name(evsel), "raw_syscalls:sys_enter") == 0) { ++ if (trace.syscalls.events.augmented->priv == NULL && ++ strstr(perf_evsel__name(evsel), "syscalls:sys_enter")) { + struct perf_evsel *augmented = trace.syscalls.events.augmented; + if (perf_evsel__init_augmented_syscall_tp(augmented, evsel) || + perf_evsel__init_augmented_syscall_tp_args(augmented)) +-- +2.19.1 + diff --git a/queue-5.0/pinctrl-meson-fix-g12a-ao-pull-registers-base-addres.patch b/queue-5.0/pinctrl-meson-fix-g12a-ao-pull-registers-base-addres.patch new file mode 100644 index 00000000000..8124a53b5d7 --- /dev/null +++ b/queue-5.0/pinctrl-meson-fix-g12a-ao-pull-registers-base-addres.patch @@ -0,0 +1,89 @@ +From 545aa6760df61896b756e860eb3d6af5918e3377 Mon Sep 17 00:00:00 2001 +From: Xingyu Chen +Date: Thu, 17 Jan 2019 11:23:14 +0100 +Subject: pinctrl: meson: fix G12A ao pull registers base address + +[ Upstream commit e66dd48e8b0dee104d16417d30361074b08baca8 ] + +Since Meson G12A SoC, Introduce new ao registers AO_RTI_PULL_UP_EN_REG +and AO_GPIO_O. + +These bits of controlling output level are remapped to the new register +AO_GPIO_O, and the AO_GPIO_O_EN_N support only controlling output enable. + +These bits of controlling pull enable are remapped to the new register +AO_RTI_PULL_UP_EN_REG, and the AO_RTI_PULL_UP_REG support only controlling +pull type(up/down). + +The new layout of ao gpio/pull registers is as follows: +- AO_GPIO_O_EN_N [offset: 0x9 << 2] +- AO_GPIO_I [offset: 0xa << 2] +- AO_RTI_PULL_UP_REG [offset: 0xb << 2] +- AO_RTI_PULL_UP_EN_REG [offset: 0xc << 2] +- AO_GPIO_O [offset: 0xd << 2] + +From above, we can see ao GPIO registers region has been separated by the +ao pull registers. In order to ensure the continuity of the region on +software, the ao GPIO and ao pull registers use the same base address, but +can be identified by the offset. + +Fixes: 29ae0952e85f ("pinctrl: meson-g12a: add pinctrl driver support") +Signed-off-by: Xingyu Chen +Signed-off-by: Jianxin Pan +Signed-off-by: Jerome Brunet +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/meson/pinctrl-meson.c | 22 ++++++++++++---------- + 1 file changed, 12 insertions(+), 10 deletions(-) + +diff --git a/drivers/pinctrl/meson/pinctrl-meson.c b/drivers/pinctrl/meson/pinctrl-meson.c +index ea87d739f534..a4ae1ac5369e 100644 +--- a/drivers/pinctrl/meson/pinctrl-meson.c ++++ b/drivers/pinctrl/meson/pinctrl-meson.c +@@ -31,6 +31,9 @@ + * In some cases the register ranges for pull enable and pull + * direction are the same and thus there are only 3 register ranges. + * ++ * Since Meson G12A SoC, the ao register ranges for gpio, pull enable ++ * and pull direction are the same, so there are only 2 register ranges. ++ * + * For the pull and GPIO configuration every bank uses a contiguous + * set of bits in the register sets described above; the same register + * can be shared by more banks with different offsets. +@@ -488,23 +491,22 @@ static int meson_pinctrl_parse_dt(struct meson_pinctrl *pc, + return PTR_ERR(pc->reg_mux); + } + +- pc->reg_pull = meson_map_resource(pc, gpio_np, "pull"); +- if (IS_ERR(pc->reg_pull)) { +- dev_err(pc->dev, "pull registers not found\n"); +- return PTR_ERR(pc->reg_pull); ++ pc->reg_gpio = meson_map_resource(pc, gpio_np, "gpio"); ++ if (IS_ERR(pc->reg_gpio)) { ++ dev_err(pc->dev, "gpio registers not found\n"); ++ return PTR_ERR(pc->reg_gpio); + } + ++ pc->reg_pull = meson_map_resource(pc, gpio_np, "pull"); ++ /* Use gpio region if pull one is not present */ ++ if (IS_ERR(pc->reg_pull)) ++ pc->reg_pull = pc->reg_gpio; ++ + pc->reg_pullen = meson_map_resource(pc, gpio_np, "pull-enable"); + /* Use pull region if pull-enable one is not present */ + if (IS_ERR(pc->reg_pullen)) + pc->reg_pullen = pc->reg_pull; + +- pc->reg_gpio = meson_map_resource(pc, gpio_np, "gpio"); +- if (IS_ERR(pc->reg_gpio)) { +- dev_err(pc->dev, "gpio registers not found\n"); +- return PTR_ERR(pc->reg_gpio); +- } +- + return 0; + } + +-- +2.19.1 + diff --git a/queue-5.0/pinctrl-meson-meson8b-add-the-eth_rxd2-and-eth_rxd3-.patch b/queue-5.0/pinctrl-meson-meson8b-add-the-eth_rxd2-and-eth_rxd3-.patch new file mode 100644 index 00000000000..a219caf0bd3 --- /dev/null +++ b/queue-5.0/pinctrl-meson-meson8b-add-the-eth_rxd2-and-eth_rxd3-.patch @@ -0,0 +1,80 @@ +From 05070f630d7ada2f079461770feb622ef7f5d9c3 Mon Sep 17 00:00:00 2001 +From: Martin Blumenstingl +Date: Sat, 12 Jan 2019 13:59:13 +0100 +Subject: pinctrl: meson: meson8b: add the eth_rxd2 and eth_rxd3 pins + +[ Upstream commit 6daae00243e622dd3feec7965bfe421ad6dd317e ] + +Gigabit Ethernet requires the Ethernet TXD0..3 and RXD0..3 data lines. +Add the missing eth_rxd2 and eth_rxd3 definitions so we don't have to +rely on the bootloader to set them up correctly. + +The vendor u-boot sources for Odroid-C1 use the following Ethernet +pinmux configuration: + SET_CBUS_REG_MASK(PERIPHS_PIN_MUX_6, 0x3f4f); + SET_CBUS_REG_MASK(PERIPHS_PIN_MUX_7, 0xf00000); +This translates to the following pin groups in the mainline kernel: +- register 6 bit 0: eth_rxd1 (DIF_0_P) +- register 6 bit 1: eth_rxd0 (DIF_0_N) +- register 6 bit 2: eth_rx_dv (DIF_1_P) +- register 6 bit 3: eth_rx_clk (DIF_1_N) +- register 6 bit 6: eth_tx_en (DIF_3_P) +- register 6 bit 8: eth_ref_clk (DIF_3_N) +- register 6 bit 9: eth_mdc (DIF_4_P) +- register 6 bit 10: eth_mdio_en (DIF_4_N) +- register 6 bit 11: eth_tx_clk (GPIOH_9) +- register 6 bit 12: eth_txd2 (GPIOH_8) +- register 6 bit 13: eth_txd3 (GPIOH_7) +- register 7 bit 20: eth_txd0_0 (GPIOH_6) +- register 7 bit 21: eth_txd1_0 (GPIOH_5) +- register 7 bit 22: eth_rxd3 (DIF_2_P) +- register 7 bit 23: eth_rxd2 (DIF_2_N) + +All functions except eth_rxd2 and eth_rxd3 are already supported by the +pinctrl-meson8b driver. + +Suggested-by: Jianxin Pan +Signed-off-by: Martin Blumenstingl +Reviewed-by: Kevin Hilman +Tested-by: Emiliano Ingrassia +Reviewed-by: Emiliano Ingrassia +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/meson/pinctrl-meson8b.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/pinctrl/meson/pinctrl-meson8b.c b/drivers/pinctrl/meson/pinctrl-meson8b.c +index 0f140a802137..7f76000cc12e 100644 +--- a/drivers/pinctrl/meson/pinctrl-meson8b.c ++++ b/drivers/pinctrl/meson/pinctrl-meson8b.c +@@ -346,6 +346,8 @@ static const unsigned int eth_rx_dv_pins[] = { DIF_1_P }; + static const unsigned int eth_rx_clk_pins[] = { DIF_1_N }; + static const unsigned int eth_txd0_1_pins[] = { DIF_2_P }; + static const unsigned int eth_txd1_1_pins[] = { DIF_2_N }; ++static const unsigned int eth_rxd3_pins[] = { DIF_2_P }; ++static const unsigned int eth_rxd2_pins[] = { DIF_2_N }; + static const unsigned int eth_tx_en_pins[] = { DIF_3_P }; + static const unsigned int eth_ref_clk_pins[] = { DIF_3_N }; + static const unsigned int eth_mdc_pins[] = { DIF_4_P }; +@@ -599,6 +601,8 @@ static struct meson_pmx_group meson8b_cbus_groups[] = { + GROUP(eth_ref_clk, 6, 8), + GROUP(eth_mdc, 6, 9), + GROUP(eth_mdio_en, 6, 10), ++ GROUP(eth_rxd3, 7, 22), ++ GROUP(eth_rxd2, 7, 23), + }; + + static struct meson_pmx_group meson8b_aobus_groups[] = { +@@ -748,7 +752,7 @@ static const char * const ethernet_groups[] = { + "eth_tx_clk", "eth_tx_en", "eth_txd1_0", "eth_txd1_1", + "eth_txd0_0", "eth_txd0_1", "eth_rx_clk", "eth_rx_dv", + "eth_rxd1", "eth_rxd0", "eth_mdio_en", "eth_mdc", "eth_ref_clk", +- "eth_txd2", "eth_txd3" ++ "eth_txd2", "eth_txd3", "eth_rxd3", "eth_rxd2" + }; + + static const char * const i2c_a_groups[] = { +-- +2.19.1 + diff --git a/queue-5.0/pinctrl-sh-pfc-r8a77990-fix-mod_sel-bit-numbering.patch b/queue-5.0/pinctrl-sh-pfc-r8a77990-fix-mod_sel-bit-numbering.patch new file mode 100644 index 00000000000..ba6eb219332 --- /dev/null +++ b/queue-5.0/pinctrl-sh-pfc-r8a77990-fix-mod_sel-bit-numbering.patch @@ -0,0 +1,121 @@ +From 1f2d8453b48095880804f3f7101d9b51f6194c2e Mon Sep 17 00:00:00 2001 +From: Takeshi Kihara +Date: Wed, 12 Dec 2018 19:19:34 +0900 +Subject: pinctrl: sh-pfc: r8a77990: Fix MOD_SEL bit numbering + +[ Upstream commit 3e3eebeacad79bda8a9664c86c04f5201e86fece ] + +MOD_SEL register bit numbering was different from R-Car E3 SoC and +R-Car H3/M3-[WN] SoCs. + +MOD_SEL 1-bit H3/M3-[WN] E3 +=============== ========== ===== +Set Value = H'0 b'0 b'0 +Set Value = H'1 b'1 b'1 + +MOD_SEL 2-bits H3/M3-[WN] E3 +=============== ========== ===== +Set Value = H'0 b'00 b'00 +Set Value = H'1 b'01 b'10 +Set Value = H'2 b'10 b'01 +Set Value = H'3 b'11 b'11 + +MOD_SEL 3-bits H3/M3-[WN] E3 +=============== ========== ===== +Set Value = H'0 b'000 b'000 +Set Value = H'1 b'001 b'100 +Set Value = H'2 b'010 b'010 +Set Value = H'3 b'011 b'110 +Set Value = H'4 b'100 b'001 +Set Value = H'5 b'101 b'101 +Set Value = H'6 b'110 b'011 +Set Value = H'7 b'111 b'111 + +This patch replaces the #define name and value of MOD_SEL. + +Signed-off-by: Takeshi Kihara +Fixes: 6d4036a1e3b3 ("pinctrl: sh-pfc: Initial R8A77990 PFC support") +[shimoda: Split a patch per SoC and revise the commit log] +Signed-off-by: Yoshihiro Shimoda +[geert: Use macros to do the actual reordering] +Signed-off-by: Geert Uytterhoeven +Reviewed-by: Yoshihiro Shimoda +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/sh-pfc/pfc-r8a77990.c | 32 +++++++++++++++------------ + 1 file changed, 18 insertions(+), 14 deletions(-) + +diff --git a/drivers/pinctrl/sh-pfc/pfc-r8a77990.c b/drivers/pinctrl/sh-pfc/pfc-r8a77990.c +index e40908dc37e0..1ce286f7b286 100644 +--- a/drivers/pinctrl/sh-pfc/pfc-r8a77990.c ++++ b/drivers/pinctrl/sh-pfc/pfc-r8a77990.c +@@ -391,29 +391,33 @@ FM(IP12_23_20) IP12_23_20 FM(IP13_23_20) IP13_23_20 FM(IP14_23_20) IP14_23_20 FM + FM(IP12_27_24) IP12_27_24 FM(IP13_27_24) IP13_27_24 FM(IP14_27_24) IP14_27_24 FM(IP15_27_24) IP15_27_24 \ + FM(IP12_31_28) IP12_31_28 FM(IP13_31_28) IP13_31_28 FM(IP14_31_28) IP14_31_28 FM(IP15_31_28) IP15_31_28 + ++/* The bit numbering in MOD_SEL fields is reversed */ ++#define REV4(f0, f1, f2, f3) f0 f2 f1 f3 ++#define REV8(f0, f1, f2, f3, f4, f5, f6, f7) f0 f4 f2 f6 f1 f5 f3 f7 ++ + /* MOD_SEL0 */ /* 0 */ /* 1 */ /* 2 */ /* 3 */ /* 4 */ /* 5 */ /* 6 */ /* 7 */ +-#define MOD_SEL0_30_29 FM(SEL_ADGB_0) FM(SEL_ADGB_1) FM(SEL_ADGB_2) F_(0, 0) ++#define MOD_SEL0_30_29 REV4(FM(SEL_ADGB_0), FM(SEL_ADGB_1), FM(SEL_ADGB_2), F_(0, 0)) + #define MOD_SEL0_28 FM(SEL_DRIF0_0) FM(SEL_DRIF0_1) +-#define MOD_SEL0_27_26 FM(SEL_FM_0) FM(SEL_FM_1) FM(SEL_FM_2) F_(0, 0) ++#define MOD_SEL0_27_26 REV4(FM(SEL_FM_0), FM(SEL_FM_1), FM(SEL_FM_2), F_(0, 0)) + #define MOD_SEL0_25 FM(SEL_FSO_0) FM(SEL_FSO_1) + #define MOD_SEL0_24 FM(SEL_HSCIF0_0) FM(SEL_HSCIF0_1) + #define MOD_SEL0_23 FM(SEL_HSCIF1_0) FM(SEL_HSCIF1_1) + #define MOD_SEL0_22 FM(SEL_HSCIF2_0) FM(SEL_HSCIF2_1) +-#define MOD_SEL0_21_20 FM(SEL_I2C1_0) FM(SEL_I2C1_1) FM(SEL_I2C1_2) FM(SEL_I2C1_3) +-#define MOD_SEL0_19_18_17 FM(SEL_I2C2_0) FM(SEL_I2C2_1) FM(SEL_I2C2_2) FM(SEL_I2C2_3) FM(SEL_I2C2_4) F_(0, 0) F_(0, 0) F_(0, 0) ++#define MOD_SEL0_21_20 REV4(FM(SEL_I2C1_0), FM(SEL_I2C1_1), FM(SEL_I2C1_2), FM(SEL_I2C1_3)) ++#define MOD_SEL0_19_18_17 REV8(FM(SEL_I2C2_0), FM(SEL_I2C2_1), FM(SEL_I2C2_2), FM(SEL_I2C2_3), FM(SEL_I2C2_4), F_(0, 0), F_(0, 0), F_(0, 0)) + #define MOD_SEL0_16 FM(SEL_NDFC_0) FM(SEL_NDFC_1) + #define MOD_SEL0_15 FM(SEL_PWM0_0) FM(SEL_PWM0_1) + #define MOD_SEL0_14 FM(SEL_PWM1_0) FM(SEL_PWM1_1) +-#define MOD_SEL0_13_12 FM(SEL_PWM2_0) FM(SEL_PWM2_1) FM(SEL_PWM2_2) F_(0, 0) +-#define MOD_SEL0_11_10 FM(SEL_PWM3_0) FM(SEL_PWM3_1) FM(SEL_PWM3_2) F_(0, 0) ++#define MOD_SEL0_13_12 REV4(FM(SEL_PWM2_0), FM(SEL_PWM2_1), FM(SEL_PWM2_2), F_(0, 0)) ++#define MOD_SEL0_11_10 REV4(FM(SEL_PWM3_0), FM(SEL_PWM3_1), FM(SEL_PWM3_2), F_(0, 0)) + #define MOD_SEL0_9 FM(SEL_PWM4_0) FM(SEL_PWM4_1) + #define MOD_SEL0_8 FM(SEL_PWM5_0) FM(SEL_PWM5_1) + #define MOD_SEL0_7 FM(SEL_PWM6_0) FM(SEL_PWM6_1) +-#define MOD_SEL0_6_5 FM(SEL_REMOCON_0) FM(SEL_REMOCON_1) FM(SEL_REMOCON_2) F_(0, 0) ++#define MOD_SEL0_6_5 REV4(FM(SEL_REMOCON_0), FM(SEL_REMOCON_1), FM(SEL_REMOCON_2), F_(0, 0)) + #define MOD_SEL0_4 FM(SEL_SCIF_0) FM(SEL_SCIF_1) + #define MOD_SEL0_3 FM(SEL_SCIF0_0) FM(SEL_SCIF0_1) + #define MOD_SEL0_2 FM(SEL_SCIF2_0) FM(SEL_SCIF2_1) +-#define MOD_SEL0_1_0 FM(SEL_SPEED_PULSE_IF_0) FM(SEL_SPEED_PULSE_IF_1) FM(SEL_SPEED_PULSE_IF_2) F_(0, 0) ++#define MOD_SEL0_1_0 REV4(FM(SEL_SPEED_PULSE_IF_0), FM(SEL_SPEED_PULSE_IF_1), FM(SEL_SPEED_PULSE_IF_2), F_(0, 0)) + + /* MOD_SEL1 */ /* 0 */ /* 1 */ /* 2 */ /* 3 */ /* 4 */ /* 5 */ /* 6 */ /* 7 */ + #define MOD_SEL1_31 FM(SEL_SIMCARD_0) FM(SEL_SIMCARD_1) +@@ -422,18 +426,18 @@ FM(IP12_31_28) IP12_31_28 FM(IP13_31_28) IP13_31_28 FM(IP14_31_28) IP14_31_28 FM + #define MOD_SEL1_28 FM(SEL_USB_20_CH0_0) FM(SEL_USB_20_CH0_1) + #define MOD_SEL1_26 FM(SEL_DRIF2_0) FM(SEL_DRIF2_1) + #define MOD_SEL1_25 FM(SEL_DRIF3_0) FM(SEL_DRIF3_1) +-#define MOD_SEL1_24_23_22 FM(SEL_HSCIF3_0) FM(SEL_HSCIF3_1) FM(SEL_HSCIF3_2) FM(SEL_HSCIF3_3) FM(SEL_HSCIF3_4) F_(0, 0) F_(0, 0) F_(0, 0) +-#define MOD_SEL1_21_20_19 FM(SEL_HSCIF4_0) FM(SEL_HSCIF4_1) FM(SEL_HSCIF4_2) FM(SEL_HSCIF4_3) FM(SEL_HSCIF4_4) F_(0, 0) F_(0, 0) F_(0, 0) ++#define MOD_SEL1_24_23_22 REV8(FM(SEL_HSCIF3_0), FM(SEL_HSCIF3_1), FM(SEL_HSCIF3_2), FM(SEL_HSCIF3_3), FM(SEL_HSCIF3_4), F_(0, 0), F_(0, 0), F_(0, 0)) ++#define MOD_SEL1_21_20_19 REV8(FM(SEL_HSCIF4_0), FM(SEL_HSCIF4_1), FM(SEL_HSCIF4_2), FM(SEL_HSCIF4_3), FM(SEL_HSCIF4_4), F_(0, 0), F_(0, 0), F_(0, 0)) + #define MOD_SEL1_18 FM(SEL_I2C6_0) FM(SEL_I2C6_1) + #define MOD_SEL1_17 FM(SEL_I2C7_0) FM(SEL_I2C7_1) + #define MOD_SEL1_16 FM(SEL_MSIOF2_0) FM(SEL_MSIOF2_1) + #define MOD_SEL1_15 FM(SEL_MSIOF3_0) FM(SEL_MSIOF3_1) +-#define MOD_SEL1_14_13 FM(SEL_SCIF3_0) FM(SEL_SCIF3_1) FM(SEL_SCIF3_2) F_(0, 0) +-#define MOD_SEL1_12_11 FM(SEL_SCIF4_0) FM(SEL_SCIF4_1) FM(SEL_SCIF4_2) F_(0, 0) +-#define MOD_SEL1_10_9 FM(SEL_SCIF5_0) FM(SEL_SCIF5_1) FM(SEL_SCIF5_2) F_(0, 0) ++#define MOD_SEL1_14_13 REV4(FM(SEL_SCIF3_0), FM(SEL_SCIF3_1), FM(SEL_SCIF3_2), F_(0, 0)) ++#define MOD_SEL1_12_11 REV4(FM(SEL_SCIF4_0), FM(SEL_SCIF4_1), FM(SEL_SCIF4_2), F_(0, 0)) ++#define MOD_SEL1_10_9 REV4(FM(SEL_SCIF5_0), FM(SEL_SCIF5_1), FM(SEL_SCIF5_2), F_(0, 0)) + #define MOD_SEL1_8 FM(SEL_VIN4_0) FM(SEL_VIN4_1) + #define MOD_SEL1_7 FM(SEL_VIN5_0) FM(SEL_VIN5_1) +-#define MOD_SEL1_6_5 FM(SEL_ADGC_0) FM(SEL_ADGC_1) FM(SEL_ADGC_2) F_(0, 0) ++#define MOD_SEL1_6_5 REV4(FM(SEL_ADGC_0), FM(SEL_ADGC_1), FM(SEL_ADGC_2), F_(0, 0)) + #define MOD_SEL1_4 FM(SEL_SSI9_0) FM(SEL_SSI9_1) + + #define PINMUX_MOD_SELS \ +-- +2.19.1 + diff --git a/queue-5.0/pinctrl-sh-pfc-r8a77995-fix-mod_sel-bit-numbering.patch b/queue-5.0/pinctrl-sh-pfc-r8a77995-fix-mod_sel-bit-numbering.patch new file mode 100644 index 00000000000..74ebf118342 --- /dev/null +++ b/queue-5.0/pinctrl-sh-pfc-r8a77995-fix-mod_sel-bit-numbering.patch @@ -0,0 +1,79 @@ +From 7d9737be3cdc7d1c26028f8b27e153b709636a12 Mon Sep 17 00:00:00 2001 +From: Takeshi Kihara +Date: Wed, 12 Dec 2018 19:19:35 +0900 +Subject: pinctrl: sh-pfc: r8a77995: Fix MOD_SEL bit numbering + +[ Upstream commit 5219aa33caec2f7b68eda2b7e4ab8e276f323254 ] + +MOD_SEL register bit numbering was different from R-Car D3 SoC and +R-Car H3/M3-[WN] SoCs. + +MOD_SEL 1-bit H3/M3-[WN] D3 +=============== ========== ===== +Set Value = H'0 b'0 b'0 +Set Value = H'1 b'1 b'1 + +MOD_SEL 2-bits H3/M3-[WN] D3 +=============== ========== ===== +Set Value = H'0 b'00 b'00 +Set Value = H'1 b'01 b'10 +Set Value = H'2 b'10 b'01 +Set Value = H'3 b'11 b'11 + +MOD_SEL 3-bits H3/M3-[WN] D3 +=============== ========== ===== +Set Value = H'0 b'000 b'000 +Set Value = H'1 b'001 b'100 +Set Value = H'2 b'010 b'010 +Set Value = H'3 b'011 b'110 +Set Value = H'4 b'100 b'001 +Set Value = H'5 b'101 b'101 +Set Value = H'6 b'110 b'011 +Set Value = H'7 b'111 b'111 + +This patch replaces the #define name and value of MOD_SEL. + +Signed-off-by: Takeshi Kihara +Fixes: 794a67117646 ("pinctrl: sh-pfc: Initial R8A77995 PFC support") +[shimoda: split a patch per SoC and revise the commit log] +Signed-off-by: Yoshihiro Shimoda +[geert: Use a macro to do the actual reordering] +Signed-off-by: Geert Uytterhoeven +Reviewed-by: Simon Horman +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/sh-pfc/pfc-r8a77995.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/drivers/pinctrl/sh-pfc/pfc-r8a77995.c b/drivers/pinctrl/sh-pfc/pfc-r8a77995.c +index 84d78db381e3..9e377e3b9cb3 100644 +--- a/drivers/pinctrl/sh-pfc/pfc-r8a77995.c ++++ b/drivers/pinctrl/sh-pfc/pfc-r8a77995.c +@@ -381,6 +381,9 @@ FM(IP12_23_20) IP12_23_20 \ + FM(IP12_27_24) IP12_27_24 \ + FM(IP12_31_28) IP12_31_28 \ + ++/* The bit numbering in MOD_SEL fields is reversed */ ++#define REV4(f0, f1, f2, f3) f0 f2 f1 f3 ++ + /* MOD_SEL0 */ /* 0 */ /* 1 */ /* 2 */ /* 3 */ + #define MOD_SEL0_30 FM(SEL_MSIOF2_0) FM(SEL_MSIOF2_1) + #define MOD_SEL0_29 FM(SEL_I2C3_0) FM(SEL_I2C3_1) +@@ -388,10 +391,10 @@ FM(IP12_31_28) IP12_31_28 \ + #define MOD_SEL0_27 FM(SEL_MSIOF3_0) FM(SEL_MSIOF3_1) + #define MOD_SEL0_26 FM(SEL_HSCIF3_0) FM(SEL_HSCIF3_1) + #define MOD_SEL0_25 FM(SEL_SCIF4_0) FM(SEL_SCIF4_1) +-#define MOD_SEL0_24_23 FM(SEL_PWM0_0) FM(SEL_PWM0_1) FM(SEL_PWM0_2) F_(0, 0) +-#define MOD_SEL0_22_21 FM(SEL_PWM1_0) FM(SEL_PWM1_1) FM(SEL_PWM1_2) F_(0, 0) +-#define MOD_SEL0_20_19 FM(SEL_PWM2_0) FM(SEL_PWM2_1) FM(SEL_PWM2_2) F_(0, 0) +-#define MOD_SEL0_18_17 FM(SEL_PWM3_0) FM(SEL_PWM3_1) FM(SEL_PWM3_2) F_(0, 0) ++#define MOD_SEL0_24_23 REV4(FM(SEL_PWM0_0), FM(SEL_PWM0_1), FM(SEL_PWM0_2), F_(0, 0)) ++#define MOD_SEL0_22_21 REV4(FM(SEL_PWM1_0), FM(SEL_PWM1_1), FM(SEL_PWM1_2), F_(0, 0)) ++#define MOD_SEL0_20_19 REV4(FM(SEL_PWM2_0), FM(SEL_PWM2_1), FM(SEL_PWM2_2), F_(0, 0)) ++#define MOD_SEL0_18_17 REV4(FM(SEL_PWM3_0), FM(SEL_PWM3_1), FM(SEL_PWM3_2), F_(0, 0)) + #define MOD_SEL0_15 FM(SEL_IRQ_0_0) FM(SEL_IRQ_0_1) + #define MOD_SEL0_14 FM(SEL_IRQ_1_0) FM(SEL_IRQ_1_1) + #define MOD_SEL0_13 FM(SEL_IRQ_2_0) FM(SEL_IRQ_2_1) +-- +2.19.1 + diff --git a/queue-5.0/platform-mellanox-mlxreg-hotplug-fix-kasan-warning.patch b/queue-5.0/platform-mellanox-mlxreg-hotplug-fix-kasan-warning.patch new file mode 100644 index 00000000000..73f8acff114 --- /dev/null +++ b/queue-5.0/platform-mellanox-mlxreg-hotplug-fix-kasan-warning.patch @@ -0,0 +1,166 @@ +From 462f03fb67e359ec8026a12ae793f02131b4987e Mon Sep 17 00:00:00 2001 +From: Vadim Pasternak +Date: Sun, 17 Feb 2019 18:15:30 +0000 +Subject: platform/mellanox: mlxreg-hotplug: Fix KASAN warning + +[ Upstream commit e4c275f77624961b56cce397814d9d770a45ac59 ] + +Fix the following KASAN warning produced when booting a 64-bit kernel: +[ 13.334750] BUG: KASAN: stack-out-of-bounds in find_first_bit+0x19/0x70 +[ 13.342166] Read of size 8 at addr ffff880235067178 by task kworker/2:1/42 +[ 13.342176] CPU: 2 PID: 42 Comm: kworker/2:1 Not tainted 4.20.0-rc1+ #106 +[ 13.342179] Hardware name: Mellanox Technologies Ltd. MSN2740/Mellanox x86 SFF board, BIOS 5.6.5 06/07/2016 +[ 13.342190] Workqueue: events deferred_probe_work_func +[ 13.342194] Call Trace: +[ 13.342206] dump_stack+0xc7/0x15b +[ 13.342214] ? show_regs_print_info+0x5/0x5 +[ 13.342220] ? kmsg_dump_rewind_nolock+0x59/0x59 +[ 13.342234] ? _raw_write_lock_irqsave+0x100/0x100 +[ 13.351593] print_address_description+0x73/0x260 +[ 13.351603] kasan_report+0x260/0x380 +[ 13.351611] ? find_first_bit+0x19/0x70 +[ 13.351619] find_first_bit+0x19/0x70 +[ 13.351630] mlxreg_hotplug_work_handler+0x73c/0x920 [mlxreg_hotplug] +[ 13.351639] ? __lock_text_start+0x8/0x8 +[ 13.351646] ? _raw_write_lock_irqsave+0x80/0x100 +[ 13.351656] ? mlxreg_hotplug_remove+0x1e0/0x1e0 [mlxreg_hotplug] +[ 13.351663] ? regmap_volatile+0x40/0xb0 +[ 13.351668] ? regcache_write+0x4c/0x90 +[ 13.351676] ? mlxplat_mlxcpld_reg_write+0x24/0x30 [mlx_platform] +[ 13.351681] ? _regmap_write+0xea/0x220 +[ 13.351688] ? __mutex_lock_slowpath+0x10/0x10 +[ 13.351696] ? devm_add_action+0x70/0x70 +[ 13.351701] ? mutex_unlock+0x1d/0x40 +[ 13.351710] mlxreg_hotplug_probe+0x82e/0x989 [mlxreg_hotplug] +[ 13.351723] ? mlxreg_hotplug_work_handler+0x920/0x920 [mlxreg_hotplug] +[ 13.351731] ? sysfs_do_create_link_sd.isra.2+0xf4/0x190 +[ 13.351737] ? sysfs_rename_link_ns+0xf0/0xf0 +[ 13.351743] ? devres_close_group+0x2b0/0x2b0 +[ 13.351749] ? pinctrl_put+0x20/0x20 +[ 13.351755] ? acpi_dev_pm_attach+0x2c/0xd0 +[ 13.351763] platform_drv_probe+0x70/0xd0 +[ 13.351771] really_probe+0x480/0x6e0 +[ 13.351778] ? device_attach+0x10/0x10 +[ 13.351784] ? __lock_text_start+0x8/0x8 +[ 13.351790] ? _raw_write_lock_irqsave+0x80/0x100 +[ 13.351797] ? _raw_write_lock_irqsave+0x80/0x100 +[ 13.351806] ? __driver_attach+0x190/0x190 +[ 13.351812] driver_probe_device+0x17d/0x1a0 +[ 13.351819] ? __driver_attach+0x190/0x190 +[ 13.351825] bus_for_each_drv+0xd6/0x130 +[ 13.351831] ? bus_rescan_devices+0x20/0x20 +[ 13.351837] ? __mutex_lock_slowpath+0x10/0x10 +[ 13.351845] __device_attach+0x18c/0x230 +[ 13.351852] ? device_bind_driver+0x70/0x70 +[ 13.351859] ? __mutex_lock_slowpath+0x10/0x10 +[ 13.351866] bus_probe_device+0xea/0x110 +[ 13.351874] deferred_probe_work_func+0x1c9/0x290 +[ 13.351882] ? driver_deferred_probe_add+0x1d0/0x1d0 +[ 13.351889] ? preempt_notifier_dec+0x20/0x20 +[ 13.351897] ? read_word_at_a_time+0xe/0x20 +[ 13.351904] ? strscpy+0x151/0x290 +[ 13.351912] ? set_work_pool_and_clear_pending+0x9c/0xf0 +[ 13.351918] ? __switch_to_asm+0x34/0x70 +[ 13.351924] ? __switch_to_asm+0x40/0x70 +[ 13.351929] ? __switch_to_asm+0x34/0x70 +[ 13.351935] ? __switch_to_asm+0x40/0x70 +[ 13.351942] process_one_work+0x5cc/0xa00 +[ 13.351952] ? pwq_dec_nr_in_flight+0x1e0/0x1e0 +[ 13.351960] ? pci_mmcfg_check_reserved+0x80/0xb8 +[ 13.351967] ? run_rebalance_domains+0x250/0x250 +[ 13.351980] ? stack_access_ok+0x35/0x80 +[ 13.351986] ? deref_stack_reg+0xa1/0xe0 +[ 13.351994] ? schedule+0xcd/0x250 +[ 13.352000] ? worker_enter_idle+0x2d6/0x330 +[ 13.352006] ? __schedule+0xeb0/0xeb0 +[ 13.352014] ? fork_usermode_blob+0x130/0x130 +[ 13.352019] ? mutex_lock+0xa7/0x100 +[ 13.352026] ? _raw_spin_lock_irq+0x98/0xf0 +[ 13.352032] ? _raw_read_unlock_irqrestore+0x30/0x30 +[ 13.352037] i2c i2c-2: Added multiplexed i2c bus 11 +[ 13.352043] worker_thread+0x181/0xa80 +[ 13.352052] ? __switch_to_asm+0x34/0x70 +[ 13.352058] ? __switch_to_asm+0x40/0x70 +[ 13.352064] ? process_one_work+0xa00/0xa00 +[ 13.352070] ? __switch_to_asm+0x34/0x70 +[ 13.352076] ? __switch_to_asm+0x40/0x70 +[ 13.352081] ? __switch_to_asm+0x34/0x70 +[ 13.352086] ? __switch_to_asm+0x40/0x70 +[ 13.352092] ? __switch_to_asm+0x34/0x70 +[ 13.352097] ? __switch_to_asm+0x40/0x70 +[ 13.352105] ? __schedule+0x3d6/0xeb0 +[ 13.352112] ? migrate_swap_stop+0x470/0x470 +[ 13.352119] ? save_stack+0x89/0xb0 +[ 13.352127] ? kmem_cache_alloc_trace+0xe5/0x570 +[ 13.352132] ? kthread+0x59/0x1d0 +[ 13.352138] ? ret_from_fork+0x35/0x40 +[ 13.352154] ? __schedule+0xeb0/0xeb0 +[ 13.352161] ? remove_wait_queue+0x150/0x150 +[ 13.352169] ? _raw_write_lock_irqsave+0x80/0x100 +[ 13.352175] ? __lock_text_start+0x8/0x8 +[ 13.352183] ? process_one_work+0xa00/0xa00 +[ 13.352188] kthread+0x1a4/0x1d0 +[ 13.352195] ? kthread_create_worker_on_cpu+0xc0/0xc0 +[ 13.352202] ret_from_fork+0x35/0x40 + +[ 13.353879] The buggy address belongs to the page: +[ 13.353885] page:ffffea0008d419c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0 +[ 13.353890] flags: 0x2ffff8000000000() +[ 13.353897] raw: 02ffff8000000000 ffffea0008d419c8 ffffea0008d419c8 0000000000000000 +[ 13.353903] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 +[ 13.353905] page dumped because: kasan: bad access detected + +[ 13.353908] Memory state around the buggy address: +[ 13.353912] ffff880235067000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 13.353917] ffff880235067080: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 04 +[ 13.353921] >ffff880235067100: f2 f2 f2 f2 f2 f2 f2 04 f2 f2 f2 f2 f2 f2 f2 04 +[ 13.353923] ^ +[ 13.353927] ffff880235067180: f2 f2 f2 f2 f2 f2 f2 04 f2 f2 f2 00 00 00 00 00 +[ 13.353931] ffff880235067200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 13.353933] ================================================================== + +The warning is caused by the below loop: + for_each_set_bit(bit, (unsigned long *)&asserted, 8) { +while "asserted" is declared as 'unsigned'. + +The casting of 32-bit unsigned integer pointer to a 64-bit unsigned long +pointer. There are two problems here. +It causes the access of four extra byte, which can corrupt memory +The 32-bit pointer address may not be 64-bit aligned. + +The fix changes variable "asserted" to "unsigned long". + +Fixes: 1f976f6978bf ("platform/x86: Move Mellanox platform hotplug driver to platform/mellanox") +Signed-off-by: Vadim Pasternak +Signed-off-by: Darren Hart (VMware) +Signed-off-by: Sasha Levin +--- + drivers/platform/mellanox/mlxreg-hotplug.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/platform/mellanox/mlxreg-hotplug.c b/drivers/platform/mellanox/mlxreg-hotplug.c +index b6d44550d98c..eca16d00e310 100644 +--- a/drivers/platform/mellanox/mlxreg-hotplug.c ++++ b/drivers/platform/mellanox/mlxreg-hotplug.c +@@ -248,7 +248,8 @@ mlxreg_hotplug_work_helper(struct mlxreg_hotplug_priv_data *priv, + struct mlxreg_core_item *item) + { + struct mlxreg_core_data *data; +- u32 asserted, regval, bit; ++ unsigned long asserted; ++ u32 regval, bit; + int ret; + + /* +@@ -281,7 +282,7 @@ mlxreg_hotplug_work_helper(struct mlxreg_hotplug_priv_data *priv, + asserted = item->cache ^ regval; + item->cache = regval; + +- for_each_set_bit(bit, (unsigned long *)&asserted, 8) { ++ for_each_set_bit(bit, &asserted, 8) { + data = item->data + bit; + if (regval & BIT(bit)) { + if (item->inversed) +-- +2.19.1 + diff --git a/queue-5.0/platform-x86-ideapad-laptop-fix-no_hw_rfkill_list-fo.patch b/queue-5.0/platform-x86-ideapad-laptop-fix-no_hw_rfkill_list-fo.patch new file mode 100644 index 00000000000..bb199313122 --- /dev/null +++ b/queue-5.0/platform-x86-ideapad-laptop-fix-no_hw_rfkill_list-fo.patch @@ -0,0 +1,59 @@ +From dcf2eb6ef263cba36bf9a8ad9d7c03413b9f4a95 Mon Sep 17 00:00:00 2001 +From: Yang Fan +Date: Sat, 19 Jan 2019 19:16:33 +0800 +Subject: platform/x86: ideapad-laptop: Fix no_hw_rfkill_list for Lenovo + RESCUER R720-15IKBN + +[ Upstream commit 4d9b2864a415fec39150bc13efc730c7eb88711e ] + +Commit ae7c8cba3221 ("platform/x86: ideapad-laptop: add lenovo RESCUER +R720-15IKBN to no_hw_rfkill_list") added + DMI_MATCH(DMI_BOARD_NAME, "80WW") +for Lenovo RESCUER R720-15IKBN. + +But DMI_BOARD_NAME does not match 80WW on Lenovo RESCUER R720-15IKBN, +thus cause Wireless LAN still be hard blocked. + +On Lenovo RESCUER R720-15IKBN: + ~$ cat /sys/class/dmi/id/sys_vendor + LENOVO + ~$ cat /sys/class/dmi/id/board_name + Provence-5R3 + ~$ cat /sys/class/dmi/id/product_name + 80WW + ~$ cat /sys/class/dmi/id/product_version + Lenovo R720-15IKBN + +So on Lenovo RESCUER R720-15IKBN: + DMI_SYS_VENDOR should match "LENOVO", + DMI_BOARD_NAME should match "Provence-5R3", + DMI_PRODUCT_NAME should match "80WW", + DMI_PRODUCT_VERSION should match "Lenovo R720-15IKBN". + +Fix it, and in according with other entries in no_hw_rfkill_list, +use DMI_PRODUCT_VERSION instead of DMI_BOARD_NAME. + +Fixes: ae7c8cba3221 ("platform/x86: ideapad-laptop: add lenovo RESCUER R720-15IKBN to no_hw_rfkill_list") +Signed-off-by: Yang Fan +Signed-off-by: Darren Hart (VMware) +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/ideapad-laptop.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/ideapad-laptop.c b/drivers/platform/x86/ideapad-laptop.c +index 1589dffab9fa..8b53a9ceb897 100644 +--- a/drivers/platform/x86/ideapad-laptop.c ++++ b/drivers/platform/x86/ideapad-laptop.c +@@ -989,7 +989,7 @@ static const struct dmi_system_id no_hw_rfkill_list[] = { + .ident = "Lenovo RESCUER R720-15IKBN", + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_MATCH(DMI_BOARD_NAME, "80WW"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo R720-15IKBN"), + }, + }, + { +-- +2.19.1 + diff --git a/queue-5.0/platform-x86-intel-hid-missing-power-button-release-.patch b/queue-5.0/platform-x86-intel-hid-missing-power-button-release-.patch new file mode 100644 index 00000000000..b281ffc5873 --- /dev/null +++ b/queue-5.0/platform-x86-intel-hid-missing-power-button-release-.patch @@ -0,0 +1,68 @@ +From 66a46ca245885aa648f806209d98eb766168f4c2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?J=C3=A9r=C3=B4me=20de=20Bretagne?= + +Date: Sun, 6 Jan 2019 18:56:44 +0100 +Subject: platform/x86: intel-hid: Missing power button release on some Dell + models +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit e97a34563d18606ee5db93e495382a967f999cd4 ] + +Power button suspend for some Dell models was added in: + +commit 821b85366284 ("platform/x86: intel-hid: Power button suspend on Dell Latitude 7275") + +by checking against the power button press notification (0xCE) to report +the power button press event. The corresponding power button release +notification (0xCF) was caught and ignored to stop it from being reported +as an "unknown event" in the logs. + +The missing button release event is creating issues on Android-x86, as +reported on the project mailing list for a Dell Latitude 5175 model, since +the events are expected in down/up pairs. + +Report the power button release event to fix this issue. + +Link: https://groups.google.com/forum/#!topic/android-x86/aSwZK9Nf9Ro +Tested-by: Tristian Celestin +Tested-by: Jérôme de Bretagne +Signed-off-by: Jérôme de Bretagne +Reviewed-by: Mario Limonciello +[dvhart: corrected commit reference format per checkpatch] +Signed-off-by: Darren Hart (VMware) +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/intel-hid.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/platform/x86/intel-hid.c b/drivers/platform/x86/intel-hid.c +index e28bcf61b126..bc0d55a59015 100644 +--- a/drivers/platform/x86/intel-hid.c ++++ b/drivers/platform/x86/intel-hid.c +@@ -363,7 +363,7 @@ wakeup: + * the 5-button array, but still send notifies with power button + * event code to this device object on power button actions. + * +- * Report the power button press; catch and ignore the button release. ++ * Report the power button press and release. + */ + if (!priv->array) { + if (event == 0xce) { +@@ -372,8 +372,11 @@ wakeup: + return; + } + +- if (event == 0xcf) ++ if (event == 0xcf) { ++ input_report_key(priv->input_dev, KEY_POWER, 0); ++ input_sync(priv->input_dev); + return; ++ } + } + + /* 0xC0 is for HID events, other values are for 5 button array */ +-- +2.19.1 + diff --git a/queue-5.0/platform-x86-intel_pmc_core-fix-pch-ip-sts-reading.patch b/queue-5.0/platform-x86-intel_pmc_core-fix-pch-ip-sts-reading.patch new file mode 100644 index 00000000000..a9040e27551 --- /dev/null +++ b/queue-5.0/platform-x86-intel_pmc_core-fix-pch-ip-sts-reading.patch @@ -0,0 +1,63 @@ +From 456abcadc6eb38e7f8a33e02f5b46ba6ab9937bd Mon Sep 17 00:00:00 2001 +From: Rajneesh Bhardwaj +Date: Fri, 1 Feb 2019 13:02:26 +0530 +Subject: platform/x86: intel_pmc_core: Fix PCH IP sts reading + +[ Upstream commit 0e68eeea9894feeba2edf7ec63e4551b87f39621 ] + +A previous commit "platform/x86: intel_pmc_core: Make the driver PCH +family agnostic " provided +better abstraction to this driver but has some fundamental issues. + +e.g. the following condition + +for (index = 0; index < pmcdev->map->ppfear_buckets && + index < PPFEAR_MAX_NUM_ENTRIES; index++, iter++) + +is wrong because for CNL, PPFEAR_MAX_NUM_ENTRIES is hardcoded as 5 which +is _wrong_ and even though ppfear_buckets is 8, the loop fails to read +all eight registers needed for CNL PCH i.e. PPFEAR0 and PPFEAR1. This +patch refactors the pfear show logic to correctly read PCH IP power +gating status for Cannonlake and beyond. + +Cc: "David E. Box" +Cc: Srinivas Pandruvada +Fixes: c977b98bbef5 ("platform/x86: intel_pmc_core: Make the driver PCH family agnostic") +Signed-off-by: Rajneesh Bhardwaj +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/intel_pmc_core.c | 3 ++- + drivers/platform/x86/intel_pmc_core.h | 2 +- + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/platform/x86/intel_pmc_core.c b/drivers/platform/x86/intel_pmc_core.c +index 22dbf115782e..c37e74ee609d 100644 +--- a/drivers/platform/x86/intel_pmc_core.c ++++ b/drivers/platform/x86/intel_pmc_core.c +@@ -380,7 +380,8 @@ static int pmc_core_ppfear_show(struct seq_file *s, void *unused) + index < PPFEAR_MAX_NUM_ENTRIES; index++, iter++) + pf_regs[index] = pmc_core_reg_read_byte(pmcdev, iter); + +- for (index = 0; map[index].name; index++) ++ for (index = 0; map[index].name && ++ index < pmcdev->map->ppfear_buckets * 8; index++) + pmc_core_display_map(s, index, pf_regs[index / 8], map); + + return 0; +diff --git a/drivers/platform/x86/intel_pmc_core.h b/drivers/platform/x86/intel_pmc_core.h +index 89554cba5758..1a0104d2cbf0 100644 +--- a/drivers/platform/x86/intel_pmc_core.h ++++ b/drivers/platform/x86/intel_pmc_core.h +@@ -32,7 +32,7 @@ + #define SPT_PMC_SLP_S0_RES_COUNTER_STEP 0x64 + #define PMC_BASE_ADDR_MASK ~(SPT_PMC_MMIO_REG_LEN - 1) + #define MTPMC_MASK 0xffff0000 +-#define PPFEAR_MAX_NUM_ENTRIES 5 ++#define PPFEAR_MAX_NUM_ENTRIES 12 + #define SPT_PPFEAR_NUM_ENTRIES 5 + #define SPT_PMC_READ_DISABLE_BIT 0x16 + #define SPT_PMC_MSG_FULL_STS_BIT 0x18 +-- +2.19.1 + diff --git a/queue-5.0/powerpc-44x-force-pci-on-for-currituck.patch b/queue-5.0/powerpc-44x-force-pci-on-for-currituck.patch new file mode 100644 index 00000000000..259e90d6dce --- /dev/null +++ b/queue-5.0/powerpc-44x-force-pci-on-for-currituck.patch @@ -0,0 +1,50 @@ +From 56847fb612b4a13cb7bed07563c091794d461734 Mon Sep 17 00:00:00 2001 +From: Michael Ellerman +Date: Thu, 7 Feb 2019 13:43:26 +1100 +Subject: powerpc/44x: Force PCI on for CURRITUCK + +[ Upstream commit aa7150ba378650d0e9d84b8e4d805946965a5926 ] + +The recent rework of PCI kconfig symbols exposed an existing bug in +the CURRITUCK kconfig logic. + +It selects PPC4xx_PCI_EXPRESS which depends on PCI, but PCI is user +selectable and might be disabled, leading to a warning: + + WARNING: unmet direct dependencies detected for PPC4xx_PCI_EXPRESS + Depends on [n]: PCI [=n] && 4xx [=y] + Selected by [y]: + - CURRITUCK [=y] && PPC_47x [=y] + +Prior to commit eb01d42a7778 ("PCI: consolidate PCI config entry in +drivers/pci") PCI was enabled by default for currituck_defconfig so we +didn't see the warning. The bad logic was still there, it just +required someone disabling PCI in their .config to hit it. + +Fix it by forcing PCI on for CURRITUCK, which seems was always the +expectation anyway. + +Fixes: eb01d42a7778 ("PCI: consolidate PCI config entry in drivers/pci") +Reported-by: Randy Dunlap +Reviewed-by: Christoph Hellwig +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/44x/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/powerpc/platforms/44x/Kconfig b/arch/powerpc/platforms/44x/Kconfig +index 4a9a72d01c3c..35be81fd2dc2 100644 +--- a/arch/powerpc/platforms/44x/Kconfig ++++ b/arch/powerpc/platforms/44x/Kconfig +@@ -180,6 +180,7 @@ config CURRITUCK + depends on PPC_47x + select SWIOTLB + select 476FPE ++ select FORCE_PCI + select PPC4xx_PCI_EXPRESS + help + This option enables support for the IBM Currituck (476fpe) evaluation board +-- +2.19.1 + diff --git a/queue-5.0/powerpc-64s-clear-on-stack-exception-marker-upon-exc.patch b/queue-5.0/powerpc-64s-clear-on-stack-exception-marker-upon-exc.patch new file mode 100644 index 00000000000..5794de02fc3 --- /dev/null +++ b/queue-5.0/powerpc-64s-clear-on-stack-exception-marker-upon-exc.patch @@ -0,0 +1,80 @@ +From 494054dfa5a0324ae2f161ea4d61f29cae2b684e Mon Sep 17 00:00:00 2001 +From: Nicolai Stange +Date: Tue, 22 Jan 2019 10:57:21 -0500 +Subject: powerpc/64s: Clear on-stack exception marker upon exception return + +[ Upstream commit eddd0b332304d554ad6243942f87c2fcea98c56b ] + +The ppc64 specific implementation of the reliable stacktracer, +save_stack_trace_tsk_reliable(), bails out and reports an "unreliable +trace" whenever it finds an exception frame on the stack. Stack frames +are classified as exception frames if the STACK_FRAME_REGS_MARKER +magic, as written by exception prologues, is found at a particular +location. + +However, as observed by Joe Lawrence, it is possible in practice that +non-exception stack frames can alias with prior exception frames and +thus, that the reliable stacktracer can find a stale +STACK_FRAME_REGS_MARKER on the stack. It in turn falsely reports an +unreliable stacktrace and blocks any live patching transition to +finish. Said condition lasts until the stack frame is +overwritten/initialized by function call or other means. + +In principle, we could mitigate this by making the exception frame +classification condition in save_stack_trace_tsk_reliable() stronger: +in addition to testing for STACK_FRAME_REGS_MARKER, we could also take +into account that for all exceptions executing on the kernel stack + - their stack frames's backlink pointers always match what is saved + in their pt_regs instance's ->gpr[1] slot and that + - their exception frame size equals STACK_INT_FRAME_SIZE, a value + uncommonly large for non-exception frames. + +However, while these are currently true, relying on them would make +the reliable stacktrace implementation more sensitive towards future +changes in the exception entry code. Note that false negatives, i.e. +not detecting exception frames, would silently break the live patching +consistency model. + +Furthermore, certain other places (diagnostic stacktraces, perf, xmon) +rely on STACK_FRAME_REGS_MARKER as well. + +Make the exception exit code clear the on-stack +STACK_FRAME_REGS_MARKER for those exceptions running on the "normal" +kernel stack and returning to kernelspace: because the topmost frame +is ignored by the reliable stack tracer anyway, returns to userspace +don't need to take care of clearing the marker. + +Furthermore, as I don't have the ability to test this on Book 3E or 32 +bits, limit the change to Book 3S and 64 bits. + +Fixes: df78d3f61480 ("powerpc/livepatch: Implement reliable stack tracing for the consistency model") +Reported-by: Joe Lawrence +Signed-off-by: Nicolai Stange +Signed-off-by: Joe Lawrence +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/entry_64.S | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/arch/powerpc/kernel/entry_64.S b/arch/powerpc/kernel/entry_64.S +index 435927f549c4..a2c168b395d2 100644 +--- a/arch/powerpc/kernel/entry_64.S ++++ b/arch/powerpc/kernel/entry_64.S +@@ -1002,6 +1002,13 @@ END_FTR_SECTION_IFSET(CPU_FTR_HAS_PPR) + ld r2,_NIP(r1) + mtspr SPRN_SRR0,r2 + ++ /* ++ * Leaving a stale exception_marker on the stack can confuse ++ * the reliable stack unwinder later on. Clear it. ++ */ ++ li r2,0 ++ std r2,STACK_FRAME_OVERHEAD-16(r1) ++ + ld r0,GPR0(r1) + ld r2,GPR2(r1) + ld r3,GPR3(r1) +-- +2.19.1 + diff --git a/queue-5.0/powerpc-hugetlb-handle-mmap_min_addr-correctly-in-ge.patch b/queue-5.0/powerpc-hugetlb-handle-mmap_min_addr-correctly-in-ge.patch new file mode 100644 index 00000000000..6176e2b6f4b --- /dev/null +++ b/queue-5.0/powerpc-hugetlb-handle-mmap_min_addr-correctly-in-ge.patch @@ -0,0 +1,70 @@ +From 394daf69bf25d661ad65051a33b1a576cc264e16 Mon Sep 17 00:00:00 2001 +From: "Aneesh Kumar K.V" +Date: Tue, 26 Feb 2019 10:09:34 +0530 +Subject: powerpc/hugetlb: Handle mmap_min_addr correctly in get_unmapped_area + callback + +[ Upstream commit 5330367fa300742a97e20e953b1f77f48392faae ] + +After we ALIGN up the address we need to make sure we didn't overflow +and resulted in zero address. In that case, we need to make sure that +the returned address is greater than mmap_min_addr. + +This fixes selftest va_128TBswitch --run-hugetlb reporting failures when +run as non root user for + +mmap(-1, MAP_HUGETLB) + +The bug is that a non-root user requesting address -1 will be given address 0 +which will then fail, whereas they should have been given something else that +would have succeeded. + +We also avoid the first mmap(-1, MAP_HUGETLB) returning NULL address as mmap address +with this change. So we think this is not a security issue, because it only affects +whether we choose an address below mmap_min_addr, not whether we +actually allow that address to be mapped. ie. there are existing capability +checks to prevent a user mapping below mmap_min_addr and those will still be +honoured even without this fix. + +Fixes: 484837601d4d ("powerpc/mm: Add radix support for hugetlb") +Reviewed-by: Laurent Dufour +Signed-off-by: Aneesh Kumar K.V +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +--- + arch/powerpc/mm/hugetlbpage-radix.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/mm/hugetlbpage-radix.c b/arch/powerpc/mm/hugetlbpage-radix.c +index 2486bee0f93e..97c7a39ebc00 100644 +--- a/arch/powerpc/mm/hugetlbpage-radix.c ++++ b/arch/powerpc/mm/hugetlbpage-radix.c +@@ -1,6 +1,7 @@ + // SPDX-License-Identifier: GPL-2.0 + #include + #include ++#include + #include + #include + #include +@@ -73,7 +74,7 @@ radix__hugetlb_get_unmapped_area(struct file *file, unsigned long addr, + if (addr) { + addr = ALIGN(addr, huge_page_size(h)); + vma = find_vma(mm, addr); +- if (high_limit - len >= addr && ++ if (high_limit - len >= addr && addr >= mmap_min_addr && + (!vma || addr + len <= vm_start_gap(vma))) + return addr; + } +@@ -83,7 +84,7 @@ radix__hugetlb_get_unmapped_area(struct file *file, unsigned long addr, + */ + info.flags = VM_UNMAPPED_AREA_TOPDOWN; + info.length = len; +- info.low_limit = PAGE_SIZE; ++ info.low_limit = max(PAGE_SIZE, mmap_min_addr); + info.high_limit = mm->mmap_base + (high_limit - DEFAULT_MAP_WINDOW); + info.align_mask = PAGE_MASK & ~huge_page_mask(h); + info.align_offset = 0; +-- +2.19.1 + diff --git a/queue-5.0/powerpc-powernv-ioda-fix-locked_vm-counting-for-memo.patch b/queue-5.0/powerpc-powernv-ioda-fix-locked_vm-counting-for-memo.patch new file mode 100644 index 00000000000..2b67959e7a1 --- /dev/null +++ b/queue-5.0/powerpc-powernv-ioda-fix-locked_vm-counting-for-memo.patch @@ -0,0 +1,89 @@ +From 8d0880474dd0e972a1411584f18a137692b45455 Mon Sep 17 00:00:00 2001 +From: Alexey Kardashevskiy +Date: Wed, 13 Feb 2019 14:38:18 +1100 +Subject: powerpc/powernv/ioda: Fix locked_vm counting for memory used by IOMMU + tables + +[ Upstream commit 11f5acce2fa43b015a8120fa7620fa4efd0a2952 ] + +We store 2 multilevel tables in iommu_table - one for the hardware and +one with the corresponding userspace addresses. Before allocating +the tables, the iommu_table_group_ops::get_table_size() hook returns +the combined size of the two and VFIO SPAPR TCE IOMMU driver adjusts +the locked_vm counter correctly. When the table is actually allocated, +the amount of allocated memory is stored in iommu_table::it_allocated_size +and used to decrement the locked_vm counter when we release the memory +used by the table; .get_table_size() and .create_table() calculate it +independently but the result is expected to be the same. + +However the allocator does not add the userspace table size to +.it_allocated_size so when we destroy the table because of VFIO PCI +unplug (i.e. VFIO container is gone but the userspace keeps running), +we decrement locked_vm by just a half of size of memory we are +releasing. + +To make things worse, since we enabled on-demand allocation of +indirect levels, it_allocated_size contains only the amount of memory +actually allocated at the table creation time which can just be a +fraction. It is not a problem with incrementing locked_vm (as +get_table_size() value is used) but it is with decrementing. + +As the result, we leak locked_vm and may not be able to allocate more +IOMMU tables after few iterations of hotplug/unplug. + +This sets it_allocated_size in the pnv_pci_ioda2_ops::create_table() +hook to what pnv_pci_ioda2_get_table_size() returns so from now on we +have a single place which calculates the maximum memory a table can +occupy. The original meaning of it_allocated_size is somewhat lost now +though. + +We do not ditch it_allocated_size whatsoever here and we do not call +get_table_size() from vfio_iommu_spapr_tce.c when decrementing +locked_vm as we may have multiple IOMMU groups per container and even +though they all are supposed to have the same get_table_size() +implementation, there is a small chance for failure or confusion. + +Fixes: 090bad39b237 ("powerpc/powernv: Add indirect levels to it_userspace") +Signed-off-by: Alexey Kardashevskiy +Reviewed-by: David Gibson +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/powernv/pci-ioda-tce.c | 1 - + arch/powerpc/platforms/powernv/pci-ioda.c | 7 ++++++- + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/platforms/powernv/pci-ioda-tce.c b/arch/powerpc/platforms/powernv/pci-ioda-tce.c +index 697449afb3f7..e28f03e1eb5e 100644 +--- a/arch/powerpc/platforms/powernv/pci-ioda-tce.c ++++ b/arch/powerpc/platforms/powernv/pci-ioda-tce.c +@@ -313,7 +313,6 @@ long pnv_pci_ioda2_table_alloc_pages(int nid, __u64 bus_offset, + page_shift); + tbl->it_level_size = 1ULL << (level_shift - 3); + tbl->it_indirect_levels = levels - 1; +- tbl->it_allocated_size = total_allocated; + tbl->it_userspace = uas; + tbl->it_nid = nid; + +diff --git a/arch/powerpc/platforms/powernv/pci-ioda.c b/arch/powerpc/platforms/powernv/pci-ioda.c +index 145373f0e5dc..2d62c58f9a4c 100644 +--- a/arch/powerpc/platforms/powernv/pci-ioda.c ++++ b/arch/powerpc/platforms/powernv/pci-ioda.c +@@ -2594,8 +2594,13 @@ static long pnv_pci_ioda2_create_table_userspace( + int num, __u32 page_shift, __u64 window_size, __u32 levels, + struct iommu_table **ptbl) + { +- return pnv_pci_ioda2_create_table(table_group, ++ long ret = pnv_pci_ioda2_create_table(table_group, + num, page_shift, window_size, levels, true, ptbl); ++ ++ if (!ret) ++ (*ptbl)->it_allocated_size = pnv_pci_ioda2_get_table_size( ++ page_shift, window_size, levels); ++ return ret; + } + + static void pnv_ioda2_take_ownership(struct iommu_table_group *table_group) +-- +2.19.1 + diff --git a/queue-5.0/powerpc-pseries-perform-full-re-add-of-cpu-for-topol.patch b/queue-5.0/powerpc-pseries-perform-full-re-add-of-cpu-for-topol.patch new file mode 100644 index 00000000000..ed70624d673 --- /dev/null +++ b/queue-5.0/powerpc-pseries-perform-full-re-add-of-cpu-for-topol.patch @@ -0,0 +1,110 @@ +From fdf2bacd7b3315d8a6a28504ffaf8090096fa5eb Mon Sep 17 00:00:00 2001 +From: Nathan Fontenot +Date: Mon, 29 Oct 2018 13:43:36 -0500 +Subject: powerpc/pseries: Perform full re-add of CPU for topology update + post-migration + +[ Upstream commit 81b61324922c67f73813d8a9c175f3c153f6a1c6 ] + +On pseries systems, performing a partition migration can result in +altering the nodes a CPU is assigned to on the destination system. For +exampl, pre-migration on the source system CPUs are in node 1 and 3, +post-migration on the destination system CPUs are in nodes 2 and 3. + +Handling the node change for a CPU can cause corruption in the slab +cache if we hit a timing where a CPUs node is changed while cache_reap() +is invoked. The corruption occurs because the slab cache code appears +to rely on the CPU and slab cache pages being on the same node. + +The current dynamic updating of a CPUs node done in arch/powerpc/mm/numa.c +does not prevent us from hitting this scenario. + +Changing the device tree property update notification handler that +recognizes an affinity change for a CPU to do a full DLPAR remove and +add of the CPU instead of dynamically changing its node resolves this +issue. + +Signed-off-by: Nathan Fontenot +Signed-off-by: Michael W. Bringmann +Tested-by: Michael W. Bringmann +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/topology.h | 2 ++ + arch/powerpc/mm/numa.c | 9 +-------- + arch/powerpc/platforms/pseries/hotplug-cpu.c | 19 +++++++++++++++++++ + 3 files changed, 22 insertions(+), 8 deletions(-) + +diff --git a/arch/powerpc/include/asm/topology.h b/arch/powerpc/include/asm/topology.h +index a4a718dbfec6..f85e2b01c3df 100644 +--- a/arch/powerpc/include/asm/topology.h ++++ b/arch/powerpc/include/asm/topology.h +@@ -132,6 +132,8 @@ static inline void shared_proc_topology_init(void) {} + #define topology_sibling_cpumask(cpu) (per_cpu(cpu_sibling_map, cpu)) + #define topology_core_cpumask(cpu) (per_cpu(cpu_core_map, cpu)) + #define topology_core_id(cpu) (cpu_to_core_id(cpu)) ++ ++int dlpar_cpu_readd(int cpu); + #endif + #endif + +diff --git a/arch/powerpc/mm/numa.c b/arch/powerpc/mm/numa.c +index 87f0dd004295..b5d1c45c1475 100644 +--- a/arch/powerpc/mm/numa.c ++++ b/arch/powerpc/mm/numa.c +@@ -1460,13 +1460,6 @@ static void reset_topology_timer(void) + + #ifdef CONFIG_SMP + +-static void stage_topology_update(int core_id) +-{ +- cpumask_or(&cpu_associativity_changes_mask, +- &cpu_associativity_changes_mask, cpu_sibling_mask(core_id)); +- reset_topology_timer(); +-} +- + static int dt_update_callback(struct notifier_block *nb, + unsigned long action, void *data) + { +@@ -1479,7 +1472,7 @@ static int dt_update_callback(struct notifier_block *nb, + !of_prop_cmp(update->prop->name, "ibm,associativity")) { + u32 core_id; + of_property_read_u32(update->dn, "reg", &core_id); +- stage_topology_update(core_id); ++ rc = dlpar_cpu_readd(core_id); + rc = NOTIFY_OK; + } + break; +diff --git a/arch/powerpc/platforms/pseries/hotplug-cpu.c b/arch/powerpc/platforms/pseries/hotplug-cpu.c +index 2f8e62163602..97feb6e79f1a 100644 +--- a/arch/powerpc/platforms/pseries/hotplug-cpu.c ++++ b/arch/powerpc/platforms/pseries/hotplug-cpu.c +@@ -802,6 +802,25 @@ static int dlpar_cpu_add_by_count(u32 cpus_to_add) + return rc; + } + ++int dlpar_cpu_readd(int cpu) ++{ ++ struct device_node *dn; ++ struct device *dev; ++ u32 drc_index; ++ int rc; ++ ++ dev = get_cpu_device(cpu); ++ dn = dev->of_node; ++ ++ rc = of_property_read_u32(dn, "ibm,my-drc-index", &drc_index); ++ ++ rc = dlpar_cpu_remove_by_index(drc_index); ++ if (!rc) ++ rc = dlpar_cpu_add(drc_index); ++ ++ return rc; ++} ++ + int dlpar_cpu(struct pseries_hp_errorlog *hp_elog) + { + u32 count, drc_index; +-- +2.19.1 + diff --git a/queue-5.0/powerpc-ptrace-mitigate-potential-spectre-v1.patch b/queue-5.0/powerpc-ptrace-mitigate-potential-spectre-v1.patch new file mode 100644 index 00000000000..c4429339e9e --- /dev/null +++ b/queue-5.0/powerpc-ptrace-mitigate-potential-spectre-v1.patch @@ -0,0 +1,78 @@ +From 0ab537366025139cfd303c05a3c3e0ef4c39a32b Mon Sep 17 00:00:00 2001 +From: Breno Leitao +Date: Wed, 30 Jan 2019 10:46:00 -0200 +Subject: powerpc/ptrace: Mitigate potential Spectre v1 + +[ Upstream commit ebb0e13ead2ddc186a80b1b0235deeefc5a1a667 ] + +'regno' is directly controlled by user space, hence leading to a potential +exploitation of the Spectre variant 1 vulnerability. + +On PTRACE_SETREGS and PTRACE_GETREGS requests, user space passes the +register number that would be read or written. This register number is +called 'regno' which is part of the 'addr' syscall parameter. + +This 'regno' value is checked against the maximum pt_regs structure size, +and then used to dereference it, which matches the initial part of a +Spectre v1 (and Spectre v1.1) attack. The dereferenced value, then, +is returned to userspace in the GETREGS case. + +This patch sanitizes 'regno' before using it to dereference pt_reg. + +Notice that given that speculation windows are large, the policy is +to kill the speculation on the first load and not worry if it can be +completed with a dependent load/store [1]. + +[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 + +Signed-off-by: Breno Leitao +Acked-by: Gustavo A. R. Silva +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/ptrace.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/kernel/ptrace.c b/arch/powerpc/kernel/ptrace.c +index 53151698bfe0..d9ac7d94656e 100644 +--- a/arch/powerpc/kernel/ptrace.c ++++ b/arch/powerpc/kernel/ptrace.c +@@ -33,6 +33,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -274,6 +275,8 @@ static int set_user_trap(struct task_struct *task, unsigned long trap) + */ + int ptrace_get_reg(struct task_struct *task, int regno, unsigned long *data) + { ++ unsigned int regs_max; ++ + if ((task->thread.regs == NULL) || !data) + return -EIO; + +@@ -297,7 +300,9 @@ int ptrace_get_reg(struct task_struct *task, int regno, unsigned long *data) + } + #endif + +- if (regno < (sizeof(struct user_pt_regs) / sizeof(unsigned long))) { ++ regs_max = sizeof(struct user_pt_regs) / sizeof(unsigned long); ++ if (regno < regs_max) { ++ regno = array_index_nospec(regno, regs_max); + *data = ((unsigned long *)task->thread.regs)[regno]; + return 0; + } +@@ -321,6 +326,7 @@ int ptrace_put_reg(struct task_struct *task, int regno, unsigned long data) + return set_user_dscr(task, data); + + if (regno <= PT_MAX_PUT_REG) { ++ regno = array_index_nospec(regno, PT_MAX_PUT_REG + 1); + ((unsigned long *)task->thread.regs)[regno] = data; + return 0; + } +-- +2.19.1 + diff --git a/queue-5.0/powerpc-xmon-fix-opcode-being-uninitialized-in-print.patch b/queue-5.0/powerpc-xmon-fix-opcode-being-uninitialized-in-print.patch new file mode 100644 index 00000000000..1c0e2a90f6f --- /dev/null +++ b/queue-5.0/powerpc-xmon-fix-opcode-being-uninitialized-in-print.patch @@ -0,0 +1,59 @@ +From 4addb13d2f2c43fb88053dc471f1ef0810bb207e Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Mon, 25 Feb 2019 22:38:55 -0700 +Subject: powerpc/xmon: Fix opcode being uninitialized in print_insn_powerpc + +[ Upstream commit e7140639b1de65bba435a6bd772d134901141f86 ] + +When building with -Wsometimes-uninitialized, Clang warns: + + arch/powerpc/xmon/ppc-dis.c:157:7: warning: variable 'opcode' is used + uninitialized whenever 'if' condition is false + [-Wsometimes-uninitialized] + if (cpu_has_feature(CPU_FTRS_POWER9)) + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + arch/powerpc/xmon/ppc-dis.c:167:7: note: uninitialized use occurs here + if (opcode == NULL) + ^~~~~~ + arch/powerpc/xmon/ppc-dis.c:157:3: note: remove the 'if' if its + condition is always true + if (cpu_has_feature(CPU_FTRS_POWER9)) + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + arch/powerpc/xmon/ppc-dis.c:132:38: note: initialize the variable + 'opcode' to silence this warning + const struct powerpc_opcode *opcode; + ^ + = NULL + 1 warning generated. + +This warning seems to make no sense on the surface because opcode is set +to NULL right below this statement. However, there is a comma instead of +semicolon to end the dialect assignment, meaning that the opcode +assignment only happens in the if statement. Properly terminate that +line so that Clang no longer warns. + +Fixes: 5b102782c7f4 ("powerpc/xmon: Enable disassembly files (compilation changes)") +Signed-off-by: Nathan Chancellor +Reviewed-by: Nick Desaulniers +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +--- + arch/powerpc/xmon/ppc-dis.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/xmon/ppc-dis.c b/arch/powerpc/xmon/ppc-dis.c +index 9deea5ee13f6..27f1e6415036 100644 +--- a/arch/powerpc/xmon/ppc-dis.c ++++ b/arch/powerpc/xmon/ppc-dis.c +@@ -158,7 +158,7 @@ int print_insn_powerpc (unsigned long insn, unsigned long memaddr) + dialect |= (PPC_OPCODE_POWER5 | PPC_OPCODE_POWER6 | PPC_OPCODE_POWER7 + | PPC_OPCODE_POWER8 | PPC_OPCODE_POWER9 | PPC_OPCODE_HTM + | PPC_OPCODE_ALTIVEC | PPC_OPCODE_ALTIVEC2 +- | PPC_OPCODE_VSX | PPC_OPCODE_VSX3), ++ | PPC_OPCODE_VSX | PPC_OPCODE_VSX3); + + /* Get the major opcode of the insn. */ + opcode = NULL; +-- +2.19.1 + diff --git a/queue-5.0/regulator-act8865-fix-act8600_sudcdc_voltage_ranges-.patch b/queue-5.0/regulator-act8865-fix-act8600_sudcdc_voltage_ranges-.patch new file mode 100644 index 00000000000..e8782330494 --- /dev/null +++ b/queue-5.0/regulator-act8865-fix-act8600_sudcdc_voltage_ranges-.patch @@ -0,0 +1,55 @@ +From f4bec99933c17c5507b27e2750db1bac6a528678 Mon Sep 17 00:00:00 2001 +From: Axel Lin +Date: Thu, 10 Jan 2019 17:26:16 +0800 +Subject: regulator: act8865: Fix act8600_sudcdc_voltage_ranges setting + +[ Upstream commit f01a7beb6791f1c419424c1a6958b7d0a289c974 ] + +The act8600_sudcdc_voltage_ranges setting does not match the datasheet. + +The problems in below entry: + REGULATOR_LINEAR_RANGE(19000000, 191, 255, 400000), + +1. The off-by-one min_sel causes wrong volatage calculation. + The min_sel should be 192. +2. According to the datasheet[1] Table 7. (on page 43): + The selector 248 (0b11111000) ~ 255 (0b11111111) are 41.400V. + +Also fix off-by-one for ACT8600_SUDCDC_VOLTAGE_NUM. + +[1] https://active-semi.com/wp-content/uploads/ACT8600_Datasheet.pdf + +Fixes: df3a950e4e73 ("regulator: act8865: Add act8600 support") +Signed-off-by: Axel Lin +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/act8865-regulator.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/regulator/act8865-regulator.c b/drivers/regulator/act8865-regulator.c +index 21e20483bd91..e0239cf3f56d 100644 +--- a/drivers/regulator/act8865-regulator.c ++++ b/drivers/regulator/act8865-regulator.c +@@ -131,7 +131,7 @@ + * ACT8865 voltage number + */ + #define ACT8865_VOLTAGE_NUM 64 +-#define ACT8600_SUDCDC_VOLTAGE_NUM 255 ++#define ACT8600_SUDCDC_VOLTAGE_NUM 256 + + struct act8865 { + struct regmap *regmap; +@@ -222,7 +222,8 @@ static const struct regulator_linear_range act8600_sudcdc_voltage_ranges[] = { + REGULATOR_LINEAR_RANGE(3000000, 0, 63, 0), + REGULATOR_LINEAR_RANGE(3000000, 64, 159, 100000), + REGULATOR_LINEAR_RANGE(12600000, 160, 191, 200000), +- REGULATOR_LINEAR_RANGE(19000000, 191, 255, 400000), ++ REGULATOR_LINEAR_RANGE(19000000, 192, 247, 400000), ++ REGULATOR_LINEAR_RANGE(41400000, 248, 255, 0), + }; + + static struct regulator_ops act8865_ops = { +-- +2.19.1 + diff --git a/queue-5.0/regulator-core-take-lock-before-applying-system-load.patch b/queue-5.0/regulator-core-take-lock-before-applying-system-load.patch new file mode 100644 index 00000000000..87c3a19c2af --- /dev/null +++ b/queue-5.0/regulator-core-take-lock-before-applying-system-load.patch @@ -0,0 +1,102 @@ +From ed193227464a8a4cc60fad311bef1fd4c3c63739 Mon Sep 17 00:00:00 2001 +From: Niklas Cassel +Date: Fri, 15 Feb 2019 11:55:33 +0100 +Subject: regulator: core: Take lock before applying system load + +[ Upstream commit e5e21f70bfd3a201e627b48aed82793d1bcd6f78 ] + +Take the regulator lock before applying system load. + +Fixes the following lockdep splat: + +[ 5.583581] WARNING: CPU: 1 PID: 16 at drivers/regulator/core.c:925 drms_uA_update+0x114/0x360 +[ 5.588467] Modules linked in: +[ 5.596833] CPU: 1 PID: 16 Comm: kworker/1:0 Not tainted 5.0.0-rc6-next-20190213-00002-g0fce66ab480f #18 +[ 5.599933] Hardware name: Qualcomm Technologies, Inc. APQ 8016 SBC (DT) +[ 5.609544] Workqueue: events qcom_channel_state_worker +[ 5.616209] pstate: 60000005 (nZCv daif -PAN -UAO) +[ 5.621152] pc : drms_uA_update+0x114/0x360 +[ 5.626006] lr : drms_uA_update+0x110/0x360 +[ 5.630084] sp : ffff0000124b3490 +[ 5.634242] x29: ffff0000124b3490 x28: ffff800005326e00 +[ 5.637735] x27: ffff0000124b35f8 x26: 000000000032bc48 +[ 5.643117] x25: ffff800004c7e800 x24: ffff800004c6d500 +[ 5.648411] x23: ffff800004c38a80 x22: 00000000000000d1 +[ 5.653706] x21: 00000000001ab3f0 x20: ffff800004c7e800 +[ 5.659001] x19: ffff0000114c3000 x18: ffffffffffffffff +[ 5.664297] x17: 0000000000000000 x16: 0000000000000000 +[ 5.669592] x15: ffff0000114c3808 x14: 0720072007200720 +[ 5.674888] x13: 00000000199c9b28 x12: ffff80002bcccc40 +[ 5.680183] x11: ffff000012286000 x10: ffff0000114c3808 +[ 5.685477] x9 : 0720072007200720 x8 : ffff000010e9e808 +[ 5.690772] x7 : ffff0000106da568 x6 : 0000000000000000 +[ 5.696067] x5 : 0000000000000000 x4 : 0000000000000000 +[ 5.701362] x3 : 0000000000000004 x2 : 0000000000000000 +[ 5.706658] x1 : 0000000000000000 x0 : 0000000000000000 +[ 5.711952] Call trace: +[ 5.717223] drms_uA_update+0x114/0x360 +[ 5.719405] regulator_register+0xb30/0x1140 +[ 5.723230] devm_regulator_register+0x4c/0xa8 +[ 5.727745] rpm_reg_probe+0xfc/0x1b0 +[ 5.731992] platform_drv_probe+0x50/0xa0 +[ 5.735727] really_probe+0x20c/0x2b8 +[ 5.739718] driver_probe_device+0x58/0x100 +[ 5.743368] __device_attach_driver+0x90/0xd0 +[ 5.747363] bus_for_each_drv+0x64/0xc8 +[ 5.751870] __device_attach+0xd8/0x138 +[ 5.755516] device_initial_probe+0x10/0x18 +[ 5.759341] bus_probe_device+0x98/0xa0 +[ 5.763502] device_add+0x3d0/0x640 +[ 5.767319] of_device_add+0x48/0x58 +[ 5.770793] of_platform_device_create_pdata+0xb0/0x128 +[ 5.774629] of_platform_bus_create+0x174/0x370 +[ 5.779569] of_platform_populate+0x78/0xe0 +[ 5.784082] qcom_smd_rpm_probe+0x80/0xa0 +[ 5.788245] rpmsg_dev_probe+0x114/0x1a0 +[ 5.792411] really_probe+0x20c/0x2b8 +[ 5.796401] driver_probe_device+0x58/0x100 +[ 5.799964] __device_attach_driver+0x90/0xd0 +[ 5.803960] bus_for_each_drv+0x64/0xc8 +[ 5.808468] __device_attach+0xd8/0x138 +[ 5.812115] device_initial_probe+0x10/0x18 +[ 5.815936] bus_probe_device+0x98/0xa0 +[ 5.820099] device_add+0x3d0/0x640 +[ 5.823916] device_register+0x1c/0x28 +[ 5.827391] rpmsg_register_device+0x4c/0x90 +[ 5.831216] qcom_channel_state_worker+0x170/0x298 +[ 5.835651] process_one_work+0x294/0x6e8 +[ 5.840241] worker_thread+0x40/0x450 +[ 5.844318] kthread+0x11c/0x120 +[ 5.847961] ret_from_fork+0x10/0x18 +[ 5.851260] irq event stamp: 9090 +[ 5.854820] hardirqs last enabled at (9089): [] console_unlock+0x3e0/0x5b0 +[ 5.858086] hardirqs last disabled at (9090): [] do_debug_exception+0x104/0x140 +[ 5.866596] softirqs last enabled at (9086): [] __do_softirq+0x474/0x574 +[ 5.875446] softirqs last disabled at (9079): [] irq_exit+0x13c/0x148 +[ 5.883598] ---[ end trace 6984ef7f081afa21 ]--- + +Fixes: fa94e48e13a1 ("regulator: core: Apply system load even if no consumer loads") +Signed-off-by: Niklas Cassel +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/core.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c +index b9d7b45c7295..e2caf11598c7 100644 +--- a/drivers/regulator/core.c ++++ b/drivers/regulator/core.c +@@ -1349,7 +1349,9 @@ static int set_machine_constraints(struct regulator_dev *rdev, + * We'll only apply the initial system load if an + * initial mode wasn't specified. + */ ++ regulator_lock(rdev); + drms_uA_update(rdev); ++ regulator_unlock(rdev); + } + + if ((rdev->constraints->ramp_delay || rdev->constraints->ramp_disable) +-- +2.19.1 + diff --git a/queue-5.0/regulator-mcp16502-include-linux-gpio-consumer.h-to-.patch b/queue-5.0/regulator-mcp16502-include-linux-gpio-consumer.h-to-.patch new file mode 100644 index 00000000000..1fa1f919c4e --- /dev/null +++ b/queue-5.0/regulator-mcp16502-include-linux-gpio-consumer.h-to-.patch @@ -0,0 +1,49 @@ +From c1b342ee7b0568d7f40c400804308e3871a6b89d Mon Sep 17 00:00:00 2001 +From: Axel Lin +Date: Sun, 27 Jan 2019 16:51:22 +0800 +Subject: regulator: mcp16502: Include linux/gpio/consumer.h to fix build error +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit f3c6a1a194317f3a31ee2b2067bb0a41de64bc8b ] + +Fix below build error: +drivers/regulator/mcp16502.c: In function ‘mcp16502_gpio_set_mode’: +drivers/regulator/mcp16502.c:135:3: error: implicit declaration of function ‘gpiod_set_value’; did you mean ‘gpio_set_value’? [-Werror=implicit-function-declaration] + gpiod_set_value(mcp->lpm, 0); + ^~~~~~~~~~~~~~~ + gpio_set_value +drivers/regulator/mcp16502.c: In function ‘mcp16502_probe’: +drivers/regulator/mcp16502.c:486:13: error: implicit declaration of function ‘devm_gpiod_get’; did you mean ‘devm_gpio_free’? [-Werror=implicit-function-declaration] + mcp->lpm = devm_gpiod_get(dev, "lpm", GPIOD_OUT_LOW); + ^~~~~~~~~~~~~~ + devm_gpio_free +drivers/regulator/mcp16502.c:486:40: error: ‘GPIOD_OUT_LOW’ undeclared (first use in this function); did you mean ‘GPIOF_INIT_LOW’? + mcp->lpm = devm_gpiod_get(dev, "lpm", GPIOD_OUT_LOW); + ^~~~~~~~~~~~~ + GPIOF_INIT_LOW + +Signed-off-by: Axel Lin +Acked-by: Nicolas Ferre +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/mcp16502.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/regulator/mcp16502.c b/drivers/regulator/mcp16502.c +index 3479ae009b0b..0fc4963bd5b0 100644 +--- a/drivers/regulator/mcp16502.c ++++ b/drivers/regulator/mcp16502.c +@@ -17,6 +17,7 @@ + #include + #include + #include ++#include + + #define VDD_LOW_SEL 0x0D + #define VDD_HIGH_SEL 0x3F +-- +2.19.1 + diff --git a/queue-5.0/s390-ism-ignore-some-errors-during-deregistration.patch b/queue-5.0/s390-ism-ignore-some-errors-during-deregistration.patch new file mode 100644 index 00000000000..44a9cc37cde --- /dev/null +++ b/queue-5.0/s390-ism-ignore-some-errors-during-deregistration.patch @@ -0,0 +1,76 @@ +From 20552b43929ba46812905ad11c2c40cbd00b8049 Mon Sep 17 00:00:00 2001 +From: Sebastian Ott +Date: Thu, 14 Feb 2019 14:46:23 +0100 +Subject: s390/ism: ignore some errors during deregistration + +[ Upstream commit 0ff06c44efeede4acd068847d3bf8cf894b6c664 ] + +Prior to dma unmap/free operations the ism driver tries to ensure +that the memory is no longer accessed by the HW. When errors +during deregistration of memory regions from the HW occur the ism +driver will not unmap/free this memory. + +When we receive notification from the hypervisor that a PCI function +has been detached we can no longer access the device and would never +unmap/free these memory regions which led to complaints by the DMA +debug API. + +Treat this kind of errors during the deregistration of memory regions +from the HW as success since it is already ensured that the memory +is no longer accessed by HW. + +Reported-by: Karsten Graul +Reported-by: Hans Wippel +Signed-off-by: Sebastian Ott +Signed-off-by: Martin Schwidefsky +Signed-off-by: Sasha Levin +--- + drivers/s390/net/ism_drv.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/drivers/s390/net/ism_drv.c b/drivers/s390/net/ism_drv.c +index ed8e58f09054..3e132592c1fe 100644 +--- a/drivers/s390/net/ism_drv.c ++++ b/drivers/s390/net/ism_drv.c +@@ -141,10 +141,13 @@ static int register_ieq(struct ism_dev *ism) + + static int unregister_sba(struct ism_dev *ism) + { ++ int ret; ++ + if (!ism->sba) + return 0; + +- if (ism_cmd_simple(ism, ISM_UNREG_SBA)) ++ ret = ism_cmd_simple(ism, ISM_UNREG_SBA); ++ if (ret && ret != ISM_ERROR) + return -EIO; + + dma_free_coherent(&ism->pdev->dev, PAGE_SIZE, +@@ -158,10 +161,13 @@ static int unregister_sba(struct ism_dev *ism) + + static int unregister_ieq(struct ism_dev *ism) + { ++ int ret; ++ + if (!ism->ieq) + return 0; + +- if (ism_cmd_simple(ism, ISM_UNREG_IEQ)) ++ ret = ism_cmd_simple(ism, ISM_UNREG_IEQ); ++ if (ret && ret != ISM_ERROR) + return -EIO; + + dma_free_coherent(&ism->pdev->dev, PAGE_SIZE, +@@ -287,7 +293,7 @@ static int ism_unregister_dmb(struct smcd_dev *smcd, struct smcd_dmb *dmb) + cmd.request.dmb_tok = dmb->dmb_tok; + + ret = ism_cmd(ism, &cmd); +- if (ret) ++ if (ret && ret != ISM_ERROR) + goto out; + + ism_free_dmb(ism, dmb); +-- +2.19.1 + diff --git a/queue-5.0/sched-core-use-read_once-write_once-in-move_queued_t.patch b/queue-5.0/sched-core-use-read_once-write_once-in-move_queued_t.patch new file mode 100644 index 00000000000..00043cfe757 --- /dev/null +++ b/queue-5.0/sched-core-use-read_once-write_once-in-move_queued_t.patch @@ -0,0 +1,115 @@ +From 4035abd9db87e34e7f4c018caff10c69a1df332a Mon Sep 17 00:00:00 2001 +From: Andrea Parri +Date: Mon, 21 Jan 2019 16:52:40 +0100 +Subject: sched/core: Use READ_ONCE()/WRITE_ONCE() in + move_queued_task()/task_rq_lock() + +[ Upstream commit c546951d9c9300065bad253ecdf1ac59ce9d06c8 ] + +move_queued_task() synchronizes with task_rq_lock() as follows: + + move_queued_task() task_rq_lock() + + [S] ->on_rq = MIGRATING [L] rq = task_rq() + WMB (__set_task_cpu()) ACQUIRE (rq->lock); + [S] ->cpu = new_cpu [L] ->on_rq + +where "[L] rq = task_rq()" is ordered before "ACQUIRE (rq->lock)" by an +address dependency and, in turn, "ACQUIRE (rq->lock)" is ordered before +"[L] ->on_rq" by the ACQUIRE itself. + +Use READ_ONCE() to load ->cpu in task_rq() (c.f., task_cpu()) to honor +this address dependency. Also, mark the accesses to ->cpu and ->on_rq +with READ_ONCE()/WRITE_ONCE() to comply with the LKMM. + +Signed-off-by: Andrea Parri +Signed-off-by: Peter Zijlstra (Intel) +Cc: Alan Stern +Cc: Linus Torvalds +Cc: Mike Galbraith +Cc: Paul E. McKenney +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: Will Deacon +Link: https://lkml.kernel.org/r/20190121155240.27173-1-andrea.parri@amarulasolutions.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + include/linux/sched.h | 4 ++-- + kernel/sched/core.c | 9 +++++---- + kernel/sched/sched.h | 6 +++--- + 3 files changed, 10 insertions(+), 9 deletions(-) + +diff --git a/include/linux/sched.h b/include/linux/sched.h +index f9b43c989577..9b35aff09f70 100644 +--- a/include/linux/sched.h ++++ b/include/linux/sched.h +@@ -1748,9 +1748,9 @@ static __always_inline bool need_resched(void) + static inline unsigned int task_cpu(const struct task_struct *p) + { + #ifdef CONFIG_THREAD_INFO_IN_TASK +- return p->cpu; ++ return READ_ONCE(p->cpu); + #else +- return task_thread_info(p)->cpu; ++ return READ_ONCE(task_thread_info(p)->cpu); + #endif + } + +diff --git a/kernel/sched/core.c b/kernel/sched/core.c +index d8d76a65cfdd..01a2489de94e 100644 +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -107,11 +107,12 @@ struct rq *task_rq_lock(struct task_struct *p, struct rq_flags *rf) + * [L] ->on_rq + * RELEASE (rq->lock) + * +- * If we observe the old CPU in task_rq_lock, the acquire of ++ * If we observe the old CPU in task_rq_lock(), the acquire of + * the old rq->lock will fully serialize against the stores. + * +- * If we observe the new CPU in task_rq_lock, the acquire will +- * pair with the WMB to ensure we must then also see migrating. ++ * If we observe the new CPU in task_rq_lock(), the address ++ * dependency headed by '[L] rq = task_rq()' and the acquire ++ * will pair with the WMB to ensure we then also see migrating. + */ + if (likely(rq == task_rq(p) && !task_on_rq_migrating(p))) { + rq_pin_lock(rq, rf); +@@ -928,7 +929,7 @@ static struct rq *move_queued_task(struct rq *rq, struct rq_flags *rf, + { + lockdep_assert_held(&rq->lock); + +- p->on_rq = TASK_ON_RQ_MIGRATING; ++ WRITE_ONCE(p->on_rq, TASK_ON_RQ_MIGRATING); + dequeue_task(rq, p, DEQUEUE_NOCLOCK); + set_task_cpu(p, new_cpu); + rq_unlock(rq, rf); +diff --git a/kernel/sched/sched.h b/kernel/sched/sched.h +index d04530bf251f..425a5589e5f6 100644 +--- a/kernel/sched/sched.h ++++ b/kernel/sched/sched.h +@@ -1460,9 +1460,9 @@ static inline void __set_task_cpu(struct task_struct *p, unsigned int cpu) + */ + smp_wmb(); + #ifdef CONFIG_THREAD_INFO_IN_TASK +- p->cpu = cpu; ++ WRITE_ONCE(p->cpu, cpu); + #else +- task_thread_info(p)->cpu = cpu; ++ WRITE_ONCE(task_thread_info(p)->cpu, cpu); + #endif + p->wake_cpu = cpu; + #endif +@@ -1563,7 +1563,7 @@ static inline int task_on_rq_queued(struct task_struct *p) + + static inline int task_on_rq_migrating(struct task_struct *p) + { +- return p->on_rq == TASK_ON_RQ_MIGRATING; ++ return READ_ONCE(p->on_rq) == TASK_ON_RQ_MIGRATING; + } + + /* +-- +2.19.1 + diff --git a/queue-5.0/sched-debug-initialize-sd_sysctl_cpus-if-config_cpum.patch b/queue-5.0/sched-debug-initialize-sd_sysctl_cpus-if-config_cpum.patch new file mode 100644 index 00000000000..2a74d677e56 --- /dev/null +++ b/queue-5.0/sched-debug-initialize-sd_sysctl_cpus-if-config_cpum.patch @@ -0,0 +1,65 @@ +From da837aadc9c46f5ee706100dae25dea3a4ac7668 Mon Sep 17 00:00:00 2001 +From: Hidetoshi Seto +Date: Tue, 29 Jan 2019 10:12:45 -0500 +Subject: sched/debug: Initialize sd_sysctl_cpus if !CONFIG_CPUMASK_OFFSTACK + +[ Upstream commit 1ca4fa3ab604734e38e2a3000c9abf788512ffa7 ] + +register_sched_domain_sysctl() copies the cpu_possible_mask into +sd_sysctl_cpus, but only if sd_sysctl_cpus hasn't already been +allocated (ie, CONFIG_CPUMASK_OFFSTACK is set). However, when +CONFIG_CPUMASK_OFFSTACK is not set, sd_sysctl_cpus is left +uninitialized (all zeroes) and the kernel may fail to initialize +sched_domain sysctl entries for all possible CPUs. + +This is visible to the user if the kernel is booted with maxcpus=n, or +if ACPI tables have been modified to leave CPUs offline, and then +checking for missing /proc/sys/kernel/sched_domain/cpu* entries. + +Fix this by separating the allocation and initialization, and adding a +flag to initialize the possible CPU entries while system booting only. + +Tested-by: Syuuichirou Ishii +Tested-by: Tarumizu, Kohei +Signed-off-by: Hidetoshi Seto +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Masayoshi Mizuma +Acked-by: Joe Lawrence +Cc: Linus Torvalds +Cc: Masayoshi Mizuma +Cc: Mike Galbraith +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: https://lkml.kernel.org/r/20190129151245.5073-1-msys.mizuma@gmail.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + kernel/sched/debug.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/kernel/sched/debug.c b/kernel/sched/debug.c +index de3de997e245..8039d62ae36e 100644 +--- a/kernel/sched/debug.c ++++ b/kernel/sched/debug.c +@@ -315,6 +315,7 @@ void register_sched_domain_sysctl(void) + { + static struct ctl_table *cpu_entries; + static struct ctl_table **cpu_idx; ++ static bool init_done = false; + char buf[32]; + int i; + +@@ -344,7 +345,10 @@ void register_sched_domain_sysctl(void) + if (!cpumask_available(sd_sysctl_cpus)) { + if (!alloc_cpumask_var(&sd_sysctl_cpus, GFP_KERNEL)) + return; ++ } + ++ if (!init_done) { ++ init_done = true; + /* init to possible to not have holes in @cpu_entries */ + cpumask_copy(sd_sysctl_cpus, cpu_possible_mask); + } +-- +2.19.1 + diff --git a/queue-5.0/sched-topology-fix-percpu-data-types-in-struct-sd_da.patch b/queue-5.0/sched-topology-fix-percpu-data-types-in-struct-sd_da.patch new file mode 100644 index 00000000000..6a6ac1f8cec --- /dev/null +++ b/queue-5.0/sched-topology-fix-percpu-data-types-in-struct-sd_da.patch @@ -0,0 +1,81 @@ +From 09db244bfef134996829aa42b0d57caf0f73daf1 Mon Sep 17 00:00:00 2001 +From: Luc Van Oostenryck +Date: Fri, 18 Jan 2019 15:49:36 +0100 +Subject: sched/topology: Fix percpu data types in struct sd_data & struct + s_data + +[ Upstream commit 99687cdbb3f6c8e32bcc7f37496e811f30460e48 ] + +The percpu members of struct sd_data and s_data are declared as: + + struct ... ** __percpu member; + +So their type is: + + __percpu pointer to pointer to struct ... + +But looking at how they're used, their type should be: + + pointer to __percpu pointer to struct ... + +and they should thus be declared as: + + struct ... * __percpu *member; + +So fix the placement of '__percpu' in the definition of these +structures. + +This addresses a bunch of Sparse's warnings like: + + warning: incorrect type in initializer (different address spaces) + expected void const [noderef] *__vpp_verify + got struct sched_domain ** + +Signed-off-by: Luc Van Oostenryck +Signed-off-by: Peter Zijlstra (Intel) +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: https://lkml.kernel.org/r/20190118144936.79158-1-luc.vanoostenryck@gmail.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + include/linux/sched/topology.h | 8 ++++---- + kernel/sched/topology.c | 2 +- + 2 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/include/linux/sched/topology.h b/include/linux/sched/topology.h +index c31d3a47a47c..57c7ed3fe465 100644 +--- a/include/linux/sched/topology.h ++++ b/include/linux/sched/topology.h +@@ -176,10 +176,10 @@ typedef int (*sched_domain_flags_f)(void); + #define SDTL_OVERLAP 0x01 + + struct sd_data { +- struct sched_domain **__percpu sd; +- struct sched_domain_shared **__percpu sds; +- struct sched_group **__percpu sg; +- struct sched_group_capacity **__percpu sgc; ++ struct sched_domain *__percpu *sd; ++ struct sched_domain_shared *__percpu *sds; ++ struct sched_group *__percpu *sg; ++ struct sched_group_capacity *__percpu *sgc; + }; + + struct sched_domain_topology_level { +diff --git a/kernel/sched/topology.c b/kernel/sched/topology.c +index 3f35ba1d8fde..efca2489d881 100644 +--- a/kernel/sched/topology.c ++++ b/kernel/sched/topology.c +@@ -676,7 +676,7 @@ cpu_attach_domain(struct sched_domain *sd, struct root_domain *rd, int cpu) + } + + struct s_data { +- struct sched_domain ** __percpu sd; ++ struct sched_domain * __percpu *sd; + struct root_domain *rd; + }; + +-- +2.19.1 + diff --git a/queue-5.0/scsi-core-replace-gfp_atomic-with-gfp_kernel-in-scsi.patch b/queue-5.0/scsi-core-replace-gfp_atomic-with-gfp_kernel-in-scsi.patch new file mode 100644 index 00000000000..fe32bb9352c --- /dev/null +++ b/queue-5.0/scsi-core-replace-gfp_atomic-with-gfp_kernel-in-scsi.patch @@ -0,0 +1,114 @@ +From 18f9903245c45b20544c1b29bf583e20ae58731d Mon Sep 17 00:00:00 2001 +From: Benjamin Block +Date: Thu, 21 Feb 2019 10:18:00 +0100 +Subject: scsi: core: replace GFP_ATOMIC with GFP_KERNEL in scsi_scan.c + +[ Upstream commit 1749ef00f7312679f76d5e9104c5d1e22a829038 ] + +We had a test-report where, under memory pressure, adding LUNs to the +systems would fail (the tests add LUNs strictly in sequence): + +[ 5525.853432] scsi 0:0:1:1088045124: Direct-Access IBM 2107900 .148 PQ: 0 ANSI: 5 +[ 5525.853826] scsi 0:0:1:1088045124: alua: supports implicit TPGS +[ 5525.853830] scsi 0:0:1:1088045124: alua: device naa.6005076303ffd32700000000000044da port group 0 rel port 43 +[ 5525.853931] sd 0:0:1:1088045124: Attached scsi generic sg10 type 0 +[ 5525.854075] sd 0:0:1:1088045124: [sdk] Disabling DIF Type 1 protection +[ 5525.855495] sd 0:0:1:1088045124: [sdk] 2097152 512-byte logical blocks: (1.07 GB/1.00 GiB) +[ 5525.855606] sd 0:0:1:1088045124: [sdk] Write Protect is off +[ 5525.855609] sd 0:0:1:1088045124: [sdk] Mode Sense: ed 00 00 08 +[ 5525.855795] sd 0:0:1:1088045124: [sdk] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA +[ 5525.857838] sdk: sdk1 +[ 5525.859468] sd 0:0:1:1088045124: [sdk] Attached SCSI disk +[ 5525.865073] sd 0:0:1:1088045124: alua: transition timeout set to 60 seconds +[ 5525.865078] sd 0:0:1:1088045124: alua: port group 00 state A preferred supports tolusnA +[ 5526.015070] sd 0:0:1:1088045124: alua: port group 00 state A preferred supports tolusnA +[ 5526.015213] sd 0:0:1:1088045124: alua: port group 00 state A preferred supports tolusnA +[ 5526.587439] scsi_alloc_sdev: Allocation failure during SCSI scanning, some SCSI devices might not be configured +[ 5526.588562] scsi_alloc_sdev: Allocation failure during SCSI scanning, some SCSI devices might not be configured + +Looking at the code of scsi_alloc_sdev(), and all the calling contexts, +there seems to be no reason to use GFP_ATMOIC here. All the different +call-contexts use a mutex at some point, and nothing in between that +requires no sleeping, as far as I could see. Additionally, the code that +later allocates the block queue for the device (scsi_mq_alloc_queue()) +already uses GFP_KERNEL. + +There are similar allocations in two other functions: +scsi_probe_and_add_lun(), and scsi_add_lun(),; that can also be done with +GFP_KERNEL. + +Here is the contexts for the three functions so far: + + scsi_alloc_sdev() + scsi_probe_and_add_lun() + scsi_sequential_lun_scan() + __scsi_scan_target() + scsi_scan_target() + mutex_lock() + scsi_scan_channel() + scsi_scan_host_selected() + mutex_lock() + scsi_report_lun_scan() + __scsi_scan_target() + ... + __scsi_add_device() + mutex_lock() + __scsi_scan_target() + ... + scsi_report_lun_scan() + ... + scsi_get_host_dev() + mutex_lock() + + scsi_probe_and_add_lun() + ... + + scsi_add_lun() + scsi_probe_and_add_lun() + ... + +So replace all these, and give them a bit of a better chance to succeed, +with more chances of reclaim. + +Signed-off-by: Benjamin Block +Reviewed-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_scan.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/scsi/scsi_scan.c b/drivers/scsi/scsi_scan.c +index dd0d516f65e2..53380e07b40e 100644 +--- a/drivers/scsi/scsi_scan.c ++++ b/drivers/scsi/scsi_scan.c +@@ -220,7 +220,7 @@ static struct scsi_device *scsi_alloc_sdev(struct scsi_target *starget, + struct Scsi_Host *shost = dev_to_shost(starget->dev.parent); + + sdev = kzalloc(sizeof(*sdev) + shost->transportt->device_size, +- GFP_ATOMIC); ++ GFP_KERNEL); + if (!sdev) + goto out; + +@@ -788,7 +788,7 @@ static int scsi_add_lun(struct scsi_device *sdev, unsigned char *inq_result, + */ + sdev->inquiry = kmemdup(inq_result, + max_t(size_t, sdev->inquiry_len, 36), +- GFP_ATOMIC); ++ GFP_KERNEL); + if (sdev->inquiry == NULL) + return SCSI_SCAN_NO_RESPONSE; + +@@ -1079,7 +1079,7 @@ static int scsi_probe_and_add_lun(struct scsi_target *starget, + if (!sdev) + goto out; + +- result = kmalloc(result_len, GFP_ATOMIC | ++ result = kmalloc(result_len, GFP_KERNEL | + ((shost->unchecked_isa_dma) ? __GFP_DMA : 0)); + if (!result) + goto out_free_sdev; +-- +2.19.1 + diff --git a/queue-5.0/scsi-fcoe-make-use-of-fip_mode-enum-complete.patch b/queue-5.0/scsi-fcoe-make-use-of-fip_mode-enum-complete.patch new file mode 100644 index 00000000000..f613e6ec48e --- /dev/null +++ b/queue-5.0/scsi-fcoe-make-use-of-fip_mode-enum-complete.patch @@ -0,0 +1,149 @@ +From 49a18e93fe3da32feb2acd25d6b2808bc14ec97b Mon Sep 17 00:00:00 2001 +From: Sedat Dilek +Date: Fri, 15 Feb 2019 13:19:20 +0100 +Subject: scsi: fcoe: make use of fip_mode enum complete + +[ Upstream commit 8beb90aaf334a6efa3e924339926b5f93a234dbb ] + +commit 1917d42d14b7 ("fcoe: use enum for fip_mode") introduces a separate +enum for the fip_mode that shall be used during initialisation handling +until it is passed to fcoe_ctrl_link_up to set the initial fip_state. That +change was incomplete and gcc quietly converted in various places between +the fip_mode and the fip_state enum values with implicit enum conversions, +which fortunately cannot cause any issues in the actual code's execution. + +clang however warns about these implicit enum conversions in the scsi +drivers. This commit consolidates the use of the two enums, guided by +clang's enum-conversion warnings. + +This commit now completes the use of the fip_mode: It expects and uses +fip_mode in {bnx2fc,fcoe}_interface_create and fcoe_ctlr_init, and it calls +fcoe_ctrl_set_set() with the correct values in fcoe_ctlr_link_up(). It +also breaks the association between FIP_MODE_AUTO and FIP_ST_AUTO to +indicate these two enums are distinct. + +Link: https://github.com/ClangBuiltLinux/linux/issues/151 +Fixes: 1917d42d14b7 ("fcoe: use enum for fip_mode") +Reported-by: Dmitry Golovin +Original-by: Lukas Bulwahn +CC: Lukas Bulwahn +CC: Nick Desaulniers +CC: Nathan Chancellor +Reviewed-by: Nathan Chancellor +Tested-by: Nathan Chancellor +Suggested-by: Johannes Thumshirn +Signed-off-by: Sedat Dilek +Signed-off-by: Hannes Reinecke +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/bnx2fc/bnx2fc_fcoe.c | 2 +- + drivers/scsi/fcoe/fcoe.c | 2 +- + drivers/scsi/fcoe/fcoe_ctlr.c | 7 +++++-- + drivers/scsi/fcoe/fcoe_transport.c | 2 +- + drivers/scsi/qedf/qedf_main.c | 2 +- + include/scsi/libfcoe.h | 4 ++-- + 6 files changed, 11 insertions(+), 8 deletions(-) + +diff --git a/drivers/scsi/bnx2fc/bnx2fc_fcoe.c b/drivers/scsi/bnx2fc/bnx2fc_fcoe.c +index 2e4e7159ebf9..a75e74ad1698 100644 +--- a/drivers/scsi/bnx2fc/bnx2fc_fcoe.c ++++ b/drivers/scsi/bnx2fc/bnx2fc_fcoe.c +@@ -1438,7 +1438,7 @@ bind_err: + static struct bnx2fc_interface * + bnx2fc_interface_create(struct bnx2fc_hba *hba, + struct net_device *netdev, +- enum fip_state fip_mode) ++ enum fip_mode fip_mode) + { + struct fcoe_ctlr_device *ctlr_dev; + struct bnx2fc_interface *interface; +diff --git a/drivers/scsi/fcoe/fcoe.c b/drivers/scsi/fcoe/fcoe.c +index cd19be3f3405..8ba8862d3292 100644 +--- a/drivers/scsi/fcoe/fcoe.c ++++ b/drivers/scsi/fcoe/fcoe.c +@@ -389,7 +389,7 @@ static int fcoe_interface_setup(struct fcoe_interface *fcoe, + * Returns: pointer to a struct fcoe_interface or NULL on error + */ + static struct fcoe_interface *fcoe_interface_create(struct net_device *netdev, +- enum fip_state fip_mode) ++ enum fip_mode fip_mode) + { + struct fcoe_ctlr_device *ctlr_dev; + struct fcoe_ctlr *ctlr; +diff --git a/drivers/scsi/fcoe/fcoe_ctlr.c b/drivers/scsi/fcoe/fcoe_ctlr.c +index 54da3166da8d..7dc4ffa24430 100644 +--- a/drivers/scsi/fcoe/fcoe_ctlr.c ++++ b/drivers/scsi/fcoe/fcoe_ctlr.c +@@ -147,7 +147,7 @@ static void fcoe_ctlr_map_dest(struct fcoe_ctlr *fip) + * fcoe_ctlr_init() - Initialize the FCoE Controller instance + * @fip: The FCoE controller to initialize + */ +-void fcoe_ctlr_init(struct fcoe_ctlr *fip, enum fip_state mode) ++void fcoe_ctlr_init(struct fcoe_ctlr *fip, enum fip_mode mode) + { + fcoe_ctlr_set_state(fip, FIP_ST_LINK_WAIT); + fip->mode = mode; +@@ -454,7 +454,10 @@ void fcoe_ctlr_link_up(struct fcoe_ctlr *fip) + mutex_unlock(&fip->ctlr_mutex); + fc_linkup(fip->lp); + } else if (fip->state == FIP_ST_LINK_WAIT) { +- fcoe_ctlr_set_state(fip, fip->mode); ++ if (fip->mode == FIP_MODE_NON_FIP) ++ fcoe_ctlr_set_state(fip, FIP_ST_NON_FIP); ++ else ++ fcoe_ctlr_set_state(fip, FIP_ST_AUTO); + switch (fip->mode) { + default: + LIBFCOE_FIP_DBG(fip, "invalid mode %d\n", fip->mode); +diff --git a/drivers/scsi/fcoe/fcoe_transport.c b/drivers/scsi/fcoe/fcoe_transport.c +index f4909cd206d3..f15d5e1d56b1 100644 +--- a/drivers/scsi/fcoe/fcoe_transport.c ++++ b/drivers/scsi/fcoe/fcoe_transport.c +@@ -873,7 +873,7 @@ static int fcoe_transport_create(const char *buffer, + int rc = -ENODEV; + struct net_device *netdev = NULL; + struct fcoe_transport *ft = NULL; +- enum fip_state fip_mode = (enum fip_state)(long)kp->arg; ++ enum fip_mode fip_mode = (enum fip_mode)kp->arg; + + mutex_lock(&ft_mutex); + +diff --git a/drivers/scsi/qedf/qedf_main.c b/drivers/scsi/qedf/qedf_main.c +index 9bbc19fc190b..9f9431a4cc0e 100644 +--- a/drivers/scsi/qedf/qedf_main.c ++++ b/drivers/scsi/qedf/qedf_main.c +@@ -1418,7 +1418,7 @@ static struct libfc_function_template qedf_lport_template = { + + static void qedf_fcoe_ctlr_setup(struct qedf_ctx *qedf) + { +- fcoe_ctlr_init(&qedf->ctlr, FIP_ST_AUTO); ++ fcoe_ctlr_init(&qedf->ctlr, FIP_MODE_AUTO); + + qedf->ctlr.send = qedf_fip_send; + qedf->ctlr.get_src_addr = qedf_get_src_mac; +diff --git a/include/scsi/libfcoe.h b/include/scsi/libfcoe.h +index cb8a273732cf..bb8092fa1e36 100644 +--- a/include/scsi/libfcoe.h ++++ b/include/scsi/libfcoe.h +@@ -79,7 +79,7 @@ enum fip_state { + * It must not change after fcoe_ctlr_init() sets it. + */ + enum fip_mode { +- FIP_MODE_AUTO = FIP_ST_AUTO, ++ FIP_MODE_AUTO, + FIP_MODE_NON_FIP, + FIP_MODE_FABRIC, + FIP_MODE_VN2VN, +@@ -250,7 +250,7 @@ struct fcoe_rport { + }; + + /* FIP API functions */ +-void fcoe_ctlr_init(struct fcoe_ctlr *, enum fip_state); ++void fcoe_ctlr_init(struct fcoe_ctlr *, enum fip_mode); + void fcoe_ctlr_destroy(struct fcoe_ctlr *); + void fcoe_ctlr_link_up(struct fcoe_ctlr *); + int fcoe_ctlr_link_down(struct fcoe_ctlr *); +-- +2.19.1 + diff --git a/queue-5.0/scsi-hisi_sas-fix-a-timeout-race-of-driver-internal-.patch b/queue-5.0/scsi-hisi_sas-fix-a-timeout-race-of-driver-internal-.patch new file mode 100644 index 00000000000..bcaddad720f --- /dev/null +++ b/queue-5.0/scsi-hisi_sas-fix-a-timeout-race-of-driver-internal-.patch @@ -0,0 +1,61 @@ +From bae9c0852c89b9b2862cab026d18bdc6ee98d697 Mon Sep 17 00:00:00 2001 +From: Xiang Chen +Date: Thu, 28 Feb 2019 22:50:58 +0800 +Subject: scsi: hisi_sas: Fix a timeout race of driver internal and SMP IO + +[ Upstream commit 4790595723d4b833b18c994973d39f9efb842887 ] + +For internal IO and SMP IO, there is a time-out timer for them. In the +timer handler, it checks whether IO is done according to the flag +task->task_state_lock. + +There is an issue which may cause system suspended: internal IO or SMP IO +is sent, but at that time because of hardware exception (such as inject +2Bit ECC error), so IO is not completed and also not timeout. But, at that +time, the SAS controller reset occurs to recover system. It will release +the resource and set the status of IO to be SAS_TASK_STATE_DONE, so when IO +timeout, it will never complete the completion of IO and wait for ever. + +[ 729.123632] Call trace: +[ 729.126791] [] __switch_to+0x94/0xa8 +[ 729.133106] [] __schedule+0x1e8/0x7fc +[ 729.138975] [] schedule+0x34/0x8c +[ 729.144401] [] schedule_timeout+0x1d8/0x3cc +[ 729.150690] [] wait_for_common+0xdc/0x1a0 +[ 729.157101] [] wait_for_completion+0x28/0x34 +[ 729.165973] [] hisi_sas_internal_task_abort+0x2a0/0x424 [hisi_sas_test_main] +[ 729.176447] [] hisi_sas_abort_task+0x244/0x2d8 [hisi_sas_test_main] +[ 729.185258] [] sas_eh_handle_sas_errors+0x1c8/0x7b8 +[ 729.192391] [] sas_scsi_recover_host+0x130/0x398 +[ 729.199237] [] scsi_error_handler+0x148/0x5c0 +[ 729.206009] [] kthread+0x10c/0x138 +[ 729.211563] [] ret_from_fork+0x10/0x18 + +To solve the issue, callback function task_done of those IOs need to be +called when on SAS controller reset. + +Signed-off-by: Xiang Chen +Signed-off-by: John Garry +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/hisi_sas/hisi_sas_main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c +index 88ae415e907a..62d158574281 100644 +--- a/drivers/scsi/hisi_sas/hisi_sas_main.c ++++ b/drivers/scsi/hisi_sas/hisi_sas_main.c +@@ -873,7 +873,8 @@ static void hisi_sas_do_release_task(struct hisi_hba *hisi_hba, struct sas_task + spin_lock_irqsave(&task->task_state_lock, flags); + task->task_state_flags &= + ~(SAS_TASK_STATE_PENDING | SAS_TASK_AT_INITIATOR); +- task->task_state_flags |= SAS_TASK_STATE_DONE; ++ if (!slot->is_internal && task->task_proto != SAS_PROTOCOL_SMP) ++ task->task_state_flags |= SAS_TASK_STATE_DONE; + spin_unlock_irqrestore(&task->task_state_lock, flags); + } + +-- +2.19.1 + diff --git a/queue-5.0/scsi-hisi_sas-set-phy-linkrate-when-disconnected.patch b/queue-5.0/scsi-hisi_sas-set-phy-linkrate-when-disconnected.patch new file mode 100644 index 00000000000..6d88b697cd5 --- /dev/null +++ b/queue-5.0/scsi-hisi_sas-set-phy-linkrate-when-disconnected.patch @@ -0,0 +1,81 @@ +From cce536aba418bb3aeaea1de7f07cc5e202f6b902 Mon Sep 17 00:00:00 2001 +From: John Garry +Date: Thu, 28 Feb 2019 22:51:00 +0800 +Subject: scsi: hisi_sas: Set PHY linkrate when disconnected + +[ Upstream commit efdcad62e7b8a02fcccc5ccca57806dce1482ac8 ] + +When the PHY comes down, we currently do not set the negotiated linkrate: + +root@(none)$ pwd +/sys/class/sas_phy/phy-0:0 +root@(none)$ more enable +1 +root@(none)$ more negotiated_linkrate +12.0 Gbit +root@(none)$ echo 0 > enable +root@(none)$ more negotiated_linkrate +12.0 Gbit +root@(none)$ + +This patch fixes the driver code to set it properly when the PHY comes +down. + +If the PHY had been enabled, then set unknown; otherwise, flag as disabled. + +The logical place to set the negotiated linkrate for this scenario is PHY +down routine, which is called from the PHY down ISR. + +However, it is not possible to know if the PHY comes down due to PHY +disable or loss of link, as sas_phy.enabled member is not set until after +the transport disable routine is complete, which races with the PHY down +ISR. + +As an imperfect solution, use sas_phy_data.enable as the flag to know if +the PHY is down due to disable. It's imperfect, as sas_phy_data is internal +to libsas. + +I can't see another way without adding a new field to hisi_sas_phy and +managing it, or changing SCSI SAS transport. + +Signed-off-by: John Garry +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/hisi_sas/hisi_sas_main.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c +index bc17fa0d8375..88ae415e907a 100644 +--- a/drivers/scsi/hisi_sas/hisi_sas_main.c ++++ b/drivers/scsi/hisi_sas/hisi_sas_main.c +@@ -10,6 +10,7 @@ + */ + + #include "hisi_sas.h" ++#include "../libsas/sas_internal.h" + #define DRV_NAME "hisi_sas" + + #define DEV_IS_GONE(dev) \ +@@ -1972,9 +1973,18 @@ static int hisi_sas_write_gpio(struct sas_ha_struct *sha, u8 reg_type, + + static void hisi_sas_phy_disconnected(struct hisi_sas_phy *phy) + { ++ struct asd_sas_phy *sas_phy = &phy->sas_phy; ++ struct sas_phy *sphy = sas_phy->phy; ++ struct sas_phy_data *d = sphy->hostdata; ++ + phy->phy_attached = 0; + phy->phy_type = 0; + phy->port = NULL; ++ ++ if (d->enable) ++ sphy->negotiated_linkrate = SAS_LINK_RATE_UNKNOWN; ++ else ++ sphy->negotiated_linkrate = SAS_PHY_DISABLED; + } + + void hisi_sas_phy_down(struct hisi_hba *hisi_hba, int phy_no, int rdy) +-- +2.19.1 + diff --git a/queue-5.0/scsi-megaraid_sas-return-error-when-create-dma-pool-.patch b/queue-5.0/scsi-megaraid_sas-return-error-when-create-dma-pool-.patch new file mode 100644 index 00000000000..91659aad7e5 --- /dev/null +++ b/queue-5.0/scsi-megaraid_sas-return-error-when-create-dma-pool-.patch @@ -0,0 +1,79 @@ +From 36530ece0e69910c451f64441bd062f3f82f74b8 Mon Sep 17 00:00:00 2001 +From: Jason Yan +Date: Fri, 15 Feb 2019 19:50:27 +0800 +Subject: scsi: megaraid_sas: return error when create DMA pool failed + +[ Upstream commit bcf3b67d16a4c8ffae0aa79de5853435e683945c ] + +when create DMA pool for cmd frames failed, we should return -ENOMEM, +instead of 0. +In some case in: + + megasas_init_adapter_fusion() + + -->megasas_alloc_cmds() + -->megasas_create_frame_pool + create DMA pool failed, + --> megasas_free_cmds() [1] + + -->megasas_alloc_cmds_fusion() + failed, then goto fail_alloc_cmds. + -->megasas_free_cmds() [2] + +we will call megasas_free_cmds twice, [1] will kfree cmd_list, +[2] will use cmd_list.it will cause a problem: + +Unable to handle kernel NULL pointer dereference at virtual address +00000000 +pgd = ffffffc000f70000 +[00000000] *pgd=0000001fbf893003, *pud=0000001fbf893003, +*pmd=0000001fbf894003, *pte=006000006d000707 +Internal error: Oops: 96000005 [#1] SMP + Modules linked in: + CPU: 18 PID: 1 Comm: swapper/0 Not tainted + task: ffffffdfb9290000 ti: ffffffdfb923c000 task.ti: ffffffdfb923c000 + PC is at megasas_free_cmds+0x30/0x70 + LR is at megasas_free_cmds+0x24/0x70 + ... + Call trace: + [] megasas_free_cmds+0x30/0x70 + [] megasas_init_adapter_fusion+0x2f4/0x4d8 + [] megasas_init_fw+0x2dc/0x760 + [] megasas_probe_one+0x3c0/0xcd8 + [] local_pci_probe+0x4c/0xb4 + [] pci_device_probe+0x11c/0x14c + [] driver_probe_device+0x1ec/0x430 + [] __driver_attach+0xa8/0xb0 + [] bus_for_each_dev+0x74/0xc8 + [] driver_attach+0x28/0x34 + [] bus_add_driver+0x16c/0x248 + [] driver_register+0x6c/0x138 + [] __pci_register_driver+0x5c/0x6c + [] megasas_init+0xc0/0x1a8 + [] do_one_initcall+0xe8/0x1ec + [] kernel_init_freeable+0x1c8/0x284 + [] kernel_init+0x1c/0xe4 + +Signed-off-by: Jason Yan +Acked-by: Sumit Saxena +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/megaraid/megaraid_sas_base.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c +index fcbff83c0097..c9811d1aa007 100644 +--- a/drivers/scsi/megaraid/megaraid_sas_base.c ++++ b/drivers/scsi/megaraid/megaraid_sas_base.c +@@ -4188,6 +4188,7 @@ int megasas_alloc_cmds(struct megasas_instance *instance) + if (megasas_create_frame_pool(instance)) { + dev_printk(KERN_DEBUG, &instance->pdev->dev, "Error creating frame DMA pool\n"); + megasas_free_cmds(instance); ++ return -ENOMEM; + } + + return 0; +-- +2.19.1 + diff --git a/queue-5.0/selftests-bpf-skip-verifier-tests-for-unsupported-pr.patch b/queue-5.0/selftests-bpf-skip-verifier-tests-for-unsupported-pr.patch new file mode 100644 index 00000000000..cea28c7ec83 --- /dev/null +++ b/queue-5.0/selftests-bpf-skip-verifier-tests-for-unsupported-pr.patch @@ -0,0 +1,71 @@ +From f6b3e488d6e87e1e87e9e094517616a13233eb7f Mon Sep 17 00:00:00 2001 +From: Stanislav Fomichev +Date: Mon, 28 Jan 2019 09:21:16 -0800 +Subject: selftests/bpf: skip verifier tests for unsupported program types + +[ Upstream commit 8184d44c9a577a2f1842ed6cc844bfd4a9981d8e ] + +Use recently introduced bpf_probe_prog_type() to skip tests in the +test_verifier() if bpf_verify_program() fails. The skipped test is +indicated in the output. + +Example: + +... +679/p bpf_get_stack return R0 within range SKIP (unsupported program +type 5) +680/p ld_abs: invalid op 1 OK +... +Summary: 863 PASSED, 165 SKIPPED, 3 FAILED + +Signed-off-by: Stanislav Fomichev +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/test_verifier.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c +index 2fd90d456892..9a967983abed 100644 +--- a/tools/testing/selftests/bpf/test_verifier.c ++++ b/tools/testing/selftests/bpf/test_verifier.c +@@ -34,6 +34,7 @@ + #include + + #include ++#include + + #ifdef HAVE_GENHDR + # include "autoconf.h" +@@ -59,6 +60,7 @@ + + #define UNPRIV_SYSCTL "kernel/unprivileged_bpf_disabled" + static bool unpriv_disabled = false; ++static int skips; + + struct bpf_test { + const char *descr; +@@ -15946,6 +15948,11 @@ static void do_test_single(struct bpf_test *test, bool unpriv, + pflags |= BPF_F_ANY_ALIGNMENT; + fd_prog = bpf_verify_program(prog_type, prog, prog_len, pflags, + "GPL", 0, bpf_vlog, sizeof(bpf_vlog), 1); ++ if (fd_prog < 0 && !bpf_probe_prog_type(prog_type, 0)) { ++ printf("SKIP (unsupported program type %d)\n", prog_type); ++ skips++; ++ goto close_fds; ++ } + + expected_ret = unpriv && test->result_unpriv != UNDEF ? + test->result_unpriv : test->result; +@@ -16099,7 +16106,7 @@ static bool test_as_unpriv(struct bpf_test *test) + + static int do_test(bool unpriv, unsigned int from, unsigned int to) + { +- int i, passes = 0, errors = 0, skips = 0; ++ int i, passes = 0, errors = 0; + + for (i = from; i < to; i++) { + struct bpf_test *test = &tests[i]; +-- +2.19.1 + diff --git a/queue-5.0/selftests-bpf-suppress-readelf-stderr-when-probing-f.patch b/queue-5.0/selftests-bpf-suppress-readelf-stderr-when-probing-f.patch new file mode 100644 index 00000000000..f55fccae67f --- /dev/null +++ b/queue-5.0/selftests-bpf-suppress-readelf-stderr-when-probing-f.patch @@ -0,0 +1,57 @@ +From 2367684d939107d8ca438b485ec4547407455c32 Mon Sep 17 00:00:00 2001 +From: Stanislav Fomichev +Date: Thu, 24 Jan 2019 08:54:29 -0800 +Subject: selftests/bpf: suppress readelf stderr when probing for BTF support + +[ Upstream commit 2f0921262ba943fe9d9f59037a033927d8c4789b ] + +Before: +$ make -s -C tools/testing/selftests/bpf +readelf: Error: Missing knowledge of 32-bit reloc types used in DWARF +sections of machine number 247 +readelf: Warning: unable to apply unsupported reloc type 10 to section +.debug_info +readelf: Warning: unable to apply unsupported reloc type 1 to section +.debug_info +readelf: Warning: unable to apply unsupported reloc type 10 to section +.debug_info + +After: +$ make -s -C tools/testing/selftests/bpf + +v2: +* use llvm-readelf instead of redirecting binutils' readelf stderr to + /dev/null + +Signed-off-by: Stanislav Fomichev +Acked-by: Song Liu +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/Makefile | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile +index 41ab7a3668b3..936f726f7cd9 100644 +--- a/tools/testing/selftests/bpf/Makefile ++++ b/tools/testing/selftests/bpf/Makefile +@@ -96,6 +96,7 @@ $(BPFOBJ): force + CLANG ?= clang + LLC ?= llc + LLVM_OBJCOPY ?= llvm-objcopy ++LLVM_READELF ?= llvm-readelf + BTF_PAHOLE ?= pahole + + PROBE := $(shell $(LLC) -march=bpf -mcpu=probe -filetype=null /dev/null 2>&1) +@@ -132,7 +133,7 @@ BTF_PAHOLE_PROBE := $(shell $(BTF_PAHOLE) --help 2>&1 | grep BTF) + BTF_OBJCOPY_PROBE := $(shell $(LLVM_OBJCOPY) --help 2>&1 | grep -i 'usage.*llvm') + BTF_LLVM_PROBE := $(shell echo "int main() { return 0; }" | \ + $(CLANG) -target bpf -O2 -g -c -x c - -o ./llvm_btf_verify.o; \ +- readelf -S ./llvm_btf_verify.o | grep BTF; \ ++ $(LLVM_READELF) -S ./llvm_btf_verify.o | grep BTF; \ + /bin/rm -f ./llvm_btf_verify.o) + + ifneq ($(BTF_LLVM_PROBE),) +-- +2.19.1 + diff --git a/queue-5.0/selftests-ir-fix-warning-s-directive-output-may-be-t.patch b/queue-5.0/selftests-ir-fix-warning-s-directive-output-may-be-t.patch new file mode 100644 index 00000000000..278a10c4739 --- /dev/null +++ b/queue-5.0/selftests-ir-fix-warning-s-directive-output-may-be-t.patch @@ -0,0 +1,61 @@ +From b39f8f3c56519dc93765f463a6b7f664e3768556 Mon Sep 17 00:00:00 2001 +From: Shuah Khan +Date: Thu, 31 Jan 2019 11:54:16 -0700 +Subject: =?UTF-8?q?selftests:=20ir:=20fix=20warning:=20"%s"=20directive=20?= + =?UTF-8?q?output=20may=20be=20truncated=20=E2=80=99=20directive=20output?= + =?UTF-8?q?=20may=20be=20truncated?= +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit ed675ed9da6d951322efd72d739d6b5ce1c18f02 ] + +Fix the following warning by sizing the buffer to max. of sysfs +path max. size + d_name max. size. + +gcc -Wall -O2 -I../../../include/uapi ir_loopback.c -o ../tools/testing/selftests/ir/ir_loopback +ir_loopback.c: In function ‘lirc_open’: +ir_loopback.c:71:37: warning: ‘%s’ directive output may be truncated writing up to 255 bytes into a region of size 95 [-Wformat-truncation=] + snprintf(buf, sizeof(buf), "/dev/%s", dent->d_name); + ^~ +In file included from /usr/include/stdio.h:862:0, + from ir_loopback.c:14: +/usr/include/x86_64-linux-gnu/bits/stdio2.h:64:10: note: ‘__builtin___snprintf_chk’ output between 6 and 261 bytes into a destination of size 100 + return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1, + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + __bos (__s), __fmt, __va_arg_pack ()); + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Signed-off-by: Shuah Khan +Acked-by: Sean Young +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/ir/ir_loopback.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/ir/ir_loopback.c b/tools/testing/selftests/ir/ir_loopback.c +index 858c19caf224..8cdf1b89ac9c 100644 +--- a/tools/testing/selftests/ir/ir_loopback.c ++++ b/tools/testing/selftests/ir/ir_loopback.c +@@ -27,6 +27,8 @@ + + #define TEST_SCANCODES 10 + #define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0])) ++#define SYSFS_PATH_MAX 256 ++#define DNAME_PATH_MAX 256 + + static const struct { + enum rc_proto proto; +@@ -56,7 +58,7 @@ static const struct { + int lirc_open(const char *rc) + { + struct dirent *dent; +- char buf[100]; ++ char buf[SYSFS_PATH_MAX + DNAME_PATH_MAX]; + DIR *d; + int fd; + +-- +2.19.1 + diff --git a/queue-5.0/selftests-skip-seccomp-get_metadata-test-if-not-real.patch b/queue-5.0/selftests-skip-seccomp-get_metadata-test-if-not-real.patch new file mode 100644 index 00000000000..195aab05975 --- /dev/null +++ b/queue-5.0/selftests-skip-seccomp-get_metadata-test-if-not-real.patch @@ -0,0 +1,45 @@ +From 9d2c63062d019970e8b8716b9b4f31646b0d1c6b Mon Sep 17 00:00:00 2001 +From: Tycho Andersen +Date: Fri, 18 Jan 2019 17:12:15 -0700 +Subject: selftests: skip seccomp get_metadata test if not real root + +[ Upstream commit 3aa415dd2128e478ea3225b59308766de0e94d6b ] + +The get_metadata() test requires real root, so let's skip it if we're not +real root. + +Note that I used XFAIL here because that's what the test does later if +CONFIG_CHEKCKPOINT_RESTORE happens to not be enabled. After looking at the +code, there doesn't seem to be a nice way to skip tests defined as TEST(), +since there's no return code (I tried exit(KSFT_SKIP), but that didn't work +either...). So let's do it this way to be consistent, and easier to fix +when someone comes along and fixes it. + +Signed-off-by: Tycho Andersen +Acked-by: Kees Cook +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/seccomp/seccomp_bpf.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c +index 7e632b465ab4..6d7a81306f8a 100644 +--- a/tools/testing/selftests/seccomp/seccomp_bpf.c ++++ b/tools/testing/selftests/seccomp/seccomp_bpf.c +@@ -2971,6 +2971,12 @@ TEST(get_metadata) + struct seccomp_metadata md; + long ret; + ++ /* Only real root can get metadata. */ ++ if (geteuid()) { ++ XFAIL(return, "get_metadata requires real root"); ++ return; ++ } ++ + ASSERT_EQ(0, pipe(pipefd)); + + pid = fork(); +-- +2.19.1 + diff --git a/queue-5.0/selinux-do-not-override-context-on-context-mounts.patch b/queue-5.0/selinux-do-not-override-context-on-context-mounts.patch new file mode 100644 index 00000000000..db62b1b090e --- /dev/null +++ b/queue-5.0/selinux-do-not-override-context-on-context-mounts.patch @@ -0,0 +1,100 @@ +From 2648dd6dd5a337a50ac4d207dd049953a60ed395 Mon Sep 17 00:00:00 2001 +From: Ondrej Mosnacek +Date: Fri, 21 Dec 2018 21:18:53 +0100 +Subject: selinux: do not override context on context mounts + +[ Upstream commit 53e0c2aa9a59a48e3798ef193d573ade85aa80f5 ] + +Ignore all selinux_inode_notifysecctx() calls on mounts with SBLABEL_MNT +flag unset. This is achived by returning -EOPNOTSUPP for this case in +selinux_inode_setsecurtity() (because that function should not be called +in such case anyway) and translating this error to 0 in +selinux_inode_notifysecctx(). + +This fixes behavior of kernfs-based filesystems when mounted with the +'context=' option. Before this patch, if a node's context had been +explicitly set to a non-default value and later the filesystem has been +remounted with the 'context=' option, then this node would show up as +having the manually-set context and not the mount-specified one. + +Steps to reproduce: + # mount -t cgroup2 cgroup2 /sys/fs/cgroup/unified + # chcon unconfined_u:object_r:user_home_t:s0 /sys/fs/cgroup/unified/cgroup.stat + # ls -lZ /sys/fs/cgroup/unified + total 0 + -r--r--r--. 1 root root system_u:object_r:cgroup_t:s0 0 Dec 13 10:41 cgroup.controllers + -rw-r--r--. 1 root root system_u:object_r:cgroup_t:s0 0 Dec 13 10:41 cgroup.max.depth + -rw-r--r--. 1 root root system_u:object_r:cgroup_t:s0 0 Dec 13 10:41 cgroup.max.descendants + -rw-r--r--. 1 root root system_u:object_r:cgroup_t:s0 0 Dec 13 10:41 cgroup.procs + -r--r--r--. 1 root root unconfined_u:object_r:user_home_t:s0 0 Dec 13 10:41 cgroup.stat + -rw-r--r--. 1 root root system_u:object_r:cgroup_t:s0 0 Dec 13 10:41 cgroup.subtree_control + -rw-r--r--. 1 root root system_u:object_r:cgroup_t:s0 0 Dec 13 10:41 cgroup.threads + # umount /sys/fs/cgroup/unified + # mount -o context=system_u:object_r:tmpfs_t:s0 -t cgroup2 cgroup2 /sys/fs/cgroup/unified + +Result before: + # ls -lZ /sys/fs/cgroup/unified + total 0 + -r--r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.controllers + -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.max.depth + -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.max.descendants + -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.procs + -r--r--r--. 1 root root unconfined_u:object_r:user_home_t:s0 0 Dec 13 10:41 cgroup.stat + -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.subtree_control + -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.threads + +Result after: + # ls -lZ /sys/fs/cgroup/unified + total 0 + -r--r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.controllers + -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.max.depth + -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.max.descendants + -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.procs + -r--r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.stat + -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.subtree_control + -rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.threads + +Signed-off-by: Ondrej Mosnacek +Reviewed-by: Stephen Smalley +Signed-off-by: Paul Moore +Signed-off-by: Sasha Levin +--- + security/selinux/hooks.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c +index cf20dd36a30f..07b11b5aaf1f 100644 +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -3244,12 +3244,16 @@ static int selinux_inode_setsecurity(struct inode *inode, const char *name, + const void *value, size_t size, int flags) + { + struct inode_security_struct *isec = inode_security_novalidate(inode); ++ struct superblock_security_struct *sbsec = inode->i_sb->s_security; + u32 newsid; + int rc; + + if (strcmp(name, XATTR_SELINUX_SUFFIX)) + return -EOPNOTSUPP; + ++ if (!(sbsec->flags & SBLABEL_MNT)) ++ return -EOPNOTSUPP; ++ + if (!value || !size) + return -EACCES; + +@@ -6398,7 +6402,10 @@ static void selinux_inode_invalidate_secctx(struct inode *inode) + */ + static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) + { +- return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0); ++ int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ++ ctx, ctxlen, 0); ++ /* Do not return error when suppressing label (SBLABEL_MNT not set). */ ++ return rc == -EOPNOTSUPP ? 0 : rc; + } + + /* +-- +2.19.1 + diff --git a/queue-5.0/serial-8250_pxa-honor-the-port-number-from-devicetre.patch b/queue-5.0/serial-8250_pxa-honor-the-port-number-from-devicetre.patch new file mode 100644 index 00000000000..c17c572cee4 --- /dev/null +++ b/queue-5.0/serial-8250_pxa-honor-the-port-number-from-devicetre.patch @@ -0,0 +1,43 @@ +From 973956e4c17d45b59da89dade74dd3fb7ce13363 Mon Sep 17 00:00:00 2001 +From: Lubomir Rintel +Date: Sun, 24 Feb 2019 12:58:02 +0100 +Subject: serial: 8250_pxa: honor the port number from devicetree + +[ Upstream commit fe9ed6d2483fda55465f32924fb15bce0fac3fac ] + +Like the other OF-enabled drivers, use the port number from the firmware if +the devicetree specifies an alias: + + aliases { + ... + serial2 = &uart2; /* Should be ttyS2 */ + } + +This is how the deprecated pxa.c driver behaved, switching to 8250_pxa +messes up the numbering. + +Signed-off-by: Lubomir Rintel +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/8250/8250_pxa.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/tty/serial/8250/8250_pxa.c b/drivers/tty/serial/8250/8250_pxa.c +index b9bcbe20a2be..c47188860e32 100644 +--- a/drivers/tty/serial/8250/8250_pxa.c ++++ b/drivers/tty/serial/8250/8250_pxa.c +@@ -113,6 +113,10 @@ static int serial_pxa_probe(struct platform_device *pdev) + if (ret) + return ret; + ++ ret = of_alias_get_id(pdev->dev.of_node, "serial"); ++ if (ret >= 0) ++ uart.port.line = ret; ++ + uart.port.type = PORT_XSCALE; + uart.port.iotype = UPIO_MEM32; + uart.port.mapbase = mmres->start; +-- +2.19.1 + diff --git a/queue-5.0/series b/queue-5.0/series index f62d75d90d3..9c23201e474 100644 --- a/queue-5.0/series +++ b/queue-5.0/series @@ -1 +1,246 @@ ext4-cleanup-bh-release-code-in-ext4_ind_remove_space.patch +cifs-fix-posix-lock-leak-and-invalid-ptr-deref.patch +nvme-fc-fix-numa_node-when-dev-is-null.patch +nvme-loop-init-nvmet_ctrl-fatal_err_work-when-alloca.patch +h8300-use-cc-cross-prefix-instead-of-hardcoding-h830.patch +f2fs-fix-to-adapt-small-inline-xattr-space-in-__find.patch +f2fs-fix-to-avoid-deadlock-in-f2fs_read_inline_dir.patch +apparmor-fix-double-free-when-unpack-of-secmark-rule.patch +tracing-kdb-fix-ftdump-to-not-sleep.patch +net-mlx5e-fix-access-to-non-existing-receive-queue.patch +net-mlx5-avoid-panic-when-setting-vport-rate.patch +net-mlx5-avoid-panic-when-setting-vport-mac-getting-.patch +xsk-fix-to-reject-invalid-flags-in-xsk_bind.patch +clk-ti-clkctrl-fix-clkdm_name-regression-for-ti_clk_.patch +gpio-gpio-omap-fix-level-interrupt-idling.patch +include-linux-relay.h-fix-percpu-annotation-in-struc.patch +sysctl-handle-overflow-for-file-max.patch +net-stmmac-avoid-sometimes-uninitialized-clang-warni.patch +enic-fix-build-warning-without-config_cpumask_offsta.patch +libbpf-force-fixdep-compilation-at-the-start-of-the-.patch +scsi-hisi_sas-set-phy-linkrate-when-disconnected.patch +scsi-hisi_sas-fix-a-timeout-race-of-driver-internal-.patch +iio-adc-fix-warning-in-qualcomm-pm8xxx-hk-xoadc-driv.patch +x86-hyperv-fix-kernel-panic-when-kexec-on-hyperv.patch +perf-c2c-fix-c2c-report-for-empty-numa-node.patch +mm-sparse-fix-a-bad-comparison.patch +mm-cma.c-cma_declare_contiguous-correct-err-handling.patch +mm-page_ext.c-fix-an-imbalance-with-kmemleak.patch +mm-swap-bounds-check-swap_info-array-accesses-to-avo.patch +docs-core-api-mm-fix-user-memory-accessors-formattin.patch +mm-oom-don-t-kill-global-init-via-memory.oom.group.patch +memcg-killed-threads-should-not-invoke-memcg-oom-kil.patch +mm-mempolicy-fix-uninit-memory-access.patch +mm-vmalloc.c-fix-kernel-bug-at-mm-vmalloc.c-512.patch +mm-slab.c-kmemleak-no-scan-alien-caches.patch +ocfs2-fix-a-panic-problem-caused-by-o2cb_ctl.patch +f2fs-do-not-use-mutex-lock-in-atomic-context.patch +f2fs-fix-to-data-block-override-node-segment-by-mist.patch +fs-file.c-initialize-init_files.resize_wait.patch +page_poison-play-nicely-with-kasan.patch +kasan-fix-kasan_check_read-write-definitions.patch +cifs-use-correct-format-characters.patch +dm-thin-add-sanity-checks-to-thin-pool-and-external-.patch +f2fs-fix-to-check-inline_xattr_size-boundary-correct.patch +cifs-accept-validate-negotiate-if-server-return-nt_s.patch +cifs-fix-null-pointer-dereference-of-devname.patch +fs-make-splice-and-tee-take-into-account-o_nonblock-.patch +perf-beauty-msg_flags-add-missing-s-lost-when-adding.patch +netfilter-nf_tables-check-the-result-of-dereferencin.patch +pci-mediatek-fix-memory-mapped-io-range-size-computa.patch +netfilter-conntrack-tcp-only-close-if-rst-matches-ex.patch +iommu-vt-d-disable-ats-support-on-untrusted-devices.patch +jbd2-fix-invalid-descriptor-block-checksum.patch +ext4-fix-bigalloc-cluster-freeing-when-hole-punching.patch +fs-fix-guard_bio_eod-to-check-for-real-eod-errors.patch +tools-lib-traceevent-fix-buffer-overflow-in-arg_eval.patch +mm-resource-return-real-error-codes-from-walk-failur.patch +pci-pme-fix-hotplug-sysfs-remove-deadlock-in-pcie_pm.patch +wil6210-check-null-pointer-in-_wil_cfg80211_merge_ex.patch +mt76-fix-a-leaked-reference-by-adding-a-missing-of_n.patch +ath10k-fix-the-wrong-updation-of-bw-in-tx_stats-debu.patch +lockdep-lib-tests-fix-run_tests.sh.patch +crypto-crypto4xx-add-missing-of_node_put-after-of_de.patch +crypto-cavium-zip-fix-collision-with-generic-cra_dri.patch +tools-bpf-selftests-add-map-lookup-to-test_map_in_ma.patch +usb-chipidea-grab-the-legacy-usb-phy-by-phandle-firs.patch +powerpc-powernv-ioda-fix-locked_vm-counting-for-memo.patch +scsi-core-replace-gfp_atomic-with-gfp_kernel-in-scsi.patch +kbuild-invoke-syncconfig-if-include-config-auto.conf.patch +kbuild-make-r-r-effective-in-top-makefile-for-old-ma.patch +btrfs-save-drop_progress-if-we-drop-refs-at-all.patch +drm-amd-display-fix-reference-counting-for-struct-dc.patch +ath10k-don-t-report-unset-rssi-values-to-mac80211.patch +powerpc-xmon-fix-opcode-being-uninitialized-in-print.patch +coresight-etm4x-add-support-to-enable-etmv4.2.patch +serial-8250_pxa-honor-the-port-number-from-devicetre.patch +arm-8840-1-use-a-raw_spinlock_t-in-unwind.patch +arm-8845-1-use-unified-assembler-in-c-files.patch +iommu-io-pgtable-arm-v7s-only-kmemleak_ignore-l2-tab.patch +powerpc-hugetlb-handle-mmap_min_addr-correctly-in-ge.patch +net-dsa-mv88e6xxx-default-cmode-to-1000basex-only-on.patch +ice-fix-ice_remove_rule_internal-vsi_list-handling.patch +perf-script-handle-missing-fields-with-f.patch +btrfs-qgroup-make-qgroup-async-transaction-commit-mo.patch +btrfs-don-t-enospc-all-tickets-on-flush-failure.patch +mmc-omap-fix-the-maximum-timeout-setting.patch +net-dsa-mv88e6xxx-add-lockdep-classes-to-fix-false-p.patch +net-hns3-fix-setting-of-the-hns-reset_type-for-rdma-.patch +veth-fix-wformat-truncation.patch +e1000e-fix-wformat-truncation-warnings.patch +mlxsw-spectrum-avoid-wformat-truncation-warnings.patch +i2c-allow-recovery-of-the-initial-irq-by-an-i2c-clie.patch +platform-x86-ideapad-laptop-fix-no_hw_rfkill_list-fo.patch +platform-mellanox-mlxreg-hotplug-fix-kasan-warning.patch +loop-set-genhd_fl_no_part_scan-after-blkdev_reread_p.patch +i2c-designware-do-not-allow-i2c_dw_xfer-calls-while-.patch +ib-mlx4-increase-the-timeout-for-cm-cache.patch +clk-fractional-divider-check-parent-rate-only-if-fla.patch +perf-annotate-fix-getting-source-line-failure.patch +powerpc-44x-force-pci-on-for-currituck.patch +asoc-qcom-fix-of-node-refcount-unbalance-in-qcom_snd.patch +cpufreq-acpi-cpufreq-report-if-cpu-doesn-t-support-b.patch +efi-cper-fix-possible-out-of-bounds-access.patch +s390-ism-ignore-some-errors-during-deregistration.patch +scsi-megaraid_sas-return-error-when-create-dma-pool-.patch +scsi-fcoe-make-use-of-fip_mode-enum-complete.patch +drm-amd-display-clear-stream-mode_changed-after-comm.patch +perf-test-fix-failure-of-evsel-tp-sched-test-on-s390.patch +mwifiex-don-t-advertise-ibss-features-without-fw-sup.patch +perf-report-don-t-shadow-inlined-symbol-with-differe.patch +soc-imx-sgtl5000-add-missing-put_device.patch +media-ov7740-fix-runtime-pm-initialization.patch +media-sh_veu-correct-return-type-for-mem2mem-buffer-.patch +media-s5p-jpeg-correct-return-type-for-mem2mem-buffe.patch +media-rockchip-rga-correct-return-type-for-mem2mem-b.patch +media-s5p-g2d-correct-return-type-for-mem2mem-buffer.patch +media-mx2_emmaprp-correct-return-type-for-mem2mem-bu.patch +media-mtk-jpeg-correct-return-type-for-mem2mem-buffe.patch +media-rockchip-vpu-correct-return-type-for-mem2mem-b.patch +mt76-usb-do-not-run-mt76u_queues_deinit-twice.patch +gpio-of-apply-regulator-gpio-quirk-only-to-enable-gp.patch +xen-gntdev-do-not-destroy-context-while-dma-bufs-are.patch +vfs-fix-preadv64v2-and-pwritev64v2-compat-syscalls-w.patch +hid-intel-ish-hid-avoid-binding-wrong-ishtp_cl_devic.patch +cgroup-rstat-don-t-flush-subtree-root-unless-necessa.patch +efi-fix-build-error-due-to-enum-collision-between-ef.patch +drm-sched-fix-entities-with-0-rqs.patch +regulator-core-take-lock-before-applying-system-load.patch +jbd2-fix-race-when-writing-superblock.patch +leds-lp55xx-fix-null-deref-on-firmware-load-failure.patch +tools-build-add-lrt-to-feature_check_ldflags-libaio.patch +tools-build-add-test-reallocarray.c-to-test-all.c-to.patch +perf-beauty-waitid-options-fix-up-prefix-showing-log.patch +perf-trace-check-if-the-fd-is-negative-when-mapping-.patch +perf-report-add-s390-diagnosic-sampling-descriptor-s.patch +perf-coresight-do-not-test-for-libopencsd-by-default.patch +iwlwifi-pcie-fix-emergency-path.patch +acpi-video-refactor-and-fix-dmi_is_desktop.patch +selftests-ir-fix-warning-s-directive-output-may-be-t.patch +selftests-skip-seccomp-get_metadata-test-if-not-real.patch +kprobes-prohibit-probing-on-bsearch.patch +kprobes-prohibit-probing-on-rcu-debug-routine.patch +netfilter-conntrack-fix-cloned-unconfirmed-skb-_nfct.patch +arm-8833-1-ensure-that-neon-code-always-compiles-wit.patch +arm-dts-meson8b-fix-the-ethernet-data-line-signals-i.patch +alsa-pcm-check-if-ops-are-defined-before-suspending-.patch +ath10k-fix-shadow-register-implementation-for-wcn399.patch +usb-f_fs-avoid-crash-due-to-out-of-scope-stack-ptr-a.patch +sched-topology-fix-percpu-data-types-in-struct-sd_da.patch +bcache-fix-input-overflow-to-cache-set-sysfs-file-io.patch +bcache-fix-input-overflow-to-sequential_cutoff.patch +bcache-fix-potential-div-zero-error-of-writeback_rat.patch +bcache-improve-sysfs_strtoul_clamp.patch +genirq-avoid-summation-loops-for-proc-stat.patch +net-marvell-mvpp2-fix-stuck-in-band-sgmii-negotiatio.patch +iw_cxgb4-fix-srqidx-leak-during-connection-abort.patch +net-phy-consider-latched-link-down-status-in-polling.patch +fbdev-fbmem-fix-memory-access-if-logo-is-bigger-than.patch +cdrom-fix-race-condition-in-cdrom_sysctl_register.patch +drm-rcar-du-add-missing-of_node_put.patch +drm-amd-display-don-t-re-program-planes-for-dpms-cha.patch +bpf-test_maps-fix-possible-out-of-bound-access-warni.patch +x86-kexec-fill-in-acpi_rsdp_addr-from-the-first-kern.patch +powerpc-ptrace-mitigate-potential-spectre-v1.patch +drm-amd-display-disconnect-mpcc-when-changing-tg.patch +perf-aux-make-perf_event-accessible-to-setup_aux.patch +e1000e-fix-cyclic-resets-at-link-up-with-active-tx.patch +e1000e-exclude-device-from-suspend-direct-complete-o.patch +platform-x86-intel_pmc_core-fix-pch-ip-sts-reading.patch +i2c-of-try-to-find-an-i2c-adapter-matching-the-paren.patch +staging-spi-mt7621-add-return-code-check-on-device_r.patch +iwlwifi-mvm-fix-rfh-config-command-with-10-cpus.patch +asoc-fsl-asoc-card-fix-object-reference-leaks-in-fsl.patch +sched-debug-initialize-sd_sysctl_cpus-if-config_cpum.patch +efi-memattr-don-t-bail-on-zero-va-if-it-equals-the-r.patch +sched-core-use-read_once-write_once-in-move_queued_t.patch +drm-vkms-bugfix-racing-hrtimer-vblank-handle.patch +drm-vkms-bugfix-extra-vblank-frame.patch +arm-dts-lpc32xx-remove-leading-0x-and-0s-from-bindin.patch +efi-arm-arm64-allow-setvirtualaddressmap-to-be-omitt.patch +soc-qcom-gsbi-fix-error-handling-in-gsbi_probe.patch +drm-msm-dpu-convert-to-a-chained-irq-chip.patch +mt7601u-bump-supported-eeprom-version.patch +arm-8830-1-nommu-toggle-only-bits-in-exc_return-we-a.patch +arm-avoid-cortex-a9-livelock-on-tight-dmb-loops.patch +block-bfq-fix-in-service-queue-check-for-queue-mergi.patch +block-bfq-fix-queue-removal-from-weights-tree.patch +bpf-fix-missing-prototype-warnings.patch +selftests-bpf-skip-verifier-tests-for-unsupported-pr.patch +powerpc-64s-clear-on-stack-exception-marker-upon-exc.patch +cgroup-pids-turn-cgroup_subsys-free-into-cgroup_subs.patch +backlight-pwm_bl-use-gpiod_get_value_cansleep-to-get.patch +tty-increase-the-default-flip-buffer-limit-to-2-640k.patch +powerpc-pseries-perform-full-re-add-of-cpu-for-topol.patch +drm-amd-display-enable-vblank-interrupt-during-crc-c.patch +alsa-dice-add-support-for-solid-state-logic-duende-c.patch +regulator-mcp16502-include-linux-gpio-consumer.h-to-.patch +usb-dwc3-gadget-fix-otg-events-when-gadget-driver-is.patch +platform-x86-intel-hid-missing-power-button-release-.patch +perf-trace-fixup-etcsnoop-example.patch +perf-script-python-use-pybytes-for-attr-in-trace-eve.patch +perf-script-python-add-trace_context-extension-modul.patch +media-mt9m111-set-initial-frame-size-other-than-0x0.patch +hwrng-virtio-avoid-repeated-init-of-completion.patch +soc-tegra-fuse-fix-illegal-free-of-io-base-address.patch +selftests-bpf-suppress-readelf-stderr-when-probing-f.patch +hid-intel-ish-ipc-handle-pimr-before-ish_wakeup-also.patch +f2fs-ubsan-set-boolean-value-iostat_enable-correctly.patch +f2fs-fix-to-initialize-variable-to-avoid-ubsan-smatc.patch +hpet-fix-missing-character-in-the-__setup-code-of-hp.patch +pinctrl-meson-fix-g12a-ao-pull-registers-base-addres.patch +pinctrl-sh-pfc-r8a77990-fix-mod_sel-bit-numbering.patch +pinctrl-sh-pfc-r8a77995-fix-mod_sel-bit-numbering.patch +cpu-hotplug-mute-hotplug-lockdep-during-init.patch +dmaengine-imx-dma-fix-warning-comparison-of-distinct.patch +dmaengine-qcom_hidma-assign-channel-cookie-correctly.patch +dmaengine-qcom_hidma-initialize-tx-flags-in-hidma_pr.patch +netfilter-physdev-relax-br_netfilter-dependency.patch +media-rcar-vin-allow-independent-vin-link-enablement.patch +media-s5p-jpeg-check-for-fmt_ver_flag-when-doing-fmt.patch +pci-pciehp-assign-ctrl-slot_ctrl-before-writing-it-t.patch +audit-hand-taken-context-to-audit_kill_trees-for-sys.patch +regulator-act8865-fix-act8600_sudcdc_voltage_ranges-.patch +pinctrl-meson-meson8b-add-the-eth_rxd2-and-eth_rxd3-.patch +drm-auto-set-allow_fb_modifiers-when-given-modifiers.patch +drm-nouveau-stop-using-drm_crtc_force_disable.patch +x86-build-specify-elf_i386-linker-emulation-explicit.patch +selinux-do-not-override-context-on-context-mounts.patch +brcmfmac-use-firmware_request_nowarn-for-the-clm_blo.patch +wlcore-fix-memory-leak-in-case-wl12xx_fetch_firmware.patch +x86-build-mark-per-cpu-symbols-as-absolute-explicitl.patch +drm-fb-helper-fix-leaks-in-error-path-of-drm_fb_help.patch +clk-meson-clean-up-clock-registration.patch +arm-shmobile-fix-r-car-gen2-regulator-quirk.patch +clk-rockchip-fix-frac-settings-of-gpll-clock-for-rk3.patch +dmaengine-tegra-avoid-overflow-of-byte-tracking.patch +staging-iio-adt7316-fix-dac_bits-assignment.patch +input-soc_button_array-fix-mapping-of-the-5th-gpio-i.patch +asoc-simple-card-utils-check-reg-property-on-asoc_si.patch +drm-reorder-set_property_atomic-to-avoid-returning-w.patch +drm-dp-mst-configure-no_stop_bit-correctly-for-remot.patch +net-stmmac-avoid-one-more-sometimes-uninitialized-cl.patch +appletalk-fix-compile-regression.patch +gpio-of-restrict-enable-gpio-quirk-to-regulator-gpio.patch +acpi-video-extend-chassis-type-detection-with-a-lunc.patch +bcache-fix-potential-div-zero-error-of-writeback_rat.patch-17972 diff --git a/queue-5.0/soc-imx-sgtl5000-add-missing-put_device.patch b/queue-5.0/soc-imx-sgtl5000-add-missing-put_device.patch new file mode 100644 index 00000000000..64f3a8f6097 --- /dev/null +++ b/queue-5.0/soc-imx-sgtl5000-add-missing-put_device.patch @@ -0,0 +1,56 @@ +From e0ce644b237b4f3b731094628a3d80b66ac28fa7 Mon Sep 17 00:00:00 2001 +From: Wen Yang +Date: Mon, 18 Feb 2019 15:13:47 +0000 +Subject: SoC: imx-sgtl5000: add missing put_device() + +[ Upstream commit 8fa857da9744f513036df1c43ab57f338941ae7d ] + +The of_find_device_by_node() takes a reference to the underlying device +structure, we should release that reference. + +Detected by coccinelle with the following warnings: +./sound/soc/fsl/imx-sgtl5000.c:169:1-7: ERROR: missing put_device; +call of_find_device_by_node on line 105, but without a corresponding +object release within this function. +./sound/soc/fsl/imx-sgtl5000.c:177:1-7: ERROR: missing put_device; +call of_find_device_by_node on line 105, but without a corresponding +object release within this function. + +Signed-off-by: Wen Yang +Cc: Timur Tabi +Cc: Nicolin Chen +Cc: Xiubo Li +Cc: Fabio Estevam +Cc: Liam Girdwood +Cc: Mark Brown +Cc: Jaroslav Kysela +Cc: Takashi Iwai +Cc: Shawn Guo +Cc: Sascha Hauer +Cc: Pengutronix Kernel Team +Cc: NXP Linux Team +Cc: alsa-devel@alsa-project.org +Cc: linuxppc-dev@lists.ozlabs.org +Cc: linux-arm-kernel@lists.infradead.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/fsl/imx-sgtl5000.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/soc/fsl/imx-sgtl5000.c b/sound/soc/fsl/imx-sgtl5000.c +index c29200cf755a..9b9a7ec52905 100644 +--- a/sound/soc/fsl/imx-sgtl5000.c ++++ b/sound/soc/fsl/imx-sgtl5000.c +@@ -108,6 +108,7 @@ static int imx_sgtl5000_probe(struct platform_device *pdev) + ret = -EPROBE_DEFER; + goto fail; + } ++ put_device(&ssi_pdev->dev); + codec_dev = of_find_i2c_device_by_node(codec_np); + if (!codec_dev) { + dev_err(&pdev->dev, "failed to find codec platform device\n"); +-- +2.19.1 + diff --git a/queue-5.0/soc-qcom-gsbi-fix-error-handling-in-gsbi_probe.patch b/queue-5.0/soc-qcom-gsbi-fix-error-handling-in-gsbi_probe.patch new file mode 100644 index 00000000000..2bbc60d78f0 --- /dev/null +++ b/queue-5.0/soc-qcom-gsbi-fix-error-handling-in-gsbi_probe.patch @@ -0,0 +1,48 @@ +From 563555bf2db4554b16961aa8c7f5d6decb219cdd Mon Sep 17 00:00:00 2001 +From: Alexey Khoroshilov +Date: Sat, 8 Dec 2018 01:57:04 +0300 +Subject: soc: qcom: gsbi: Fix error handling in gsbi_probe() + +[ Upstream commit 8cd09a3dd3e176c62da67efcd477a44a8d87185e ] + +If of_platform_populate() fails in gsbi_probe(), +gsbi->hclk is left undisabled. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Alexey Khoroshilov +Signed-off-by: Bjorn Andersson +Signed-off-by: Andy Gross +Signed-off-by: Sasha Levin +--- + drivers/soc/qcom/qcom_gsbi.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/soc/qcom/qcom_gsbi.c b/drivers/soc/qcom/qcom_gsbi.c +index 09c669e70d63..038abc377fdb 100644 +--- a/drivers/soc/qcom/qcom_gsbi.c ++++ b/drivers/soc/qcom/qcom_gsbi.c +@@ -138,7 +138,7 @@ static int gsbi_probe(struct platform_device *pdev) + struct resource *res; + void __iomem *base; + struct gsbi_info *gsbi; +- int i; ++ int i, ret; + u32 mask, gsbi_num; + const struct crci_config *config = NULL; + +@@ -221,7 +221,10 @@ static int gsbi_probe(struct platform_device *pdev) + + platform_set_drvdata(pdev, gsbi); + +- return of_platform_populate(node, NULL, NULL, &pdev->dev); ++ ret = of_platform_populate(node, NULL, NULL, &pdev->dev); ++ if (ret) ++ clk_disable_unprepare(gsbi->hclk); ++ return ret; + } + + static int gsbi_remove(struct platform_device *pdev) +-- +2.19.1 + diff --git a/queue-5.0/soc-tegra-fuse-fix-illegal-free-of-io-base-address.patch b/queue-5.0/soc-tegra-fuse-fix-illegal-free-of-io-base-address.patch new file mode 100644 index 00000000000..79016ca53f3 --- /dev/null +++ b/queue-5.0/soc-tegra-fuse-fix-illegal-free-of-io-base-address.patch @@ -0,0 +1,108 @@ +From ae133d5439e00ad3ae5e2e66235624dbd64896c7 Mon Sep 17 00:00:00 2001 +From: Timo Alho +Date: Sun, 30 Dec 2018 17:58:08 +0200 +Subject: soc/tegra: fuse: Fix illegal free of IO base address + +[ Upstream commit 51294bf6b9e897d595466dcda5a3f2751906a200 ] + +On cases where device tree entries for fuse and clock provider are in +different order, fuse driver needs to defer probing. This leads to +freeing incorrect IO base address as the fuse->base variable gets +overwritten once during first probe invocation. This leads to the +following spew during boot: + +[ 3.082285] Trying to vfree() nonexistent vm area (00000000cfe8fd94) +[ 3.082308] WARNING: CPU: 5 PID: 126 at /hdd/l4t/kernel/stable/mm/vmalloc.c:1511 __vunmap+0xcc/0xd8 +[ 3.082318] Modules linked in: +[ 3.082330] CPU: 5 PID: 126 Comm: kworker/5:1 Tainted: G S 4.19.7-tegra-gce119d3 #1 +[ 3.082340] Hardware name: quill (DT) +[ 3.082353] Workqueue: events deferred_probe_work_func +[ 3.082364] pstate: 40000005 (nZcv daif -PAN -UAO) +[ 3.082372] pc : __vunmap+0xcc/0xd8 +[ 3.082379] lr : __vunmap+0xcc/0xd8 +[ 3.082385] sp : ffff00000a1d3b60 +[ 3.082391] x29: ffff00000a1d3b60 x28: 0000000000000000 +[ 3.082402] x27: 0000000000000000 x26: ffff000008e8b610 +[ 3.082413] x25: 0000000000000000 x24: 0000000000000009 +[ 3.082423] x23: ffff000009221a90 x22: ffff000009f6d000 +[ 3.082432] x21: 0000000000000000 x20: 0000000000000000 +[ 3.082442] x19: ffff000009f6d000 x18: ffffffffffffffff +[ 3.082452] x17: 0000000000000000 x16: 0000000000000000 +[ 3.082462] x15: ffff0000091396c8 x14: 0720072007200720 +[ 3.082471] x13: 0720072007200720 x12: 0720072907340739 +[ 3.082481] x11: 0764076607380765 x10: 0766076307300730 +[ 3.082491] x9 : 0730073007300730 x8 : 0730073007280720 +[ 3.082501] x7 : 0761076507720761 x6 : 0000000000000102 +[ 3.082510] x5 : 0000000000000000 x4 : 0000000000000000 +[ 3.082519] x3 : ffffffffffffffff x2 : ffff000009150ff8 +[ 3.082528] x1 : 3d95b1429fff5200 x0 : 0000000000000000 +[ 3.082538] Call trace: +[ 3.082545] __vunmap+0xcc/0xd8 +[ 3.082552] vunmap+0x24/0x30 +[ 3.082561] __iounmap+0x2c/0x38 +[ 3.082569] tegra_fuse_probe+0xc8/0x118 +[ 3.082577] platform_drv_probe+0x50/0xa0 +[ 3.082585] really_probe+0x1b0/0x288 +[ 3.082593] driver_probe_device+0x58/0x100 +[ 3.082601] __device_attach_driver+0x98/0xf0 +[ 3.082609] bus_for_each_drv+0x64/0xc8 +[ 3.082616] __device_attach+0xd8/0x130 +[ 3.082624] device_initial_probe+0x10/0x18 +[ 3.082631] bus_probe_device+0x90/0x98 +[ 3.082638] deferred_probe_work_func+0x74/0xb0 +[ 3.082649] process_one_work+0x1e0/0x318 +[ 3.082656] worker_thread+0x228/0x450 +[ 3.082664] kthread+0x128/0x130 +[ 3.082672] ret_from_fork+0x10/0x18 +[ 3.082678] ---[ end trace 0810fe6ba772c1c7 ]--- + +Fix this by retaining the value of fuse->base until driver has +successfully probed. + +Signed-off-by: Timo Alho +Acked-by: Jon Hunter +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/soc/tegra/fuse/fuse-tegra.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/drivers/soc/tegra/fuse/fuse-tegra.c b/drivers/soc/tegra/fuse/fuse-tegra.c +index a33ee8ef8b6b..51625703399e 100644 +--- a/drivers/soc/tegra/fuse/fuse-tegra.c ++++ b/drivers/soc/tegra/fuse/fuse-tegra.c +@@ -137,13 +137,17 @@ static int tegra_fuse_probe(struct platform_device *pdev) + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); + fuse->phys = res->start; + fuse->base = devm_ioremap_resource(&pdev->dev, res); +- if (IS_ERR(fuse->base)) +- return PTR_ERR(fuse->base); ++ if (IS_ERR(fuse->base)) { ++ err = PTR_ERR(fuse->base); ++ fuse->base = base; ++ return err; ++ } + + fuse->clk = devm_clk_get(&pdev->dev, "fuse"); + if (IS_ERR(fuse->clk)) { + dev_err(&pdev->dev, "failed to get FUSE clock: %ld", + PTR_ERR(fuse->clk)); ++ fuse->base = base; + return PTR_ERR(fuse->clk); + } + +@@ -152,8 +156,10 @@ static int tegra_fuse_probe(struct platform_device *pdev) + + if (fuse->soc->probe) { + err = fuse->soc->probe(fuse); +- if (err < 0) ++ if (err < 0) { ++ fuse->base = base; + return err; ++ } + } + + if (tegra_fuse_create_sysfs(&pdev->dev, fuse->soc->info->size, +-- +2.19.1 + diff --git a/queue-5.0/staging-iio-adt7316-fix-dac_bits-assignment.patch b/queue-5.0/staging-iio-adt7316-fix-dac_bits-assignment.patch new file mode 100644 index 00000000000..7642e18f4d5 --- /dev/null +++ b/queue-5.0/staging-iio-adt7316-fix-dac_bits-assignment.patch @@ -0,0 +1,80 @@ +From a3628bb7e948fb6f7b069475abb33700fff936b9 Mon Sep 17 00:00:00 2001 +From: Jeremy Fertic +Date: Sat, 22 Dec 2018 21:57:40 -0700 +Subject: staging: iio: adt7316: fix dac_bits assignment + +[ Upstream commit e9de475723de5bf207a5b7b88bdca863393e42c8 ] + +The value of dac_bits is used in adt7316_show_DAC() and adt7316_store_DAC(), +and it should be either 8, 10, or 12 bits depending on the device in use. The +driver currently only assigns a value to dac_bits in +adt7316_store_da_high_resolution(). The purpose of the dac high resolution +option is not to change dac resolution for normal operation. Instead, it +is specific to an optional feature where one or two of the four dacs can +be set to output voltage proportional to temperature. If the user chooses +to set dac a and/or dac b to output voltage proportional to temperature, +the da_high_resolution attribute can optionally be enabled to use 10 bit +resolution rather than the default 8 bits. This is only available on the +10 and 12 bit dac devices. If the user attempts to read or write dacs a +or b under these settings, the driver's current behaviour is to return an +error. Dacs c and d continue to operate normally under these conditions. +With the above in mind, remove the dac_bits assignments from this function +since the value of dac_bits as used in the driver is not dependent on this +dac high resolution option. + +Since the dac_bits assignments discussed above are currently the only ones +in this driver, the default value of dac_bits is 0. This results in incorrect +calculations when the dacs are read or written in adt7316_show_DAC() and +adt7316_store_DAC(). To correct this, assign a value to dac_bits in +adt7316_probe() to ensure correct operation as soon as the device is +registered and available to userspace. + +Fixes: 35f6b6b86ede ("staging: iio: new ADT7316/7/8 and ADT7516/7/9 driver") +Signed-off-by: Jeremy Fertic +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/staging/iio/addac/adt7316.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/drivers/staging/iio/addac/adt7316.c b/drivers/staging/iio/addac/adt7316.c +index dc93e85808e0..7839d869d25d 100644 +--- a/drivers/staging/iio/addac/adt7316.c ++++ b/drivers/staging/iio/addac/adt7316.c +@@ -651,17 +651,10 @@ static ssize_t adt7316_store_da_high_resolution(struct device *dev, + u8 config3; + int ret; + +- chip->dac_bits = 8; +- +- if (buf[0] == '1') { ++ if (buf[0] == '1') + config3 = chip->config3 | ADT7316_DA_HIGH_RESOLUTION; +- if (chip->id == ID_ADT7316 || chip->id == ID_ADT7516) +- chip->dac_bits = 12; +- else if (chip->id == ID_ADT7317 || chip->id == ID_ADT7517) +- chip->dac_bits = 10; +- } else { ++ else + config3 = chip->config3 & (~ADT7316_DA_HIGH_RESOLUTION); +- } + + ret = chip->bus.write(chip->bus.client, ADT7316_CONFIG3, config3); + if (ret) +@@ -2123,6 +2116,13 @@ int adt7316_probe(struct device *dev, struct adt7316_bus *bus, + else + return -ENODEV; + ++ if (chip->id == ID_ADT7316 || chip->id == ID_ADT7516) ++ chip->dac_bits = 12; ++ else if (chip->id == ID_ADT7317 || chip->id == ID_ADT7517) ++ chip->dac_bits = 10; ++ else ++ chip->dac_bits = 8; ++ + chip->ldac_pin = devm_gpiod_get_optional(dev, "adi,ldac", GPIOD_OUT_LOW); + if (IS_ERR(chip->ldac_pin)) { + ret = PTR_ERR(chip->ldac_pin); +-- +2.19.1 + diff --git a/queue-5.0/staging-spi-mt7621-add-return-code-check-on-device_r.patch b/queue-5.0/staging-spi-mt7621-add-return-code-check-on-device_r.patch new file mode 100644 index 00000000000..2e4545e4436 --- /dev/null +++ b/queue-5.0/staging-spi-mt7621-add-return-code-check-on-device_r.patch @@ -0,0 +1,50 @@ +From d880bdf39a9f911257622304f04262e885016f90 Mon Sep 17 00:00:00 2001 +From: Stefan Roese +Date: Fri, 1 Feb 2019 11:17:09 +0100 +Subject: staging: spi: mt7621: Add return code check on device_reset() + +[ Upstream commit 46c337872f34bc6387b0c29a4964f562c70139e3 ] + +This patch adds a return code check on device_reset() and removes the +compile warning. + +Signed-off-by: Stefan Roese +Cc: Mark Brown +Cc: Sankalp Negi +Cc: Chuanhong Guo +Cc: John Crispin +Reviewed-by: NeilBrown +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/mt7621-spi/spi-mt7621.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/staging/mt7621-spi/spi-mt7621.c b/drivers/staging/mt7621-spi/spi-mt7621.c +index 513b6e79b985..e1f50efd0922 100644 +--- a/drivers/staging/mt7621-spi/spi-mt7621.c ++++ b/drivers/staging/mt7621-spi/spi-mt7621.c +@@ -330,6 +330,7 @@ static int mt7621_spi_probe(struct platform_device *pdev) + int status = 0; + struct clk *clk; + struct mt7621_spi_ops *ops; ++ int ret; + + match = of_match_device(mt7621_spi_match, &pdev->dev); + if (!match) +@@ -377,7 +378,11 @@ static int mt7621_spi_probe(struct platform_device *pdev) + rs->pending_write = 0; + dev_info(&pdev->dev, "sys_freq: %u\n", rs->sys_freq); + +- device_reset(&pdev->dev); ++ ret = device_reset(&pdev->dev); ++ if (ret) { ++ dev_err(&pdev->dev, "SPI reset failed!\n"); ++ return ret; ++ } + + mt7621_spi_reset(rs); + +-- +2.19.1 + diff --git a/queue-5.0/sysctl-handle-overflow-for-file-max.patch b/queue-5.0/sysctl-handle-overflow-for-file-max.patch new file mode 100644 index 00000000000..400116fbc9a --- /dev/null +++ b/queue-5.0/sysctl-handle-overflow-for-file-max.patch @@ -0,0 +1,70 @@ +From 6478b9088d5d64b1b4b1166239917b6cec14ae86 Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Thu, 7 Mar 2019 16:29:43 -0800 +Subject: sysctl: handle overflow for file-max + +[ Upstream commit 32a5ad9c22852e6bd9e74bdec5934ef9d1480bc5 ] + +Currently, when writing + + echo 18446744073709551616 > /proc/sys/fs/file-max + +/proc/sys/fs/file-max will overflow and be set to 0. That quickly +crashes the system. + +This commit sets the max and min value for file-max. The max value is +set to long int. Any higher value cannot currently be used as the +percpu counters are long ints and not unsigned integers. + +Note that the file-max value is ultimately parsed via +__do_proc_doulongvec_minmax(). This function does not report error when +min or max are exceeded. Which means if a value largen that long int is +written userspace will not receive an error instead the old value will be +kept. There is an argument to be made that this should be changed and +__do_proc_doulongvec_minmax() should return an error when a dedicated min +or max value are exceeded. However this has the potential to break +userspace so let's defer this to an RFC patch. + +Link: http://lkml.kernel.org/r/20190107222700.15954-3-christian@brauner.io +Signed-off-by: Christian Brauner +Acked-by: Kees Cook +Cc: Alexey Dobriyan +Cc: Al Viro +Cc: Dominik Brodowski +Cc: "Eric W. Biederman" +Cc: Joe Lawrence +Cc: Luis Chamberlain +Cc: Waiman Long +[christian@brauner.io: v4] + Link: http://lkml.kernel.org/r/20190210203943.8227-3-christian@brauner.io +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + kernel/sysctl.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/kernel/sysctl.c b/kernel/sysctl.c +index d80bee8ff12e..28ec71d914c7 100644 +--- a/kernel/sysctl.c ++++ b/kernel/sysctl.c +@@ -127,6 +127,7 @@ static int __maybe_unused one = 1; + static int __maybe_unused two = 2; + static int __maybe_unused four = 4; + static unsigned long one_ul = 1; ++static unsigned long long_max = LONG_MAX; + static int one_hundred = 100; + static int one_thousand = 1000; + #ifdef CONFIG_PRINTK +@@ -1722,6 +1723,8 @@ static struct ctl_table fs_table[] = { + .maxlen = sizeof(files_stat.max_files), + .mode = 0644, + .proc_handler = proc_doulongvec_minmax, ++ .extra1 = &zero, ++ .extra2 = &long_max, + }, + { + .procname = "nr_open", +-- +2.19.1 + diff --git a/queue-5.0/tools-bpf-selftests-add-map-lookup-to-test_map_in_ma.patch b/queue-5.0/tools-bpf-selftests-add-map-lookup-to-test_map_in_ma.patch new file mode 100644 index 00000000000..df5d3cbaeb9 --- /dev/null +++ b/queue-5.0/tools-bpf-selftests-add-map-lookup-to-test_map_in_ma.patch @@ -0,0 +1,61 @@ +From 2b94b6983de214d94616f1bfb63bd4f51c8d1bf0 Mon Sep 17 00:00:00 2001 +From: Yonghong Song +Date: Wed, 27 Feb 2019 13:22:57 -0800 +Subject: tools/bpf: selftests: add map lookup to test_map_in_map bpf prog + +[ Upstream commit 9eca5083757b679b37f210092c871916c2c222d0 ] + +The bpf_map_lookup_elem is added in the bpf program. +Without previous patch, the test change will trigger the +following error: + $ ./test_maps + ... + ; value_p = bpf_map_lookup_elem(map, &key); + 20: (bf) r1 = r7 + 21: (bf) r2 = r8 + 22: (85) call bpf_map_lookup_elem#1 + ; if (!value_p || *value_p != 123) + 23: (15) if r0 == 0x0 goto pc+16 + R0=map_value(id=2,off=0,ks=4,vs=4,imm=0) R6=inv1 R7=map_ptr(id=0,off=0,ks=4,vs=4,imm=0) + R8=fp-8,call_-1 R10=fp0,call_-1 fp-8=mmmmmmmm + ; if (!value_p || *value_p != 123) + 24: (61) r1 = *(u32 *)(r0 +0) + R0=map_value(id=2,off=0,ks=4,vs=4,imm=0) R6=inv1 R7=map_ptr(id=0,off=0,ks=4,vs=4,imm=0) + R8=fp-8,call_-1 R10=fp0,call_-1 fp-8=mmmmmmmm + bpf_spin_lock cannot be accessed directly by load/store + +With the kernel fix in the previous commit, the error goes away. + +Signed-off-by: Yonghong Song +Acked-by: Andrii Nakryiko +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/test_map_in_map.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/tools/testing/selftests/bpf/test_map_in_map.c b/tools/testing/selftests/bpf/test_map_in_map.c +index ce923e67e08e..2985f262846e 100644 +--- a/tools/testing/selftests/bpf/test_map_in_map.c ++++ b/tools/testing/selftests/bpf/test_map_in_map.c +@@ -27,6 +27,7 @@ SEC("xdp_mimtest") + int xdp_mimtest0(struct xdp_md *ctx) + { + int value = 123; ++ int *value_p; + int key = 0; + void *map; + +@@ -35,6 +36,9 @@ int xdp_mimtest0(struct xdp_md *ctx) + return XDP_DROP; + + bpf_map_update_elem(map, &key, &value, 0); ++ value_p = bpf_map_lookup_elem(map, &key); ++ if (!value_p || *value_p != 123) ++ return XDP_DROP; + + map = bpf_map_lookup_elem(&mim_hash, &key); + if (!map) +-- +2.19.1 + diff --git a/queue-5.0/tools-build-add-lrt-to-feature_check_ldflags-libaio.patch b/queue-5.0/tools-build-add-lrt-to-feature_check_ldflags-libaio.patch new file mode 100644 index 00000000000..76c57c3108e --- /dev/null +++ b/queue-5.0/tools-build-add-lrt-to-feature_check_ldflags-libaio.patch @@ -0,0 +1,48 @@ +From 77853e5bb7d2e939d1a9dc28bb7da767c89bad94 Mon Sep 17 00:00:00 2001 +From: Arnaldo Carvalho de Melo +Date: Tue, 12 Feb 2019 11:20:56 -0300 +Subject: tools build: Add -lrt to FEATURE_CHECK_LDFLAGS-libaio + +[ Upstream commit aa8f9c517ebce7a0959da064ef2660ea03f133f8 ] + +Since we need it to resolve the AIO symbols, otherwise we fail with: + + $ cat /tmp/build/perf/feature/test-all.make.output + /usr/bin/ld: /tmp/ccEqrj36.o: undefined reference to symbol 'aio_return64@@GLIBC_2.2.5' + /usr/bin/ld: //usr/lib64/librt.so.1: error adding symbols: DSO missing from command line + collect2: error: ld returned 1 exit status + $ + +When we added the aio support in 'perf record' only the test-libaio.bin +target got the -lrt, i.e. the feature detection slow path. Fix it. + +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Alexey Budankov +Cc: Andi Kleen +Cc: Jiri Olsa +Cc: Namhyung Kim +Cc: Peter Zijlstra +Fixes: 2a07d814747b ("tools build feature: Check if libaio is available") +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/Makefile.config | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tools/perf/Makefile.config b/tools/perf/Makefile.config +index b441c88cafa1..e6360d47e73a 100644 +--- a/tools/perf/Makefile.config ++++ b/tools/perf/Makefile.config +@@ -218,6 +218,8 @@ FEATURE_CHECK_LDFLAGS-libpython := $(PYTHON_EMBED_LDOPTS) + FEATURE_CHECK_CFLAGS-libpython-version := $(PYTHON_EMBED_CCOPTS) + FEATURE_CHECK_LDFLAGS-libpython-version := $(PYTHON_EMBED_LDOPTS) + ++FEATURE_CHECK_LDFLAGS-libaio = -lrt ++ + CFLAGS += -fno-omit-frame-pointer + CFLAGS += -ggdb3 + CFLAGS += -funwind-tables +-- +2.19.1 + diff --git a/queue-5.0/tools-build-add-test-reallocarray.c-to-test-all.c-to.patch b/queue-5.0/tools-build-add-test-reallocarray.c-to-test-all.c-to.patch new file mode 100644 index 00000000000..84408d27565 --- /dev/null +++ b/queue-5.0/tools-build-add-test-reallocarray.c-to-test-all.c-to.patch @@ -0,0 +1,188 @@ +From 8844287a89e68134a041638815cd0fba766d57c0 Mon Sep 17 00:00:00 2001 +From: Arnaldo Carvalho de Melo +Date: Thu, 14 Feb 2019 12:01:04 -0300 +Subject: tools build: Add test-reallocarray.c to test-all.c to fix the build + +[ Upstream commit a96c03e8cdcf123384319f312d0a08a7a760bb35 ] + +When a test is in the FEATURE_TESTS_BASIC list in tools/build/Makefile.feature +must be added to tools/build/feature/test-all.c, because the successfull +compilation and linking of that test-all.bin file means that all the +features listed in FEATURE_TESTS_BASIC are present in the system, so we +don't have to go on feature by feature test building them. + +Since reallocarray() is expected to be present in modern systems, it has +a place in FEATURE_TESTS_BASIC, so that we speed up the build process +building just that file. + +For older systems, such as ubuntu:16.04 (build failure reported by Jin +Yao) debian:8, and for the current flagship RHEL distro, RHEL7, the +build will fail as test-all.bin (without test-reallocarray.c included) +passes but reallocarray() isn't present, making the build fail with: + + CC /tmp/build/perf/libbpf.o + MKDIR /tmp/build/perf/fs/ + CC /tmp/build/perf/fs/tracing_path.o + LD /tmp/build/perf/fd/libapi-in.o + CC /tmp/build/perf/bpf.o + libbpf.c: In function 'bpf_object__add_program': + libbpf.c:367:10: error: implicit declaration of function 'reallocarray' [-Werror=implicit-function-declaration] + progs = reallocarray(progs, nr_progs + 1, sizeof(progs[0])); + ^ + libbpf.c:367:2: error: nested extern declaration of 'reallocarray' [-Werror=nested-externs] + progs = reallocarray(progs, nr_progs + 1, sizeof(progs[0])); + ^ + libbpf.c:367:8: error: assignment makes pointer from integer without a cast [-Werror=int-conversion] + progs = reallocarray(progs, nr_progs + 1, sizeof(progs[0])); + ^ + libbpf.c: In function 'bpf_object__elf_collect': + libbpf.c:887:10: error: assignment makes pointer from integer without a cast [-Werror=int-conversion] + reloc = reallocarray(reloc, nr_reloc, + ^ + libbpf.c: In function 'bpf_program__reloc_text': + libbpf.c:1394:12: error: assignment makes pointer from integer without a cast [-Werror=int-conversion] + new_insn = reallocarray(prog->insns, new_cnt, sizeof(*insn)); + ^ + CC /tmp/build/perf/nlattr.o + +Even with: + + $ grep reallocarray /tmp/build/perf/FEATURE-DUMP + feature-reallocarray=1 + $ + +Which ubuntu:16.04.5 LTS doesn't have: + + perfbuilder@38a153a1bba8:/$ head -2 /etc/os-release + NAME="Ubuntu" + VERSION="16.04.5 LTS (Xenial Xerus)" + perfbuilder@38a153a1bba8:/$ find /usr/include/ -name "*.h" | xargs grep -w reallocarray + perfbuilder@38a153a1bba8:/$ + +Fix it by including it to test-all.c, which ends up forcing the +individual tests to be triggered and for the build process to notice +that indeed reallocarray() is not there: + + perfbuilder@38a153a1bba8:/$ cat /tmp/build/perf/feature/test-all.make.output + In file included from test-all.c:178:0: + test-reallocarray.c: In function 'main_test_reallocarray': + test-reallocarray.c:7:11: error: implicit declaration of function 'reallocarray' [-Werror=implicit-function-declaration] + return !!reallocarray(NULL, 1, 1); + ^ + cc1: all warnings being treated as errors + perfbuilder@38a153a1bba8:/$ + +That is the only test that is failing on Ubuntu 16.03.5 LTS, so all +tests are forced: + + perfbuilder@38a153a1bba8:/tmp/build/perf/feature$ ls -lSr *.make.output + + -rw-r--r--. 1 perfbuilder perfbuilder 0 Feb 14 15:00 test-dwarf.make.output + -rw-r--r--. 1 perfbuilder perfbuilder 0 Feb 14 14:16 test-cplus-demangle.make.output + -rw-r--r--. 1 perfbuilder perfbuilder 0 Feb 14 15:00 test-bpf.make.output + -rw-r--r--. 1 perfbuilder perfbuilder 0 Feb 14 15:00 test-backtrace.make.output + -rw-r--r--. 1 perfbuilder perfbuilder 104 Feb 14 15:00 test-bionic.make.output + -rw-r--r--. 1 perfbuilder perfbuilder 107 Feb 14 15:00 test-libunwind-x86.make.output + -rw-r--r--. 1 perfbuilder perfbuilder 115 Feb 14 15:00 test-libunwind-aarch64.make.output + -rw-r--r--. 1 perfbuilder perfbuilder 122 Feb 14 15:00 test-libbabeltrace.make.output + -rw-r--r--. 1 perfbuilder perfbuilder 254 Feb 14 15:00 test-reallocarray.make.output + -rw-r--r--. 1 perfbuilder perfbuilder 312 Feb 14 15:00 test-all.make.output + perfbuilder@38a153a1bba8:/tmp/build/perf/feature$ + +And that reallocarray() one shows: + + perfbuilder@38a153a1bba8:/tmp/build/perf/feature$ cat test-reallocarray.make.output + test-reallocarray.c: In function 'main': + test-reallocarray.c:7:11: error: implicit declaration of function 'reallocarray' [-Werror=implicit-function-declaration] + return !!reallocarray(NULL, 1, 1); + ^ + cc1: all warnings being treated as errors + perfbuilder@38a153a1bba8:/tmp/build/perf/feature$ + +Which now generates the expected result: + + perfbuilder@38a153a1bba8:~$ grep reallocarray /tmp/build/perf/FEATURE-DUMP + feature-reallocarray=0 + perfbuilder@38a153a1bba8:~$ + +The fallback mechanism kicks in and libbpf and perf are again buildable +in systems without reallocarray(): + + $ cat tools/include/tools/libc_compat.h + // SPDX-License-Identifier: (LGPL-2.0+ OR BSD-2-Clause) + /* Copyright (C) 2018 Netronome Systems, Inc. */ + + #ifndef __TOOLS_LIBC_COMPAT_H + #define __TOOLS_LIBC_COMPAT_H + + #include + #include + + #ifdef COMPAT_NEED_REALLOCARRAY + static inline void *reallocarray(void *ptr, size_t nmemb, size_t size) + { + size_t bytes; + + if (unlikely(check_mul_overflow(nmemb, size, &bytes))) + return NULL; + return realloc(ptr, bytes); + } + #endif + #endif + $ + +Reported-by: Jin Yao +Acked-by: Jiri Olsa +Cc: Adrian Hunter +Cc: Alexei Starovoitov +Cc: Andrii Nakryiko +Cc: Daniel Borkmann +Cc: Jakub Kicinski +Cc: Namhyung Kim +Cc: Song Liu +Cc: Yonghong Song +Fixes: 531b014e7a2f ("tools: bpf: make use of reallocarray") +Link: https://lkml.kernel.org/n/tip-aonqku8axii8rxki5g11w40b@git.kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/build/feature/test-all.c | 5 +++++ + tools/build/feature/test-reallocarray.c | 2 ++ + 2 files changed, 7 insertions(+) + +diff --git a/tools/build/feature/test-all.c b/tools/build/feature/test-all.c +index 20cdaa4fc112..93f485098161 100644 +--- a/tools/build/feature/test-all.c ++++ b/tools/build/feature/test-all.c +@@ -178,6 +178,10 @@ + # include "test-libaio.c" + #undef main + ++#define main main_test_reallocarray ++# include "test-reallocarray.c" ++#undef main ++ + int main(int argc, char *argv[]) + { + main_test_libpython(); +@@ -219,6 +223,7 @@ int main(int argc, char *argv[]) + main_test_setns(); + main_test_libopencsd(); + main_test_libaio(); ++ main_test_reallocarray(); + + return 0; + } +diff --git a/tools/build/feature/test-reallocarray.c b/tools/build/feature/test-reallocarray.c +index 8170de35150d..8f6743e31da7 100644 +--- a/tools/build/feature/test-reallocarray.c ++++ b/tools/build/feature/test-reallocarray.c +@@ -6,3 +6,5 @@ int main(void) + { + return !!reallocarray(NULL, 1, 1); + } ++ ++#undef _GNU_SOURCE +-- +2.19.1 + diff --git a/queue-5.0/tools-lib-traceevent-fix-buffer-overflow-in-arg_eval.patch b/queue-5.0/tools-lib-traceevent-fix-buffer-overflow-in-arg_eval.patch new file mode 100644 index 00000000000..749cac23b80 --- /dev/null +++ b/queue-5.0/tools-lib-traceevent-fix-buffer-overflow-in-arg_eval.patch @@ -0,0 +1,47 @@ +From 33703d197538caf03f8f67404db0b181e33c3bd2 Mon Sep 17 00:00:00 2001 +From: Tony Jones +Date: Wed, 27 Feb 2019 17:55:32 -0800 +Subject: tools lib traceevent: Fix buffer overflow in arg_eval + +[ Upstream commit 7c5b019e3a638a5a290b0ec020f6ca83d2ec2aaa ] + +Fix buffer overflow observed when running perf test. + +The overflow is when trying to evaluate "1ULL << (64 - 1)" which is +resulting in -9223372036854775808 which overflows the 20 character +buffer. + +If is possible this bug has been reported before but I still don't see +any fix checked in: + +See: https://www.spinics.net/lists/linux-perf-users/msg07714.html + +Reported-by: Michael Sartain +Reported-by: Mathias Krause +Signed-off-by: Tony Jones +Acked-by: Steven Rostedt (VMware) +Cc: Frederic Weisbecker +Fixes: f7d82350e597 ("tools/events: Add files to create libtraceevent.a") +Link: http://lkml.kernel.org/r/20190228015532.8941-1-tonyj@suse.de +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/lib/traceevent/event-parse.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/lib/traceevent/event-parse.c b/tools/lib/traceevent/event-parse.c +index abd4fa5d3088..87494c7c619d 100644 +--- a/tools/lib/traceevent/event-parse.c ++++ b/tools/lib/traceevent/event-parse.c +@@ -2457,7 +2457,7 @@ static int arg_num_eval(struct tep_print_arg *arg, long long *val) + static char *arg_eval (struct tep_print_arg *arg) + { + long long val; +- static char buf[20]; ++ static char buf[24]; + + switch (arg->type) { + case TEP_PRINT_ATOM: +-- +2.19.1 + diff --git a/queue-5.0/tracing-kdb-fix-ftdump-to-not-sleep.patch b/queue-5.0/tracing-kdb-fix-ftdump-to-not-sleep.patch new file mode 100644 index 00000000000..ac55bd25c45 --- /dev/null +++ b/queue-5.0/tracing-kdb-fix-ftdump-to-not-sleep.patch @@ -0,0 +1,143 @@ +From 93d13ec6392a2515b6034added1deb43d4cdd399 Mon Sep 17 00:00:00 2001 +From: Douglas Anderson +Date: Fri, 8 Mar 2019 11:32:04 -0800 +Subject: tracing: kdb: Fix ftdump to not sleep + +[ Upstream commit 31b265b3baaf55f209229888b7ffea523ddab366 ] + +As reported back in 2016-11 [1], the "ftdump" kdb command triggers a +BUG for "sleeping function called from invalid context". + +kdb's "ftdump" command wants to call ring_buffer_read_prepare() in +atomic context. A very simple solution for this is to add allocation +flags to ring_buffer_read_prepare() so kdb can call it without +triggering the allocation error. This patch does that. + +Note that in the original email thread about this, it was suggested +that perhaps the solution for kdb was to either preallocate the buffer +ahead of time or create our own iterator. I'm hoping that this +alternative of adding allocation flags to ring_buffer_read_prepare() +can be considered since it means I don't need to duplicate more of the +core trace code into "trace_kdb.c" (for either creating my own +iterator or re-preparing a ring allocator whose memory was already +allocated). + +NOTE: another option for kdb is to actually figure out how to make it +reuse the existing ftrace_dump() function and totally eliminate the +duplication. This sounds very appealing and actually works (the "sr +z" command can be seen to properly dump the ftrace buffer). The +downside here is that ftrace_dump() fully consumes the trace buffer. +Unless that is changed I'd rather not use it because it means "ftdump +| grep xyz" won't be very useful to search the ftrace buffer since it +will throw away the whole trace on the first grep. A future patch to +dump only the last few lines of the buffer will also be hard to +implement. + +[1] https://lkml.kernel.org/r/20161117191605.GA21459@google.com + +Link: http://lkml.kernel.org/r/20190308193205.213659-1-dianders@chromium.org + +Reported-by: Brian Norris +Signed-off-by: Douglas Anderson +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +--- + include/linux/ring_buffer.h | 2 +- + kernel/trace/ring_buffer.c | 5 +++-- + kernel/trace/trace.c | 6 ++++-- + kernel/trace/trace_kdb.c | 6 ++++-- + 4 files changed, 12 insertions(+), 7 deletions(-) + +diff --git a/include/linux/ring_buffer.h b/include/linux/ring_buffer.h +index 5b9ae62272bb..503778920448 100644 +--- a/include/linux/ring_buffer.h ++++ b/include/linux/ring_buffer.h +@@ -128,7 +128,7 @@ ring_buffer_consume(struct ring_buffer *buffer, int cpu, u64 *ts, + unsigned long *lost_events); + + struct ring_buffer_iter * +-ring_buffer_read_prepare(struct ring_buffer *buffer, int cpu); ++ring_buffer_read_prepare(struct ring_buffer *buffer, int cpu, gfp_t flags); + void ring_buffer_read_prepare_sync(void); + void ring_buffer_read_start(struct ring_buffer_iter *iter); + void ring_buffer_read_finish(struct ring_buffer_iter *iter); +diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c +index 06e864a334bb..b49affb4666b 100644 +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -4205,6 +4205,7 @@ EXPORT_SYMBOL_GPL(ring_buffer_consume); + * ring_buffer_read_prepare - Prepare for a non consuming read of the buffer + * @buffer: The ring buffer to read from + * @cpu: The cpu buffer to iterate over ++ * @flags: gfp flags to use for memory allocation + * + * This performs the initial preparations necessary to iterate + * through the buffer. Memory is allocated, buffer recording +@@ -4222,7 +4223,7 @@ EXPORT_SYMBOL_GPL(ring_buffer_consume); + * This overall must be paired with ring_buffer_read_finish. + */ + struct ring_buffer_iter * +-ring_buffer_read_prepare(struct ring_buffer *buffer, int cpu) ++ring_buffer_read_prepare(struct ring_buffer *buffer, int cpu, gfp_t flags) + { + struct ring_buffer_per_cpu *cpu_buffer; + struct ring_buffer_iter *iter; +@@ -4230,7 +4231,7 @@ ring_buffer_read_prepare(struct ring_buffer *buffer, int cpu) + if (!cpumask_test_cpu(cpu, buffer->cpumask)) + return NULL; + +- iter = kmalloc(sizeof(*iter), GFP_KERNEL); ++ iter = kmalloc(sizeof(*iter), flags); + if (!iter) + return NULL; + +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c +index 5f40db27aaf2..89158aa93fa6 100644 +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -3904,7 +3904,8 @@ __tracing_open(struct inode *inode, struct file *file, bool snapshot) + if (iter->cpu_file == RING_BUFFER_ALL_CPUS) { + for_each_tracing_cpu(cpu) { + iter->buffer_iter[cpu] = +- ring_buffer_read_prepare(iter->trace_buffer->buffer, cpu); ++ ring_buffer_read_prepare(iter->trace_buffer->buffer, ++ cpu, GFP_KERNEL); + } + ring_buffer_read_prepare_sync(); + for_each_tracing_cpu(cpu) { +@@ -3914,7 +3915,8 @@ __tracing_open(struct inode *inode, struct file *file, bool snapshot) + } else { + cpu = iter->cpu_file; + iter->buffer_iter[cpu] = +- ring_buffer_read_prepare(iter->trace_buffer->buffer, cpu); ++ ring_buffer_read_prepare(iter->trace_buffer->buffer, ++ cpu, GFP_KERNEL); + ring_buffer_read_prepare_sync(); + ring_buffer_read_start(iter->buffer_iter[cpu]); + tracing_iter_reset(iter, cpu); +diff --git a/kernel/trace/trace_kdb.c b/kernel/trace/trace_kdb.c +index d953c163a079..810d78a8d14c 100644 +--- a/kernel/trace/trace_kdb.c ++++ b/kernel/trace/trace_kdb.c +@@ -51,14 +51,16 @@ static void ftrace_dump_buf(int skip_lines, long cpu_file) + if (cpu_file == RING_BUFFER_ALL_CPUS) { + for_each_tracing_cpu(cpu) { + iter.buffer_iter[cpu] = +- ring_buffer_read_prepare(iter.trace_buffer->buffer, cpu); ++ ring_buffer_read_prepare(iter.trace_buffer->buffer, ++ cpu, GFP_ATOMIC); + ring_buffer_read_start(iter.buffer_iter[cpu]); + tracing_iter_reset(&iter, cpu); + } + } else { + iter.cpu_file = cpu_file; + iter.buffer_iter[cpu_file] = +- ring_buffer_read_prepare(iter.trace_buffer->buffer, cpu_file); ++ ring_buffer_read_prepare(iter.trace_buffer->buffer, ++ cpu_file, GFP_ATOMIC); + ring_buffer_read_start(iter.buffer_iter[cpu_file]); + tracing_iter_reset(&iter, cpu_file); + } +-- +2.19.1 + diff --git a/queue-5.0/tty-increase-the-default-flip-buffer-limit-to-2-640k.patch b/queue-5.0/tty-increase-the-default-flip-buffer-limit-to-2-640k.patch new file mode 100644 index 00000000000..3b20288221a --- /dev/null +++ b/queue-5.0/tty-increase-the-default-flip-buffer-limit-to-2-640k.patch @@ -0,0 +1,51 @@ +From d15c67896093ae1d2db2c9bad849d728b1e14feb Mon Sep 17 00:00:00 2001 +From: Manfred Schlaegl +Date: Mon, 28 Jan 2019 19:01:10 +0100 +Subject: tty: increase the default flip buffer limit to 2*640K + +[ Upstream commit 7ab57b76ebf632bf2231ccabe26bea33868118c6 ] + +We increase the default limit for buffer memory allocation by a factor of +10 to 640K to prevent data loss when using fast serial interfaces. + +For example when using RS485 without flow-control at speeds of 1Mbit/s +an upwards we've run into problems such as applications being too slow +to read out this buffer (on embedded devices based on imx53 or imx6). + +If you want to write transmitted data to a slow SD card and thus have +realtime requirements, this limit can become a problem. + +That shouldn't be the case and 640K buffers fix such problems for us. + +This value is a maximum limit for allocation only. It has no effect +on systems that currently run fine. When transmission is slow enough +applications and hardware can keep up and increasing this limit +doesn't change anything. + +It only _allows_ to allocate more than 2*64K in cases we currently fail to +allocate memory despite having some. + +Signed-off-by: Manfred Schlaegl +Signed-off-by: Martin Kepplinger +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/tty_buffer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/tty/tty_buffer.c b/drivers/tty/tty_buffer.c +index 77070c2d1240..ec145a59f199 100644 +--- a/drivers/tty/tty_buffer.c ++++ b/drivers/tty/tty_buffer.c +@@ -26,7 +26,7 @@ + * Byte threshold to limit memory consumption for flip buffers. + * The actual memory limit is > 2x this amount. + */ +-#define TTYB_DEFAULT_MEM_LIMIT 65536 ++#define TTYB_DEFAULT_MEM_LIMIT (640 * 1024UL) + + /* + * We default to dicing tty buffer allocations to this many characters +-- +2.19.1 + diff --git a/queue-5.0/usb-chipidea-grab-the-legacy-usb-phy-by-phandle-firs.patch b/queue-5.0/usb-chipidea-grab-the-legacy-usb-phy-by-phandle-firs.patch new file mode 100644 index 00000000000..338a4bffbbc --- /dev/null +++ b/queue-5.0/usb-chipidea-grab-the-legacy-usb-phy-by-phandle-firs.patch @@ -0,0 +1,57 @@ +From 8f72e9eed3747cf2301c80cf2b52c46db2bcc725 Mon Sep 17 00:00:00 2001 +From: Paul Kocialkowski +Date: Wed, 27 Feb 2019 06:51:36 +0000 +Subject: usb: chipidea: Grab the (legacy) USB PHY by phandle first + +[ Upstream commit 68ef236274793066b9ba3154b16c0acc1c891e5c ] + +According to the chipidea driver bindings, the USB PHY is specified via +the "phys" phandle node. However, this only takes effect for USB PHYs +that use the common PHY framework. For legacy USB PHYs, a simple lookup +based on the USB PHY type is done instead. + +This does not play out well when more than one USB PHY is registered, +since the first registered PHY matching the type will always be +returned regardless of what the driver was bound to. + +Fix this by looking up the PHY based on the "phys" phandle node. +Although generic PHYs are rather matched by their "phys-name" and not +the "phys" phandle directly, there is no helper for similar lookup on +legacy PHYs and it's probably not worth the effort to add it. + +When no legacy USB PHY is found by phandle, fallback to grabbing any +registered USB2 PHY. This ensures backward compatibility if some users +were actually relying on this mechanism. + +Signed-off-by: Paul Kocialkowski +Signed-off-by: Peter Chen +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/chipidea/core.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/chipidea/core.c b/drivers/usb/chipidea/core.c +index 7bfcbb23c2a4..016e4004fe9d 100644 +--- a/drivers/usb/chipidea/core.c ++++ b/drivers/usb/chipidea/core.c +@@ -954,8 +954,15 @@ static int ci_hdrc_probe(struct platform_device *pdev) + } else if (ci->platdata->usb_phy) { + ci->usb_phy = ci->platdata->usb_phy; + } else { ++ ci->usb_phy = devm_usb_get_phy_by_phandle(dev->parent, "phys", ++ 0); + ci->phy = devm_phy_get(dev->parent, "usb-phy"); +- ci->usb_phy = devm_usb_get_phy(dev->parent, USB_PHY_TYPE_USB2); ++ ++ /* Fallback to grabbing any registered USB2 PHY */ ++ if (IS_ERR(ci->usb_phy) && ++ PTR_ERR(ci->usb_phy) != -EPROBE_DEFER) ++ ci->usb_phy = devm_usb_get_phy(dev->parent, ++ USB_PHY_TYPE_USB2); + + /* if both generic PHY and USB PHY layers aren't enabled */ + if (PTR_ERR(ci->phy) == -ENOSYS && +-- +2.19.1 + diff --git a/queue-5.0/usb-dwc3-gadget-fix-otg-events-when-gadget-driver-is.patch b/queue-5.0/usb-dwc3-gadget-fix-otg-events-when-gadget-driver-is.patch new file mode 100644 index 00000000000..c1bb0fcca2a --- /dev/null +++ b/queue-5.0/usb-dwc3-gadget-fix-otg-events-when-gadget-driver-is.patch @@ -0,0 +1,46 @@ +From 0fa02d9061e62b58491516ba493cc1fc02766fb1 Mon Sep 17 00:00:00 2001 +From: Roger Quadros +Date: Thu, 10 Jan 2019 17:04:28 +0200 +Subject: usb: dwc3: gadget: Fix OTG events when gadget driver isn't loaded + +[ Upstream commit 169e3b68cadb5775daca009ced4faf01ffd97dcf ] + +On v3.10a in dual-role mode, if port is in device mode +and gadget driver isn't loaded, the OTG event interrupts don't +come through. + +It seems that if the core is configured to be OTG2.0 only, +then we can't leave the DCFG.DEVSPD at Super-speed (default) +if we expect OTG to work properly. It must be set to High-speed. + +Fix this issue by configuring DCFG.DEVSPD to the supported +maximum speed at gadget init. Device tree still needs to provide +correct supported maximum speed for this to work. + +This issue wasn't present on v2.40a but is seen on v3.10a. +It doesn't cause any side effects on v2.40a. + +Signed-off-by: Roger Quadros +Signed-off-by: Sekhar Nori +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/gadget.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c +index 6c9b76bcc2e1..8d1dbe36db92 100644 +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -3339,6 +3339,8 @@ int dwc3_gadget_init(struct dwc3 *dwc) + goto err4; + } + ++ dwc3_gadget_set_speed(&dwc->gadget, dwc->maximum_speed); ++ + return 0; + + err4: +-- +2.19.1 + diff --git a/queue-5.0/usb-f_fs-avoid-crash-due-to-out-of-scope-stack-ptr-a.patch b/queue-5.0/usb-f_fs-avoid-crash-due-to-out-of-scope-stack-ptr-a.patch new file mode 100644 index 00000000000..091538735c0 --- /dev/null +++ b/queue-5.0/usb-f_fs-avoid-crash-due-to-out-of-scope-stack-ptr-a.patch @@ -0,0 +1,101 @@ +From ed982246c270e39ea9b4c2647690515c947f01a6 Mon Sep 17 00:00:00 2001 +From: John Stultz +Date: Tue, 5 Feb 2019 10:24:40 -0800 +Subject: usb: f_fs: Avoid crash due to out-of-scope stack ptr access + +[ Upstream commit 54f64d5c983f939901dacc8cfc0983727c5c742e ] + +Since the 5.0 merge window opened, I've been seeing frequent +crashes on suspend and reboot with the trace: + +[ 36.911170] Unable to handle kernel paging request at virtual address ffffff801153d660 +[ 36.912769] Unable to handle kernel paging request at virtual address ffffff800004b564 +... +[ 36.950666] Call trace: +[ 36.950670] queued_spin_lock_slowpath+0x1cc/0x2c8 +[ 36.950681] _raw_spin_lock_irqsave+0x64/0x78 +[ 36.950692] complete+0x28/0x70 +[ 36.950703] ffs_epfile_io_complete+0x3c/0x50 +[ 36.950713] usb_gadget_giveback_request+0x34/0x108 +[ 36.950721] dwc3_gadget_giveback+0x50/0x68 +[ 36.950723] dwc3_thread_interrupt+0x358/0x1488 +[ 36.950731] irq_thread_fn+0x30/0x88 +[ 36.950734] irq_thread+0x114/0x1b0 +[ 36.950739] kthread+0x104/0x130 +[ 36.950747] ret_from_fork+0x10/0x1c + +I isolated this down to in ffs_epfile_io(): +https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/usb/gadget/function/f_fs.c#n1065 + +Where the completion done is setup on the stack: + DECLARE_COMPLETION_ONSTACK(done); + +Then later we setup a request and queue it, and wait for it: + if (unlikely(wait_for_completion_interruptible(&done))) { + /* + * To avoid race condition with ffs_epfile_io_complete, + * dequeue the request first then check + * status. usb_ep_dequeue API should guarantee no race + * condition with req->complete callback. + */ + usb_ep_dequeue(ep->ep, req); + interrupted = ep->status < 0; + } + +The problem is, that we end up being interrupted, dequeue the +request, and exit. + +But then the irq triggers and we try calling complete() on the +context pointer which points to now random stack space, which +results in the panic. + +Alan Stern pointed out there is a bug here, in that the snippet +above "assumes that usb_ep_dequeue() waits until the request has +been completed." And that: + + wait_for_completion(&done); + +Is needed right after the usb_ep_dequeue(). + +Thus this patch implements that change. With it I no longer see +the crashes on suspend or reboot. + +This issue seems to have been uncovered by behavioral changes in +the dwc3 driver in commit fec9095bdef4e ("usb: dwc3: gadget: +remove wait_end_transfer"). + +Cc: Alan Stern +Cc: Felipe Balbi +Cc: Zeng Tao +Cc: Jack Pham +Cc: Thinh Nguyen +Cc: Chen Yu +Cc: Jerry Zhang +Cc: Lars-Peter Clausen +Cc: Vincent Pelletier +Cc: Andrzej Pietrasiewicz +Cc: Greg Kroah-Hartman +Cc: Linux USB List +Suggested-by: Alan Stern +Signed-off-by: John Stultz +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/f_fs.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c +index 1e5430438703..0f8d16de7a37 100644 +--- a/drivers/usb/gadget/function/f_fs.c ++++ b/drivers/usb/gadget/function/f_fs.c +@@ -1082,6 +1082,7 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data) + * condition with req->complete callback. + */ + usb_ep_dequeue(ep->ep, req); ++ wait_for_completion(&done); + interrupted = ep->status < 0; + } + +-- +2.19.1 + diff --git a/queue-5.0/veth-fix-wformat-truncation.patch b/queue-5.0/veth-fix-wformat-truncation.patch new file mode 100644 index 00000000000..0d1d3eb4a56 --- /dev/null +++ b/queue-5.0/veth-fix-wformat-truncation.patch @@ -0,0 +1,51 @@ +From 7adc62d0b8f2429b65ffe0abe70729202542f3a2 Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Thu, 21 Feb 2019 20:09:29 -0800 +Subject: veth: Fix -Wformat-truncation + +[ Upstream commit abdf47aab4123ece48877cab4153db44fe4dc340 ] + +Provide a precision hint to snprintf() in order to eliminate a +-Wformat-truncation warning provided below. A maximum of 11 characters +is allowed to reach a maximum of 32 - 1 characters given a possible +maximum value of queues using up to UINT_MAX which occupies 10 +characters. Incidentally 11 is the number of characters for +"xdp_packets" which is the largest string we append. + +drivers/net/veth.c: In function 'veth_get_strings': +drivers/net/veth.c:118:47: warning: '%s' directive output may be +truncated writing up to 31 bytes into a region of size between 12 and 21 +[-Wformat-truncation=] + snprintf(p, ETH_GSTRING_LEN, "rx_queue_%u_%s", + ^~ +drivers/net/veth.c:118:5: note: 'snprintf' output between 12 and 52 +bytes into a destination of size 32 + snprintf(p, ETH_GSTRING_LEN, "rx_queue_%u_%s", + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + i, veth_rq_stats_desc[j].desc); + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/veth.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/veth.c b/drivers/net/veth.c +index f412ea1cef18..b203d1867959 100644 +--- a/drivers/net/veth.c ++++ b/drivers/net/veth.c +@@ -115,7 +115,8 @@ static void veth_get_strings(struct net_device *dev, u32 stringset, u8 *buf) + p += sizeof(ethtool_stats_keys); + for (i = 0; i < dev->real_num_rx_queues; i++) { + for (j = 0; j < VETH_RQ_STATS_LEN; j++) { +- snprintf(p, ETH_GSTRING_LEN, "rx_queue_%u_%s", ++ snprintf(p, ETH_GSTRING_LEN, ++ "rx_queue_%u_%.11s", + i, veth_rq_stats_desc[j].desc); + p += ETH_GSTRING_LEN; + } +-- +2.19.1 + diff --git a/queue-5.0/vfs-fix-preadv64v2-and-pwritev64v2-compat-syscalls-w.patch b/queue-5.0/vfs-fix-preadv64v2-and-pwritev64v2-compat-syscalls-w.patch new file mode 100644 index 00000000000..aa8b7f6c3fd --- /dev/null +++ b/queue-5.0/vfs-fix-preadv64v2-and-pwritev64v2-compat-syscalls-w.patch @@ -0,0 +1,55 @@ +From 71246ae90b4803615cd3a876e6dde6a3bee97645 Mon Sep 17 00:00:00 2001 +From: Aurelien Jarno +Date: Thu, 6 Dec 2018 20:05:34 +0100 +Subject: vfs: fix preadv64v2 and pwritev64v2 compat syscalls with offset == -1 + +[ Upstream commit cc4b1242d7e3b42eed73881fc749944146493e4f ] + +The preadv2 and pwritev2 syscalls are supposed to emulate the readv and +writev syscalls when offset == -1. Therefore the compat code should +check for offset before calling do_compat_preadv64 and +do_compat_pwritev64. This is the case for the preadv2 and pwritev2 +syscalls, but handling of offset == -1 is missing in their 64-bit +equivalent. + +This patch fixes that, calling do_compat_readv and do_compat_writev when +offset == -1. This fixes the following glibc tests on x32: + - misc/tst-preadvwritev2 + - misc/tst-preadvwritev64v2 + +Cc: Alexander Viro +Cc: H.J. Lu +Signed-off-by: Aurelien Jarno +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + fs/read_write.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/fs/read_write.c b/fs/read_write.c +index ff3c5e6f87cf..27b69b85d49f 100644 +--- a/fs/read_write.c ++++ b/fs/read_write.c +@@ -1238,6 +1238,9 @@ COMPAT_SYSCALL_DEFINE5(preadv64v2, unsigned long, fd, + const struct compat_iovec __user *,vec, + unsigned long, vlen, loff_t, pos, rwf_t, flags) + { ++ if (pos == -1) ++ return do_compat_readv(fd, vec, vlen, flags); ++ + return do_compat_preadv64(fd, vec, vlen, pos, flags); + } + #endif +@@ -1344,6 +1347,9 @@ COMPAT_SYSCALL_DEFINE5(pwritev64v2, unsigned long, fd, + const struct compat_iovec __user *,vec, + unsigned long, vlen, loff_t, pos, rwf_t, flags) + { ++ if (pos == -1) ++ return do_compat_writev(fd, vec, vlen, flags); ++ + return do_compat_pwritev64(fd, vec, vlen, pos, flags); + } + #endif +-- +2.19.1 + diff --git a/queue-5.0/wil6210-check-null-pointer-in-_wil_cfg80211_merge_ex.patch b/queue-5.0/wil6210-check-null-pointer-in-_wil_cfg80211_merge_ex.patch new file mode 100644 index 00000000000..acea97c0c36 --- /dev/null +++ b/queue-5.0/wil6210-check-null-pointer-in-_wil_cfg80211_merge_ex.patch @@ -0,0 +1,68 @@ +From a8f57d9c6abae4585ad97a607a1374ede33765a5 Mon Sep 17 00:00:00 2001 +From: Alexei Avshalom Lazar +Date: Fri, 22 Feb 2019 16:21:05 +0200 +Subject: wil6210: check null pointer in _wil_cfg80211_merge_extra_ies + +[ Upstream commit de77a53c2d1e8fb3621e63e8e1f0f0c9a1a99ff7 ] + +ies1 or ies2 might be null when code inside +_wil_cfg80211_merge_extra_ies access them. +Add explicit check for null and make sure ies1/ies2 are not +accessed in such a case. + +spos might be null and be accessed inside +_wil_cfg80211_merge_extra_ies. +Add explicit check for null in the while condition statement +and make sure spos is not accessed in such a case. + +Signed-off-by: Alexei Avshalom Lazar +Signed-off-by: Maya Erez +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/wil6210/cfg80211.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/ath/wil6210/cfg80211.c b/drivers/net/wireless/ath/wil6210/cfg80211.c +index 9b2f9f543952..5a44f9d0ff02 100644 +--- a/drivers/net/wireless/ath/wil6210/cfg80211.c ++++ b/drivers/net/wireless/ath/wil6210/cfg80211.c +@@ -1580,6 +1580,12 @@ static int _wil_cfg80211_merge_extra_ies(const u8 *ies1, u16 ies1_len, + u8 *buf, *dpos; + const u8 *spos; + ++ if (!ies1) ++ ies1_len = 0; ++ ++ if (!ies2) ++ ies2_len = 0; ++ + if (ies1_len == 0 && ies2_len == 0) { + *merged_ies = NULL; + *merged_len = 0; +@@ -1589,17 +1595,19 @@ static int _wil_cfg80211_merge_extra_ies(const u8 *ies1, u16 ies1_len, + buf = kmalloc(ies1_len + ies2_len, GFP_KERNEL); + if (!buf) + return -ENOMEM; +- memcpy(buf, ies1, ies1_len); ++ if (ies1) ++ memcpy(buf, ies1, ies1_len); + dpos = buf + ies1_len; + spos = ies2; +- while (spos + 1 < ies2 + ies2_len) { ++ while (spos && (spos + 1 < ies2 + ies2_len)) { + /* IE tag at offset 0, length at offset 1 */ + u16 ielen = 2 + spos[1]; + + if (spos + ielen > ies2 + ies2_len) + break; + if (spos[0] == WLAN_EID_VENDOR_SPECIFIC && +- !_wil_cfg80211_find_ie(ies1, ies1_len, spos, ielen)) { ++ (!ies1 || !_wil_cfg80211_find_ie(ies1, ies1_len, ++ spos, ielen))) { + memcpy(dpos, spos, ielen); + dpos += ielen; + } +-- +2.19.1 + diff --git a/queue-5.0/wlcore-fix-memory-leak-in-case-wl12xx_fetch_firmware.patch b/queue-5.0/wlcore-fix-memory-leak-in-case-wl12xx_fetch_firmware.patch new file mode 100644 index 00000000000..464b62d1d08 --- /dev/null +++ b/queue-5.0/wlcore-fix-memory-leak-in-case-wl12xx_fetch_firmware.patch @@ -0,0 +1,59 @@ +From c0d09140cec395f8dbeaf7405660ddac69647baa Mon Sep 17 00:00:00 2001 +From: Zumeng Chen +Date: Wed, 19 Dec 2018 15:50:29 +0800 +Subject: wlcore: Fix memory leak in case wl12xx_fetch_firmware failure + +[ Upstream commit ba2ffc96321c8433606ceeb85c9e722b8113e5a7 ] + +Release fw_status, raw_fw_status, and tx_res_if when wl12xx_fetch_firmware +failed instead of meaningless goto out to avoid the following memory leak +reports(Only the last one listed): + +unreferenced object 0xc28a9a00 (size 512): + comm "kworker/0:4", pid 31298, jiffies 2783204 (age 203.290s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<6624adab>] kmemleak_alloc+0x40/0x74 + [<500ddb31>] kmem_cache_alloc_trace+0x1ac/0x270 + [] wl12xx_chip_wakeup+0xc4/0x1fc [wlcore] + [<76c5db53>] wl1271_op_add_interface+0x4a4/0x8f4 [wlcore] + [] drv_add_interface+0xa4/0x1a0 [mac80211] + [<65bac325>] ieee80211_reconfig+0x9c0/0x1644 [mac80211] + [<2817c80e>] ieee80211_restart_work+0x90/0xc8 [mac80211] + [<7e1d425a>] process_one_work+0x284/0x42c + [<55f9432e>] worker_thread+0x2fc/0x48c + [] kthread+0x148/0x160 + [<63144b13>] ret_from_fork+0x14/0x2c + [< (null)>] (null) + [<1f6e7715>] 0xffffffff + +Signed-off-by: Zumeng Chen +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ti/wlcore/main.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/ti/wlcore/main.c b/drivers/net/wireless/ti/wlcore/main.c +index 26b187336875..2e12de813a5b 100644 +--- a/drivers/net/wireless/ti/wlcore/main.c ++++ b/drivers/net/wireless/ti/wlcore/main.c +@@ -1085,8 +1085,11 @@ static int wl12xx_chip_wakeup(struct wl1271 *wl, bool plt) + goto out; + + ret = wl12xx_fetch_firmware(wl, plt); +- if (ret < 0) +- goto out; ++ if (ret < 0) { ++ kfree(wl->fw_status); ++ kfree(wl->raw_fw_status); ++ kfree(wl->tx_res_if); ++ } + + out: + return ret; +-- +2.19.1 + diff --git a/queue-5.0/x86-build-mark-per-cpu-symbols-as-absolute-explicitl.patch b/queue-5.0/x86-build-mark-per-cpu-symbols-as-absolute-explicitl.patch new file mode 100644 index 00000000000..0d32e6542fc --- /dev/null +++ b/queue-5.0/x86-build-mark-per-cpu-symbols-as-absolute-explicitl.patch @@ -0,0 +1,80 @@ +From 5f5a867d31258fb8371baa062f08752e33c6e5c5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Rafael=20=C3=81vila=20de=20Esp=C3=ADndola?= + +Date: Wed, 19 Dec 2018 11:01:43 -0800 +Subject: x86/build: Mark per-CPU symbols as absolute explicitly for LLD +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit d071ae09a4a1414c1433d5ae9908959a7325b0ad ] + +Accessing per-CPU variables is done by finding the offset of the +variable in the per-CPU block and adding it to the address of the +respective CPU's block. + +Section 3.10.8 of ld.bfd's documentation states: + + For expressions involving numbers, relative addresses and absolute + addresses, ld follows these rules to evaluate terms: + + Other binary operations, that is, between two relative addresses + not in the same section, or between a relative address and an + absolute address, first convert any non-absolute term to an + absolute address before applying the operator." + +Note that LLVM's linker does not adhere to the GNU ld's implementation +and as such requires implicitly-absolute terms to be explicitly marked +as absolute in the linker script. If not, it fails currently with: + + ld.lld: error: ./arch/x86/kernel/vmlinux.lds:153: at least one side of the expression must be absolute + ld.lld: error: ./arch/x86/kernel/vmlinux.lds:154: at least one side of the expression must be absolute + Makefile:1040: recipe for target 'vmlinux' failed + +This is not a functional change for ld.bfd which converts the term to an +absolute symbol anyways as specified above. + +Based on a previous submission by Tri Vo . + +Reported-by: Dmitry Golovin +Signed-off-by: Rafael Ávila de Espíndola +[ Update commit message per Boris' and Michael's suggestions. ] +Signed-off-by: Nick Desaulniers +[ Massage commit message more, fix typos. ] +Signed-off-by: Borislav Petkov +Tested-by: Dmitry Golovin +Cc: "H. Peter Anvin" +Cc: Andy Lutomirski +Cc: Brijesh Singh +Cc: Cao Jin +Cc: Ingo Molnar +Cc: Joerg Roedel +Cc: Masahiro Yamada +Cc: Masami Hiramatsu +Cc: Thomas Gleixner +Cc: Tri Vo +Cc: dima@golovin.in +Cc: morbo@google.com +Cc: x86-ml +Link: https://lkml.kernel.org/r/20181219190145.252035-1-ndesaulniers@google.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/vmlinux.lds.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S +index 0d618ee634ac..ee3b5c7d662e 100644 +--- a/arch/x86/kernel/vmlinux.lds.S ++++ b/arch/x86/kernel/vmlinux.lds.S +@@ -401,7 +401,7 @@ SECTIONS + * Per-cpu symbols which need to be offset from __per_cpu_load + * for the boot processor. + */ +-#define INIT_PER_CPU(x) init_per_cpu__##x = x + __per_cpu_load ++#define INIT_PER_CPU(x) init_per_cpu__##x = ABSOLUTE(x) + __per_cpu_load + INIT_PER_CPU(gdt_page); + INIT_PER_CPU(irq_stack_union); + +-- +2.19.1 + diff --git a/queue-5.0/x86-build-specify-elf_i386-linker-emulation-explicit.patch b/queue-5.0/x86-build-specify-elf_i386-linker-emulation-explicit.patch new file mode 100644 index 00000000000..01d3595f1b1 --- /dev/null +++ b/queue-5.0/x86-build-specify-elf_i386-linker-emulation-explicit.patch @@ -0,0 +1,91 @@ +From b4c04f942a5259cc854be9b9b414177cd801f996 Mon Sep 17 00:00:00 2001 +From: George Rimar +Date: Fri, 11 Jan 2019 12:10:12 -0800 +Subject: x86/build: Specify elf_i386 linker emulation explicitly for i386 + objects + +[ Upstream commit 927185c124d62a9a4d35878d7f6d432a166b74e3 ] + +The kernel uses the OUTPUT_FORMAT linker script command in it's linker +scripts. Most of the time, the -m option is passed to the linker with +correct architecture, but sometimes (at least for x86_64) the -m option +contradicts the OUTPUT_FORMAT directive. + +Specifically, arch/x86/boot and arch/x86/realmode/rm produce i386 object +files, but are linked with the -m elf_x86_64 linker flag when building +for x86_64. + +The GNU linker manpage doesn't explicitly state any tie-breakers between +-m and OUTPUT_FORMAT. But with BFD and Gold linkers, OUTPUT_FORMAT +overrides the emulation value specified with the -m option. + +LLVM lld has a different behavior, however. When supplied with +contradicting -m and OUTPUT_FORMAT values it fails with the following +error message: + + ld.lld: error: arch/x86/realmode/rm/header.o is incompatible with elf_x86_64 + +Therefore, just add the correct -m after the incorrect one (it overrides +it), so the linker invocation looks like this: + + ld -m elf_x86_64 -z max-page-size=0x200000 -m elf_i386 --emit-relocs -T \ + realmode.lds header.o trampoline_64.o stack.o reboot.o -o realmode.elf + +This is not a functional change for GNU ld, because (although not +explicitly documented) OUTPUT_FORMAT overrides -m EMULATION. + +Tested by building x86_64 kernel with GNU gcc/ld toolchain and booting +it in QEMU. + + [ bp: massage and clarify text. ] + +Suggested-by: Dmitry Golovin +Signed-off-by: George Rimar +Signed-off-by: Tri Vo +Signed-off-by: Borislav Petkov +Tested-by: Tri Vo +Tested-by: Nick Desaulniers +Cc: "H. Peter Anvin" +Cc: Ingo Molnar +Cc: Michael Matz +Cc: Thomas Gleixner +Cc: morbo@google.com +Cc: ndesaulniers@google.com +Cc: ruiu@google.com +Cc: x86-ml +Link: https://lkml.kernel.org/r/20190111201012.71210-1-trong@android.com +Signed-off-by: Sasha Levin +--- + arch/x86/boot/Makefile | 2 +- + arch/x86/realmode/rm/Makefile | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/boot/Makefile b/arch/x86/boot/Makefile +index 9b5adae9cc40..e2839b5c246c 100644 +--- a/arch/x86/boot/Makefile ++++ b/arch/x86/boot/Makefile +@@ -100,7 +100,7 @@ $(obj)/zoffset.h: $(obj)/compressed/vmlinux FORCE + AFLAGS_header.o += -I$(objtree)/$(obj) + $(obj)/header.o: $(obj)/zoffset.h + +-LDFLAGS_setup.elf := -T ++LDFLAGS_setup.elf := -m elf_i386 -T + $(obj)/setup.elf: $(src)/setup.ld $(SETUP_OBJS) FORCE + $(call if_changed,ld) + +diff --git a/arch/x86/realmode/rm/Makefile b/arch/x86/realmode/rm/Makefile +index 4463fa72db94..96cb20de08af 100644 +--- a/arch/x86/realmode/rm/Makefile ++++ b/arch/x86/realmode/rm/Makefile +@@ -47,7 +47,7 @@ $(obj)/pasyms.h: $(REALMODE_OBJS) FORCE + targets += realmode.lds + $(obj)/realmode.lds: $(obj)/pasyms.h + +-LDFLAGS_realmode.elf := --emit-relocs -T ++LDFLAGS_realmode.elf := -m elf_i386 --emit-relocs -T + CPPFLAGS_realmode.lds += -P -C -I$(objtree)/$(obj) + + targets += realmode.elf +-- +2.19.1 + diff --git a/queue-5.0/x86-hyperv-fix-kernel-panic-when-kexec-on-hyperv.patch b/queue-5.0/x86-hyperv-fix-kernel-panic-when-kexec-on-hyperv.patch new file mode 100644 index 00000000000..11ad707e33c --- /dev/null +++ b/queue-5.0/x86-hyperv-fix-kernel-panic-when-kexec-on-hyperv.patch @@ -0,0 +1,74 @@ +From 5ba8b093e94a4da78fc5b3b5d1c7b0761f243fc8 Mon Sep 17 00:00:00 2001 +From: Kairui Song +Date: Wed, 6 Mar 2019 19:18:27 +0800 +Subject: x86/hyperv: Fix kernel panic when kexec on HyperV + +[ Upstream commit 179fb36abb097976997f50733d5b122a29158cba ] + +After commit 68bb7bfb7985 ("X86/Hyper-V: Enable IPI enlightenments"), +kexec fails with a kernel panic: + +kexec_core: Starting new kernel +BUG: unable to handle kernel NULL pointer dereference at 0000000000000000 +Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v3.0 03/02/2018 +RIP: 0010:0xffffc9000001d000 + +Call Trace: + ? __send_ipi_mask+0x1c6/0x2d0 + ? hv_send_ipi_mask_allbutself+0x6d/0xb0 + ? mp_save_irq+0x70/0x70 + ? __ioapic_read_entry+0x32/0x50 + ? ioapic_read_entry+0x39/0x50 + ? clear_IO_APIC_pin+0xb8/0x110 + ? native_stop_other_cpus+0x6e/0x170 + ? native_machine_shutdown+0x22/0x40 + ? kernel_kexec+0x136/0x156 + +That happens if hypercall based IPIs are used because the hypercall page is +reset very early upon kexec reboot, but kexec sends IPIs to stop CPUs, +which invokes the hypercall and dereferences the unusable page. + +To fix his, reset hv_hypercall_pg to NULL before the page is reset to avoid +any misuse, IPI sending will fall back to the non hypercall based +method. This only happens on kexec / kdump so just setting the pointer to +NULL is good enough. + +Fixes: 68bb7bfb7985 ("X86/Hyper-V: Enable IPI enlightenments") +Signed-off-by: Kairui Song +Signed-off-by: Thomas Gleixner +Cc: "K. Y. Srinivasan" +Cc: Haiyang Zhang +Cc: Stephen Hemminger +Cc: Sasha Levin +Cc: Borislav Petkov +Cc: "H. Peter Anvin" +Cc: Vitaly Kuznetsov +Cc: Dave Young +Cc: devel@linuxdriverproject.org +Link: https://lkml.kernel.org/r/20190306111827.14131-1-kasong@redhat.com +Signed-off-by: Sasha Levin +--- + arch/x86/hyperv/hv_init.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/arch/x86/hyperv/hv_init.c b/arch/x86/hyperv/hv_init.c +index 7abb09e2eeb8..d3f42b6bbdac 100644 +--- a/arch/x86/hyperv/hv_init.c ++++ b/arch/x86/hyperv/hv_init.c +@@ -406,6 +406,13 @@ void hyperv_cleanup(void) + /* Reset our OS id */ + wrmsrl(HV_X64_MSR_GUEST_OS_ID, 0); + ++ /* ++ * Reset hypercall page reference before reset the page, ++ * let hypercall operations fail safely rather than ++ * panic the kernel for using invalid hypercall page ++ */ ++ hv_hypercall_pg = NULL; ++ + /* Reset the hypercall page */ + hypercall_msr.as_uint64 = 0; + wrmsrl(HV_X64_MSR_HYPERCALL, hypercall_msr.as_uint64); +-- +2.19.1 + diff --git a/queue-5.0/x86-kexec-fill-in-acpi_rsdp_addr-from-the-first-kern.patch b/queue-5.0/x86-kexec-fill-in-acpi_rsdp_addr-from-the-first-kern.patch new file mode 100644 index 00000000000..cdda09a3550 --- /dev/null +++ b/queue-5.0/x86-kexec-fill-in-acpi_rsdp_addr-from-the-first-kern.patch @@ -0,0 +1,76 @@ +From 106d4cad1c578b6896fa7d1266ba4f9c8abcd91c Mon Sep 17 00:00:00 2001 +From: Kairui Song +Date: Tue, 5 Feb 2019 01:38:52 +0800 +Subject: x86/kexec: Fill in acpi_rsdp_addr from the first kernel + +[ Upstream commit ccec81e4251f5a5421e02874e394338a897056ca ] + +When efi=noruntime or efi=oldmap is used on the kernel command line, EFI +services won't be available in the second kernel, therefore the second +kernel will not be able to get the ACPI RSDP address from firmware by +calling EFI services and so it won't boot. + +Commit + + e6e094e053af ("x86/acpi, x86/boot: Take RSDP address from boot params if available") + +added an acpi_rsdp_addr field to boot_params which stores the RSDP +address for other kernel users. + +Recently, after + + 3a63f70bf4c3 ("x86/boot: Early parse RSDP and save it in boot_params") + +the acpi_rsdp_addr will always be filled with a valid RSDP address. + +So fill in that value into the second kernel's boot_params thus ensuring +that the second kernel receives the RSDP value from the first kernel. + + [ bp: massage commit message. ] + +Signed-off-by: Kairui Song +Signed-off-by: Borislav Petkov +Cc: AKASHI Takahiro +Cc: Andrew Morton +Cc: Baoquan He +Cc: Chao Fan +Cc: Dave Young +Cc: David Howells +Cc: "H. Peter Anvin" +Cc: Ingo Molnar +Cc: kexec@lists.infradead.org +Cc: Philipp Rudo +Cc: Thomas Gleixner +Cc: x86-ml +Cc: Yannik Sembritzki +Link: https://lkml.kernel.org/r/20190204173852.4863-1-kasong@redhat.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/kexec-bzimage64.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c +index 53917a3ebf94..1f3b77367948 100644 +--- a/arch/x86/kernel/kexec-bzimage64.c ++++ b/arch/x86/kernel/kexec-bzimage64.c +@@ -218,6 +218,9 @@ setup_boot_parameters(struct kimage *image, struct boot_params *params, + params->screen_info.ext_mem_k = 0; + params->alt_mem_k = 0; + ++ /* Always fill in RSDP: it is either 0 or a valid value */ ++ params->acpi_rsdp_addr = boot_params.acpi_rsdp_addr; ++ + /* Default APM info */ + memset(¶ms->apm_bios_info, 0, sizeof(params->apm_bios_info)); + +@@ -256,7 +259,6 @@ setup_boot_parameters(struct kimage *image, struct boot_params *params, + setup_efi_state(params, params_load_addr, efi_map_offset, efi_map_sz, + efi_setup_data_offset); + #endif +- + /* Setup EDD info */ + memcpy(params->eddbuf, boot_params.eddbuf, + EDDMAXNR * sizeof(struct edd_info)); +-- +2.19.1 + diff --git a/queue-5.0/xen-gntdev-do-not-destroy-context-while-dma-bufs-are.patch b/queue-5.0/xen-gntdev-do-not-destroy-context-while-dma-bufs-are.patch new file mode 100644 index 00000000000..41abf15e74c --- /dev/null +++ b/queue-5.0/xen-gntdev-do-not-destroy-context-while-dma-bufs-are.patch @@ -0,0 +1,114 @@ +From 2dbb717082dd8c856d8631c96579df555e28d746 Mon Sep 17 00:00:00 2001 +From: Oleksandr Andrushchenko +Date: Thu, 14 Feb 2019 16:23:20 +0200 +Subject: xen/gntdev: Do not destroy context while dma-bufs are in use + +[ Upstream commit fa13e665e02874c0a5f4d06d6967ae34a6cb3d6a ] + +If there are exported DMA buffers which are still in use and +grant device is closed by either normal user-space close or by +a signal this leads to the grant device context to be destroyed, +thus making it not possible to correctly destroy those exported +buffers when they are returned back to gntdev and makes the module +crash: + +[ 339.617540] [] dmabuf_exp_ops_release+0x40/0xa8 +[ 339.617560] [] dma_buf_release+0x60/0x190 +[ 339.617577] [] __fput+0x88/0x1d0 +[ 339.617589] [] ____fput+0xc/0x18 +[ 339.617607] [] task_work_run+0x9c/0xc0 +[ 339.617622] [] do_notify_resume+0xfc/0x108 + +Fix this by referencing gntdev on each DMA buffer export and +unreferencing on buffer release. + +Signed-off-by: Oleksandr Andrushchenko +Reviewed-by: Boris Ostrovsky@oracle.com> +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + drivers/xen/gntdev-dmabuf.c | 12 +++++++++++- + drivers/xen/gntdev-dmabuf.h | 2 +- + drivers/xen/gntdev.c | 2 +- + 3 files changed, 13 insertions(+), 3 deletions(-) + +diff --git a/drivers/xen/gntdev-dmabuf.c b/drivers/xen/gntdev-dmabuf.c +index cba6b586bfbd..d97fcfc5e558 100644 +--- a/drivers/xen/gntdev-dmabuf.c ++++ b/drivers/xen/gntdev-dmabuf.c +@@ -80,6 +80,12 @@ struct gntdev_dmabuf_priv { + struct list_head imp_list; + /* This is the lock which protects dma_buf_xxx lists. */ + struct mutex lock; ++ /* ++ * We reference this file while exporting dma-bufs, so ++ * the grant device context is not destroyed while there are ++ * external users alive. ++ */ ++ struct file *filp; + }; + + /* DMA buffer export support. */ +@@ -311,6 +317,7 @@ static void dmabuf_exp_release(struct kref *kref) + + dmabuf_exp_wait_obj_signal(gntdev_dmabuf->priv, gntdev_dmabuf); + list_del(&gntdev_dmabuf->next); ++ fput(gntdev_dmabuf->priv->filp); + kfree(gntdev_dmabuf); + } + +@@ -423,6 +430,7 @@ static int dmabuf_exp_from_pages(struct gntdev_dmabuf_export_args *args) + mutex_lock(&args->dmabuf_priv->lock); + list_add(&gntdev_dmabuf->next, &args->dmabuf_priv->exp_list); + mutex_unlock(&args->dmabuf_priv->lock); ++ get_file(gntdev_dmabuf->priv->filp); + return 0; + + fail: +@@ -834,7 +842,7 @@ long gntdev_ioctl_dmabuf_imp_release(struct gntdev_priv *priv, + return dmabuf_imp_release(priv->dmabuf_priv, op.fd); + } + +-struct gntdev_dmabuf_priv *gntdev_dmabuf_init(void) ++struct gntdev_dmabuf_priv *gntdev_dmabuf_init(struct file *filp) + { + struct gntdev_dmabuf_priv *priv; + +@@ -847,6 +855,8 @@ struct gntdev_dmabuf_priv *gntdev_dmabuf_init(void) + INIT_LIST_HEAD(&priv->exp_wait_list); + INIT_LIST_HEAD(&priv->imp_list); + ++ priv->filp = filp; ++ + return priv; + } + +diff --git a/drivers/xen/gntdev-dmabuf.h b/drivers/xen/gntdev-dmabuf.h +index 7220a53d0fc5..3d9b9cf9d5a1 100644 +--- a/drivers/xen/gntdev-dmabuf.h ++++ b/drivers/xen/gntdev-dmabuf.h +@@ -14,7 +14,7 @@ + struct gntdev_dmabuf_priv; + struct gntdev_priv; + +-struct gntdev_dmabuf_priv *gntdev_dmabuf_init(void); ++struct gntdev_dmabuf_priv *gntdev_dmabuf_init(struct file *filp); + + void gntdev_dmabuf_fini(struct gntdev_dmabuf_priv *priv); + +diff --git a/drivers/xen/gntdev.c b/drivers/xen/gntdev.c +index 5efc5eee9544..7cf9c51318aa 100644 +--- a/drivers/xen/gntdev.c ++++ b/drivers/xen/gntdev.c +@@ -600,7 +600,7 @@ static int gntdev_open(struct inode *inode, struct file *flip) + mutex_init(&priv->lock); + + #ifdef CONFIG_XEN_GNTDEV_DMABUF +- priv->dmabuf_priv = gntdev_dmabuf_init(); ++ priv->dmabuf_priv = gntdev_dmabuf_init(flip); + if (IS_ERR(priv->dmabuf_priv)) { + ret = PTR_ERR(priv->dmabuf_priv); + kfree(priv); +-- +2.19.1 + diff --git a/queue-5.0/xsk-fix-to-reject-invalid-flags-in-xsk_bind.patch b/queue-5.0/xsk-fix-to-reject-invalid-flags-in-xsk_bind.patch new file mode 100644 index 00000000000..c1ec06b09ad --- /dev/null +++ b/queue-5.0/xsk-fix-to-reject-invalid-flags-in-xsk_bind.patch @@ -0,0 +1,53 @@ +From 44b921647368ef849e3c3f4ef744bf925dba300b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Bj=C3=B6rn=20T=C3=B6pel?= +Date: Fri, 8 Mar 2019 08:57:26 +0100 +Subject: xsk: fix to reject invalid flags in xsk_bind +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit f54ba391d88f5a5d032175b4c308c176e34b80b7 ] + +Passing a non-existing flag in the sxdp_flags member of struct +sockaddr_xdp was, incorrectly, silently ignored. This patch addresses +that behavior, and rejects any non-existing flags. + +We have examined existing user space code, and to our best knowledge, +no one is relying on the current incorrect behavior. AF_XDP is still +in its infancy, so from our perspective, the risk of breakage is very +low, and addressing this problem now is important. + +Fixes: 965a99098443 ("xsk: add support for bind for Rx") +Signed-off-by: Björn Töpel +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + net/xdp/xsk.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c +index 85e4fe4f18cc..f3031c8907d9 100644 +--- a/net/xdp/xsk.c ++++ b/net/xdp/xsk.c +@@ -407,6 +407,10 @@ static int xsk_bind(struct socket *sock, struct sockaddr *addr, int addr_len) + if (sxdp->sxdp_family != AF_XDP) + return -EINVAL; + ++ flags = sxdp->sxdp_flags; ++ if (flags & ~(XDP_SHARED_UMEM | XDP_COPY | XDP_ZEROCOPY)) ++ return -EINVAL; ++ + mutex_lock(&xs->mutex); + if (xs->dev) { + err = -EBUSY; +@@ -425,7 +429,6 @@ static int xsk_bind(struct socket *sock, struct sockaddr *addr, int addr_len) + } + + qid = sxdp->sxdp_queue_id; +- flags = sxdp->sxdp_flags; + + if (flags & XDP_SHARED_UMEM) { + struct xdp_sock *umem_xs; +-- +2.19.1 + -- 2.47.2