From: Greg Kroah-Hartman Date: Mon, 18 May 2020 13:42:00 +0000 (+0200) Subject: 5.6-stable patches X-Git-Tag: v4.4.224~23 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=08a7cd019ff3c212ad0af5c05ea5d2fd3b7629c5;p=thirdparty%2Fkernel%2Fstable-queue.git 5.6-stable patches added patches: arm-dts-dra7-fix-bus_dma_limit-for-pcie.patch arm-dts-imx27-phytec-phycard-s-rdk-fix-the-i2c1-pinctrl-entries.patch arm-dts-imx6dl-yapp4-fix-ursa-board-ethernet-connection.patch cifs-fix-leaked-reference-on-requeued-write.patch drm-amd-amdgpu-add-raven1-part-to-the-gfxoff-quirk-list.patch drm-amd-display-add-basic-atomic-check-for-cursor-plane.patch drm-i915-tgl-fix-interrupt-handling-for-dp-aux-transactions.patch kvm-x86-fix-pkru-save-restore-when-guest-cr4.pke-0-move-it-to-x86.c.patch make-the-reducing-compressed-framebufer-size-message-be-drm_info_once.patch powerpc-32s-fix-build-failure-with-config_ppc_kuap_debug.patch powerpc-vdso32-fallback-on-getres-syscall-when-clock-is-unknown.patch usb-gadget-fix-illegal-array-access-in-binding-with-udc.patch usb-xhci-fix-null-pointer-dereference-when-enqueuing-trbs-from-urb-sg-list.patch x86-fix-early-boot-crash-on-gcc-10-third-try.patch
---
diff --git a/queue-5.6/arm-dts-dra7-fix-bus_dma_limit-for-pcie.patch b/queue-5.6/arm-dts-dra7-fix-bus_dma_limit-for-pcie.patch
new file mode 100644
index 00000000000..e2e2659a268
--- /dev/null
+++ b/queue-5.6/arm-dts-dra7-fix-bus_dma_limit-for-pcie.patch
@@ -0,0 +1,59 @@ +From 90d4d3f4ea45370d482fa609dbae4d2281b4074f Mon Sep 17 00:00:00 2001 +From: Kishon Vijay Abraham I +Date: Fri, 17 Apr 2020 12:13:40 +0530 +Subject: ARM: dts: dra7: Fix bus_dma_limit for PCIe + +From: Kishon Vijay Abraham I + +commit 90d4d3f4ea45370d482fa609dbae4d2281b4074f upstream. + +Even though commit cfb5d65f2595 ("ARM: dts: dra7: Add bus_dma_limit +for L3 bus") added bus_dma_limit for L3 bus, the PCIe controller +gets incorrect value of bus_dma_limit. + +Fix it by adding empty dma-ranges property to axi@0 and axi@1 +(parent device tree node of PCIe controller). + +Cc: stable@kernel.org +Signed-off-by: Kishon Vijay Abraham I +Signed-off-by: Tony Lindgren +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/dra7.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm/boot/dts/dra7.dtsi ++++ b/arch/arm/boot/dts/dra7.dtsi +@@ -172,6 +172,7 @@ + #address-cells = <1>; + ranges = <0x51000000 0x51000000 0x3000 + 0x0 0x20000000 0x10000000>; ++ dma-ranges; + /** + * To enable PCI endpoint mode, disable the pcie1_rc + * node and enable pcie1_ep mode. +@@ -185,7 +186,6 @@ + device_type = "pci"; + ranges = <0x81000000 0 0 0x03000 0 0x00010000 + 0x82000000 0 0x20013000 0x13000 0 0xffed000>; +- dma-ranges = <0x02000000 0x0 0x00000000 0x00000000 0x1 0x00000000>; + bus-range = <0x00 0xff>; + #interrupt-cells = <1>; + num-lanes = <1>; +@@ -230,6 +230,7 @@ + #address-cells = <1>; + ranges = <0x51800000 0x51800000 0x3000 + 0x0 0x30000000 0x10000000>; ++ dma-ranges; + status = "disabled"; + pcie2_rc: pcie@51800000 { + reg = <0x51800000 0x2000>, <0x51802000 0x14c>, <0x1000 0x2000>; +@@ -240,7 +241,6 @@ + device_type = "pci"; + ranges = <0x81000000 0 0 0x03000 0 0x00010000 + 0x82000000 0 0x30013000 0x13000 0 0xffed000>; +- dma-ranges = <0x02000000 0x0 0x00000000 0x00000000 0x1 0x00000000>; + bus-range = <0x00 0xff>; + #interrupt-cells = <1>; + num-lanes = <1>; 
diff --git a/queue-5.6/arm-dts-imx27-phytec-phycard-s-rdk-fix-the-i2c1-pinctrl-entries.patch b/queue-5.6/arm-dts-imx27-phytec-phycard-s-rdk-fix-the-i2c1-pinctrl-entries.patch new file mode 100644 index 00000000000..3851bc305c4 --- /dev/null +++ b/queue-5.6/arm-dts-imx27-phytec-phycard-s-rdk-fix-the-i2c1-pinctrl-entries.patch @@ -0,0 +1,43 @@ +From 0caf34350a25907515d929a9c77b9b206aac6d1e Mon Sep 17 00:00:00 2001 +From: Fabio Estevam +Date: Fri, 27 Mar 2020 10:36:24 -0300 +Subject: ARM: dts: imx27-phytec-phycard-s-rdk: Fix the I2C1 pinctrl entries + +From: Fabio Estevam + +commit 0caf34350a25907515d929a9c77b9b206aac6d1e upstream. + +The I2C2 pins are already used and the following errors are seen: + +imx27-pinctrl 10015000.iomuxc: pin MX27_PAD_I2C2_SDA already requested by 10012000.i2c; cannot claim for 1001d000.i2c +imx27-pinctrl 10015000.iomuxc: pin-69 (1001d000.i2c) status -22 +imx27-pinctrl 10015000.iomuxc: could not request pin 69 (MX27_PAD_I2C2_SDA) from group i2c2grp on device 10015000.iomuxc +imx-i2c 1001d000.i2c: Error applying setting, reverse things back +imx-i2c: probe of 1001d000.i2c failed with error -22 + +Fix it by adding the correct I2C1 IOMUX entries for the pinctrl_i2c1 group. + +Cc: +Fixes: 61664d0b432a ("ARM: dts: imx27 phyCARD-S pinctrl") +Signed-off-by: Fabio Estevam +Reviewed-by: Stefan Riedmueller +Signed-off-by: Shawn Guo +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/imx27-phytec-phycard-s-rdk.dts | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm/boot/dts/imx27-phytec-phycard-s-rdk.dts ++++ b/arch/arm/boot/dts/imx27-phytec-phycard-s-rdk.dts +@@ -75,8 +75,8 @@ + imx27-phycard-s-rdk { + pinctrl_i2c1: i2c1grp { + fsl,pins = < +- MX27_PAD_I2C2_SDA__I2C2_SDA 0x0 +- MX27_PAD_I2C2_SCL__I2C2_SCL 0x0 ++ MX27_PAD_I2C_DATA__I2C_DATA 0x0 ++ MX27_PAD_I2C_CLK__I2C_CLK 0x0 + >; + }; + 
diff --git a/queue-5.6/arm-dts-imx6dl-yapp4-fix-ursa-board-ethernet-connection.patch b/queue-5.6/arm-dts-imx6dl-yapp4-fix-ursa-board-ethernet-connection.patch new file mode 100644 index 00000000000..028ae829c7b --- /dev/null +++ b/queue-5.6/arm-dts-imx6dl-yapp4-fix-ursa-board-ethernet-connection.patch @@ -0,0 +1,39 @@ +From cbe63a8358310244e6007398bd2c7c70c7fd51cd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Michal=20Vok=C3=A1=C4=8D?= +Date: Tue, 17 Mar 2020 09:46:28 +0100 +Subject: ARM: dts: imx6dl-yapp4: Fix Ursa board Ethernet connection +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michal Vokáč + +commit cbe63a8358310244e6007398bd2c7c70c7fd51cd upstream. + +The Y Soft yapp4 platform supports up to two Ethernet ports. +The Ursa board though has only one Ethernet port populated and that is +the port@2. Since the introduction of this platform into mainline a wrong +port was deleted and the Ethernet could never work. Fix this by deleting +the correct port node. + +Fixes: 87489ec3a77f ("ARM: dts: imx: Add Y Soft IOTA Draco, Hydra and Ursa boards") +Cc: stable@vger.kernel.org +Signed-off-by: Michal Vokáč +Signed-off-by: Shawn Guo +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/imx6dl-yapp4-ursa.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/imx6dl-yapp4-ursa.dts ++++ b/arch/arm/boot/dts/imx6dl-yapp4-ursa.dts +@@ -38,7 +38,7 @@ + }; + + &switch_ports { +- /delete-node/ port@2; ++ /delete-node/ port@3; + }; + + &touchscreen { diff --git a/queue-5.6/cifs-fix-leaked-reference-on-requeued-write.patch b/queue-5.6/cifs-fix-leaked-reference-on-requeued-write.patch new file mode 100644 index 00000000000..6f0d1eac373 --- /dev/null +++ b/queue-5.6/cifs-fix-leaked-reference-on-requeued-write.patch 
@@ -0,0 +1,40 @@ +From a48137996063d22ffba77e077425f49873856ca5 Mon Sep 17 00:00:00 2001 +From: Adam McCoy +Date: Wed, 13 May 2020 11:53:30 +0000 +Subject: cifs: fix leaked reference on requeued write + +From: Adam McCoy + +commit a48137996063d22ffba77e077425f49873856ca5 upstream. + +Failed async writes that are requeued may not clean up a refcount +on the file, which can result in a leaked open. This scenario arises +very reliably when using persistent handles and a reconnect occurs +while writing. + +cifs_writev_requeue only releases the reference if the write fails +(rc != 0). The server->ops->async_writev operation will take its own +reference, so the initial reference can always be released. + +Signed-off-by: Adam McCoy +Signed-off-by: Steve French +CC: Stable +Reviewed-by: Pavel Shilovsky +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/cifssmb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/cifs/cifssmb.c ++++ b/fs/cifs/cifssmb.c +@@ -2138,8 +2138,8 @@ cifs_writev_requeue(struct cifs_writedat + } + } + ++ kref_put(&wdata2->refcount, cifs_writedata_release); + if (rc) { +- kref_put(&wdata2->refcount, cifs_writedata_release); + if (is_retryable_error(rc)) + continue; + i += nr_pages; diff --git a/queue-5.6/drm-amd-amdgpu-add-raven1-part-to-the-gfxoff-quirk-list.patch b/queue-5.6/drm-amd-amdgpu-add-raven1-part-to-the-gfxoff-quirk-list.patch new file mode 100644 index 00000000000..ca22c91a9b2 --- /dev/null +++ b/queue-5.6/drm-amd-amdgpu-add-raven1-part-to-the-gfxoff-quirk-list.patch 
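Review bot: The now-unconditional `kref_put(&wdata2->refcount, cifs_writedata_release);` in cifs_writev_requeue() has no comment saying whose reference it drops, and on the `rc != 0` path it may be the final put, so `wdata2` must not be touched afterwards. The lines visible after it (`is_retryable_error(rc)`, `i += nr_pages`) do not use `wdata2`, but the loop body continues outside the hunk and is worth checking for a later dereference. I would add `/* async_writev took its own reference on success; drop the initial one in every case */` above the call so the ownership rule stays visible to the next editor.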
@@ -0,0 +1,35 @@ +From 975f543e7522e17b8a4bf34d7daeac44819aee5a Mon Sep 17 00:00:00 2001 +From: Tom St Denis +Date: Thu, 7 May 2020 08:35:40 -0400 +Subject: drm/amd/amdgpu: add raven1 part to the gfxoff quirk list + +From: Tom St Denis + +commit 975f543e7522e17b8a4bf34d7daeac44819aee5a upstream. + +On my raven1 system (rev c6) with VBIOS 113-RAVEN-114 GFXOFF is +not stable (resulting in large block tiling noise in some applications). + +Disabling GFXOFF via the quirk list fixes the problems for me. + +Signed-off-by: Tom St Denis +Reviewed-by: Alex Deucher +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c +@@ -1177,6 +1177,8 @@ static const struct amdgpu_gfxoff_quirk + { 0x1002, 0x15dd, 0x1002, 0x15dd, 0xc8 }, + /* https://bugzilla.kernel.org/show_bug.cgi?id=207171 */ + { 0x1002, 0x15dd, 0x103c, 0x83e7, 0xd3 }, ++ /* GFXOFF is unstable on C6 parts with a VBIOS 113-RAVEN-114 */ ++ { 0x1002, 0x15dd, 0x1002, 0x15dd, 0xc6 }, + { 0, 0, 0, 0, 0 }, + }; + diff --git a/queue-5.6/drm-amd-display-add-basic-atomic-check-for-cursor-plane.patch b/queue-5.6/drm-amd-display-add-basic-atomic-check-for-cursor-plane.patch new file mode 100644 index 00000000000..ed0fcf93bd7 --- /dev/null +++ b/queue-5.6/drm-amd-display-add-basic-atomic-check-for-cursor-plane.patch 
@@ -0,0 +1,72 @@ +From 626bf90fe03fa080d8df06bb0397c95c53ae8e27 Mon Sep 17 00:00:00 2001 +From: Simon Ser +Date: Mon, 30 Mar 2020 09:23:21 +0000 +Subject: drm/amd/display: add basic atomic check for cursor plane + +From: Simon Ser + +commit 626bf90fe03fa080d8df06bb0397c95c53ae8e27 upstream. + +This patch adds a basic cursor check when an atomic test-only commit is +performed. The position and size of the cursor plane is checked. + +This should fix user-space relying on atomic checks to assign buffers to +planes. + +Signed-off-by: Simon Ser +Reported-by: Roman Gilg +References: https://github.com/emersion/libliftoff/issues/46 +Cc: Alex Deucher +Cc: Harry Wentland +Reviewed-by: Nicholas Kazlauskas +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 26 ++++++++++++++++++++-- + 1 file changed, 24 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -7716,6 +7716,7 @@ static int dm_update_plane_state(struct + struct drm_crtc_state *old_crtc_state, *new_crtc_state; + struct dm_crtc_state *dm_new_crtc_state, *dm_old_crtc_state; + struct dm_plane_state *dm_new_plane_state, *dm_old_plane_state; ++ struct amdgpu_crtc *new_acrtc; + bool needs_reset; + int ret = 0; + +@@ -7725,9 +7726,30 @@ static int dm_update_plane_state(struct + dm_new_plane_state = to_dm_plane_state(new_plane_state); + dm_old_plane_state = to_dm_plane_state(old_plane_state); + +- /*TODO Implement atomic check for cursor plane */ +- if (plane->type == DRM_PLANE_TYPE_CURSOR) ++ /*TODO Implement better atomic check for cursor plane */ ++ if (plane->type == DRM_PLANE_TYPE_CURSOR) { ++ if (!enable || !new_plane_crtc || ++ drm_atomic_plane_disabling(plane->state, new_plane_state)) ++ return 0; ++ ++ new_acrtc = to_amdgpu_crtc(new_plane_crtc); ++ ++ if ((new_plane_state->crtc_w > new_acrtc->max_cursor_width) || ++ 
(new_plane_state->crtc_h > new_acrtc->max_cursor_height)) { ++ DRM_DEBUG_ATOMIC("Bad cursor size %d x %d\n", ++ new_plane_state->crtc_w, new_plane_state->crtc_h); ++ return -EINVAL; ++ } ++ ++ if (new_plane_state->crtc_x <= -new_acrtc->max_cursor_width || ++ new_plane_state->crtc_y <= -new_acrtc->max_cursor_height) { ++ DRM_DEBUG_ATOMIC("Bad cursor position %d, %d\n", ++ new_plane_state->crtc_x, new_plane_state->crtc_y); ++ return -EINVAL; ++ } ++ + return 0; ++ } + + needs_reset = should_reset_plane(state, plane, old_plane_state, + new_plane_state); diff --git a/queue-5.6/drm-i915-tgl-fix-interrupt-handling-for-dp-aux-transactions.patch b/queue-5.6/drm-i915-tgl-fix-interrupt-handling-for-dp-aux-transactions.patch new file mode 100644 index 00000000000..3ca5e66e689 --- /dev/null +++ b/queue-5.6/drm-i915-tgl-fix-interrupt-handling-for-dp-aux-transactions.patch 
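Review bot: The cursor position test in dm_update_plane_state() only rejects cursors too far to the left or top (`crtc_x <= -new_acrtc->max_cursor_width`, and the same for `crtc_y`), so a userspace-supplied position far past the right or bottom edge still passes the atomic check. The retained TODO presumably covers this, but it would help to say so explicitly, e.g. `/* TODO: also bound the cursor position against the CRTC's active size */`. Separately, the first DRM_DEBUG_ATOMIC call prints `crtc_w`/`crtc_h` with `%d`; those fields are unsigned in struct drm_plane_state as far as I recall (the declaration is not in this hunk), so `"Bad cursor size %u x %u\n"` would match. The function starts and ends outside the hunk.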
@@ -0,0 +1,60 @@ +From 4457a9db2bdec2360ddb15242341696108167886 Mon Sep 17 00:00:00 2001 +From: Imre Deak +Date: Mon, 4 May 2020 10:58:28 +0300 +Subject: drm/i915/tgl+: Fix interrupt handling for DP AUX transactions +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Imre Deak + +commit 4457a9db2bdec2360ddb15242341696108167886 upstream. + +Unmask/enable AUX interrupts on all ports on TGL+. So far the interrupts +worked only on port A, which meant each transaction on other ports took +10ms. + +Cc: # v5.4+ +Signed-off-by: Imre Deak +Reviewed-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20200504075828.20348-1-imre.deak@intel.com +(cherry picked from commit 054318c7e35f1d7d06b216143fff5f32405047ee) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/i915_irq.c | 16 +++------------- + 1 file changed, 3 insertions(+), 13 deletions(-) + +--- a/drivers/gpu/drm/i915/i915_irq.c ++++ b/drivers/gpu/drm/i915/i915_irq.c +@@ -3324,7 +3324,7 @@ static void gen8_de_irq_postinstall(stru + u32 de_pipe_masked = gen8_de_pipe_fault_mask(dev_priv) | + GEN8_PIPE_CDCLK_CRC_DONE; + u32 de_pipe_enables; +- u32 de_port_masked = GEN8_AUX_CHANNEL_A; ++ u32 de_port_masked = gen8_de_port_aux_mask(dev_priv); + u32 de_port_enables; + u32 de_misc_masked = GEN8_DE_EDP_PSR; + enum pipe pipe; +@@ -3332,18 +3332,8 @@ static void gen8_de_irq_postinstall(stru + if (INTEL_GEN(dev_priv) <= 10) + de_misc_masked |= GEN8_DE_MISC_GSE; + +- if (INTEL_GEN(dev_priv) >= 9) { +- de_port_masked |= GEN9_AUX_CHANNEL_B | GEN9_AUX_CHANNEL_C | +- GEN9_AUX_CHANNEL_D; +- if (IS_GEN9_LP(dev_priv)) +- de_port_masked |= BXT_DE_PORT_GMBUS; +- } +- +- if (INTEL_GEN(dev_priv) >= 11) +- de_port_masked |= ICL_AUX_CHANNEL_E; +- +- if (IS_CNL_WITH_PORT_F(dev_priv) || INTEL_GEN(dev_priv) >= 11) +- de_port_masked |= CNL_AUX_CHANNEL_F; ++ if (IS_GEN9_LP(dev_priv)) ++ de_port_masked |= BXT_DE_PORT_GMBUS; + + 
de_pipe_enables = de_pipe_masked | GEN8_PIPE_VBLANK | + GEN8_PIPE_FIFO_UNDERRUN; diff --git a/queue-5.6/kvm-x86-fix-pkru-save-restore-when-guest-cr4.pke-0-move-it-to-x86.c.patch b/queue-5.6/kvm-x86-fix-pkru-save-restore-when-guest-cr4.pke-0-move-it-to-x86.c.patch new file mode 100644 index 00000000000..caa903683d8 --- /dev/null +++ b/queue-5.6/kvm-x86-fix-pkru-save-restore-when-guest-cr4.pke-0-move-it-to-x86.c.patch 
@@ -0,0 +1,122 @@ +From 37486135d3a7b03acc7755b63627a130437f066a Mon Sep 17 00:00:00 2001 +From: Babu Moger +Date: Tue, 12 May 2020 18:59:06 -0500 +Subject: KVM: x86: Fix pkru save/restore when guest CR4.PKE=0, move it to x86.c + +From: Babu Moger + +commit 37486135d3a7b03acc7755b63627a130437f066a upstream. + +Though rdpkru and wrpkru are contingent upon CR4.PKE, the PKRU +resource isn't. It can be read with XSAVE and written with XRSTOR. +So, if we don't set the guest PKRU value here(kvm_load_guest_xsave_state), +the guest can read the host value. + +In case of kvm_load_host_xsave_state, guest with CR4.PKE clear could +potentially use XRSTOR to change the host PKRU value. + +While at it, move pkru state save/restore to common code and the +host_pkru field to kvm_vcpu_arch. This will let SVM support protection keys. + +Cc: stable@vger.kernel.org +Reported-by: Jim Mattson +Signed-off-by: Babu Moger +Message-Id: <158932794619.44260.14508381096663848853.stgit@naples-babu.amd.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/kvm_host.h | 1 + + arch/x86/kvm/vmx/vmx.c | 18 ------------------ + arch/x86/kvm/x86.c | 17 +++++++++++++++++ + 3 files changed, 18 insertions(+), 18 deletions(-) + +--- a/arch/x86/include/asm/kvm_host.h ++++ b/arch/x86/include/asm/kvm_host.h +@@ -574,6 +574,7 @@ struct kvm_vcpu_arch { + unsigned long cr4; + unsigned long cr4_guest_owned_bits; + unsigned long cr8; ++ u32 host_pkru; + u32 pkru; + u32 hflags; + u64 efer; +--- a/arch/x86/kvm/vmx/vmx.c ++++ b/arch/x86/kvm/vmx/vmx.c +@@ -1380,7 +1380,6 @@ void vmx_vcpu_load(struct kvm_vcpu *vcpu + + vmx_vcpu_pi_load(vcpu, cpu); + +- vmx->host_pkru = read_pkru(); + vmx->host_debugctlmsr = get_debugctlmsr(); + } + +@@ -6538,11 +6537,6 @@ static void vmx_vcpu_run(struct kvm_vcpu + + kvm_load_guest_xsave_state(vcpu); + +- if (static_cpu_has(X86_FEATURE_PKU) && +- kvm_read_cr4_bits(vcpu, X86_CR4_PKE) && +- vcpu->arch.pkru != vmx->host_pkru) +- 
__write_pkru(vcpu->arch.pkru); +- + pt_guest_enter(vmx); + + atomic_switch_perf_msrs(vmx); +@@ -6631,18 +6625,6 @@ static void vmx_vcpu_run(struct kvm_vcpu + + pt_guest_exit(vmx); + +- /* +- * eager fpu is enabled if PKEY is supported and CR4 is switched +- * back on host, so it is safe to read guest PKRU from current +- * XSAVE. +- */ +- if (static_cpu_has(X86_FEATURE_PKU) && +- kvm_read_cr4_bits(vcpu, X86_CR4_PKE)) { +- vcpu->arch.pkru = rdpkru(); +- if (vcpu->arch.pkru != vmx->host_pkru) +- __write_pkru(vmx->host_pkru); +- } +- + kvm_load_host_xsave_state(vcpu); + + vmx->nested.nested_run_pending = 0; +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -809,11 +809,25 @@ void kvm_load_guest_xsave_state(struct k + vcpu->arch.ia32_xss != host_xss) + wrmsrl(MSR_IA32_XSS, vcpu->arch.ia32_xss); + } ++ ++ if (static_cpu_has(X86_FEATURE_PKU) && ++ (kvm_read_cr4_bits(vcpu, X86_CR4_PKE) || ++ (vcpu->arch.xcr0 & XFEATURE_MASK_PKRU)) && ++ vcpu->arch.pkru != vcpu->arch.host_pkru) ++ __write_pkru(vcpu->arch.pkru); + } + EXPORT_SYMBOL_GPL(kvm_load_guest_xsave_state); + + void kvm_load_host_xsave_state(struct kvm_vcpu *vcpu) + { ++ if (static_cpu_has(X86_FEATURE_PKU) && ++ (kvm_read_cr4_bits(vcpu, X86_CR4_PKE) || ++ (vcpu->arch.xcr0 & XFEATURE_MASK_PKRU))) { ++ vcpu->arch.pkru = rdpkru(); ++ if (vcpu->arch.pkru != vcpu->arch.host_pkru) ++ __write_pkru(vcpu->arch.host_pkru); ++ } ++ + if (kvm_read_cr4_bits(vcpu, X86_CR4_OSXSAVE)) { + + if (vcpu->arch.xcr0 != host_xcr0) +@@ -3529,6 +3543,9 @@ void kvm_arch_vcpu_load(struct kvm_vcpu + + kvm_x86_ops->vcpu_load(vcpu, cpu); + ++ /* Save host pkru register if supported */ ++ vcpu->arch.host_pkru = read_pkru(); ++ + /* Apply any externally detected TSC adjustments (due to suspend) */ + if (unlikely(vcpu->arch.tsc_offset_adjustment)) { + adjust_tsc_offset_host(vcpu, vcpu->arch.tsc_offset_adjustment); 
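Review bot: The test `static_cpu_has(X86_FEATURE_PKU) && (kvm_read_cr4_bits(vcpu, X86_CR4_PKE) || (vcpu->arch.xcr0 & XFEATURE_MASK_PKRU))` is now duplicated in kvm_load_guest_xsave_state() and kvm_load_host_xsave_state() in x86.c without a comment explaining the xcr0 term, although that term is the guest/host isolation fix itself. I would add above each test something like `/* PKRU is reachable via XSAVE/XRSTOR even when CR4.PKE=0, so switch it whenever XCR0 exposes it */`, and consider a small static helper for the shared condition so the two sides cannot drift apart. The comment removed from vmx_vcpu_run() that explained why reading the guest PKRU at that point is safe was also not carried over next to the new `rdpkru()` call. Both function bodies continue outside the hunks shown.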
diff --git a/queue-5.6/make-the-reducing-compressed-framebufer-size-message-be-drm_info_once.patch b/queue-5.6/make-the-reducing-compressed-framebufer-size-message-be-drm_info_once.patch
new file mode 100644
index 00000000000..84b48b0692e
--- /dev/null
+++ b/queue-5.6/make-the-reducing-compressed-framebufer-size-message-be-drm_info_once.patch
@@ -0,0 +1,50 @@ +From 82152d424b6cb6fc1ede7d03d69c04e786688740 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Fri, 6 Jul 2018 15:04:24 -0400 +Subject: Make the "Reducing compressed framebufer size" message be DRM_INFO_ONCE() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Peter Jones + +commit 82152d424b6cb6fc1ede7d03d69c04e786688740 upstream. + +This was sort of annoying me: + +random:~$ dmesg | tail -1 +[523884.039227] [drm] Reducing the compressed framebuffer size. This may lead to less power savings than a non-reduced-size. Try to increase stolen memory size if available in BIOS. +random:~$ dmesg | grep -c "Reducing the compressed" +47 + +This patch makes it DRM_INFO_ONCE() just like the similar message +farther down in that function is pr_info_once(). + +Cc: stable@vger.kernel.org +Signed-off-by: Peter Jones +Acked-by: Rodrigo Vivi +Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/1745 +Link: https://patchwork.freedesktop.org/patch/msgid/20180706190424.29194-1-pjones@redhat.com +[vsyrjala: Rebase due to per-device logging] +Signed-off-by: Ville Syrjälä +(cherry picked from commit 6b7fc6a3e6af4ff5773949d0fed70d8e7f68d5ce) +[Rodrigo: port back to DRM_INFO_ONCE] +Signed-off-by: Rodrigo Vivi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/display/intel_fbc.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/gpu/drm/i915/display/intel_fbc.c ++++ b/drivers/gpu/drm/i915/display/intel_fbc.c +@@ -478,8 +478,7 @@ static int intel_fbc_alloc_cfb(struct dr + if (!ret) + goto err_llb; + else if (ret > 1) { +- DRM_INFO("Reducing the compressed framebuffer size. This may lead to less power savings than a non-reduced-size. Try to increase stolen memory size if available in BIOS.\n"); +- ++ DRM_INFO_ONCE("Reducing the compressed framebuffer size. This may lead to less power savings than a non-reduced-size. 
Try to increase stolen memory size if available in BIOS.\n"); + } + + fbc->threshold = ret; diff --git a/queue-5.6/powerpc-32s-fix-build-failure-with-config_ppc_kuap_debug.patch b/queue-5.6/powerpc-32s-fix-build-failure-with-config_ppc_kuap_debug.patch new file mode 100644 index 00000000000..fe54c9826bd --- /dev/null +++ b/queue-5.6/powerpc-32s-fix-build-failure-with-config_ppc_kuap_debug.patch @@ -0,0 +1,35 @@ +From 4833ce06e6855d526234618b746ffb71d6612c9a Mon Sep 17 00:00:00 2001 +From: Christophe Leroy +Date: Mon, 20 Apr 2020 07:47:05 +0000 +Subject: powerpc/32s: Fix build failure with CONFIG_PPC_KUAP_DEBUG + +From: Christophe Leroy + +commit 4833ce06e6855d526234618b746ffb71d6612c9a upstream. + +gpr2 is not a parametre of kuap_check(), it doesn't exist. + +Use gpr instead. + +Fixes: a68c31fc01ef ("powerpc/32s: Implement Kernel Userspace Access Protection") +Signed-off-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/ea599546f2a7771bde551393889e44e6b2632332.1587368807.git.christophe.leroy@c-s.fr +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/include/asm/book3s/32/kup.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/include/asm/book3s/32/kup.h ++++ b/arch/powerpc/include/asm/book3s/32/kup.h +@@ -75,7 +75,7 @@ + + .macro kuap_check current, gpr + #ifdef CONFIG_PPC_KUAP_DEBUG +- lwz \gpr2, KUAP(thread) ++ lwz \gpr, KUAP(thread) + 999: twnei \gpr, 0 + EMIT_BUG_ENTRY 999b, __FILE__, __LINE__, (BUGFLAG_WARNING | BUGFLAG_ONCE) + #endif diff --git a/queue-5.6/powerpc-vdso32-fallback-on-getres-syscall-when-clock-is-unknown.patch b/queue-5.6/powerpc-vdso32-fallback-on-getres-syscall-when-clock-is-unknown.patch new file mode 100644 index 00000000000..e41385f88b4 --- /dev/null +++ b/queue-5.6/powerpc-vdso32-fallback-on-getres-syscall-when-clock-is-unknown.patch 
@@ -0,0 +1,44 @@ +From e963b7a28b2bf2416304e1a15df967fcf662aff5 Mon Sep 17 00:00:00 2001 +From: Christophe Leroy +Date: Sat, 9 May 2020 09:42:14 +0000 +Subject: powerpc/vdso32: Fallback on getres syscall when clock is unknown + +From: Christophe Leroy + +commit e963b7a28b2bf2416304e1a15df967fcf662aff5 upstream. + +There are other clocks than the standard ones, for instance +per process clocks. Therefore, being above the last standard clock +doesn't mean it is a bad clock. So, fallback to syscall instead +of returning -EINVAL inconditionaly. + +Fixes: e33ffc956b08 ("powerpc/vdso32: implement clock_getres entirely") +Cc: stable@vger.kernel.org # v5.6+ +Reported-by: Aurelien Jarno +Signed-off-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Tested-by: Aurelien Jarno +Link: https://lore.kernel.org/r/7316a9e2c0c2517923eb4b0411c4a08d15e675a4.1589017281.git.christophe.leroy@csgroup.eu +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/vdso32/gettimeofday.S | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/powerpc/kernel/vdso32/gettimeofday.S ++++ b/arch/powerpc/kernel/vdso32/gettimeofday.S +@@ -218,11 +218,11 @@ V_FUNCTION_BEGIN(__kernel_clock_getres) + blr + + /* +- * invalid clock ++ * syscall fallback + */ + 99: +- li r3, EINVAL +- crset so ++ li r0,__NR_clock_getres ++ sc + blr + .cfi_endproc + V_FUNCTION_END(__kernel_clock_getres) diff --git a/queue-5.6/series b/queue-5.6/series index df7eced4002..e6b4f525b1f 100644 --- a/queue-5.6/series +++ b/queue-5.6/series 
@@ -142,3 +142,17 @@ alsa-usb-audio-add-control-message-quirk-delay-for-kingston-hyperx-headset.patch usb-core-hub-limit-hub_quirk_disable_autosuspend-to-usb5534b.patch usb-host-xhci-plat-keep-runtime-active-when-removing-host.patch usb-cdns3-gadget-prev_req-trb-is-null-for-ep0.patch +usb-gadget-fix-illegal-array-access-in-binding-with-udc.patch +usb-xhci-fix-null-pointer-dereference-when-enqueuing-trbs-from-urb-sg-list.patch +make-the-reducing-compressed-framebufer-size-message-be-drm_info_once.patch +arm-dts-dra7-fix-bus_dma_limit-for-pcie.patch +arm-dts-imx27-phytec-phycard-s-rdk-fix-the-i2c1-pinctrl-entries.patch +arm-dts-imx6dl-yapp4-fix-ursa-board-ethernet-connection.patch +drm-amd-display-add-basic-atomic-check-for-cursor-plane.patch +drm-amd-amdgpu-add-raven1-part-to-the-gfxoff-quirk-list.patch +drm-i915-tgl-fix-interrupt-handling-for-dp-aux-transactions.patch +powerpc-vdso32-fallback-on-getres-syscall-when-clock-is-unknown.patch +powerpc-32s-fix-build-failure-with-config_ppc_kuap_debug.patch +cifs-fix-leaked-reference-on-requeued-write.patch +kvm-x86-fix-pkru-save-restore-when-guest-cr4.pke-0-move-it-to-x86.c.patch +x86-fix-early-boot-crash-on-gcc-10-third-try.patch diff --git a/queue-5.6/usb-gadget-fix-illegal-array-access-in-binding-with-udc.patch b/queue-5.6/usb-gadget-fix-illegal-array-access-in-binding-with-udc.patch new file mode 100644 index 00000000000..19732650e7a --- /dev/null +++ b/queue-5.6/usb-gadget-fix-illegal-array-access-in-binding-with-udc.patch 
@@ -0,0 +1,75 @@ +From 15753588bcd4bbffae1cca33c8ced5722477fe1f Mon Sep 17 00:00:00 2001 +From: Kyungtae Kim +Date: Sun, 10 May 2020 05:43:34 +0000 +Subject: USB: gadget: fix illegal array access in binding with UDC + +From: Kyungtae Kim + +commit 15753588bcd4bbffae1cca33c8ced5722477fe1f upstream. + +FuzzUSB (a variant of syzkaller) found an illegal array access +using an incorrect index while binding a gadget with UDC. + +Reference: https://www.spinics.net/lists/linux-usb/msg194331.html + +This bug occurs when a size variable used for a buffer +is misused to access its strcpy-ed buffer. +Given a buffer along with its size variable (taken from user input), +from which, a new buffer is created using kstrdup(). +Due to the original buffer containing 0 value in the middle, +the size of the kstrdup-ed buffer becomes smaller than that of the original. +So accessing the kstrdup-ed buffer with the same size variable +triggers memory access violation. + +The fix makes sure no zero value in the buffer, +by comparing the strlen() of the orignal buffer with the size variable, +so that the access to the kstrdup-ed buffer is safe. 
+ +BUG: KASAN: slab-out-of-bounds in gadget_dev_desc_UDC_store+0x1ba/0x200 +drivers/usb/gadget/configfs.c:266 +Read of size 1 at addr ffff88806a55dd7e by task syz-executor.0/17208 + +CPU: 2 PID: 17208 Comm: syz-executor.0 Not tainted 5.6.8 #1 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0xce/0x128 lib/dump_stack.c:118 + print_address_description.constprop.4+0x21/0x3c0 mm/kasan/report.c:374 + __kasan_report+0x131/0x1b0 mm/kasan/report.c:506 + kasan_report+0x12/0x20 mm/kasan/common.c:641 + __asan_report_load1_noabort+0x14/0x20 mm/kasan/generic_report.c:132 + gadget_dev_desc_UDC_store+0x1ba/0x200 drivers/usb/gadget/configfs.c:266 + flush_write_buffer fs/configfs/file.c:251 [inline] + configfs_write_file+0x2f1/0x4c0 fs/configfs/file.c:283 + __vfs_write+0x85/0x110 fs/read_write.c:494 + vfs_write+0x1cd/0x510 fs/read_write.c:558 + ksys_write+0x18a/0x220 fs/read_write.c:611 + __do_sys_write fs/read_write.c:623 [inline] + __se_sys_write fs/read_write.c:620 [inline] + __x64_sys_write+0x73/0xb0 fs/read_write.c:620 + do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Signed-off-by: Kyungtae Kim +Reported-and-tested-by: Kyungtae Kim +Cc: Felipe Balbi +Cc: stable +Link: https://lore.kernel.org/r/20200510054326.GA19198@pizza01 +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/configfs.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/gadget/configfs.c ++++ b/drivers/usb/gadget/configfs.c +@@ -260,6 +260,9 @@ static ssize_t gadget_dev_desc_UDC_store + char *name; + int ret; + ++ if (strlen(page) < len) ++ return -EOVERFLOW; ++ + name = kstrdup(page, GFP_KERNEL); + if (!name) + return -ENOMEM; diff --git a/queue-5.6/usb-host-xhci-plat-keep-runtime-active-when-removing-host.patch b/queue-5.6/usb-host-xhci-plat-keep-runtime-active-when-removing-host.patch index 2036842014f..224021a64f8 100644 
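Review bot: The new guard `if (strlen(page) < len) return -EOVERFLOW;` in gadget_dev_desc_UDC_store() carries no comment, so a reader cannot tell that it exists to reject input with an embedded NUL before the kstrdup()-ed copy is indexed using `len`. I would add `/* reject embedded NULs: kstrdup() stops at the first one, leaving name shorter than len */` above it. The access that KASAN reports at configfs.c:266 is outside this hunk; if it indexes with `len - 1`, a zero-length write is worth confirming as well, because the new check lets `len == 0` through. `-EINVAL` may also be the more conventional return for malformed input, though that is a matter of taste.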
--- a/queue-5.6/usb-host-xhci-plat-keep-runtime-active-when-removing-host.patch +++ b/queue-5.6/usb-host-xhci-plat-keep-runtime-active-when-removing-host.patch @@ -108,8 +108,6 @@ Signed-off-by: Li Jun Signed-off-by: Mathias Nyman Link: https://lore.kernel.org/r/20200514110432.25564-3-mathias.nyman@linux.intel.com Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Greg Kroah-Hartman - --- drivers/usb/host/xhci-plat.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/queue-5.6/usb-xhci-fix-null-pointer-dereference-when-enqueuing-trbs-from-urb-sg-list.patch b/queue-5.6/usb-xhci-fix-null-pointer-dereference-when-enqueuing-trbs-from-urb-sg-list.patch new file mode 100644 index 00000000000..466c1ed10a0 --- /dev/null +++ b/queue-5.6/usb-xhci-fix-null-pointer-dereference-when-enqueuing-trbs-from-urb-sg-list.patch 
@@ -0,0 +1,74 @@
+From 3c6f8cb92c9178fc0c66b580ea3df1fa3ac1155a Mon Sep 17 00:00:00 2001
+From: Sriharsha Allenki
+Date: Thu, 14 May 2020 14:04:31 +0300
+Subject: usb: xhci: Fix NULL pointer dereference when enqueuing trbs from urb sg list
+
+From: Sriharsha Allenki
+
+commit 3c6f8cb92c9178fc0c66b580ea3df1fa3ac1155a upstream.
+
+On platforms with IOMMU enabled, multiple SGs can be coalesced into one
+by the IOMMU driver. In that case the SG list processing as part of the
+completion of a urb on a bulk endpoint can result into a NULL pointer
+dereference with the below stack dump.
+
+<6> Unable to handle kernel NULL pointer dereference at virtual address 0000000c
+<6> pgd = c0004000
+<6> [0000000c] *pgd=00000000
+<6> Internal error: Oops: 5 [#1] PREEMPT SMP ARM
+<2> PC is at xhci_queue_bulk_tx+0x454/0x80c
+<2> LR is at xhci_queue_bulk_tx+0x44c/0x80c
+<2> pc : [] lr : [] psr: 000000d3
+<2> sp : ca337c80 ip : 00000000 fp : ffffffff
+<2> r10: 00000000 r9 : 50037000 r8 : 00004000
+<2> r7 : 00000000 r6 : 00004000 r5 : 00000000 r4 : 00000000
+<2> r3 : 00000000 r2 : 00000082 r1 : c2c1a200 r0 : 00000000
+<2> Flags: nzcv IRQs off FIQs off Mode SVC_32 ISA ARM Segment none
+<2> Control: 10c0383d Table: b412c06a DAC: 00000051
+<6> Process usb-storage (pid: 5961, stack limit = 0xca336210)
+
+<2> [] (xhci_queue_bulk_tx)
+<2> [] (xhci_urb_enqueue)
+<2> [] (usb_hcd_submit_urb)
+<2> [] (usb_sg_wait)
+<2> [] (usb_stor_bulk_transfer_sglist)
+<2> [] (usb_stor_bulk_srb)
+<2> [] (usb_stor_Bulk_transport)
+<2> [] (usb_stor_invoke_transport)
+<2> [] (usb_stor_control_thread)
+<2> [] (kthread)
+
+The above NULL pointer dereference is the result of block_len and the
+sent_len set to zero after the first SG of the list when IOMMU driver
+is enabled. Because of this the loop of processing the SGs has run
+more than num_sgs which resulted in a sg_next on the last SG of the
+list which has SG_END set.
+
+Fix this by check for the sg before any attributes of the sg are
+accessed.
+
+[modified reason for null pointer dereference in commit message subject -Mathias]
+Fixes: f9c589e142d04 ("xhci: TD-fragment, align the unsplittable case with a bounce buffer")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sriharsha Allenki
+Signed-off-by: Mathias Nyman
+Link: https://lore.kernel.org/r/20200514110432.25564-2-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/host/xhci-ring.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -3425,8 +3425,8 @@ int xhci_queue_bulk_tx(struct xhci_hcd *
+ /* New sg entry */
+ --num_sgs;
+ sent_len -= block_len;
+- if (num_sgs != 0) {
+- sg = sg_next(sg);
++ sg = sg_next(sg);
++ if (num_sgs != 0 && sg) {
+ block_len = sg_dma_len(sg);
+ addr = (u64) sg_dma_address(sg);
+ addr += sent_len;
diff --git a/queue-5.6/x86-fix-early-boot-crash-on-gcc-10-third-try.patch b/queue-5.6/x86-fix-early-boot-crash-on-gcc-10-third-try.patch
new file mode 100644
index 00000000000..ba8f028fedf
--- /dev/null
+++ b/queue-5.6/x86-fix-early-boot-crash-on-gcc-10-third-try.patch
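Review bot: In the xhci_queue_bulk_tx() hunk, the new `if (num_sgs != 0 && sg)` guard skips the update without any trace when `sg_next()` returns NULL while `num_sgs` is still non-zero, and nothing in the code says why that mismatch is legitimate. The reason (the IOMMU driver may coalesce entries, so the mapped list can end before `num_sgs` reaches zero) is given only in the commit message; a comment above the guard such as `/* IOMMU may coalesce SG entries, so the list can end before num_sgs hits zero */` would keep a later cleanup from dropping the `sg` test. When the branch is skipped, `block_len` and `addr` keep their previous values, so termination depends on the enclosing loop condition; that loop starts outside the hunk and should be confirmed to stop on a NULL `sg` as well.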
@@ -0,0 +1,144 @@
+From a9a3ed1eff3601b63aea4fb462d8b3b92c7c1e7e Mon Sep 17 00:00:00 2001
+From: Borislav Petkov
+Date: Wed, 22 Apr 2020 18:11:30 +0200
+Subject: x86: Fix early boot crash on gcc-10, third try
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Borislav Petkov
+
+commit a9a3ed1eff3601b63aea4fb462d8b3b92c7c1e7e upstream.
+
+... or the odyssey of trying to disable the stack protector for the
+function which generates the stack canary value.
+
+The whole story started with Sergei reporting a boot crash with a kernel
+built with gcc-10:
+
+ Kernel panic — not syncing: stack-protector: Kernel stack is corrupted in: start_secondary
+ CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.6.0-rc5—00235—gfffb08b37df9 #139
+ Hardware name: Gigabyte Technology Co., Ltd. To be filled by O.E.M./H77M—D3H, BIOS F12 11/14/2013
+ Call Trace:
+ dump_stack
+ panic
+ ? start_secondary
+ __stack_chk_fail
+ start_secondary
+ secondary_startup_64
+ -—-[ end Kernel panic — not syncing: stack—protector: Kernel stack is corrupted in: start_secondary
+
+This happens because gcc-10 tail-call optimizes the last function call
+in start_secondary() - cpu_startup_entry() - and thus emits a stack
+canary check which fails because the canary value changes after the
+boot_init_stack_canary() call.
+
+To fix that, the initial attempt was to mark the one function which
+generates the stack canary with:
+
+ __attribute__((optimize("-fno-stack-protector"))) ... start_secondary(void *unused)
+
+however, using the optimize attribute doesn't work cumulatively
+as the attribute does not add to but rather replaces previously
+supplied optimization options - roughly all -fxxx options.
+
+The key one among them being -fno-omit-frame-pointer and thus leading to
+not present frame pointer - frame pointer which the kernel needs.
+
+The next attempt to prevent compilers from tail-call optimizing
+the last function call cpu_startup_entry(), shy of carving out
+start_secondary() into a separate compilation unit and building it with
+-fno-stack-protector, was to add an empty asm("").
+
+This current solution was short and sweet, and reportedly, is supported
+by both compilers but we didn't get very far this time: future (LTO?)
+optimization passes could potentially eliminate this, which leads us
+to the third attempt: having an actual memory barrier there which the
+compiler cannot ignore or move around etc.
+
+That should hold for a long time, but hey we said that about the other
+two solutions too so...
+
+Reported-by: Sergei Trofimovich
+Signed-off-by: Borislav Petkov
+Tested-by: Kalle Valo
+Cc:
+Link: https://lkml.kernel.org/r/20200314164451.346497-1-slyfox@gentoo.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/include/asm/stackprotector.h | 7 ++++++-
+ arch/x86/kernel/smpboot.c | 8 ++++++++
+ arch/x86/xen/smp_pv.c | 1 +
+ include/linux/compiler.h | 6 ++++++
+ init/main.c | 2 ++
+ 5 files changed, 23 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/include/asm/stackprotector.h
++++ b/arch/x86/include/asm/stackprotector.h
+@@ -55,8 +55,13 @@
+ /*
+ * Initialize the stackprotector canary value.
+ *
+- * NOTE: this must only be called from functions that never return,
++ * NOTE: this must only be called from functions that never return
+ * and it must always be inlined.
++ *
++ * In addition, it should be called from a compilation unit for which
++ * stack protector is disabled. Alternatively, the caller should not end
++ * with a function call which gets tail-call optimized as that would
++ * lead to checking a modified canary value.
+ */
+ static __always_inline void boot_init_stack_canary(void)
+ {
+--- a/arch/x86/kernel/smpboot.c
++++ b/arch/x86/kernel/smpboot.c
+@@ -262,6 +262,14 @@ static void notrace start_secondary(void
+
+ wmb();
+ cpu_startup_entry(CPUHP_AP_ONLINE_IDLE);
++
++ /*
++ * Prevent tail call to cpu_startup_entry() because the stack protector
++ * guard has been changed a couple of function calls up, in
++ * boot_init_stack_canary() and must not be checked before tail calling
++ * another function.
++ */
++ prevent_tail_call_optimization();
+ }
+
+ /**
+--- a/arch/x86/xen/smp_pv.c
++++ b/arch/x86/xen/smp_pv.c
+@@ -92,6 +92,7 @@ asmlinkage __visible void cpu_bringup_an
+ cpu_bringup();
+ boot_init_stack_canary();
+ cpu_startup_entry(CPUHP_AP_ONLINE_IDLE);
++ prevent_tail_call_optimization();
+ }
+
+ void xen_smp_intr_free_pv(unsigned int cpu)
+--- a/include/linux/compiler.h
++++ b/include/linux/compiler.h
+@@ -356,4 +356,10 @@ static inline void *offset_to_ptr(const
+ /* &a[0] degrades to a pointer: a different type from an array */
+ #define __must_be_array(a) BUILD_BUG_ON_ZERO(__same_type((a), &(a)[0]))
+
++/*
++ * This is needed in functions which generate the stack canary, see
++ * arch/x86/kernel/smpboot.c::start_secondary() for an example.
++ */
++#define prevent_tail_call_optimization() mb()
++
+ #endif /* __LINUX_COMPILER_H */
+--- a/init/main.c
++++ b/init/main.c
+@@ -1032,6 +1032,8 @@ asmlinkage __visible void __init start_k
+
+ /* Do the rest non-__init'ed, we're now alive */
+ arch_call_rest_init();
++
++ prevent_tail_call_optimization();
+ }
+
+ /* Call all constructor functions linked into the kernel. */
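Review bot: The comment added above `#define prevent_tail_call_optimization() mb()` in include/linux/compiler.h does not say why a full memory barrier is used, so the macro reads as something that could later be weakened to an empty `asm("")` or a compiler-only barrier. The commit message gives the reason: an empty asm could be eliminated by future (LTO?) optimization passes, which would bring back the stack-canary check against a changed value. That belongs next to the define, for example as an extra comment line `* mb() rather than an empty asm(""): later optimization passes could drop the latter.` The calls added in arch/x86/xen/smp_pv.c and init/main.c also lack the explanatory comment that the smpboot.c hunk carries; a short `/* see start_secondary() */` on each would make the intent visible there. The enclosing functions start outside these hunks.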