From 26c4d3b8d3ef0d86d84507136c77d9ffd24daccf Mon Sep 17 00:00:00 2001 From: "Sasha Levin (Microsoft)" Date: Wed, 17 Apr 2019 10:52:40 -0400 Subject: [PATCH] autosel patches for 5.0 
Signed-off-by: Sasha Levin (Microsoft) --- ...reference-in-test-for-device-presenc.patch | 38 +++ ...udio-add-a-check-for-ioremap_nocache.patch | 36 ++ ...smatch-between-snd_opl3_drum_switch-.patch | 39 +++ ...a-sb8-add-a-check-for-request_region.patch | 35 ++ ...ix-use-after-free-in-atalk_proc_exit.patch | 216 ++++++++++++ ..._defconfig-enable-config_blk_dev_ram.patch | 36 ++ ...s-check-that-magic-number-is-correct.patch | 78 +++++ ...obe-make-patch_lock-a-raw_spinlock_t.patch | 67 ++++ ...ay-hd44780-fix-memory-leak-on-remove.patch | 34 ++ queue-5.0/blk-iolatency-include-blk.h.patch | 36 ++ ...-out-of-bounds-when-tracing-smb-tcon.patch | 134 ++++++++ ...turn-einval-when-do-dedupe-operation.patch | 56 ++++ ...ata-when-deleting-an-xattr-that-does.patch | 45 +++ ...ight-cpu-debug-support-for-ca73-cpus.patch | 38 +++ ...for-recursive-locking-from-bottom-ha.patch | 134 ++++++++ ...ing_destroy-cause-psp-km_ring.ring_m.patch | 35 ++ ...nit_mqd-function-to-allocate-object-.patch | 115 +++++++ ...-fix-mixer-shadow-registry-synchroni.patch | 239 +++++++++++++ ...gfs-fix-check-of-pm_runtime_get_sync.patch | 33 ++ ...lt-gf117-fix-speedo-readout-register.patch | 128 +++++++ ...innolux-set-display-off-in-innolux_p.patch | 69 ++++ ...-udl-use-drm_gem_object_put_unlocked.patch | 42 +++ ...issing-brelse-in-add_new_gdb_meta_bg.patch | 49 +++ ...xt4-avoid-panic-during-forced-reboot.patch | 68 ++++ ...4-prohibit-fstrim-in-norecovery-mode.patch | 40 +++ ...ort-real-fs-size-after-failed-resize.patch | 42 +++ ...refcount-once-page-is-tagged-pg_priv.patch | 208 ++++++++++++ ...x-to-dirty-inode-for-i_mode-recovery.patch | 57 ++++ ...-fix-to-use-kvfree-instead-of-kzfree.patch | 81 +++++ ...lesystem-after-roll-forward-recovery.patch | 176 ++++++++++ ...ror-code-mapping-for-objectid_not_fo.patch | 40 +++ ...anic-when-handling-the-inetdev-event.patch | 77 +++++ ...-condition-between-catas-error-reset.patch | 39 +++ ...ap.h-use-offsetof-instead-of-custom-.patch | 59 ++++ 
...tify_mark-refcount-leak-in-inotify_u.patch | 48 +++ ...-capability-before-disabling-protect.patch | 40 +++ ...the-right-domain-id-used-by-hardware.patch | 40 +++ ...on-t-clear-eventid-when-freeing-an-m.patch | 48 +++ ...n-t-clear-rising-falling-config-regi.patch | 39 +++ ...n-t-set-rising-configuration-registe.patch | 45 +++ .../lib-div64.c-off-by-one-in-shift.patch | 52 +++ ...d-tests-for-null-pointer-dereference.patch | 91 +++++ queue-5.0/lkdtm-print-real-addresses.patch | 115 +++++++ ...able-usb-power-on-netgear-wndr3400v2.patch | 42 +++ ...-remove-extraneous-__init-annotation.patch | 40 +++ ...fix-null-deref-when-unloading-driver.patch | 245 ++++++++++++++ ...-cleanup-queues-when-detection-fails.patch | 44 +++ ...-cleanup-queues-when-detection-fails.patch | 64 ++++ ...ve-ltr-capability-for-suspend-resume.patch | 129 +++++++ ...wer-management-of-gigabyte-x299-desi.patch | 93 ++++++ ...-fix-memory-leak-in-print_sdt_events.patch | 65 ++++ ...-fix-a-memory-leak-in-collect_config.patch | 58 ++++ ...an-error-in-the-config-template-docu.patch | 41 +++ ...e-restore-mmap-record-type-correctly.patch | 61 ++++ ...store-auxtrace-index-for-directory-d.patch | 43 +++ ...ree-evsel-counts-in-perf_evsel__exit.patch | 81 +++++ ...t-add-missing-map__put-in-error-case.patch | 47 +++ ...forget-to-drop-the-reference-to-the-.patch | 54 +++ ...map-from-names-tree-in-__maps__remov.patch | 45 +++ ...s-purge-all-maps-from-the-names-tree.patch | 61 ++++ queue-5.0/perf-stat-fix-no-scale.patch | 134 ++++++++ ...-memory-leak-in-test__perf_evsel__tp.patch | 59 ++++ ...-memory-leak-of-cpu_map-object-in-th.patch | 68 ++++ ...emory-leak-by-expr__find_other-in-te.patch | 66 ++++ ...x-errors-under-optimization-level-og.patch | 93 ++++++ ...the-evlist-before-perf_session-fixin.patch | 212 ++++++++++++ ...rf-top-fix-error-handling-in-cmd_top.patch | 43 +++ ...top-fix-global-buffer-overflow-issue.patch | 95 ++++++ ...el_pmc_core-quirk-to-ignore-xtal-shu.patch | 129 +++++++ 
...m-domains-avoid-a-potential-deadlock.patch | 104 ++++++ ...-oops-during-rmmod-or-insmod-ko-when.patch | 316 ++++++++++++++++++ ...-ec-remove-old-clear_on_resume-quirk.patch | 134 ++++++++ ...-client-call-connect-disconnect-race.patch | 149 +++++++++ ...uffer-overflow-in-cgroup2-property-c.patch | 46 +++ ...hed-cpufreq-fix-32-bit-math-overflow.patch | 175 ++++++++++ ...all-destroy_rcu_head-for-passthrough.patch | 50 +++ ...-running-unbind-operations-when-remo.patch | 71 ++++ ...-null-pointer-crash-due-to-stale-cpu.patch | 89 +++++ queue-5.0/series | 91 +++++ ...fix-crash-in-bcm2835_thermal_debugfs.patch | 60 ++++ ...int340x_thermal-add-additional-uuids.patch | 52 +++ ...mal-int340x_thermal-fix-mode-setting.patch | 40 +++ ...werclamp-fix-__percpu-declaration-of.patch | 46 +++ ...owerclamp-fix-truncated-kthread-name.patch | 34 ++ ...fix-incorrect-check-after-code-merge.patch | 41 +++ ...ostat-return-the-exit-status-of-a-co.patch | 37 ++ ...e-correct-macros-for-cyrix-calls-on-.patch | 108 ++++++ ...art-exclude-gart-aperture-from-kcore.patch | 172 ++++++++++ ...t-potential-null-pointer-dereference.patch | 43 +++ ...ts-make-default-case-in-hw_breakpoin.patch | 48 +++ ...nt-potential-null-pointer-dereferenc.patch | 53 +++ .../x86-mm-don-t-leak-kernel-addresses.patch | 49 +++ 92 files changed, 7257 insertions(+) create mode 100644 queue-5.0/acpi-utils-drop-reference-in-test-for-device-presenc.patch create mode 100644 queue-5.0/alsa-echoaudio-add-a-check-for-ioremap_nocache.patch create mode 100644 queue-5.0/alsa-opl3-fix-mismatch-between-snd_opl3_drum_switch-.patch create mode 100644 queue-5.0/alsa-sb8-add-a-check-for-request_region.patch create mode 100644 queue-5.0/appletalk-fix-use-after-free-in-atalk_proc_exit.patch create mode 100644 queue-5.0/arc-hsdk_defconfig-enable-config_blk_dev_ram.patch create mode 100644 queue-5.0/arc-u-boot-args-check-that-magic-number-is-correct.patch create mode 100644 queue-5.0/arm-8839-1-kprobe-make-patch_lock-a-raw_spinlock_t.patch 
create mode 100644 queue-5.0/auxdisplay-hd44780-fix-memory-leak-on-remove.patch create mode 100644 queue-5.0/blk-iolatency-include-blk.h.patch create mode 100644 queue-5.0/cifs-fix-slab-out-of-bounds-when-tracing-smb-tcon.patch create mode 100644 queue-5.0/cifs-fix-that-return-einval-when-do-dedupe-operation.patch create mode 100644 queue-5.0/cifs-return-enodata-when-deleting-an-xattr-that-does.patch create mode 100644 queue-5.0/coresight-cpu-debug-support-for-ca73-cpus.patch create mode 100644 queue-5.0/crypto-axis-fix-for-recursive-locking-from-bottom-ha.patch create mode 100644 queue-5.0/drm-amdgpu-psp_ring_destroy-cause-psp-km_ring.ring_m.patch create mode 100644 queue-5.0/drm-amdkfd-use-init_mqd-function-to-allocate-object-.patch create mode 100644 queue-5.0/drm-exynos-mixer-fix-mixer-shadow-registry-synchroni.patch create mode 100644 queue-5.0/drm-nouveau-debugfs-fix-check-of-pm_runtime_get_sync.patch create mode 100644 queue-5.0/drm-nouveau-volt-gf117-fix-speedo-readout-register.patch create mode 100644 queue-5.0/drm-panel-panel-innolux-set-display-off-in-innolux_p.patch create mode 100644 queue-5.0/drm-udl-use-drm_gem_object_put_unlocked.patch create mode 100644 queue-5.0/ext4-add-missing-brelse-in-add_new_gdb_meta_bg.patch create mode 100644 queue-5.0/ext4-avoid-panic-during-forced-reboot.patch create mode 100644 queue-5.0/ext4-prohibit-fstrim-in-norecovery-mode.patch create mode 100644 queue-5.0/ext4-report-real-fs-size-after-failed-resize.patch create mode 100644 queue-5.0/f2fs-fix-to-add-refcount-once-page-is-tagged-pg_priv.patch create mode 100644 queue-5.0/f2fs-fix-to-dirty-inode-for-i_mode-recovery.patch create mode 100644 queue-5.0/f2fs-fix-to-use-kvfree-instead-of-kzfree.patch create mode 100644 queue-5.0/f2fs-sync-filesystem-after-roll-forward-recovery.patch create mode 100644 queue-5.0/fix-incorrect-error-code-mapping-for-objectid_not_fo.patch create mode 100644 queue-5.0/i40iw-avoid-panic-when-handling-the-inetdev-event.patch create mode 100644 
queue-5.0/ib-mlx4-fix-race-condition-between-catas-error-reset.patch create mode 100644 queue-5.0/include-linux-swap.h-use-offsetof-instead-of-custom-.patch create mode 100644 queue-5.0/inotify-fix-fsnotify_mark-refcount-leak-in-inotify_u.patch create mode 100644 queue-5.0/iommu-vt-d-check-capability-before-disabling-protect.patch create mode 100644 queue-5.0/iommu-vt-d-save-the-right-domain-id-used-by-hardware.patch create mode 100644 queue-5.0/irqchip-mbigen-don-t-clear-eventid-when-freeing-an-m.patch create mode 100644 queue-5.0/irqchip-stm32-don-t-clear-rising-falling-config-regi.patch create mode 100644 queue-5.0/irqchip-stm32-don-t-set-rising-configuration-registe.patch create mode 100644 queue-5.0/lib-div64.c-off-by-one-in-shift.patch create mode 100644 queue-5.0/lkdtm-add-tests-for-null-pointer-dereference.patch create mode 100644 queue-5.0/lkdtm-print-real-addresses.patch create mode 100644 queue-5.0/mips-bcm47xx-enable-usb-power-on-netgear-wndr3400v2.patch create mode 100644 queue-5.0/mmc-davinci-remove-extraneous-__init-annotation.patch create mode 100644 queue-5.0/net-hns3-fix-null-deref-when-unloading-driver.patch create mode 100644 queue-5.0/paride-pcd-cleanup-queues-when-detection-fails.patch create mode 100644 queue-5.0/paride-pf-cleanup-queues-when-detection-fails.patch create mode 100644 queue-5.0/pci-aspm-save-ltr-capability-for-suspend-resume.patch create mode 100644 queue-5.0/pci-blacklist-power-management-of-gigabyte-x299-desi.patch create mode 100644 queue-5.0/perf-build-id-fix-memory-leak-in-print_sdt_events.patch create mode 100644 queue-5.0/perf-config-fix-a-memory-leak-in-collect_config.patch create mode 100644 queue-5.0/perf-config-fix-an-error-in-the-config-template-docu.patch create mode 100644 queue-5.0/perf-core-restore-mmap-record-type-correctly.patch create mode 100644 queue-5.0/perf-data-don-t-store-auxtrace-index-for-directory-d.patch create mode 100644 queue-5.0/perf-evsel-free-evsel-counts-in-perf_evsel__exit.patch create mode 
100644 queue-5.0/perf-hist-add-missing-map__put-in-error-case.patch create mode 100644 queue-5.0/perf-list-don-t-forget-to-drop-the-reference-to-the-.patch create mode 100644 queue-5.0/perf-map-remove-map-from-names-tree-in-__maps__remov.patch create mode 100644 queue-5.0/perf-maps-purge-all-maps-from-the-names-tree.patch create mode 100644 queue-5.0/perf-stat-fix-no-scale.patch create mode 100644 queue-5.0/perf-tests-fix-a-memory-leak-in-test__perf_evsel__tp.patch create mode 100644 queue-5.0/perf-tests-fix-a-memory-leak-of-cpu_map-object-in-th.patch create mode 100644 queue-5.0/perf-tests-fix-memory-leak-by-expr__find_other-in-te.patch create mode 100644 queue-5.0/perf-tools-fix-errors-under-optimization-level-og.patch create mode 100644 queue-5.0/perf-top-delete-the-evlist-before-perf_session-fixin.patch create mode 100644 queue-5.0/perf-top-fix-error-handling-in-cmd_top.patch create mode 100644 queue-5.0/perf-top-fix-global-buffer-overflow-issue.patch create mode 100644 queue-5.0/platform-x86-intel_pmc_core-quirk-to-ignore-xtal-shu.patch create mode 100644 queue-5.0/pm-domains-avoid-a-potential-deadlock.patch create mode 100644 queue-5.0/rdma-hns-fix-the-oops-during-rmmod-or-insmod-ko-when.patch create mode 100644 queue-5.0/revert-acpi-ec-remove-old-clear_on_resume-quirk.patch create mode 100644 queue-5.0/rxrpc-fix-client-call-connect-disconnect-race.patch create mode 100644 queue-5.0/sched-core-fix-buffer-overflow-in-cgroup2-property-c.patch create mode 100644 queue-5.0/sched-cpufreq-fix-32-bit-math-overflow.patch create mode 100644 queue-5.0/scsi-core-also-call-destroy_rcu_head-for-passthrough.patch create mode 100644 queue-5.0/scsi-iscsi-flush-running-unbind-operations-when-remo.patch create mode 100644 queue-5.0/scsi-qla2xxx-fix-null-pointer-crash-due-to-stale-cpu.patch create mode 100644 queue-5.0/series create mode 100644 queue-5.0/thermal-bcm2835-fix-crash-in-bcm2835_thermal_debugfs.patch create mode 100644 
queue-5.0/thermal-int340x_thermal-add-additional-uuids.patch create mode 100644 queue-5.0/thermal-int340x_thermal-fix-mode-setting.patch create mode 100644 queue-5.0/thermal-intel_powerclamp-fix-__percpu-declaration-of.patch create mode 100644 queue-5.0/thermal-intel_powerclamp-fix-truncated-kthread-name.patch create mode 100644 queue-5.0/thermal-samsung-fix-incorrect-check-after-code-merge.patch create mode 100644 queue-5.0/tools-power-turbostat-return-the-exit-status-of-a-co.patch create mode 100644 queue-5.0/x86-cpu-cyrix-use-correct-macros-for-cyrix-calls-on-.patch create mode 100644 queue-5.0/x86-gart-exclude-gart-aperture-from-kcore.patch create mode 100644 queue-5.0/x86-hpet-prevent-potential-null-pointer-dereference.patch create mode 100644 queue-5.0/x86-hw_breakpoints-make-default-case-in-hw_breakpoin.patch create mode 100644 queue-5.0/x86-hyperv-prevent-potential-null-pointer-dereferenc.patch create mode 100644 queue-5.0/x86-mm-don-t-leak-kernel-addresses.patch diff --git a/queue-5.0/acpi-utils-drop-reference-in-test-for-device-presenc.patch b/queue-5.0/acpi-utils-drop-reference-in-test-for-device-presenc.patch new file mode 100644 index 0000000000..16e2866bc2 --- /dev/null +++ b/queue-5.0/acpi-utils-drop-reference-in-test-for-device-presenc.patch 
@@ -0,0 +1,38 @@
+From 161be2570ad30afb7d00911ff98c025d7535a777 Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko
+Date: Mon, 18 Mar 2019 21:47:09 +0300
+Subject: ACPI / utils: Drop reference in test for device presence
+
+[ Upstream commit 54e3aca84e571559915998aa6cc05e5ac37c043b ]
+
+When commit 8661423eea1a ("ACPI / utils: Add new acpi_dev_present
+helper") introduced acpi_dev_present(), it missed the fact that
+bus_find_device() took a reference on the device found by it and
+the callers of acpi_dev_present() don't drop that reference.
+
+Drop the reference on the device in acpi_dev_present().
+
+Fixes: 8661423eea1a ("ACPI / utils: Add new acpi_dev_present helper")
+Signed-off-by: Andy Shevchenko
+Reviewed-by: Hans de Goede
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+---
+ drivers/acpi/utils.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/acpi/utils.c b/drivers/acpi/utils.c
+index 78db97687f26..c4b06cc075f9 100644
+--- a/drivers/acpi/utils.c
++++ b/drivers/acpi/utils.c
+@@ -800,6 +800,7 @@ bool acpi_dev_present(const char *hid, const char *uid, s64 hrv)
+ match.hrv = hrv;
+
+ dev = bus_find_device(&acpi_bus_type, NULL, &match, acpi_dev_match_cb);
++ put_device(dev);
+ return !!dev;
+ }
+ EXPORT_SYMBOL(acpi_dev_present);
+--
+2.19.1
+
diff --git a/queue-5.0/alsa-echoaudio-add-a-check-for-ioremap_nocache.patch b/queue-5.0/alsa-echoaudio-add-a-check-for-ioremap_nocache.patch
new file mode 100644
index 0000000000..73a1434008
--- /dev/null
+++ b/queue-5.0/alsa-echoaudio-add-a-check-for-ioremap_nocache.patch
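Review bot: In `acpi_dev_present()` the added `put_device(dev);` runs unconditionally on whatever `bus_find_device()` returned, including NULL when nothing matches, and nothing next to the call says that this is intended. A short comment above it, such as `/* put_device() tolerates NULL; dev is only tested below, never dereferenced */`, would stop a later edit from using `dev` after the reference has been dropped. The start of the function is outside the hunk, so how `match` is filled in is not visible here.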
@@ -0,0 +1,36 @@
+From caa103cba3b7210960abe6a00b97b919d98455bd Mon Sep 17 00:00:00 2001
+From: Kangjie Lu
+Date: Thu, 14 Mar 2019 22:58:29 -0500
+Subject: ALSA: echoaudio: add a check for ioremap_nocache
+
+[ Upstream commit 6ade657d6125ec3ec07f95fa51e28138aef6208f ]
+
+In case ioremap_nocache fails, the fix releases chip and returns
+an error code upstream to avoid NULL pointer dereference.
+
+Signed-off-by: Kangjie Lu
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ sound/pci/echoaudio/echoaudio.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/sound/pci/echoaudio/echoaudio.c b/sound/pci/echoaudio/echoaudio.c
+index 907cf1a46712..3ef2b27ebbe8 100644
+--- a/sound/pci/echoaudio/echoaudio.c
++++ b/sound/pci/echoaudio/echoaudio.c
+@@ -1954,6 +1954,11 @@ static int snd_echo_create(struct snd_card *card,
+ }
+ chip->dsp_registers = (volatile u32 __iomem *)
+ ioremap_nocache(chip->dsp_registers_phys, sz);
++ if (!chip->dsp_registers) {
++ dev_err(chip->card->dev, "ioremap failed\n");
++ snd_echo_free(chip);
++ return -ENOMEM;
++ }
+
+ if (request_irq(pci->irq, snd_echo_interrupt, IRQF_SHARED,
+ KBUILD_MODNAME, chip)) {
+--
+2.19.1
+
diff --git a/queue-5.0/alsa-opl3-fix-mismatch-between-snd_opl3_drum_switch-.patch b/queue-5.0/alsa-opl3-fix-mismatch-between-snd_opl3_drum_switch-.patch
new file mode 100644
index 0000000000..78cab2cdf6
--- /dev/null
+++ b/queue-5.0/alsa-opl3-fix-mismatch-between-snd_opl3_drum_switch-.patch
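Review bot: The new failure branch in `snd_echo_create()` calls `snd_echo_free(chip)` while `chip->dsp_registers` is NULL and before the `request_irq()` call below it has run, so the fix is only safe if `snd_echo_free()` skips the unmap and the IRQ release for resources that were never acquired. That function is not part of this hunk and should be checked against this call site. A comment on the branch would record the requirement, for example `/* snd_echo_free() must cope with dsp_registers == NULL and no IRQ requested */`. `snd_echo_create()` starts and continues outside the hunk.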
@@ -0,0 +1,39 @@
+From b72edad8fe927ab2da48519d85ba3c8caee18e34 Mon Sep 17 00:00:00 2001
+From: Colin Ian King
+Date: Sun, 17 Mar 2019 23:21:24 +0000
+Subject: ALSA: opl3: fix mismatch between snd_opl3_drum_switch definition and
+ declaration
+
+[ Upstream commit b4748e7ab731e436cf5db4786358ada5dd2db6dd ]
+
+The function snd_opl3_drum_switch declaration in the header file
+has the order of the two arguments on_off and vel swapped when
+compared to the definition arguments of vel and on_off. Fix this
+by swapping them around to match the definition.
+
+This error predates the git history, so no idea when this error
+was introduced.
+
+Signed-off-by: Colin Ian King
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ sound/drivers/opl3/opl3_voice.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/drivers/opl3/opl3_voice.h b/sound/drivers/opl3/opl3_voice.h
+index 5b02bd49fde4..4e4ecc21760b 100644
+--- a/sound/drivers/opl3/opl3_voice.h
++++ b/sound/drivers/opl3/opl3_voice.h
+@@ -41,7 +41,7 @@ void snd_opl3_timer_func(struct timer_list *t);
+
+ /* Prototypes for opl3_drums.c */
+ void snd_opl3_load_drums(struct snd_opl3 *opl3);
+-void snd_opl3_drum_switch(struct snd_opl3 *opl3, int note, int on_off, int vel, struct snd_midi_channel *chan);
++void snd_opl3_drum_switch(struct snd_opl3 *opl3, int note, int vel, int on_off, struct snd_midi_channel *chan);
+
+ /* Prototypes for opl3_oss.c */
+ #if IS_ENABLED(CONFIG_SND_SEQUENCER_OSS)
+--
+2.19.1
+
diff --git a/queue-5.0/alsa-sb8-add-a-check-for-request_region.patch b/queue-5.0/alsa-sb8-add-a-check-for-request_region.patch
new file mode 100644
index 0000000000..f91bc0e69e
--- /dev/null
+++ b/queue-5.0/alsa-sb8-add-a-check-for-request_region.patch
@@ -0,0 +1,35 @@
+From 365903ab8535b99ddc8025a110ab24fd02a07da4 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu
+Date: Thu, 14 Mar 2019 23:04:14 -0500
+Subject: ALSA: sb8: add a check for request_region
+
+[ Upstream commit dcd0feac9bab901d5739de51b3f69840851f8919 ]
+
+In case request_region fails, the fix returns an error code to
+avoid NULL pointer dereference.
+
+Signed-off-by: Kangjie Lu
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ sound/isa/sb/sb8.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/sound/isa/sb/sb8.c b/sound/isa/sb/sb8.c
+index d77dcba276b5..1eb8b61a185b 100644
+--- a/sound/isa/sb/sb8.c
++++ b/sound/isa/sb/sb8.c
+@@ -111,6 +111,10 @@ static int snd_sb8_probe(struct device *pdev, unsigned int dev)
+
+ /* block the 0x388 port to avoid PnP conflicts */
+ acard->fm_res = request_region(0x388, 4, "SoundBlaster FM");
++ if (!acard->fm_res) {
++ err = -EBUSY;
++ goto _err;
++ }
+
+ if (port[dev] != SNDRV_AUTO_PORT) {
+ if ((err = snd_sbdsp_create(card, port[dev], irq[dev],
+--
+2.19.1
+
diff --git a/queue-5.0/appletalk-fix-use-after-free-in-atalk_proc_exit.patch b/queue-5.0/appletalk-fix-use-after-free-in-atalk_proc_exit.patch
new file mode 100644
index 0000000000..be03a1f896
--- /dev/null
+++ b/queue-5.0/appletalk-fix-use-after-free-in-atalk_proc_exit.patch
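Review bot: The added check in `snd_sb8_probe()` makes the probe fail with `-EBUSY` whenever port 0x388 is already claimed, although the comment above it describes the reservation only as a way to block the port against PnP conflicts and no line in the hunk dereferences `acard->fm_res`. If the release path hands `fm_res` to a helper that accepts NULL (not visible here), there is no NULL dereference to prevent, and the check only turns a best-effort reservation into a hard failure where another driver holds the FM port. Consider letting the probe continue and documenting that instead, for example `/* fm_res may be NULL; it is only held to block the port and is released on free */`. The `_err` label and the rest of the probe are outside the hunk.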
@@ -0,0 +1,216 @@ +From cacff829e4a9558d57bafbb9d8b9f2c6a4fc9ed6 Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Fri, 1 Mar 2019 10:57:57 +0800 +Subject: appletalk: Fix use-after-free in atalk_proc_exit + +[ Upstream commit 6377f787aeb945cae7abbb6474798de129e1f3ac ] + +KASAN report this: + +BUG: KASAN: use-after-free in pde_subdir_find+0x12d/0x150 fs/proc/generic.c:71 +Read of size 8 at addr ffff8881f41fe5b0 by task syz-executor.0/2806 + +CPU: 0 PID: 2806 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ #45 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0xfa/0x1ce lib/dump_stack.c:113 + print_address_description+0x65/0x270 mm/kasan/report.c:187 + kasan_report+0x149/0x18d mm/kasan/report.c:317 + pde_subdir_find+0x12d/0x150 fs/proc/generic.c:71 + remove_proc_entry+0xe8/0x420 fs/proc/generic.c:667 + atalk_proc_exit+0x18/0x820 [appletalk] + atalk_exit+0xf/0x5a [appletalk] + __do_sys_delete_module kernel/module.c:1018 [inline] + __se_sys_delete_module kernel/module.c:961 [inline] + __x64_sys_delete_module+0x3dc/0x5e0 kernel/module.c:961 + do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x462e99 +Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007fb2de6b9c58 EFLAGS: 00000246 ORIG_RAX: 00000000000000b0 +RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000200001c0 +RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb2de6ba6bc +R13: 00000000004bccaa R14: 00000000006f6bc8 R15: 00000000ffffffff + +Allocated by task 2806: + set_track mm/kasan/common.c:85 [inline] + __kasan_kmalloc.constprop.3+0xa0/0xd0 
mm/kasan/common.c:496 + slab_post_alloc_hook mm/slab.h:444 [inline] + slab_alloc_node mm/slub.c:2739 [inline] + slab_alloc mm/slub.c:2747 [inline] + kmem_cache_alloc+0xcf/0x250 mm/slub.c:2752 + kmem_cache_zalloc include/linux/slab.h:730 [inline] + __proc_create+0x30f/0xa20 fs/proc/generic.c:408 + proc_mkdir_data+0x47/0x190 fs/proc/generic.c:469 + 0xffffffffc10c01bb + 0xffffffffc10c0166 + do_one_initcall+0xfa/0x5ca init/main.c:887 + do_init_module+0x204/0x5f6 kernel/module.c:3460 + load_module+0x66b2/0x8570 kernel/module.c:3808 + __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902 + do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Freed by task 2806: + set_track mm/kasan/common.c:85 [inline] + __kasan_slab_free+0x130/0x180 mm/kasan/common.c:458 + slab_free_hook mm/slub.c:1409 [inline] + slab_free_freelist_hook mm/slub.c:1436 [inline] + slab_free mm/slub.c:2986 [inline] + kmem_cache_free+0xa6/0x2a0 mm/slub.c:3002 + pde_put+0x6e/0x80 fs/proc/generic.c:647 + remove_proc_entry+0x1d3/0x420 fs/proc/generic.c:684 + 0xffffffffc10c031c + 0xffffffffc10c0166 + do_one_initcall+0xfa/0x5ca init/main.c:887 + do_init_module+0x204/0x5f6 kernel/module.c:3460 + load_module+0x66b2/0x8570 kernel/module.c:3808 + __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902 + do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +The buggy address belongs to the object at ffff8881f41fe500 + which belongs to the cache proc_dir_entry of size 256 +The buggy address is located 176 bytes inside of + 256-byte region [ffff8881f41fe500, ffff8881f41fe600) +The buggy address belongs to the page: +page:ffffea0007d07f80 count:1 mapcount:0 mapping:ffff8881f6e69a00 index:0x0 +flags: 0x2fffc0000000200(slab) +raw: 02fffc0000000200 dead000000000100 dead000000000200 ffff8881f6e69a00 +raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Memory 
state around the buggy address: + ffff8881f41fe480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc + ffff8881f41fe500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +>ffff8881f41fe580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff8881f41fe600: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb + ffff8881f41fe680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + +It should check the return value of atalk_proc_init fails, +otherwise atalk_exit will trgger use-after-free in pde_subdir_find +while unload the module.This patch fix error cleanup path of atalk_init + +Reported-by: Hulk Robot +Signed-off-by: YueHaibing +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/linux/atalk.h | 2 +- + net/appletalk/atalk_proc.c | 2 +- + net/appletalk/ddp.c | 37 ++++++++++++++++++++++++++------ + net/appletalk/sysctl_net_atalk.c | 5 ++++- + 4 files changed, 37 insertions(+), 9 deletions(-) + +diff --git a/include/linux/atalk.h b/include/linux/atalk.h +index 840cf92307ba..d5cfc0b15b76 100644 +--- a/include/linux/atalk.h ++++ b/include/linux/atalk.h +@@ -158,7 +158,7 @@ extern int sysctl_aarp_retransmit_limit; + extern int sysctl_aarp_resolve_time; + + #ifdef CONFIG_SYSCTL +-extern void atalk_register_sysctl(void); ++extern int atalk_register_sysctl(void); + extern void atalk_unregister_sysctl(void); + #else + static inline int atalk_register_sysctl(void) +diff --git a/net/appletalk/atalk_proc.c b/net/appletalk/atalk_proc.c +index 8006295f8bd7..dda73991bb54 100644 +--- a/net/appletalk/atalk_proc.c ++++ b/net/appletalk/atalk_proc.c +@@ -255,7 +255,7 @@ int __init atalk_proc_init(void) + goto out; + } + +-void __exit atalk_proc_exit(void) ++void atalk_proc_exit(void) + { + remove_proc_entry("interface", atalk_proc_dir); + remove_proc_entry("route", atalk_proc_dir); +diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c +index 9b6bc5abe946..795fbc6c06aa 100644 +--- a/net/appletalk/ddp.c ++++ b/net/appletalk/ddp.c +@@ -1910,12 +1910,16 @@ static const 
char atalk_err_snap[] __initconst = + /* Called by proto.c on kernel start up */ + static int __init atalk_init(void) + { +- int rc = proto_register(&ddp_proto, 0); ++ int rc; + +- if (rc != 0) ++ rc = proto_register(&ddp_proto, 0); ++ if (rc) + goto out; + +- (void)sock_register(&atalk_family_ops); ++ rc = sock_register(&atalk_family_ops); ++ if (rc) ++ goto out_proto; ++ + ddp_dl = register_snap_client(ddp_snap_id, atalk_rcv); + if (!ddp_dl) + printk(atalk_err_snap); +@@ -1923,12 +1927,33 @@ static int __init atalk_init(void) + dev_add_pack(<alk_packet_type); + dev_add_pack(&ppptalk_packet_type); + +- register_netdevice_notifier(&ddp_notifier); ++ rc = register_netdevice_notifier(&ddp_notifier); ++ if (rc) ++ goto out_sock; ++ + aarp_proto_init(); +- atalk_proc_init(); +- atalk_register_sysctl(); ++ rc = atalk_proc_init(); ++ if (rc) ++ goto out_aarp; ++ ++ rc = atalk_register_sysctl(); ++ if (rc) ++ goto out_proc; + out: + return rc; ++out_proc: ++ atalk_proc_exit(); ++out_aarp: ++ aarp_cleanup_module(); ++ unregister_netdevice_notifier(&ddp_notifier); ++out_sock: ++ dev_remove_pack(&ppptalk_packet_type); ++ dev_remove_pack(<alk_packet_type); ++ unregister_snap_client(ddp_dl); ++ sock_unregister(PF_APPLETALK); ++out_proto: ++ proto_unregister(&ddp_proto); ++ goto out; + } + module_init(atalk_init); + +diff --git a/net/appletalk/sysctl_net_atalk.c b/net/appletalk/sysctl_net_atalk.c +index c744a853fa5f..d945b7c0176d 100644 +--- a/net/appletalk/sysctl_net_atalk.c ++++ b/net/appletalk/sysctl_net_atalk.c +@@ -45,9 +45,12 @@ static struct ctl_table atalk_table[] = { + + static struct ctl_table_header *atalk_table_header; + +-void atalk_register_sysctl(void) ++int __init atalk_register_sysctl(void) + { + atalk_table_header = register_net_sysctl(&init_net, "net/appletalk", atalk_table); ++ if (!atalk_table_header) ++ return -ENOMEM; ++ return 0; + } + + void atalk_unregister_sysctl(void) +-- +2.19.1 + 
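Review bot: In the `atalk_init()` unwind added to net/appletalk/ddp.c, `out_sock:` calls `unregister_snap_client(ddp_dl)` even though the code above only prints `atalk_err_snap` when `register_snap_client()` returns NULL and then carries on. If a later step such as `register_netdevice_notifier()` fails after that, the error path hands a NULL `ddp_dl` to the unregister call, which looks like a NULL dereference inside the very cleanup this patch introduces (the callee is not shown, so this needs confirming). Either guard the call, `if (ddp_dl) unregister_snap_client(ddp_dl);`, or treat the failed SNAP registration as fatal and jump to the unwind with an error code at that point.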
diff --git a/queue-5.0/arc-hsdk_defconfig-enable-config_blk_dev_ram.patch b/queue-5.0/arc-hsdk_defconfig-enable-config_blk_dev_ram.patch
new file mode 100644
index 0000000000..5d51ca5345
--- /dev/null
+++ b/queue-5.0/arc-hsdk_defconfig-enable-config_blk_dev_ram.patch
@@ -0,0 +1,36 @@
+From 101aa1a568e9095cddfdeeb4f9242dd140aaca63 Mon Sep 17 00:00:00 2001
+From: Corentin Labbe
+Date: Mon, 25 Feb 2019 09:45:38 +0000
+Subject: arc: hsdk_defconfig: Enable CONFIG_BLK_DEV_RAM
+
+[ Upstream commit 0728aeb7ead99a9b0dac2f3c92b3752b4e02ff97 ]
+
+We have now a HSDK device in our kernelci lab, but kernel builded via
+the hsdk_defconfig lacks ramfs supports, so it cannot boot kernelci jobs
+yet.
+
+So this patch enable CONFIG_BLK_DEV_RAM in hsdk_defconfig.
+
+Signed-off-by: Corentin Labbe
+Acked-by: Alexey Brodkin
+Signed-off-by: Vineet Gupta
+Signed-off-by: Sasha Levin
+---
+ arch/arc/configs/hsdk_defconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arc/configs/hsdk_defconfig b/arch/arc/configs/hsdk_defconfig
+index 87b23b7fb781..aefcf7a4e17a 100644
+--- a/arch/arc/configs/hsdk_defconfig
++++ b/arch/arc/configs/hsdk_defconfig
+@@ -8,6 +8,7 @@ CONFIG_NAMESPACES=y
+ # CONFIG_UTS_NS is not set
+ # CONFIG_PID_NS is not set
+ CONFIG_BLK_DEV_INITRD=y
++CONFIG_BLK_DEV_RAM=y
+ CONFIG_EMBEDDED=y
+ CONFIG_PERF_EVENTS=y
+ # CONFIG_VM_EVENT_COUNTERS is not set
+--
+2.19.1
+
diff --git a/queue-5.0/arc-u-boot-args-check-that-magic-number-is-correct.patch b/queue-5.0/arc-u-boot-args-check-that-magic-number-is-correct.patch
new file mode 100644
index 0000000000..5e1360e6de
--- /dev/null
+++ b/queue-5.0/arc-u-boot-args-check-that-magic-number-is-correct.patch
@@ -0,0 +1,78 @@ +From ffcca3375f453c6d1ebcdc7ab595eeb7356b1526 Mon Sep 17 00:00:00 2001 +From: Eugeniy Paltsev +Date: Mon, 25 Feb 2019 20:16:01 +0300 +Subject: ARC: u-boot args: check that magic number is correct + +[ Upstream commit edb64bca50cd736c6894cc6081d5263c007ce005 ] + +In case of devboards we really often disable bootloader and load +Linux image in memory via JTAG. Even if kernel tries to verify +uboot_tag and uboot_arg there is sill a chance that we treat some +garbage in registers as valid u-boot arguments in JTAG case. +E.g. it is enough to have '1' in r0 to treat any value in r2 as +a boot command line. + +So check that magic number passed from u-boot is correct and drop +u-boot arguments otherwise. That helps to reduce the possibility +of using garbage as u-boot arguments in JTAG case. + +We can safely check U-boot magic value (0x0) in linux passed via +r1 register as U-boot pass it from the beginning. So there is no +backward-compatibility issues. + +Signed-off-by: Eugeniy Paltsev +Signed-off-by: Vineet Gupta +Signed-off-by: Sasha Levin +--- + arch/arc/kernel/head.S | 1 + + arch/arc/kernel/setup.c | 8 ++++++++ + 2 files changed, 9 insertions(+) + +diff --git a/arch/arc/kernel/head.S b/arch/arc/kernel/head.S +index 30e090625916..a72bbda2f7aa 100644 +--- a/arch/arc/kernel/head.S ++++ b/arch/arc/kernel/head.S +@@ -106,6 +106,7 @@ ENTRY(stext) + ; r2 = pointer to uboot provided cmdline or external DTB in mem + ; These are handled later in handle_uboot_args() + st r0, [@uboot_tag] ++ st r1, [@uboot_magic] + st r2, [@uboot_arg] + + ; setup "current" tsk and optionally cache it in dedicated r25 +diff --git a/arch/arc/kernel/setup.c b/arch/arc/kernel/setup.c +index 7b2340996cf8..7b3a7b3b380c 100644 +--- a/arch/arc/kernel/setup.c ++++ b/arch/arc/kernel/setup.c +@@ -36,6 +36,7 @@ unsigned int intr_to_DE_cnt; + + /* Part of U-boot ABI: see head.S */ + int __initdata uboot_tag; ++int __initdata uboot_magic; + char __initdata *uboot_arg; + + const struct 
machine_desc *machine_desc; +@@ -497,6 +498,8 @@ static inline bool uboot_arg_invalid(unsigned long addr) + #define UBOOT_TAG_NONE 0 + #define UBOOT_TAG_CMDLINE 1 + #define UBOOT_TAG_DTB 2 ++/* We always pass 0 as magic from U-boot */ ++#define UBOOT_MAGIC_VALUE 0 + + void __init handle_uboot_args(void) + { +@@ -511,6 +514,11 @@ void __init handle_uboot_args(void) + goto ignore_uboot_args; + } + ++ if (uboot_magic != UBOOT_MAGIC_VALUE) { ++ pr_warn(IGNORE_ARGS "non zero uboot magic\n"); ++ goto ignore_uboot_args; ++ } ++ + if (uboot_tag != UBOOT_TAG_NONE && + uboot_arg_invalid((unsigned long)uboot_arg)) { + pr_warn(IGNORE_ARGS "invalid uboot arg: '%px'\n", uboot_arg); +-- +2.19.1 + diff --git a/queue-5.0/arm-8839-1-kprobe-make-patch_lock-a-raw_spinlock_t.patch b/queue-5.0/arm-8839-1-kprobe-make-patch_lock-a-raw_spinlock_t.patch new file mode 100644 index 0000000000..40111d23b0 --- /dev/null +++ b/queue-5.0/arm-8839-1-kprobe-make-patch_lock-a-raw_spinlock_t.patch 
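Review bot: The new `uboot_magic != UBOOT_MAGIC_VALUE` test in `handle_uboot_args()` compares against 0, which may also be what an untouched r1 holds after a JTAG load, so the check narrows the window for garbage arguments rather than closing it, as the commit message itself concedes. The comment on the define should say so, for example `/* r1 from U-Boot is always 0; sanity heuristic only, tag and arg are still checked separately */`, so that a passing magic is not later read as proof that `uboot_arg` can be trusted. `handle_uboot_args()` starts and ends outside the hunk.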
@@ -0,0 +1,67 @@
+From 8b30593a123e75846f5cb5615c467bc2b04e759b Mon Sep 17 00:00:00 2001
+From: Yang Shi
+Date: Wed, 13 Feb 2019 17:14:23 +0100
+Subject: ARM: 8839/1: kprobe: make patch_lock a raw_spinlock_t
+
+[ Upstream commit 143c2a89e0e5fda6c6fd08d7bc1126438c19ae90 ]
+
+When running kprobe on -rt kernel, the below bug is caught:
+
+|BUG: sleeping function called from invalid context at kernel/locking/rtmutex.c:931
+|in_atomic(): 1, irqs_disabled(): 128, pid: 14, name: migration/0
+|Preemption disabled at:[<802f2b98>] cpu_stopper_thread+0xc0/0x140
+|CPU: 0 PID: 14 Comm: migration/0 Tainted: G O 4.8.3-rt2 #1
+|Hardware name: Freescale LS1021A
+|[<8025a43c>] (___might_sleep)
+|[<80b5b324>] (rt_spin_lock)
+|[<80b5c31c>] (__patch_text_real)
+|[<80b5c3ac>] (patch_text_stop_machine)
+|[<802f2920>] (multi_cpu_stop)
+
+Since patch_text_stop_machine() is called in stop_machine() which
+disables IRQ, sleepable lock should be not used in this atomic context,
+ so replace patch_lock to raw lock.
+
+Signed-off-by: Yang Shi
+Signed-off-by: Sebastian Andrzej Siewior
+Reviewed-by: Arnd Bergmann
+Signed-off-by: Russell King
+Signed-off-by: Sasha Levin
+---
+ arch/arm/kernel/patch.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm/kernel/patch.c b/arch/arm/kernel/patch.c
+index a50dc00d79a2..d0a05a3bdb96 100644
+--- a/arch/arm/kernel/patch.c
++++ b/arch/arm/kernel/patch.c
+@@ -16,7 +16,7 @@ struct patch {
+ unsigned int insn;
+ };
+
+-static DEFINE_SPINLOCK(patch_lock);
++static DEFINE_RAW_SPINLOCK(patch_lock);
+
+ static void __kprobes *patch_map(void *addr, int fixmap, unsigned long *flags)
+ __acquires(&patch_lock)
+@@ -33,7 +33,7 @@ static void __kprobes *patch_map(void *addr, int fixmap, unsigned long *flags)
+ return addr;
+
+ if (flags)
+- spin_lock_irqsave(&patch_lock, *flags);
++ raw_spin_lock_irqsave(&patch_lock, *flags);
+ else
+ __acquire(&patch_lock);
+
+@@ -48,7 +48,7 @@ static void __kprobes patch_unmap(int fixmap, unsigned long *flags)
+ clear_fixmap(fixmap);
+
+ if (flags)
+- spin_unlock_irqrestore(&patch_lock, *flags);
++ raw_spin_unlock_irqrestore(&patch_lock, *flags);
+ else
+ __release(&patch_lock);
+ }
+--
+2.19.1
+
diff --git a/queue-5.0/auxdisplay-hd44780-fix-memory-leak-on-remove.patch b/queue-5.0/auxdisplay-hd44780-fix-memory-leak-on-remove.patch
new file mode 100644
index 0000000000..cf35263dd4
--- /dev/null
+++ b/queue-5.0/auxdisplay-hd44780-fix-memory-leak-on-remove.patch
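Review bot: `static DEFINE_RAW_SPINLOCK(patch_lock);` has no comment saying why the raw variant is required, so a later cleanup could turn it back into a sleeping lock on -rt and reintroduce the reported bug. A line above the definition such as `/* raw: taken under stop_machine() with IRQs off, must never sleep on -rt */` records the constraint from the commit message. With a raw lock the region between patch_map() and patch_unmap() is also non-preemptible on -rt, so it should stay short; both function bodies extend outside the hunks.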
@@ -0,0 +1,34 @@
+From 354b64ac73aa1b13774169e87a08b0e3d2fc8a55 Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko
+Date: Tue, 12 Mar 2019 16:44:28 +0200
+Subject: auxdisplay: hd44780: Fix memory leak on ->remove()
+
+[ Upstream commit 41c8d0adf3c4df1867d98cee4a2c4531352a33ad ]
+
+We have to free on ->remove() the allocated resources on ->probe().
+
+Fixes: d47d88361fee ("auxdisplay: Add HD44780 Character LCD support")
+Reviewed-by: Geert Uytterhoeven
+Signed-off-by: Andy Shevchenko
+Signed-off-by: Miguel Ojeda
+Signed-off-by: Sasha Levin
+---
+ drivers/auxdisplay/hd44780.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/auxdisplay/hd44780.c b/drivers/auxdisplay/hd44780.c
+index 9ad93ea42fdc..3cde351fb5c9 100644
+--- a/drivers/auxdisplay/hd44780.c
++++ b/drivers/auxdisplay/hd44780.c
+@@ -280,6 +280,8 @@ static int hd44780_remove(struct platform_device *pdev)
+ struct charlcd *lcd = platform_get_drvdata(pdev);
+
+ charlcd_unregister(lcd);
++
++ kfree(lcd);
+ return 0;
+ }
+
+--
+2.19.1
+
diff --git a/queue-5.0/blk-iolatency-include-blk.h.patch b/queue-5.0/blk-iolatency-include-blk.h.patch
new file mode 100644
index 0000000000..8c27fc382d
--- /dev/null
+++ b/queue-5.0/blk-iolatency-include-blk.h.patch
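Review bot: `kfree(lcd)` in hd44780_remove() is correct only if the pointer returned by platform_get_drvdata() is the start of the allocation made in ->probe(), and the hunk does not show that allocation. If probe hands back a pointer into a larger object, or anything still holds `lcd` after charlcd_unregister() returns, this line becomes an invalid free or a use-after-free rather than a leak fix. A comment on the added line stating the ownership, for example `/* allocated in hd44780_probe(); no users remain after charlcd_unregister() */`, would make the assumption checkable; it should be confirmed against the probe path before being written down.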
@@ -0,0 +1,36 @@
+From 883a309561814d44df459be2538492ec53856780 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche
+Date: Wed, 20 Mar 2019 13:15:01 -0700
+Subject: blk-iolatency: #include "blk.h"
+
+[ Upstream commit 373e915cd8e84544609eced57a44fbc084f8d60f ]
+
+This patch avoids that the following warning is reported when building
+with W=1:
+
+block/blk-iolatency.c:734:5: warning: no previous prototype for 'blk_iolatency_init' [-Wmissing-prototypes]
+
+Cc: Josef Bacik
+Fixes: d70675121546 ("block: introduce blk-iolatency io controller") # v4.19
+Signed-off-by: Bart Van Assche
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ block/blk-iolatency.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/block/blk-iolatency.c b/block/blk-iolatency.c
+index 2620baa1f699..507212d75ee2 100644
+--- a/block/blk-iolatency.c
++++ b/block/blk-iolatency.c
+@@ -75,6 +75,7 @@
+ #include
+ #include "blk-rq-qos.h"
+ #include "blk-stat.h"
++#include "blk.h"
+
+ #define DEFAULT_SCALE_COOKIE 1000000U
+
+--
+2.19.1
+
diff --git a/queue-5.0/cifs-fix-slab-out-of-bounds-when-tracing-smb-tcon.patch b/queue-5.0/cifs-fix-slab-out-of-bounds-when-tracing-smb-tcon.patch
new file mode 100644
index 0000000000..7845b27c5b
--- /dev/null
+++ b/queue-5.0/cifs-fix-slab-out-of-bounds-when-tracing-smb-tcon.patch
@@ -0,0 +1,134 @@ +From f409f8489fbde4570c6372326192f5d2f1363fd2 Mon Sep 17 00:00:00 2001 +From: "Paulo Alcantara (SUSE)" +Date: Thu, 21 Mar 2019 19:31:22 -0300 +Subject: cifs: Fix slab-out-of-bounds when tracing SMB tcon + +[ Upstream commit 68ddb496800acdb46172b4981dc3753ea9b39c25 ] + +This patch fixes the following KASAN report: + +[ 779.044746] BUG: KASAN: slab-out-of-bounds in string+0xab/0x180 +[ 779.044750] Read of size 1 at addr ffff88814f327968 by task trace-cmd/2812 + +[ 779.044756] CPU: 1 PID: 2812 Comm: trace-cmd Not tainted 5.1.0-rc1+ #62 +[ 779.044760] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-0-ga698c89-prebuilt.qemu.org 04/01/2014 +[ 779.044761] Call Trace: +[ 779.044769] dump_stack+0x5b/0x90 +[ 779.044775] ? string+0xab/0x180 +[ 779.044781] print_address_description+0x6c/0x23c +[ 779.044787] ? string+0xab/0x180 +[ 779.044792] ? string+0xab/0x180 +[ 779.044797] kasan_report.cold.3+0x1a/0x32 +[ 779.044803] ? string+0xab/0x180 +[ 779.044809] string+0xab/0x180 +[ 779.044816] ? widen_string+0x160/0x160 +[ 779.044822] ? vsnprintf+0x5bf/0x7f0 +[ 779.044829] vsnprintf+0x4e7/0x7f0 +[ 779.044836] ? pointer+0x4a0/0x4a0 +[ 779.044841] ? seq_buf_vprintf+0x79/0xc0 +[ 779.044848] seq_buf_vprintf+0x62/0xc0 +[ 779.044855] trace_seq_printf+0x113/0x210 +[ 779.044861] ? trace_seq_puts+0x110/0x110 +[ 779.044867] ? trace_raw_output_prep+0xd8/0x110 +[ 779.044876] trace_raw_output_smb3_tcon_class+0x9f/0xc0 +[ 779.044882] print_trace_line+0x377/0x890 +[ 779.044888] ? tracing_buffers_read+0x300/0x300 +[ 779.044893] ? ring_buffer_read+0x58/0x70 +[ 779.044899] s_show+0x6e/0x140 +[ 779.044906] seq_read+0x505/0x6a0 +[ 779.044913] vfs_read+0xaf/0x1b0 +[ 779.044919] ksys_read+0xa1/0x130 +[ 779.044925] ? kernel_write+0xa0/0xa0 +[ 779.044931] ? 
__do_page_fault+0x3d5/0x620 +[ 779.044938] do_syscall_64+0x63/0x150 +[ 779.044944] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 779.044949] RIP: 0033:0x7f62c2c2db31 +[ 779.044955] Code: fe ff ff 48 8d 3d 17 9e 09 00 48 83 ec 08 e8 96 02 +02 00 66 0f 1f 44 00 00 8b 05 fa fc 2c 00 48 63 ff 85 c0 75 13 31 c0 +0f 05 <48> 3d 00 f0 ff ff 77 57 f3 c3 0f 1f 44 00 00 55 53 48 89 d5 48 +89 +[ 779.044958] RSP: 002b:00007ffd6e116678 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 +[ 779.044964] RAX: ffffffffffffffda RBX: 0000560a38be9260 RCX: 00007f62c2c2db31 +[ 779.044966] RDX: 0000000000002000 RSI: 00007ffd6e116710 RDI: 0000000000000003 +[ 779.044966] RDX: 0000000000002000 RSI: 00007ffd6e116710 RDI: 0000000000000003 +[ 779.044969] RBP: 00007f62c2ef5420 R08: 0000000000000000 R09: 0000000000000003 +[ 779.044972] R10: ffffffffffffffa8 R11: 0000000000000246 R12: 00007ffd6e116710 +[ 779.044975] R13: 0000000000002000 R14: 0000000000000d68 R15: 0000000000002000 + +[ 779.044981] Allocated by task 1257: +[ 779.044987] __kasan_kmalloc.constprop.5+0xc1/0xd0 +[ 779.044992] kmem_cache_alloc+0xad/0x1a0 +[ 779.044997] getname_flags+0x6c/0x2a0 +[ 779.045003] user_path_at_empty+0x1d/0x40 +[ 779.045008] do_faccessat+0x12a/0x330 +[ 779.045012] do_syscall_64+0x63/0x150 +[ 779.045017] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +[ 779.045019] Freed by task 1257: +[ 779.045023] __kasan_slab_free+0x12e/0x180 +[ 779.045029] kmem_cache_free+0x85/0x1b0 +[ 779.045034] filename_lookup.part.70+0x176/0x250 +[ 779.045039] do_faccessat+0x12a/0x330 +[ 779.045043] do_syscall_64+0x63/0x150 +[ 779.045048] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +[ 779.045052] The buggy address belongs to the object at ffff88814f326600 +which belongs to the cache names_cache of size 4096 +[ 779.045057] The buggy address is located 872 bytes to the right of +4096-byte region [ffff88814f326600, ffff88814f327600) +[ 779.045058] The buggy address belongs to the page: +[ 779.045062] page:ffffea00053cc800 count:1 mapcount:0 
mapping:ffff88815b191b40 index:0x0 compound_mapcount: 0 +[ 779.045067] flags: 0x200000000010200(slab|head) +[ 779.045075] raw: 0200000000010200 dead000000000100 dead000000000200 ffff88815b191b40 +[ 779.045081] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000 +[ 779.045083] page dumped because: kasan: bad access detected + +[ 779.045085] Memory state around the buggy address: +[ 779.045089] ffff88814f327800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 779.045093] ffff88814f327880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 779.045097] >ffff88814f327900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 779.045099] ^ +[ 779.045103] ffff88814f327980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 779.045107] ffff88814f327a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 779.045109] ================================================================== +[ 779.045110] Disabling lock debugging due to kernel taint + +Correctly assign tree name str for smb3_tcon event. + +Signed-off-by: Paulo Alcantara (SUSE) +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/trace.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/fs/cifs/trace.h b/fs/cifs/trace.h +index 59be48206932..b49bc925fb4f 100644 +--- a/fs/cifs/trace.h ++++ b/fs/cifs/trace.h +@@ -378,19 +378,19 @@ DECLARE_EVENT_CLASS(smb3_tcon_class, + __field(unsigned int, xid) + __field(__u32, tid) + __field(__u64, sesid) +- __field(const char *, unc_name) ++ __string(name, unc_name) + __field(int, rc) + ), + TP_fast_assign( + __entry->xid = xid; + __entry->tid = tid; + __entry->sesid = sesid; +- __entry->unc_name = unc_name; ++ __assign_str(name, unc_name); + __entry->rc = rc; + ), + TP_printk("xid=%u sid=0x%llx tid=0x%x unc_name=%s rc=%d", + __entry->xid, __entry->sesid, __entry->tid, +- __entry->unc_name, __entry->rc) ++ __get_str(name), __entry->rc) + ) + + #define DEFINE_SMB3_TCON_EVENT(name) \ +-- +2.19.1 + 
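Review bot: The reason for moving smb3_tcon_class from `__field(const char *, unc_name)` to `__string(name, unc_name)` is not recorded next to the code: the old field stored only the caller's pointer, and the KASAN report shows it being dereferenced when the event is printed, after that memory was no longer the caller's. A comment in the struct section such as `/* copy the name into the entry: events are formatted later, when the caller's buffer may be gone */` would stop the pattern from coming back. Any other event class in this header that keeps a string as a `const char *` field would have the same stale read; none is visible in this hunk, so the rest of the file needs checking. The DECLARE_EVENT_CLASS invocation starts outside the hunk.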
diff --git a/queue-5.0/cifs-fix-that-return-einval-when-do-dedupe-operation.patch b/queue-5.0/cifs-fix-that-return-einval-when-do-dedupe-operation.patch
new file mode 100644
index 0000000000..ee368c5ba1
--- /dev/null
+++ b/queue-5.0/cifs-fix-that-return-einval-when-do-dedupe-operation.patch
@@ -0,0 +1,56 @@
+From 709484bbfc9569a1c591294310cbdc99d076d8da Mon Sep 17 00:00:00 2001
+From: Xiaoli Feng
+Date: Sat, 16 Mar 2019 12:11:54 +0800
+Subject: cifs: fix that return -EINVAL when do dedupe operation
+
+[ Upstream commit b073a08016a10f01dfb0d0b6c7fa89da0d544963 ]
+
+dedupe_file_range operations is combiled into remap_file_range.
+But it's always skipped for dedupe operations in function
+cifs_remap_file_range.
+
+Example to test:
+Before this patch:
+ # dd if=/dev/zero of=cifs/file bs=1M count=1
+ # xfs_io -c "dedupe cifs/file 4k 64k 4k" cifs/file
+ XFS_IOC_FILE_EXTENT_SAME: Invalid argument
+
+After this patch:
+ # dd if=/dev/zero of=cifs/file bs=1M count=1
+ # xfs_io -c "dedupe cifs/file 4k 64k 4k" cifs/file
+ XFS_IOC_FILE_EXTENT_SAME: Operation not supported
+
+Influence for xfstests:
+generic/091
+generic/112
+generic/127
+generic/263
+These tests report this error "do_copy_range:: Invalid
+argument" instead of "FIDEDUPERANGE: Invalid argument".
+Because there are still two bugs cause these test failed.
+https://bugzilla.kernel.org/show_bug.cgi?id=202935
+https://bugzilla.kernel.org/show_bug.cgi?id=202785
+
+Signed-off-by: Xiaoli Feng
+Signed-off-by: Steve French
+Signed-off-by: Sasha Levin
+---
+ fs/cifs/cifsfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c
+index 07cad54b84f1..e8e125acd712 100644
+--- a/fs/cifs/cifsfs.c
++++ b/fs/cifs/cifsfs.c
+@@ -1010,7 +1010,7 @@ static loff_t cifs_remap_file_range(struct file *src_file, loff_t off,
+ unsigned int xid;
+ int rc;
+
+- if (remap_flags & ~REMAP_FILE_ADVISORY)
++ if (remap_flags & ~(REMAP_FILE_DEDUP | REMAP_FILE_ADVISORY))
+ return -EINVAL;
+
+ cifs_dbg(FYI, "clone range\n");
+--
+2.19.1
+
diff --git a/queue-5.0/cifs-return-enodata-when-deleting-an-xattr-that-does.patch b/queue-5.0/cifs-return-enodata-when-deleting-an-xattr-that-does.patch
new file mode 100644
index 0000000000..52efe2230a
--- /dev/null
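Review bot: After this change a request carrying `REMAP_FILE_DEDUP` passes the flag check in cifs_remap_file_range() and reaches the code logged as "clone range", and nothing visible in the hunk tells dedupe apart from clone. Dedupe may only share ranges whose contents already match, so if the rest of the function performs a clone, a dedupe request would overwrite the destination range with the source data. The commit message expects "Operation not supported", so an explicit `if (remap_flags & REMAP_FILE_DEDUP) return -EOPNOTSUPP;` placed before the `-EINVAL` check, which could then stay as it was, would make that result independent of server capabilities. The function body continues outside the hunk, so whether a later branch already rejects dedupe has to be confirmed there.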
+++ b/queue-5.0/cifs-return-enodata-when-deleting-an-xattr-that-does.patch
@@ -0,0 +1,45 @@
+From d5f8092e43806b6bcc0e7b26cd8fbeacadbd00e0 Mon Sep 17 00:00:00 2001
+From: Ronnie Sahlberg
+Date: Thu, 7 Feb 2019 15:48:44 +1000
+Subject: cifs: return -ENODATA when deleting an xattr that does not exist
+
+[ Upstream commit 2109464184919f81efd593b4008291448c522815 ]
+
+BUGZILLA: https://bugzilla.kernel.org/show_bug.cgi?id=202007
+
+When deleting an xattr/EA:
+SMB2/3 servers will return SUCCESS when clients delete non-existing EAs.
+This means that we need to first QUERY the server and check if the EA
+exists or not so that we can return -ENODATA correctly when this happens.
+
+Signed-off-by: Ronnie Sahlberg
+Signed-off-by: Steve French
+Signed-off-by: Sasha Levin
+---
+ fs/cifs/smb2ops.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
+index b29f711ab965..ea56b1cdbdde 100644
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -949,6 +949,16 @@ smb2_set_ea(const unsigned int xid, struct cifs_tcon *tcon,
+ resp_buftype[0] = resp_buftype[1] = resp_buftype[2] = CIFS_NO_BUFFER;
+ memset(rsp_iov, 0, sizeof(rsp_iov));
+
++ if (ses->server->ops->query_all_EAs) {
++ if (!ea_value) {
++ rc = ses->server->ops->query_all_EAs(xid, tcon, path,
++ ea_name, NULL, 0,
++ cifs_sb);
++ if (rc == -ENODATA)
++ goto sea_exit;
++ }
++ }
++
+ /* Open */
+ memset(&open_iov, 0, sizeof(open_iov));
+ rqst[0].rq_iov = open_iov;
+--
+2.19.1
+
diff --git a/queue-5.0/coresight-cpu-debug-support-for-ca73-cpus.patch b/queue-5.0/coresight-cpu-debug-support-for-ca73-cpus.patch
new file mode 100644
index 0000000000..96de4b429b
--- /dev/null
+++ b/queue-5.0/coresight-cpu-debug-support-for-ca73-cpus.patch
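Review bot: In the added block of smb2_set_ea() only `rc == -ENODATA` from query_all_EAs() is acted on; any other result, including a permission or transport error, is left in `rc` and the delete goes ahead. If that is intended it deserves a comment such as `/* other query errors are ignored; the set request below reports its own status */`, and it relies on `rc` being overwritten before `sea_exit`, which is outside the hunk. The existence check and the delete are also two separate requests, so the -ENODATA answer is best effort when another client changes the attribute in between. The two nested tests could be one condition, `if (!ea_value && ses->server->ops->query_all_EAs) {`.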
@@ -0,0 +1,38 @@
+From 86bb855bce40ff5b57253b6a637cf3baff922ae1 Mon Sep 17 00:00:00 2001
+From: Leo Yan
+Date: Tue, 5 Feb 2019 16:24:53 -0700
+Subject: coresight: cpu-debug: Support for CA73 CPUs
+
+[ Upstream commit a0f890aba2be33377f4eb24e13633c4a76a68f38 ]
+
+This patch is to add the AMBA device ID for CA73 CPU, so that CPU debug
+module can be initialized successfully when a SoC contain CA73 CPUs.
+
+This patch has been verified on 96boards Hikey960.
+
+Signed-off-by: Leo Yan
+Signed-off-by: Mathieu Poirier
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/hwtracing/coresight/coresight-cpu-debug.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/hwtracing/coresight/coresight-cpu-debug.c b/drivers/hwtracing/coresight/coresight-cpu-debug.c
+index 45b2460f3166..e8819d750938 100644
+--- a/drivers/hwtracing/coresight/coresight-cpu-debug.c
++++ b/drivers/hwtracing/coresight/coresight-cpu-debug.c
+@@ -668,6 +668,10 @@ static const struct amba_id debug_ids[] = {
+ .id = 0x000bbd08,
+ .mask = 0x000fffff,
+ },
++ { /* Debug for Cortex-A73 */
++ .id = 0x000bbd09,
++ .mask = 0x000fffff,
++ },
+ { 0, 0 },
+ };
+
+--
+2.19.1
+
diff --git a/queue-5.0/crypto-axis-fix-for-recursive-locking-from-bottom-ha.patch b/queue-5.0/crypto-axis-fix-for-recursive-locking-from-bottom-ha.patch
new file mode 100644
index 0000000000..44fbad12d1
--- /dev/null
+++ b/queue-5.0/crypto-axis-fix-for-recursive-locking-from-bottom-ha.patch
@@ -0,0 +1,134 @@ +From 17121c0ba58312d45e4a90aa7448e9e2d4b2f29f Mon Sep 17 00:00:00 2001 +From: Lars Persson +Date: Wed, 23 Jan 2019 12:59:42 +0100 +Subject: crypto: axis - fix for recursive locking from bottom half + +[ Upstream commit c34a83820f59bb275e5f2d55cd5ea99c64f6ef23 ] + +Clients may submit a new requests from the completion callback +context. The driver was not prepared to receive a request in this +state because it already held the request queue lock and a recursive +lock error is triggered. + +Now all completions are queued up until we are ready to drop the queue +lock and then delivered. + +The fault was triggered by TCP over an IPsec connection in the LTP +test suite: + LTP: starting tcp4_ipsec02 (tcp_ipsec.sh -p ah -m transport -s "100 1000 65535") + BUG: spinlock recursion on CPU#1, genload/943 + lock: 0xbf3c3094, .magic: dead4ead, .owner: genload/943, .owner_cpu: 1 + CPU: 1 PID: 943 Comm: genload Tainted: G O 4.9.62-axis5-devel #6 + Hardware name: Axis ARTPEC-6 Platform + (unwind_backtrace) from [<8010d134>] (show_stack+0x18/0x1c) + (show_stack) from [<803a289c>] (dump_stack+0x84/0x98) + (dump_stack) from [<8016e164>] (do_raw_spin_lock+0x124/0x128) + (do_raw_spin_lock) from [<804de1a4>] (artpec6_crypto_submit+0x2c/0xa0) + (artpec6_crypto_submit) from [<804def38>] (artpec6_crypto_prepare_submit_hash+0xd0/0x54c) + (artpec6_crypto_prepare_submit_hash) from [<7f3165f0>] (ah_output+0x2a4/0x3dc [ah4]) + (ah_output [ah4]) from [<805df9bc>] (xfrm_output_resume+0x178/0x4a4) + (xfrm_output_resume) from [<805d283c>] (xfrm4_output+0xac/0xbc) + (xfrm4_output) from [<80587928>] (ip_queue_xmit+0x140/0x3b4) + (ip_queue_xmit) from [<805a13b4>] (tcp_transmit_skb+0x4c4/0x95c) + (tcp_transmit_skb) from [<8059f218>] (tcp_rcv_state_process+0xdf4/0xdfc) + (tcp_rcv_state_process) from [<805a7530>] (tcp_v4_do_rcv+0x64/0x1ac) + (tcp_v4_do_rcv) from [<805a9724>] (tcp_v4_rcv+0xa34/0xb74) + (tcp_v4_rcv) from [<80581d34>] (ip_local_deliver_finish+0x78/0x2b0) + 
(ip_local_deliver_finish) from [<8058259c>] (ip_local_deliver+0xe4/0x104) + (ip_local_deliver) from [<805d23ec>] (xfrm4_transport_finish+0xf4/0x144) + (xfrm4_transport_finish) from [<805df564>] (xfrm_input+0x4f4/0x74c) + (xfrm_input) from [<804de420>] (artpec6_crypto_task+0x208/0x38c) + (artpec6_crypto_task) from [<801271b0>] (tasklet_action+0x60/0xec) + (tasklet_action) from [<801266d4>] (__do_softirq+0xcc/0x3a4) + (__do_softirq) from [<80126d20>] (irq_exit+0xf4/0x15c) + (irq_exit) from [<801741e8>] (__handle_domain_irq+0x68/0xbc) + (__handle_domain_irq) from [<801014f0>] (gic_handle_irq+0x50/0x94) + (gic_handle_irq) from [<80657370>] (__irq_usr+0x50/0x80) + +Signed-off-by: Lars Persson +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/axis/artpec6_crypto.c | 28 +++++++++++++++++++++++----- + 1 file changed, 23 insertions(+), 5 deletions(-) + +diff --git a/drivers/crypto/axis/artpec6_crypto.c b/drivers/crypto/axis/artpec6_crypto.c +index f3442c2bdbdc..3c70004240d6 100644 +--- a/drivers/crypto/axis/artpec6_crypto.c ++++ b/drivers/crypto/axis/artpec6_crypto.c +@@ -284,6 +284,7 @@ enum artpec6_crypto_hash_flags { + + struct artpec6_crypto_req_common { + struct list_head list; ++ struct list_head complete_in_progress; + struct artpec6_crypto_dma_descriptors *dma; + struct crypto_async_request *req; + void (*complete)(struct crypto_async_request *req); +@@ -2045,7 +2046,8 @@ static int artpec6_crypto_prepare_aead(struct aead_request *areq) + return artpec6_crypto_dma_map_descs(common); + } + +-static void artpec6_crypto_process_queue(struct artpec6_crypto *ac) ++static void artpec6_crypto_process_queue(struct artpec6_crypto *ac, ++ struct list_head *completions) + { + struct artpec6_crypto_req_common *req; + +@@ -2056,7 +2058,7 @@ static void artpec6_crypto_process_queue(struct artpec6_crypto *ac) + list_move_tail(&req->list, &ac->pending); + artpec6_crypto_start_dma(req); + +- req->req->complete(req->req, -EINPROGRESS); ++ 
list_add_tail(&req->complete_in_progress, completions); + } + + /* +@@ -2086,6 +2088,11 @@ static void artpec6_crypto_task(unsigned long data) + struct artpec6_crypto *ac = (struct artpec6_crypto *)data; + struct artpec6_crypto_req_common *req; + struct artpec6_crypto_req_common *n; ++ struct list_head complete_done; ++ struct list_head complete_in_progress; ++ ++ INIT_LIST_HEAD(&complete_done); ++ INIT_LIST_HEAD(&complete_in_progress); + + if (list_empty(&ac->pending)) { + pr_debug("Spurious IRQ\n"); +@@ -2119,19 +2126,30 @@ static void artpec6_crypto_task(unsigned long data) + + pr_debug("Completing request %p\n", req); + +- list_del(&req->list); ++ list_move_tail(&req->list, &complete_done); + + artpec6_crypto_dma_unmap_all(req); + artpec6_crypto_copy_bounce_buffers(req); + + ac->pending_count--; + artpec6_crypto_common_destroy(req); +- req->complete(req->req); + } + +- artpec6_crypto_process_queue(ac); ++ artpec6_crypto_process_queue(ac, &complete_in_progress); + + spin_unlock_bh(&ac->queue_lock); ++ ++ /* Perform the completion callbacks without holding the queue lock ++ * to allow new request submissions from the callbacks. ++ */ ++ list_for_each_entry_safe(req, n, &complete_done, list) { ++ req->complete(req->req); ++ } ++ ++ list_for_each_entry_safe(req, n, &complete_in_progress, ++ complete_in_progress) { ++ req->req->complete(req->req, -EINPROGRESS); ++ } + } + + static void artpec6_crypto_complete_crypto(struct crypto_async_request *req) +-- +2.19.1 + diff --git a/queue-5.0/drm-amdgpu-psp_ring_destroy-cause-psp-km_ring.ring_m.patch b/queue-5.0/drm-amdgpu-psp_ring_destroy-cause-psp-km_ring.ring_m.patch new file mode 100644 index 0000000000..4beda1eb8e --- /dev/null +++ b/queue-5.0/drm-amdgpu-psp_ring_destroy-cause-psp-km_ring.ring_m.patch 
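Review bot: In artpec6_crypto_task() the local list head `complete_in_progress` has the same name as the new `complete_in_progress` member of struct artpec6_crypto_req_common, so `list_for_each_entry_safe(req, n, &complete_in_progress, complete_in_progress)` is hard to read correctly. Declaring the locals as `LIST_HEAD(done_list); LIST_HEAD(in_progress_list);` would remove the ambiguity and the two INIT_LIST_HEAD calls. The entries are never unlinked from these on-stack lists, so after the function returns the embedded list nodes point at dead stack memory; that looks harmless only as long as no later code tests or deletes them, which is worth a comment. The `_safe` iterator is presumably needed because the callback may release the request, and the comment above the loops could say so. The function starts outside the hunk.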
@@ -0,0 +1,35 @@
+From 3acbbda84d55c281707ce611aacda4247c46f909 Mon Sep 17 00:00:00 2001
+From: wentalou
+Date: Tue, 18 Dec 2018 15:42:08 +0800
+Subject: drm/amdgpu: psp_ring_destroy cause psp->km_ring.ring_mem NULL
+
+[ Upstream commit 14d20ec7f31ef96a2e7dcf7880b13dde1d473b56 ]
+
+psp_ring_destroy inside psp_load_fw cause psp->km_ring.ring_mem NULL.
+Call Trace occurred when psp_cmd_submit.
+should be psp_ring_stop instead.
+
+Reviewed-by: Xiangliang Yu
+Signed-off-by: Wentao Lou
+Signed-off-by: Alex Deucher
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c
+index 3a9b48b227ac..a7208ca0bfe3 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c
+@@ -546,7 +546,7 @@ static int psp_load_fw(struct amdgpu_device *adev)
+ struct psp_context *psp = &adev->psp;
+
+ if (amdgpu_sriov_vf(adev) && adev->in_gpu_reset) {
+- psp_ring_destroy(psp, PSP_RING_TYPE__KM);
++ psp_ring_stop(psp, PSP_RING_TYPE__KM); /* should not destroy ring, only stop */
+ goto skip_memalloc;
+ }
+
+--
+2.19.1
+
diff --git a/queue-5.0/drm-amdkfd-use-init_mqd-function-to-allocate-object-.patch b/queue-5.0/drm-amdkfd-use-init_mqd-function-to-allocate-object-.patch
new file mode 100644
index 0000000000..c04f3f9862
--- /dev/null
+++ b/queue-5.0/drm-amdkfd-use-init_mqd-function-to-allocate-object-.patch
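Review bot: The result of `psp_ring_stop(psp, PSP_RING_TYPE__KM)` in psp_load_fw() is discarded before `goto skip_memalloc`, so if stopping the ring can fail, firmware loading during a VF GPU reset continues on a ring in an unknown state. Its return type is not visible in the hunk; if it reports a status, that status should be checked and propagated here. The trailing comment says what not to do but not why; a line above the call such as `/* keep km_ring.ring_mem: skip_memalloc reuses it and psp_cmd_submit() dereferences it */`, taken from the commit message, would record the actual constraint. psp_load_fw() continues outside the hunk.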
@@ -0,0 +1,115 @@ +From 8e7f013ee9f9794593d818f10c8f856c32b8ccab Mon Sep 17 00:00:00 2001 +From: Kevin Wang +Date: Fri, 22 Feb 2019 12:36:49 +0800 +Subject: drm/amdkfd: use init_mqd function to allocate object for hid_mqd (CI) + +[ Upstream commit cac734c2dbd2514f14c8c6a17caba1990d83bf1d ] + +if use the legacy method to allocate object, when mqd_hiq need to run +uninit code, it will be cause WARNING call trace. + +eg: (s3 suspend test) +[ 34.918944] Call Trace: +[ 34.918948] [] dump_stack+0x19/0x1b +[ 34.918950] [] __warn+0xd8/0x100 +[ 34.918951] [] warn_slowpath_null+0x1d/0x20 +[ 34.918991] [] uninit_mqd_hiq_sdma+0x4e/0x50 [amdgpu] +[ 34.919028] [] uninitialize+0x37/0xe0 [amdgpu] +[ 34.919064] [] kernel_queue_uninit+0x16/0x30 [amdgpu] +[ 34.919086] [] pm_uninit+0x12/0x20 [amdgpu] +[ 34.919107] [] stop_nocpsch+0x15/0x20 [amdgpu] +[ 34.919129] [] kgd2kfd_suspend.part.4+0x2e/0x50 [amdgpu] +[ 34.919150] [] kgd2kfd_suspend+0x17/0x20 [amdgpu] +[ 34.919171] [] amdgpu_amdkfd_suspend+0x1a/0x20 [amdgpu] +[ 34.919187] [] amdgpu_device_suspend+0x88/0x3a0 [amdgpu] +[ 34.919189] [] ? enqueue_entity+0x2ef/0xbe0 +[ 34.919205] [] amdgpu_pmops_suspend+0x20/0x30 [amdgpu] +[ 34.919207] [] pci_pm_suspend+0x6f/0x150 +[ 34.919208] [] ? pci_pm_freeze+0xf0/0xf0 +[ 34.919210] [] dpm_run_callback+0x46/0x90 +[ 34.919212] [] __device_suspend+0xfb/0x2a0 +[ 34.919213] [] async_suspend+0x1f/0xa0 +[ 34.919214] [] async_run_entry_fn+0x3f/0x130 +[ 34.919216] [] process_one_work+0x17f/0x440 +[ 34.919217] [] worker_thread+0x126/0x3c0 +[ 34.919218] [] ? manage_workers.isra.25+0x2a0/0x2a0 +[ 34.919220] [] kthread+0xd1/0xe0 +[ 34.919221] [] ? insert_kthread_work+0x40/0x40 +[ 34.919222] [] ret_from_fork_nospec_begin+0x7/0x21 +[ 34.919224] [] ? 
insert_kthread_work+0x40/0x40 +[ 34.919224] ---[ end trace 38cd9f65c963adad ]--- + +Signed-off-by: Kevin Wang +Reviewed-by: Oak Zeng +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../gpu/drm/amd/amdkfd/kfd_mqd_manager_cik.c | 52 +------------------ + 1 file changed, 1 insertion(+), 51 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_cik.c b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_cik.c +index 47243165a082..ae90a99909ef 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_cik.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_cik.c +@@ -323,57 +323,7 @@ static int init_mqd_hiq(struct mqd_manager *mm, void **mqd, + struct kfd_mem_obj **mqd_mem_obj, uint64_t *gart_addr, + struct queue_properties *q) + { +- uint64_t addr; +- struct cik_mqd *m; +- int retval; +- +- retval = kfd_gtt_sa_allocate(mm->dev, sizeof(struct cik_mqd), +- mqd_mem_obj); +- +- if (retval != 0) +- return -ENOMEM; +- +- m = (struct cik_mqd *) (*mqd_mem_obj)->cpu_ptr; +- addr = (*mqd_mem_obj)->gpu_addr; +- +- memset(m, 0, ALIGN(sizeof(struct cik_mqd), 256)); +- +- m->header = 0xC0310800; +- m->compute_pipelinestat_enable = 1; +- m->compute_static_thread_mgmt_se0 = 0xFFFFFFFF; +- m->compute_static_thread_mgmt_se1 = 0xFFFFFFFF; +- m->compute_static_thread_mgmt_se2 = 0xFFFFFFFF; +- m->compute_static_thread_mgmt_se3 = 0xFFFFFFFF; +- +- m->cp_hqd_persistent_state = DEFAULT_CP_HQD_PERSISTENT_STATE | +- PRELOAD_REQ; +- m->cp_hqd_quantum = QUANTUM_EN | QUANTUM_SCALE_1MS | +- QUANTUM_DURATION(10); +- +- m->cp_mqd_control = MQD_CONTROL_PRIV_STATE_EN; +- m->cp_mqd_base_addr_lo = lower_32_bits(addr); +- m->cp_mqd_base_addr_hi = upper_32_bits(addr); +- +- m->cp_hqd_ib_control = DEFAULT_MIN_IB_AVAIL_SIZE; +- +- /* +- * Pipe Priority +- * Identifies the pipe relative priority when this queue is connected +- * to the pipeline. The pipe priority is against the GFX pipe and HP3D. +- * In KFD we are using a fixed pipe priority set to CS_MEDIUM. 
+- * 0 = CS_LOW (typically below GFX) +- * 1 = CS_MEDIUM (typically between HP3D and GFX +- * 2 = CS_HIGH (typically above HP3D) +- */ +- m->cp_hqd_pipe_priority = 1; +- m->cp_hqd_queue_priority = 15; +- +- *mqd = m; +- if (gart_addr) +- *gart_addr = addr; +- retval = mm->update_mqd(mm, m, q); +- +- return retval; ++ return init_mqd(mm, mqd, mqd_mem_obj, gart_addr, q); + } + + static int update_mqd_hiq(struct mqd_manager *mm, void *mqd, +-- +2.19.1 + diff --git a/queue-5.0/drm-exynos-mixer-fix-mixer-shadow-registry-synchroni.patch b/queue-5.0/drm-exynos-mixer-fix-mixer-shadow-registry-synchroni.patch new file mode 100644 index 0000000000..0d5d7f8f84 --- /dev/null +++ b/queue-5.0/drm-exynos-mixer-fix-mixer-shadow-registry-synchroni.patch 
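Review bot: `init_mqd_hiq()` is left as a bare forward to `init_mqd()` with no comment saying where the HIQ-specific setup now happens. The removed body set `PRELOAD_REQ` in cp_hqd_persistent_state, `MQD_CONTROL_PRIV_STATE_EN` in cp_mqd_control and `cp_hqd_queue_priority = 15`, and whether init_mqd() or update_mqd_hiq() reproduces those values is not visible in this hunk. A short comment on the wrapper naming the function that applies the privileged-queue settings would let a reader confirm they were not lost; the exact wording should be checked against those two functions before it is written.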
@@ -0,0 +1,239 @@ +From f79962b69118bc9a36745651ea3ef2ed2fc3432a Mon Sep 17 00:00:00 2001 +From: Andrzej Hajda +Date: Tue, 19 Mar 2019 14:05:11 +0100 +Subject: drm/exynos/mixer: fix MIXER shadow registry synchronisation code + +[ Upstream commit 6a3b45ada960ac475ec2b4103d43e57943b2b8d3 ] + +MIXER on Exynos5 SoCs uses different synchronisation method than Exynos4 +to update internal state (shadow registers). +Apparently the driver implements it incorrectly. The rule should be +as follows: +- do not request updating registers until previous request was finished, + ie. MXR_CFG_LAYER_UPDATE_COUNT must be 0. +- before setting registers synchronisation on VSYNC should be turned off, + ie. MXR_STATUS_SYNC_ENABLE should be reset, +- after finishing MXR_STATUS_SYNC_ENABLE should be set again. +The patch hopefully implements it correctly. +Below sample kernel log from page fault caused by the bug: + +[ 25.670038] exynos-sysmmu 14650000.sysmmu: 14450000.mixer: PAGE FAULT occurred at 0x2247b800 +[ 25.677888] ------------[ cut here ]------------ +[ 25.682164] kernel BUG at ../drivers/iommu/exynos-iommu.c:450! 
+[ 25.687971] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP ARM +[ 25.693778] Modules linked in: +[ 25.696816] CPU: 5 PID: 1553 Comm: fb-release_test Not tainted 5.0.0-rc7-01157-g5f86b1566bdd #136 +[ 25.705646] Hardware name: SAMSUNG EXYNOS (Flattened Device Tree) +[ 25.711710] PC is at exynos_sysmmu_irq+0x1c0/0x264 +[ 25.716470] LR is at lock_is_held_type+0x44/0x64 + +v2: added missing MXR_CFG_LAYER_UPDATE bit setting in mixer_enable_sync + +Reported-by: Marian Mihailescu +Signed-off-by: Andrzej Hajda +Signed-off-by: Inki Dae +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/exynos/exynos_mixer.c | 110 +++++++++++++++----------- + 1 file changed, 66 insertions(+), 44 deletions(-) + +diff --git a/drivers/gpu/drm/exynos/exynos_mixer.c b/drivers/gpu/drm/exynos/exynos_mixer.c +index 0573eab0e190..f35e4ab55b27 100644 +--- a/drivers/gpu/drm/exynos/exynos_mixer.c ++++ b/drivers/gpu/drm/exynos/exynos_mixer.c +@@ -20,6 +20,7 @@ + #include "regs-vp.h" + + #include ++#include + #include + #include + #include +@@ -352,15 +353,62 @@ static void mixer_cfg_vp_blend(struct mixer_context *ctx, unsigned int alpha) + mixer_reg_write(ctx, MXR_VIDEO_CFG, val); + } + +-static void mixer_vsync_set_update(struct mixer_context *ctx, bool enable) ++static bool mixer_is_synced(struct mixer_context *ctx) + { +- /* block update on vsync */ +- mixer_reg_writemask(ctx, MXR_STATUS, enable ? 
+- MXR_STATUS_SYNC_ENABLE : 0, MXR_STATUS_SYNC_ENABLE); ++ u32 base, shadow; + ++ if (ctx->mxr_ver == MXR_VER_16_0_33_0 || ++ ctx->mxr_ver == MXR_VER_128_0_0_184) ++ return !(mixer_reg_read(ctx, MXR_CFG) & ++ MXR_CFG_LAYER_UPDATE_COUNT_MASK); ++ ++ if (test_bit(MXR_BIT_VP_ENABLED, &ctx->flags) && ++ vp_reg_read(ctx, VP_SHADOW_UPDATE)) ++ return false; ++ ++ base = mixer_reg_read(ctx, MXR_CFG); ++ shadow = mixer_reg_read(ctx, MXR_CFG_S); ++ if (base != shadow) ++ return false; ++ ++ base = mixer_reg_read(ctx, MXR_GRAPHIC_BASE(0)); ++ shadow = mixer_reg_read(ctx, MXR_GRAPHIC_BASE_S(0)); ++ if (base != shadow) ++ return false; ++ ++ base = mixer_reg_read(ctx, MXR_GRAPHIC_BASE(1)); ++ shadow = mixer_reg_read(ctx, MXR_GRAPHIC_BASE_S(1)); ++ if (base != shadow) ++ return false; ++ ++ return true; ++} ++ ++static int mixer_wait_for_sync(struct mixer_context *ctx) ++{ ++ ktime_t timeout = ktime_add_us(ktime_get(), 100000); ++ ++ while (!mixer_is_synced(ctx)) { ++ usleep_range(1000, 2000); ++ if (ktime_compare(ktime_get(), timeout) > 0) ++ return -ETIMEDOUT; ++ } ++ return 0; ++} ++ ++static void mixer_disable_sync(struct mixer_context *ctx) ++{ ++ mixer_reg_writemask(ctx, MXR_STATUS, 0, MXR_STATUS_SYNC_ENABLE); ++} ++ ++static void mixer_enable_sync(struct mixer_context *ctx) ++{ ++ if (ctx->mxr_ver == MXR_VER_16_0_33_0 || ++ ctx->mxr_ver == MXR_VER_128_0_0_184) ++ mixer_reg_writemask(ctx, MXR_CFG, ~0, MXR_CFG_LAYER_UPDATE); ++ mixer_reg_writemask(ctx, MXR_STATUS, ~0, MXR_STATUS_SYNC_ENABLE); + if (test_bit(MXR_BIT_VP_ENABLED, &ctx->flags)) +- vp_reg_write(ctx, VP_SHADOW_UPDATE, enable ? 
+- VP_SHADOW_UPDATE_ENABLE : 0); ++ vp_reg_write(ctx, VP_SHADOW_UPDATE, VP_SHADOW_UPDATE_ENABLE); + } + + static void mixer_cfg_scan(struct mixer_context *ctx, int width, int height) +@@ -498,7 +546,6 @@ static void vp_video_buffer(struct mixer_context *ctx, + + spin_lock_irqsave(&ctx->reg_slock, flags); + +- vp_reg_write(ctx, VP_SHADOW_UPDATE, 1); + /* interlace or progressive scan mode */ + val = (test_bit(MXR_BIT_INTERLACE, &ctx->flags) ? ~0 : 0); + vp_reg_writemask(ctx, VP_MODE, val, VP_MODE_LINE_SKIP); +@@ -553,11 +600,6 @@ static void vp_video_buffer(struct mixer_context *ctx, + vp_regs_dump(ctx); + } + +-static void mixer_layer_update(struct mixer_context *ctx) +-{ +- mixer_reg_writemask(ctx, MXR_CFG, ~0, MXR_CFG_LAYER_UPDATE); +-} +- + static void mixer_graph_buffer(struct mixer_context *ctx, + struct exynos_drm_plane *plane) + { +@@ -640,11 +682,6 @@ static void mixer_graph_buffer(struct mixer_context *ctx, + mixer_cfg_layer(ctx, win, priority, true); + mixer_cfg_gfx_blend(ctx, win, pixel_alpha, state->base.alpha); + +- /* layer update mandatory for mixer 16.0.33.0 */ +- if (ctx->mxr_ver == MXR_VER_16_0_33_0 || +- ctx->mxr_ver == MXR_VER_128_0_0_184) +- mixer_layer_update(ctx); +- + spin_unlock_irqrestore(&ctx->reg_slock, flags); + + mixer_regs_dump(ctx); +@@ -709,7 +746,7 @@ static void mixer_win_reset(struct mixer_context *ctx) + static irqreturn_t mixer_irq_handler(int irq, void *arg) + { + struct mixer_context *ctx = arg; +- u32 val, base, shadow; ++ u32 val; + + spin_lock(&ctx->reg_slock); + +@@ -723,26 +760,9 @@ static irqreturn_t mixer_irq_handler(int irq, void *arg) + val &= ~MXR_INT_STATUS_VSYNC; + + /* interlace scan need to check shadow register */ +- if (test_bit(MXR_BIT_INTERLACE, &ctx->flags)) { +- if (test_bit(MXR_BIT_VP_ENABLED, &ctx->flags) && +- vp_reg_read(ctx, VP_SHADOW_UPDATE)) +- goto out; +- +- base = mixer_reg_read(ctx, MXR_CFG); +- shadow = mixer_reg_read(ctx, MXR_CFG_S); +- if (base != shadow) +- goto out; +- +- base = 
mixer_reg_read(ctx, MXR_GRAPHIC_BASE(0)); +- shadow = mixer_reg_read(ctx, MXR_GRAPHIC_BASE_S(0)); +- if (base != shadow) +- goto out; +- +- base = mixer_reg_read(ctx, MXR_GRAPHIC_BASE(1)); +- shadow = mixer_reg_read(ctx, MXR_GRAPHIC_BASE_S(1)); +- if (base != shadow) +- goto out; +- } ++ if (test_bit(MXR_BIT_INTERLACE, &ctx->flags) ++ && !mixer_is_synced(ctx)) ++ goto out; + + drm_crtc_handle_vblank(&ctx->crtc->base); + } +@@ -917,12 +937,14 @@ static void mixer_disable_vblank(struct exynos_drm_crtc *crtc) + + static void mixer_atomic_begin(struct exynos_drm_crtc *crtc) + { +- struct mixer_context *mixer_ctx = crtc->ctx; ++ struct mixer_context *ctx = crtc->ctx; + +- if (!test_bit(MXR_BIT_POWERED, &mixer_ctx->flags)) ++ if (!test_bit(MXR_BIT_POWERED, &ctx->flags)) + return; + +- mixer_vsync_set_update(mixer_ctx, false); ++ if (mixer_wait_for_sync(ctx)) ++ dev_err(ctx->dev, "timeout waiting for VSYNC\n"); ++ mixer_disable_sync(ctx); + } + + static void mixer_update_plane(struct exynos_drm_crtc *crtc, +@@ -964,7 +986,7 @@ static void mixer_atomic_flush(struct exynos_drm_crtc *crtc) + if (!test_bit(MXR_BIT_POWERED, &mixer_ctx->flags)) + return; + +- mixer_vsync_set_update(mixer_ctx, true); ++ mixer_enable_sync(mixer_ctx); + exynos_crtc_handle_event(crtc); + } + +@@ -979,7 +1001,7 @@ static void mixer_enable(struct exynos_drm_crtc *crtc) + + exynos_drm_pipe_clk_enable(crtc, true); + +- mixer_vsync_set_update(ctx, false); ++ mixer_disable_sync(ctx); + + mixer_reg_writemask(ctx, MXR_STATUS, ~0, MXR_STATUS_SOFT_RESET); + +@@ -992,7 +1014,7 @@ static void mixer_enable(struct exynos_drm_crtc *crtc) + + mixer_commit(ctx); + +- mixer_vsync_set_update(ctx, true); ++ mixer_enable_sync(ctx); + + set_bit(MXR_BIT_POWERED, &ctx->flags); + } +-- +2.19.1 + diff --git a/queue-5.0/drm-nouveau-debugfs-fix-check-of-pm_runtime_get_sync.patch b/queue-5.0/drm-nouveau-debugfs-fix-check-of-pm_runtime_get_sync.patch new file mode 100644 index 0000000000..b5fe98199d --- /dev/null 
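Review bot: In `mixer_wait_for_sync` the deadline is tested right after `usleep_range()` and `-ETIMEDOUT` is returned without reading the hardware again. A sleep that overruns the 100 ms budget (for example through scheduling delay) is therefore reported as a timeout even if the shadow registers caught up in the meantime. Re-check on expiry, e.g. `return mixer_is_synced(ctx) ? 0 : -ETIMEDOUT;`. Separately, `mixer_atomic_begin` only logs the timeout and still calls `mixer_disable_sync(ctx)`, so the update proceeds although the commit message says a new request must wait for the previous one; a short comment there saying that continuing is deliberate would help.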
+++ b/queue-5.0/drm-nouveau-debugfs-fix-check-of-pm_runtime_get_sync.patch
@@ -0,0 +1,33 @@
+From 86d85528a15406a1b493c1659ac0c6d93c60f878 Mon Sep 17 00:00:00 2001
+From: YueHaibing
+Date: Thu, 28 Feb 2019 20:24:59 +0800
+Subject: drm/nouveau/debugfs: Fix check of pm_runtime_get_sync failure
+
+[ Upstream commit 909e9c9c428376e2a43d178ed4b0a2d5ba9cb7d3 ]
+
+pm_runtime_get_sync returns negative on failure.
+
+Fixes: eaeb9010bb4b ("drm/nouveau/debugfs: Wake up GPU before doing any reclocking")
+Signed-off-by: YueHaibing
+Signed-off-by: Ben Skeggs
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/nouveau/nouveau_debugfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/nouveau/nouveau_debugfs.c b/drivers/gpu/drm/nouveau/nouveau_debugfs.c
+index 88a52f6b39fe..7dfbbbc1beea 100644
+--- a/drivers/gpu/drm/nouveau/nouveau_debugfs.c
++++ b/drivers/gpu/drm/nouveau/nouveau_debugfs.c
+@@ -181,7 +181,7 @@ nouveau_debugfs_pstate_set(struct file *file, const char __user *ubuf,
+ }
+
+ ret = pm_runtime_get_sync(drm->dev);
+- if (IS_ERR_VALUE(ret) && ret != -EACCES)
++ if (ret < 0 && ret != -EACCES)
+ return ret;
+ ret = nvif_mthd(ctrl, NVIF_CONTROL_PSTATE_USER, &args, sizeof(args));
+ pm_runtime_put_autosuspend(drm->dev);
+--
+2.19.1
+
diff --git a/queue-5.0/drm-nouveau-volt-gf117-fix-speedo-readout-register.patch b/queue-5.0/drm-nouveau-volt-gf117-fix-speedo-readout-register.patch
new file mode 100644
index 0000000000..b83c9f12d3
--- /dev/null
+++ b/queue-5.0/drm-nouveau-volt-gf117-fix-speedo-readout-register.patch
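Review bot: The early `return ret;` after `pm_runtime_get_sync(drm->dev)` leaves the runtime-PM usage count raised. pm_runtime_get_sync() increments the counter even when it returns an error, and the only put visible in this hunk is the `pm_runtime_put_autosuspend(drm->dev)` after `nvif_mthd()`. Each failed write to the pstate debugfs file would then leak one reference and could keep the device from runtime-suspending. Balance it before returning, e.g. `if (ret < 0 && ret != -EACCES) { pm_runtime_put_autosuspend(drm->dev); return ret; }`. The rest of nouveau_debugfs_pstate_set lies outside the hunk.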
@@ -0,0 +1,128 @@ +From daa4a292b8f03114432c913010e9e8c7c72df07d Mon Sep 17 00:00:00 2001 +From: Ilia Mirkin +Date: Sun, 13 Jan 2019 17:50:10 -0500 +Subject: drm/nouveau/volt/gf117: fix speedo readout register + +[ Upstream commit fc782242749fa4235592854fafe1a1297583c1fb ] + +GF117 appears to use the same register as GK104 (but still with the +general Fermi readout mechanism). + +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=108980 +Signed-off-by: Ilia Mirkin +Signed-off-by: Ben Skeggs +Signed-off-by: Sasha Levin +--- + .../drm/nouveau/include/nvkm/subdev/volt.h | 1 + + .../gpu/drm/nouveau/nvkm/engine/device/base.c | 2 +- + .../gpu/drm/nouveau/nvkm/subdev/volt/Kbuild | 1 + + .../gpu/drm/nouveau/nvkm/subdev/volt/gf117.c | 60 +++++++++++++++++++ + 4 files changed, 63 insertions(+), 1 deletion(-) + create mode 100644 drivers/gpu/drm/nouveau/nvkm/subdev/volt/gf117.c + +diff --git a/drivers/gpu/drm/nouveau/include/nvkm/subdev/volt.h b/drivers/gpu/drm/nouveau/include/nvkm/subdev/volt.h +index 8a0f85f5fc1a..6a765682fbfa 100644 +--- a/drivers/gpu/drm/nouveau/include/nvkm/subdev/volt.h ++++ b/drivers/gpu/drm/nouveau/include/nvkm/subdev/volt.h +@@ -38,6 +38,7 @@ int nvkm_volt_set_id(struct nvkm_volt *, u8 id, u8 min_id, u8 temp, + + int nv40_volt_new(struct nvkm_device *, int, struct nvkm_volt **); + int gf100_volt_new(struct nvkm_device *, int, struct nvkm_volt **); ++int gf117_volt_new(struct nvkm_device *, int, struct nvkm_volt **); + int gk104_volt_new(struct nvkm_device *, int, struct nvkm_volt **); + int gk20a_volt_new(struct nvkm_device *, int, struct nvkm_volt **); + int gm20b_volt_new(struct nvkm_device *, int, struct nvkm_volt **); +diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/device/base.c b/drivers/gpu/drm/nouveau/nvkm/engine/device/base.c +index d9edb5785813..d75fa7678483 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/engine/device/base.c ++++ b/drivers/gpu/drm/nouveau/nvkm/engine/device/base.c +@@ -1613,7 +1613,7 @@ nvd7_chipset = { + .pci = 
gf106_pci_new, + .therm = gf119_therm_new, + .timer = nv41_timer_new, +- .volt = gf100_volt_new, ++ .volt = gf117_volt_new, + .ce[0] = gf100_ce_new, + .disp = gf119_disp_new, + .dma = gf119_dma_new, +diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/volt/Kbuild b/drivers/gpu/drm/nouveau/nvkm/subdev/volt/Kbuild +index bcd179ba11d0..146adcdd316a 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/volt/Kbuild ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/volt/Kbuild +@@ -2,6 +2,7 @@ nvkm-y += nvkm/subdev/volt/base.o + nvkm-y += nvkm/subdev/volt/gpio.o + nvkm-y += nvkm/subdev/volt/nv40.o + nvkm-y += nvkm/subdev/volt/gf100.o ++nvkm-y += nvkm/subdev/volt/gf117.o + nvkm-y += nvkm/subdev/volt/gk104.o + nvkm-y += nvkm/subdev/volt/gk20a.o + nvkm-y += nvkm/subdev/volt/gm20b.o +diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/volt/gf117.c b/drivers/gpu/drm/nouveau/nvkm/subdev/volt/gf117.c +new file mode 100644 +index 000000000000..547a58f0aeac +--- /dev/null ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/volt/gf117.c +@@ -0,0 +1,60 @@ ++/* ++ * Copyright 2019 Ilia Mirkin ++ * ++ * Permission is hereby granted, free of charge, to any person obtaining a ++ * copy of this software and associated documentation files (the "Software"), ++ * to deal in the Software without restriction, including without limitation ++ * the rights to use, copy, modify, merge, publish, distribute, sublicense, ++ * and/or sell copies of the Software, and to permit persons to whom the ++ * Software is furnished to do so, subject to the following conditions: ++ * ++ * The above copyright notice and this permission notice shall be included in ++ * all copies or substantial portions of the Software. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR ++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, ++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL ++ * THE COPYRIGHT HOLDER(S) OR AUTHOR(S) BE LIABLE FOR ANY CLAIM, DAMAGES OR ++ * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ++ * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR ++ * OTHER DEALINGS IN THE SOFTWARE. ++ * ++ * Authors: Ilia Mirkin ++ */ ++#include "priv.h" ++ ++#include ++ ++static int ++gf117_volt_speedo_read(struct nvkm_volt *volt) ++{ ++ struct nvkm_device *device = volt->subdev.device; ++ struct nvkm_fuse *fuse = device->fuse; ++ ++ if (!fuse) ++ return -EINVAL; ++ ++ return nvkm_fuse_read(fuse, 0x3a8); ++} ++ ++static const struct nvkm_volt_func ++gf117_volt = { ++ .oneinit = gf100_volt_oneinit, ++ .vid_get = nvkm_voltgpio_get, ++ .vid_set = nvkm_voltgpio_set, ++ .speedo_read = gf117_volt_speedo_read, ++}; ++ ++int ++gf117_volt_new(struct nvkm_device *device, int index, struct nvkm_volt **pvolt) ++{ ++ struct nvkm_volt *volt; ++ int ret; ++ ++ ret = nvkm_volt_new_(&gf117_volt, device, index, &volt); ++ *pvolt = volt; ++ if (ret) ++ return ret; ++ ++ return nvkm_voltgpio_init(volt); ++} +-- +2.19.1 + diff --git a/queue-5.0/drm-panel-panel-innolux-set-display-off-in-innolux_p.patch b/queue-5.0/drm-panel-panel-innolux-set-display-off-in-innolux_p.patch new file mode 100644 index 0000000000..a652da350a --- /dev/null +++ b/queue-5.0/drm-panel-panel-innolux-set-display-off-in-innolux_p.patch 
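Review bot: The fuse offset in `gf117_volt_speedo_read` is a bare literal, `nvkm_fuse_read(fuse, 0x3a8)`, and the reason for it exists only in the commit message. Since the new file otherwise reuses the gf100 callbacks (`gf100_volt_oneinit`), a reader cannot tell from the code why this chip needs its own readout. A one-line comment above the read would keep that visible, e.g. `/* GF117 appears to use the GK104 speedo fuse register */`.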
@@ -0,0 +1,69 @@
+From 64f13c4d535b603f79b9245a9b1d678a308b538b Mon Sep 17 00:00:00 2001
+From: "Hsin-Yi, Wang"
+Date: Wed, 9 Jan 2019 14:59:22 +0800
+Subject: drm/panel: panel-innolux: set display off in innolux_panel_unprepare
+
+[ Upstream commit 46f3ceaffa81e846677bca8668e0ad40e643cffd ]
+
+Move mipi_dsi_dcs_set_display_off() from innolux_panel_disable()
+to innolux_panel_unprepare(), so they are consistent with
+innolux_panel_enable() and innolux_panel_prepare().
+
+This also fixes some mode check and irq timeout issue in MTK dsi code.
+
+Since some dsi code (e.g. mtk_dsi) have following call trace:
+1. drm_panel_disable(), which calls innolux_panel_disable()
+2. switch to cmd mode
+3. drm_panel_unprepare(), which calls innolux_panel_unprepare()
+
+However, mtk_dsi needs to be in cmd mode to be able to send commands
+(e.g. mipi_dsi_dcs_set_display_off() and mipi_dsi_dcs_enter_sleep_mode()),
+so we need these functions to be called after the switch to cmd mode happens,
+i.e. in innolux_panel_unprepare.
+
+Signed-off-by: Hsin-Yi, Wang
+Signed-off-by: Sean Paul
+Link: https://patchwork.freedesktop.org/patch/msgid/20190109065922.231753-1-hsinyi@chromium.org
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/panel/panel-innolux-p079zca.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/panel/panel-innolux-p079zca.c b/drivers/gpu/drm/panel/panel-innolux-p079zca.c
+index ca4ae45dd307..8e5724b63f1f 100644
+--- a/drivers/gpu/drm/panel/panel-innolux-p079zca.c
++++ b/drivers/gpu/drm/panel/panel-innolux-p079zca.c
+@@ -70,18 +70,12 @@ static inline struct innolux_panel *to_innolux_panel(struct drm_panel *panel)
+ static int innolux_panel_disable(struct drm_panel *panel)
+ {
+ struct innolux_panel *innolux = to_innolux_panel(panel);
+- int err;
+
+ if (!innolux->enabled)
+ return 0;
+
+ backlight_disable(innolux->backlight);
+
+- err = mipi_dsi_dcs_set_display_off(innolux->link);
+- if (err < 0)
+- DRM_DEV_ERROR(panel->dev, "failed to set display off: %d\n",
+- err);
+-
+ innolux->enabled = false;
+
+ return 0;
+@@ -95,6 +89,11 @@ static int innolux_panel_unprepare(struct drm_panel *panel)
+ if (!innolux->prepared)
+ return 0;
+
++ err = mipi_dsi_dcs_set_display_off(innolux->link);
++ if (err < 0)
++ DRM_DEV_ERROR(panel->dev, "failed to set display off: %d\n",
++ err);
++
+ err = mipi_dsi_dcs_enter_sleep_mode(innolux->link);
+ if (err < 0) {
+ DRM_DEV_ERROR(panel->dev, "failed to enter sleep mode: %d\n",
+--
+2.19.1
+
diff --git a/queue-5.0/drm-udl-use-drm_gem_object_put_unlocked.patch b/queue-5.0/drm-udl-use-drm_gem_object_put_unlocked.patch
new file mode 100644
index 0000000000..d70b8ed77b
--- /dev/null
+++ b/queue-5.0/drm-udl-use-drm_gem_object_put_unlocked.patch
@@ -0,0 +1,42 @@
+From 36a3f090c9e01f88977e845687d1d268c2d91abd Mon Sep 17 00:00:00 2001
+From: Dave Airlie
+Date: Fri, 15 Mar 2019 11:37:20 +1000
+Subject: drm/udl: use drm_gem_object_put_unlocked.
+
+[ Upstream commit 8f3b487685b2acf71b42bb30d68fd9271bec8695 ]
+
+When Daniel removed struct_mutex he didn't fix this call to the unlocked
+variant which is required since we no longer use struct mutex.
+
+This fixes a bunch of:
+WARNING: CPU: 4 PID: 1370 at drivers/gpu/drm/drm_gem.c:931 drm_gem_object_put+0x2b/0x30 [drm]
+Modules linked in: udl xt_CHECKSUM ipt_MASQUERADE tun bridge stp llc nf_conntrack_netbios_ns nf_conntrack_broadcast xt_CT ip6t>
+CPU: 4 PID: 1370 Comm: Xorg Not tainted 5.0.0+ #2
+
+backtraces when you plug in a udl device.
+
+Fixes: ae358dacd217 (drm/udl: Get rid of dev->struct_mutex usage)
+Reviewed-by: Daniel Vetter
+Cc: Sean Paul
+Signed-off-by: Dave Airlie
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/udl/udl_gem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/udl/udl_gem.c b/drivers/gpu/drm/udl/udl_gem.c
+index d5a23295dd80..bb7b58407039 100644
+--- a/drivers/gpu/drm/udl/udl_gem.c
++++ b/drivers/gpu/drm/udl/udl_gem.c
+@@ -224,7 +224,7 @@ int udl_gem_mmap(struct drm_file *file, struct drm_device *dev,
+ *offset = drm_vma_node_offset_addr(&gobj->base.vma_node);
+
+ out:
+- drm_gem_object_put(&gobj->base);
++ drm_gem_object_put_unlocked(&gobj->base);
+ unlock:
+ mutex_unlock(&udl->gem_lock);
+ return ret;
+--
+2.19.1
+
diff --git a/queue-5.0/ext4-add-missing-brelse-in-add_new_gdb_meta_bg.patch b/queue-5.0/ext4-add-missing-brelse-in-add_new_gdb_meta_bg.patch
new file mode 100644
index 0000000000..f68a2abb10
--- /dev/null
+++ b/queue-5.0/ext4-add-missing-brelse-in-add_new_gdb_meta_bg.patch
@@ -0,0 +1,49 @@
+From 92e93f5db96ed148751f131928c09c8dbca0ede1 Mon Sep 17 00:00:00 2001
+From: Lukas Czerner
+Date: Fri, 15 Mar 2019 00:15:32 -0400
+Subject: ext4: add missing brelse() in add_new_gdb_meta_bg()
+
+[ Upstream commit d64264d6218e6892edd832dc3a5a5857c2856c53 ]
+
+Currently in add_new_gdb_meta_bg() there is a missing brelse of gdb_bh
+in case ext4_journal_get_write_access() fails.
+Additionally kvfree() is missing in the same error path. Fix it by
+moving the ext4_journal_get_write_access() before the ext4 sb update as
+Ted suggested and release n_group_desc and gdb_bh in case it fails.
+
+Fixes: 61a9c11e5e7a ("ext4: add missing brelse() add_new_gdb_meta_bg()'s error path")
+Signed-off-by: Lukas Czerner
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Sasha Levin
+---
+ fs/ext4/resize.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c
+index 3d9b18505c0c..90061c3d048b 100644
+--- a/fs/ext4/resize.c
++++ b/fs/ext4/resize.c
+@@ -932,11 +932,18 @@ static int add_new_gdb_meta_bg(struct super_block *sb,
+ memcpy(n_group_desc, o_group_desc,
+ EXT4_SB(sb)->s_gdb_count * sizeof(struct buffer_head *));
+ n_group_desc[gdb_num] = gdb_bh;
++
++ BUFFER_TRACE(gdb_bh, "get_write_access");
++ err = ext4_journal_get_write_access(handle, gdb_bh);
++ if (err) {
++ kvfree(n_group_desc);
++ brelse(gdb_bh);
++ return err;
++ }
++
+ EXT4_SB(sb)->s_group_desc = n_group_desc;
+ EXT4_SB(sb)->s_gdb_count++;
+ kvfree(o_group_desc);
+- BUFFER_TRACE(gdb_bh, "get_write_access");
+- err = ext4_journal_get_write_access(handle, gdb_bh);
+ return err;
+ }
+
+--
+2.19.1
+
diff --git a/queue-5.0/ext4-avoid-panic-during-forced-reboot.patch b/queue-5.0/ext4-avoid-panic-during-forced-reboot.patch
new file mode 100644
index 0000000000..b2b5f1fae6
--- /dev/null
+++ b/queue-5.0/ext4-avoid-panic-during-forced-reboot.patch
@@ -0,0 +1,68 @@
+From dbec735b02040c15e86558f7aef51d9f0179de2f Mon Sep 17 00:00:00 2001
+From: Jan Kara
+Date: Thu, 14 Mar 2019 23:46:05 -0400
+Subject: ext4: avoid panic during forced reboot
+
+[ Upstream commit 1dc1097ff60e4105216da7cd0aa99032b039a994 ]
+
+When admin calls "reboot -f" - i.e., does a hard system reboot by
+directly calling reboot(2) - ext4 filesystem mounted with errors=panic
+can panic the system. This happens because the underlying device gets
+disabled without unmounting the filesystem and thus some syscall running
+in parallel to reboot(2) can result in the filesystem getting IO errors.
+
+This is somewhat surprising to the users so try improve the behavior by
+switching to errors=remount-ro behavior when the system is running
+reboot(2).
+
+Signed-off-by: Jan Kara
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Sasha Levin
+---
+ fs/ext4/super.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/fs/ext4/super.c b/fs/ext4/super.c
+index fb12d3c17c1b..b9bca7298f96 100644
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -430,6 +430,12 @@ static void ext4_journal_commit_callback(journal_t *journal, transaction_t *txn)
+ spin_unlock(&sbi->s_md_lock);
+ }
+
++static bool system_going_down(void)
++{
++ return system_state == SYSTEM_HALT || system_state == SYSTEM_POWER_OFF
++ || system_state == SYSTEM_RESTART;
++}
++
+ /* Deal with the reporting of failure conditions on a filesystem such as
+ * inconsistencies detected or read IO failures.
+ *
+@@ -460,7 +466,12 @@ static void ext4_handle_error(struct super_block *sb)
+ if (journal)
+ jbd2_journal_abort(journal, -EIO);
+ }
+- if (test_opt(sb, ERRORS_RO)) {
++ /*
++ * We force ERRORS_RO behavior when system is rebooting. Otherwise we
++ * could panic during 'reboot -f' as the underlying device got already
++ * disabled.
++ */
++ if (test_opt(sb, ERRORS_RO) || system_going_down()) {
+ ext4_msg(sb, KERN_CRIT, "Remounting filesystem read-only");
+ /*
+ * Make sure updated value of ->s_mount_flags will be visible
+@@ -468,8 +479,7 @@ static void ext4_handle_error(struct super_block *sb)
+ */
+ smp_wmb();
+ sb->s_flags |= SB_RDONLY;
+- }
+- if (test_opt(sb, ERRORS_PANIC)) {
++ } else if (test_opt(sb, ERRORS_PANIC)) {
+ if (EXT4_SB(sb)->s_journal &&
+ !(EXT4_SB(sb)->s_journal->j_flags & JBD2_REC_ERR))
+ return;
+--
+2.19.1
+
diff --git a/queue-5.0/ext4-prohibit-fstrim-in-norecovery-mode.patch b/queue-5.0/ext4-prohibit-fstrim-in-norecovery-mode.patch
new file mode 100644
index 0000000000..303ee6d098
--- /dev/null
+++ b/queue-5.0/ext4-prohibit-fstrim-in-norecovery-mode.patch
@@ -0,0 +1,40 @@
+From 117f14d00446091115c06157bbb42f6180da1b91 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong"
+Date: Sat, 23 Mar 2019 12:10:29 -0400
+Subject: ext4: prohibit fstrim in norecovery mode
+
+[ Upstream commit 18915b5873f07e5030e6fb108a050fa7c71c59fb ]
+
+The ext4 fstrim implementation uses the block bitmaps to find free space
+that can be discarded. If we haven't replayed the journal, the bitmaps
+will be stale and we absolutely *cannot* use stale metadata to zap the
+underlying storage.
+
+Signed-off-by: Darrick J. Wong
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Sasha Levin
+---
+ fs/ext4/ioctl.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c
+index 2e76fb55d94a..5f24fdc140ad 100644
+--- a/fs/ext4/ioctl.c
++++ b/fs/ext4/ioctl.c
+@@ -999,6 +999,13 @@ long ext4_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
+ if (!blk_queue_discard(q))
+ return -EOPNOTSUPP;
+
++ /*
++ * We haven't replayed the journal, so we cannot use our
++ * block-bitmap-guided storage zapping commands.
++ */
++ if (test_opt(sb, NOLOAD) && ext4_has_feature_journal(sb))
++ return -EROFS;
++
+ if (copy_from_user(&range, (struct fstrim_range __user *)arg,
+ sizeof(range)))
+ return -EFAULT;
+--
+2.19.1
+
diff --git a/queue-5.0/ext4-report-real-fs-size-after-failed-resize.patch b/queue-5.0/ext4-report-real-fs-size-after-failed-resize.patch
new file mode 100644
index 0000000000..78998ffe61
--- /dev/null
+++ b/queue-5.0/ext4-report-real-fs-size-after-failed-resize.patch
@@ -0,0 +1,42 @@ +From ae14679ea60ce45f66b9b39aff0e7252f8c5d2ff Mon Sep 17 00:00:00 2001 +From: Lukas Czerner +Date: Fri, 15 Mar 2019 00:22:28 -0400 +Subject: ext4: report real fs size after failed resize + +[ Upstream commit 6c7328400e0488f7d49e19e02290ba343b6811b2 ] + +Currently when the file system resize using ext4_resize_fs() fails it +will report into log that "resized filesystem to ". However this may not be true in the case of failure. Use the +current block count as returned by ext4_blocks_count() to report the +block count. + +Additionally, report a warning that "error occurred during file system +resize" + +Signed-off-by: Lukas Czerner +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/resize.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c +index 90061c3d048b..e7ae26e36c9c 100644 +--- a/fs/ext4/resize.c ++++ b/fs/ext4/resize.c +@@ -2080,6 +2080,10 @@ int ext4_resize_fs(struct super_block *sb, ext4_fsblk_t n_blocks_count) + free_flex_gd(flex_gd); + if (resize_inode != NULL) + iput(resize_inode); +- ext4_msg(sb, KERN_INFO, "resized filesystem to %llu", n_blocks_count); ++ if (err) ++ ext4_warning(sb, "error (%d) occurred during " ++ "file system resize", err); ++ ext4_msg(sb, KERN_INFO, "resized filesystem to %llu", ++ ext4_blocks_count(es)); + return err; + } +-- +2.19.1 + diff --git a/queue-5.0/f2fs-fix-to-add-refcount-once-page-is-tagged-pg_priv.patch b/queue-5.0/f2fs-fix-to-add-refcount-once-page-is-tagged-pg_priv.patch new file mode 100644 index 0000000000..d90ff20410 --- /dev/null +++ b/queue-5.0/f2fs-fix-to-add-refcount-once-page-is-tagged-pg_priv.patch 
@@ -0,0 +1,208 @@ +From 31eb0c57abca7c713394e536ca33848eeba1bf36 Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Wed, 6 Mar 2019 17:30:59 +0800 +Subject: f2fs: fix to add refcount once page is tagged PG_private + +[ Upstream commit 240a59156d9bcfabceddb66be449e7b32fb5dc4a ] + +As Gao Xiang reported in bugzilla: + +https://bugzilla.kernel.org/show_bug.cgi?id=202749 + +f2fs may skip pageout() due to incorrect page reference count. + +The problem here is that MM defined the rule [1] very clearly that +once page was set with PG_private flag, we should increment the +refcount in that page, also main flows like pageout(), migrate_page() +will assume there is one additional page reference count if +page_has_private() returns true. + +But currently, f2fs won't add/del refcount when changing PG_private +flag. Anyway, f2fs should follow MM's rule to make MM's related flows +running as expected. + +[1] https://lore.kernel.org/lkml/2b19b3c4-2bc4-15fa-15cc-27a13e5c7af1@aol.com/ + +Reported-by: Gao Xiang +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/checkpoint.c | 4 ++-- + fs/f2fs/data.c | 21 ++++++++------------- + fs/f2fs/dir.c | 2 +- + fs/f2fs/f2fs.h | 21 +++++++++++++++++++++ + fs/f2fs/node.c | 2 +- + fs/f2fs/segment.c | 9 +++------ + 6 files changed, 36 insertions(+), 23 deletions(-) + +diff --git a/fs/f2fs/checkpoint.c b/fs/f2fs/checkpoint.c +index ccccf0ce2f06..7743fa83b895 100644 +--- a/fs/f2fs/checkpoint.c ++++ b/fs/f2fs/checkpoint.c +@@ -406,7 +406,7 @@ static int f2fs_set_meta_page_dirty(struct page *page) + if (!PageDirty(page)) { + __set_page_dirty_nobuffers(page); + inc_page_count(F2FS_P_SB(page), F2FS_DIRTY_META); +- SetPagePrivate(page); ++ f2fs_set_page_private(page, 0); + f2fs_trace_pid(page); + return 1; + } +@@ -957,7 +957,7 @@ void f2fs_update_dirty_page(struct inode *inode, struct page *page) + inode_inc_dirty_pages(inode); + spin_unlock(&sbi->inode_lock[type]); + +- SetPagePrivate(page); ++ 
f2fs_set_page_private(page, 0); + f2fs_trace_pid(page); + } + +diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c +index f91d8630c9a2..c99aab23efea 100644 +--- a/fs/f2fs/data.c ++++ b/fs/f2fs/data.c +@@ -2711,8 +2711,7 @@ void f2fs_invalidate_page(struct page *page, unsigned int offset, + if (IS_ATOMIC_WRITTEN_PAGE(page)) + return f2fs_drop_inmem_page(inode, page); + +- set_page_private(page, 0); +- ClearPagePrivate(page); ++ f2fs_clear_page_private(page); + } + + int f2fs_release_page(struct page *page, gfp_t wait) +@@ -2726,8 +2725,7 @@ int f2fs_release_page(struct page *page, gfp_t wait) + return 0; + + clear_cold_data(page); +- set_page_private(page, 0); +- ClearPagePrivate(page); ++ f2fs_clear_page_private(page); + return 1; + } + +@@ -2795,12 +2793,8 @@ int f2fs_migrate_page(struct address_space *mapping, + return -EAGAIN; + } + +- /* +- * A reference is expected if PagePrivate set when move mapping, +- * however F2FS breaks this for maintaining dirty page counts when +- * truncating pages. So here adjusting the 'extra_count' make it work. +- */ +- extra_count = (atomic_written ? 1 : 0) - page_has_private(page); ++ /* one extra reference was held for atomic_write page */ ++ extra_count = atomic_written ? 
1 : 0; + rc = migrate_page_move_mapping(mapping, newpage, + page, mode, extra_count); + if (rc != MIGRATEPAGE_SUCCESS) { +@@ -2821,9 +2815,10 @@ int f2fs_migrate_page(struct address_space *mapping, + get_page(newpage); + } + +- if (PagePrivate(page)) +- SetPagePrivate(newpage); +- set_page_private(newpage, page_private(page)); ++ if (PagePrivate(page)) { ++ f2fs_set_page_private(newpage, page_private(page)); ++ f2fs_clear_page_private(page); ++ } + + if (mode != MIGRATE_SYNC_NO_COPY) + migrate_page_copy(newpage, page); +diff --git a/fs/f2fs/dir.c b/fs/f2fs/dir.c +index 50d0d36280fa..99a6063c2327 100644 +--- a/fs/f2fs/dir.c ++++ b/fs/f2fs/dir.c +@@ -728,7 +728,7 @@ void f2fs_delete_entry(struct f2fs_dir_entry *dentry, struct page *page, + !f2fs_truncate_hole(dir, page->index, page->index + 1)) { + f2fs_clear_page_cache_dirty_tag(page); + clear_page_dirty_for_io(page); +- ClearPagePrivate(page); ++ f2fs_clear_page_private(page); + ClearPageUptodate(page); + clear_cold_data(page); + inode_dec_dirty_pages(dir); +diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h +index 279bc00489cc..6d9186a6528c 100644 +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -2825,6 +2825,27 @@ static inline bool is_valid_data_blkaddr(struct f2fs_sb_info *sbi, + return true; + } + ++static inline void f2fs_set_page_private(struct page *page, ++ unsigned long data) ++{ ++ if (PagePrivate(page)) ++ return; ++ ++ get_page(page); ++ SetPagePrivate(page); ++ set_page_private(page, data); ++} ++ ++static inline void f2fs_clear_page_private(struct page *page) ++{ ++ if (!PagePrivate(page)) ++ return; ++ ++ set_page_private(page, 0); ++ ClearPagePrivate(page); ++ f2fs_put_page(page, 0); ++} ++ + /* + * file.c + */ +diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c +index f6ff84e29749..3f99ab288695 100644 +--- a/fs/f2fs/node.c ++++ b/fs/f2fs/node.c +@@ -1961,7 +1961,7 @@ static int f2fs_set_node_page_dirty(struct page *page) + if (!PageDirty(page)) { + __set_page_dirty_nobuffers(page); + 
inc_page_count(F2FS_P_SB(page), F2FS_DIRTY_NODES); +- SetPagePrivate(page); ++ f2fs_set_page_private(page, 0); + f2fs_trace_pid(page); + return 1; + } +diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c +index e1b1d390b329..b6c8b0696ef6 100644 +--- a/fs/f2fs/segment.c ++++ b/fs/f2fs/segment.c +@@ -191,8 +191,7 @@ void f2fs_register_inmem_page(struct inode *inode, struct page *page) + + f2fs_trace_pid(page); + +- set_page_private(page, (unsigned long)ATOMIC_WRITTEN_PAGE); +- SetPagePrivate(page); ++ f2fs_set_page_private(page, (unsigned long)ATOMIC_WRITTEN_PAGE); + + new = f2fs_kmem_cache_alloc(inmem_entry_slab, GFP_NOFS); + +@@ -280,8 +279,7 @@ static int __revoke_inmem_pages(struct inode *inode, + ClearPageUptodate(page); + clear_cold_data(page); + } +- set_page_private(page, 0); +- ClearPagePrivate(page); ++ f2fs_clear_page_private(page); + f2fs_put_page(page, 1); + + list_del(&cur->list); +@@ -370,8 +368,7 @@ void f2fs_drop_inmem_page(struct inode *inode, struct page *page) + kmem_cache_free(inmem_entry_slab, cur); + + ClearPageUptodate(page); +- set_page_private(page, 0); +- ClearPagePrivate(page); ++ f2fs_clear_page_private(page); + f2fs_put_page(page, 0); + + trace_f2fs_commit_inmem_page(page, INMEM_INVALIDATE); +-- +2.19.1 + diff --git a/queue-5.0/f2fs-fix-to-dirty-inode-for-i_mode-recovery.patch b/queue-5.0/f2fs-fix-to-dirty-inode-for-i_mode-recovery.patch new file mode 100644 index 0000000000..6a78bf0657 --- /dev/null +++ b/queue-5.0/f2fs-fix-to-dirty-inode-for-i_mode-recovery.patch 
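Review bot: The new helper `f2fs_set_page_private()` returns early when `PagePrivate(page)` is already set, so its `data` argument is silently dropped in that case. In the `f2fs_register_inmem_page` hunk of fs/f2fs/segment.c it replaces an unconditional `set_page_private(page, (unsigned long)ATOMIC_WRITTEN_PAGE)`. If a page can reach that call with PG_private already set (for instance after `f2fs_update_dirty_page` tagged it with 0; not confirmable from these hunks), it would never be marked atomic-written, and `IS_ATOMIC_WRITTEN_PAGE(page)` checks such as the one in `f2fs_invalidate_page` would miss it. Handle the already-private case at the call site, e.g. `if (PagePrivate(page)) set_page_private(page, (unsigned long)ATOMIC_WRITTEN_PAGE); else f2fs_set_page_private(page, (unsigned long)ATOMIC_WRITTEN_PAGE);`. The enclosing functions continue outside the hunks.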
@@ -0,0 +1,57 @@ +From 57ea2aa470661851e94f0bf9f289cdb0b7ca932d Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Sat, 23 Feb 2019 09:48:27 +0800 +Subject: f2fs: fix to dirty inode for i_mode recovery + +[ Upstream commit ca597bddedd94906cd761d8be6a3ad21292725de ] + +As Seulbae Kim reported in bugzilla: + +https://bugzilla.kernel.org/show_bug.cgi?id=202637 + +We didn't recover permission field correctly after sudden power-cut, +the reason is in setattr we didn't add inode into global dirty list +once i_mode is changed, so latter checkpoint triggered by fsync will +not flush last i_mode into disk, result in this problem, fix it. + +Reported-by: Seulbae Kim +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/file.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c +index ae2b45e75847..30ed43bce110 100644 +--- a/fs/f2fs/file.c ++++ b/fs/f2fs/file.c +@@ -768,7 +768,6 @@ int f2fs_setattr(struct dentry *dentry, struct iattr *attr) + { + struct inode *inode = d_inode(dentry); + int err; +- bool size_changed = false; + + if (unlikely(f2fs_cp_error(F2FS_I_SB(inode)))) + return -EIO; +@@ -843,8 +842,6 @@ int f2fs_setattr(struct dentry *dentry, struct iattr *attr) + down_write(&F2FS_I(inode)->i_sem); + F2FS_I(inode)->last_disk_size = i_size_read(inode); + up_write(&F2FS_I(inode)->i_sem); +- +- size_changed = true; + } + + __setattr_copy(inode, attr); +@@ -858,7 +855,7 @@ int f2fs_setattr(struct dentry *dentry, struct iattr *attr) + } + + /* file size may changed here */ +- f2fs_mark_inode_dirty_sync(inode, size_changed); ++ f2fs_mark_inode_dirty_sync(inode, true); + + /* inode change will produce dirty node pages flushed by checkpoint */ + f2fs_balance_fs(F2FS_I_SB(inode), true); +-- +2.19.1 + diff --git a/queue-5.0/f2fs-fix-to-use-kvfree-instead-of-kzfree.patch b/queue-5.0/f2fs-fix-to-use-kvfree-instead-of-kzfree.patch new file mode 100644 index 0000000000..de16c9dc29 
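Review bot: The comment `/* file size may changed here */` kept above the changed call in the last fs/f2fs/file.c hunk no longer explains it. The call now passes `true` unconditionally, and per the commit message the reason is that an i_mode change must also put the inode on the global dirty list. Suggested wording: `/* inode attributes (size, mode, ...) may have changed; always add to the global dirty list */`. f2fs_setattr() starts and ends outside these hunks.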
--- /dev/null
+++ b/queue-5.0/f2fs-fix-to-use-kvfree-instead-of-kzfree.patch
@@ -0,0 +1,81 @@ +From 6b95bfad8187d730a6748ae969d05729925a643b Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Tue, 5 Mar 2019 17:52:33 +0800 +Subject: f2fs: fix to use kvfree instead of kzfree + +[ Upstream commit 2a6a7e722e7a78d774ce02b847c5b183a3ff2672 ] + +As Jiqun Li reported in bugzilla: + +https://bugzilla.kernel.org/show_bug.cgi?id=202747 + +System can panic due to using wrong allocate/free function pair +in xattr interface: +- use kvmalloc to allocate memory +- use kzfree to free memory + +Let's fix to use kvfree instead of kzfree, BTW, we are safe to +get rid of kzfree, since there is no such confidential data stored +as xattr, we don't need to zero it before free memory. + +Fixes: 5222595d093e ("f2fs: use kvmalloc, if kmalloc is failed") +Reported-by: Jiqun Li +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/xattr.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/fs/f2fs/xattr.c b/fs/f2fs/xattr.c +index 73b92985198b..6b6fe6431a64 100644 +--- a/fs/f2fs/xattr.c ++++ b/fs/f2fs/xattr.c +@@ -347,7 +347,7 @@ static int lookup_all_xattrs(struct inode *inode, struct page *ipage, + *base_addr = txattr_addr; + return 0; + out: +- kzfree(txattr_addr); ++ kvfree(txattr_addr); + return err; + } + +@@ -390,7 +390,7 @@ static int read_all_xattrs(struct inode *inode, struct page *ipage, + *base_addr = txattr_addr; + return 0; + fail: +- kzfree(txattr_addr); ++ kvfree(txattr_addr); + return err; + } + +@@ -517,7 +517,7 @@ int f2fs_getxattr(struct inode *inode, int index, const char *name, + } + error = size; + out: +- kzfree(base_addr); ++ kvfree(base_addr); + return error; + } + +@@ -563,7 +563,7 @@ ssize_t f2fs_listxattr(struct dentry *dentry, char *buffer, size_t buffer_size) + } + error = buffer_size - rest; + cleanup: +- kzfree(base_addr); ++ kvfree(base_addr); + return error; + } + +@@ -694,7 +694,7 @@ static int __f2fs_setxattr(struct inode *inode, int index, + if (!error && 
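Review bot: Replacing `kzfree()` with `kvfree()` at the `out:` label of lookup_all_xattrs() also drops the zero-on-free, and nothing in the code records why that is acceptable; the same applies to the hunks in read_all_xattrs(), f2fs_getxattr(), f2fs_listxattr() and __f2fs_setxattr(). The commit message's statement that no confidential data is stored as xattr is an assumption about every xattr index and caller, and it cannot be confirmed from these hunks; the buffers presumably hold attribute values as read from the inode. A comment at one of the free sites, e.g. `/* kvmalloc'ed, so kvfree; xattr contents are deliberately not zeroed on free */`, would keep that decision visible if a sensitive attribute is stored this way later. All five functions start outside their hunks.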
S_ISDIR(inode->i_mode)) + set_sbi_flag(F2FS_I_SB(inode), SBI_NEED_CP); + exit: +- kzfree(base_addr); ++ kvfree(base_addr); + return error; + } + +-- +2.19.1 + diff --git a/queue-5.0/f2fs-sync-filesystem-after-roll-forward-recovery.patch b/queue-5.0/f2fs-sync-filesystem-after-roll-forward-recovery.patch new file mode 100644 index 0000000000..a41f3c2af3 --- /dev/null +++ b/queue-5.0/f2fs-sync-filesystem-after-roll-forward-recovery.patch 
@@ -0,0 +1,176 @@ +From bd2207694b9f0780eabf985b9f1d2a73ce0a3721 Mon Sep 17 00:00:00 2001 +From: Jaegeuk Kim +Date: Tue, 22 Jan 2019 14:04:33 -0800 +Subject: f2fs: sync filesystem after roll-forward recovery + +[ Upstream commit 812a95977fd2f0d1f220c716a98a7f22e22f488d ] + +Some works after roll-forward recovery can get an error which will release +all the data structures. Let's flush them in order to make it clean. + +One possible corruption came from: + +[ 90.400500] list_del corruption. prev->next should be ffffffed1f566208, but was (null) +[ 90.675349] Call trace: +[ 90.677869] __list_del_entry_valid+0x94/0xb4 +[ 90.682351] remove_dirty_inode+0xac/0x114 +[ 90.686563] __f2fs_write_data_pages+0x6a8/0x6c8 +[ 90.691302] f2fs_write_data_pages+0x40/0x4c +[ 90.695695] do_writepages+0x80/0xf0 +[ 90.699372] __writeback_single_inode+0xdc/0x4ac +[ 90.704113] writeback_sb_inodes+0x280/0x440 +[ 90.708501] wb_writeback+0x1b8/0x3d0 +[ 90.712267] wb_workfn+0x1a8/0x4d4 +[ 90.715765] process_one_work+0x1c0/0x3d4 +[ 90.719883] worker_thread+0x224/0x344 +[ 90.723739] kthread+0x120/0x130 +[ 90.727055] ret_from_fork+0x10/0x18 + +Reported-by: Sahitya Tummala +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/checkpoint.c | 5 +++-- + fs/f2fs/node.c | 4 +++- + fs/f2fs/super.c | 44 +++++++++++++++++++++++++++++++++----------- + 3 files changed, 39 insertions(+), 14 deletions(-) + +diff --git a/fs/f2fs/checkpoint.c b/fs/f2fs/checkpoint.c +index f955cd3e0677..ccccf0ce2f06 100644 +--- a/fs/f2fs/checkpoint.c ++++ b/fs/f2fs/checkpoint.c +@@ -306,8 +306,9 @@ static int f2fs_write_meta_pages(struct address_space *mapping, + goto skip_write; + + /* collect a number of dirty meta pages and write together */ +- if (wbc->for_kupdate || +- get_pages(sbi, F2FS_DIRTY_META) < nr_pages_to_skip(sbi, META)) ++ if (wbc->sync_mode != WB_SYNC_ALL && ++ get_pages(sbi, F2FS_DIRTY_META) < ++ nr_pages_to_skip(sbi, META)) + goto skip_write; + + /* if locked failed, cp 
will flush dirty pages instead */ +diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c +index 4f450e573312..f6ff84e29749 100644 +--- a/fs/f2fs/node.c ++++ b/fs/f2fs/node.c +@@ -1920,7 +1920,9 @@ static int f2fs_write_node_pages(struct address_space *mapping, + f2fs_balance_fs_bg(sbi); + + /* collect a number of dirty node pages and write together */ +- if (get_pages(sbi, F2FS_DIRTY_NODES) < nr_pages_to_skip(sbi, NODE)) ++ if (wbc->sync_mode != WB_SYNC_ALL && ++ get_pages(sbi, F2FS_DIRTY_NODES) < ++ nr_pages_to_skip(sbi, NODE)) + goto skip_write; + + if (wbc->sync_mode == WB_SYNC_ALL) +diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c +index 5892fa3c885f..144ffba3ec5a 100644 +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -1460,9 +1460,16 @@ static int f2fs_enable_quotas(struct super_block *sb); + + static int f2fs_disable_checkpoint(struct f2fs_sb_info *sbi) + { ++ unsigned int s_flags = sbi->sb->s_flags; + struct cp_control cpc; +- int err; ++ int err = 0; ++ int ret; + ++ if (s_flags & SB_RDONLY) { ++ f2fs_msg(sbi->sb, KERN_ERR, ++ "checkpoint=disable on readonly fs"); ++ return -EINVAL; ++ } + sbi->sb->s_flags |= SB_ACTIVE; + + f2fs_update_time(sbi, DISABLE_TIME); +@@ -1470,18 +1477,24 @@ static int f2fs_disable_checkpoint(struct f2fs_sb_info *sbi) + while (!f2fs_time_over(sbi, DISABLE_TIME)) { + mutex_lock(&sbi->gc_mutex); + err = f2fs_gc(sbi, true, false, NULL_SEGNO); +- if (err == -ENODATA) ++ if (err == -ENODATA) { ++ err = 0; + break; ++ } + if (err && err != -EAGAIN) +- return err; ++ break; + } + +- err = sync_filesystem(sbi->sb); +- if (err) +- return err; ++ ret = sync_filesystem(sbi->sb); ++ if (ret || err) { ++ err = ret ? 
ret: err; ++ goto restore_flag; ++ } + +- if (f2fs_disable_cp_again(sbi)) +- return -EAGAIN; ++ if (f2fs_disable_cp_again(sbi)) { ++ err = -EAGAIN; ++ goto restore_flag; ++ } + + mutex_lock(&sbi->gc_mutex); + cpc.reason = CP_PAUSE; +@@ -1490,7 +1503,9 @@ static int f2fs_disable_checkpoint(struct f2fs_sb_info *sbi) + + sbi->unusable_block_count = 0; + mutex_unlock(&sbi->gc_mutex); +- return 0; ++restore_flag: ++ sbi->sb->s_flags = s_flags; /* Restore MS_RDONLY status */ ++ return err; + } + + static void f2fs_enable_checkpoint(struct f2fs_sb_info *sbi) +@@ -3359,7 +3374,7 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent) + if (test_opt(sbi, DISABLE_CHECKPOINT)) { + err = f2fs_disable_checkpoint(sbi); + if (err) +- goto free_meta; ++ goto sync_free_meta; + } else if (is_set_ckpt_flags(sbi, CP_DISABLED_FLAG)) { + f2fs_enable_checkpoint(sbi); + } +@@ -3372,7 +3387,7 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent) + /* After POR, we can run background GC thread.*/ + err = f2fs_start_gc_thread(sbi); + if (err) +- goto free_meta; ++ goto sync_free_meta; + } + kvfree(options); + +@@ -3394,6 +3409,11 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent) + f2fs_update_time(sbi, REQ_TIME); + return 0; + ++sync_free_meta: ++ /* safe to flush all the data */ ++ sync_filesystem(sbi->sb); ++ retry = false; ++ + free_meta: + #ifdef CONFIG_QUOTA + f2fs_truncate_quota_inode_pages(sb); +@@ -3407,6 +3427,8 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent) + * falls into an infinite loop in f2fs_sync_meta_pages(). + */ + truncate_inode_pages_final(META_MAPPING(sbi)); ++ /* evict some inodes being cached by GC */ ++ evict_inodes(sb); + f2fs_unregister_sysfs(sbi); + free_root_inode: + dput(sb->s_root); +-- +2.19.1 + 
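Review bot: The comment on the new `restore_flag:` path in f2fs_disable_checkpoint(), `/* Restore MS_RDONLY status */`, does not match the code around it. The function now returns -EINVAL up front when `s_flags & SB_RDONLY` is set, so when `sbi->sb->s_flags = s_flags` runs the only bit this function itself changed is `SB_ACTIVE`. The plain assignment also writes back the whole flags word as saved at entry, which would discard any flag changed while f2fs_gc() or sync_filesystem() ran; whether that can happen is not visible here. Suggested wording: `/* restore s_flags as saved at entry (undoes the SB_ACTIVE set above) */`. Separately, the `sync_free_meta:` path in f2fs_fill_super() ignores the return value of sync_filesystem(), and a comment marking that as best-effort would help.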
diff --git a/queue-5.0/fix-incorrect-error-code-mapping-for-objectid_not_fo.patch b/queue-5.0/fix-incorrect-error-code-mapping-for-objectid_not_fo.patch
new file mode 100644
index 0000000000..e32315ef4d
--- /dev/null
+++ b/queue-5.0/fix-incorrect-error-code-mapping-for-objectid_not_fo.patch
@@ -0,0 +1,40 @@
+From 81a877b568e724d931f8f69379d24c326c73e69c Mon Sep 17 00:00:00 2001
+From: Steve French
+Date: Sun, 17 Mar 2019 15:58:38 -0500
+Subject: fix incorrect error code mapping for OBJECTID_NOT_FOUND
+
+[ Upstream commit 85f9987b236cf46e06ffdb5c225cf1f3c0acb789 ]
+
+It was mapped to EIO which can be confusing when user space
+queries for an object GUID for an object for which the server
+file system doesn't support (or hasn't saved one).
+
+As Amir Goldstein suggested this is similar to ENOATTR
+(equivalently ENODATA in Linux errno definitions) so
+changing NT STATUS code mapping for OBJECTID_NOT_FOUND
+to ENODATA.
+
+Signed-off-by: Steve French
+CC: Amir Goldstein
+Signed-off-by: Sasha Levin
+---
+ fs/cifs/smb2maperror.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/cifs/smb2maperror.c b/fs/cifs/smb2maperror.c
+index 924269cec135..e32c264e3adb 100644
+--- a/fs/cifs/smb2maperror.c
++++ b/fs/cifs/smb2maperror.c
+@@ -1036,7 +1036,8 @@ static const struct status_to_posix_error smb2_error_map_table[] = {
+ {STATUS_UNFINISHED_CONTEXT_DELETED, -EIO,
+ "STATUS_UNFINISHED_CONTEXT_DELETED"},
+ {STATUS_NO_TGT_REPLY, -EIO, "STATUS_NO_TGT_REPLY"},
+- {STATUS_OBJECTID_NOT_FOUND, -EIO, "STATUS_OBJECTID_NOT_FOUND"},
++ /* Note that ENOATTTR and ENODATA are the same errno */
++ {STATUS_OBJECTID_NOT_FOUND, -ENODATA, "STATUS_OBJECTID_NOT_FOUND"},
+ {STATUS_NO_IP_ADDRESSES, -EIO, "STATUS_NO_IP_ADDRESSES"},
+ {STATUS_WRONG_CREDENTIAL_HANDLE, -EIO,
+ "STATUS_WRONG_CREDENTIAL_HANDLE"},
+--
+2.19.1
+
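Review bot: The comment added above the STATUS_OBJECTID_NOT_FOUND entry misspells the errno name as `ENOATTTR`; it should read `/* Note that ENOATTR and ENODATA are the same errno */`. A misspelled constant in a comment is missed by anyone grepping for the real name when auditing how server status codes map to errno values. The table continues outside the hunk.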
diff --git a/queue-5.0/i40iw-avoid-panic-when-handling-the-inetdev-event.patch b/queue-5.0/i40iw-avoid-panic-when-handling-the-inetdev-event.patch new file mode 100644 index 0000000000..340d0bef73 --- /dev/null +++ b/queue-5.0/i40iw-avoid-panic-when-handling-the-inetdev-event.patch 
@@ -0,0 +1,77 @@ +From b23dac3c1468058d60ebbfa5bcb7b177f67f55b6 Mon Sep 17 00:00:00 2001 +From: Feng Tang +Date: Thu, 14 Mar 2019 18:37:29 +0800 +Subject: i40iw: Avoid panic when handling the inetdev event + +[ Upstream commit ec4fe4bcc584b55e24e8d1768f5510a62c0fd619 ] + +There is a panic reported that on a system with x722 ethernet, when doing +the operations like: + + # ip link add br0 type bridge + # ip link set eno1 master br0 + # systemctl restart systemd-networkd + +The system will panic "BUG: unable to handle kernel null pointer +dereference at 0000000000000034", with call chain: + + i40iw_inetaddr_event + notifier_call_chain + blocking_notifier_call_chain + notifier_call_chain + __inet_del_ifa + inet_rtm_deladdr + rtnetlink_rcv_msg + netlink_rcv_skb + rtnetlink_rcv + netlink_unicast + netlink_sendmsg + sock_sendmsg + __sys_sendto + +It is caused by "local_ipaddr = ntohl(in->ifa_list->ifa_address)", while +the in->ifa_list is NULL. + +So add a check for the "in->ifa_list == NULL" case, and skip the ARP +operation accordingly. 
+ +Signed-off-by: Feng Tang +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/i40iw/i40iw_utils.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/i40iw/i40iw_utils.c b/drivers/infiniband/hw/i40iw/i40iw_utils.c +index 59e978141ad4..e99177533930 100644 +--- a/drivers/infiniband/hw/i40iw/i40iw_utils.c ++++ b/drivers/infiniband/hw/i40iw/i40iw_utils.c +@@ -173,7 +173,12 @@ int i40iw_inetaddr_event(struct notifier_block *notifier, + + rcu_read_lock(); + in = __in_dev_get_rcu(upper_dev); +- local_ipaddr = ntohl(in->ifa_list->ifa_address); ++ ++ if (!in->ifa_list) ++ local_ipaddr = 0; ++ else ++ local_ipaddr = ntohl(in->ifa_list->ifa_address); ++ + rcu_read_unlock(); + } else { + local_ipaddr = ntohl(ifa->ifa_address); +@@ -185,6 +190,11 @@ int i40iw_inetaddr_event(struct notifier_block *notifier, + case NETDEV_UP: + /* Fall through */ + case NETDEV_CHANGEADDR: ++ ++ /* Just skip if no need to handle ARP cache */ ++ if (!local_ipaddr) ++ break; ++ + i40iw_manage_arp_cache(iwdev, + netdev->dev_addr, + &local_ipaddr, +-- +2.19.1 + diff --git a/queue-5.0/ib-mlx4-fix-race-condition-between-catas-error-reset.patch b/queue-5.0/ib-mlx4-fix-race-condition-between-catas-error-reset.patch new file mode 100644 index 0000000000..22b1af24c2 --- /dev/null +++ b/queue-5.0/ib-mlx4-fix-race-condition-between-catas-error-reset.patch 
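Review bot: The new `if (!in->ifa_list)` test in the first hunk still dereferences `in` without checking it. `__in_dev_get_rcu()` can return NULL when the upper device has no IPv4 state attached, which would be the same kind of NULL dereference this patch is fixing. Suggest `if (!in || !in->ifa_list)`. The second hunk treats `local_ipaddr == 0` as "no address" only under the NETDEV_UP/NETDEV_CHANGEADDR labels; the rest of the switch in i40iw_inetaddr_event() is outside the hunk, so other consumers of `local_ipaddr` cannot be checked from here.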
@@ -0,0 +1,39 @@ +From db5bca17a7453eb45dd46d173a2b9394ca83056b Mon Sep 17 00:00:00 2001 +From: Jack Morgenstein +Date: Wed, 6 Mar 2019 19:17:56 +0200 +Subject: IB/mlx4: Fix race condition between catas error reset and aliasguid + flows + +[ Upstream commit 587443e7773e150ae29e643ee8f41a1eed226565 ] + +Code review revealed a race condition which could allow the catas error +flow to interrupt the alias guid query post mechanism at random points. +Thiis is fixed by doing cancel_delayed_work_sync() instead of +cancel_delayed_work() during the alias guid mechanism destroy flow. + +Fixes: a0c64a17aba8 ("mlx4: Add alias_guid mechanism") +Signed-off-by: Jack Morgenstein +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx4/alias_GUID.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/mlx4/alias_GUID.c b/drivers/infiniband/hw/mlx4/alias_GUID.c +index 782499abcd98..2a0b59a4b6eb 100644 +--- a/drivers/infiniband/hw/mlx4/alias_GUID.c ++++ b/drivers/infiniband/hw/mlx4/alias_GUID.c +@@ -804,8 +804,8 @@ void mlx4_ib_destroy_alias_guid_service(struct mlx4_ib_dev *dev) + unsigned long flags; + + for (i = 0 ; i < dev->num_ports; i++) { +- cancel_delayed_work(&dev->sriov.alias_guid.ports_guid[i].alias_guid_work); + det = &sriov->alias_guid.ports_guid[i]; ++ cancel_delayed_work_sync(&det->alias_guid_work); + spin_lock_irqsave(&sriov->alias_guid.ag_work_lock, flags); + while (!list_empty(&det->cb_list)) { + cb_ctx = list_entry(det->cb_list.next, +-- +2.19.1 + diff --git a/queue-5.0/include-linux-swap.h-use-offsetof-instead-of-custom-.patch b/queue-5.0/include-linux-swap.h-use-offsetof-instead-of-custom-.patch new file mode 100644 index 0000000000..649b18df77 --- /dev/null +++ b/queue-5.0/include-linux-swap.h-use-offsetof-instead-of-custom-.patch 
@@ -0,0 +1,59 @@ +From 0b27d8ebcfd9136a72a791506db0ed8d6903e172 Mon Sep 17 00:00:00 2001 +From: Pi-Hsun Shih +Date: Wed, 13 Mar 2019 11:44:33 -0700 +Subject: include/linux/swap.h: use offsetof() instead of custom __swapoffset + macro + +[ Upstream commit a4046c06be50a4f01d435aa7fe57514818e6cc82 ] + +Use offsetof() to calculate offset of a field to take advantage of +compiler built-in version when possible, and avoid UBSAN warning when +compiling with Clang: + + UBSAN: Undefined behaviour in mm/swapfile.c:3010:38 + member access within null pointer of type 'union swap_header' + CPU: 6 PID: 1833 Comm: swapon Tainted: G S 4.19.23 #43 + Call trace: + dump_backtrace+0x0/0x194 + show_stack+0x20/0x2c + __dump_stack+0x20/0x28 + dump_stack+0x70/0x94 + ubsan_epilogue+0x14/0x44 + ubsan_type_mismatch_common+0xf4/0xfc + __ubsan_handle_type_mismatch_v1+0x34/0x54 + __se_sys_swapon+0x654/0x1084 + __arm64_sys_swapon+0x1c/0x24 + el0_svc_common+0xa8/0x150 + el0_svc_compat_handler+0x2c/0x38 + el0_svc_compat+0x8/0x18 + +Link: http://lkml.kernel.org/r/20190312081902.223764-1-pihsun@chromium.org +Signed-off-by: Pi-Hsun Shih +Acked-by: Michal Hocko +Reviewed-by: Andrew Morton +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/linux/swap.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/include/linux/swap.h b/include/linux/swap.h +index 622025ac1461..f1146ed21062 100644 +--- a/include/linux/swap.h ++++ b/include/linux/swap.h +@@ -157,9 +157,9 @@ struct swap_extent { + /* + * Max bad pages in the new format.. + */ +-#define __swapoffset(x) ((unsigned long)&((union swap_header *)0)->x) + #define MAX_SWAP_BADPAGES \ +- ((__swapoffset(magic.magic) - __swapoffset(info.badpages)) / sizeof(int)) ++ ((offsetof(union swap_header, magic.magic) - \ ++ offsetof(union swap_header, info.badpages)) / sizeof(int)) + + enum { + SWP_USED = (1 << 0), /* is slot in swap_info[] used? */ +-- +2.19.1 + 
diff --git a/queue-5.0/inotify-fix-fsnotify_mark-refcount-leak-in-inotify_u.patch b/queue-5.0/inotify-fix-fsnotify_mark-refcount-leak-in-inotify_u.patch
new file mode 100644
index 0000000000..2239a46285
--- /dev/null
+++ b/queue-5.0/inotify-fix-fsnotify_mark-refcount-leak-in-inotify_u.patch
@@ -0,0 +1,48 @@
+From e0ae021d82d7265ab375c5d50d4db4c32f024a6f Mon Sep 17 00:00:00 2001
+From: ZhangXiaoxu
+Date: Sat, 2 Mar 2019 09:17:32 +0800
+Subject: inotify: Fix fsnotify_mark refcount leak in
+ inotify_update_existing_watch()
+
+[ Upstream commit 62c9d2674b31d4c8a674bee86b7edc6da2803aea ]
+
+Commit 4d97f7d53da7dc83 ("inotify: Add flag IN_MASK_CREATE for
+inotify_add_watch()") forgot to call fsnotify_put_mark() with
+IN_MASK_CREATE after fsnotify_find_mark()
+
+Fixes: 4d97f7d53da7dc83 ("inotify: Add flag IN_MASK_CREATE for inotify_add_watch()")
+Signed-off-by: ZhangXiaoxu
+Signed-off-by: Jan Kara
+Signed-off-by: Sasha Levin
+---
+ fs/notify/inotify/inotify_user.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/fs/notify/inotify/inotify_user.c b/fs/notify/inotify/inotify_user.c
+index 798f1253141a..3b7b8e95c98a 100644
+--- a/fs/notify/inotify/inotify_user.c
++++ b/fs/notify/inotify/inotify_user.c
+@@ -519,8 +519,10 @@ static int inotify_update_existing_watch(struct fsnotify_group *group,
+ fsn_mark = fsnotify_find_mark(&inode->i_fsnotify_marks, group);
+ if (!fsn_mark)
+ return -ENOENT;
+- else if (create)
+- return -EEXIST;
++ else if (create) {
++ ret = -EEXIST;
++ goto out;
++ }
+
+ i_mark = container_of(fsn_mark, struct inotify_inode_mark, fsn_mark);
+
+@@ -548,6 +550,7 @@ static int inotify_update_existing_watch(struct fsnotify_group *group,
+ /* return the wd */
+ ret = i_mark->wd;
+
++out:
+ /* match the get from fsnotify_find_mark() */
+ fsnotify_put_mark(fsn_mark);
+
+--
+2.19.1
+
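Review bot: In the first hunk the chain `if (!fsn_mark) return -ENOENT; else if (create) { ... }` now has braces on one branch only and keeps an `else` after a `return`. Since the first branch returns, the second test reads more clearly as its own statement: `if (create) {` / `ret = -EEXIST;` / `goto out;`, closed by `}`. That also makes it obvious that every path past the `!fsn_mark` check holds a mark reference and must leave through `out:`. The function body starts before and continues between the two hunks.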
diff --git a/queue-5.0/iommu-vt-d-check-capability-before-disabling-protect.patch b/queue-5.0/iommu-vt-d-check-capability-before-disabling-protect.patch
new file mode 100644
index 0000000000..a973c143c8
--- /dev/null
+++ b/queue-5.0/iommu-vt-d-check-capability-before-disabling-protect.patch
@@ -0,0 +1,40 @@
+From f6ca63563ed590c5a9aeed7d52fe2eeb30a86473 Mon Sep 17 00:00:00 2001
+From: Lu Baolu
+Date: Wed, 20 Mar 2019 09:58:33 +0800
+Subject: iommu/vt-d: Check capability before disabling protected memory
+
+[ Upstream commit 5bb71fc790a88d063507dc5d445ab8b14e845591 ]
+
+The spec states in 10.4.16 that the Protected Memory Enable
+Register should be treated as read-only for implementations
+not supporting protected memory regions (PLMR and PHMR fields
+reported as Clear in the Capability register).
+
+Cc: Jacob Pan
+Cc: mark gross
+Suggested-by: Ashok Raj
+Fixes: f8bab73515ca5 ("intel-iommu: PMEN support")
+Signed-off-by: Lu Baolu
+Signed-off-by: Joerg Roedel
+Signed-off-by: Sasha Levin
+---
+ drivers/iommu/intel-iommu.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c
+index dbd6824dfffa..68a21c49c562 100644
+--- a/drivers/iommu/intel-iommu.c
++++ b/drivers/iommu/intel-iommu.c
+@@ -1534,6 +1534,9 @@ static void iommu_disable_protect_mem_regions(struct intel_iommu *iommu)
+ u32 pmen;
+ unsigned long flags;
+
++ if (!cap_plmr(iommu->cap) && !cap_phmr(iommu->cap))
++ return;
++
+ raw_spin_lock_irqsave(&iommu->register_lock, flags);
+ pmen = readl(iommu->reg + DMAR_PMEN_REG);
+ pmen &= ~DMA_PMEN_EPM;
+--
+2.19.1
+
diff --git a/queue-5.0/iommu-vt-d-save-the-right-domain-id-used-by-hardware.patch b/queue-5.0/iommu-vt-d-save-the-right-domain-id-used-by-hardware.patch
new file mode 100644
index 0000000000..73dd8e8257
--- /dev/null
+++ b/queue-5.0/iommu-vt-d-save-the-right-domain-id-used-by-hardware.patch
@@ -0,0 +1,40 @@ +From 51d1b63e9b19dc67ab5886623146163b089edd86 Mon Sep 17 00:00:00 2001 +From: Lu Baolu +Date: Wed, 20 Mar 2019 09:58:34 +0800 +Subject: iommu/vt-d: Save the right domain ID used by hardware + +[ Upstream commit 84c11e4df5aa4955acaa441f0cf1cb2e50daf64b ] + +The driver sets a default domain id (FLPT_DEFAULT_DID) in the +first level only pasid entry, but saves a different domain id +in @sdev->did. The value saved in @sdev->did will be used to +invalidate the translation caches. Hence, the driver might +result in invalidating the caches with a wrong domain id. + +Cc: Ashok Raj +Cc: Jacob Pan +Fixes: 1c4f88b7f1f92 ("iommu/vt-d: Shared virtual address in scalable mode") +Signed-off-by: Liu Yi L +Signed-off-by: Lu Baolu +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/intel-iommu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c +index 68a21c49c562..53b1fbadc496 100644 +--- a/drivers/iommu/intel-iommu.c ++++ b/drivers/iommu/intel-iommu.c +@@ -5331,7 +5331,7 @@ int intel_iommu_enable_pasid(struct intel_iommu *iommu, struct intel_svm_dev *sd + + ctx_lo = context[0].lo; + +- sdev->did = domain->iommu_did[iommu->seq_id]; ++ sdev->did = FLPT_DEFAULT_DID; + sdev->sid = PCI_DEVID(info->bus, info->devfn); + + if (!(ctx_lo & CONTEXT_PASIDE)) { +-- +2.19.1 + diff --git a/queue-5.0/irqchip-mbigen-don-t-clear-eventid-when-freeing-an-m.patch b/queue-5.0/irqchip-mbigen-don-t-clear-eventid-when-freeing-an-m.patch new file mode 100644 index 0000000000..9c0aeec062 --- /dev/null +++ b/queue-5.0/irqchip-mbigen-don-t-clear-eventid-when-freeing-an-m.patch 
@@ -0,0 +1,48 @@ +From d0f38a2f7a4b06718c4be7e2010d89158f9949a0 Mon Sep 17 00:00:00 2001 +From: Jianguo Chen +Date: Wed, 20 Mar 2019 18:54:21 +0000 +Subject: irqchip/mbigen: Don't clear eventid when freeing an MSI + +[ Upstream commit fca269f201a8d9985c0a31fb60b15d4eb57cef80 ] + +mbigen_write_msg clears eventid bits of a mbigen register +when free a interrupt, because msi_domain_deactivate memset +struct msg to zero. Then multiple mbigen pins with zero eventid +will report the same interrupt number. + +The eventid clear call trace: + free_irq + __free_irq + irq_shutdown + irq_domain_deactivate_irq + __irq_domain_deactivate_irq + __irq_domain_deactivate_irq + msi_domain_deactivate + platform_msi_write_msg + mbigen_write_msg + +Signed-off-by: Jianguo Chen +[maz: massaged subject] +Signed-off-by: Marc Zyngier +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-mbigen.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/irqchip/irq-mbigen.c b/drivers/irqchip/irq-mbigen.c +index 567b29c47608..98b6e1d4b1a6 100644 +--- a/drivers/irqchip/irq-mbigen.c ++++ b/drivers/irqchip/irq-mbigen.c +@@ -161,6 +161,9 @@ static void mbigen_write_msg(struct msi_desc *desc, struct msi_msg *msg) + void __iomem *base = d->chip_data; + u32 val; + ++ if (!msg->address_lo && !msg->address_hi) ++ return; ++ + base += get_mbigen_vec_reg(d->hwirq); + val = readl_relaxed(base); + +-- +2.19.1 + diff --git a/queue-5.0/irqchip-stm32-don-t-clear-rising-falling-config-regi.patch b/queue-5.0/irqchip-stm32-don-t-clear-rising-falling-config-regi.patch new file mode 100644 index 0000000000..ff5c8cea35 --- /dev/null +++ b/queue-5.0/irqchip-stm32-don-t-clear-rising-falling-config-regi.patch 
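Review bot: The early return added to mbigen_write_msg(), `if (!msg->address_lo && !msg->address_hi) return;`, carries no comment, and its reason exists only in the commit message (the MSI deactivate path hands in a zeroed message). Suggest adding above it `/* A zeroed msg comes from deactivation; skip it so the eventid field is not cleared */`. The test keys on the two address words alone, so it relies on a real message never having both halves zero; if that is guaranteed, the same comment should say so. The rest of the function is outside the hunk.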
@@ -0,0 +1,39 @@ +From 3dc1bc00447a571aea08a6d3fdcc09e16fe82ab8 Mon Sep 17 00:00:00 2001 +From: Fabien Dessenne +Date: Thu, 7 Mar 2019 19:40:35 +0100 +Subject: irqchip/stm32: Don't clear rising/falling config registers at init + +[ Upstream commit 0dda09666f50eae9c5b794dd89b1fd8a8d89d714 ] + +Falling and rising configuration and status registers are not banked. +As they are shared with M4 co-processor, they should not be cleared +at probe time, else M4 co-processor configuration will be lost. + +Fixes: f9fc1745501e ("irqchip/stm32: Add host and driver data structures") +Signed-off-by: Loic Pallardy +Signed-off-by: Fabien Dessenne +Signed-off-by: Marc Zyngier +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-stm32-exti.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/drivers/irqchip/irq-stm32-exti.c b/drivers/irqchip/irq-stm32-exti.c +index a93296b9b45d..162a7f547f9e 100644 +--- a/drivers/irqchip/irq-stm32-exti.c ++++ b/drivers/irqchip/irq-stm32-exti.c +@@ -735,11 +735,6 @@ stm32_exti_chip_data *stm32_exti_chip_init(struct stm32_exti_host_data *h_data, + */ + writel_relaxed(0, base + stm32_bank->imr_ofst); + writel_relaxed(0, base + stm32_bank->emr_ofst); +- writel_relaxed(0, base + stm32_bank->rtsr_ofst); +- writel_relaxed(0, base + stm32_bank->ftsr_ofst); +- writel_relaxed(~0UL, base + stm32_bank->rpr_ofst); +- if (stm32_bank->fpr_ofst != UNDEF_REG) +- writel_relaxed(~0UL, base + stm32_bank->fpr_ofst); + + pr_info("%pOF: bank%d\n", h_data->node, bank_idx); + +-- +2.19.1 + diff --git a/queue-5.0/irqchip-stm32-don-t-set-rising-configuration-registe.patch b/queue-5.0/irqchip-stm32-don-t-set-rising-configuration-registe.patch new file mode 100644 index 0000000000..e55c49c038 --- /dev/null +++ b/queue-5.0/irqchip-stm32-don-t-set-rising-configuration-registe.patch 
@@ -0,0 +1,45 @@ +From 28ab48137fb8b04747a0abd64106e238234d4df4 Mon Sep 17 00:00:00 2001 +From: Fabien Dessenne +Date: Thu, 7 Mar 2019 19:40:36 +0100 +Subject: irqchip/stm32: Don't set rising configuration registers at init + +[ Upstream commit 6a77623d78b307b34d4cf7886da6a907689bf388 ] + +The rising configuration status register (rtsr) is not banked. +As it is shared with the co-processor, it should not be written at probe +time, else the co-processor configuration will be lost. + +Fixes: f9fc1745501e ("irqchip/stm32: Add host and driver data structures") +Signed-off-by: Fabien Dessenne +Signed-off-by: Marc Zyngier +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-stm32-exti.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/drivers/irqchip/irq-stm32-exti.c b/drivers/irqchip/irq-stm32-exti.c +index 162a7f547f9e..7bd1d4cb2e19 100644 +--- a/drivers/irqchip/irq-stm32-exti.c ++++ b/drivers/irqchip/irq-stm32-exti.c +@@ -716,7 +716,6 @@ stm32_exti_chip_data *stm32_exti_chip_init(struct stm32_exti_host_data *h_data, + const struct stm32_exti_bank *stm32_bank; + struct stm32_exti_chip_data *chip_data; + void __iomem *base = h_data->base; +- u32 irqs_mask; + + stm32_bank = h_data->drv_data->exti_banks[bank_idx]; + chip_data = &h_data->chips_data[bank_idx]; +@@ -725,10 +724,6 @@ stm32_exti_chip_data *stm32_exti_chip_init(struct stm32_exti_host_data *h_data, + + raw_spin_lock_init(&chip_data->rlock); + +- /* Determine number of irqs supported */ +- writel_relaxed(~0UL, base + stm32_bank->rtsr_ofst); +- irqs_mask = readl_relaxed(base + stm32_bank->rtsr_ofst); +- + /* + * This IP has no reset, so after hot reboot we should + * clear registers to avoid residue +-- +2.19.1 + diff --git a/queue-5.0/lib-div64.c-off-by-one-in-shift.patch b/queue-5.0/lib-div64.c-off-by-one-in-shift.patch new file mode 100644 index 0000000000..036a35947d --- /dev/null +++ b/queue-5.0/lib-div64.c-off-by-one-in-shift.patch 
@@ -0,0 +1,52 @@ +From 01811eda0a8bf8ff54bf054f536656242245f533 Mon Sep 17 00:00:00 2001 +From: Stanislaw Gruszka +Date: Thu, 7 Mar 2019 16:28:18 -0800 +Subject: lib/div64.c: off by one in shift + +[ Upstream commit cdc94a37493135e355dfc0b0e086d84e3eadb50d ] + +fls counts bits starting from 1 to 32 (returns 0 for zero argument). If +we add 1 we shift right one bit more and loose precision from divisor, +what cause function incorect results with some numbers. + +Corrected code was tested in user-space, see bugzilla: + https://bugzilla.kernel.org/show_bug.cgi?id=202391 + +Link: http://lkml.kernel.org/r/1548686944-11891-1-git-send-email-sgruszka@redhat.com +Fixes: 658716d19f8f ("div64_u64(): improve precision on 32bit platforms") +Signed-off-by: Stanislaw Gruszka +Reported-by: Siarhei Volkau +Tested-by: Siarhei Volkau +Acked-by: Oleg Nesterov +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + lib/div64.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/lib/div64.c b/lib/div64.c +index 01c8602bb6ff..ee146bb4c558 100644 +--- a/lib/div64.c ++++ b/lib/div64.c +@@ -109,7 +109,7 @@ u64 div64_u64_rem(u64 dividend, u64 divisor, u64 *remainder) + quot = div_u64_rem(dividend, divisor, &rem32); + *remainder = rem32; + } else { +- int n = 1 + fls(high); ++ int n = fls(high); + quot = div_u64(dividend >> n, divisor >> n); + + if (quot != 0) +@@ -147,7 +147,7 @@ u64 div64_u64(u64 dividend, u64 divisor) + if (high == 0) { + quot = div_u64(dividend, divisor); + } else { +- int n = 1 + fls(high); ++ int n = fls(high); + quot = div_u64(dividend >> n, divisor >> n); + + if (quot != 0) +-- +2.19.1 + diff --git a/queue-5.0/lkdtm-add-tests-for-null-pointer-dereference.patch b/queue-5.0/lkdtm-add-tests-for-null-pointer-dereference.patch new file mode 100644 index 0000000000..558077b51c --- /dev/null +++ b/queue-5.0/lkdtm-add-tests-for-null-pointer-dereference.patch 
@@ -0,0 +1,91 @@ +From 2078b09ba20c41bf9165c33509856c969a3bd9ff Mon Sep 17 00:00:00 2001 +From: Christophe Leroy +Date: Fri, 14 Dec 2018 15:26:20 +0000 +Subject: lkdtm: Add tests for NULL pointer dereference + +[ Upstream commit 59a12205d3c32aee4c13ca36889fdf7cfed31126 ] + +Introduce lkdtm tests for NULL pointer dereference: check access or exec +at NULL address, since these errors tend to be reported differently from +the general fault error text. For example from x86: + + pr_alert("BUG: unable to handle kernel %s at %px\n", + address < PAGE_SIZE ? "NULL pointer dereference" : "paging request", + (void *)address); + +Signed-off-by: Christophe Leroy +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + drivers/misc/lkdtm/core.c | 2 ++ + drivers/misc/lkdtm/lkdtm.h | 2 ++ + drivers/misc/lkdtm/perms.c | 18 ++++++++++++++++++ + 3 files changed, 22 insertions(+) + +diff --git a/drivers/misc/lkdtm/core.c b/drivers/misc/lkdtm/core.c +index 2837dc77478e..f0f9eb30bd2b 100644 +--- a/drivers/misc/lkdtm/core.c ++++ b/drivers/misc/lkdtm/core.c +@@ -152,7 +152,9 @@ static const struct crashtype crashtypes[] = { + CRASHTYPE(EXEC_VMALLOC), + CRASHTYPE(EXEC_RODATA), + CRASHTYPE(EXEC_USERSPACE), ++ CRASHTYPE(EXEC_NULL), + CRASHTYPE(ACCESS_USERSPACE), ++ CRASHTYPE(ACCESS_NULL), + CRASHTYPE(WRITE_RO), + CRASHTYPE(WRITE_RO_AFTER_INIT), + CRASHTYPE(WRITE_KERN), +diff --git a/drivers/misc/lkdtm/lkdtm.h b/drivers/misc/lkdtm/lkdtm.h +index 3c6fd327e166..b69ee004a3f7 100644 +--- a/drivers/misc/lkdtm/lkdtm.h ++++ b/drivers/misc/lkdtm/lkdtm.h +@@ -45,7 +45,9 @@ void lkdtm_EXEC_KMALLOC(void); + void lkdtm_EXEC_VMALLOC(void); + void lkdtm_EXEC_RODATA(void); + void lkdtm_EXEC_USERSPACE(void); ++void lkdtm_EXEC_NULL(void); + void lkdtm_ACCESS_USERSPACE(void); ++void lkdtm_ACCESS_NULL(void); + + /* lkdtm_refcount.c */ + void lkdtm_REFCOUNT_INC_OVERFLOW(void); +diff --git a/drivers/misc/lkdtm/perms.c b/drivers/misc/lkdtm/perms.c +index fa54add6375a..62f76d506f04 100644 +--- 
a/drivers/misc/lkdtm/perms.c ++++ b/drivers/misc/lkdtm/perms.c +@@ -164,6 +164,11 @@ void lkdtm_EXEC_USERSPACE(void) + vm_munmap(user_addr, PAGE_SIZE); + } + ++void lkdtm_EXEC_NULL(void) ++{ ++ execute_location(NULL, CODE_AS_IS); ++} ++ + void lkdtm_ACCESS_USERSPACE(void) + { + unsigned long user_addr, tmp = 0; +@@ -195,6 +200,19 @@ void lkdtm_ACCESS_USERSPACE(void) + vm_munmap(user_addr, PAGE_SIZE); + } + ++void lkdtm_ACCESS_NULL(void) ++{ ++ unsigned long tmp; ++ unsigned long *ptr = (unsigned long *)NULL; ++ ++ pr_info("attempting bad read at %px\n", ptr); ++ tmp = *ptr; ++ tmp += 0xc0dec0de; ++ ++ pr_info("attempting bad write at %px\n", ptr); ++ *ptr = tmp; ++} ++ + void __init lkdtm_perms_init(void) + { + /* Make sure we can write to __ro_after_init values during __init */ +-- +2.19.1 + diff --git a/queue-5.0/lkdtm-print-real-addresses.patch b/queue-5.0/lkdtm-print-real-addresses.patch new file mode 100644 index 0000000000..662628735f --- /dev/null +++ b/queue-5.0/lkdtm-print-real-addresses.patch 
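Review bot: In lkdtm_ACCESS_NULL() the pointer is a plain `unsigned long *` initialised from the constant NULL, so `tmp = *ptr` and `*ptr = tmp` are accesses the compiler can see are undefined and is entitled to drop or replace with a trap. If that happens the test no longer exercises the fault-reporting path it was added to check, and a kernel whose NULL handling is broken would still appear to pass. Declaring it `volatile unsigned long *ptr = (unsigned long *)NULL;` forces both accesses to be emitted. Whether the kernel's build flags already rule out that folding is not visible from this patch.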
@@ -0,0 +1,115 @@ +From 27fc39f6387c153b3fcd6d59fbc3c1b875c9ea57 Mon Sep 17 00:00:00 2001 +From: Christophe Leroy +Date: Wed, 7 Nov 2018 20:14:10 +0000 +Subject: lkdtm: Print real addresses + +[ Upstream commit 4c411157a42f122051ae3469bee0b5cabe89e139 ] + +Today, when doing a lkdtm test before the readiness of the +random generator, (ptrval) is printed instead of the address +at which it perform the fault: + +[ 1597.337030] lkdtm: Performing direct entry EXEC_USERSPACE +[ 1597.337142] lkdtm: attempting ok execution at (ptrval) +[ 1597.337398] lkdtm: attempting bad execution at (ptrval) +[ 1597.337460] kernel tried to execute user page (77858000) -exploit attempt? (uid: 0) +[ 1597.344769] Unable to handle kernel paging request for instruction fetch +[ 1597.351392] Faulting instruction address: 0x77858000 +[ 1597.356312] Oops: Kernel access of bad area, sig: 11 [#1] + +If the lkdtm test is done later on, it prints an hashed address. + +In both cases this is pointless. The purpose of the test is to +ensure the kernel generates an Oops at the expected address, +so real addresses needs to be printed. This patch fixes that. 
+ +Signed-off-by: Christophe Leroy +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + drivers/misc/lkdtm/perms.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/drivers/misc/lkdtm/perms.c b/drivers/misc/lkdtm/perms.c +index 53b85c9d16b8..fa54add6375a 100644 +--- a/drivers/misc/lkdtm/perms.c ++++ b/drivers/misc/lkdtm/perms.c +@@ -47,7 +47,7 @@ static noinline void execute_location(void *dst, bool write) + { + void (*func)(void) = dst; + +- pr_info("attempting ok execution at %p\n", do_nothing); ++ pr_info("attempting ok execution at %px\n", do_nothing); + do_nothing(); + + if (write == CODE_WRITE) { +@@ -55,7 +55,7 @@ static noinline void execute_location(void *dst, bool write) + flush_icache_range((unsigned long)dst, + (unsigned long)dst + EXEC_SIZE); + } +- pr_info("attempting bad execution at %p\n", func); ++ pr_info("attempting bad execution at %px\n", func); + func(); + } + +@@ -66,14 +66,14 @@ static void execute_user_location(void *dst) + /* Intentionally crossing kernel/user memory boundary. */ + void (*func)(void) = dst; + +- pr_info("attempting ok execution at %p\n", do_nothing); ++ pr_info("attempting ok execution at %px\n", do_nothing); + do_nothing(); + + copied = access_process_vm(current, (unsigned long)dst, do_nothing, + EXEC_SIZE, FOLL_WRITE); + if (copied < EXEC_SIZE) + return; +- pr_info("attempting bad execution at %p\n", func); ++ pr_info("attempting bad execution at %px\n", func); + func(); + } + +@@ -82,7 +82,7 @@ void lkdtm_WRITE_RO(void) + /* Explicitly cast away "const" for the test. 
*/ + unsigned long *ptr = (unsigned long *)&rodata; + +- pr_info("attempting bad rodata write at %p\n", ptr); ++ pr_info("attempting bad rodata write at %px\n", ptr); + *ptr ^= 0xabcd1234; + } + +@@ -100,7 +100,7 @@ void lkdtm_WRITE_RO_AFTER_INIT(void) + return; + } + +- pr_info("attempting bad ro_after_init write at %p\n", ptr); ++ pr_info("attempting bad ro_after_init write at %px\n", ptr); + *ptr ^= 0xabcd1234; + } + +@@ -112,7 +112,7 @@ void lkdtm_WRITE_KERN(void) + size = (unsigned long)do_overwritten - (unsigned long)do_nothing; + ptr = (unsigned char *)do_overwritten; + +- pr_info("attempting bad %zu byte write at %p\n", size, ptr); ++ pr_info("attempting bad %zu byte write at %px\n", size, ptr); + memcpy(ptr, (unsigned char *)do_nothing, size); + flush_icache_range((unsigned long)ptr, (unsigned long)(ptr + size)); + +@@ -185,11 +185,11 @@ void lkdtm_ACCESS_USERSPACE(void) + + ptr = (unsigned long *)user_addr; + +- pr_info("attempting bad read at %p\n", ptr); ++ pr_info("attempting bad read at %px\n", ptr); + tmp = *ptr; + tmp += 0xc0dec0de; + +- pr_info("attempting bad write at %p\n", ptr); ++ pr_info("attempting bad write at %px\n", ptr); + *ptr = tmp; + + vm_munmap(user_addr, PAGE_SIZE); +-- +2.19.1 + diff --git a/queue-5.0/mips-bcm47xx-enable-usb-power-on-netgear-wndr3400v2.patch b/queue-5.0/mips-bcm47xx-enable-usb-power-on-netgear-wndr3400v2.patch new file mode 100644 index 0000000000..b97467ade0 --- /dev/null +++ b/queue-5.0/mips-bcm47xx-enable-usb-power-on-netgear-wndr3400v2.patch 
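Review bot: Every `%p` to `%px` switch in perms.c (execute_location(), execute_user_location(), lkdtm_WRITE_RO(), lkdtm_WRITE_RO_AFTER_INIT(), lkdtm_WRITE_KERN() and lkdtm_ACCESS_USERSPACE()) puts unhashed kernel text and data addresses into the kernel log, and nothing in the file records that this is deliberate. Anyone able to read the log of a machine where these tests ran learns the kernel's address layout, so the reason belongs next to the code where a later printk cleanup will see it. I would add above execute_location() a comment such as `/* %px is intentional: the real address must be logged so it can be compared with the Oops; lkdtm is a test facility, not for production kernels */`.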
@@ -0,0 +1,42 @@
+From 8b1614965a5fa0d3d1ffdc6d2302112178df6d42 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0tetiar?=
+Date: Mon, 11 Mar 2019 22:08:22 +0100
+Subject: mips: bcm47xx: Enable USB power on Netgear WNDR3400v2
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit cdb8faa00e3fcdd0ad10add743516d616dc7d38e ]
+
+Eric has reported on OpenWrt's bug tracking system[1], that he's not
+able to use USB devices on his WNDR3400v2 device after the boot, until
+he turns on GPIO #21 manually through sysfs.
+
+1. https://bugs.openwrt.org/index.php?do=details&task_id=2170
+
+Cc: Rafał Miłecki
+Cc: Hauke Mehrtens
+Reported-by: Eric Bohlman
+Tested-by: Eric Bohlman
+Signed-off-by: Petr Štetiar
+Signed-off-by: Paul Burton
+Signed-off-by: Sasha Levin
+---
+ arch/mips/bcm47xx/workarounds.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/mips/bcm47xx/workarounds.c b/arch/mips/bcm47xx/workarounds.c
+index 46eddbec8d9f..0ab95dd431b3 100644
+--- a/arch/mips/bcm47xx/workarounds.c
++++ b/arch/mips/bcm47xx/workarounds.c
+@@ -24,6 +24,7 @@ void __init bcm47xx_workarounds(void)
+ case BCM47XX_BOARD_NETGEAR_WNR3500L:
+ bcm47xx_workarounds_enable_usb_power(12);
+ break;
++ case BCM47XX_BOARD_NETGEAR_WNDR3400V2:
+ case BCM47XX_BOARD_NETGEAR_WNDR3400_V3:
+ bcm47xx_workarounds_enable_usb_power(21);
+ break;
+--
+2.19.1
+
diff --git a/queue-5.0/mmc-davinci-remove-extraneous-__init-annotation.patch b/queue-5.0/mmc-davinci-remove-extraneous-__init-annotation.patch
new file mode 100644
index 0000000000..756e6252f2
--- /dev/null
+++ b/queue-5.0/mmc-davinci-remove-extraneous-__init-annotation.patch
@@ -0,0 +1,40 @@
+From ea8240b3ab48cce56f87ed5400209f1008160ba6 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann
+Date: Thu, 7 Mar 2019 11:10:11 +0100
+Subject: mmc: davinci: remove extraneous __init annotation
+
+[ Upstream commit 9ce58dd7d9da3ca0d7cb8c9568f1c6f4746da65a ]
+
+Building with clang finds a mistaken __init tag:
+
+WARNING: vmlinux.o(.text+0x5e4250): Section mismatch in reference from the function davinci_mmcsd_probe() to the function .init.text:init_mmcsd_host()
+The function davinci_mmcsd_probe() references
+the function __init init_mmcsd_host().
+This is often because davinci_mmcsd_probe lacks a __init
+annotation or the annotation of init_mmcsd_host is wrong.
+
+Signed-off-by: Arnd Bergmann
+Acked-by: Wolfram Sang
+Reviewed-by: Nathan Chancellor
+Signed-off-by: Ulf Hansson
+Signed-off-by: Sasha Levin
+---
+ drivers/mmc/host/davinci_mmc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/davinci_mmc.c b/drivers/mmc/host/davinci_mmc.c
+index 9e68c3645e22..e6f14257a7d0 100644
+--- a/drivers/mmc/host/davinci_mmc.c
++++ b/drivers/mmc/host/davinci_mmc.c
+@@ -1117,7 +1117,7 @@ static inline void mmc_davinci_cpufreq_deregister(struct mmc_davinci_host *host)
+ {
+ }
+ #endif
+-static void __init init_mmcsd_host(struct mmc_davinci_host *host)
++static void init_mmcsd_host(struct mmc_davinci_host *host)
+ {
+
+ mmc_davinci_reset_ctrl(host, 1);
+--
+2.19.1
+
diff --git a/queue-5.0/net-hns3-fix-null-deref-when-unloading-driver.patch b/queue-5.0/net-hns3-fix-null-deref-when-unloading-driver.patch
new file mode 100644
index 0000000000..d78eb6a10f
--- /dev/null
+++ b/queue-5.0/net-hns3-fix-null-deref-when-unloading-driver.patch
@@ -0,0 +1,245 @@ +From 5b03e2a62bf9fb506b584c6c8641f37465834aa1 Mon Sep 17 00:00:00 2001 +From: Huazhong Tan +Date: Thu, 31 Jan 2019 04:55:46 +0800 +Subject: net: hns3: Fix NULL deref when unloading driver + +[ Upstream commit c8a8045b2d0a974149d65bbe6a7acbcde93cf85b ] + +When the driver is unloading, if there is a calling of ndo_open occurs +between phy_disconnect() and unregister_netdev(), it will end up +causing the kernel to eventually hit a NULL deref: + +[14942.417828] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000048 +[14942.529878] Mem abort info: +[14942.551166] ESR = 0x96000006 +[14942.567070] Exception class = DABT (current EL), IL = 32 bits +[14942.623081] SET = 0, FnV = 0 +[14942.639112] EA = 0, S1PTW = 0 +[14942.643628] Data abort info: +[14942.659227] ISV = 0, ISS = 0x00000006 +[14942.674870] CM = 0, WnR = 0 +[14942.679449] user pgtable: 4k pages, 48-bit VAs, pgdp = 00000000224ad6ad +[14942.695595] [0000000000000048] pgd=00000021e6673003, pud=00000021dbf01003, pmd=0000000000000000 +[14942.723163] Internal error: Oops: 96000006 [#1] PREEMPT SMP +[14942.729358] Modules linked in: hns3(O) hclge(O) pv680_mii(O) hnae3(O) [last unloaded: hclge] +[14942.738907] CPU: 1 PID: 26629 Comm: kworker/u4:13 Tainted: G O 4.18.0-rc1-12928-ga960791-dirty #145 +[14942.749491] Hardware name: Huawei Technologies Co., Ltd. 
D05/D05, BIOS Hi1620 FPGA TB BOOT BIOS B763 08/17/2018 +[14942.760392] Workqueue: events_power_efficient phy_state_machine +[14942.766644] pstate: 80c00009 (Nzcv daif +PAN +UAO) +[14942.771918] pc : test_and_set_bit+0x18/0x38 +[14942.776589] lr : netif_carrier_off+0x24/0x70 +[14942.781033] sp : ffff0000121abd20 +[14942.784518] x29: ffff0000121abd20 x28: 0000000000000000 +[14942.790208] x27: ffff0000164d3cd8 x26: ffff8021da68b7b8 +[14942.795832] x25: 0000000000000000 x24: ffff8021eb407800 +[14942.801445] x23: 0000000000000000 x22: 0000000000000000 +[14942.807046] x21: 0000000000000001 x20: 0000000000000000 +[14942.812672] x19: 0000000000000000 x18: ffff000009781708 +[14942.818284] x17: 00000000004970e8 x16: ffff00000816ad48 +[14942.823900] x15: 0000000000000000 x14: 0000000000000008 +[14942.829528] x13: 0000000000000000 x12: 0000000000000f65 +[14942.835149] x11: 0000000000000001 x10: 00000000000009d0 +[14942.840753] x9 : ffff0000121abaa0 x8 : 0000000000000000 +[14942.846360] x7 : ffff000009781708 x6 : 0000000000000003 +[14942.851970] x5 : 0000000000000020 x4 : 0000000000000004 +[14942.857575] x3 : 0000000000000002 x2 : 0000000000000001 +[14942.863180] x1 : 0000000000000048 x0 : 0000000000000000 +[14942.868875] Process kworker/u4:13 (pid: 26629, stack limit = 0x00000000c909dbf3) +[14942.876464] Call trace: +[14942.879200] test_and_set_bit+0x18/0x38 +[14942.883376] phy_link_change+0x38/0x78 +[14942.887378] phy_state_machine+0x3dc/0x4f8 +[14942.891968] process_one_work+0x158/0x470 +[14942.896223] worker_thread+0x50/0x470 +[14942.900219] kthread+0x104/0x130 +[14942.903905] ret_from_fork+0x10/0x1c +[14942.907755] Code: d2800022 8b400c21 f9800031 9ac32044 (c85f7c22) +[14942.914185] ---[ end trace 968c9e12eb740b23 ]--- + +So this patch fixes it by modifying the timing to do phy_connect_direct() +and phy_disconnect(). 
+ +Fixes: 256727da7395 ("net: hns3: Add MDIO support to HNS3 Ethernet driver for hip08 SoC") +Signed-off-by: Huazhong Tan +Signed-off-by: Peng Li +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hnae3.h | 2 ++ + .../net/ethernet/hisilicon/hns3/hns3_enet.c | 28 +++++++++++++++++++ + .../hisilicon/hns3/hns3pf/hclge_main.c | 20 ++----------- + .../hisilicon/hns3/hns3pf/hclge_mdio.c | 8 ++++-- + .../hisilicon/hns3/hns3pf/hclge_mdio.h | 4 +-- + 5 files changed, 40 insertions(+), 22 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hnae3.h b/drivers/net/ethernet/hisilicon/hns3/hnae3.h +index 09c774fe8853..854a55d4332a 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hnae3.h ++++ b/drivers/net/ethernet/hisilicon/hns3/hnae3.h +@@ -463,6 +463,8 @@ struct hnae3_ae_ops { + int (*set_gro_en)(struct hnae3_handle *handle, int enable); + u16 (*get_global_queue_id)(struct hnae3_handle *handle, u16 queue_id); + void (*set_timer_task)(struct hnae3_handle *handle, bool enable); ++ int (*mac_connect_phy)(struct hnae3_handle *handle); ++ void (*mac_disconnect_phy)(struct hnae3_handle *handle); + }; + + struct hnae3_dcb_ops { +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c +index d84c50068f66..40b69eaf2cb3 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c +@@ -3519,6 +3519,25 @@ static int hns3_init_mac_addr(struct net_device *netdev, bool init) + return ret; + } + ++static int hns3_init_phy(struct net_device *netdev) ++{ ++ struct hnae3_handle *h = hns3_get_handle(netdev); ++ int ret = 0; ++ ++ if (h->ae_algo->ops->mac_connect_phy) ++ ret = h->ae_algo->ops->mac_connect_phy(h); ++ ++ return ret; ++} ++ ++static void hns3_uninit_phy(struct net_device *netdev) ++{ ++ struct hnae3_handle *h = hns3_get_handle(netdev); ++ ++ if (h->ae_algo->ops->mac_disconnect_phy) ++ 
h->ae_algo->ops->mac_disconnect_phy(h); ++} ++ + static int hns3_restore_fd_rules(struct net_device *netdev) + { + struct hnae3_handle *h = hns3_get_handle(netdev); +@@ -3627,6 +3646,10 @@ static int hns3_client_init(struct hnae3_handle *handle) + goto out_init_ring_data; + } + ++ ret = hns3_init_phy(netdev); ++ if (ret) ++ goto out_init_phy; ++ + ret = register_netdev(netdev); + if (ret) { + dev_err(priv->dev, "probe register netdev fail!\n"); +@@ -3651,6 +3674,9 @@ static int hns3_client_init(struct hnae3_handle *handle) + return ret; + + out_reg_netdev_fail: ++ hns3_uninit_phy(netdev); ++out_init_phy: ++ hns3_uninit_all_ring(priv); + out_init_ring_data: + (void)hns3_nic_uninit_vector_data(priv); + out_init_vector_data: +@@ -3685,6 +3711,8 @@ static void hns3_client_uninit(struct hnae3_handle *handle, bool reset) + + hns3_force_clear_all_rx_ring(handle); + ++ hns3_uninit_phy(netdev); ++ + ret = hns3_nic_uninit_vector_data(priv); + if (ret) + netdev_err(netdev, "uninit vector error\n"); +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +index f7637c08bb3a..cb7571747af7 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +@@ -6959,16 +6959,6 @@ static void hclge_get_mdix_mode(struct hnae3_handle *handle, + *tp_mdix = ETH_TP_MDI; + } + +-static int hclge_init_instance_hw(struct hclge_dev *hdev) +-{ +- return hclge_mac_connect_phy(hdev); +-} +- +-static void hclge_uninit_instance_hw(struct hclge_dev *hdev) +-{ +- hclge_mac_disconnect_phy(hdev); +-} +- + static int hclge_init_client_instance(struct hnae3_client *client, + struct hnae3_ae_dev *ae_dev) + { +@@ -6988,13 +6978,6 @@ static int hclge_init_client_instance(struct hnae3_client *client, + if (ret) + goto clear_nic; + +- ret = hclge_init_instance_hw(hdev); +- if (ret) { +- client->ops->uninit_instance(&vport->nic, +- 0); +- goto clear_nic; +- } +- + 
hnae3_set_client_init_flag(client, ae_dev, 1); + + if (hdev->roce_client && +@@ -7079,7 +7062,6 @@ static void hclge_uninit_client_instance(struct hnae3_client *client, + if (client->type == HNAE3_CLIENT_ROCE) + return; + if (hdev->nic_client && client->ops->uninit_instance) { +- hclge_uninit_instance_hw(hdev); + client->ops->uninit_instance(&vport->nic, 0); + hdev->nic_client = NULL; + vport->nic.client = NULL; +@@ -8012,6 +7994,8 @@ static const struct hnae3_ae_ops hclge_ops = { + .set_gro_en = hclge_gro_en, + .get_global_queue_id = hclge_covert_handle_qid_global, + .set_timer_task = hclge_set_timer_task, ++ .mac_connect_phy = hclge_mac_connect_phy, ++ .mac_disconnect_phy = hclge_mac_disconnect_phy, + }; + + static struct hnae3_ae_algo ae_algo = { +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c +index dabb8437f8dc..84f28785ba28 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c +@@ -195,8 +195,10 @@ static void hclge_mac_adjust_link(struct net_device *netdev) + netdev_err(netdev, "failed to configure flow control.\n"); + } + +-int hclge_mac_connect_phy(struct hclge_dev *hdev) ++int hclge_mac_connect_phy(struct hnae3_handle *handle) + { ++ struct hclge_vport *vport = hclge_get_vport(handle); ++ struct hclge_dev *hdev = vport->back; + struct net_device *netdev = hdev->vport[0].nic.netdev; + struct phy_device *phydev = hdev->hw.mac.phydev; + __ETHTOOL_DECLARE_LINK_MODE_MASK(mask) = { 0, }; +@@ -229,8 +231,10 @@ int hclge_mac_connect_phy(struct hclge_dev *hdev) + return 0; + } + +-void hclge_mac_disconnect_phy(struct hclge_dev *hdev) ++void hclge_mac_disconnect_phy(struct hnae3_handle *handle) + { ++ struct hclge_vport *vport = hclge_get_vport(handle); ++ struct hclge_dev *hdev = vport->back; + struct phy_device *phydev = hdev->hw.mac.phydev; + + if (!phydev) +diff --git 
a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h +index 5fbf7dddb5d9..ef095d9c566f 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h +@@ -5,8 +5,8 @@ + #define __HCLGE_MDIO_H + + int hclge_mac_mdio_config(struct hclge_dev *hdev); +-int hclge_mac_connect_phy(struct hclge_dev *hdev); +-void hclge_mac_disconnect_phy(struct hclge_dev *hdev); ++int hclge_mac_connect_phy(struct hnae3_handle *handle); ++void hclge_mac_disconnect_phy(struct hnae3_handle *handle); + void hclge_mac_start_phy(struct hclge_dev *hdev); + void hclge_mac_stop_phy(struct hclge_dev *hdev); + +-- +2.19.1 + diff --git a/queue-5.0/paride-pcd-cleanup-queues-when-detection-fails.patch b/queue-5.0/paride-pcd-cleanup-queues-when-detection-fails.patch new file mode 100644 index 0000000000..74556c8e6b --- /dev/null +++ b/queue-5.0/paride-pcd-cleanup-queues-when-detection-fails.patch 
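Review bot: In hns3_client_init() a failing `hns3_init_phy()` jumps straight to `out_init_phy` without a message, while the register_netdev() failure just below it reports itself through dev_err(). Unless hclge_mac_connect_phy() logs on its own, which the part of it shown here does not establish, a probe that dies at PHY connect leaves no trace of where it stopped. I would write it as `if (ret) { dev_err(priv->dev, "failed to init phy, ret = %d\n", ret); goto out_init_phy; }`. hns3_client_init() starts and ends outside the hunks, so the rest of the unwind order cannot be checked from here.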
@@ -0,0 +1,44 @@
+From 39c0b55b26850c9b55f1985d75618f47a5343646 Mon Sep 17 00:00:00 2001
+From: Jens Axboe
+Date: Mon, 18 Mar 2019 08:10:32 -0600
+Subject: paride/pcd: cleanup queues when detection fails
+
+[ Upstream commit 81b74ac68c28fddb3589ad5d4d5e587baf4bb781 ]
+
+The driver allocates queues for all the units it potentially
+supports. But if we fail to detect any drives, then we fail
+loading the module without cleaning up those queues. This is
+now evident with the switch to blk-mq, though the bug has
+been there forever as far as I can tell.
+
+Also fix cleanup through regular module exit.
+
+Reported-by: Randy Dunlap
+Tested-by: Randy Dunlap
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ drivers/block/paride/pcd.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/block/paride/pcd.c b/drivers/block/paride/pcd.c
+index 96670eefaeb2..377a694dc228 100644
+--- a/drivers/block/paride/pcd.c
++++ b/drivers/block/paride/pcd.c
+@@ -749,8 +749,12 @@ static int pcd_detect(void)
+ return 0;
+
+ printk("%s: No CD-ROM drive found\n", name);
+- for (unit = 0, cd = pcd; unit < PCD_UNITS; unit++, cd++)
++ for (unit = 0, cd = pcd; unit < PCD_UNITS; unit++, cd++) {
++ blk_cleanup_queue(cd->disk->queue);
++ cd->disk->queue = NULL;
++ blk_mq_free_tag_set(&cd->tag_set);
+ put_disk(cd->disk);
++ }
+ pi_unregister_driver(par_drv);
+ return -1;
+ }
+--
+2.19.1
+
diff --git a/queue-5.0/paride-pf-cleanup-queues-when-detection-fails.patch b/queue-5.0/paride-pf-cleanup-queues-when-detection-fails.patch
new file mode 100644
index 0000000000..3ef23a8c75
--- /dev/null
+++ b/queue-5.0/paride-pf-cleanup-queues-when-detection-fails.patch
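Review bot: The new loop body in pcd_detect() dereferences `cd->disk` for every one of the PCD_UNITS slots before it reaches `put_disk()`, so the failure path now depends on every slot having a disk. If unit setup can leave a slot's disk unallocated (that code is outside this hunk), `cd->disk->queue` is a NULL dereference on a path that previously only handed the pointer to put_disk(). A guard at the top of the loop, `if (!cd->disk) continue;`, closes that. The paride/pf patch that follows adds the same accesses in pf_detect() and pf_exit() and wants the matching `if (!pf->disk) continue;`.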
@@ -0,0 +1,64 @@
+From 6d7c6338d19883131c2e74dc26c5cc546881a664 Mon Sep 17 00:00:00 2001
+From: Jens Axboe
+Date: Mon, 18 Mar 2019 08:08:43 -0600
+Subject: paride/pf: cleanup queues when detection fails
+
+[ Upstream commit 6ce59025f1182125e75c8d121daf44056b65dd1f ]
+
+The driver allocates queues for all the units it potentially
+supports. But if we fail to detect any drives, then we fail
+loading the module without cleaning up those queues. This is
+now evident with the switch to blk-mq, though the bug has
+been there forever as far as I can tell.
+
+Also fix cleanup through regular module exit.
+
+Reported-by: Randy Dunlap
+Tested-by: Randy Dunlap
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ drivers/block/paride/pf.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/block/paride/pf.c b/drivers/block/paride/pf.c
+index e92e7a8eeeb2..103b617cdc31 100644
+--- a/drivers/block/paride/pf.c
++++ b/drivers/block/paride/pf.c
+@@ -761,8 +761,12 @@ static int pf_detect(void)
+ return 0;
+
+ printk("%s: No ATAPI disk detected\n", name);
+- for (pf = units, unit = 0; unit < PF_UNITS; pf++, unit++)
++ for (pf = units, unit = 0; unit < PF_UNITS; pf++, unit++) {
++ blk_cleanup_queue(pf->disk->queue);
++ pf->disk->queue = NULL;
++ blk_mq_free_tag_set(&pf->tag_set);
+ put_disk(pf->disk);
++ }
+ pi_unregister_driver(par_drv);
+ return -1;
+ }
+@@ -1047,13 +1051,15 @@ static void __exit pf_exit(void)
+ int unit;
+ unregister_blkdev(major, name);
+ for (pf = units, unit = 0; unit < PF_UNITS; pf++, unit++) {
+- if (!pf->present)
+- continue;
+- del_gendisk(pf->disk);
++ if (pf->present)
++ del_gendisk(pf->disk);
++
+ blk_cleanup_queue(pf->disk->queue);
+ blk_mq_free_tag_set(&pf->tag_set);
+ put_disk(pf->disk);
+- pi_release(pf->pi);
++
++ if (pf->present)
++ pi_release(pf->pi);
+ }
+ }
+
+--
+2.19.1
+
diff --git a/queue-5.0/pci-aspm-save-ltr-capability-for-suspend-resume.patch b/queue-5.0/pci-aspm-save-ltr-capability-for-suspend-resume.patch
new file mode 100644
index 0000000000..e2f486473f
--- /dev/null
+++ b/queue-5.0/pci-aspm-save-ltr-capability-for-suspend-resume.patch
@@ -0,0 +1,129 @@ +From f5358ed8c1d4d747988ba8aeec3fbf71d1505113 Mon Sep 17 00:00:00 2001 +From: Bjorn Helgaas +Date: Wed, 9 Jan 2019 08:22:08 -0600 +Subject: PCI/ASPM: Save LTR Capability for suspend/resume + +[ Upstream commit dbbfadf2319005cf528b0f15f12a05d4e4644303 ] + +Latency Tolerance Reporting (LTR) allows Endpoints and Switch Upstream +Ports to report their latency requirements to upstream components. If ASPM +L1 PM substates are enabled, the LTR information helps determine when a +Link enters L1.2 [1]. + +Software must set the maximum latency values in the LTR Capability based on +characteristics of the platform, then set LTR Mechanism Enable in the +Device Control 2 register in the PCIe Capability. The device can then use +LTR to report its latency tolerance. + +If the device reports a maximum latency value of zero, that means the +device requires the highest possible performance and the ASPM L1.2 substate +is effectively disabled. + +We put devices in D3 for suspend, and we assume their internal state is +lost. On resume, previously we did not restore the LTR Capability, but we +did restore the LTR Mechanism Enable bit, so devices would request the +highest possible performance and ASPM L1.2 wouldn't be used. 
+ +[1] PCIe r4.0, sec 5.5.1 +Link: https://bugzilla.kernel.org/show_bug.cgi?id=201469 +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + drivers/pci/pci.c | 53 +++++++++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 51 insertions(+), 2 deletions(-) + +diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c +index 5a94a3cf61cd..e91005d0f20c 100644 +--- a/drivers/pci/pci.c ++++ b/drivers/pci/pci.c +@@ -1233,7 +1233,6 @@ static void pci_restore_pcie_state(struct pci_dev *dev) + pcie_capability_write_word(dev, PCI_EXP_SLTCTL2, cap[i++]); + } + +- + static int pci_save_pcix_state(struct pci_dev *dev) + { + int pos; +@@ -1270,6 +1269,45 @@ static void pci_restore_pcix_state(struct pci_dev *dev) + pci_write_config_word(dev, pos + PCI_X_CMD, cap[i++]); + } + ++static void pci_save_ltr_state(struct pci_dev *dev) ++{ ++ int ltr; ++ struct pci_cap_saved_state *save_state; ++ u16 *cap; ++ ++ if (!pci_is_pcie(dev)) ++ return; ++ ++ ltr = pci_find_ext_capability(dev, PCI_EXT_CAP_ID_LTR); ++ if (!ltr) ++ return; ++ ++ save_state = pci_find_saved_ext_cap(dev, PCI_EXT_CAP_ID_LTR); ++ if (!save_state) { ++ pci_err(dev, "no suspend buffer for LTR; ASPM issues possible after resume\n"); ++ return; ++ } ++ ++ cap = (u16 *)&save_state->cap.data[0]; ++ pci_read_config_word(dev, ltr + PCI_LTR_MAX_SNOOP_LAT, cap++); ++ pci_read_config_word(dev, ltr + PCI_LTR_MAX_NOSNOOP_LAT, cap++); ++} ++ ++static void pci_restore_ltr_state(struct pci_dev *dev) ++{ ++ struct pci_cap_saved_state *save_state; ++ int ltr; ++ u16 *cap; ++ ++ save_state = pci_find_saved_ext_cap(dev, PCI_EXT_CAP_ID_LTR); ++ ltr = pci_find_ext_capability(dev, PCI_EXT_CAP_ID_LTR); ++ if (!save_state || !ltr) ++ return; ++ ++ cap = (u16 *)&save_state->cap.data[0]; ++ pci_write_config_word(dev, ltr + PCI_LTR_MAX_SNOOP_LAT, *cap++); ++ pci_write_config_word(dev, ltr + PCI_LTR_MAX_NOSNOOP_LAT, *cap++); ++} + + /** + * pci_save_state - save the PCI configuration space of a device before suspending +@@ -1291,6 
+1329,7 @@ int pci_save_state(struct pci_dev *dev) + if (i != 0) + return i; + ++ pci_save_ltr_state(dev); + pci_save_dpc_state(dev); + return pci_save_vc_state(dev); + } +@@ -1390,7 +1429,12 @@ void pci_restore_state(struct pci_dev *dev) + if (!dev->state_saved) + return; + +- /* PCI Express register must be restored first */ ++ /* ++ * Restore max latencies (in the LTR capability) before enabling ++ * LTR itself (in the PCIe capability). ++ */ ++ pci_restore_ltr_state(dev); ++ + pci_restore_pcie_state(dev); + pci_restore_pasid_state(dev); + pci_restore_pri_state(dev); +@@ -3020,6 +3064,11 @@ void pci_allocate_cap_save_buffers(struct pci_dev *dev) + if (error) + pci_err(dev, "unable to preallocate PCI-X save buffer\n"); + ++ error = pci_add_ext_cap_save_buffer(dev, PCI_EXT_CAP_ID_LTR, ++ 2 * sizeof(u16)); ++ if (error) ++ pci_err(dev, "unable to allocate suspend buffer for LTR\n"); ++ + pci_allocate_vc_save_buffers(dev); + } + +-- +2.19.1 + diff --git a/queue-5.0/pci-blacklist-power-management-of-gigabyte-x299-desi.patch b/queue-5.0/pci-blacklist-power-management-of-gigabyte-x299-desi.patch new file mode 100644 index 0000000000..c53241b9ec --- /dev/null +++ b/queue-5.0/pci-blacklist-power-management-of-gigabyte-x299-desi.patch 
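Review bot: The size `2 * sizeof(u16)` passed to pci_add_ext_cap_save_buffer() in pci_allocate_cap_save_buffers() has to match the two words that pci_save_ltr_state() stores through `cap++`, and nothing in the code ties the two together. A third register added to the save/restore pair later would write past the end of the buffer with no compile-time or run-time sign of it. I would put a comment above the allocation, `/* two u16s: PCI_LTR_MAX_SNOOP_LAT and PCI_LTR_MAX_NOSNOOP_LAT, see pci_save_ltr_state() */`, or name the count in one constant used by all three functions. pci_allocate_cap_save_buffers() begins outside the hunk.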
@@ -0,0 +1,93 @@ +From 8f35d0903b594e330c145bce23cf290024ce718c Mon Sep 17 00:00:00 2001 +From: Mika Westerberg +Date: Thu, 31 Jan 2019 19:38:56 +0300 +Subject: PCI: Blacklist power management of Gigabyte X299 DESIGNARE EX PCIe + ports + +[ Upstream commit 85b0cae89d5266e6a7abb2e83c6f716326fc494c ] + +Gigabyte X299 DESIGNARE EX motherboard has one PCIe root port that is +connected to an Alpine Ridge Thunderbolt controller. This port has slot +implemented bit set in the config space but other than that it is not +hotplug capable in the sense we are expecting in Linux (it has +dev->is_hotplug_bridge set to 0): + + 00:1c.4 PCI bridge: Intel Corporation 200 Series PCH PCI Express Root Port #5 + Bus: primary=00, secondary=05, subordinate=46, sec-latency=0 + Memory behind bridge: 78000000-8fffffff [size=384M] + Prefetchable memory behind bridge: 00003800f8000000-00003800ffffffff [size=128M] + ... + Capabilities: [40] Express (v2) Root Port (Slot+), MSI 00 + ... + SltCap: AttnBtn- PwrCtrl- MRL- AttnInd- PwrInd- HotPlug- Surprise- + Slot #8, PowerLimit 25.000W; Interlock- NoCompl+ + SltCtl: Enable: AttnBtn- PwrFlt- MRL- PresDet- CmdCplt- HPIrq- LinkChg- + Control: AttnInd Unknown, PwrInd Unknown, Power- Interlock- + SltSta: Status: AttnBtn- PowerFlt- MRL- CmdCplt- PresDet- Interlock- + Changed: MRL- PresDet+ LinkState+ + +This system is using ACPI based hotplug to notify the OS that it needs to +rescan the PCI bus (ACPI hotplug). + +If there is nothing connected in any of the Thunderbolt ports the root port +will not have any runtime PM active children and is thus automatically +runtime suspended pretty soon after boot by PCI PM core. Now, when a +device is connected the BIOS SMI handler responsible for enumerating newly +added devices is not able to find anything because the port is in D3. + +Prevent this from happening by blacklisting PCI power management of this +particular Gigabyte system. 
+ +Link: https://bugzilla.kernel.org/show_bug.cgi?id=202031 +Reported-by: Kedar A Dongre +Signed-off-by: Mika Westerberg +Signed-off-by: Bjorn Helgaas +Reviewed-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/pci/pci.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c +index c25acace7d91..5a94a3cf61cd 100644 +--- a/drivers/pci/pci.c ++++ b/drivers/pci/pci.c +@@ -2501,6 +2501,25 @@ void pci_config_pm_runtime_put(struct pci_dev *pdev) + pm_runtime_put_sync(parent); + } + ++static const struct dmi_system_id bridge_d3_blacklist[] = { ++#ifdef CONFIG_X86 ++ { ++ /* ++ * Gigabyte X299 root port is not marked as hotplug capable ++ * which allows Linux to power manage it. However, this ++ * confuses the BIOS SMI handler so don't power manage root ++ * ports on that system. ++ */ ++ .ident = "X299 DESIGNARE EX-CF", ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "Gigabyte Technology Co., Ltd."), ++ DMI_MATCH(DMI_BOARD_NAME, "X299 DESIGNARE EX-CF"), ++ }, ++ }, ++#endif ++ { } ++}; ++ + /** + * pci_bridge_d3_possible - Is it possible to put the bridge into D3 + * @bridge: Bridge to check +@@ -2546,6 +2565,9 @@ bool pci_bridge_d3_possible(struct pci_dev *bridge) + if (bridge->is_hotplug_bridge) + return false; + ++ if (dmi_check_system(bridge_d3_blacklist)) ++ return false; ++ + /* + * It should be safe to put PCIe ports from 2015 or newer + * to D3. +-- +2.19.1 + diff --git a/queue-5.0/perf-build-id-fix-memory-leak-in-print_sdt_events.patch b/queue-5.0/perf-build-id-fix-memory-leak-in-print_sdt_events.patch new file mode 100644 index 0000000000..512955ec6d --- /dev/null +++ b/queue-5.0/perf-build-id-fix-memory-leak-in-print_sdt_events.patch 
@@ -0,0 +1,65 @@ +From 31cbc2c2ab99018e4da12ea1bad184fad0ead8db Mon Sep 17 00:00:00 2001 +From: Changbin Du +Date: Sat, 16 Mar 2019 16:05:46 +0800 +Subject: perf build-id: Fix memory leak in print_sdt_events() + +[ Upstream commit 8bde8516893da5a5fdf06121f74d11b52ab92df5 ] + +Detected with gcc's ASan: + + Direct leak of 4356 byte(s) in 120 object(s) allocated from: + #0 0x7ff1a2b5a070 in __interceptor_strdup (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x3b070) + #1 0x55719aef4814 in build_id_cache__origname util/build-id.c:215 + #2 0x55719af649b6 in print_sdt_events util/parse-events.c:2339 + #3 0x55719af66272 in print_events util/parse-events.c:2542 + #4 0x55719ad1ecaa in cmd_list /home/changbin/work/linux/tools/perf/builtin-list.c:58 + #5 0x55719aec745d in run_builtin /home/changbin/work/linux/tools/perf/perf.c:302 + #6 0x55719aec7d1a in handle_internal_command /home/changbin/work/linux/tools/perf/perf.c:354 + #7 0x55719aec8184 in run_argv /home/changbin/work/linux/tools/perf/perf.c:398 + #8 0x55719aeca41a in main /home/changbin/work/linux/tools/perf/perf.c:520 + #9 0x7ff1a07ae09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a) + +Signed-off-by: Changbin Du +Reviewed-by: Jiri Olsa +Cc: Alexei Starovoitov +Cc: Daniel Borkmann +Cc: Masami Hiramatsu +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Steven Rostedt (VMware) +Fixes: 40218daea1db ("perf list: Show SDT and pre-cached events") +Link: http://lkml.kernel.org/r/20190316080556.3075-7-changbin.du@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/build-id.c | 1 + + tools/perf/util/parse-events.c | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/tools/perf/util/build-id.c b/tools/perf/util/build-id.c +index 04b1d53e4bf9..1d352621bd48 100644 +--- a/tools/perf/util/build-id.c ++++ b/tools/perf/util/build-id.c +@@ -183,6 +183,7 @@ char *build_id_cache__linkname(const char *sbuild_id, char *bf, size_t size) + return bf; + } + ++/* The caller is 
responsible to free the returned buffer. */ + char *build_id_cache__origname(const char *sbuild_id) + { + char *linkname; +diff --git a/tools/perf/util/parse-events.c b/tools/perf/util/parse-events.c +index 9afd0d2beef5..03860313313c 100644 +--- a/tools/perf/util/parse-events.c ++++ b/tools/perf/util/parse-events.c +@@ -2342,6 +2342,7 @@ void print_sdt_events(const char *subsys_glob, const char *event_glob, + printf(" %-50s [%s]\n", buf, "SDT event"); + free(buf); + } ++ free(path); + } else + printf(" %-50s [%s]\n", nd->s, "SDT event"); + if (nd2) { +-- +2.19.1 + diff --git a/queue-5.0/perf-config-fix-a-memory-leak-in-collect_config.patch b/queue-5.0/perf-config-fix-a-memory-leak-in-collect_config.patch new file mode 100644 index 0000000000..c29032d12d --- /dev/null +++ b/queue-5.0/perf-config-fix-a-memory-leak-in-collect_config.patch 
@@ -0,0 +1,58 @@ +From 8f66c21c284348b5b00c11b90b06f09489b887d5 Mon Sep 17 00:00:00 2001 +From: Changbin Du +Date: Sat, 16 Mar 2019 16:05:45 +0800 +Subject: perf config: Fix a memory leak in collect_config() + +[ Upstream commit 54569ba4b06d5baedae4614bde33a25a191473ba ] + +Detected with gcc's ASan: + + Direct leak of 66 byte(s) in 5 object(s) allocated from: + #0 0x7ff3b1f32070 in __interceptor_strdup (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x3b070) + #1 0x560c8761034d in collect_config util/config.c:597 + #2 0x560c8760d9cb in get_value util/config.c:169 + #3 0x560c8760dfd7 in perf_parse_file util/config.c:285 + #4 0x560c8760e0d2 in perf_config_from_file util/config.c:476 + #5 0x560c876108fd in perf_config_set__init util/config.c:661 + #6 0x560c87610c72 in perf_config_set__new util/config.c:709 + #7 0x560c87610d2f in perf_config__init util/config.c:718 + #8 0x560c87610e5d in perf_config util/config.c:730 + #9 0x560c875ddea0 in main /home/changbin/work/linux/tools/perf/perf.c:442 + #10 0x7ff3afb8609a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a) + +Signed-off-by: Changbin Du +Reviewed-by: Jiri Olsa +Cc: Alexei Starovoitov +Cc: Daniel Borkmann +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Steven Rostedt (VMware) +Cc: Taeung Song +Fixes: 20105ca1240c ("perf config: Introduce perf_config_set class") +Link: http://lkml.kernel.org/r/20190316080556.3075-6-changbin.du@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/config.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/tools/perf/util/config.c b/tools/perf/util/config.c +index 1ea8f898f1a1..9ecdbd5986b3 100644 +--- a/tools/perf/util/config.c ++++ b/tools/perf/util/config.c +@@ -632,11 +632,10 @@ static int collect_config(const char *var, const char *value, + } + + ret = set_value(item, value); +- return ret; + + out_free: + free(key); +- return -1; ++ return ret; + } + + int perf_config_set__collect(struct perf_config_set *set, 
const char *file_name, +-- +2.19.1 + diff --git a/queue-5.0/perf-config-fix-an-error-in-the-config-template-docu.patch b/queue-5.0/perf-config-fix-an-error-in-the-config-template-docu.patch new file mode 100644 index 0000000000..be1494ba33 --- /dev/null +++ b/queue-5.0/perf-config-fix-an-error-in-the-config-template-docu.patch @@ -0,0 +1,41 @@ +From 1d3e11ef6f1cfb22806b413090dc38469858391c Mon Sep 17 00:00:00 2001 +From: Changbin Du +Date: Sat, 16 Mar 2019 16:05:44 +0800 +Subject: perf config: Fix an error in the config template documentation + +[ Upstream commit 9b40dff7ba3caaf0d1919f98e136fa3400bd34aa ] + +The option 'sort-order' should be 'sort_order'. + +Signed-off-by: Changbin Du +Reviewed-by: Jiri Olsa +Cc: Alexei Starovoitov +Cc: Daniel Borkmann +Cc: Milian Wolff +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Steven Rostedt (VMware) +Fixes: 893c5c798be9 ("perf config: Show default report configuration in example and docs") +Link: http://lkml.kernel.org/r/20190316080556.3075-5-changbin.du@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/Documentation/perf-config.txt | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/Documentation/perf-config.txt b/tools/perf/Documentation/perf-config.txt +index 4ac7775fbc11..4851285ba00c 100644 +--- a/tools/perf/Documentation/perf-config.txt ++++ b/tools/perf/Documentation/perf-config.txt +@@ -114,7 +114,7 @@ Given a $HOME/.perfconfig like this: + + [report] + # Defaults +- sort-order = comm,dso,symbol ++ sort_order = comm,dso,symbol + percent-limit = 0 + queue-size = 0 + children = true +-- +2.19.1 + diff --git a/queue-5.0/perf-core-restore-mmap-record-type-correctly.patch b/queue-5.0/perf-core-restore-mmap-record-type-correctly.patch new file mode 100644 index 0000000000..6168e43098 --- /dev/null +++ b/queue-5.0/perf-core-restore-mmap-record-type-correctly.patch 
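Review bot: With `out_free:` now ending in `return ret;`, every earlier `goto out_free` in collect_config() returns whatever `ret` holds at that moment, so the error paths depend on `ret` being initialised to a failure value. The declaration is outside the hunk; if it is not already `int ret = -1;`, an early failure would return an indeterminate value. The label is now also the success exit, so a comment above it such as `/* key is freed on success and on failure */` would make that clear. Freeing `key` on success is safe only if set_value() and the lookups before it keep no pointer into `key`, which the hunk does not show.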
@@ -0,0 +1,61 @@ +From 4d7ab5b7b7fac02c3d8cdf85565ea01910710d48 Mon Sep 17 00:00:00 2001 +From: Stephane Eranian +Date: Thu, 7 Mar 2019 10:52:33 -0800 +Subject: perf/core: Restore mmap record type correctly + +[ Upstream commit d9c1bb2f6a2157b38e8eb63af437cb22701d31ee ] + +On mmap(), perf_events generates a RECORD_MMAP record and then checks +which events are interested in this record. There are currently 2 +versions of mmap records: RECORD_MMAP and RECORD_MMAP2. MMAP2 is larger. +The event configuration controls which version the user level tool +accepts. + +If the event->attr.mmap2=1 field then MMAP2 record is returned. The +perf_event_mmap_output() takes care of this. It checks attr->mmap2 and +corrects the record fields before putting it in the sampling buffer of +the event. At the end the function restores the modified MMAP record +fields. + +The problem is that the function restores the size but not the type. +Thus, if a subsequent event only accepts MMAP type, then it would +instead receive an MMAP2 record with a size of MMAP record. + +This patch fixes the problem by restoring the record type on exit. 
+ +Signed-off-by: Stephane Eranian +Acked-by: Peter Zijlstra (Intel) +Cc: Andi Kleen +Cc: Jiri Olsa +Cc: Kan Liang +Fixes: 13d7a2410fa6 ("perf: Add attr->mmap2 attribute to an event") +Link: http://lkml.kernel.org/r/20190307185233.225521-1-eranian@google.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + kernel/events/core.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index 26d6edab051a..2e2305a81047 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -7178,6 +7178,7 @@ static void perf_event_mmap_output(struct perf_event *event, + struct perf_output_handle handle; + struct perf_sample_data sample; + int size = mmap_event->event_id.header.size; ++ u32 type = mmap_event->event_id.header.type; + int ret; + + if (!perf_event_mmap_match(event, data)) +@@ -7221,6 +7222,7 @@ static void perf_event_mmap_output(struct perf_event *event, + perf_output_end(&handle); + out: + mmap_event->event_id.header.size = size; ++ mmap_event->event_id.header.type = type; + } + + static void perf_event_mmap_event(struct perf_mmap_event *mmap_event) +-- +2.19.1 + diff --git a/queue-5.0/perf-data-don-t-store-auxtrace-index-for-directory-d.patch b/queue-5.0/perf-data-don-t-store-auxtrace-index-for-directory-d.patch new file mode 100644 index 0000000000..d9a295534a --- /dev/null +++ b/queue-5.0/perf-data-don-t-store-auxtrace-index-for-directory-d.patch 
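Review bot: The `out:` label in perf_event_mmap_output() now restores two header fields by hand and nothing in the code says why; a comment before the two assignments such as `/* mmap_event is reused for the next event; undo the MMAP2 changes made above */` would keep a later field change from repeating the type-not-restored mistake this commit fixes. Saving and restoring the whole header, `struct perf_event_header hdr = mmap_event->event_id.header;` and `mmap_event->event_id.header = hdr;`, would cover any further header field modified on this path. The code between the two hunks is not shown, so which fields are modified there is taken from the commit message.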
@@ -0,0 +1,43 @@
+From 87892f50188c79b2118388e3dbf7255f09046548 Mon Sep 17 00:00:00 2001
+From: Jiri Olsa
+Date: Fri, 8 Mar 2019 14:47:36 +0100
+Subject: perf data: Don't store auxtrace index for directory data file
+
+[ Upstream commit cd3dd8dd8ff62374d90cb3f2e54b8c94106c7810 ]
+
+We can't store the auxtrace index when we store into multiple files,
+because we keep only offset for it, not the file.
+
+The auxtrace data will be processed correctly in the 'pipe' mode.
+
+Signed-off-by: Jiri Olsa
+Cc: Adrian Hunter
+Cc: Alexander Shishkin
+Cc: Alexey Budankov
+Cc: Andi Kleen
+Cc: Namhyung Kim
+Cc: Peter Zijlstra
+Cc: Stephane Eranian
+Link: http://lkml.kernel.org/r/20190308134745.5057-3-jolsa@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Sasha Levin
+---
+ tools/perf/builtin-record.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/builtin-record.c b/tools/perf/builtin-record.c
+index 882285fb9f64..3fd154f1701b 100644
+--- a/tools/perf/builtin-record.c
++++ b/tools/perf/builtin-record.c
+@@ -386,7 +386,7 @@ static int record__process_auxtrace(struct perf_tool *tool,
+ size_t padding;
+ u8 pad[8] = {0};
+
+- if (!perf_data__is_pipe(data)) {
++ if (!perf_data__is_pipe(data) && !perf_data__is_dir(data)) {
+ off_t file_offset;
+ int fd = perf_data__fd(data);
+ int err;
+--
+2.19.1
+
diff --git a/queue-5.0/perf-evsel-free-evsel-counts-in-perf_evsel__exit.patch b/queue-5.0/perf-evsel-free-evsel-counts-in-perf_evsel__exit.patch
new file mode 100644
index 0000000000..661b5f8efd
--- /dev/null
+++ b/queue-5.0/perf-evsel-free-evsel-counts-in-perf_evsel__exit.patch
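Review bot: The widened condition `!perf_data__is_pipe(data) && !perf_data__is_dir(data)` in record__process_auxtrace() carries no comment, and the reason for the directory case is only in the commit message. A line above it such as `/* Directory output: the index records only an offset, not which file, so skip it */` would keep the rule visible to the next reader. The function continues outside the hunk.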
@@ -0,0 +1,81 @@ +From 4dc6b5f9b92f31e5dc0f02547cff746200757477 Mon Sep 17 00:00:00 2001 +From: Arnaldo Carvalho de Melo +Date: Mon, 18 Mar 2019 16:41:28 -0300 +Subject: perf evsel: Free evsel->counts in perf_evsel__exit() + +[ Upstream commit 42dfa451d825a2ad15793c476f73e7bbc0f9d312 ] + +Using gcc's ASan, Changbin reports: + + ================================================================= + ==7494==ERROR: LeakSanitizer: detected memory leaks + + Direct leak of 48 byte(s) in 1 object(s) allocated from: + #0 0x7f0333a89138 in calloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xee138) + #1 0x5625e5330a5e in zalloc util/util.h:23 + #2 0x5625e5330a9b in perf_counts__new util/counts.c:10 + #3 0x5625e5330ca0 in perf_evsel__alloc_counts util/counts.c:47 + #4 0x5625e520d8e5 in __perf_evsel__read_on_cpu util/evsel.c:1505 + #5 0x5625e517a985 in perf_evsel__read_on_cpu /home/work/linux/tools/perf/util/evsel.h:347 + #6 0x5625e517ad1a in test__openat_syscall_event tests/openat-syscall.c:47 + #7 0x5625e51528e6 in run_test tests/builtin-test.c:358 + #8 0x5625e5152baf in test_and_print tests/builtin-test.c:388 + #9 0x5625e51543fe in __cmd_test tests/builtin-test.c:583 + #10 0x5625e515572f in cmd_test tests/builtin-test.c:722 + #11 0x5625e51c3fb8 in run_builtin /home/changbin/work/linux/tools/perf/perf.c:302 + #12 0x5625e51c44f7 in handle_internal_command /home/changbin/work/linux/tools/perf/perf.c:354 + #13 0x5625e51c48fb in run_argv /home/changbin/work/linux/tools/perf/perf.c:398 + #14 0x5625e51c5069 in main /home/changbin/work/linux/tools/perf/perf.c:520 + #15 0x7f033214d09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a) + + Indirect leak of 72 byte(s) in 1 object(s) allocated from: + #0 0x7f0333a89138 in calloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xee138) + #1 0x5625e532560d in zalloc util/util.h:23 + #2 0x5625e532566b in xyarray__new util/xyarray.c:10 + #3 0x5625e5330aba in perf_counts__new util/counts.c:15 + #4 0x5625e5330ca0 in perf_evsel__alloc_counts 
util/counts.c:47 + #5 0x5625e520d8e5 in __perf_evsel__read_on_cpu util/evsel.c:1505 + #6 0x5625e517a985 in perf_evsel__read_on_cpu /home/work/linux/tools/perf/util/evsel.h:347 + #7 0x5625e517ad1a in test__openat_syscall_event tests/openat-syscall.c:47 + #8 0x5625e51528e6 in run_test tests/builtin-test.c:358 + #9 0x5625e5152baf in test_and_print tests/builtin-test.c:388 + #10 0x5625e51543fe in __cmd_test tests/builtin-test.c:583 + #11 0x5625e515572f in cmd_test tests/builtin-test.c:722 + #12 0x5625e51c3fb8 in run_builtin /home/changbin/work/linux/tools/perf/perf.c:302 + #13 0x5625e51c44f7 in handle_internal_command /home/changbin/work/linux/tools/perf/perf.c:354 + #14 0x5625e51c48fb in run_argv /home/changbin/work/linux/tools/perf/perf.c:398 + #15 0x5625e51c5069 in main /home/changbin/work/linux/tools/perf/perf.c:520 + #16 0x7f033214d09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a) + +His patch took care of evsel->prev_raw_counts, but the above backtraces +are about evsel->counts, so fix that instead. + +Reported-by: Changbin Du +Cc: Alexei Starovoitov +Cc: Daniel Borkmann +Cc: Jiri Olsa +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Steven Rostedt (VMware) +Link: https://lkml.kernel.org/n/tip-hd1x13g59f0nuhe4anxhsmfp@git.kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/evsel.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c +index 142e1ca94992..50c933044f88 100644 +--- a/tools/perf/util/evsel.c ++++ b/tools/perf/util/evsel.c +@@ -1289,6 +1289,7 @@ void perf_evsel__exit(struct perf_evsel *evsel) + { + assert(list_empty(&evsel->node)); + assert(evsel->evlist == NULL); ++ perf_evsel__free_counts(evsel); + perf_evsel__free_fd(evsel); + perf_evsel__free_id(evsel); + perf_evsel__free_config_terms(evsel); +-- +2.19.1 + 
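Review bot: `perf_evsel__free_counts(evsel)` is now called unconditionally in perf_evsel__exit(), so any caller that has already released the counts itself reaches the free a second time. That is safe only if perf_evsel__free_counts() clears `evsel->counts` after freeing it; its body is not in this hunk, so this should be confirmed for the 5.0 tree, since otherwise the fix trades a leak for a double free. A short comment on the call, `/* no-op if the counts were already freed */`, would record the assumption.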
diff --git a/queue-5.0/perf-hist-add-missing-map__put-in-error-case.patch b/queue-5.0/perf-hist-add-missing-map__put-in-error-case.patch
new file mode 100644
index 0000000000..4b634a2528
--- /dev/null
+++ b/queue-5.0/perf-hist-add-missing-map__put-in-error-case.patch
@@ -0,0 +1,47 @@
+From 5528bd1a72e976198b0ad608b9435aad013d0894 Mon Sep 17 00:00:00 2001
+From: Changbin Du
+Date: Sat, 16 Mar 2019 16:05:49 +0800
+Subject: perf hist: Add missing map__put() in error case
+
+[ Upstream commit cb6186aeffda4d27e56066c79e9579e7831541d3 ]
+
+We need to map__put() before returning from failure of
+sample__resolve_callchain().
+
+Detected with gcc's ASan.
+
+Signed-off-by: Changbin Du
+Reviewed-by: Jiri Olsa
+Cc: Alexei Starovoitov
+Cc: Daniel Borkmann
+Cc: Krister Johansen
+Cc: Namhyung Kim
+Cc: Peter Zijlstra
+Cc: Steven Rostedt (VMware)
+Fixes: 9c68ae98c6f7 ("perf callchain: Reference count maps")
+Link: http://lkml.kernel.org/r/20190316080556.3075-10-changbin.du@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Sasha Levin
+---
+ tools/perf/util/hist.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/hist.c b/tools/perf/util/hist.c
+index 8aad8330e392..e416e76f5600 100644
+--- a/tools/perf/util/hist.c
++++ b/tools/perf/util/hist.c
+@@ -1048,8 +1048,10 @@ int hist_entry_iter__add(struct hist_entry_iter *iter, struct addr_location *al,
+
+ err = sample__resolve_callchain(iter->sample, &callchain_cursor, &iter->parent,
+ iter->evsel, al, max_stack_depth);
+- if (err)
++ if (err) {
++ map__put(alm);
+ return err;
++ }
+
+ err = iter->ops->prepare_entry(iter, al);
+ if (err)
+--
+2.19.1
+
diff --git a/queue-5.0/perf-list-don-t-forget-to-drop-the-reference-to-the-.patch b/queue-5.0/perf-list-don-t-forget-to-drop-the-reference-to-the-.patch
new file mode 100644
index 0000000000..fe980a7848
--- /dev/null
+++ b/queue-5.0/perf-list-don-t-forget-to-drop-the-reference-to-the-.patch
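Review bot: The added `map__put(alm)` covers only the sample__resolve_callchain() failure; the next error check, after `iter->ops->prepare_entry(iter, al)`, is cut off by the end of the hunk, so it is not visible whether that exit and the later ones drop the reference too. If they share a cleanup label, a comment on this early return saying why it cannot use that label would help; if they do not, each of them needs the same put. hist_entry_iter__add() starts and ends outside the hunk.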
@@ -0,0 +1,54 @@ +From eb8f17f9c2b3c916323b8c6f56153690aed4fb27 Mon Sep 17 00:00:00 2001 +From: Changbin Du +Date: Sat, 16 Mar 2019 16:05:42 +0800 +Subject: perf list: Don't forget to drop the reference to the allocated + thread_map + +[ Upstream commit 39df730b09774bd860e39ea208a48d15078236cb ] + +Detected via gcc's ASan: + + Direct leak of 2048 byte(s) in 64 object(s) allocated from: + 6 #0 0x7f606512e370 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xee370) + 7 #1 0x556b0f1d7ddd in thread_map__realloc util/thread_map.c:43 + 8 #2 0x556b0f1d84c7 in thread_map__new_by_tid util/thread_map.c:85 + 9 #3 0x556b0f0e045e in is_event_supported util/parse-events.c:2250 + 10 #4 0x556b0f0e1aa1 in print_hwcache_events util/parse-events.c:2382 + 11 #5 0x556b0f0e3231 in print_events util/parse-events.c:2514 + 12 #6 0x556b0ee0a66e in cmd_list /home/changbin/work/linux/tools/perf/builtin-list.c:58 + 13 #7 0x556b0f01e0ae in run_builtin /home/changbin/work/linux/tools/perf/perf.c:302 + 14 #8 0x556b0f01e859 in handle_internal_command /home/changbin/work/linux/tools/perf/perf.c:354 + 15 #9 0x556b0f01edc8 in run_argv /home/changbin/work/linux/tools/perf/perf.c:398 + 16 #10 0x556b0f01f71f in main /home/changbin/work/linux/tools/perf/perf.c:520 + 17 #11 0x7f6062ccf09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a) + +Signed-off-by: Changbin Du +Reviewed-by: Jiri Olsa +Cc: Alexei Starovoitov +Cc: Daniel Borkmann +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Steven Rostedt (VMware) +Fixes: 89896051f8da ("perf tools: Do not put a variable sized type not at the end of a struct") +Link: http://lkml.kernel.org/r/20190316080556.3075-3-changbin.du@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/parse-events.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/perf/util/parse-events.c b/tools/perf/util/parse-events.c +index 920e1e6551dd..9afd0d2beef5 100644 +--- a/tools/perf/util/parse-events.c ++++ 
b/tools/perf/util/parse-events.c +@@ -2271,6 +2271,7 @@ static bool is_event_supported(u8 type, unsigned config) + perf_evsel__delete(evsel); + } + ++ thread_map__put(tmap); + return ret; + } + +-- +2.19.1 + diff --git a/queue-5.0/perf-map-remove-map-from-names-tree-in-__maps__remov.patch b/queue-5.0/perf-map-remove-map-from-names-tree-in-__maps__remov.patch new file mode 100644 index 0000000000..e64a59769e --- /dev/null +++ b/queue-5.0/perf-map-remove-map-from-names-tree-in-__maps__remov.patch @@ -0,0 +1,45 @@ +From 66e96c25d02945347952a61abe52a15b0e9a626b Mon Sep 17 00:00:00 2001 +From: Changbin Du +Date: Sat, 16 Mar 2019 16:05:50 +0800 +Subject: perf map: Remove map from 'names' tree in __maps__remove() + +[ Upstream commit b49265e04410b97b31a5ee66ef6782c1b2d6cd2c ] + +There are two trees for each map inserted by maps__insert(), so remove +it from the 'names' tree in __maps__remove(). + +Detected with gcc's ASan. + +Signed-off-by: Changbin Du +Reviewed-by: Jiri Olsa +Cc: Alexei Starovoitov +Cc: Daniel Borkmann +Cc: Eric Saint-Etienne +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Steven Rostedt (VMware) +Fixes: 1e6285699b30 ("perf symbols: Fix slowness due to -ffunction-section") +Link: http://lkml.kernel.org/r/20190316080556.3075-11-changbin.du@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/map.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/tools/perf/util/map.c b/tools/perf/util/map.c +index 6751301a755c..750ecc3dad50 100644 +--- a/tools/perf/util/map.c ++++ b/tools/perf/util/map.c +@@ -911,6 +911,9 @@ static void __maps__remove(struct maps *maps, struct map *map) + { + rb_erase_init(&map->rb_node, &maps->entries); + map__put(map); ++ ++ rb_erase_init(&map->rb_node_name, &maps->names); ++ map__put(map); + } + + void maps__remove(struct maps *maps, struct map *map) +-- +2.19.1 + 
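Review bot: __maps__remove() now erases from `maps->names` and drops a second reference unconditionally, which is correct only if every map in `entries` was also linked into `names` with its own reference. The commit message says maps__insert() does that, but a map added by any path that links only `rb_node` would get an unbalanced `map__put()` here, and the second `rb_erase_init()` would run on a node that is not in the tree. The first `map__put(map)` also comes before `map->rb_node_name` is read; erasing from both trees first and doing the two puts afterwards avoids touching `map` after a put. A comment stating the invariant, e.g. `/* each tree holds its own reference, taken in maps__insert() */`, would make the double put readable.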
diff --git a/queue-5.0/perf-maps-purge-all-maps-from-the-names-tree.patch b/queue-5.0/perf-maps-purge-all-maps-from-the-names-tree.patch
new file mode 100644
index 0000000000..c567b1af7b
--- /dev/null
+++ b/queue-5.0/perf-maps-purge-all-maps-from-the-names-tree.patch
@@ -0,0 +1,61 @@
+From 6edd1f7725d23709f1084580eb7feeb96cad5160 Mon Sep 17 00:00:00 2001
+From: Changbin Du
+Date: Sat, 16 Mar 2019 16:05:51 +0800
+Subject: perf maps: Purge all maps from the 'names' tree
+
+[ Upstream commit da3a53a7390a89391bd63bead0c2e9af4c5ef3d6 ]
+
+Add function __maps__purge_names() to purge all maps from the names
+tree. We need to cleanup the names tree in maps__exit().
+
+Detected with gcc's ASan.
+
+Signed-off-by: Changbin Du
+Reviewed-by: Jiri Olsa
+Cc: Alexei Starovoitov
+Cc: Daniel Borkmann
+Cc: Eric Saint-Etienne
+Cc: Namhyung Kim
+Cc: Peter Zijlstra
+Cc: Steven Rostedt (VMware)
+Fixes: 1e6285699b30 ("perf symbols: Fix slowness due to -ffunction-section")
+Link: http://lkml.kernel.org/r/20190316080556.3075-12-changbin.du@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Sasha Levin
+---
+ tools/perf/util/map.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/tools/perf/util/map.c b/tools/perf/util/map.c
+index 750ecc3dad50..2b37f56f0549 100644
+--- a/tools/perf/util/map.c
++++ b/tools/perf/util/map.c
+@@ -571,10 +571,25 @@ static void __maps__purge(struct maps *maps)
+ }
+ }
+
++static void __maps__purge_names(struct maps *maps)
++{
++ struct rb_root *root = &maps->names;
++ struct rb_node *next = rb_first(root);
++
++ while (next) {
++ struct map *pos = rb_entry(next, struct map, rb_node_name);
++
++ next = rb_next(&pos->rb_node_name);
++ rb_erase_init(&pos->rb_node_name, root);
++ map__put(pos);
++ }
++}
++
+ static void maps__exit(struct maps *maps)
+ {
+ down_write(&maps->lock);
+ __maps__purge(maps);
++ __maps__purge_names(maps);
+ up_write(&maps->lock);
+ }
+
+--
+2.19.1
+
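Review bot: __maps__purge_names() walks and modifies `maps->names` without taking `maps->lock` itself and has no comment about locking; the only caller shown, maps__exit(), holds the write lock around it. A one-line comment above the function, `/* Caller must hold maps->lock for writing. */`, would make that requirement explicit. The loop fetches `rb_next()` before `map__put(pos)`, which matters if the put releases the last reference; a short why-comment on that line, `/* advance first: the put below may free pos */`, would keep the order from being changed later.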
diff --git a/queue-5.0/perf-stat-fix-no-scale.patch b/queue-5.0/perf-stat-fix-no-scale.patch
new file mode 100644
index 0000000000..88d8879197
--- /dev/null
+++ b/queue-5.0/perf-stat-fix-no-scale.patch
@@ -0,0 +1,134 @@ +From 71b7c86e0ea89c02d2de3ea69f43de92d7735206 Mon Sep 17 00:00:00 2001 +From: Andi Kleen +Date: Thu, 14 Mar 2019 15:50:01 -0700 +Subject: perf stat: Fix --no-scale + +[ Upstream commit 75998bb263bf48c1c85d78cd2d2f3a97d3747cab ] + +The -c option to enable multiplex scaling has been useless for quite +some time because scaling is default. + +It's only useful as --no-scale to disable scaling. But the non scaling +code path has bitrotted and doesn't print anything because perf output +code relies on value run/ena information. + +Also even when we don't want to scale a value it's still useful to show +its multiplex percentage. + +This patch: + - Fixes help and documentation to show --no-scale instead of -c + - Removes -c, only keeps the long option because -c doesn't support negatives. + - Enables running/enabled even with --no-scale + - And fixes some other problems in the no-scale output. + +Before: + + $ perf stat --no-scale -e cycles true + + Performance counter stats for 'true': + + cycles + + 0.000984154 seconds time elapsed + +After: + + $ ./perf stat --no-scale -e cycles true + + Performance counter stats for 'true': + + 706,070 cycles + + 0.001219821 seconds time elapsed + +Signed-off-by: Andi Kleen +Acked-by: Jiri Olsa +Tested-by: Arnaldo Carvalho de Melo +LPU-Reference: 20190314225002.30108-9-andi@firstfloor.org +Link: https://lkml.kernel.org/n/tip-xggjvwcdaj2aqy8ib3i4b1g6@git.kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/Documentation/perf-stat.txt | 5 ++--- + tools/perf/builtin-stat.c | 3 ++- + tools/perf/util/evsel.c | 3 +-- + tools/perf/util/stat.c | 12 ++++-------- + 4 files changed, 9 insertions(+), 14 deletions(-) + +diff --git a/tools/perf/Documentation/perf-stat.txt b/tools/perf/Documentation/perf-stat.txt +index 4bc2085e5197..39c05f89104e 100644 +--- a/tools/perf/Documentation/perf-stat.txt ++++ b/tools/perf/Documentation/perf-stat.txt +@@ -72,9 +72,8 @@ report:: + --all-cpus:: + 
system-wide collection from all CPUs (default if no target is specified) + +--c:: +---scale:: +- scale/normalize counter values ++--no-scale:: ++ Don't scale/normalize counter values + + -d:: + --detailed:: +diff --git a/tools/perf/builtin-stat.c b/tools/perf/builtin-stat.c +index 63a3afc7f32b..a52295dbad2b 100644 +--- a/tools/perf/builtin-stat.c ++++ b/tools/perf/builtin-stat.c +@@ -728,7 +728,8 @@ static struct option stat_options[] = { + "system-wide collection from all CPUs"), + OPT_BOOLEAN('g', "group", &group, + "put the counters into a counter group"), +- OPT_BOOLEAN('c', "scale", &stat_config.scale, "scale/normalize counters"), ++ OPT_BOOLEAN(0, "scale", &stat_config.scale, ++ "Use --no-scale to disable counter scaling for multiplexing"), + OPT_INCR('v', "verbose", &verbose, + "be more verbose (show counter open errors, etc)"), + OPT_INTEGER('r', "repeat", &stat_config.run_count, +diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c +index dbc0466db368..142e1ca94992 100644 +--- a/tools/perf/util/evsel.c ++++ b/tools/perf/util/evsel.c +@@ -1341,8 +1341,7 @@ void perf_counts_values__scale(struct perf_counts_values *count, + scaled = 1; + count->val = (u64)((double) count->val * count->ena / count->run + 0.5); + } +- } else +- count->ena = count->run = 0; ++ } + + if (pscaled) + *pscaled = scaled; +diff --git a/tools/perf/util/stat.c b/tools/perf/util/stat.c +index 4d40515307b8..2856cc9d5a31 100644 +--- a/tools/perf/util/stat.c ++++ b/tools/perf/util/stat.c +@@ -291,10 +291,8 @@ process_counter_values(struct perf_stat_config *config, struct perf_evsel *evsel + break; + case AGGR_GLOBAL: + aggr->val += count->val; +- if (config->scale) { +- aggr->ena += count->ena; +- aggr->run += count->run; +- } ++ aggr->ena += count->ena; ++ aggr->run += count->run; + case AGGR_UNSET: + default: + break; +@@ -442,10 +440,8 @@ int create_perf_stat_counter(struct perf_evsel *evsel, + struct perf_event_attr *attr = &evsel->attr; + struct perf_evsel *leader = 
evsel->leader; + +- if (config->scale) { +- attr->read_format = PERF_FORMAT_TOTAL_TIME_ENABLED | +- PERF_FORMAT_TOTAL_TIME_RUNNING; +- } ++ attr->read_format = PERF_FORMAT_TOTAL_TIME_ENABLED | ++ PERF_FORMAT_TOTAL_TIME_RUNNING; + + /* + * The event is part of non trivial group, let's enable +-- +2.19.1 + diff --git a/queue-5.0/perf-tests-fix-a-memory-leak-in-test__perf_evsel__tp.patch b/queue-5.0/perf-tests-fix-a-memory-leak-in-test__perf_evsel__tp.patch new file mode 100644 index 0000000000..080782a004 --- /dev/null +++ b/queue-5.0/perf-tests-fix-a-memory-leak-in-test__perf_evsel__tp.patch 
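Review bot: In process_counter_values() the `AGGR_GLOBAL` case ends without a `break`, and with the `if (config->scale)` braces gone the two accumulation lines run straight into `case AGGR_UNSET:` with nothing marking the fall-through as intended. Adding `break;` after `aggr->run += count->run;`, or a `/* fall through */` comment, would keep a case inserted between them later from silently inheriting the global aggregation. The switch starts outside the hunk. Separately, the builtin-stat.c hunk drops the `-c` short option, so existing scripts that pass it will stop working on a stable update.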
@@ -0,0 +1,59 @@ +From d65728eda9c6d5597e66ffbf25b746d96be0d9e5 Mon Sep 17 00:00:00 2001 +From: Changbin Du +Date: Sat, 16 Mar 2019 16:05:56 +0800 +Subject: perf tests: Fix a memory leak in test__perf_evsel__tp_sched_test() + +[ Upstream commit d982b33133284fa7efa0e52ae06b88f9be3ea764 ] + + ================================================================= + ==20875==ERROR: LeakSanitizer: detected memory leaks + + Direct leak of 1160 byte(s) in 1 object(s) allocated from: + #0 0x7f1b6fc84138 in calloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xee138) + #1 0x55bd50005599 in zalloc util/util.h:23 + #2 0x55bd500068f5 in perf_evsel__newtp_idx util/evsel.c:327 + #3 0x55bd4ff810fc in perf_evsel__newtp /home/work/linux/tools/perf/util/evsel.h:216 + #4 0x55bd4ff81608 in test__perf_evsel__tp_sched_test tests/evsel-tp-sched.c:69 + #5 0x55bd4ff528e6 in run_test tests/builtin-test.c:358 + #6 0x55bd4ff52baf in test_and_print tests/builtin-test.c:388 + #7 0x55bd4ff543fe in __cmd_test tests/builtin-test.c:583 + #8 0x55bd4ff5572f in cmd_test tests/builtin-test.c:722 + #9 0x55bd4ffc4087 in run_builtin /home/changbin/work/linux/tools/perf/perf.c:302 + #10 0x55bd4ffc45c6 in handle_internal_command /home/changbin/work/linux/tools/perf/perf.c:354 + #11 0x55bd4ffc49ca in run_argv /home/changbin/work/linux/tools/perf/perf.c:398 + #12 0x55bd4ffc5138 in main /home/changbin/work/linux/tools/perf/perf.c:520 + #13 0x7f1b6e34809a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a) + + Indirect leak of 19 byte(s) in 1 object(s) allocated from: + #0 0x7f1b6fc83f30 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xedf30) + #1 0x7f1b6e3ac30f in vasprintf (/lib/x86_64-linux-gnu/libc.so.6+0x8830f) + +Signed-off-by: Changbin Du +Reviewed-by: Jiri Olsa +Cc: Alexei Starovoitov +Cc: Daniel Borkmann +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Steven Rostedt (VMware) +Fixes: 6a6cd11d4e57 ("perf test: Add test for the sched tracepoint format fields") +Link: 
http://lkml.kernel.org/r/20190316080556.3075-17-changbin.du@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/tests/evsel-tp-sched.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/perf/tests/evsel-tp-sched.c b/tools/perf/tests/evsel-tp-sched.c +index ea7acf403727..71f60c0f9faa 100644 +--- a/tools/perf/tests/evsel-tp-sched.c ++++ b/tools/perf/tests/evsel-tp-sched.c +@@ -85,5 +85,6 @@ int test__perf_evsel__tp_sched_test(struct test *test __maybe_unused, int subtes + if (perf_evsel__test_field(evsel, "target_cpu", 4, true)) + ret = -1; + ++ perf_evsel__delete(evsel); + return ret; + } +-- +2.19.1 + diff --git a/queue-5.0/perf-tests-fix-a-memory-leak-of-cpu_map-object-in-th.patch b/queue-5.0/perf-tests-fix-a-memory-leak-of-cpu_map-object-in-th.patch new file mode 100644 index 0000000000..fa09f31587 --- /dev/null +++ b/queue-5.0/perf-tests-fix-a-memory-leak-of-cpu_map-object-in-th.patch 
@@ -0,0 +1,68 @@ +From 7368e9cc71232608c2f4b0a5f45936ff82308789 Mon Sep 17 00:00:00 2001 +From: Changbin Du +Date: Sat, 16 Mar 2019 16:05:54 +0800 +Subject: perf tests: Fix a memory leak of cpu_map object in the + openat_syscall_event_on_all_cpus test + +[ Upstream commit 93faa52e8371f0291ee1ff4994edae2b336b6233 ] + + ================================================================= + ==7497==ERROR: LeakSanitizer: detected memory leaks + + Direct leak of 40 byte(s) in 1 object(s) allocated from: + #0 0x7f0333a88f30 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xedf30) + #1 0x5625e5326213 in cpu_map__trim_new util/cpumap.c:45 + #2 0x5625e5326703 in cpu_map__read util/cpumap.c:103 + #3 0x5625e53267ef in cpu_map__read_all_cpu_map util/cpumap.c:120 + #4 0x5625e5326915 in cpu_map__new util/cpumap.c:135 + #5 0x5625e517b355 in test__openat_syscall_event_on_all_cpus tests/openat-syscall-all-cpus.c:36 + #6 0x5625e51528e6 in run_test tests/builtin-test.c:358 + #7 0x5625e5152baf in test_and_print tests/builtin-test.c:388 + #8 0x5625e51543fe in __cmd_test tests/builtin-test.c:583 + #9 0x5625e515572f in cmd_test tests/builtin-test.c:722 + #10 0x5625e51c3fb8 in run_builtin /home/changbin/work/linux/tools/perf/perf.c:302 + #11 0x5625e51c44f7 in handle_internal_command /home/changbin/work/linux/tools/perf/perf.c:354 + #12 0x5625e51c48fb in run_argv /home/changbin/work/linux/tools/perf/perf.c:398 + #13 0x5625e51c5069 in main /home/changbin/work/linux/tools/perf/perf.c:520 + #14 0x7f033214d09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a) + +Signed-off-by: Changbin Du +Reviewed-by: Jiri Olsa +Cc: Alexei Starovoitov +Cc: Daniel Borkmann +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Steven Rostedt (VMware) +Fixes: f30a79b012e5 ("perf tools: Add reference counting for cpu_map object") +Link: http://lkml.kernel.org/r/20190316080556.3075-15-changbin.du@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + 
tools/perf/tests/openat-syscall-all-cpus.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/tests/openat-syscall-all-cpus.c b/tools/perf/tests/openat-syscall-all-cpus.c +index c531e6deb104..493ecb611540 100644 +--- a/tools/perf/tests/openat-syscall-all-cpus.c ++++ b/tools/perf/tests/openat-syscall-all-cpus.c +@@ -45,7 +45,7 @@ int test__openat_syscall_event_on_all_cpus(struct test *test __maybe_unused, int + if (IS_ERR(evsel)) { + tracing_path__strerror_open_tp(errno, errbuf, sizeof(errbuf), "syscalls", "sys_enter_openat"); + pr_debug("%s\n", errbuf); +- goto out_thread_map_delete; ++ goto out_cpu_map_delete; + } + + if (perf_evsel__open(evsel, cpus, threads) < 0) { +@@ -119,6 +119,8 @@ int test__openat_syscall_event_on_all_cpus(struct test *test __maybe_unused, int + perf_evsel__close_fd(evsel); + out_evsel_delete: + perf_evsel__delete(evsel); ++out_cpu_map_delete: ++ cpu_map__put(cpus); + out_thread_map_delete: + thread_map__put(threads); + return err; +-- +2.19.1 + diff --git a/queue-5.0/perf-tests-fix-memory-leak-by-expr__find_other-in-te.patch b/queue-5.0/perf-tests-fix-memory-leak-by-expr__find_other-in-te.patch new file mode 100644 index 0000000000..f751cb2b36 --- /dev/null +++ b/queue-5.0/perf-tests-fix-memory-leak-by-expr__find_other-in-te.patch 
@@ -0,0 +1,66 @@ +From 46cfb5dec970f28a83254000e30509a89161ec6a Mon Sep 17 00:00:00 2001 +From: Changbin Du +Date: Sat, 16 Mar 2019 16:05:55 +0800 +Subject: perf tests: Fix memory leak by expr__find_other() in test__expr() + +[ Upstream commit f97a8991d3b998e518f56794d879f645964de649 ] + + ================================================================= + ==7506==ERROR: LeakSanitizer: detected memory leaks + + Direct leak of 13 byte(s) in 3 object(s) allocated from: + #0 0x7f03339d6070 in __interceptor_strdup (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x3b070) + #1 0x5625e53aaef0 in expr__find_other util/expr.y:221 + #2 0x5625e51bcd3f in test__expr tests/expr.c:52 + #3 0x5625e51528e6 in run_test tests/builtin-test.c:358 + #4 0x5625e5152baf in test_and_print tests/builtin-test.c:388 + #5 0x5625e51543fe in __cmd_test tests/builtin-test.c:583 + #6 0x5625e515572f in cmd_test tests/builtin-test.c:722 + #7 0x5625e51c3fb8 in run_builtin /home/changbin/work/linux/tools/perf/perf.c:302 + #8 0x5625e51c44f7 in handle_internal_command /home/changbin/work/linux/tools/perf/perf.c:354 + #9 0x5625e51c48fb in run_argv /home/changbin/work/linux/tools/perf/perf.c:398 + #10 0x5625e51c5069 in main /home/changbin/work/linux/tools/perf/perf.c:520 + #11 0x7f033214d09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a) + +Signed-off-by: Changbin Du +Cc: Alexei Starovoitov +Cc: Andi Kleen +Cc: Daniel Borkmann +Cc: Jiri Olsa +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Steven Rostedt (VMware) +Fixes: 075167363f8b ("perf tools: Add a simple expression parser for JSON") +Link: http://lkml.kernel.org/r/20190316080556.3075-16-changbin.du@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/tests/expr.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/tests/expr.c b/tools/perf/tests/expr.c +index 01f0706995a9..9acc1e80b936 100644 +--- a/tools/perf/tests/expr.c ++++ b/tools/perf/tests/expr.c +@@ -19,7 +19,7 @@ 
int test__expr(struct test *t __maybe_unused, int subtest __maybe_unused) + const char *p; + const char **other; + double val; +- int ret; ++ int i, ret; + struct parse_ctx ctx; + int num_other; + +@@ -56,6 +56,9 @@ int test__expr(struct test *t __maybe_unused, int subtest __maybe_unused) + TEST_ASSERT_VAL("find other", !strcmp(other[1], "BAZ")); + TEST_ASSERT_VAL("find other", !strcmp(other[2], "BOZO")); + TEST_ASSERT_VAL("find other", other[3] == NULL); ++ ++ for (i = 0; i < num_other; i++) ++ free((void *)other[i]); + free((void *)other); + + return 0; +-- +2.19.1 + diff --git a/queue-5.0/perf-tools-fix-errors-under-optimization-level-og.patch b/queue-5.0/perf-tools-fix-errors-under-optimization-level-og.patch new file mode 100644 index 0000000000..f0d275be4e --- /dev/null +++ b/queue-5.0/perf-tools-fix-errors-under-optimization-level-og.patch 
@@ -0,0 +1,93 @@ +From 1673419bfacac4a45c81d3adaa4b231713882e49 Mon Sep 17 00:00:00 2001 +From: Changbin Du +Date: Sat, 16 Mar 2019 16:05:43 +0800 +Subject: perf tools: Fix errors under optimization level '-Og' +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 11c1ea6f1a9bc97bf857fd12f72eacb6c69794e2 ] + +Optimization level '-Og' offers a reasonable level of optimization while +maintaining fast compilation and a good debugging experience. This patch +tries to make it work. + + $ make DEBUG=1 EXTRA_CFLAGS='-Og' + bench/epoll-ctl.c: In function ‘do_threads’: + bench/epoll-ctl.c:274:9: error: ‘ret’ may be used uninitialized in this function [-Werror=maybe-uninitialized] + return ret; + ^~~ + ... + +Signed-off-by: Changbin Du +Reviewed-by: Jiri Olsa +Cc: Alexei Starovoitov +Cc: Daniel Borkmann +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Steven Rostedt (VMware) +Link: http://lkml.kernel.org/r/20190316080556.3075-4-changbin.du@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/libbpf.c | 2 +- + tools/perf/bench/epoll-ctl.c | 2 +- + tools/perf/bench/epoll-wait.c | 2 +- + tools/perf/tests/backward-ring-buffer.c | 2 +- + 4 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c +index 169e347c76f6..9ba1a2e1ed7a 100644 +--- a/tools/lib/bpf/libbpf.c ++++ b/tools/lib/bpf/libbpf.c +@@ -627,7 +627,7 @@ bpf_object__init_maps(struct bpf_object *obj, int flags) + bool strict = !(flags & MAPS_RELAX_COMPAT); + int i, map_idx, map_def_sz, nr_maps = 0; + Elf_Scn *scn; +- Elf_Data *data; ++ Elf_Data *data = NULL; + Elf_Data *symbols = obj->efile.symbols; + + if (obj->efile.maps_shndx < 0) +diff --git a/tools/perf/bench/epoll-ctl.c b/tools/perf/bench/epoll-ctl.c +index 0c0a6e824934..2af067859966 100644 +--- a/tools/perf/bench/epoll-ctl.c ++++ b/tools/perf/bench/epoll-ctl.c +@@ -224,7 +224,7 @@ static int do_threads(struct 
worker *worker, struct cpu_map *cpu) + pthread_attr_t thread_attr, *attrp = NULL; + cpu_set_t cpuset; + unsigned int i, j; +- int ret; ++ int ret = 0; + + if (!noaffinity) + pthread_attr_init(&thread_attr); +diff --git a/tools/perf/bench/epoll-wait.c b/tools/perf/bench/epoll-wait.c +index 5a11534e96a0..fe85448abd45 100644 +--- a/tools/perf/bench/epoll-wait.c ++++ b/tools/perf/bench/epoll-wait.c +@@ -293,7 +293,7 @@ static int do_threads(struct worker *worker, struct cpu_map *cpu) + pthread_attr_t thread_attr, *attrp = NULL; + cpu_set_t cpuset; + unsigned int i, j; +- int ret, events = EPOLLIN; ++ int ret = 0, events = EPOLLIN; + + if (oneshot) + events |= EPOLLONESHOT; +diff --git a/tools/perf/tests/backward-ring-buffer.c b/tools/perf/tests/backward-ring-buffer.c +index 6d598cc071ae..1a9c3becf5ff 100644 +--- a/tools/perf/tests/backward-ring-buffer.c ++++ b/tools/perf/tests/backward-ring-buffer.c +@@ -18,7 +18,7 @@ static void testcase(void) + int i; + + for (i = 0; i < NR_ITERS; i++) { +- char proc_name[10]; ++ char proc_name[15]; + + snprintf(proc_name, sizeof(proc_name), "p:%d\n", i); + prctl(PR_SET_NAME, proc_name); +-- +2.19.1 + diff --git a/queue-5.0/perf-top-delete-the-evlist-before-perf_session-fixin.patch b/queue-5.0/perf-top-delete-the-evlist-before-perf_session-fixin.patch new file mode 100644 index 0000000000..fe0e833392 --- /dev/null +++ b/queue-5.0/perf-top-delete-the-evlist-before-perf_session-fixin.patch 
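Review bot: The new size in `char proc_name[15];` (testcase() in tools/perf/tests/backward-ring-buffer.c) is an unexplained literal that is exactly the worst case for `"p:%d\n"` with a 32-bit int: 2 + 11 + 1 bytes plus the NUL. A comment such as `/* "p:" + up to 11 chars for an int + "\n" + NUL */` would keep a later edit of the format string from silently reintroducing truncation. The `ret = 0` and `data = NULL` initialisers in the other hunks only silence the warning; the rest of do_threads() and bpf_object__init_maps() is outside the hunks, so it is worth confirming that no path now returns or dereferences the placeholder value.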
@@ -0,0 +1,212 @@ +From ade81011a8f00f467f324afe868f7585f71893ef Mon Sep 17 00:00:00 2001 +From: Changbin Du +Date: Sat, 16 Mar 2019 16:05:47 +0800 +Subject: perf top: Delete the evlist before perf_session, fixing + heap-use-after-free issue + +[ Upstream commit 0dba9e4be95b59e77060645ca8e37ca3231061f5 ] + +The evlist should be destroyed before the perf session. + +Detected with gcc's ASan: + + ================================================================= + ==27350==ERROR: AddressSanitizer: heap-use-after-free on address 0x62b000002e38 at pc 0x5611da276999 bp 0x7ffce8f1d1a0 sp 0x7ffce8f1d190 + WRITE of size 8 at 0x62b000002e38 thread T0 + #0 0x5611da276998 in __list_del /home/work/linux/tools/include/linux/list.h:89 + #1 0x5611da276d4a in __list_del_entry /home/work/linux/tools/include/linux/list.h:102 + #2 0x5611da276e77 in list_del_init /home/work/linux/tools/include/linux/list.h:145 + #3 0x5611da2781cd in thread__put util/thread.c:130 + #4 0x5611da2cc0a8 in __thread__zput util/thread.h:68 + #5 0x5611da2d2dcb in hist_entry__delete util/hist.c:1148 + #6 0x5611da2cdf91 in hists__delete_entry util/hist.c:337 + #7 0x5611da2ce19e in hists__delete_entries util/hist.c:365 + #8 0x5611da2db2ab in hists__delete_all_entries util/hist.c:2639 + #9 0x5611da2db325 in hists_evsel__exit util/hist.c:2651 + #10 0x5611da1c5352 in perf_evsel__exit util/evsel.c:1304 + #11 0x5611da1c5390 in perf_evsel__delete util/evsel.c:1309 + #12 0x5611da1b35f0 in perf_evlist__purge util/evlist.c:124 + #13 0x5611da1b38e2 in perf_evlist__delete util/evlist.c:148 + #14 0x5611da069781 in cmd_top /home/changbin/work/linux/tools/perf/builtin-top.c:1645 + #15 0x5611da17d038 in run_builtin /home/changbin/work/linux/tools/perf/perf.c:302 + #16 0x5611da17d577 in handle_internal_command /home/changbin/work/linux/tools/perf/perf.c:354 + #17 0x5611da17d97b in run_argv /home/changbin/work/linux/tools/perf/perf.c:398 + #18 0x5611da17e0e9 in main /home/changbin/work/linux/tools/perf/perf.c:520 + #19 
0x7fdcc970f09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a) + #20 0x5611d9ff35c9 in _start (/home/work/linux/tools/perf/perf+0x3e95c9) + + 0x62b000002e38 is located 11320 bytes inside of 27448-byte region [0x62b000000200,0x62b000006d38) + freed by thread T0 here: + #0 0x7fdccb04ab70 in free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xedb70) + #1 0x5611da260df4 in perf_session__delete util/session.c:201 + #2 0x5611da063de5 in __cmd_top /home/changbin/work/linux/tools/perf/builtin-top.c:1300 + #3 0x5611da06973c in cmd_top /home/changbin/work/linux/tools/perf/builtin-top.c:1642 + #4 0x5611da17d038 in run_builtin /home/changbin/work/linux/tools/perf/perf.c:302 + #5 0x5611da17d577 in handle_internal_command /home/changbin/work/linux/tools/perf/perf.c:354 + #6 0x5611da17d97b in run_argv /home/changbin/work/linux/tools/perf/perf.c:398 + #7 0x5611da17e0e9 in main /home/changbin/work/linux/tools/perf/perf.c:520 + #8 0x7fdcc970f09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a) + + previously allocated by thread T0 here: + #0 0x7fdccb04b138 in calloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xee138) + #1 0x5611da26010c in zalloc util/util.h:23 + #2 0x5611da260824 in perf_session__new util/session.c:118 + #3 0x5611da0633a6 in __cmd_top /home/changbin/work/linux/tools/perf/builtin-top.c:1192 + #4 0x5611da06973c in cmd_top /home/changbin/work/linux/tools/perf/builtin-top.c:1642 + #5 0x5611da17d038 in run_builtin /home/changbin/work/linux/tools/perf/perf.c:302 + #6 0x5611da17d577 in handle_internal_command /home/changbin/work/linux/tools/perf/perf.c:354 + #7 0x5611da17d97b in run_argv /home/changbin/work/linux/tools/perf/perf.c:398 + #8 0x5611da17e0e9 in main /home/changbin/work/linux/tools/perf/perf.c:520 + #9 0x7fdcc970f09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a) + + SUMMARY: AddressSanitizer: heap-use-after-free /home/work/linux/tools/include/linux/list.h:89 in __list_del + Shadow bytes around the buggy address: + 
0x0c567fff8570: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd + 0x0c567fff8580: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd + 0x0c567fff8590: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd + 0x0c567fff85a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd + 0x0c567fff85b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd + =>0x0c567fff85c0: fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd + 0x0c567fff85d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd + 0x0c567fff85e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd + 0x0c567fff85f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd + 0x0c567fff8600: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd + 0x0c567fff8610: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd + Shadow byte legend (one shadow byte represents 8 application bytes): + Addressable: 00 + Partially addressable: 01 02 03 04 05 06 07 + Heap left redzone: fa + Freed heap region: fd + Stack left redzone: f1 + Stack mid redzone: f2 + Stack right redzone: f3 + Stack after return: f5 + Stack use after scope: f8 + Global redzone: f9 + Global init order: f6 + Poisoned by user: f7 + Container overflow: fc + Array cookie: ac + Intra object redzone: bb + ASan internal: fe + Left alloca redzone: ca + Right alloca redzone: cb + ==27350==ABORTING + +Signed-off-by: Changbin Du +Reviewed-by: Jiri Olsa +Cc: Alexei Starovoitov +Cc: Daniel Borkmann +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Steven Rostedt (VMware) +Link: http://lkml.kernel.org/r/20190316080556.3075-8-changbin.du@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-top.c | 42 ++++++++++++++++++---------------------- + 1 file changed, 19 insertions(+), 23 deletions(-) + +diff --git a/tools/perf/builtin-top.c b/tools/perf/builtin-top.c +index f64e312db787..9b215007924b 100644 +--- a/tools/perf/builtin-top.c ++++ b/tools/perf/builtin-top.c +@@ -1192,23 +1192,19 @@ static int __cmd_top(struct perf_top *top) + pthread_t thread, thread_process; + int ret; + 
+- top->session = perf_session__new(NULL, false, NULL); +- if (top->session == NULL) +- return -1; +- + if (!top->annotation_opts.objdump_path) { + ret = perf_env__lookup_objdump(&top->session->header.env, + &top->annotation_opts.objdump_path); + if (ret) +- goto out_delete; ++ return ret; + } + + ret = callchain_param__setup_sample_type(&callchain_param); + if (ret) +- goto out_delete; ++ return ret; + + if (perf_session__register_idle_thread(top->session) < 0) +- goto out_delete; ++ return ret; + + if (top->nr_threads_synthesize > 1) + perf_set_multithreaded(); +@@ -1224,13 +1220,18 @@ static int __cmd_top(struct perf_top *top) + + if (perf_hpp_list.socket) { + ret = perf_env__read_cpu_topology_map(&perf_env); +- if (ret < 0) +- goto out_err_cpu_topo; ++ if (ret < 0) { ++ char errbuf[BUFSIZ]; ++ const char *err = str_error_r(-ret, errbuf, sizeof(errbuf)); ++ ++ ui__error("Could not read the CPU topology map: %s\n", err); ++ return ret; ++ } + } + + ret = perf_top__start_counters(top); + if (ret) +- goto out_delete; ++ return ret; + + ret = perf_evlist__apply_drv_configs(evlist, &pos, &err_term); + if (ret) { +@@ -1257,7 +1258,7 @@ static int __cmd_top(struct perf_top *top) + ret = -1; + if (pthread_create(&thread_process, NULL, process_thread, top)) { + ui__error("Could not create process thread.\n"); +- goto out_delete; ++ return ret; + } + + if (pthread_create(&thread, NULL, (use_browser > 0 ? 
display_thread_tui : +@@ -1301,19 +1302,7 @@ static int __cmd_top(struct perf_top *top) + out_join_thread: + pthread_cond_signal(&top->qe.cond); + pthread_join(thread_process, NULL); +-out_delete: +- perf_session__delete(top->session); +- top->session = NULL; +- + return ret; +- +-out_err_cpu_topo: { +- char errbuf[BUFSIZ]; +- const char *err = str_error_r(-ret, errbuf, sizeof(errbuf)); +- +- ui__error("Could not read the CPU topology map: %s\n", err); +- goto out_delete; +-} + } + + static int +@@ -1644,10 +1633,17 @@ int cmd_top(int argc, const char **argv) + signal(SIGWINCH, winch_sig); + } + ++ top.session = perf_session__new(NULL, false, NULL); ++ if (top.session == NULL) { ++ status = -1; ++ goto out_delete_evlist; ++ } ++ + status = __cmd_top(&top); + + out_delete_evlist: + perf_evlist__delete(top.evlist); ++ perf_session__delete(top.session); + + return status; + } +-- +2.19.1 + diff --git a/queue-5.0/perf-top-fix-error-handling-in-cmd_top.patch b/queue-5.0/perf-top-fix-error-handling-in-cmd_top.patch new file mode 100644 index 0000000000..f797a74852 --- /dev/null +++ b/queue-5.0/perf-top-fix-error-handling-in-cmd_top.patch 
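Review bot: In the rewritten `__cmd_top()`, the branch `if (perf_session__register_idle_thread(top->session) < 0) return ret;` returns the `ret` left by the successful `callchain_param__setup_sample_type()` call just above it, i.e. 0, so a failed setup is reported to cmd_top() as success; `return -1;` on that branch would fix it. Separately, the cmd_top() hunk makes `out_delete_evlist:` call `perf_session__delete(top.session)` on paths where the session was never created or `perf_session__new()` returned NULL. perf_session__delete() is not shown here, so either confirm it accepts NULL or guard the call with `if (top.session)`. Both function bodies extend beyond the hunks.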
@@ -0,0 +1,43 @@ +From 1ac7c2e4055e6e62affca080c86b46b01f30dc6e Mon Sep 17 00:00:00 2001 +From: Changbin Du +Date: Sat, 16 Mar 2019 16:05:48 +0800 +Subject: perf top: Fix error handling in cmd_top() + +[ Upstream commit 70c819e4bf1c5f492768b399d898d458ccdad2b6 ] + +We should go to the cleanup path, to avoid leaks, detected using gcc's +ASan. + +Signed-off-by: Changbin Du +Reviewed-by: Jiri Olsa +Cc: Alexei Starovoitov +Cc: Daniel Borkmann +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Steven Rostedt (VMware) +Link: http://lkml.kernel.org/r/20190316080556.3075-9-changbin.du@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-top.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/tools/perf/builtin-top.c b/tools/perf/builtin-top.c +index 9b215007924b..369a3daca1eb 100644 +--- a/tools/perf/builtin-top.c ++++ b/tools/perf/builtin-top.c +@@ -1622,8 +1622,9 @@ int cmd_top(int argc, const char **argv) + annotation_config__init(); + + symbol_conf.try_vmlinux_path = (symbol_conf.vmlinux_name == NULL); +- if (symbol__init(NULL) < 0) +- return -1; ++ status = symbol__init(NULL); ++ if (status < 0) ++ goto out_delete_evlist; + + sort__setup_elide(stdout); + +-- +2.19.1 + diff --git a/queue-5.0/perf-top-fix-global-buffer-overflow-issue.patch b/queue-5.0/perf-top-fix-global-buffer-overflow-issue.patch new file mode 100644 index 0000000000..b8fbf5f79b --- /dev/null +++ b/queue-5.0/perf-top-fix-global-buffer-overflow-issue.patch 
@@ -0,0 +1,95 @@ +From 5c3a41ba706e56a9e37fb4566db2d049739b67f1 Mon Sep 17 00:00:00 2001 +From: Changbin Du +Date: Sat, 16 Mar 2019 16:05:52 +0800 +Subject: perf top: Fix global-buffer-overflow issue + +[ Upstream commit 1e5b0cf8672e622257df024074e6e09bfbcb7750 ] + +The array str[] should have six elements. + + ================================================================= + ==4322==ERROR: AddressSanitizer: global-buffer-overflow on address 0x56463844e300 at pc 0x564637e7ad0d bp 0x7f30c8c89d10 sp 0x7f30c8c89d00 + READ of size 8 at 0x56463844e300 thread T9 + #0 0x564637e7ad0c in __ordered_events__flush util/ordered-events.c:316 + #1 0x564637e7b0e4 in ordered_events__flush util/ordered-events.c:338 + #2 0x564637c6a57d in process_thread /home/changbin/work/linux/tools/perf/builtin-top.c:1073 + #3 0x7f30d173a163 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8163) + #4 0x7f30cfffbdee in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11adee) + + 0x56463844e300 is located 32 bytes to the left of global variable 'flags' defined in 'util/trace-event-parse.c:229:26' (0x56463844e320) of size 192 + 0x56463844e300 is located 0 bytes to the right of global variable 'str' defined in 'util/ordered-events.c:268:28' (0x56463844e2e0) of size 32 + SUMMARY: AddressSanitizer: global-buffer-overflow util/ordered-events.c:316 in __ordered_events__flush + Shadow bytes around the buggy address: + 0x0ac947081c10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0ac947081c20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0ac947081c30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0ac947081c40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0ac947081c50: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00 + =>0x0ac947081c60:[f9]f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0ac947081c70: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 + 0x0ac947081c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0ac947081c90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 
0x0ac947081ca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0ac947081cb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + Shadow byte legend (one shadow byte represents 8 application bytes): + Addressable: 00 + Partially addressable: 01 02 03 04 05 06 07 + Heap left redzone: fa + Freed heap region: fd + Stack left redzone: f1 + Stack mid redzone: f2 + Stack right redzone: f3 + Stack after return: f5 + Stack use after scope: f8 + Global redzone: f9 + Global init order: f6 + Poisoned by user: f7 + Container overflow: fc + Array cookie: ac + Intra object redzone: bb + ASan internal: fe + Left alloca redzone: ca + Right alloca redzone: cb + Thread T9 created by T0 here: + #0 0x7f30d179de5f in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x4ae5f) + #1 0x564637c6b954 in __cmd_top /home/changbin/work/linux/tools/perf/builtin-top.c:1253 + #2 0x564637c7173c in cmd_top /home/changbin/work/linux/tools/perf/builtin-top.c:1642 + #3 0x564637d85038 in run_builtin /home/changbin/work/linux/tools/perf/perf.c:302 + #4 0x564637d85577 in handle_internal_command /home/changbin/work/linux/tools/perf/perf.c:354 + #5 0x564637d8597b in run_argv /home/changbin/work/linux/tools/perf/perf.c:398 + #6 0x564637d860e9 in main /home/changbin/work/linux/tools/perf/perf.c:520 + #7 0x7f30cff0509a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a) + +Signed-off-by: Changbin Du +Reviewed-by: Jiri Olsa +Cc: Alexei Starovoitov +Cc: Daniel Borkmann +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Steven Rostedt (VMware) +Cc: Jiri Olsa +Fixes: 16c66bc167cc ("perf top: Add processing thread") +Fixes: 68ca5d07de20 ("perf ordered_events: Add ordered_events__flush_time interface") +Link: http://lkml.kernel.org/r/20190316080556.3075-13-changbin.du@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/ordered-events.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tools/perf/util/ordered-events.c 
b/tools/perf/util/ordered-events.c +index ea523d3b248f..989fed6f43b5 100644 +--- a/tools/perf/util/ordered-events.c ++++ b/tools/perf/util/ordered-events.c +@@ -270,6 +270,8 @@ static int __ordered_events__flush(struct ordered_events *oe, enum oe_flush how, + "FINAL", + "ROUND", + "HALF ", ++ "TOP ", ++ "TIME ", + }; + int err; + bool show_progress = false; +-- +2.19.1 + diff --git a/queue-5.0/platform-x86-intel_pmc_core-quirk-to-ignore-xtal-shu.patch b/queue-5.0/platform-x86-intel_pmc_core-quirk-to-ignore-xtal-shu.patch new file mode 100644 index 0000000000..3de5d4b7c8 --- /dev/null +++ b/queue-5.0/platform-x86-intel_pmc_core-quirk-to-ignore-xtal-shu.patch 
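Review bot: Appending `"TOP "` and `"TIME "` fixes the out-of-bounds read in the quoted ASan report, but `str[]` in `__ordered_events__flush()` remains a positional table that has to be kept in step with `enum oe_flush` by hand, which is how the table fell behind the enum in the first place. The lookup at util/ordered-events.c:316 is outside the hunk; assuming it indexes `str` with `how`, designated initialisers keyed by the enum constants would tie each string to its value. A range check at the use site, such as `how < ARRAY_SIZE(str) ? str[how] : "?"`, would turn the next missed entry into a visible placeholder instead of a read past a global.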
@@ -0,0 +1,129 @@ +From 40e8d0416d296cb2f87dc425e35128b96f47d5b2 Mon Sep 17 00:00:00 2001 +From: Rajneesh Bhardwaj +Date: Thu, 14 Feb 2019 17:27:12 +0530 +Subject: platform/x86: intel_pmc_core: Quirk to ignore XTAL shutdown + +[ Upstream commit 238f9c11351f8af8534ae0318b4d9acc77b09ee8 ] + +On some platforms such as HP Elite-x2-1013-g3, the platform BIOS +enforces XTAL to remain off before S0ix state can be achieved. This may +not be optimum when we want to enable use cases like Low Power Audio, +Wake on Voice etc which always need 24mhz clock. + +This introduces a new quirk to allow S0ix entry when all other +conditions except for XTAL clock are good on a given platform. The extra +power consumed by XTAL clock is about 2mw but it saves much more +platform power compared to the system that remains in just PC10. + +Link: https://bit.ly/2UmnrFf +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=201579 +Tested-by: "David E. Box" +Reported-and-tested-by: russianneuromancer +Signed-off-by: Rajneesh Bhardwaj +Signed-off-by: Andy Shevchenko +Signed-off-by: Darren Hart (VMware) +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/intel_pmc_core.c | 34 +++++++++++++++++++++++++++ + drivers/platform/x86/intel_pmc_core.h | 5 ++++ + 2 files changed, 39 insertions(+) + +diff --git a/drivers/platform/x86/intel_pmc_core.c b/drivers/platform/x86/intel_pmc_core.c +index c37e74ee609d..a9cbe5be277b 100644 +--- a/drivers/platform/x86/intel_pmc_core.c ++++ b/drivers/platform/x86/intel_pmc_core.c +@@ -15,6 +15,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -139,6 +140,7 @@ static const struct pmc_reg_map spt_reg_map = { + .pm_cfg_offset = SPT_PMC_PM_CFG_OFFSET, + .pm_read_disable_bit = SPT_PMC_READ_DISABLE_BIT, + .ltr_ignore_max = SPT_NUM_IP_IGN_ALLOWED, ++ .pm_vric1_offset = SPT_PMC_VRIC1_OFFSET, + }; + + /* Cannonlake: PGD PFET Enable Ack Status Register(s) bitmap */ +@@ -751,6 +753,37 @@ static const struct pci_device_id pmc_pci_ids[] = { 
+ { 0, }, + }; + ++/* ++ * This quirk can be used on those platforms where ++ * the platform BIOS enforces 24Mhx Crystal to shutdown ++ * before PMC can assert SLP_S0#. ++ */ ++int quirk_xtal_ignore(const struct dmi_system_id *id) ++{ ++ struct pmc_dev *pmcdev = &pmc; ++ u32 value; ++ ++ value = pmc_core_reg_read(pmcdev, pmcdev->map->pm_vric1_offset); ++ /* 24MHz Crystal Shutdown Qualification Disable */ ++ value |= SPT_PMC_VRIC1_XTALSDQDIS; ++ /* Low Voltage Mode Enable */ ++ value &= ~SPT_PMC_VRIC1_SLPS0LVEN; ++ pmc_core_reg_write(pmcdev, pmcdev->map->pm_vric1_offset, value); ++ return 0; ++} ++ ++static const struct dmi_system_id pmc_core_dmi_table[] = { ++ { ++ .callback = quirk_xtal_ignore, ++ .ident = "HP Elite x2 1013 G3", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "HP"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "HP Elite x2 1013 G3"), ++ }, ++ }, ++ {} ++}; ++ + static int __init pmc_core_probe(void) + { + struct pmc_dev *pmcdev = &pmc; +@@ -792,6 +825,7 @@ static int __init pmc_core_probe(void) + return err; + } + ++ dmi_check_system(pmc_core_dmi_table); + pr_info(" initialized\n"); + return 0; + } +diff --git a/drivers/platform/x86/intel_pmc_core.h b/drivers/platform/x86/intel_pmc_core.h +index 1a0104d2cbf0..9bc16d7d2917 100644 +--- a/drivers/platform/x86/intel_pmc_core.h ++++ b/drivers/platform/x86/intel_pmc_core.h +@@ -25,6 +25,7 @@ + #define SPT_PMC_MTPMC_OFFSET 0x20 + #define SPT_PMC_MFPMC_OFFSET 0x38 + #define SPT_PMC_LTR_IGNORE_OFFSET 0x30C ++#define SPT_PMC_VRIC1_OFFSET 0x31c + #define SPT_PMC_MPHY_CORE_STS_0 0x1143 + #define SPT_PMC_MPHY_CORE_STS_1 0x1142 + #define SPT_PMC_MPHY_COM_STS_0 0x1155 +@@ -135,6 +136,9 @@ enum ppfear_regs { + #define SPT_PMC_BIT_MPHY_CMN_LANE2 BIT(2) + #define SPT_PMC_BIT_MPHY_CMN_LANE3 BIT(3) + ++#define SPT_PMC_VRIC1_SLPS0LVEN BIT(13) ++#define SPT_PMC_VRIC1_XTALSDQDIS BIT(22) ++ + /* Cannonlake Power Management Controller register offsets */ + #define CNP_PMC_SLPS0_DBG_OFFSET 0x10B4 + #define CNP_PMC_PM_CFG_OFFSET 0x1818 +@@ 
-217,6 +221,7 @@ struct pmc_reg_map { + const int pm_read_disable_bit; + const u32 slps0_dbg_offset; + const u32 ltr_ignore_max; ++ const u32 pm_vric1_offset; + }; + + /** +-- +2.19.1 + diff --git a/queue-5.0/pm-domains-avoid-a-potential-deadlock.patch b/queue-5.0/pm-domains-avoid-a-potential-deadlock.patch new file mode 100644 index 0000000000..f7bae77cd7 --- /dev/null +++ b/queue-5.0/pm-domains-avoid-a-potential-deadlock.patch 
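Review bot: `quirk_xtal_ignore()` reads and writes `pmcdev->map->pm_vric1_offset` unconditionally, but in the visible hunks only `spt_reg_map` is given a value for the new field, so with any other register map the offset would be the zero default and the read-modify-write would land on whatever register sits at offset 0. The single DMI entry presumably matches only a machine that uses the SPT map, but a guard such as `if (!pmcdev->map->pm_vric1_offset) return 0;` keeps later table entries safe. The function is referenced only from `pmc_core_dmi_table` in this file and should be `static`. The comment `/* Low Voltage Mode Enable */` sits above a line that clears `SPT_PMC_VRIC1_SLPS0LVEN`, and "24Mhx" in the block comment should read 24MHz.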
@@ -0,0 +1,104 @@ +From a2a825067376f6b2d33d00da6da702d4e9e8d002 Mon Sep 17 00:00:00 2001 +From: Jiada Wang +Date: Tue, 12 Mar 2019 15:51:28 +0900 +Subject: PM / Domains: Avoid a potential deadlock + +[ Upstream commit 2071ac985d37efe496782c34318dbead93beb02f ] + +Lockdep warns that prepare_lock and genpd->mlock can cause a deadlock +the deadlock scenario is like following: +First thread is probing cs2000 +cs2000_probe() + clk_register() + __clk_core_init() + clk_prepare_lock() ----> acquires prepare_lock + cs2000_recalc_rate() + i2c_smbus_read_byte_data() + rcar_i2c_master_xfer() + dma_request_chan() + rcar_dmac_of_xlate() + rcar_dmac_alloc_chan_resources() + pm_runtime_get_sync() + __pm_runtime_resume() + rpm_resume() + rpm_callback() + genpd_runtime_resume() ----> acquires genpd->mlock + +Second thread is attaching any device to the same PM domain +genpd_add_device() + genpd_lock() ----> acquires genpd->mlock + cpg_mssr_attach_dev() + of_clk_get_from_provider() + __of_clk_get_from_provider() + __clk_create_clk() + clk_prepare_lock() ----> acquires prepare_lock + +Since currently no PM provider access genpd's critical section +in .attach_dev, and .detach_dev callbacks, so there is no need to protect +these two callbacks with genpd->mlock. +This patch avoids a potential deadlock by moving out .attach_dev and .detach_dev +from genpd->mlock, so that genpd->mlock won't be held when prepare_lock is acquired +in .attach_dev and .detach_dev + +Signed-off-by: Jiada Wang +Reviewed-by: Ulf Hansson +Tested-by: Geert Uytterhoeven +Reviewed-by: Geert Uytterhoeven +Signed-off-by: Rafael J. 
Wysocki +Signed-off-by: Sasha Levin +--- + drivers/base/power/domain.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/drivers/base/power/domain.c b/drivers/base/power/domain.c +index 500de1dee967..a00ca6b8117b 100644 +--- a/drivers/base/power/domain.c ++++ b/drivers/base/power/domain.c +@@ -1467,12 +1467,12 @@ static int genpd_add_device(struct generic_pm_domain *genpd, struct device *dev, + if (IS_ERR(gpd_data)) + return PTR_ERR(gpd_data); + +- genpd_lock(genpd); +- + ret = genpd->attach_dev ? genpd->attach_dev(genpd, dev) : 0; + if (ret) + goto out; + ++ genpd_lock(genpd); ++ + dev_pm_domain_set(dev, &genpd->domain); + + genpd->device_count++; +@@ -1480,9 +1480,8 @@ static int genpd_add_device(struct generic_pm_domain *genpd, struct device *dev, + + list_add_tail(&gpd_data->base.list_node, &genpd->dev_list); + +- out: + genpd_unlock(genpd); +- ++ out: + if (ret) + genpd_free_dev_data(dev, gpd_data); + else +@@ -1531,15 +1530,15 @@ static int genpd_remove_device(struct generic_pm_domain *genpd, + genpd->device_count--; + genpd->max_off_time_changed = true; + +- if (genpd->detach_dev) +- genpd->detach_dev(genpd, dev); +- + dev_pm_domain_set(dev, NULL); + + list_del_init(&pdd->list_node); + + genpd_unlock(genpd); + ++ if (genpd->detach_dev) ++ genpd->detach_dev(genpd, dev); ++ + genpd_free_dev_data(dev, gpd_data); + + return 0; +-- +2.19.1 + diff --git a/queue-5.0/rdma-hns-fix-the-oops-during-rmmod-or-insmod-ko-when.patch b/queue-5.0/rdma-hns-fix-the-oops-during-rmmod-or-insmod-ko-when.patch new file mode 100644 index 0000000000..c83afab591 --- /dev/null +++ b/queue-5.0/rdma-hns-fix-the-oops-during-rmmod-or-insmod-ko-when.patch 
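Review bot: `genpd->attach_dev()` and `genpd->detach_dev()` are now invoked without `genpd->mlock` in genpd_add_device() and genpd_remove_device(), yet nothing in the code records that contract; only the commit message argues that no current provider relies on the lock. A comment at both call sites, for example `/* Called without genpd->mlock: the callback must not touch genpd state protected by it. */`, would stop a future provider from assuming serialisation. In genpd_remove_device() the callback now runs after the device is unlinked and the lock dropped, so it can overlap with a concurrent genpd_add_device() on the same domain; confirm the existing providers tolerate that. Both function bodies start outside the hunks.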
@@ -0,0 +1,316 @@ +From 984e9b959be25f9d5f0215e72a3ad22ea0168c38 Mon Sep 17 00:00:00 2001 +From: "Wei Hu (Xavier)" +Date: Sun, 3 Feb 2019 20:43:13 +0800 +Subject: RDMA/hns: Fix the Oops during rmmod or insmod ko when reset occurs + +[ Upstream commit d061effc36f7bd38a12912977a37a50ac9140d11 ] + +In the reset process, the hns3 NIC driver notifies the RoCE driver to +perform reset related processing by calling the .reset_notify() interface +registered by the RoCE driver in hip08 SoC. + +In the current version, if a reset occurs simultaneously during the +execution of rmmod or insmod ko, there may be Oops error as below: + + Internal error: Oops: 86000007 [#1] PREEMPT SMP + Modules linked in: hns_roce(O) hns3(O) hclge(O) hnae3(O) [last unloaded: hns_roce_hw_v2] + CPU: 0 PID: 14 Comm: kworker/0:1 Tainted: G O 4.19.0-ge00d540 #1 + Hardware name: Huawei Technologies Co., Ltd. + Workqueue: events hclge_reset_service_task [hclge] + pstate: 60c00009 (nZCv daif +PAN +UAO) + pc : 0xffff00000100b0b8 + lr : 0xffff00000100aea0 + sp : ffff000009afbab0 + x29: ffff000009afbab0 x28: 0000000000000800 + x27: 0000000000007ff0 x26: ffff80002f90c004 + x25: 00000000000007ff x24: ffff000008f97000 + x23: ffff80003efee0a8 x22: 0000000000001000 + x21: ffff80002f917ff0 x20: ffff8000286ea070 + x19: 0000000000000800 x18: 0000000000000400 + x17: 00000000c4d3225d x16: 00000000000021b8 + x15: 0000000000000400 x14: 0000000000000400 + x13: 0000000000000000 x12: ffff80003fac6e30 + x11: 0000800036303000 x10: 0000000000000001 + x9 : 0000000000000000 x8 : ffff80003016d000 + x7 : 0000000000000000 x6 : 000000000000003f + x5 : 0000000000000040 x4 : 0000000000000000 + x3 : 0000000000000004 x2 : 00000000000007ff + x1 : 0000000000000000 x0 : 0000000000000000 + Process kworker/0:1 (pid: 14, stack limit = 0x00000000af8f0ad9) + Call trace: + 0xffff00000100b0b8 + 0xffff00000100b3a0 + hns_roce_init+0x624/0xc88 [hns_roce] + 0xffff000001002df8 + 0xffff000001006960 + hclge_notify_roce_client+0x74/0xe0 [hclge] + 
hclge_reset_service_task+0xa58/0xbc0 [hclge] + process_one_work+0x1e4/0x458 + worker_thread+0x40/0x450 + kthread+0x12c/0x130 + ret_from_fork+0x10/0x18 + Code: bad PC value + +In the reset process, we will release the resources firstly, and after the +hardware reset is completed, we will reapply resources and reconfigure the +hardware. + +We can solve this problem by modifying both the NIC and the RoCE +driver. We can modify the concurrent processing in the NIC driver to avoid +calling the .reset_notify and .uninit_instance ops at the same time. And +we need to modify the RoCE driver to record the reset stage and the +driver's init/uninit state, and check the state in the .reset_notify, +.init_instance. and uninit_instance functions to avoid NULL pointer +operation. + +Fixes: cb7a94c9c808 ("RDMA/hns: Add reset process for RoCE in hip08") +Signed-off-by: Wei Hu (Xavier) +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_device.h | 21 ++++ + drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 103 +++++++++++++++++--- + drivers/infiniband/hw/hns/hns_roce_hw_v2.h | 1 + + 3 files changed, 112 insertions(+), 13 deletions(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_device.h b/drivers/infiniband/hw/hns/hns_roce_device.h +index 509e467843f6..f4cac63194d9 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_device.h ++++ b/drivers/infiniband/hw/hns/hns_roce_device.h +@@ -216,6 +216,26 @@ enum { + HNS_ROCE_DB_PER_PAGE = PAGE_SIZE / 4 + }; + ++enum hns_roce_reset_stage { ++ HNS_ROCE_STATE_NON_RST, ++ HNS_ROCE_STATE_RST_BEF_DOWN, ++ HNS_ROCE_STATE_RST_DOWN, ++ HNS_ROCE_STATE_RST_UNINIT, ++ HNS_ROCE_STATE_RST_INIT, ++ HNS_ROCE_STATE_RST_INITED, ++}; ++ ++enum hns_roce_instance_state { ++ HNS_ROCE_STATE_NON_INIT, ++ HNS_ROCE_STATE_INIT, ++ HNS_ROCE_STATE_INITED, ++ HNS_ROCE_STATE_UNINIT, ++}; ++ ++enum { ++ HNS_ROCE_RST_DIRECT_RETURN = 0, ++}; ++ + #define HNS_ROCE_CMD_SUCCESS 1 + + #define HNS_ROCE_PORT_DOWN 0 +@@ -898,6 +918,7 @@ 
struct hns_roce_dev { + spinlock_t bt_cmd_lock; + bool active; + bool is_reset; ++ unsigned long reset_cnt; + struct hns_roce_ib_iboe iboe; + + struct list_head pgdir_list; +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +index 543fa1504cd3..7ac06576d791 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +@@ -5800,6 +5800,7 @@ MODULE_DEVICE_TABLE(pci, hns_roce_hw_v2_pci_tbl); + static int hns_roce_hw_v2_get_cfg(struct hns_roce_dev *hr_dev, + struct hnae3_handle *handle) + { ++ struct hns_roce_v2_priv *priv = hr_dev->priv; + const struct pci_device_id *id; + int i; + +@@ -5830,10 +5831,13 @@ static int hns_roce_hw_v2_get_cfg(struct hns_roce_dev *hr_dev, + hr_dev->cmd_mod = 1; + hr_dev->loop_idc = 0; + ++ hr_dev->reset_cnt = handle->ae_algo->ops->ae_dev_reset_cnt(handle); ++ priv->handle = handle; ++ + return 0; + } + +-static int hns_roce_hw_v2_init_instance(struct hnae3_handle *handle) ++static int __hns_roce_hw_v2_init_instance(struct hnae3_handle *handle) + { + struct hns_roce_dev *hr_dev; + int ret; +@@ -5850,7 +5854,6 @@ static int hns_roce_hw_v2_init_instance(struct hnae3_handle *handle) + + hr_dev->pci_dev = handle->pdev; + hr_dev->dev = &handle->pdev->dev; +- handle->priv = hr_dev; + + ret = hns_roce_hw_v2_get_cfg(hr_dev, handle); + if (ret) { +@@ -5864,6 +5867,8 @@ static int hns_roce_hw_v2_init_instance(struct hnae3_handle *handle) + goto error_failed_get_cfg; + } + ++ handle->priv = hr_dev; ++ + return 0; + + error_failed_get_cfg: +@@ -5875,7 +5880,7 @@ static int hns_roce_hw_v2_init_instance(struct hnae3_handle *handle) + return ret; + } + +-static void hns_roce_hw_v2_uninit_instance(struct hnae3_handle *handle, ++static void __hns_roce_hw_v2_uninit_instance(struct hnae3_handle *handle, + bool reset) + { + struct hns_roce_dev *hr_dev = (struct hns_roce_dev *)handle->priv; +@@ -5883,24 +5888,78 @@ static void hns_roce_hw_v2_uninit_instance(struct 
hnae3_handle *handle, + if (!hr_dev) + return; + ++ handle->priv = NULL; + hns_roce_exit(hr_dev); + kfree(hr_dev->priv); + ib_dealloc_device(&hr_dev->ib_dev); + } + ++static int hns_roce_hw_v2_init_instance(struct hnae3_handle *handle) ++{ ++ const struct hnae3_ae_ops *ops = handle->ae_algo->ops; ++ struct device *dev = &handle->pdev->dev; ++ int ret; ++ ++ handle->rinfo.instance_state = HNS_ROCE_STATE_INIT; ++ ++ if (ops->ae_dev_resetting(handle) || ops->get_hw_reset_stat(handle)) { ++ handle->rinfo.instance_state = HNS_ROCE_STATE_NON_INIT; ++ goto reset_chk_err; ++ } ++ ++ ret = __hns_roce_hw_v2_init_instance(handle); ++ if (ret) { ++ handle->rinfo.instance_state = HNS_ROCE_STATE_NON_INIT; ++ dev_err(dev, "RoCE instance init failed! ret = %d\n", ret); ++ if (ops->ae_dev_resetting(handle) || ++ ops->get_hw_reset_stat(handle)) ++ goto reset_chk_err; ++ else ++ return ret; ++ } ++ ++ handle->rinfo.instance_state = HNS_ROCE_STATE_INITED; ++ ++ ++ return 0; ++ ++reset_chk_err: ++ dev_err(dev, "Device is busy in resetting state.\n" ++ "please retry later.\n"); ++ ++ return -EBUSY; ++} ++ ++static void hns_roce_hw_v2_uninit_instance(struct hnae3_handle *handle, ++ bool reset) ++{ ++ if (handle->rinfo.instance_state != HNS_ROCE_STATE_INITED) ++ return; ++ ++ handle->rinfo.instance_state = HNS_ROCE_STATE_UNINIT; ++ ++ __hns_roce_hw_v2_uninit_instance(handle, reset); ++ ++ handle->rinfo.instance_state = HNS_ROCE_STATE_NON_INIT; ++} + static int hns_roce_hw_v2_reset_notify_down(struct hnae3_handle *handle) + { +- struct hns_roce_dev *hr_dev = (struct hns_roce_dev *)handle->priv; ++ struct hns_roce_dev *hr_dev; + struct ib_event event; + +- if (!hr_dev) { +- dev_err(&handle->pdev->dev, +- "Input parameter handle->priv is NULL!\n"); +- return -EINVAL; ++ if (handle->rinfo.instance_state != HNS_ROCE_STATE_INITED) { ++ set_bit(HNS_ROCE_RST_DIRECT_RETURN, &handle->rinfo.state); ++ return 0; + } + ++ handle->rinfo.reset_state = HNS_ROCE_STATE_RST_DOWN; ++ 
clear_bit(HNS_ROCE_RST_DIRECT_RETURN, &handle->rinfo.state); ++ ++ hr_dev = (struct hns_roce_dev *)handle->priv; ++ if (!hr_dev) ++ return 0; ++ + hr_dev->active = false; +- hr_dev->is_reset = true; + + event.event = IB_EVENT_DEVICE_FATAL; + event.device = &hr_dev->ib_dev; +@@ -5912,17 +5971,29 @@ static int hns_roce_hw_v2_reset_notify_down(struct hnae3_handle *handle) + + static int hns_roce_hw_v2_reset_notify_init(struct hnae3_handle *handle) + { ++ struct device *dev = &handle->pdev->dev; + int ret; + +- ret = hns_roce_hw_v2_init_instance(handle); ++ if (test_and_clear_bit(HNS_ROCE_RST_DIRECT_RETURN, ++ &handle->rinfo.state)) { ++ handle->rinfo.reset_state = HNS_ROCE_STATE_RST_INITED; ++ return 0; ++ } ++ ++ handle->rinfo.reset_state = HNS_ROCE_STATE_RST_INIT; ++ ++ dev_info(&handle->pdev->dev, "In reset process RoCE client reinit.\n"); ++ ret = __hns_roce_hw_v2_init_instance(handle); + if (ret) { + /* when reset notify type is HNAE3_INIT_CLIENT In reset notify + * callback function, RoCE Engine reinitialize. If RoCE reinit + * failed, we should inform NIC driver. 
+ */ + handle->priv = NULL; +- dev_err(&handle->pdev->dev, +- "In reset process RoCE reinit failed %d.\n", ret); ++ dev_err(dev, "In reset process RoCE reinit failed %d.\n", ret); ++ } else { ++ handle->rinfo.reset_state = HNS_ROCE_STATE_RST_INITED; ++ dev_info(dev, "Reset done, RoCE client reinit finished.\n"); + } + + return ret; +@@ -5930,8 +6001,14 @@ static int hns_roce_hw_v2_reset_notify_init(struct hnae3_handle *handle) + + static int hns_roce_hw_v2_reset_notify_uninit(struct hnae3_handle *handle) + { ++ if (test_bit(HNS_ROCE_RST_DIRECT_RETURN, &handle->rinfo.state)) ++ return 0; ++ ++ handle->rinfo.reset_state = HNS_ROCE_STATE_RST_UNINIT; ++ dev_info(&handle->pdev->dev, "In reset process RoCE client uninit.\n"); + msleep(100); +- hns_roce_hw_v2_uninit_instance(handle, false); ++ __hns_roce_hw_v2_uninit_instance(handle, false); ++ + return 0; + } + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h +index b72d0443c835..5398aa718cfc 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h +@@ -1546,6 +1546,7 @@ struct hns_roce_link_table_entry { + #define HNS_ROCE_LINK_TABLE_NXT_PTR_M GENMASK(31, 20) + + struct hns_roce_v2_priv { ++ struct hnae3_handle *handle; + struct hns_roce_v2_cmq cmq; + struct hns_roce_link_table tsq; + struct hns_roce_link_table tpq; +-- +2.19.1 + diff --git a/queue-5.0/revert-acpi-ec-remove-old-clear_on_resume-quirk.patch b/queue-5.0/revert-acpi-ec-remove-old-clear_on_resume-quirk.patch new file mode 100644 index 0000000000..4900b52a56 --- /dev/null +++ b/queue-5.0/revert-acpi-ec-remove-old-clear_on_resume-quirk.patch 
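Review bot: The new wrappers read and write `handle->rinfo.instance_state` as plain loads and stores with no lock or barrier visible in the hunk, while the reset callbacks test the same field from the reset worker that appears in the commit's Oops trace. The commit message says the mutual exclusion comes from a companion change in the NIC driver, so the state checks in `hns_roce_hw_v2_uninit_instance()` and `hns_roce_hw_v2_reset_notify_down()` are only as strong as that serialisation. For a stable queue it is worth confirming that the companion change, the `rinfo` fields, and the `ae_dev_resetting`/`get_hw_reset_stat`/`ae_dev_reset_cnt` ops this file calls unconditionally are all present in the 5.0 tree, since none of them is added by the three files in this diffstat. I would add above `hns_roce_hw_v2_init_instance()`: `/* instance_state is not locked; relies on hclge serialising .reset_notify against init/uninit_instance */`.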
@@ -0,0 +1,134 @@ +From f498fb3b053fbe31b1bbc4daf7b246946d8f27ea Mon Sep 17 00:00:00 2001 +From: Zhang Rui +Date: Fri, 1 Feb 2019 14:13:41 +0800 +Subject: Revert "ACPI / EC: Remove old CLEAR_ON_RESUME quirk" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit b6a3e1475b0220378ad32bdf4d8692f058b1fc03 ] + +On some Samsung hardware, it is necessary to clear events accumulated by +the EC during sleep. These ECs stop reporting GPEs until they are manually +polled, if too many events are accumulated. +Thus the CLEAR_ON_RESUME quirk is introduced to send EC query commands +unconditionally after resume to clear all the EC query events on those +platforms. + +Later, commit 4c237371f290 ("ACPI / EC: Remove old CLEAR_ON_RESUME quirk") +removes the CLEAR_ON_RESUME quirk because we thought the new EC IRQ +polling logic should handle this case. + +Now it has been proved that the EC IRQ Polling logic does not fix the +issue actually because we got regression report on these Samsung +platforms after removing the quirk. + +Thus revert commit 4c237371f290 ("ACPI / EC: Remove old CLEAR_ON_RESUME +quirk") to introduce back the Samsung quirk in this patch. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=44161 +Tested-by: Ortwin Glück +Tested-by: Francisco Cribari +Tested-by: Balazs Varga +Signed-off-by: Zhang Rui +Signed-off-by: Rafael J. 
Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/ec.c | 53 +++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 53 insertions(+) + +diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c +index 9d66a47d32fb..49e16f009095 100644 +--- a/drivers/acpi/ec.c ++++ b/drivers/acpi/ec.c +@@ -194,6 +194,7 @@ static struct workqueue_struct *ec_query_wq; + static int EC_FLAGS_QUERY_HANDSHAKE; /* Needs QR_EC issued when SCI_EVT set */ + static int EC_FLAGS_CORRECT_ECDT; /* Needs ECDT port address correction */ + static int EC_FLAGS_IGNORE_DSDT_GPE; /* Needs ECDT GPE as correction setting */ ++static int EC_FLAGS_CLEAR_ON_RESUME; /* Needs acpi_ec_clear() on boot/resume */ + + /* -------------------------------------------------------------------------- + * Logging/Debugging +@@ -499,6 +500,26 @@ static inline void __acpi_ec_disable_event(struct acpi_ec *ec) + ec_log_drv("event blocked"); + } + ++/* ++ * Process _Q events that might have accumulated in the EC. ++ * Run with locked ec mutex. 
++ */ ++static void acpi_ec_clear(struct acpi_ec *ec) ++{ ++ int i, status; ++ u8 value = 0; ++ ++ for (i = 0; i < ACPI_EC_CLEAR_MAX; i++) { ++ status = acpi_ec_query(ec, &value); ++ if (status || !value) ++ break; ++ } ++ if (unlikely(i == ACPI_EC_CLEAR_MAX)) ++ pr_warn("Warning: Maximum of %d stale EC events cleared\n", i); ++ else ++ pr_info("%d stale EC events cleared\n", i); ++} ++ + static void acpi_ec_enable_event(struct acpi_ec *ec) + { + unsigned long flags; +@@ -507,6 +528,10 @@ static void acpi_ec_enable_event(struct acpi_ec *ec) + if (acpi_ec_started(ec)) + __acpi_ec_enable_event(ec); + spin_unlock_irqrestore(&ec->lock, flags); ++ ++ /* Drain additional events if hardware requires that */ ++ if (EC_FLAGS_CLEAR_ON_RESUME) ++ acpi_ec_clear(ec); + } + + #ifdef CONFIG_PM_SLEEP +@@ -1820,6 +1845,31 @@ static int ec_flag_query_handshake(const struct dmi_system_id *id) + } + #endif + ++/* ++ * On some hardware it is necessary to clear events accumulated by the EC during ++ * sleep. These ECs stop reporting GPEs until they are manually polled, if too ++ * many events are accumulated. (e.g. Samsung Series 5/9 notebooks) ++ * ++ * https://bugzilla.kernel.org/show_bug.cgi?id=44161 ++ * ++ * Ideally, the EC should also be instructed NOT to accumulate events during ++ * sleep (which Windows seems to do somehow), but the interface to control this ++ * behaviour is not known at this time. ++ * ++ * Models known to be affected are Samsung 530Uxx/535Uxx/540Uxx/550Pxx/900Xxx, ++ * however it is very likely that other Samsung models are affected. ++ * ++ * On systems which don't accumulate _Q events during sleep, this extra check ++ * should be harmless. ++ */ ++static int ec_clear_on_resume(const struct dmi_system_id *id) ++{ ++ pr_debug("Detected system needing EC poll on resume.\n"); ++ EC_FLAGS_CLEAR_ON_RESUME = 1; ++ ec_event_clearing = ACPI_EC_EVT_TIMING_STATUS; ++ return 0; ++} ++ + /* + * Some ECDTs contain wrong register addresses. 
+ * MSI MS-171F +@@ -1869,6 +1919,9 @@ static const struct dmi_system_id ec_dmi_table[] __initconst = { + ec_honor_ecdt_gpe, "ASUS X580VD", { + DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), + DMI_MATCH(DMI_PRODUCT_NAME, "X580VD"),}, NULL}, ++ { ++ ec_clear_on_resume, "Samsung hardware", { ++ DMI_MATCH(DMI_SYS_VENDOR, "SAMSUNG ELECTRONICS CO., LTD.")}, NULL}, + {}, + }; + +-- +2.19.1 + diff --git a/queue-5.0/rxrpc-fix-client-call-connect-disconnect-race.patch b/queue-5.0/rxrpc-fix-client-call-connect-disconnect-race.patch new file mode 100644 index 0000000000..b3db782447 --- /dev/null +++ b/queue-5.0/rxrpc-fix-client-call-connect-disconnect-race.patch 
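Review bot: The header comment on `acpi_ec_clear()` says "Run with locked ec mutex", but the call this patch adds in `acpi_ec_enable_event()` sits after `spin_unlock_irqrestore(&ec->lock, flags)` with no mutex acquisition visible, so the comment does not describe the call site as shown. Whether callers of `acpi_ec_enable_event()` hold a mutex is outside the hunk; if they do not, the comment should be corrected rather than carried over by the revert, for example `* Called from acpi_ec_enable_event() after ec->lock is dropped.`. Separately, the DMI entry matches on `DMI_SYS_VENDOR` alone, so every Samsung system gets the extra query loop on resume, which the patch's own comment expects to be harmless.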
@@ -0,0 +1,149 @@ +From 7b93dd452f0b1522cebf0ec8065d8b339bfa6ee4 Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Fri, 8 Mar 2019 12:48:39 +0000 +Subject: rxrpc: Fix client call connect/disconnect race + +[ Upstream commit 930c9f9125c85b5134b3e711bc252ecc094708e3 ] + +rxrpc_disconnect_client_call() reads the call's connection ID protocol +value (call->cid) as part of that function's variable declarations. This +is bad because it's not inside the locked section and so may race with +someone granting use of the channel to the call. + +This manifests as an assertion failure (see below) where the call in the +presumed channel (0 because call->cid wasn't set when we read it) doesn't +match the call attached to the channel we were actually granted (if 1, 2 or +3). + +Fix this by moving the read and dependent calculations inside of the +channel_lock section. Also, only set the channel number and pointer +variables if cid is not zero (ie. unset). + +This problem can be induced by injecting an occasional error in +rxrpc_wait_for_channel() before the call to schedule(). + +Make two further changes also: + + (1) Add a trace for wait failure in rxrpc_connect_call(). + + (2) Drop channel_lock before BUG'ing in the case of the assertion failure. + +The failure causes a trace akin to the following: + +rxrpc: Assertion failed - 18446612685268945920(0xffff8880beab8c00) == 18446612685268621312(0xffff8880bea69800) is false +------------[ cut here ]------------ +kernel BUG at net/rxrpc/conn_client.c:824! +... +RIP: 0010:rxrpc_disconnect_client_call+0x2bf/0x99d +... +Call Trace: + rxrpc_connect_call+0x902/0x9b3 + ? wake_up_q+0x54/0x54 + rxrpc_new_client_call+0x3a0/0x751 + ? rxrpc_kernel_begin_call+0x141/0x1bc + ? afs_alloc_call+0x1b5/0x1b5 + rxrpc_kernel_begin_call+0x141/0x1bc + afs_make_call+0x20c/0x525 + ? afs_alloc_call+0x1b5/0x1b5 + ? __lock_is_held+0x40/0x71 + ? lockdep_init_map+0xaf/0x193 + ? lockdep_init_map+0xaf/0x193 + ? __lock_is_held+0x40/0x71 + ? 
yfs_fs_fetch_data+0x33b/0x34a + yfs_fs_fetch_data+0x33b/0x34a + afs_fetch_data+0xdc/0x3b7 + afs_read_dir+0x52d/0x97f + afs_dir_iterate+0xa0/0x661 + ? iterate_dir+0x63/0x141 + iterate_dir+0xa2/0x141 + ksys_getdents64+0x9f/0x11b + ? filldir+0x111/0x111 + ? do_syscall_64+0x3e/0x1a0 + __x64_sys_getdents64+0x16/0x19 + do_syscall_64+0x7d/0x1a0 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Fixes: 45025bceef17 ("rxrpc: Improve management and caching of client connection objects") +Signed-off-by: David Howells +Reviewed-by: Marc Dionne +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/trace/events/rxrpc.h | 2 ++ + net/rxrpc/conn_client.c | 20 +++++++++++++++----- + 2 files changed, 17 insertions(+), 5 deletions(-) + +diff --git a/include/trace/events/rxrpc.h b/include/trace/events/rxrpc.h +index 5b50fe4906d2..7b60fd186cfe 100644 +--- a/include/trace/events/rxrpc.h ++++ b/include/trace/events/rxrpc.h +@@ -76,6 +76,7 @@ enum rxrpc_client_trace { + rxrpc_client_chan_disconnect, + rxrpc_client_chan_pass, + rxrpc_client_chan_unstarted, ++ rxrpc_client_chan_wait_failed, + rxrpc_client_cleanup, + rxrpc_client_count, + rxrpc_client_discard, +@@ -276,6 +277,7 @@ enum rxrpc_tx_point { + EM(rxrpc_client_chan_disconnect, "ChDisc") \ + EM(rxrpc_client_chan_pass, "ChPass") \ + EM(rxrpc_client_chan_unstarted, "ChUnst") \ ++ EM(rxrpc_client_chan_wait_failed, "ChWtFl") \ + EM(rxrpc_client_cleanup, "Clean ") \ + EM(rxrpc_client_count, "Count ") \ + EM(rxrpc_client_discard, "Discar") \ +diff --git a/net/rxrpc/conn_client.c b/net/rxrpc/conn_client.c +index 5cf6d9f4761d..83797b3949e2 100644 +--- a/net/rxrpc/conn_client.c ++++ b/net/rxrpc/conn_client.c +@@ -704,6 +704,7 @@ int rxrpc_connect_call(struct rxrpc_sock *rx, + + ret = rxrpc_wait_for_channel(call, gfp); + if (ret < 0) { ++ trace_rxrpc_client(call->conn, ret, rxrpc_client_chan_wait_failed); + rxrpc_disconnect_client_call(call); + goto out; + } +@@ -774,16 +775,22 @@ static void rxrpc_set_client_reap_timer(struct 
rxrpc_net *rxnet) + */ + void rxrpc_disconnect_client_call(struct rxrpc_call *call) + { +- unsigned int channel = call->cid & RXRPC_CHANNELMASK; + struct rxrpc_connection *conn = call->conn; +- struct rxrpc_channel *chan = &conn->channels[channel]; ++ struct rxrpc_channel *chan = NULL; + struct rxrpc_net *rxnet = conn->params.local->rxnet; ++ unsigned int channel = -1; ++ u32 cid; + ++ spin_lock(&conn->channel_lock); ++ ++ cid = call->cid; ++ if (cid) { ++ channel = cid & RXRPC_CHANNELMASK; ++ chan = &conn->channels[channel]; ++ } + trace_rxrpc_client(conn, channel, rxrpc_client_chan_disconnect); + call->conn = NULL; + +- spin_lock(&conn->channel_lock); +- + /* Calls that have never actually been assigned a channel can simply be + * discarded. If the conn didn't get used either, it will follow + * immediately unless someone else grabs it in the meantime. +@@ -807,7 +814,10 @@ void rxrpc_disconnect_client_call(struct rxrpc_call *call) + goto out; + } + +- ASSERTCMP(rcu_access_pointer(chan->call), ==, call); ++ if (rcu_access_pointer(chan->call) != call) { ++ spin_unlock(&conn->channel_lock); ++ BUG(); ++ } + + /* If a client call was exposed to the world, we save the result for + * retransmission. +-- +2.19.1 + diff --git a/queue-5.0/sched-core-fix-buffer-overflow-in-cgroup2-property-c.patch b/queue-5.0/sched-core-fix-buffer-overflow-in-cgroup2-property-c.patch new file mode 100644 index 0000000000..bd33436193 --- /dev/null +++ b/queue-5.0/sched-core-fix-buffer-overflow-in-cgroup2-property-c.patch 
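Review bot: `chan` now starts as NULL and is set only when `cid` is non-zero, yet the rewritten check `rcu_access_pointer(chan->call) != call` dereferences it unconditionally. The code between the two hunks is expected to `goto out` for calls that never got a channel, but that branch is not visible here, so the safety of the dereference rests on it. Folding the NULL case into the check keeps the failure a controlled BUG rather than a NULL dereference under `channel_lock`: `if (!chan || rcu_access_pointer(chan->call) != call) {`. Replacing `ASSERTCMP` with a bare `BUG()` also drops the two pointer values that the trace in the commit message shows, which a `pr_err()` before the unlock could keep. rxrpc_disconnect_client_call() continues outside the hunk.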
@@ -0,0 +1,46 @@
+From 65bf764f095d77a383328062c34d730f5f286e06 Mon Sep 17 00:00:00 2001
+From: Konstantin Khlebnikov
+Date: Wed, 6 Mar 2019 20:11:42 +0300
+Subject: sched/core: Fix buffer overflow in cgroup2 property cpu.max
+
+[ Upstream commit 4c47acd824aaaa8fc6dc519fb4e08d1522105b7a ]
+
+Add limit into sscanf format string for on-stack buffer.
+
+Signed-off-by: Konstantin Khlebnikov
+Signed-off-by: Peter Zijlstra (Intel)
+Acked-by: Tejun Heo
+Cc: Andy Lutomirski
+Cc: Borislav Petkov
+Cc: Dave Hansen
+Cc: H. Peter Anvin
+Cc: Johannes Weiner
+Cc: Li Zefan
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Rik van Riel
+Cc: Thomas Gleixner
+Fixes: 0d5936344f30 ("sched: Implement interface for cgroup unified hierarchy")
+Link: https://lkml.kernel.org/r/155189230232.2620.13120481613524200065.stgit@buzz
+Signed-off-by: Ingo Molnar
+Signed-off-by: Sasha Levin
+---
+ kernel/sched/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/sched/core.c b/kernel/sched/core.c
+index 01a2489de94e..62cc29364fba 100644
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -6942,7 +6942,7 @@ static int __maybe_unused cpu_period_quota_parse(char *buf,
+ {
+ char tok[21]; /* U64_MAX */
+
+- if (!sscanf(buf, "%s %llu", tok, periodp))
++ if (sscanf(buf, "%20s %llu", tok, periodp) < 1)
+ return -EINVAL;
+
+ *periodp *= NSEC_PER_USEC;
+--
+2.19.1
+
diff --git a/queue-5.0/sched-cpufreq-fix-32-bit-math-overflow.patch b/queue-5.0/sched-cpufreq-fix-32-bit-math-overflow.patch
new file mode 100644
index 0000000000..6270d27e0f
--- /dev/null
+++ b/queue-5.0/sched-cpufreq-fix-32-bit-math-overflow.patch
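Review bot: `%20s` stops the overflow of `tok[21]` but truncates rather than rejects an over-long first token: the characters left after the 20th are then offered to ` %llu`, because the space in the format also matches no whitespace, so one long digit string would be split into `tok` and a period value. If such input should fail with -EINVAL, the check needs to confirm that the token ended at whitespace or end of string. At minimum the coupling between the width and the buffer deserves a comment such as `/* "%20s" must stay at sizeof(tok) - 1 */`. How `tok` is parsed afterwards is outside the hunk.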
@@ -0,0 +1,175 @@ +From 5a1757f5a4d371e92f75c5cc72f874d5c22583a7 Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Tue, 5 Mar 2019 09:32:02 +0100 +Subject: sched/cpufreq: Fix 32-bit math overflow + +[ Upstream commit a23314e9d88d89d49e69db08f60b7caa470f04e1 ] + +Vincent Wang reported that get_next_freq() has a mult overflow bug on +32-bit platforms in the IOWAIT boost case, since in that case {util,max} +are in freq units instead of capacity units. + +Solve this by moving the IOWAIT boost to capacity units. And since this +means @max is constant; simplify the code. + +Reported-by: Vincent Wang +Tested-by: Vincent Wang +Signed-off-by: Peter Zijlstra (Intel) +Acked-by: Rafael J. Wysocki +Cc: Andy Lutomirski +Cc: Borislav Petkov +Cc: Chunyan Zhang +Cc: Dave Hansen +Cc: H. Peter Anvin +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Quentin Perret +Cc: Rafael J. Wysocki +Cc: Rik van Riel +Cc: Thomas Gleixner +Link: https://lkml.kernel.org/r/20190305083202.GU32494@hirez.programming.kicks-ass.net +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + kernel/sched/cpufreq_schedutil.c | 59 ++++++++++++++------------------ + 1 file changed, 25 insertions(+), 34 deletions(-) + +diff --git a/kernel/sched/cpufreq_schedutil.c b/kernel/sched/cpufreq_schedutil.c +index 033ec7c45f13..1ccf77f6d346 100644 +--- a/kernel/sched/cpufreq_schedutil.c ++++ b/kernel/sched/cpufreq_schedutil.c +@@ -48,10 +48,10 @@ struct sugov_cpu { + + bool iowait_boost_pending; + unsigned int iowait_boost; +- unsigned int iowait_boost_max; + u64 last_update; + + unsigned long bw_dl; ++ unsigned long min; + unsigned long max; + + /* The field below is for single-CPU policies only: */ +@@ -303,8 +303,7 @@ static bool sugov_iowait_reset(struct sugov_cpu *sg_cpu, u64 time, + if (delta_ns <= TICK_NSEC) + return false; + +- sg_cpu->iowait_boost = set_iowait_boost +- ? sg_cpu->sg_policy->policy->min : 0; ++ sg_cpu->iowait_boost = set_iowait_boost ? 
sg_cpu->min : 0; + sg_cpu->iowait_boost_pending = set_iowait_boost; + + return true; +@@ -344,14 +343,13 @@ static void sugov_iowait_boost(struct sugov_cpu *sg_cpu, u64 time, + + /* Double the boost at each request */ + if (sg_cpu->iowait_boost) { +- sg_cpu->iowait_boost <<= 1; +- if (sg_cpu->iowait_boost > sg_cpu->iowait_boost_max) +- sg_cpu->iowait_boost = sg_cpu->iowait_boost_max; ++ sg_cpu->iowait_boost = ++ min_t(unsigned int, sg_cpu->iowait_boost << 1, SCHED_CAPACITY_SCALE); + return; + } + + /* First wakeup after IO: start with minimum boost */ +- sg_cpu->iowait_boost = sg_cpu->sg_policy->policy->min; ++ sg_cpu->iowait_boost = sg_cpu->min; + } + + /** +@@ -373,47 +371,38 @@ static void sugov_iowait_boost(struct sugov_cpu *sg_cpu, u64 time, + * This mechanism is designed to boost high frequently IO waiting tasks, while + * being more conservative on tasks which does sporadic IO operations. + */ +-static void sugov_iowait_apply(struct sugov_cpu *sg_cpu, u64 time, +- unsigned long *util, unsigned long *max) ++static unsigned long sugov_iowait_apply(struct sugov_cpu *sg_cpu, u64 time, ++ unsigned long util, unsigned long max) + { +- unsigned int boost_util, boost_max; ++ unsigned long boost; + + /* No boost currently required */ + if (!sg_cpu->iowait_boost) +- return; ++ return util; + + /* Reset boost if the CPU appears to have been idle enough */ + if (sugov_iowait_reset(sg_cpu, time, false)) +- return; ++ return util; + +- /* +- * An IO waiting task has just woken up: +- * allow to further double the boost value +- */ +- if (sg_cpu->iowait_boost_pending) { +- sg_cpu->iowait_boost_pending = false; +- } else { ++ if (!sg_cpu->iowait_boost_pending) { + /* +- * Otherwise: reduce the boost value and disable it when we +- * reach the minimum. ++ * No boost pending; reduce the boost value. 
+ */ + sg_cpu->iowait_boost >>= 1; +- if (sg_cpu->iowait_boost < sg_cpu->sg_policy->policy->min) { ++ if (sg_cpu->iowait_boost < sg_cpu->min) { + sg_cpu->iowait_boost = 0; +- return; ++ return util; + } + } + ++ sg_cpu->iowait_boost_pending = false; ++ + /* +- * Apply the current boost value: a CPU is boosted only if its current +- * utilization is smaller then the current IO boost level. ++ * @util is already in capacity scale; convert iowait_boost ++ * into the same scale so we can compare. + */ +- boost_util = sg_cpu->iowait_boost; +- boost_max = sg_cpu->iowait_boost_max; +- if (*util * boost_max < *max * boost_util) { +- *util = boost_util; +- *max = boost_max; +- } ++ boost = (sg_cpu->iowait_boost * max) >> SCHED_CAPACITY_SHIFT; ++ return max(boost, util); + } + + #ifdef CONFIG_NO_HZ_COMMON +@@ -460,7 +449,7 @@ static void sugov_update_single(struct update_util_data *hook, u64 time, + + util = sugov_get_util(sg_cpu); + max = sg_cpu->max; +- sugov_iowait_apply(sg_cpu, time, &util, &max); ++ util = sugov_iowait_apply(sg_cpu, time, util, max); + next_f = get_next_freq(sg_policy, util, max); + /* + * Do not reduce the frequency if the CPU has not been idle +@@ -500,7 +489,7 @@ static unsigned int sugov_next_freq_shared(struct sugov_cpu *sg_cpu, u64 time) + + j_util = sugov_get_util(j_sg_cpu); + j_max = j_sg_cpu->max; +- sugov_iowait_apply(j_sg_cpu, time, &j_util, &j_max); ++ j_util = sugov_iowait_apply(j_sg_cpu, time, j_util, j_max); + + if (j_util * max > j_max * util) { + util = j_util; +@@ -837,7 +826,9 @@ static int sugov_start(struct cpufreq_policy *policy) + memset(sg_cpu, 0, sizeof(*sg_cpu)); + sg_cpu->cpu = cpu; + sg_cpu->sg_policy = sg_policy; +- sg_cpu->iowait_boost_max = policy->cpuinfo.max_freq; ++ sg_cpu->min = ++ (SCHED_CAPACITY_SCALE * policy->cpuinfo.min_freq) / ++ policy->cpuinfo.max_freq; + } + + for_each_cpu(cpu, policy->cpus) { +-- +2.19.1 + 
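Review bot: The new `sg_cpu->min` computation in sugov_start() multiplies before dividing, `(SCHED_CAPACITY_SCALE * policy->cpuinfo.min_freq) / policy->cpuinfo.max_freq`, with no guard on the divisor. If both operands are 32 bits wide on a 32-bit build, the product can still wrap for min_freq values above about 4.19 GHz expressed in kHz. Since the commit exists to remove a 32-bit multiply overflow, a comment stating the assumed range would help: `/* min_freq is in kHz; SCHED_CAPACITY_SCALE * min_freq must fit in unsigned long */`. sugov_start() starts and ends outside the hunk, so whether `cpuinfo.max_freq` can be zero here cannot be told from this page.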
diff --git a/queue-5.0/scsi-core-also-call-destroy_rcu_head-for-passthrough.patch b/queue-5.0/scsi-core-also-call-destroy_rcu_head-for-passthrough.patch
new file mode 100644
index 0000000000..890a2d027b
--- /dev/null
+++ b/queue-5.0/scsi-core-also-call-destroy_rcu_head-for-passthrough.patch
@@ -0,0 +1,50 @@
+From fd5f560b09067cebb8e116118624caadbd4a7429 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche
+Date: Mon, 18 Mar 2019 09:29:26 -0700
+Subject: scsi: core: Also call destroy_rcu_head() for passthrough requests
+
+[ Upstream commit db983f6eef57a9d78af79bc32389b7e60eb3c47d ]
+
+cmd->rcu is initialized by scsi_initialize_rq(). For passthrough
+requests, blk_get_request() calls scsi_initialize_rq(). For filesystem
+requests, scsi_init_command() calls scsi_initialize_rq(). Make sure
+that destroy_rcu_head() is called for passthrough requests.
+
+Cc: Christoph Hellwig
+Cc: Hannes Reinecke
+Cc: Ewan D. Milne
+Cc: Johannes Thumshirn
+Reported-by: Ewan D. Milne
+Signed-off-by: Bart Van Assche
+Reviewed-by: Hannes Reinecke
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/scsi_lib.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
+index 5a6e8e12701a..655ad26106e4 100644
+--- a/drivers/scsi/scsi_lib.c
++++ b/drivers/scsi/scsi_lib.c
+@@ -598,9 +598,16 @@ static bool scsi_end_request(struct request *req, blk_status_t error,
+ if (!blk_rq_is_scsi(req)) {
+ WARN_ON_ONCE(!(cmd->flags & SCMD_INITIALIZED));
+ cmd->flags &= ~SCMD_INITIALIZED;
+- destroy_rcu_head(&cmd->rcu);
+ }
+
++ /*
++ * Calling rcu_barrier() is not necessary here because the
++ * SCSI error handler guarantees that the function called by
++ * call_rcu() has been called before scsi_end_request() is
++ * called.
++ */
++ destroy_rcu_head(&cmd->rcu);
++
+ /*
+ * In the MQ case the command gets freed by __blk_mq_end_request,
+ * so we have to do all cleanup that depends on it earlier.
+--
+2.19.1
+
diff --git a/queue-5.0/scsi-iscsi-flush-running-unbind-operations-when-remo.patch b/queue-5.0/scsi-iscsi-flush-running-unbind-operations-when-remo.patch new file mode 100644 index 0000000000..5aecc0c859 --- /dev/null +++ b/queue-5.0/scsi-iscsi-flush-running-unbind-operations-when-remo.patch 
@@ -0,0 +1,71 @@ +From 4d4ecdcff754f734edd4019c363586591dfc4054 Mon Sep 17 00:00:00 2001 +From: Maurizio Lombardi +Date: Mon, 28 Jan 2019 15:24:42 +0100 +Subject: scsi: iscsi: flush running unbind operations when removing a session + +[ Upstream commit 165aa2bfb42904b1bec4bf2fa257c8c603c14a06 ] + +In some cases, the iscsi_remove_session() function is called while an +unbind_work operation is still running. This may cause a situation where +sysfs objects are removed in an incorrect order, triggering a kernel +warning. + +[ 605.249442] ------------[ cut here ]------------ +[ 605.259180] sysfs group 'power' not found for kobject 'target2:0:0' +[ 605.321371] WARNING: CPU: 1 PID: 26794 at fs/sysfs/group.c:235 sysfs_remove_group+0x76/0x80 +[ 605.341266] Modules linked in: dm_service_time target_core_user target_core_pscsi target_core_file target_core_iblock iscsi_target_mod target_core_mod nls_utf8 isofs ppdev bochs_drm nfit ttm libnvdimm drm_kms_helper syscopyarea sysfillrect sysimgblt joydev pcspkr fb_sys_fops drm i2c_piix4 sg parport_pc parport xfs libcrc32c dm_multipath sr_mod sd_mod cdrom ata_generic 8021q garp mrp ata_piix stp crct10dif_pclmul crc32_pclmul llc libata crc32c_intel virtio_net net_failover ghash_clmulni_intel serio_raw failover sunrpc dm_mirror dm_region_hash dm_log dm_mod be2iscsi bnx2i cnic uio cxgb4i cxgb4 libcxgbi libcxgb qla4xxx iscsi_boot_sysfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi +[ 605.627479] CPU: 1 PID: 26794 Comm: kworker/u32:2 Not tainted 4.18.0-60.el8.x86_64 #1 +[ 605.721401] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20180724_192412-buildhw-07.phx2.fedoraproject.org-1.fc29 04/01/2014 +[ 605.823651] Workqueue: scsi_wq_2 __iscsi_unbind_session [scsi_transport_iscsi] +[ 605.830940] RIP: 0010:sysfs_remove_group+0x76/0x80 +[ 605.922907] Code: 48 89 df 5b 5d 41 5c e9 38 c4 ff ff 48 89 df e8 e0 bf ff ff eb cb 49 8b 14 24 48 8b 75 00 48 c7 c7 38 73 cb a7 e8 24 77 d7 ff <0f> 0b 5b 5d 41 5c c3 0f 1f 00 0f 1f 44 
00 00 41 56 41 55 41 54 55 +[ 606.122304] RSP: 0018:ffffbadcc8d1bda8 EFLAGS: 00010286 +[ 606.218492] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 +[ 606.326381] RDX: ffff98bdfe85eb40 RSI: ffff98bdfe856818 RDI: ffff98bdfe856818 +[ 606.514498] RBP: ffffffffa7ab73e0 R08: 0000000000000268 R09: 0000000000000007 +[ 606.529469] R10: 0000000000000000 R11: ffffffffa860d9ad R12: ffff98bdf978e838 +[ 606.630535] R13: ffff98bdc2cd4010 R14: ffff98bdc2cd3ff0 R15: ffff98bdc2cd4000 +[ 606.824707] FS: 0000000000000000(0000) GS:ffff98bdfe840000(0000) knlGS:0000000000000000 +[ 607.018333] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 607.117844] CR2: 00007f84b78ac024 CR3: 000000002c00a003 CR4: 00000000003606e0 +[ 607.117844] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 607.420926] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 607.524236] Call Trace: +[ 607.530591] device_del+0x56/0x350 +[ 607.624393] ? ata_tlink_match+0x30/0x30 [libata] +[ 607.727805] ? attribute_container_device_trigger+0xb4/0xf0 +[ 607.829911] scsi_target_reap_ref_release+0x39/0x50 +[ 607.928572] scsi_remove_target+0x1a2/0x1d0 +[ 608.017350] __iscsi_unbind_session+0xb3/0x160 [scsi_transport_iscsi] +[ 608.117435] process_one_work+0x1a7/0x360 +[ 608.132917] worker_thread+0x30/0x390 +[ 608.222900] ? pwq_unbound_release_workfn+0xd0/0xd0 +[ 608.323989] kthread+0x112/0x130 +[ 608.418318] ? kthread_bind+0x30/0x30 +[ 608.513821] ret_from_fork+0x35/0x40 +[ 608.613909] ---[ end trace 0b98c310c8a6138c ]--- + +Signed-off-by: Maurizio Lombardi +Acked-by: Chris Leech +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_transport_iscsi.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c +index 0508831d6fb9..0a82e93566dc 100644 +--- a/drivers/scsi/scsi_transport_iscsi.c ++++ b/drivers/scsi/scsi_transport_iscsi.c +@@ -2200,6 +2200,8 @@ void iscsi_remove_session(struct iscsi_cls_session *session) + scsi_target_unblock(&session->dev, SDEV_TRANSPORT_OFFLINE); + /* flush running scans then delete devices */ + flush_work(&session->scan_work); ++ /* flush running unbind operations */ ++ flush_work(&session->unbind_work); + __iscsi_unbind_session(&session->unbind_work); + + /* hw iscsi may not have removed all connections from session */ +-- +2.19.1 + diff --git a/queue-5.0/scsi-qla2xxx-fix-null-pointer-crash-due-to-stale-cpu.patch b/queue-5.0/scsi-qla2xxx-fix-null-pointer-crash-due-to-stale-cpu.patch new file mode 100644 index 0000000000..ac14da0018 --- /dev/null +++ b/queue-5.0/scsi-qla2xxx-fix-null-pointer-crash-due-to-stale-cpu.patch 
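Review bot: The added `flush_work(&session->unbind_work)` in iscsi_remove_session() waits only for an instance of the work that is already queued or running; the hunk does not show what stops unbind_work from being queued again between the flush and the direct `__iscsi_unbind_session(&session->unbind_work)` call on the next line. If an earlier state change in the function rules that out, the new comment should say so, for example `/* flush running unbind operations; no new unbind can be queued past this point because <reason> */`. The body of iscsi_remove_session() starts and ends outside the hunk, so this needs confirming against the full function.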
@@ -0,0 +1,89 @@ +From 5348f4f6f2ef8bbe33a974e8736e2783b5fbc88b Mon Sep 17 00:00:00 2001 +From: Himanshu Madhani +Date: Fri, 15 Mar 2019 15:04:19 -0700 +Subject: scsi: qla2xxx: Fix NULL pointer crash due to stale CPUID + +[ Upstream commit ac444b4f0ace05d7c4c99f6b1e5b0cae0852f025 ] + +This patch fixes crash due to NULL pointer derefrence because CPU pointer +is not set and used by driver. Instead, driver is passes CPU as tag via +ha->isp_ops->{lun_reset|target_reset} + +[ 30.160780] qla2xxx [0000:a0:00.1]-8038:9: Cable is unplugged... +[ 69.984045] qla2xxx [0000:a0:00.0]-8009:8: DEVICE RESET ISSUED nexus=8:0:0 cmd=00000000b0d62f46. +[ 69.992849] BUG: unable to handle kernel NULL pointer dereference at 0000000000000040 +[ 70.000680] PGD 0 P4D 0 +[ 70.003232] Oops: 0000 [#1] SMP PTI +[ 70.006727] CPU: 2 PID: 6714 Comm: sg_reset Kdump: loaded Not tainted 4.18.0-67.el8.x86_64 #1 +[ 70.015258] Hardware name: NEC Express5800/T110j [N8100-2758Y]/MX32-PH0-NJ, BIOS F11 02/13/2019 +[ 70.024016] RIP: 0010:blk_mq_rq_cpu+0x9/0x10 +[ 70.028315] Code: 01 58 01 00 00 48 83 c0 28 48 3d 80 02 00 00 75 ab c3 0f 1f 44 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 + 8b 47 08 <8b> 40 40 c3 0f 1f 00 0f 1f 44 00 00 48 83 ec 10 48 c7 c6 20 6e 7c +[ 70.047087] RSP: 0018:ffff99a481487d58 EFLAGS: 00010246 +[ 70.052322] RAX: 0000000000000000 RBX: ffffffffc041b08b RCX: 0000000000000000 +[ 70.059466] RDX: 0000000000000000 RSI: ffff8d10b6b16898 RDI: ffff8d10b341e400 +[ 70.066615] RBP: ffffffffc03a6bd0 R08: 0000000000000415 R09: 0000000000aaaaaa +[ 70.073765] R10: 0000000000000001 R11: 0000000000000001 R12: ffff8d10b341e528 +[ 70.080914] R13: ffff8d10aadefc00 R14: ffff8d0f64efa998 R15: ffff8d0f64efa000 +[ 70.088083] FS: 00007f90a201e540(0000) GS:ffff8d10b6b00000(0000) knlGS:0000000000000000 +[ 70.096188] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 70.101959] CR2: 0000000000000040 CR3: 0000000268886005 CR4: 00000000003606e0 +[ 70.109127] DR0: 0000000000000000 DR1: 0000000000000000 
DR2: 0000000000000000 +[ 70.116277] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 70.123425] Call Trace: +[ 70.125896] __qla2xxx_eh_generic_reset+0xb1/0x220 [qla2xxx] +[ 70.131572] scsi_ioctl_reset+0x1f5/0x2a0 +[ 70.135600] scsi_ioctl+0x18e/0x397 +[ 70.139099] ? sd_ioctl+0x7c/0x100 [sd_mod] +[ 70.143287] blkdev_ioctl+0x32b/0x9f0 +[ 70.146954] ? __check_object_size+0xa3/0x181 +[ 70.151323] block_ioctl+0x39/0x40 +[ 70.154735] do_vfs_ioctl+0xa4/0x630 +[ 70.158322] ? syscall_trace_enter+0x1d3/0x2c0 +[ 70.162769] ksys_ioctl+0x60/0x90 +[ 70.166104] __x64_sys_ioctl+0x16/0x20 +[ 70.169859] do_syscall_64+0x5b/0x1b0 +[ 70.173532] entry_SYSCALL_64_after_hwframe+0x65/0xca +[ 70.178587] RIP: 0033:0x7f90a1b3445b +[ 70.182183] Code: 0f 1e fa 48 8b 05 2d aa 2c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa b8 10 00 00 + 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d fd a9 2c 00 f7 d8 64 89 01 48 +[ 70.200956] RSP: 002b:00007fffdca88b68 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +[ 70.208535] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f90a1b3445b +[ 70.215684] RDX: 00007fffdca88b84 RSI: 0000000000002284 RDI: 0000000000000003 +[ 70.222833] RBP: 00007fffdca88ca8 R08: 00007fffdca88b84 R09: 0000000000000000 +[ 70.229981] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fffdca88b84 +[ 70.237131] R13: 0000000000000000 R14: 000055ab09b0bd28 R15: 0000000000000000 +[ 70.244284] Modules linked in: nft_chain_route_ipv4 xt_CHECKSUM nft_chain_nat_ipv4 ipt_MASQUERADE nf_nat_ipv4 nf_nat nf_conntrack_ipv4 + nf_defrag_ipv4 xt_conntrack nf_conntrack libcrc32c ipt_REJECT nf_reject_ipv4 nft_counter nft_compat tun bridge stp llc nf_tables nfnetli +nk devlink sunrpc vfat fat intel_rapl intel_pmc_core x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm wmi_bmof iTCO_wdt iTCO_ +vendor_support irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel ipmi_ssif intel_cstate intel_uncore intel_rapl_perf ipmi_si jo +ydev pcspkr 
ipmi_devintf sg wmi ipmi_msghandler video acpi_power_meter acpi_pad mei_me i2c_i801 mei ip_tables ext4 mbcache jbd2 sr_mod cd +rom sd_mod qla2xxx ast i2c_algo_bit drm_kms_helper nvme_fc syscopyarea sysfillrect uas sysimgblt fb_sys_fops nvme_fabrics ttm +[ 70.314805] usb_storage nvme_core crc32c_intel scsi_transport_fc ahci drm libahci tg3 libata megaraid_sas pinctrl_cannonlake pinctrl_ +intel +[ 70.327335] CR2: 0000000000000040 + +Fixes: 9cf2bab630765 ("block: kill request ->cpu member") +Signed-off-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_os.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c +index 7e35ce2162d0..503fda4e7e8e 100644 +--- a/drivers/scsi/qla2xxx/qla_os.c ++++ b/drivers/scsi/qla2xxx/qla_os.c +@@ -1459,7 +1459,7 @@ __qla2xxx_eh_generic_reset(char *name, enum nexus_wait_type type, + goto eh_reset_failed; + } + err = 2; +- if (do_reset(fcport, cmd->device->lun, blk_mq_rq_cpu(cmd->request) + 1) ++ if (do_reset(fcport, cmd->device->lun, 1) + != QLA_SUCCESS) { + ql_log(ql_log_warn, vha, 0x800c, + "do_reset failed for cmd=%p.\n", cmd); +-- +2.19.1 + diff --git a/queue-5.0/series b/queue-5.0/series new file mode 100644 index 0000000000..f982f4124f --- /dev/null +++ b/queue-5.0/series 
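Review bot: The literal `1` now passed as the third argument of `do_reset()` in __qla2xxx_eh_generic_reset() has no explanation in the code; the reason exists only in the commit message. The call trace there shows the reset arriving through scsi_ioctl_reset() and faulting in blk_mq_rq_cpu(), so a short comment above the call would keep a later change from reintroducing a lookup on `cmd->request`: `/* cmd->request may have no valid CPU context on the ioctl reset path; pass a fixed tag */`. Whether a fixed tag suits every lun_reset/target_reset implementation is not visible from the hunk, and the function body starts and ends outside it.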
@@ -0,0 +1,91 @@ +arc-u-boot-args-check-that-magic-number-is-correct.patch +arc-hsdk_defconfig-enable-config_blk_dev_ram.patch +inotify-fix-fsnotify_mark-refcount-leak-in-inotify_u.patch +perf-core-restore-mmap-record-type-correctly.patch +perf-data-don-t-store-auxtrace-index-for-directory-d.patch +mips-bcm47xx-enable-usb-power-on-netgear-wndr3400v2.patch +ext4-avoid-panic-during-forced-reboot.patch +ext4-add-missing-brelse-in-add_new_gdb_meta_bg.patch +ext4-report-real-fs-size-after-failed-resize.patch +alsa-echoaudio-add-a-check-for-ioremap_nocache.patch +alsa-sb8-add-a-check-for-request_region.patch +auxdisplay-hd44780-fix-memory-leak-on-remove.patch +drm-udl-use-drm_gem_object_put_unlocked.patch +ib-mlx4-fix-race-condition-between-catas-error-reset.patch +i40iw-avoid-panic-when-handling-the-inetdev-event.patch +mmc-davinci-remove-extraneous-__init-annotation.patch +alsa-opl3-fix-mismatch-between-snd_opl3_drum_switch-.patch +paride-pf-cleanup-queues-when-detection-fails.patch +paride-pcd-cleanup-queues-when-detection-fails.patch +thermal-intel_powerclamp-fix-__percpu-declaration-of.patch +thermal-samsung-fix-incorrect-check-after-code-merge.patch +thermal-bcm2835-fix-crash-in-bcm2835_thermal_debugfs.patch +thermal-int340x_thermal-add-additional-uuids.patch +thermal-int340x_thermal-fix-mode-setting.patch +thermal-intel_powerclamp-fix-truncated-kthread-name.patch +scsi-iscsi-flush-running-unbind-operations-when-remo.patch +sched-cpufreq-fix-32-bit-math-overflow.patch +sched-core-fix-buffer-overflow-in-cgroup2-property-c.patch +x86-mm-don-t-leak-kernel-addresses.patch +tools-power-turbostat-return-the-exit-status-of-a-co.patch +scsi-core-also-call-destroy_rcu_head-for-passthrough.patch +scsi-qla2xxx-fix-null-pointer-crash-due-to-stale-cpu.patch +perf-stat-fix-no-scale.patch +perf-list-don-t-forget-to-drop-the-reference-to-the-.patch +perf-tools-fix-errors-under-optimization-level-og.patch +perf-config-fix-an-error-in-the-config-template-docu.patch 
+perf-config-fix-a-memory-leak-in-collect_config.patch +perf-build-id-fix-memory-leak-in-print_sdt_events.patch +perf-top-delete-the-evlist-before-perf_session-fixin.patch +perf-top-fix-error-handling-in-cmd_top.patch +perf-hist-add-missing-map__put-in-error-case.patch +perf-map-remove-map-from-names-tree-in-__maps__remov.patch +perf-maps-purge-all-maps-from-the-names-tree.patch +perf-top-fix-global-buffer-overflow-issue.patch +perf-evsel-free-evsel-counts-in-perf_evsel__exit.patch +perf-tests-fix-a-memory-leak-of-cpu_map-object-in-th.patch +perf-tests-fix-memory-leak-by-expr__find_other-in-te.patch +perf-tests-fix-a-memory-leak-in-test__perf_evsel__tp.patch +acpi-utils-drop-reference-in-test-for-device-presenc.patch +pm-domains-avoid-a-potential-deadlock.patch +blk-iolatency-include-blk.h.patch +drm-exynos-mixer-fix-mixer-shadow-registry-synchroni.patch +irqchip-stm32-don-t-clear-rising-falling-config-regi.patch +irqchip-stm32-don-t-set-rising-configuration-registe.patch +irqchip-mbigen-don-t-clear-eventid-when-freeing-an-m.patch +x86-hpet-prevent-potential-null-pointer-dereference.patch +x86-hyperv-prevent-potential-null-pointer-dereferenc.patch +x86-cpu-cyrix-use-correct-macros-for-cyrix-calls-on-.patch +drm-nouveau-debugfs-fix-check-of-pm_runtime_get_sync.patch +iommu-vt-d-check-capability-before-disabling-protect.patch +iommu-vt-d-save-the-right-domain-id-used-by-hardware.patch +x86-hw_breakpoints-make-default-case-in-hw_breakpoin.patch +cifs-fix-that-return-einval-when-do-dedupe-operation.patch +fix-incorrect-error-code-mapping-for-objectid_not_fo.patch +cifs-fix-slab-out-of-bounds-when-tracing-smb-tcon.patch +x86-gart-exclude-gart-aperture-from-kcore.patch +ext4-prohibit-fstrim-in-norecovery-mode.patch +lkdtm-print-real-addresses.patch +lkdtm-add-tests-for-null-pointer-dereference.patch +drm-amdgpu-psp_ring_destroy-cause-psp-km_ring.ring_m.patch +drm-panel-panel-innolux-set-display-off-in-innolux_p.patch +net-hns3-fix-null-deref-when-unloading-driver.patch 
+crypto-axis-fix-for-recursive-locking-from-bottom-ha.patch +revert-acpi-ec-remove-old-clear_on_resume-quirk.patch +rdma-hns-fix-the-oops-during-rmmod-or-insmod-ko-when.patch +coresight-cpu-debug-support-for-ca73-cpus.patch +pci-blacklist-power-management-of-gigabyte-x299-desi.patch +pci-aspm-save-ltr-capability-for-suspend-resume.patch +f2fs-sync-filesystem-after-roll-forward-recovery.patch +drm-nouveau-volt-gf117-fix-speedo-readout-register.patch +platform-x86-intel_pmc_core-quirk-to-ignore-xtal-shu.patch +arm-8839-1-kprobe-make-patch_lock-a-raw_spinlock_t.patch +drm-amdkfd-use-init_mqd-function-to-allocate-object-.patch +appletalk-fix-use-after-free-in-atalk_proc_exit.patch +cifs-return-enodata-when-deleting-an-xattr-that-does.patch +lib-div64.c-off-by-one-in-shift.patch +rxrpc-fix-client-call-connect-disconnect-race.patch +f2fs-fix-to-dirty-inode-for-i_mode-recovery.patch +f2fs-fix-to-use-kvfree-instead-of-kzfree.patch +f2fs-fix-to-add-refcount-once-page-is-tagged-pg_priv.patch +include-linux-swap.h-use-offsetof-instead-of-custom-.patch diff --git a/queue-5.0/thermal-bcm2835-fix-crash-in-bcm2835_thermal_debugfs.patch b/queue-5.0/thermal-bcm2835-fix-crash-in-bcm2835_thermal_debugfs.patch new file mode 100644 index 0000000000..da78b601e8 --- /dev/null +++ b/queue-5.0/thermal-bcm2835-fix-crash-in-bcm2835_thermal_debugfs.patch 
@@ -0,0 +1,60 @@ +From 494db19f290fd3d107a6e2400a3405ce946aa805 Mon Sep 17 00:00:00 2001 +From: Phil Elwell +Date: Tue, 29 Jan 2019 09:55:57 +0000 +Subject: thermal: bcm2835: Fix crash in bcm2835_thermal_debugfs + +[ Upstream commit 35122495a8c6683e863acf7b05a7036b2be64c7a ] + +"cat /sys/kernel/debug/bcm2835_thermal/regset" causes a NULL pointer +dereference in bcm2835_thermal_debugfs. The driver makes use of the +implementation details of the thermal framework to retrieve a pointer +to its private data from a struct thermal_zone_device, and gets it +wrong - leading to the crash. Instead, store its private data as the +drvdata and retrieve the thermal_zone_device pointer from it. + +Fixes: bcb7dd9ef206 ("thermal: bcm2835: add thermal driver for bcm2835 SoC") + +Signed-off-by: Phil Elwell +Signed-off-by: Zhang Rui +Signed-off-by: Sasha Levin +--- + drivers/thermal/broadcom/bcm2835_thermal.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/drivers/thermal/broadcom/bcm2835_thermal.c b/drivers/thermal/broadcom/bcm2835_thermal.c +index 720760cd493f..ba39647a690c 100644 +--- a/drivers/thermal/broadcom/bcm2835_thermal.c ++++ b/drivers/thermal/broadcom/bcm2835_thermal.c +@@ -119,8 +119,7 @@ static const struct debugfs_reg32 bcm2835_thermal_regs[] = { + + static void bcm2835_thermal_debugfs(struct platform_device *pdev) + { +- struct thermal_zone_device *tz = platform_get_drvdata(pdev); +- struct bcm2835_thermal_data *data = tz->devdata; ++ struct bcm2835_thermal_data *data = platform_get_drvdata(pdev); + struct debugfs_regset32 *regset; + + data->debugfsdir = debugfs_create_dir("bcm2835_thermal", NULL); +@@ -266,7 +265,7 @@ static int bcm2835_thermal_probe(struct platform_device *pdev) + + data->tz = tz; + +- platform_set_drvdata(pdev, tz); ++ platform_set_drvdata(pdev, data); + + /* + * Thermal_zone doesn't enable hwmon as default, +@@ -290,8 +289,8 @@ static int bcm2835_thermal_probe(struct platform_device *pdev) + + static int 
bcm2835_thermal_remove(struct platform_device *pdev) + { +- struct thermal_zone_device *tz = platform_get_drvdata(pdev); +- struct bcm2835_thermal_data *data = tz->devdata; ++ struct bcm2835_thermal_data *data = platform_get_drvdata(pdev); ++ struct thermal_zone_device *tz = data->tz; + + debugfs_remove_recursive(data->debugfsdir); + thermal_zone_of_sensor_unregister(&pdev->dev, tz); +-- +2.19.1 + diff --git a/queue-5.0/thermal-int340x_thermal-add-additional-uuids.patch b/queue-5.0/thermal-int340x_thermal-add-additional-uuids.patch new file mode 100644 index 0000000000..26729467f5 --- /dev/null +++ b/queue-5.0/thermal-int340x_thermal-add-additional-uuids.patch 
@@ -0,0 +1,52 @@
+From 15da243c43f618869f83337299c000d42c8540bf Mon Sep 17 00:00:00 2001
+From: Matthew Garrett
+Date: Wed, 10 Oct 2018 01:30:06 -0700
+Subject: thermal/int340x_thermal: Add additional UUIDs
+
+[ Upstream commit 16fc8eca1975358111dbd7ce65e4ce42d1a848fb ]
+
+Add more supported DPTF policies than the driver currently exposes.
+
+Signed-off-by: Matthew Garrett
+Cc: Nisha Aram
+Signed-off-by: Zhang Rui
+Signed-off-by: Sasha Levin
+---
+ .../intel/int340x_thermal/int3400_thermal.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/drivers/thermal/intel/int340x_thermal/int3400_thermal.c b/drivers/thermal/intel/int340x_thermal/int3400_thermal.c
+index 61ca7ce3624e..e0f39cacbc18 100644
+--- a/drivers/thermal/intel/int340x_thermal/int3400_thermal.c
++++ b/drivers/thermal/intel/int340x_thermal/int3400_thermal.c
+@@ -22,6 +22,13 @@ enum int3400_thermal_uuid {
+ INT3400_THERMAL_PASSIVE_1,
+ INT3400_THERMAL_ACTIVE,
+ INT3400_THERMAL_CRITICAL,
++ INT3400_THERMAL_ADAPTIVE_PERFORMANCE,
++ INT3400_THERMAL_EMERGENCY_CALL_MODE,
++ INT3400_THERMAL_PASSIVE_2,
++ INT3400_THERMAL_POWER_BOSS,
++ INT3400_THERMAL_VIRTUAL_SENSOR,
++ INT3400_THERMAL_COOLING_MODE,
++ INT3400_THERMAL_HARDWARE_DUTY_CYCLING,
+ INT3400_THERMAL_MAXIMUM_UUID,
+ };
+
+@@ -29,6 +36,13 @@ static char *int3400_thermal_uuids[INT3400_THERMAL_MAXIMUM_UUID] = {
+ "42A441D6-AE6A-462b-A84B-4A8CE79027D3",
+ "3A95C389-E4B8-4629-A526-C52C88626BAE",
+ "97C68AE7-15FA-499c-B8C9-5DA81D606E0A",
++ "63BE270F-1C11-48FD-A6F7-3AF253FF3E2D",
++ "5349962F-71E6-431D-9AE8-0A635B710AEE",
++ "9E04115A-AE87-4D1C-9500-0F3E340BFE75",
++ "F5A35014-C209-46A4-993A-EB56DE7530A1",
++ "6ED722A7-9240-48A5-B479-31EEF723D7CF",
++ "16CAF1B7-DD38-40ED-B1C1-1B8A1913D531",
++ "BE84BABF-C4D4-403D-B495-3128FD44dAC1",
+ };
+
+ struct int3400_thermal_priv {
+--
+2.19.1
+
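Review bot: The new entries in `int3400_thermal_uuids[]` are matched to `enum int3400_thermal_uuid` purely by position, so the seven enumerators and seven strings added here have to be kept in the same order by hand. Designated initializers would tie each string to its enumerator and make a missed or misplaced entry visible in review, for example `[INT3400_THERMAL_ADAPTIVE_PERFORMANCE] = "63BE270F-1C11-48FD-A6F7-3AF253FF3E2D",`. Because the array is sized by INT3400_THERMAL_MAXIMUM_UUID, a forgotten string leaves a NULL slot; how the lookup code treats that is outside the hunk.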
diff --git a/queue-5.0/thermal-int340x_thermal-fix-mode-setting.patch b/queue-5.0/thermal-int340x_thermal-fix-mode-setting.patch
new file mode 100644
index 0000000000..819e28312c
--- /dev/null
+++ b/queue-5.0/thermal-int340x_thermal-fix-mode-setting.patch
@@ -0,0 +1,40 @@
+From eee07f6e6c6c550d3c2604b333ca6dcb4c6d4ed3 Mon Sep 17 00:00:00 2001
+From: Matthew Garrett
+Date: Wed, 10 Oct 2018 01:30:07 -0700
+Subject: thermal/int340x_thermal: fix mode setting
+
+[ Upstream commit 396ee4d0cd52c13b3f6421b8d324d65da5e7e409 ]
+
+int3400 only pushes the UUID into the firmware when the mode is flipped
+to "enable". The current code only exposes the mode flag if the firmware
+supports the PASSIVE_1 UUID, which not all machines do. Remove the
+restriction.
+
+Signed-off-by: Matthew Garrett
+Signed-off-by: Zhang Rui
+Signed-off-by: Sasha Levin
+---
+ drivers/thermal/intel/int340x_thermal/int3400_thermal.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/thermal/intel/int340x_thermal/int3400_thermal.c b/drivers/thermal/intel/int340x_thermal/int3400_thermal.c
+index e0f39cacbc18..5f3ed24e26ec 100644
+--- a/drivers/thermal/intel/int340x_thermal/int3400_thermal.c
++++ b/drivers/thermal/intel/int340x_thermal/int3400_thermal.c
+@@ -313,10 +313,9 @@ static int int3400_thermal_probe(struct platform_device *pdev)
+
+ platform_set_drvdata(pdev, priv);
+
+- if (priv->uuid_bitmap & 1 << INT3400_THERMAL_PASSIVE_1) {
+- int3400_thermal_ops.get_mode = int3400_thermal_get_mode;
+- int3400_thermal_ops.set_mode = int3400_thermal_set_mode;
+- }
++ int3400_thermal_ops.get_mode = int3400_thermal_get_mode;
++ int3400_thermal_ops.set_mode = int3400_thermal_set_mode;
++
+ priv->thermal = thermal_zone_device_register("INT3400 Thermal", 0, 0,
+ priv, &int3400_thermal_ops,
+ &int3400_thermal_params, 0, 0);
+--
+2.19.1
+
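Review bot: With the PASSIVE_1 guard removed, int3400_thermal_probe() stores `get_mode` and `set_mode` into the shared `int3400_thermal_ops` unconditionally on every probe, so the two assignments could move into the structure's initializer as `.get_mode = int3400_thermal_get_mode,` and `.set_mode = int3400_thermal_set_mode,`. The definition of int3400_thermal_ops is outside the hunk, so this assumes it is an ordinary static initializer. It is also worth confirming that int3400_thermal_set_mode() behaves sensibly when the PASSIVE_1 bit is not set in `priv->uuid_bitmap`, since that path is newly reachable.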
diff --git a/queue-5.0/thermal-intel_powerclamp-fix-__percpu-declaration-of.patch b/queue-5.0/thermal-intel_powerclamp-fix-__percpu-declaration-of.patch
new file mode 100644
index 0000000000..de1ca721d6
--- /dev/null
+++ b/queue-5.0/thermal-intel_powerclamp-fix-__percpu-declaration-of.patch
@@ -0,0 +1,46 @@
+From 2693057163ddaaa8d3fb9f51f9a7165d96fba599 Mon Sep 17 00:00:00 2001
+From: Luc Van Oostenryck
+Date: Sat, 19 Jan 2019 17:15:23 +0100
+Subject: thermal/intel_powerclamp: fix __percpu declaration of worker_data
+
+[ Upstream commit aa36e3616532f82a920b5ebf4e059fbafae63d88 ]
+
+This variable is declared as:
+ static struct powerclamp_worker_data * __percpu worker_data;
+In other words, a percpu pointer to struct ...
+
+But this variable not used like so but as a pointer to a percpu
+struct powerclamp_worker_data.
+
+So fix the declaration as:
+ static struct powerclamp_worker_data __percpu *worker_data;
+
+This also quiets Sparse's warnings from __verify_pcpu_ptr(), like:
+ 494:49: warning: incorrect type in initializer (different address spaces)
+ 494:49: expected void const [noderef] *__vpp_verify
+ 494:49: got struct powerclamp_worker_data *
+
+Signed-off-by: Luc Van Oostenryck
+Reviewed-by: Petr Mladek
+Signed-off-by: Zhang Rui
+Signed-off-by: Sasha Levin
+---
+ drivers/thermal/intel/intel_powerclamp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/thermal/intel/intel_powerclamp.c b/drivers/thermal/intel/intel_powerclamp.c
+index 7571f7c2e7c9..b12ecd436e23 100644
+--- a/drivers/thermal/intel/intel_powerclamp.c
++++ b/drivers/thermal/intel/intel_powerclamp.c
+@@ -101,7 +101,7 @@ struct powerclamp_worker_data {
+ bool clamping;
+ };
+
+-static struct powerclamp_worker_data * __percpu worker_data;
++static struct powerclamp_worker_data __percpu *worker_data;
+ static struct thermal_cooling_device *cooling_dev;
+ static unsigned long *cpu_clamping_mask; /* bit map for tracking per cpu
+ * clamping kthread worker
+--
+2.19.1
+
diff --git a/queue-5.0/thermal-intel_powerclamp-fix-truncated-kthread-name.patch b/queue-5.0/thermal-intel_powerclamp-fix-truncated-kthread-name.patch
new file mode 100644
index 0000000000..6cd3a973a6
--- /dev/null
+++ b/queue-5.0/thermal-intel_powerclamp-fix-truncated-kthread-name.patch
@@ -0,0 +1,34 @@
+From 414addde0a22cacbf74ecca689514d3fc2532ebd Mon Sep 17 00:00:00 2001
+From: Zhang Rui
+Date: Mon, 18 Mar 2019 22:26:33 +0800
+Subject: thermal/intel_powerclamp: fix truncated kthread name
+
+[ Upstream commit e925b5be5751f6a7286bbd9a4cbbc4ac90cc5fa6 ]
+
+kthread name only allows 15 characters (TASK_COMMON_LEN is 16).
+Thus rename the kthreads created by intel_powerclamp driver from
+"kidle_inject/ + decimal cpuid" to "kidle_inj/ + decimal cpuid"
+to avoid truncated kthead name for cpu 100 and later.
+
+Signed-off-by: Zhang Rui
+Signed-off-by: Sasha Levin
+---
+ drivers/thermal/intel/intel_powerclamp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/thermal/intel/intel_powerclamp.c b/drivers/thermal/intel/intel_powerclamp.c
+index b12ecd436e23..ac7256b5f020 100644
+--- a/drivers/thermal/intel/intel_powerclamp.c
++++ b/drivers/thermal/intel/intel_powerclamp.c
+@@ -494,7 +494,7 @@ static void start_power_clamp_worker(unsigned long cpu)
+ struct powerclamp_worker_data *w_data = per_cpu_ptr(worker_data, cpu);
+ struct kthread_worker *worker;
+
+- worker = kthread_create_worker_on_cpu(cpu, 0, "kidle_inject/%ld", cpu);
++ worker = kthread_create_worker_on_cpu(cpu, 0, "kidle_inj/%ld", cpu);
+ if (IS_ERR(worker))
+ return;
+
+--
+2.19.1
+
diff --git a/queue-5.0/thermal-samsung-fix-incorrect-check-after-code-merge.patch b/queue-5.0/thermal-samsung-fix-incorrect-check-after-code-merge.patch
new file mode 100644
index 0000000000..b2bd7c3660
--- /dev/null
+++ b/queue-5.0/thermal-samsung-fix-incorrect-check-after-code-merge.patch
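Review bot: The format string in start_power_clamp_worker() prints `cpu` with `%ld` although the hunk header declares the parameter as `unsigned long cpu`; since this line is being rewritten anyway it should read `worker = kthread_create_worker_on_cpu(cpu, 0, "kidle_inj/%lu", cpu);`. The shortened prefix is 10 characters, which under the 15-character limit given in the commit message leaves room for five digits of CPU number. The function body continues past the end of the hunk.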
@@ -0,0 +1,41 @@
+From 32f9d4e428f7a8d607fbb49b1a2db33fff58d9c5 Mon Sep 17 00:00:00 2001
+From: Marek Szyprowski
+Date: Tue, 22 Jan 2019 16:47:41 +0100
+Subject: thermal: samsung: Fix incorrect check after code merge
+
+[ Upstream commit 3b5236cc5d086dd3ddd01113ee9255421aab9fab ]
+
+Merge commit 19785cf93b6c ("Merge branch 'linus' of
+git://git.kernel.org/pub/scm/linux/kernel/git/evalenti/linux-soc-thermal")
+broke the code introduced by commit ffe6e16f14fa ("thermal: exynos: Reduce
+severity of too early temperature read"). Restore the original code from
+the mentioned commit to finally fix the warning message during boot:
+
+thermal thermal_zone0: failed to read out thermal zone (-22)
+
+Reported-by: Marian Mihailescu
+Signed-off-by: Marek Szyprowski
+Fixes: 19785cf93b6c ("Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/evalenti/linux-soc-thermal")
+Reviewed-by: Krzysztof Kozlowski
+Signed-off-by: Zhang Rui
+Signed-off-by: Sasha Levin
+---
+ drivers/thermal/samsung/exynos_tmu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/thermal/samsung/exynos_tmu.c b/drivers/thermal/samsung/exynos_tmu.c
+index 48eef552cba4..fc9399d9c082 100644
+--- a/drivers/thermal/samsung/exynos_tmu.c
++++ b/drivers/thermal/samsung/exynos_tmu.c
+@@ -666,7 +666,7 @@ static int exynos_get_temp(void *p, int *temp)
+ struct exynos_tmu_data *data = p;
+ int value, ret = 0;
+
+- if (!data || !data->tmu_read || !data->enabled)
++ if (!data || !data->tmu_read)
+ return -EINVAL;
+ else if (!data->enabled)
+ /*
+--
+2.19.1
+
diff --git a/queue-5.0/tools-power-turbostat-return-the-exit-status-of-a-co.patch b/queue-5.0/tools-power-turbostat-return-the-exit-status-of-a-co.patch
new file mode 100644
index 0000000000..0ebfde6deb
--- /dev/null
+++ b/queue-5.0/tools-power-turbostat-return-the-exit-status-of-a-co.patch
@@ -0,0 +1,37 @@
+From fac09c9a92d327c758ae680676d6a228783f4ac0 Mon Sep 17 00:00:00 2001
+From: David Arcari
+Date: Tue, 12 Feb 2019 09:34:39 -0500
+Subject: tools/power turbostat: return the exit status of a command
+
+[ Upstream commit 2a95496634a017c19641f26f00907af75b962f01 ]
+
+turbostat failed to return a non-zero exit status even though the
+supplied command (turbostat ) failed. Currently when turbostat
+forks a command it returns zero instead of the actual exit status of the
+command. Modify the code to return the exit status.
+
+Signed-off-by: David Arcari
+Acked-by: Len Brown
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+---
+ tools/power/x86/turbostat/turbostat.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c
+index 9327c0ddc3a5..c3fad065c89c 100644
+--- a/tools/power/x86/turbostat/turbostat.c
++++ b/tools/power/x86/turbostat/turbostat.c
+@@ -5077,6 +5077,9 @@ int fork_it(char **argv)
+ signal(SIGQUIT, SIG_IGN);
+ if (waitpid(child_pid, &status, 0) == -1)
+ err(status, "waitpid");
++
++ if (WIFEXITED(status))
++ status = WEXITSTATUS(status);
+ }
+ /*
+ * n.b. fork_it() does not check for errors from for_all_cpus()
+--
+2.19.1
+
diff --git a/queue-5.0/x86-cpu-cyrix-use-correct-macros-for-cyrix-calls-on-.patch b/queue-5.0/x86-cpu-cyrix-use-correct-macros-for-cyrix-calls-on-.patch
new file mode 100644
index 0000000000..840486735b
--- /dev/null
+++ b/queue-5.0/x86-cpu-cyrix-use-correct-macros-for-cyrix-calls-on-.patch
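Review bot: In fork_it(), the added block converts `status` only when `WIFEXITED(status)` is true, so a command killed by a signal leaves the raw wait status in `status`. If that value is what the function goes on to return (the return is outside the hunk), the caller gets an encoding-dependent number rather than an exit code; adding `else if (WIFSIGNALED(status)) status = 128 + WTERMSIG(status);` would follow the usual shell convention. Separately, the unchanged `err(status, "waitpid")` line above uses `status` as the exit code on a path where waitpid() failed and may not have written it; its initial value is not visible here.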
@@ -0,0 +1,108 @@ +From 763e1fe4eda8282fc23a6364b7fda513695f0b99 Mon Sep 17 00:00:00 2001 +From: Matthew Whitehead +Date: Thu, 14 Mar 2019 16:46:00 -0400 +Subject: x86/cpu/cyrix: Use correct macros for Cyrix calls on Geode processors + +[ Upstream commit 18fb053f9b827bd98cfc64f2a35df8ab19745a1d ] + +There are comments in processor-cyrix.h advising you to _not_ make calls +using the deprecated macros in this style: + + setCx86_old(CX86_CCR4, getCx86_old(CX86_CCR4) | 0x80); + +This is because it expands the macro into a non-functioning calling +sequence. The calling order must be: + + outb(CX86_CCR2, 0x22); + inb(0x23); + +From the comments: + + * When using the old macros a line like + * setCx86(CX86_CCR2, getCx86(CX86_CCR2) | 0x88); + * gets expanded to: + * do { + * outb((CX86_CCR2), 0x22); + * outb((({ + * outb((CX86_CCR2), 0x22); + * inb(0x23); + * }) | 0x88), 0x23); + * } while (0); + +The new macros fix this problem, so use them instead. Tested on an +actual Geode processor. + +Signed-off-by: Matthew Whitehead +Signed-off-by: Thomas Gleixner +Cc: luto@kernel.org +Link: https://lkml.kernel.org/r/1552596361-8967-2-git-send-email-tedheadster@gmail.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/cyrix.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/arch/x86/kernel/cpu/cyrix.c b/arch/x86/kernel/cpu/cyrix.c +index d12226f60168..1d9b8aaea06c 100644 +--- a/arch/x86/kernel/cpu/cyrix.c ++++ b/arch/x86/kernel/cpu/cyrix.c +@@ -124,7 +124,7 @@ static void set_cx86_reorder(void) + setCx86(CX86_CCR3, (ccr3 & 0x0f) | 0x10); /* enable MAPEN */ + + /* Load/Store Serialize to mem access disable (=reorder it) */ +- setCx86_old(CX86_PCR0, getCx86_old(CX86_PCR0) & ~0x80); ++ setCx86(CX86_PCR0, getCx86(CX86_PCR0) & ~0x80); + /* set load/store serialize from 1GB to 4GB */ + ccr3 |= 0xe0; + setCx86(CX86_CCR3, ccr3); +@@ -135,11 +135,11 @@ static void set_cx86_memwb(void) + pr_info("Enable Memory-Write-back mode on Cyrix/NSC 
processor.\n"); + + /* CCR2 bit 2: unlock NW bit */ +- setCx86_old(CX86_CCR2, getCx86_old(CX86_CCR2) & ~0x04); ++ setCx86(CX86_CCR2, getCx86(CX86_CCR2) & ~0x04); + /* set 'Not Write-through' */ + write_cr0(read_cr0() | X86_CR0_NW); + /* CCR2 bit 2: lock NW bit and set WT1 */ +- setCx86_old(CX86_CCR2, getCx86_old(CX86_CCR2) | 0x14); ++ setCx86(CX86_CCR2, getCx86(CX86_CCR2) | 0x14); + } + + /* +@@ -153,14 +153,14 @@ static void geode_configure(void) + local_irq_save(flags); + + /* Suspend on halt power saving and enable #SUSP pin */ +- setCx86_old(CX86_CCR2, getCx86_old(CX86_CCR2) | 0x88); ++ setCx86(CX86_CCR2, getCx86(CX86_CCR2) | 0x88); + + ccr3 = getCx86(CX86_CCR3); + setCx86(CX86_CCR3, (ccr3 & 0x0f) | 0x10); /* enable MAPEN */ + + + /* FPU fast, DTE cache, Mem bypass */ +- setCx86_old(CX86_CCR4, getCx86_old(CX86_CCR4) | 0x38); ++ setCx86(CX86_CCR4, getCx86(CX86_CCR4) | 0x38); + setCx86(CX86_CCR3, ccr3); /* disable MAPEN */ + + set_cx86_memwb(); +@@ -296,7 +296,7 @@ static void init_cyrix(struct cpuinfo_x86 *c) + /* GXm supports extended cpuid levels 'ala' AMD */ + if (c->cpuid_level == 2) { + /* Enable cxMMX extensions (GX1 Datasheet 54) */ +- setCx86_old(CX86_CCR7, getCx86_old(CX86_CCR7) | 1); ++ setCx86(CX86_CCR7, getCx86(CX86_CCR7) | 1); + + /* + * GXm : 0x30 ... 0x5f GXm datasheet 51 +@@ -319,7 +319,7 @@ static void init_cyrix(struct cpuinfo_x86 *c) + if (dir1 > 7) { + dir0_msn++; /* M II */ + /* Enable MMX extensions (App note 108) */ +- setCx86_old(CX86_CCR7, getCx86_old(CX86_CCR7)|1); ++ setCx86(CX86_CCR7, getCx86(CX86_CCR7)|1); + } else { + /* A 6x86MX - it has the bug. */ + set_cpu_bug(c, X86_BUG_COMA); +-- +2.19.1 + diff --git a/queue-5.0/x86-gart-exclude-gart-aperture-from-kcore.patch b/queue-5.0/x86-gart-exclude-gart-aperture-from-kcore.patch new file mode 100644 index 0000000000..c92f7ace26 --- /dev/null +++ b/queue-5.0/x86-gart-exclude-gart-aperture-from-kcore.patch 
@@ -0,0 +1,172 @@
+From 2936d7f923733a397409432e87036f42c59eacca Mon Sep 17 00:00:00 2001
+From: Kairui Song
+Date: Fri, 8 Mar 2019 11:05:08 +0800
+Subject: x86/gart: Exclude GART aperture from kcore
+
+[ Upstream commit ffc8599aa9763f39f6736a79da4d1575e7006f9a ]
+
+On machines where the GART aperture is mapped over physical RAM,
+/proc/kcore contains the GART aperture range. Accessing the GART range via
+/proc/kcore results in a kernel crash.
+
+vmcore used to have the same issue, until it was fixed with commit
+2a3e83c6f96c ("x86/gart: Exclude GART aperture from vmcore")', leveraging
+existing hook infrastructure in vmcore to let /proc/vmcore return zeroes
+when attempting to read the aperture region, and so it won't read from the
+actual memory.
+
+Apply the same workaround for kcore. First implement the same hook
+infrastructure for kcore, then reuse the hook functions introduced in the
+previous vmcore fix. Just with some minor adjustment, rename some functions
+for more general usage, and simplify the hook infrastructure a bit as there
+is no module usage yet.
+
+Suggested-by: Baoquan He
+Signed-off-by: Kairui Song
+Signed-off-by: Thomas Gleixner
+Reviewed-by: Jiri Bohac
+Acked-by: Baoquan He
+Cc: Borislav Petkov
+Cc: "H. Peter Anvin"
+Cc: Alexey Dobriyan
+Cc: Andrew Morton
+Cc: Omar Sandoval
+Cc: Dave Young
+Link: https://lkml.kernel.org/r/20190308030508.13548-1-kasong@redhat.com
+Signed-off-by: Sasha Levin
+---
+ arch/x86/kernel/aperture_64.c | 20 +++++++++++++-------
+ fs/proc/kcore.c | 27 +++++++++++++++++++++++++++
+ include/linux/kcore.h | 2 ++
+ 3 files changed, 42 insertions(+), 7 deletions(-)
+
+diff --git a/arch/x86/kernel/aperture_64.c b/arch/x86/kernel/aperture_64.c
+index 58176b56354e..294ed4392a0e 100644
+--- a/arch/x86/kernel/aperture_64.c
++++ b/arch/x86/kernel/aperture_64.c
+@@ -14,6 +14,7 @@
+ #define pr_fmt(fmt) "AGP: " fmt
+
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -57,7 +58,7 @@ int fallback_aper_force __initdata;
+
+ int fix_aperture __initdata = 1;
+
+-#ifdef CONFIG_PROC_VMCORE
++#if defined(CONFIG_PROC_VMCORE) || defined(CONFIG_PROC_KCORE)
+ /*
+ * If the first kernel maps the aperture over e820 RAM, the kdump kernel will
+ * use the same range because it will remain configured in the northbridge.
+@@ -66,20 +67,25 @@ int fix_aperture __initdata = 1;
+ */
+ static unsigned long aperture_pfn_start, aperture_page_count;
+
+-static int gart_oldmem_pfn_is_ram(unsigned long pfn)
++static int gart_mem_pfn_is_ram(unsigned long pfn)
+ {
+ return likely((pfn < aperture_pfn_start) ||
+ (pfn >= aperture_pfn_start + aperture_page_count));
+ }
+
+-static void exclude_from_vmcore(u64 aper_base, u32 aper_order)
++static void __init exclude_from_core(u64 aper_base, u32 aper_order)
+ {
+ aperture_pfn_start = aper_base >> PAGE_SHIFT;
+ aperture_page_count = (32 * 1024 * 1024) << aper_order >> PAGE_SHIFT;
+- WARN_ON(register_oldmem_pfn_is_ram(&gart_oldmem_pfn_is_ram));
++#ifdef CONFIG_PROC_VMCORE
++ WARN_ON(register_oldmem_pfn_is_ram(&gart_mem_pfn_is_ram));
++#endif
++#ifdef CONFIG_PROC_KCORE
++ WARN_ON(register_mem_pfn_is_ram(&gart_mem_pfn_is_ram));
++#endif
+ }
+ #else
+-static void exclude_from_vmcore(u64 aper_base, u32 aper_order)
++static void exclude_from_core(u64 aper_base, u32 aper_order)
+ {
+ }
+ #endif
+@@ -474,7 +480,7 @@ int __init gart_iommu_hole_init(void)
+ * may have allocated the range over its e820 RAM
+ * and fixed up the northbridge
+ */
+- exclude_from_vmcore(last_aper_base, last_aper_order);
++ exclude_from_core(last_aper_base, last_aper_order);
+
+ return 1;
+ }
+@@ -520,7 +526,7 @@ int __init gart_iommu_hole_init(void)
+ * overlap with the first kernel's memory. We can't access the
+ * range through vmcore even though it should be part of the dump.
+ */
+- exclude_from_vmcore(aper_alloc, aper_order);
++ exclude_from_core(aper_alloc, aper_order);
+
+ /* Fix up the north bridges */
+ for (i = 0; i < amd_nb_bus_dev_ranges[i].dev_limit; i++) {
+diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c
+index bbcc185062bb..d29d869abec1 100644
+--- a/fs/proc/kcore.c
++++ b/fs/proc/kcore.c
+@@ -54,6 +54,28 @@ static LIST_HEAD(kclist_head);
+ static DECLARE_RWSEM(kclist_lock);
+ static int kcore_need_update = 1;
+
++/*
++ * Returns > 0 for RAM pages, 0 for non-RAM pages, < 0 on error
++ * Same as oldmem_pfn_is_ram in vmcore
++ */
++static int (*mem_pfn_is_ram)(unsigned long pfn);
++
++int __init register_mem_pfn_is_ram(int (*fn)(unsigned long pfn))
++{
++ if (mem_pfn_is_ram)
++ return -EBUSY;
++ mem_pfn_is_ram = fn;
++ return 0;
++}
++
++static int pfn_is_ram(unsigned long pfn)
++{
++ if (mem_pfn_is_ram)
++ return mem_pfn_is_ram(pfn);
++ else
++ return 1;
++}
++
+ /* This doesn't grab kclist_lock, so it should only be used at init time. */
+ void __init kclist_add(struct kcore_list *new, void *addr, size_t size,
+ int type)
+@@ -465,6 +487,11 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos)
+ goto out;
+ }
+ m = NULL; /* skip the list anchor */
++ } else if (!pfn_is_ram(__pa(start) >> PAGE_SHIFT)) {
++ if (clear_user(buffer, tsz)) {
++ ret = -EFAULT;
++ goto out;
++ }
+ } else if (m->type == KCORE_VMALLOC) {
+ vread(buf, (char *)start, tsz);
+ /* we have to zero-fill user buffer even if no read */
+diff --git a/include/linux/kcore.h b/include/linux/kcore.h
+index 8c3f8c14eeaa..c843f4a9c512 100644
+--- a/include/linux/kcore.h
++++ b/include/linux/kcore.h
+@@ -44,6 +44,8 @@ void kclist_add_remap(struct kcore_list *m, void *addr, void *vaddr, size_t sz)
+ m->vaddr = (unsigned long)vaddr;
+ kclist_add(m, addr, sz, KCORE_REMAP);
+ }
++
++extern int __init register_mem_pfn_is_ram(int (*fn)(unsigned long pfn));
+ #else
+ static inline
+ void kclist_add(struct kcore_list *new, void *addr, size_t size, int type)
+--
+2.19.1
+
diff --git a/queue-5.0/x86-hpet-prevent-potential-null-pointer-dereference.patch b/queue-5.0/x86-hpet-prevent-potential-null-pointer-dereference.patch
new file mode 100644
index 0000000000..a2e41a3af4
--- /dev/null
+++ b/queue-5.0/x86-hpet-prevent-potential-null-pointer-dereference.patch
@@ -0,0 +1,43 @@
+From 480c561b5546a64ca3a811b02768758f5bc8cdc2 Mon Sep 17 00:00:00 2001
+From: Aditya Pakki
+Date: Mon, 18 Mar 2019 21:19:56 -0500
+Subject: x86/hpet: Prevent potential NULL pointer dereference
+
+[ Upstream commit 2e84f116afca3719c9d0a1a78b47b48f75fd5724 ]
+
+hpet_virt_address may be NULL when ioremap_nocache fail, but the code lacks
+a check.
+
+Add a check to prevent NULL pointer dereference.
+
+Signed-off-by: Aditya Pakki
+Signed-off-by: Thomas Gleixner
+Cc: kjlu@umn.edu
+Cc: Borislav Petkov
+Cc: "H. Peter Anvin"
+Cc: Kees Cook
+Cc: Joe Perches
+Cc: Nicolai Stange
+Cc: Roland Dreier
+Link: https://lkml.kernel.org/r/20190319021958.17275-1-pakki001@umn.edu
+Signed-off-by: Sasha Levin
+---
+ arch/x86/kernel/hpet.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/x86/kernel/hpet.c b/arch/x86/kernel/hpet.c
+index dfd3aca82c61..fb32925a2e62 100644
+--- a/arch/x86/kernel/hpet.c
++++ b/arch/x86/kernel/hpet.c
+@@ -905,6 +905,8 @@ int __init hpet_enable(void)
+ return 0;
+
+ hpet_set_mapping();
++ if (!hpet_virt_address)
++ return 0;
+
+ /*
+ * Read the period and check for a sane value:
+--
+2.19.1
+
diff --git a/queue-5.0/x86-hw_breakpoints-make-default-case-in-hw_breakpoin.patch b/queue-5.0/x86-hw_breakpoints-make-default-case-in-hw_breakpoin.patch
new file mode 100644
index 0000000000..c3e2436272
--- /dev/null
+++ b/queue-5.0/x86-hw_breakpoints-make-default-case-in-hw_breakpoin.patch
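Review bot: In the read_kcore hunk of fs/proc/kcore.c the new `pfn_is_ram(__pa(start) >> PAGE_SHIFT)` branch sits ahead of the `m->type == KCORE_VMALLOC` test, so it is evaluated for every list entry type, including addresses outside the direct mapping for which `__pa()` is not a meaningful translation. One option is to restrict the check to directly mapped RAM entries, which keeps the aperture exclusion without computing a bogus pfn: `} else if (m->type == KCORE_RAM && !pfn_is_ram(__pa(start) >> PAGE_SHIFT)) {`. Separately, `register_mem_pfn_is_ram()` stores the hook without locking, which is fine only while registration stays single-threaded at boot as its `__init` annotation suggests; a one-line comment saying so would help. read_kcore's body continues outside the hunk.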
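Review bot: The added `return 0` after a failed mapping is silent, so a system that loses its HPET this way leaves no trace in the log; a line such as `pr_warn("HPET: failed to map registers\n");` before the return would make the condition diagnosable. The hunk also does not show whether hpet_enable()'s other failure paths reset state (for example the recorded HPET address) before returning; if they do, this early return should leave through the same exit so later code does not treat the timer as present. hpet_enable starts and ends outside the hunk.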
@@ -0,0 +1,48 @@
+From c59bb028007484b243e2fe3696e60c3cee399df7 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor
+Date: Thu, 7 Mar 2019 14:27:56 -0700
+Subject: x86/hw_breakpoints: Make default case in hw_breakpoint_arch_parse()
+ return an error
+
+[ Upstream commit e898e69d6b9475bf123f99b3c5d1a67bb7cb2361 ]
+
+When building with -Wsometimes-uninitialized, Clang warns:
+
+arch/x86/kernel/hw_breakpoint.c:355:2: warning: variable 'align' is used
+uninitialized whenever switch default is taken
+[-Wsometimes-uninitialized]
+
+The default cannot be reached because arch_build_bp_info() initializes
+hw->len to one of the specified cases. Nevertheless the warning is valid
+and returning -EINVAL makes sure that this cannot be broken by future
+modifications.
+
+Suggested-by: Nick Desaulniers
+Signed-off-by: Nathan Chancellor
+Signed-off-by: Thomas Gleixner
+Reviewed-by: Nick Desaulniers
+Cc: Borislav Petkov
+Cc: "H. Peter Anvin"
+Cc: clang-built-linux@googlegroups.com
+Link: https://github.com/ClangBuiltLinux/linux/issues/392
+Link: https://lkml.kernel.org/r/20190307212756.4648-1-natechancellor@gmail.com
+Signed-off-by: Sasha Levin
+---
+ arch/x86/kernel/hw_breakpoint.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/x86/kernel/hw_breakpoint.c b/arch/x86/kernel/hw_breakpoint.c
+index 34a5c1715148..2882fe1d2a78 100644
+--- a/arch/x86/kernel/hw_breakpoint.c
++++ b/arch/x86/kernel/hw_breakpoint.c
+@@ -357,6 +357,7 @@ int hw_breakpoint_arch_parse(struct perf_event *bp,
+ #endif
+ default:
+ WARN_ON_ONCE(1);
++ return -EINVAL;
+ }
+
+ /*
+--
+2.19.1
+
diff --git a/queue-5.0/x86-hyperv-prevent-potential-null-pointer-dereferenc.patch b/queue-5.0/x86-hyperv-prevent-potential-null-pointer-dereferenc.patch
new file mode 100644
index 0000000000..15704136b8
--- /dev/null
+++ b/queue-5.0/x86-hyperv-prevent-potential-null-pointer-dereferenc.patch
@@ -0,0 +1,53 @@
+From a4166c299e17de314732633083260ba9ef5b5f24 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu
+Date: Thu, 14 Mar 2019 00:46:51 -0500
+Subject: x86/hyperv: Prevent potential NULL pointer dereference
+
+[ Upstream commit 534c89c22e26b183d838294f0937ee092c82ad3a ]
+
+The page allocation in hv_cpu_init() can fail, but the code does not
+have a check for that.
+
+Add a check and return -ENOMEM when the allocation fails.
+
+[ tglx: Massaged changelog ]
+
+Signed-off-by: Kangjie Lu
+Signed-off-by: Thomas Gleixner
+Reviewed-by: Mukesh Ojha
+Acked-by: "K. Y. Srinivasan"
+Cc: pakki001@umn.edu
+Cc: Haiyang Zhang
+Cc: Stephen Hemminger
+Cc: Sasha Levin
+Cc: Borislav Petkov
+Cc: "H. Peter Anvin"
+Cc: linux-hyperv@vger.kernel.org
+Link: https://lkml.kernel.org/r/20190314054651.1315-1-kjlu@umn.edu
+Signed-off-by: Sasha Levin
+---
+ arch/x86/hyperv/hv_init.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/hyperv/hv_init.c b/arch/x86/hyperv/hv_init.c
+index d3f42b6bbdac..8a9cff1f129d 100644
+--- a/arch/x86/hyperv/hv_init.c
++++ b/arch/x86/hyperv/hv_init.c
+@@ -102,9 +102,13 @@ static int hv_cpu_init(unsigned int cpu)
+ u64 msr_vp_index;
+ struct hv_vp_assist_page **hvp = &hv_vp_assist_page[smp_processor_id()];
+ void **input_arg;
++ struct page *pg;
+
+ input_arg = (void **)this_cpu_ptr(hyperv_pcpu_input_arg);
+- *input_arg = page_address(alloc_page(GFP_KERNEL));
++ pg = alloc_page(GFP_KERNEL);
++ if (unlikely(!pg))
++ return -ENOMEM;
++ *input_arg = page_address(pg);
+
+ hv_get_vp_index(msr_vp_index);
+
+--
+2.19.1
+
diff --git a/queue-5.0/x86-mm-don-t-leak-kernel-addresses.patch b/queue-5.0/x86-mm-don-t-leak-kernel-addresses.patch
new file mode 100644
index 0000000000..68b7552272
--- /dev/null
+++ b/queue-5.0/x86-mm-don-t-leak-kernel-addresses.patch
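Review bot: `*input_arg` is overwritten unconditionally with the freshly allocated page, so if hv_cpu_init() can run again for a CPU whose earlier page was not released, the old page is leaked; the release path is not visible in this hunk. The ownership should be stated next to the allocation, e.g. `/* per-CPU hypercall input page; must be freed and reset to NULL when the CPU goes offline */`, after confirming that such a path exists. `unlikely()` adds nothing on this cold path and could be dropped: `if (!pg)`. hv_cpu_init continues outside the hunk.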
@@ -0,0 +1,49 @@
+From 61a5c0ccbca811dd5e252e8f9b7fb9bbc0fd6602 Mon Sep 17 00:00:00 2001
+From: Matteo Croce
+Date: Mon, 18 Mar 2019 22:24:03 +0100
+Subject: x86/mm: Don't leak kernel addresses
+
+[ Upstream commit a3151724437f54076cc10bc02b1c4f0003ae36cd ]
+
+Since commit:
+
+ ad67b74d2469d9b8 ("printk: hash addresses printed with %p")
+
+at boot "____ptrval____" is printed instead of actual addresses:
+
+ found SMP MP-table at [mem 0x000f5cc0-0x000f5ccf] mapped at [(____ptrval____)]
+
+Instead of changing the print to "%px", and leaking a kernel addresses,
+just remove the print completely, like in:
+
+ 071929dbdd865f77 ("arm64: Stop printing the virtual memory layout").
+
+Signed-off-by: Matteo Croce
+Cc: Borislav Petkov
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Signed-off-by: Ingo Molnar
+Signed-off-by: Sasha Levin
+---
+ arch/x86/kernel/mpparse.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kernel/mpparse.c b/arch/x86/kernel/mpparse.c
+index 3482460d984d..1bfe5c6e6cfe 100644
+--- a/arch/x86/kernel/mpparse.c
++++ b/arch/x86/kernel/mpparse.c
+@@ -598,8 +598,8 @@ static int __init smp_scan_config(unsigned long base, unsigned long length)
+ mpf_base = base;
+ mpf_found = true;
+
+- pr_info("found SMP MP-table at [mem %#010lx-%#010lx] mapped at [%p]\n",
+- base, base + sizeof(*mpf) - 1, mpf);
++ pr_info("found SMP MP-table at [mem %#010lx-%#010lx]\n",
++ base, base + sizeof(*mpf) - 1);
+
+ memblock_reserve(base, sizeof(*mpf));
+ if (mpf->physptr)
+--
+2.19.1
+
--
2.39.2
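Review bot: Nothing next to the shortened `pr_info()` records why the mapped address is no longer printed, so a later debugging change could reintroduce it with `%px`. A short comment above the call would preserve the intent, e.g. `/* Log only the physical range; the virtual address of mpf must not reach the kernel log */`. smp_scan_config starts and ends outside the hunk.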