From: Greg Kroah-Hartman
Date: Mon, 26 Feb 2018 15:53:04 +0000 (+0100)
Subject: 3.18-stable patches
X-Git-Tag: v3.18.97~18
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=534a89aa3490f47e184df385b7acc17312861a72;p=thirdparty%2Fkernel%2Fstable-queue.git
3.18-stable patches
added patches:
arm64-disable-unhandled-signal-log-messages-by-default.patch
cfg80211-fix-cfg80211_beacon_dup.patch
iio-adis_lib-initialize-trigger-before-requesting-interrupt.patch
iio-buffer-check-if-a-buffer-has-been-set-up-when-poll-is-called.patch
irqchip-gic-v3-use-wmb-instead-of-smb_wmb-in-gic_raise_softirq.patch
scsi-ibmvfc-fix-misdefined-reserved-field-in-ibmvfc_fcp_rsp_info.patch
usb-dwc3-gadget-set-maxpacket-size-for-ep0-in.patch
usb-gadget-f_fs-process-all-descriptors-during-bind.patch
x86-oprofile-fix-bogus-gcc-8-warning-in-nmi_setup.patch
xtensa-fix-high-memory-reserved-memory-collision.patch
---
diff --git a/queue-3.18/arm64-disable-unhandled-signal-log-messages-by-default.patch b/queue-3.18/arm64-disable-unhandled-signal-log-messages-by-default.patch
new file mode 100644
index 00000000000..60533da8dca
--- /dev/null
+++ b/queue-3.18/arm64-disable-unhandled-signal-log-messages-by-default.patch
@@ -0,0 +1,59 @@
+From 5ee39a71fd89ab7240c5339d04161c44a8e03269 Mon Sep 17 00:00:00 2001
+From: Michael Weiser
+Date: Thu, 1 Feb 2018 23:13:38 +0100
+Subject: arm64: Disable unhandled signal log messages by default
+
+From: Michael Weiser
+
+commit 5ee39a71fd89ab7240c5339d04161c44a8e03269 upstream.
+
+aarch64 unhandled signal kernel messages are very verbose, suggesting
+them to be more of a debugging aid:
+
+sigsegv[33]: unhandled level 2 translation fault (11) at 0x00000000, esr
+0x92000046, in sigsegv[400000+71000]
+CPU: 1 PID: 33 Comm: sigsegv Tainted: G W 4.15.0-rc3+ #3
+Hardware name: linux,dummy-virt (DT)
+pstate: 60000000 (nZCv daif -PAN -UAO)
+pc : 0x4003f4
+lr : 0x4006bc
+sp : 0000fffffe94a060
+x29: 0000fffffe94a070 x28: 0000000000000000
+x27: 0000000000000000 x26: 0000000000000000
+x25: 0000000000000000 x24: 00000000004001b0
+x23: 0000000000486ac8 x22: 00000000004001c8
+x21: 0000000000000000 x20: 0000000000400be8
+x19: 0000000000400b30 x18: 0000000000484728
+x17: 000000000865ffc8 x16: 000000000000270f
+x15: 00000000000000b0 x14: 0000000000000002
+x13: 0000000000000001 x12: 0000000000000000
+x11: 0000000000000000 x10: 0008000020008008
+x9 : 000000000000000f x8 : ffffffffffffffff
+x7 : 0004000000000000 x6 : ffffffffffffffff
+x5 : 0000000000000000 x4 : 0000000000000000
+x3 : 00000000004003e4 x2 : 0000fffffe94a1e8
+x1 : 000000000000000a x0 : 0000000000000000
+
+Disable them by default, so they can be enabled using
+/proc/sys/debug/exception-trace.
+
+Cc:
+Signed-off-by: Michael Weiser
+Signed-off-by: Will Deacon
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm64/kernel/traps.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/kernel/traps.c
++++ b/arch/arm64/kernel/traps.c
+@@ -45,7 +45,7 @@ static const char *handler[]= {
+ "Error"
+ };
+
+-int show_unhandled_signals = 1;
++int show_unhandled_signals = 0;
+
+ /*
+ * Dump out the contents of some memory nicely...
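Review bot: `int show_unhandled_signals = 0;` in arch/arm64/kernel/traps.c carries no comment saying that these messages are now off by default or where to turn them back on, so the only record of the knob is the commit message. I would add `/* Off by default; enable through /proc/sys/debug/exception-trace. */` above the definition. Operators who relied on these lines to notice crashing user processes lose that signal after the backport unless they set the sysctl, which deserves a line in the stable release notes.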
diff --git a/queue-3.18/cfg80211-fix-cfg80211_beacon_dup.patch b/queue-3.18/cfg80211-fix-cfg80211_beacon_dup.patch
new file mode 100644
index 00000000000..282e9e2d882
--- /dev/null
+++ b/queue-3.18/cfg80211-fix-cfg80211_beacon_dup.patch
@@ -0,0 +1,38 @@
+From bee92d06157fc39d5d7836a061c7d41289a55797 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann
+Date: Fri, 2 Feb 2018 16:31:23 +0100
+Subject: cfg80211: fix cfg80211_beacon_dup
+
+From: Arnd Bergmann
+
+commit bee92d06157fc39d5d7836a061c7d41289a55797 upstream.
+
+gcc-8 warns about some obviously incorrect code:
+
+net/mac80211/cfg.c: In function 'cfg80211_beacon_dup':
+net/mac80211/cfg.c:2896:3: error: 'memcpy' source argument is the same as destination [-Werror=restrict]
+
+From the context, I conclude that we want to copy from beacon into
+new_beacon, as we do in the rest of the function.
+
+Cc: stable@vger.kernel.org
+Fixes: 73da7d5bab79 ("mac80211: add channel switch command and beacon callbacks")
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/mac80211/cfg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -2769,7 +2769,7 @@ cfg80211_beacon_dup(struct cfg80211_beac
+ }
+ if (beacon->probe_resp_len) {
+ new_beacon->probe_resp_len = beacon->probe_resp_len;
+- beacon->probe_resp = pos;
++ new_beacon->probe_resp = pos;
+ memcpy(pos, beacon->probe_resp, beacon->probe_resp_len);
+ pos += beacon->probe_resp_len;
+ }
diff --git a/queue-3.18/iio-adis_lib-initialize-trigger-before-requesting-interrupt.patch b/queue-3.18/iio-adis_lib-initialize-trigger-before-requesting-interrupt.patch
new file mode 100644
index 00000000000..9aaa65fbacf
--- /dev/null
+++ b/queue-3.18/iio-adis_lib-initialize-trigger-before-requesting-interrupt.patch
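Review bot: The `probe_resp` stanza in `cfg80211_beacon_dup()` is a hand-copied length / pointer / `memcpy` / advance sequence, and the commit message says the rest of the function has the same shape, which is how `beacon->probe_resp = pos;` could stand in for `new_beacon->probe_resp = pos;` unnoticed. A small local helper or macro that names the field once would remove that class of slip; the other stanzas and the allocation that sizes `pos` are outside the hunk, so I cannot confirm they are consistent. For backport triage, note that the old line wrote into the caller's source `beacon` and, within this stanza, never set `new_beacon->probe_resp` although `probe_resp_len` was non-zero, so this is a pointer/length mismatch fix and not only a warning cleanup.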
@@ -0,0 +1,97 @@
+From f027e0b3a774e10302207e91d304bbf99e3a8b36 Mon Sep 17 00:00:00 2001
+From: Lars-Peter Clausen
+Date: Wed, 14 Feb 2018 15:43:00 +0100
+Subject: iio: adis_lib: Initialize trigger before requesting interrupt
+
+From: Lars-Peter Clausen
+
+commit f027e0b3a774e10302207e91d304bbf99e3a8b36 upstream.
+
+The adis_probe_trigger() creates a new IIO trigger and requests an
+interrupt associated with the trigger. The interrupt uses the generic
+iio_trigger_generic_data_rdy_poll() function as its interrupt handler.
+
+Currently the driver initializes some fields of the trigger structure after
+the interrupt has been requested. But an interrupt can fire as soon as it
+has been requested. This opens up a race condition.
+
+iio_trigger_generic_data_rdy_poll() will access the trigger data structure
+and dereference the ops field. If the ops field is not yet initialized this
+will result in a NULL pointer deref.
+
+It is not expected that the device generates an interrupt at this point, so
+typically this issue did not surface unless e.g. due to a hardware
+misconfiguration (wrong interrupt number, wrong polarity, etc.).
+
+But some newer devices from the ADIS family start to generate periodic
+interrupts in their power-on reset configuration and unfortunately the
+interrupt can not be masked in the device. This makes the race condition
+much more visible and the following crash has been observed occasionally
+when booting a system using the ADIS16460.
+
+ Unable to handle kernel NULL pointer dereference at virtual address 00000008
+ pgd = c0004000
+ [00000008] *pgd=00000000
+ Internal error: Oops: 5 [#1] PREEMPT SMP ARM
+ Modules linked in:
+ CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.9.0-04126-gf9739f0-dirty #257
+ Hardware name: Xilinx Zynq Platform
+ task: ef04f640 task.stack: ef050000
+ PC is at iio_trigger_notify_done+0x30/0x68
+ LR is at iio_trigger_generic_data_rdy_poll+0x18/0x20
+ pc : [] lr : [] psr: 60000193
+ sp : ef051bb8 ip : 00000000 fp : ef106400
+ r10: c081d80a r9 : ef3bfa00 r8 : 00000087
+ r7 : ef051bec r6 : 00000000 r5 : ef3bfa00 r4 : ee92ab00
+ r3 : 00000000 r2 : 00000000 r1 : 00000000 r0 : ee97e400
+ Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment none
+ Control: 18c5387d Table: 0000404a DAC: 00000051
+ Process swapper/0 (pid: 1, stack limit = 0xef050210)
+ [] (iio_trigger_notify_done) from [] (__handle_irq_event_percpu+0x88/0x118)
+ [] (__handle_irq_event_percpu) from [] (handle_irq_event_percpu+0x1c/0x58)
+ [] (handle_irq_event_percpu) from [] (handle_irq_event+0x38/0x5c)
+ [] (handle_irq_event) from [] (handle_level_irq+0xa4/0x130)
+ [] (handle_level_irq) from [] (generic_handle_irq+0x24/0x34)
+ [] (generic_handle_irq) from [] (zynq_gpio_irqhandler+0xb8/0x13c)
+ [] (zynq_gpio_irqhandler) from [] (generic_handle_irq+0x24/0x34)
+ [] (generic_handle_irq) from [] (__handle_domain_irq+0x5c/0xb4)
+ [] (__handle_domain_irq) from [] (gic_handle_irq+0x48/0x8c)
+ [] (gic_handle_irq) from [] (__irq_svc+0x6c/0xa8)
+
+To fix this make sure that the trigger is fully initialized before
+requesting the interrupt.
+
+Fixes: ccd2b52f4ac6 ("staging:iio: Add common ADIS library")
+Reported-by: Robin Getz
+Signed-off-by: Lars-Peter Clausen
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iio/imu/adis_trigger.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/iio/imu/adis_trigger.c
++++ b/drivers/iio/imu/adis_trigger.c
+@@ -47,6 +47,10 @@ int adis_probe_trigger(struct adis *adis
+ if (adis->trig == NULL)
+ return -ENOMEM;
+
++ adis->trig->dev.parent = &adis->spi->dev;
++ adis->trig->ops = &adis_trigger_ops;
++ iio_trigger_set_drvdata(adis->trig, adis);
++
+ ret = request_irq(adis->spi->irq,
+ &iio_trigger_generic_data_rdy_poll,
+ IRQF_TRIGGER_RISING,
+@@ -55,9 +59,6 @@ int adis_probe_trigger(struct adis *adis
+ if (ret)
+ goto error_free_trig;
+
+- adis->trig->dev.parent = &adis->spi->dev;
+- adis->trig->ops = &adis_trigger_ops;
+- iio_trigger_set_drvdata(adis->trig, adis);
+ ret = iio_trigger_register(adis->trig);
+
+ indio_dev->trig = iio_trigger_get(adis->trig);
diff --git a/queue-3.18/iio-buffer-check-if-a-buffer-has-been-set-up-when-poll-is-called.patch b/queue-3.18/iio-buffer-check-if-a-buffer-has-been-set-up-when-poll-is-called.patch
new file mode 100644
index 00000000000..b93c43a09e3
--- /dev/null
+++ b/queue-3.18/iio-buffer-check-if-a-buffer-has-been-set-up-when-poll-is-called.patch
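Review bot: In the second hunk of the adis_trigger.c change, `indio_dev->trig = iio_trigger_get(adis->trig);` follows `ret = iio_trigger_register(adis->trig);` with no test of `ret` between them, so as far as the hunk shows a reference is taken even when registration failed. The check presumably sits just below, outside the hunk; testing `ret` before the `iio_trigger_get()` line would keep a failed probe from leaving `indio_dev->trig` pointing at a trigger that the error path releases. The reordering itself matches the race described, and a one-line comment above the moved block, `/* must be set before request_irq(): the handler can run immediately */`, would stop a later cleanup from moving it back.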
@@ -0,0 +1,33 @@
+From 4cd140bda6494543f1c1b0ccceceaa44b676eef6 Mon Sep 17 00:00:00 2001
+From: Stefan Windfeldt-Prytz
+Date: Thu, 15 Feb 2018 15:02:53 +0100
+Subject: iio: buffer: check if a buffer has been set up when poll is called
+
+From: Stefan Windfeldt-Prytz
+
+commit 4cd140bda6494543f1c1b0ccceceaa44b676eef6 upstream.
+
+If no iio buffer has been set up and poll is called return 0.
+Without this check there will be a null pointer dereference when
+calling poll on a iio driver without an iio buffer.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Stefan Windfeldt-Prytz
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iio/industrialio-buffer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/industrialio-buffer.c
++++ b/drivers/iio/industrialio-buffer.c
+@@ -92,7 +92,7 @@ unsigned int iio_buffer_poll(struct file
+ struct iio_dev *indio_dev = filp->private_data;
+ struct iio_buffer *rb = indio_dev->buffer;
+
+- if (!indio_dev->info)
++ if (!indio_dev->info || rb == NULL)
+ return 0;
+
+ poll_wait(filp, &rb->pollq, wait);
diff --git a/queue-3.18/irqchip-gic-v3-use-wmb-instead-of-smb_wmb-in-gic_raise_softirq.patch b/queue-3.18/irqchip-gic-v3-use-wmb-instead-of-smb_wmb-in-gic_raise_softirq.patch
new file mode 100644
index 00000000000..5b4e9a92d2d
--- /dev/null
+++ b/queue-3.18/irqchip-gic-v3-use-wmb-instead-of-smb_wmb-in-gic_raise_softirq.patch
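Review bot: The new guard in `iio_buffer_poll()` mixes two null-test spellings in one condition, `!indio_dev->info || rb == NULL`; `!rb` would match the left operand. More important, the dereference it prevents (`&rb->pollq` in the `poll_wait()` call below) was reachable by any process able to open the device node and call poll(), so the other file operations that read `indio_dev->buffer` deserve the same guard; they are outside this hunk and I cannot tell whether they already have one. Returning 0 also means a poller on a buffer-less device never becomes ready, and if that is intended a short comment saying so would help.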
@@ -0,0 +1,40 @@
+From 21ec30c0ef5234fb1039cc7c7737d885bf875a9e Mon Sep 17 00:00:00 2001
+From: Shanker Donthineni
+Date: Wed, 31 Jan 2018 18:03:42 -0600
+Subject: irqchip/gic-v3: Use wmb() instead of smb_wmb() in gic_raise_softirq()
+
+From: Shanker Donthineni
+
+commit 21ec30c0ef5234fb1039cc7c7737d885bf875a9e upstream.
+
+A DMB instruction can be used to ensure the relative order of only
+memory accesses before and after the barrier. Since writes to system
+registers are not memory operations, barrier DMB is not sufficient
+for observability of memory accesses that occur before ICC_SGI1R_EL1
+writes.
+
+A DSB instruction ensures that no instructions that appear in program
+order after the DSB instruction, can execute until the DSB instruction
+has completed.
+
+Cc: stable@vger.kernel.org
+Acked-by: Will Deacon ,
+Signed-off-by: Shanker Donthineni
+Signed-off-by: Marc Zyngier
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/irqchip/irq-gic-v3.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/irqchip/irq-gic-v3.c
++++ b/drivers/irqchip/irq-gic-v3.c
+@@ -503,7 +503,7 @@ static void gic_raise_softirq(const stru
+ * Ensure that stores to Normal memory are visible to the
+ * other CPUs before issuing the IPI.
+ */
+- smp_wmb();
++ wmb();
+
+ for_each_cpu_mask(cpu, *mask) {
+ u64 cluster_id = cpu_logical_map(cpu) & ~0xffUL;
diff --git a/queue-3.18/scsi-ibmvfc-fix-misdefined-reserved-field-in-ibmvfc_fcp_rsp_info.patch b/queue-3.18/scsi-ibmvfc-fix-misdefined-reserved-field-in-ibmvfc_fcp_rsp_info.patch
new file mode 100644
index 00000000000..8b08330a60e
--- /dev/null
+++ b/queue-3.18/scsi-ibmvfc-fix-misdefined-reserved-field-in-ibmvfc_fcp_rsp_info.patch
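Review bot: The comment kept above the barrier in `gic_raise_softirq()` still only says that stores must be visible before the IPI, which reads as if `smp_wmb()` were enough, so the reason for the stronger `wmb()` lives only in the commit message. I would extend the comment with a line such as `* A DSB (wmb) is required: the SGI is raised by a system register write, which a DMB (smp_wmb) does not order against earlier stores.` so that a later cleanup does not weaken the barrier again. The function continues past the end of the hunk, so I have not looked at what follows the register writes.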
@@ -0,0 +1,42 @@
+From c39813652700f3df552b6557530f1e5f782dbe2f Mon Sep 17 00:00:00 2001
+From: Tyrel Datwyler
+Date: Tue, 23 Jan 2018 20:11:32 -0600
+Subject: scsi: ibmvfc: fix misdefined reserved field in ibmvfc_fcp_rsp_info
+
+From: Tyrel Datwyler
+
+commit c39813652700f3df552b6557530f1e5f782dbe2f upstream.
+
+The fcp_rsp_info structure as defined in the FC spec has an initial 3
+bytes reserved field. The ibmvfc driver mistakenly defined this field as
+4 bytes resulting in the rsp_code field being defined in what should be
+the start of the second reserved field and thus always being reported as
+zero by the driver.
+
+Ideally, we should wire ibmvfc up with libfc for the sake of code
+deduplication, and ease of maintaining standardized structures in a
+single place. However, for now simply fixup the definition in ibmvfc for
+backporting to distros on older kernels. Wiring up with libfc will be
+done in a followup patch.
+
+Cc:
+Reported-by: Hannes Reinecke
+Signed-off-by: Tyrel Datwyler
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/ibmvscsi/ibmvfc.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/ibmvscsi/ibmvfc.h
++++ b/drivers/scsi/ibmvscsi/ibmvfc.h
+@@ -366,7 +366,7 @@ enum ibmvfc_fcp_rsp_info_codes {
+ };
+
+ struct ibmvfc_fcp_rsp_info {
+- __be16 reserved;
++ u8 reserved[3];
+ u8 rsp_code;
+ u8 reserved2[4];
+ }__attribute__((packed, aligned (2)));
diff --git a/queue-3.18/series b/queue-3.18/series
index 4992c4689f4..a0e56b4927f 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
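Review bot: The description says the first reserved field was defined as 4 bytes, but the line removed in ibmvfc.h is `__be16 reserved;`, which is two bytes, so in this tree `rsp_code` moves from offset 2 to offset 3; the changelog should say that so the backport can be checked against the FC layout. Because the struct is `packed, aligned (2)`, its size should come out as 8 bytes both before and after, which means a wrong field offset cannot be caught by a size check alone. A compile-time assertion near the definition or in the driver's init path, for example `BUILD_BUG_ON(offsetof(struct ibmvfc_fcp_rsp_info, rsp_code) != 3);`, would pin the wire layout.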
@@ -1,2 +1,12 @@
 netfilter-drop-outermost-socket-lock-in-getsockopt.patch
 pci-keystone-fix-interrupt-controller-node-lookup.patch
+xtensa-fix-high-memory-reserved-memory-collision.patch
+scsi-ibmvfc-fix-misdefined-reserved-field-in-ibmvfc_fcp_rsp_info.patch
+cfg80211-fix-cfg80211_beacon_dup.patch
+iio-buffer-check-if-a-buffer-has-been-set-up-when-poll-is-called.patch
+iio-adis_lib-initialize-trigger-before-requesting-interrupt.patch
+x86-oprofile-fix-bogus-gcc-8-warning-in-nmi_setup.patch
+irqchip-gic-v3-use-wmb-instead-of-smb_wmb-in-gic_raise_softirq.patch
+arm64-disable-unhandled-signal-log-messages-by-default.patch
+usb-dwc3-gadget-set-maxpacket-size-for-ep0-in.patch
+usb-gadget-f_fs-process-all-descriptors-during-bind.patch
diff --git a/queue-3.18/usb-dwc3-gadget-set-maxpacket-size-for-ep0-in.patch b/queue-3.18/usb-dwc3-gadget-set-maxpacket-size-for-ep0-in.patch
new file mode 100644
index 00000000000..eae7bce4375
--- /dev/null
+++ b/queue-3.18/usb-dwc3-gadget-set-maxpacket-size-for-ep0-in.patch
@@ -0,0 +1,41 @@
+From 6180026341e852a250e1f97ebdcf71684a3c81b9 Mon Sep 17 00:00:00 2001
+From: Thinh Nguyen
+Date: Fri, 12 Jan 2018 18:18:05 -0800
+Subject: usb: dwc3: gadget: Set maxpacket size for ep0 IN
+
+From: Thinh Nguyen
+
+commit 6180026341e852a250e1f97ebdcf71684a3c81b9 upstream.
+
+There are 2 control endpoint structures for DWC3. However, the driver
+only updates the OUT direction control endpoint structure during
+ConnectDone event. DWC3 driver needs to update the endpoint max packet
+size for control IN endpoint as well. If the max packet size is not
+properly set, then the driver will incorrectly calculate the data
+transfer size and fail to send ZLP for HS/FS 3-stage control read
+transfer.
+
+The fix is simply to update the max packet size for the ep0 IN direction
+during ConnectDone event.
+
+Cc: stable@vger.kernel.org
+Fixes: 72246da40f37 ("usb: Introduce DesignWare USB3 DRD Driver")
+Signed-off-by: Thinh Nguyen
+Signed-off-by: Felipe Balbi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/dwc3/gadget.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -2345,6 +2345,8 @@ static void dwc3_gadget_conndone_interru
+ break;
+ }
+
++ dwc->eps[1]->endpoint.maxpacket = dwc->gadget.ep0->maxpacket;
++
+ /* Enable USB2 LPM Capability */
+
+ if ((dwc->revision > DWC3_REVISION_194A)
diff --git a/queue-3.18/usb-gadget-f_fs-process-all-descriptors-during-bind.patch b/queue-3.18/usb-gadget-f_fs-process-all-descriptors-during-bind.patch
new file mode 100644
index 00000000000..3ecb29dd595
--- /dev/null
+++ b/queue-3.18/usb-gadget-f_fs-process-all-descriptors-during-bind.patch
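Review bot: `dwc->eps[1]` in the added line is a bare index, and nothing at the call site says that slot 1 is the ep0 IN endpoint or that it is guaranteed to be allocated by the time the ConnectDone handler runs. A comment such as `/* eps[1] is ep0 IN; keep its maxpacket in sync with ep0 OUT */` would record the intent that is currently only in the commit message. The value copied from `dwc->gadget.ep0->maxpacket` depends on the switch that ends just above the hunk having already set it, which I cannot see from here.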
@@ -0,0 +1,55 @@
+From 6cf439e0d37463e42784271179c8a308fd7493c6 Mon Sep 17 00:00:00 2001
+From: Jack Pham
+Date: Wed, 24 Jan 2018 00:11:53 -0800
+Subject: usb: gadget: f_fs: Process all descriptors during bind
+
+From: Jack Pham
+
+commit 6cf439e0d37463e42784271179c8a308fd7493c6 upstream.
+
+During _ffs_func_bind(), the received descriptors are evaluated
+to prepare for binding with the gadget in order to allocate
+endpoints and optionally set up OS descriptors. However, the
+high- and super-speed descriptors are only parsed based on
+whether the gadget_is_dualspeed() and gadget_is_superspeed()
+calls are true, respectively.
+
+This is a problem in case a userspace program always provides
+all of the {full,high,super,OS} descriptors when configuring a
+function. Then, for example if a gadget device is not capable
+of SuperSpeed, the call to ffs_do_descs() for the SS descriptors
+is skipped, resulting in an incorrect offset calculation for
+the vla_ptr when moving on to the OS descriptors that follow.
+This causes ffs_do_os_descs() to fail as it is now looking at
+the SS descriptors' offset within the raw_descs buffer instead.
+
+_ffs_func_bind() should evaluate the descriptors unconditionally,
+so remove the checks for gadget speed.
+
+Fixes: f0175ab51993 ("usb: gadget: f_fs: OS descriptors support")
+Cc: stable@vger.kernel.org
+Co-Developed-by: Mayank Rana
+Signed-off-by: Mayank Rana
+Signed-off-by: Jack Pham
+Signed-off-by: Felipe Balbi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/gadget/function/f_fs.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -2727,10 +2727,8 @@ static int _ffs_func_bind(struct usb_con
+ struct ffs_data *ffs = func->ffs;
+
+ const int full = !!func->ffs->fs_descs_count;
+- const int high = gadget_is_dualspeed(func->gadget) &&
+- func->ffs->hs_descs_count;
+- const int super = gadget_is_superspeed(func->gadget) &&
+- func->ffs->ss_descs_count;
++ const int high = !!func->ffs->hs_descs_count;
++ const int super = !!func->ffs->ss_descs_count;
+
+ int fs_len, hs_len, ss_len, ret, i;
+
diff --git a/queue-3.18/x86-oprofile-fix-bogus-gcc-8-warning-in-nmi_setup.patch b/queue-3.18/x86-oprofile-fix-bogus-gcc-8-warning-in-nmi_setup.patch
new file mode 100644
index 00000000000..4c9fdaa4afe
--- /dev/null
+++ b/queue-3.18/x86-oprofile-fix-bogus-gcc-8-warning-in-nmi_setup.patch
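Review bot: The two new initialisers in `_ffs_func_bind()` spell out `func->ffs->hs_descs_count` and `func->ffs->ss_descs_count` although the line just above declares `struct ffs_data *ffs = func->ffs;`; `const int high = !!ffs->hs_descs_count;` and `const int super = !!ffs->ss_descs_count;` would read better (the unchanged `full` line has the same habit). The counts come from descriptors supplied by a userspace program, as the message says, and are now parsed whatever the controller supports. The remainder of the function lies outside this hunk, so it should be checked that high- and super-speed descriptor tables built this way are not later offered to a gadget that cannot run at those speeds.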
@@ -0,0 +1,68 @@
+From 85c615eb52222bc5fab6c7190d146bc59fac289e Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann
+Date: Tue, 20 Feb 2018 21:58:21 +0100
+Subject: x86/oprofile: Fix bogus GCC-8 warning in nmi_setup()
+
+From: Arnd Bergmann
+
+commit 85c615eb52222bc5fab6c7190d146bc59fac289e upstream.
+
+GCC-8 shows a warning for the x86 oprofile code that copies per-CPU
+data from CPU 0 to all other CPUs, which when building a non-SMP
+kernel turns into a memcpy() with identical source and destination
+pointers:
+
+ arch/x86/oprofile/nmi_int.c: In function 'mux_clone':
+ arch/x86/oprofile/nmi_int.c:285:2: error: 'memcpy' source argument is the same as destination [-Werror=restrict]
+ memcpy(per_cpu(cpu_msrs, cpu).multiplex,
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ per_cpu(cpu_msrs, 0).multiplex,
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ sizeof(struct op_msr) * model->num_virt_counters);
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ arch/x86/oprofile/nmi_int.c: In function 'nmi_setup':
+ arch/x86/oprofile/nmi_int.c:466:3: error: 'memcpy' source argument is the same as destination [-Werror=restrict]
+ arch/x86/oprofile/nmi_int.c:470:3: error: 'memcpy' source argument is the same as destination [-Werror=restrict]
+
+I have analyzed a number of such warnings now: some are valid and the
+GCC warning is welcome. Others turned out to be false-positives, and
+GCC was changed to not warn about those any more. This is a corner case
+that is a false-positive but the GCC developers feel it's better to keep
+warning about it.
+
+In this case, it seems best to work around it by telling GCC
+a little more clearly that this code path is never hit with
+an IS_ENABLED() configuration check.
+
+Cc:stable as we also want old kernels to build cleanly with GCC-8.
+
+Signed-off-by: Arnd Bergmann
+Cc: Jessica Yu
+Cc: Kees Cook
+Cc: Linus Torvalds
+Cc: Martin Sebor
+Cc: Peter Zijlstra
+Cc: Robert Richter
+Cc: Thomas Gleixner
+Cc: oprofile-list@lists.sf.net
+Cc: stable@vger.kernel.org
+Link: http://lkml.kernel.org/r/20180220205826.2008875-1-arnd@arndb.de
+Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=84095
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/oprofile/nmi_int.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/oprofile/nmi_int.c
++++ b/arch/x86/oprofile/nmi_int.c
+@@ -471,7 +471,7 @@ static int nmi_setup(void)
+ goto fail;
+
+ for_each_possible_cpu(cpu) {
+- if (!cpu)
++ if (!IS_ENABLED(CONFIG_SMP) || !cpu)
+ continue;
+
+ memcpy(per_cpu(cpu_msrs, cpu).counters,
diff --git a/queue-3.18/xtensa-fix-high-memory-reserved-memory-collision.patch b/queue-3.18/xtensa-fix-high-memory-reserved-memory-collision.patch
new file mode 100644
index 00000000000..b544f270282
--- /dev/null
+++ b/queue-3.18/xtensa-fix-high-memory-reserved-memory-collision.patch
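Review bot: `if (!IS_ENABLED(CONFIG_SMP) || !cpu)` in `nmi_setup()` has no comment, and nothing in the code says that the first operand exists only to stop GCC 8's `-Wrestrict` from seeing a self-copy on non-SMP builds, so it looks like redundant logic that a later cleanup could remove. I would add `/* !SMP: only CPU 0 exists; the explicit test keeps gcc-8 -Wrestrict quiet about memcpy(x, x) */` above it. The message also quotes a warning in `mux_clone()` at line 285, which this hunk does not touch; presumably it is covered because that call sits inside this loop, but the loop body runs past the end of the hunk, so a non-SMP build with GCC 8 should confirm it.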
@@ -0,0 +1,133 @@
+From 6ac5a11dc674bc5016ea716e8082fff61f524dc1 Mon Sep 17 00:00:00 2001
+From: Max Filippov
+Date: Tue, 13 Feb 2018 15:31:05 -0800
+Subject: xtensa: fix high memory/reserved memory collision
+
+From: Max Filippov
+
+commit 6ac5a11dc674bc5016ea716e8082fff61f524dc1 upstream.
+
+Xtensa memory initialization code frees high memory pages without
+checking whether they are in the reserved memory regions or not. That
+results in invalid value of totalram_pages and duplicate page usage by
+CMA and highmem. It produces a bunch of BUGs at startup looking like
+this:
+
+BUG: Bad page state in process swapper pfn:70800
+page:be60c000 count:0 mapcount:-127 mapping: (null) index:0x1
+flags: 0x80000000()
+raw: 80000000 00000000 00000001 ffffff80 00000000 be60c014 be60c014 0000000a
+page dumped because: nonzero mapcount
+Modules linked in:
+CPU: 0 PID: 1 Comm: swapper Tainted: G B 4.16.0-rc1-00015-g7928b2cbe55b-dirty #23
+Stack:
+ bd839d33 00000000 00000018 ba97b64c a106578c bd839d70 be60c000 00000000
+ a1378054 bd86a000 00000003 ba97b64c a1066166 bd839da0 be60c000 ffe00000
+ a1066b58 bd839dc0 be504000 00000000 000002f4 bd838000 00000000 0000001e
+Call Trace:
+ [] bad_page+0xac/0xd0
+ [] free_pages_check_bad+0x34/0x4c
+ [] __free_pages_ok+0xae/0x14c
+ [] __free_pages+0x30/0x64
+ [] init_cma_reserved_pageblock+0x35/0x44
+ [] cma_init_reserved_areas+0xf4/0x148
+ [] do_one_initcall+0x80/0xf8
+ [] kernel_init_freeable+0xda/0x13c
+ [] kernel_init+0x9/0xd0
+ [] ret_from_kernel_thread+0xc/0x18
+
+Only free high memory pages that are not reserved.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Max Filippov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/xtensa/mm/init.c | 70 +++++++++++++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 63 insertions(+), 7 deletions(-)
+
+--- a/arch/xtensa/mm/init.c
++++ b/arch/xtensa/mm/init.c
+@@ -307,19 +307,75 @@ void __init zones_init(void)
+ free_area_init_node(0, zones_size, ARCH_PFN_OFFSET, NULL);
+ }
+
++#ifdef CONFIG_HIGHMEM
++static void __init free_area_high(unsigned long pfn, unsigned long end)
++{
++ for (; pfn < end; pfn++)
++ free_highmem_page(pfn_to_page(pfn));
++}
++
++static void __init free_highpages(void)
++{
++ unsigned long max_low = max_low_pfn;
++ struct memblock_region *mem, *res;
++
++ reset_all_zones_managed_pages();
++ /* set highmem page free */
++ for_each_memblock(memory, mem) {
++ unsigned long start = memblock_region_memory_base_pfn(mem);
++ unsigned long end = memblock_region_memory_end_pfn(mem);
++
++ /* Ignore complete lowmem entries */
++ if (end <= max_low)
++ continue;
++
++ if (memblock_is_nomap(mem))
++ continue;
++
++ /* Truncate partial highmem entries */
++ if (start < max_low)
++ start = max_low;
++
++ /* Find and exclude any reserved regions */
++ for_each_memblock(reserved, res) {
++ unsigned long res_start, res_end;
++
++ res_start = memblock_region_reserved_base_pfn(res);
++ res_end = memblock_region_reserved_end_pfn(res);
++
++ if (res_end < start)
++ continue;
++ if (res_start < start)
++ res_start = start;
++ if (res_start > end)
++ res_start = end;
++ if (res_end > end)
++ res_end = end;
++ if (res_start != start)
++ free_area_high(start, res_start);
++ start = res_end;
++ if (start == end)
++ break;
++ }
++
++ /* And now free anything which remains */
++ if (start < end)
++ free_area_high(start, end);
++ }
++}
++#else
++static void __init free_highpages(void)
++{
++}
++#endif
++
+ /*
+ * Initialize memory pages.
+ */
+
+ void __init mem_init(void)
+ {
+-#ifdef CONFIG_HIGHMEM
+- unsigned long tmp;
+-
+- reset_all_zones_managed_pages();
+- for (tmp = max_low_pfn; tmp < max_pfn; tmp++)
+- free_highmem_page(pfn_to_page(tmp));
+-#endif
++ free_highpages();
+
+ max_mapnr = max_pfn - ARCH_PFN_OFFSET;
+ high_memory = (void *)__va(max_low_pfn << PAGE_SHIFT);
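Review bot: The new `free_highpages()` depends on `memblock_is_nomap()`, `for_each_memblock()` and the `memblock_region_*_pfn()` helpers, and nothing on this page shows that the 3.18 tree provides them or that xtensa in 3.18 registers its memory with memblock at all; as far as I know `memblock_is_nomap()` was added well after 3.18. An xtensa configuration with `CONFIG_HIGHMEM` should be built before this is released, and if the helper is missing the backport either needs the `memblock_is_nomap(mem)` test dropped or the patch left out of this queue. Separately, the exclusion loop is only correct if the reserved regions are visited in ascending order without overlap, since `start = res_end;` never moves backwards; a comment stating that assumption above `for_each_memblock(reserved, res)` would help.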