From: Sasha Levin Date: Wed, 17 Jun 2020 17:38:03 +0000 (-0400) Subject: Fixes for 4.4 X-Git-Tag: v5.7.4~4 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6ec73142e7abd50771783418b203dd84a3416b40;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.4 Signed-off-by: Sasha Levin --- diff --git a/queue-4.4/arm-8978-1-mm-make-act_mm-respect-thread_size.patch b/queue-4.4/arm-8978-1-mm-make-act_mm-respect-thread_size.patch new file mode 100644 index 00000000000..a684d3c435a --- /dev/null +++ b/queue-4.4/arm-8978-1-mm-make-act_mm-respect-thread_size.patch 
@@ -0,0 +1,65 @@ +From 9f063b3f22a18a0e02ea088deb3dfa26ad032dba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 May 2020 12:59:12 +0100 +Subject: ARM: 8978/1: mm: make act_mm() respect THREAD_SIZE + +From: Linus Walleij + +[ Upstream commit e1de94380af588bdf6ad6f0cc1f75004c35bc096 ] + +Recent work with KASan exposed the folling hard-coded bitmask +in arch/arm/mm/proc-macros.S: + + bic rd, sp, #8128 + bic rd, rd, #63 + +This forms the bitmask 0x1FFF that is coinciding with +(PAGE_SIZE << THREAD_SIZE_ORDER) - 1, this code was assuming +that THREAD_SIZE is always 8K (8192). + +As KASan was increasing THREAD_SIZE_ORDER to 2, I ran into +this bug. + +Fix it by this little oneline suggested by Ard: + + bic rd, sp, #(THREAD_SIZE - 1) & ~63 + +Where THREAD_SIZE is defined using THREAD_SIZE_ORDER. + +We have to also include since the THREAD_SIZE +expands to use the _AC() macro. + +Cc: Ard Biesheuvel +Cc: Florian Fainelli +Suggested-by: Ard Biesheuvel +Signed-off-by: Linus Walleij +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/mm/proc-macros.S | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/arm/mm/proc-macros.S b/arch/arm/mm/proc-macros.S +index e6bfdcc381f8..1da55d34f4d6 100644 +--- a/arch/arm/mm/proc-macros.S ++++ b/arch/arm/mm/proc-macros.S +@@ -4,6 +4,7 @@ + * VMA_VM_FLAGS + * VM_EXEC + */ ++#include + #include + #include + +@@ -30,7 +31,7 @@ + * act_mm - get current->active_mm + */ + .macro act_mm, rd +- bic \rd, sp, #8128 ++ bic \rd, sp, #(THREAD_SIZE - 1) & ~63 + bic \rd, \rd, #63 + ldr \rd, [\rd, #TI_TASK] + ldr \rd, [\rd, #TSK_ACTIVE_MM] +-- +2.25.1 + diff --git a/queue-4.4/bluetooth-add-sco-fallback-for-invalid-lmp-parameter.patch b/queue-4.4/bluetooth-add-sco-fallback-for-invalid-lmp-parameter.patch new file mode 100644 index 00000000000..9e0816adf4b --- /dev/null +++ b/queue-4.4/bluetooth-add-sco-fallback-for-invalid-lmp-parameter.patch 
@@ -0,0 +1,113 @@ +From f632ddb46ed044a6edbc114872100bce49eb53af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 May 2020 17:27:04 +0800 +Subject: Bluetooth: Add SCO fallback for invalid LMP parameters error + +From: Hsin-Yu Chao + +[ Upstream commit 56b5453a86203a44726f523b4133c1feca49ce7c ] + +Bluetooth PTS test case HFP/AG/ACC/BI-12-I accepts SCO connection +with invalid parameter at the first SCO request expecting AG to +attempt another SCO request with the use of "safe settings" for +given codec, base on section 5.7.1.2 of HFP 1.7 specification. + +This patch addresses it by adding "Invalid LMP Parameters" (0x1e) +to the SCO fallback case. Verified with below log: + +< HCI Command: Setup Synchronous Connection (0x01|0x0028) plen 17 + Handle: 256 + Transmit bandwidth: 8000 + Receive bandwidth: 8000 + Max latency: 13 + Setting: 0x0003 + Input Coding: Linear + Input Data Format: 1's complement + Input Sample Size: 8-bit + # of bits padding at MSB: 0 + Air Coding Format: Transparent Data + Retransmission effort: Optimize for link quality (0x02) + Packet type: 0x0380 + 3-EV3 may not be used + 2-EV5 may not be used + 3-EV5 may not be used +> HCI Event: Command Status (0x0f) plen 4 + Setup Synchronous Connection (0x01|0x0028) ncmd 1 + Status: Success (0x00) +> HCI Event: Number of Completed Packets (0x13) plen 5 + Num handles: 1 + Handle: 256 + Count: 1 +> HCI Event: Max Slots Change (0x1b) plen 3 + Handle: 256 + Max slots: 1 +> HCI Event: Synchronous Connect Complete (0x2c) plen 17 + Status: Invalid LMP Parameters / Invalid LL Parameters (0x1e) + Handle: 0 + Address: 00:1B:DC:F2:21:59 (OUI 00-1B-DC) + Link type: eSCO (0x02) + Transmission interval: 0x00 + Retransmission window: 0x02 + RX packet length: 0 + TX packet length: 0 + Air mode: Transparent (0x03) +< HCI Command: Setup Synchronous Connection (0x01|0x0028) plen 17 + Handle: 256 + Transmit bandwidth: 8000 + Receive bandwidth: 8000 + Max latency: 8 + Setting: 0x0003 + Input Coding: Linear + Input 
Data Format: 1's complement + Input Sample Size: 8-bit + # of bits padding at MSB: 0 + Air Coding Format: Transparent Data + Retransmission effort: Optimize for link quality (0x02) + Packet type: 0x03c8 + EV3 may be used + 2-EV3 may not be used + 3-EV3 may not be used + 2-EV5 may not be used + 3-EV5 may not be used +> HCI Event: Command Status (0x0f) plen 4 + Setup Synchronous Connection (0x01|0x0028) ncmd 1 + Status: Success (0x00) +> HCI Event: Max Slots Change (0x1b) plen 3 + Handle: 256 + Max slots: 5 +> HCI Event: Max Slots Change (0x1b) plen 3 + Handle: 256 + Max slots: 1 +> HCI Event: Synchronous Connect Complete (0x2c) plen 17 + Status: Success (0x00) + Handle: 257 + Address: 00:1B:DC:F2:21:59 (OUI 00-1B-DC) + Link type: eSCO (0x02) + Transmission interval: 0x06 + Retransmission window: 0x04 + RX packet length: 30 + TX packet length: 30 + Air mode: Transparent (0x03) + +Signed-off-by: Hsin-Yu Chao +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_event.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index 37fe2b158c2a..1d957c7f1783 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -3761,6 +3761,7 @@ static void hci_sync_conn_complete_evt(struct hci_dev *hdev, + case 0x11: /* Unsupported Feature or Parameter Value */ + case 0x1c: /* SCO interval rejected */ + case 0x1a: /* Unsupported Remote Feature */ ++ case 0x1e: /* Invalid LMP Parameters */ + case 0x1f: /* Unspecified error */ + case 0x20: /* Unsupported LMP Parameter value */ + if (conn->out) { +-- +2.25.1 + diff --git a/queue-4.4/btrfs-do-not-ignore-error-from-btrfs_next_leaf-when-.patch b/queue-4.4/btrfs-do-not-ignore-error-from-btrfs_next_leaf-when-.patch new file mode 100644 index 00000000000..1b553d0201f --- /dev/null +++ b/queue-4.4/btrfs-do-not-ignore-error-from-btrfs_next_leaf-when-.patch 
@@ -0,0 +1,49 @@ +From 05ff45649d5dde3539a1a383aeae0dbb9f4d2a87 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 May 2020 12:15:09 +0100 +Subject: btrfs: do not ignore error from btrfs_next_leaf() when inserting + checksums + +From: Filipe Manana + +[ Upstream commit 7e4a3f7ed5d54926ec671bbb13e171cfe179cc50 ] + +We are currently treating any non-zero return value from btrfs_next_leaf() +the same way, by going to the code that inserts a new checksum item in the +tree. However if btrfs_next_leaf() returns an error (a value < 0), we +should just stop and return the error, and not behave as if nothing has +happened, since in that case we do not have a way to know if there is a +next leaf or we are currently at the last leaf already. + +So fix that by returning the error from btrfs_next_leaf(). + +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/file-item.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/fs/btrfs/file-item.c b/fs/btrfs/file-item.c +index 58ece6558430..fb5c97ea670f 100644 +--- a/fs/btrfs/file-item.c ++++ b/fs/btrfs/file-item.c +@@ -742,10 +742,12 @@ again: + nritems = btrfs_header_nritems(path->nodes[0]); + if (!nritems || (path->slots[0] >= nritems - 1)) { + ret = btrfs_next_leaf(root, path); +- if (ret == 1) ++ if (ret < 0) { ++ goto out; ++ } else if (ret > 0) { + found_next = 1; +- if (ret != 0) + goto insert; ++ } + slot = path->slots[0]; + } + btrfs_item_key_to_cpu(path->nodes[0], &found_key, slot); +-- +2.25.1 + diff --git a/queue-4.4/clocksource-dw_apb_timer_of-fix-missing-clockevent-t.patch b/queue-4.4/clocksource-dw_apb_timer_of-fix-missing-clockevent-t.patch new file mode 100644 index 00000000000..20ad216527d --- /dev/null +++ b/queue-4.4/clocksource-dw_apb_timer_of-fix-missing-clockevent-t.patch 
@@ -0,0 +1,73 @@ +From a72e8bb3fa367c496ad193acd45c820d1bbbc1a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 May 2020 23:48:15 +0300 +Subject: clocksource: dw_apb_timer_of: Fix missing clockevent timers + +From: Serge Semin + +[ Upstream commit 6d2e16a3181bafb77b535095c39ad1c8b9558c8c ] + +Commit 100214889973 ("clocksource: dw_apb_timer_of: use +clocksource_of_init") replaced a publicly available driver +initialization method with one called by the timer_probe() method +available after CLKSRC_OF. In current implementation it traverses +all the timers available in the system and calls their initialization +methods if corresponding devices were either in dtb or in acpi. But +if before the commit any number of available timers would be installed +as clockevent and clocksource devices, after that there would be at most +two. The rest are just ignored since default case branch doesn't do +anything. I don't see a reason of such behaviour, neither the commit +message explains it. Moreover this might be wrong if on some platforms +these timers might be used for different purpose, as virtually CPU-local +clockevent timers and as an independent broadcast timer. So in order +to keep the compatibility with the platforms where the order of the +timers detection has some meaning, lets add the secondly discovered +timer to be of clocksource/sched_clock type, while the very first and +the others would provide the clockevents service. 
+ +Fixes: 100214889973 ("clocksource: dw_apb_timer_of: use clocksource_of_init") +Signed-off-by: Serge Semin +Cc: Alexey Malahov +Cc: Thomas Bogendoerfer +Cc: Paul Burton +Cc: Ralf Baechle +Cc: Alessandro Zummo +Cc: Alexandre Belloni +Cc: Arnd Bergmann +Cc: Rob Herring +Cc: linux-mips@vger.kernel.org +Cc: linux-rtc@vger.kernel.org +Cc: devicetree@vger.kernel.org +Signed-off-by: Daniel Lezcano +Link: https://lore.kernel.org/r/20200521204818.25436-7-Sergey.Semin@baikalelectronics.ru +Signed-off-by: Sasha Levin +--- + drivers/clocksource/dw_apb_timer_of.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/clocksource/dw_apb_timer_of.c b/drivers/clocksource/dw_apb_timer_of.c +index a19a3f619cc7..99e5fd59964b 100644 +--- a/drivers/clocksource/dw_apb_timer_of.c ++++ b/drivers/clocksource/dw_apb_timer_of.c +@@ -134,16 +134,14 @@ static int num_called; + static void __init dw_apb_timer_init(struct device_node *timer) + { + switch (num_called) { +- case 0: +- pr_debug("%s: found clockevent timer\n", __func__); +- add_clockevent(timer); +- break; + case 1: + pr_debug("%s: found clocksource timer\n", __func__); + add_clocksource(timer); + init_sched_clock(); + break; + default: ++ pr_debug("%s: found clockevent timer\n", __func__); ++ add_clockevent(timer); + break; + } + +-- +2.25.1 + diff --git a/queue-4.4/cpuidle-fix-three-reference-count-leaks.patch b/queue-4.4/cpuidle-fix-three-reference-count-leaks.patch new file mode 100644 index 00000000000..511e18b3e7c --- /dev/null +++ b/queue-4.4/cpuidle-fix-three-reference-count-leaks.patch 
@@ -0,0 +1,57 @@ +From 94edd28fdc57d40c732fd37f9a72d2a7e841643f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 May 2020 13:20:46 -0500 +Subject: cpuidle: Fix three reference count leaks + +From: Qiushi Wu + +[ Upstream commit c343bf1ba5efcbf2266a1fe3baefec9cc82f867f ] + +kobject_init_and_add() takes reference even when it fails. +If this function returns an error, kobject_put() must be called to +properly clean up the memory associated with the object. + +Previous commit "b8eb718348b8" fixed a similar problem. + +Signed-off-by: Qiushi Wu +[ rjw: Subject ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpuidle/sysfs.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/cpuidle/sysfs.c b/drivers/cpuidle/sysfs.c +index 9e98a5fbbc1d..e7e92ed34f0c 100644 +--- a/drivers/cpuidle/sysfs.c ++++ b/drivers/cpuidle/sysfs.c +@@ -412,7 +412,7 @@ static int cpuidle_add_state_sysfs(struct cpuidle_device *device) + ret = kobject_init_and_add(&kobj->kobj, &ktype_state_cpuidle, + &kdev->kobj, "state%d", i); + if (ret) { +- kfree(kobj); ++ kobject_put(&kobj->kobj); + goto error_state; + } + kobject_uevent(&kobj->kobj, KOBJ_ADD); +@@ -542,7 +542,7 @@ static int cpuidle_add_driver_sysfs(struct cpuidle_device *dev) + ret = kobject_init_and_add(&kdrv->kobj, &ktype_driver_cpuidle, + &kdev->kobj, "driver"); + if (ret) { +- kfree(kdrv); ++ kobject_put(&kdrv->kobj); + return ret; + } + +@@ -636,7 +636,7 @@ int cpuidle_add_sysfs(struct cpuidle_device *dev) + error = kobject_init_and_add(&kdev->kobj, &ktype_cpuidle, &cpu_dev->kobj, + "cpuidle"); + if (error) { +- kfree(kdev); ++ kobject_put(&kdev->kobj); + return error; + } + +-- +2.25.1 + diff --git a/queue-4.4/e1000-distribute-switch-variables-for-initialization.patch b/queue-4.4/e1000-distribute-switch-variables-for-initialization.patch new file mode 100644 index 00000000000..908df19717c --- /dev/null 
+++ b/queue-4.4/e1000-distribute-switch-variables-for-initialization.patch 
@@ -0,0 +1,67 @@ +From 952175a7b945c840f798bf33652034cb6654c0fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Feb 2020 22:23:02 -0800 +Subject: e1000: Distribute switch variables for initialization +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kees Cook + +[ Upstream commit a34c7f5156654ebaf7eaace102938be7ff7036cb ] + +Variables declared in a switch statement before any case statements +cannot be automatically initialized with compiler instrumentation (as +they are not part of any execution flow). With GCC's proposed automatic +stack variable initialization feature, this triggers a warning (and they +don't get initialized). Clang's automatic stack variable initialization +(via CONFIG_INIT_STACK_ALL=y) doesn't throw a warning, but it also +doesn't initialize such variables[1]. Note that these warnings (or silent +skipping) happen before the dead-store elimination optimization phase, +so even when the automatic initializations are later elided in favor of +direct initializations, the warnings remain. + +To avoid these problems, move such variables into the "case" where +they're used or lift them up into the main function body. 
+ +drivers/net/ethernet/intel/e1000/e1000_main.c: In function ‘e1000_xmit_frame’: +drivers/net/ethernet/intel/e1000/e1000_main.c:3143:18: warning: statement will never be executed [-Wswitch-unreachable] + 3143 | unsigned int pull_size; + | ^~~~~~~~~ + +[1] https://bugs.llvm.org/show_bug.cgi?id=44916 + +Signed-off-by: Kees Cook +Tested-by: Aaron Brown +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/e1000/e1000_main.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/e1000/e1000_main.c b/drivers/net/ethernet/intel/e1000/e1000_main.c +index 1f84f2fa459f..f958188207fd 100644 +--- a/drivers/net/ethernet/intel/e1000/e1000_main.c ++++ b/drivers/net/ethernet/intel/e1000/e1000_main.c +@@ -3162,8 +3162,9 @@ static netdev_tx_t e1000_xmit_frame(struct sk_buff *skb, + hdr_len = skb_transport_offset(skb) + tcp_hdrlen(skb); + if (skb->data_len && hdr_len == len) { + switch (hw->mac_type) { ++ case e1000_82544: { + unsigned int pull_size; +- case e1000_82544: ++ + /* Make sure we have room to chop off 4 bytes, + * and that the end alignment will work out to + * this hardware's requirements +@@ -3184,6 +3185,7 @@ static netdev_tx_t e1000_xmit_frame(struct sk_buff *skb, + } + len = skb_headlen(skb); + break; ++ } + default: + /* do nothing */ + break; +-- +2.25.1 + diff --git a/queue-4.4/ixgbe-fix-signed-integer-overflow-warning.patch b/queue-4.4/ixgbe-fix-signed-integer-overflow-warning.patch new file mode 100644 index 00000000000..909040bf9f5 --- /dev/null +++ b/queue-4.4/ixgbe-fix-signed-integer-overflow-warning.patch 
@@ -0,0 +1,56 @@ +From 67a5898725af2cd57371a74978751f0040000013 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 May 2020 10:45:21 +0800 +Subject: ixgbe: fix signed-integer-overflow warning + +From: Xie XiuQi + +[ Upstream commit 3b70683fc4d68f5d915d9dc7e5ba72c732c7315c ] + +ubsan report this warning, fix it by adding a unsigned suffix. + +UBSAN: signed-integer-overflow in +drivers/net/ethernet/intel/ixgbe/ixgbe_common.c:2246:26 +65535 * 65537 cannot be represented in type 'int' +CPU: 21 PID: 7 Comm: kworker/u256:0 Not tainted 5.7.0-rc3-debug+ #39 +Hardware name: Huawei TaiShan 2280 V2/BC82AMDC, BIOS 2280-V2 03/27/2020 +Workqueue: ixgbe ixgbe_service_task [ixgbe] +Call trace: + dump_backtrace+0x0/0x3f0 + show_stack+0x28/0x38 + dump_stack+0x154/0x1e4 + ubsan_epilogue+0x18/0x60 + handle_overflow+0xf8/0x148 + __ubsan_handle_mul_overflow+0x34/0x48 + ixgbe_fc_enable_generic+0x4d0/0x590 [ixgbe] + ixgbe_service_task+0xc20/0x1f78 [ixgbe] + process_one_work+0x8f0/0xf18 + worker_thread+0x430/0x6d0 + kthread+0x218/0x238 + ret_from_fork+0x10/0x18 + +Reported-by: Hulk Robot +Signed-off-by: Xie XiuQi +Tested-by: Andrew Bowers +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ixgbe/ixgbe_common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c +index cd2afe92f1da..e10808b3d118 100644 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c +@@ -2185,7 +2185,7 @@ s32 ixgbe_fc_enable_generic(struct ixgbe_hw *hw) + } + + /* Configure pause time (2 TCs per register) */ +- reg = hw->fc.pause_time * 0x00010001; ++ reg = hw->fc.pause_time * 0x00010001U; + for (i = 0; i < (MAX_TRAFFIC_CLASS / 2); i++) + IXGBE_WRITE_REG(hw, IXGBE_FCTTV(i), reg); + +-- +2.25.1 + 
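Review bot: In ixgbe_fc_enable_generic(), the fixed line `reg = hw->fc.pause_time * 0x00010001U;` is only safe if pause_time never exceeds 16 bits, and nothing at that line says so. The UBSAN report in the commit message shows the operand at 65535, where the unsigned product is exactly 0xFFFFFFFF and still fits in 32 bits. The type of pause_time is not visible in the hunk. If it is wider than 16 bits, a larger value would now wrap without any sanitizer report, because the multiplication is unsigned. Suggest extending the existing "Configure pause time (2 TCs per register)" comment to state that the multiply copies a 16-bit pause time into both halves of the register.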
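Review bot: In queue-4.4/cpuidle-fix-three-reference-count-leaks.patch, all three hunks against drivers/cpuidle/sysfs.c drop `kfree()` in favour of `kobject_put()` on the kobject_init_and_add() failure path, so the allocation is now released only if the release callbacks of ktype_state_cpuidle, ktype_driver_cpuidle and ktype_cpuidle free it, and none of those callbacks is shown. Please confirm against the 4.4 tree that each release function frees the containing object. If a release callback only signals a completion, the error path trades the reference leak for a leak of kobj, kdrv or kdev, and the kfree() has to stay after the put or move into the release function.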
diff --git a/queue-4.4/kgdb-fix-spurious-true-from-in_dbg_master.patch b/queue-4.4/kgdb-fix-spurious-true-from-in_dbg_master.patch new file mode 100644 index 00000000000..a56d77bfe70 --- /dev/null +++ b/queue-4.4/kgdb-fix-spurious-true-from-in_dbg_master.patch 
@@ -0,0 +1,47 @@ +From ef33651c2d9814a1c7e94a2a83774f51c992948f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 May 2020 17:42:23 +0100 +Subject: kgdb: Fix spurious true from in_dbg_master() + +From: Daniel Thompson + +[ Upstream commit 3fec4aecb311995189217e64d725cfe84a568de3 ] + +Currently there is a small window where a badly timed migration could +cause in_dbg_master() to spuriously return true. Specifically if we +migrate to a new core after reading the processor id and the previous +core takes a breakpoint then we will evaluate true if we read +kgdb_active before we get the IPI to bring us to halt. + +Fix this by checking irqs_disabled() first. Interrupts are always +disabled when we are executing the kgdb trap so this is an acceptable +prerequisite. This also allows us to replace raw_smp_processor_id() +with smp_processor_id() since the short circuit logic will prevent +warnings from PREEMPT_DEBUG. + +Fixes: dcc7871128e9 ("kgdb: core changes to support kdb") +Suggested-by: Will Deacon +Link: https://lore.kernel.org/r/20200506164223.2875760-1-daniel.thompson@linaro.org +Reviewed-by: Douglas Anderson +Signed-off-by: Daniel Thompson +Signed-off-by: Sasha Levin +--- + include/linux/kgdb.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/kgdb.h b/include/linux/kgdb.h +index e465bb15912d..6be5545d3584 100644 +--- a/include/linux/kgdb.h ++++ b/include/linux/kgdb.h +@@ -317,7 +317,7 @@ extern void gdbstub_exit(int status); + extern int kgdb_single_step; + extern atomic_t kgdb_active; + #define in_dbg_master() \ +- (raw_smp_processor_id() == atomic_read(&kgdb_active)) ++ (irqs_disabled() && (smp_processor_id() == atomic_read(&kgdb_active))) + extern bool dbg_is_early; + extern void __init dbg_late_init(void); + #else /* ! CONFIG_KGDB */ +-- +2.25.1 + 
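Review bot: The new in_dbg_master() in include/linux/kgdb.h is correct only because irqs_disabled() is evaluated before smp_processor_id(), and the macro has no comment recording that. The commit message relies on this short circuit twice: to close the migration window and to keep smp_processor_id() from triggering PREEMPT_DEBUG warnings. A one-line comment above the `#define` saying that the operand order must not be swapped would keep a later cleanup from reintroducing the spurious true result.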
diff --git a/queue-4.4/kgdb-prevent-infinite-recursive-entries-to-the-debug.patch b/queue-4.4/kgdb-prevent-infinite-recursive-entries-to-the-debug.patch new file mode 100644 index 00000000000..51e1da0e8ba --- /dev/null +++ b/queue-4.4/kgdb-prevent-infinite-recursive-entries-to-the-debug.patch @@ -0,0 +1,38 @@ +From 767d5dc30c2306fa9df5157184a62f0cda04aaa5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 May 2020 13:08:44 -0700 +Subject: kgdb: Prevent infinite recursive entries to the debugger + +From: Douglas Anderson + +[ Upstream commit 3ca676e4ca60d1834bb77535dafe24169cadacef ] + +If we detect that we recursively entered the debugger we should hack +our I/O ops to NULL so that the panic() in the next line won't +actually cause another recursion into the debugger. The first line of +kgdb_panic() will check this and return. + +Signed-off-by: Douglas Anderson +Reviewed-by: Daniel Thompson +Link: https://lore.kernel.org/r/20200507130644.v4.6.I89de39f68736c9de610e6f241e68d8dbc44bc266@changeid +Signed-off-by: Daniel Thompson +Signed-off-by: Sasha Levin +--- + kernel/debug/debug_core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/kernel/debug/debug_core.c b/kernel/debug/debug_core.c +index 79517e5549f1..9c939c6bf21c 100644 +--- a/kernel/debug/debug_core.c ++++ b/kernel/debug/debug_core.c +@@ -443,6 +443,7 @@ static int kgdb_reenter_check(struct kgdb_state *ks) + + if (exception_level > 1) { + dump_stack(); ++ kgdb_io_module_registered = false; + panic("Recursive entry to debugger"); + } + +-- +2.25.1 + diff --git a/queue-4.4/lib-mpi-fix-64-bit-mips-build-with-clang.patch b/queue-4.4/lib-mpi-fix-64-bit-mips-build-with-clang.patch new file mode 100644 index 00000000000..f02e78905d8 --- /dev/null +++ b/queue-4.4/lib-mpi-fix-64-bit-mips-build-with-clang.patch 
@@ -0,0 +1,69 @@ +From bd7f31330178dbebe7980ff1c1cb191a66df9fd5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Apr 2020 14:47:04 -0700 +Subject: lib/mpi: Fix 64-bit MIPS build with Clang + +From: Nathan Chancellor + +[ Upstream commit 18f1ca46858eac22437819937ae44aa9a8f9f2fa ] + +When building 64r6_defconfig with CONFIG_MIPS32_O32 disabled and +CONFIG_CRYPTO_RSA enabled: + +lib/mpi/generic_mpih-mul1.c:37:24: error: invalid use of a cast in a +inline asm context requiring an l-value: remove the cast +or build with -fheinous-gnu-extensions + umul_ppmm(prod_high, prod_low, s1_ptr[j], s2_limb); + ~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +lib/mpi/longlong.h:664:22: note: expanded from macro 'umul_ppmm' + : "=d" ((UDItype)(w0)) + ~~~~~~~~~~^~~ +lib/mpi/generic_mpih-mul1.c:37:13: error: invalid use of a cast in a +inline asm context requiring an l-value: remove the cast +or build with -fheinous-gnu-extensions + umul_ppmm(prod_high, prod_low, s1_ptr[j], s2_limb); + ~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +lib/mpi/longlong.h:668:22: note: expanded from macro 'umul_ppmm' + : "=d" ((UDItype)(w1)) + ~~~~~~~~~~^~~ +2 errors generated. + +This special case for umul_ppmm for MIPS64r6 was added in +commit bbc25bee37d2b ("lib/mpi: Fix umul_ppmm() for MIPS64r6"), due to +GCC being inefficient and emitting a __multi3 intrinsic. + +There is no such issue with clang; with this patch applied, I can build +this configuration without any problems and there are no link errors +like mentioned in the commit above (which I can still reproduce with +GCC 9.3.0 when that commit is reverted). Only use this definition when +GCC is being used. + +This really should have been caught by commit b0c091ae04f67 ("lib/mpi: +Eliminate unused umul_ppmm definitions for MIPS") when I was messing +around in this area but I was not testing 64-bit MIPS at the time. 
+ +Link: https://github.com/ClangBuiltLinux/linux/issues/885 +Reported-by: Dmitry Golovin +Signed-off-by: Nathan Chancellor +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + lib/mpi/longlong.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/mpi/longlong.h b/lib/mpi/longlong.h +index f1f31c754b3e..70f5cf8deab3 100644 +--- a/lib/mpi/longlong.h ++++ b/lib/mpi/longlong.h +@@ -671,7 +671,7 @@ do { \ + ************** MIPS/64 ************** + ***************************************/ + #if (defined(__mips) && __mips >= 3) && W_TYPE_SIZE == 64 +-#if defined(__mips_isa_rev) && __mips_isa_rev >= 6 ++#if defined(__mips_isa_rev) && __mips_isa_rev >= 6 && defined(CONFIG_CC_IS_GCC) + /* + * GCC ends up emitting a __multi3 intrinsic call for MIPS64r6 with the plain C + * code below, so we special case MIPS64r6 until the compiler can do better. +-- +2.25.1 + diff --git a/queue-4.4/m68k-mac-don-t-call-via_flush_cache-on-mac-iifx.patch b/queue-4.4/m68k-mac-don-t-call-via_flush_cache-on-mac-iifx.patch new file mode 100644 index 00000000000..e56c108bd73 --- /dev/null +++ b/queue-4.4/m68k-mac-don-t-call-via_flush_cache-on-mac-iifx.patch 
@@ -0,0 +1,171 @@ +From 59e308bf5278290735cf1079d7834d69a3b93d97 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 May 2020 14:32:02 +1000 +Subject: m68k: mac: Don't call via_flush_cache() on Mac IIfx + +From: Finn Thain + +[ Upstream commit bcc44f6b74106b31f0b0408b70305a40360d63b7 ] + +There is no VIA2 chip on the Mac IIfx, so don't call via_flush_cache(). +This avoids a boot crash which appeared in v5.4. + +printk: console [ttyS0] enabled +printk: bootconsole [debug0] disabled +printk: bootconsole [debug0] disabled +Calibrating delay loop... 9.61 BogoMIPS (lpj=48064) +pid_max: default: 32768 minimum: 301 +Mount-cache hash table entries: 1024 (order: 0, 4096 bytes, linear) +Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes, linear) +devtmpfs: initialized +random: get_random_u32 called from bucket_table_alloc.isra.27+0x68/0x194 with crng_init=0 +clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns +futex hash table entries: 256 (order: -1, 3072 bytes, linear) +NET: Registered protocol family 16 +Data read fault at 0x00000000 in Super Data (pc=0x8a6a) +BAD KERNEL BUSERR +Oops: 00000000 +Modules linked in: +PC: [<00008a6a>] via_flush_cache+0x12/0x2c +SR: 2700 SP: 01c1fe3c a2: 01c24000 +d0: 00001119 d1: 0000000c d2: 00012000 d3: 0000000f +d4: 01c06840 d5: 00033b92 a0: 00000000 a1: 00000000 +Process swapper (pid: 1, task=01c24000) +Frame format=B ssw=0755 isc=0200 isb=fff7 daddr=00000000 dobuf=01c1fed0 +baddr=00008a6e dibuf=0000004e ver=f +Stack from 01c1fec4: + 01c1fed0 00007d7e 00010080 01c1fedc 0000792e 00000001 01c1fef4 00006b40 + 01c80000 00040000 00000006 00000003 01c1ff1c 004a545e 004ff200 00040000 + 00000000 00000003 01c06840 00033b92 004a5410 004b6c88 01c1ff84 000021e2 + 00000073 00000003 01c06840 00033b92 0038507a 004bb094 004b6ca8 004b6c88 + 004b6ca4 004b6c88 000021ae 00020002 00000000 01c0685d 00000000 01c1ffb4 + 0049f938 00409c85 01c06840 0045bd40 00000073 00000002 00000002 00000000 +Call 
Trace: [<00007d7e>] mac_cache_card_flush+0x12/0x1c + [<00010080>] fix_dnrm+0x2/0x18 + [<0000792e>] cache_push+0x46/0x5a + [<00006b40>] arch_dma_prep_coherent+0x60/0x6e + [<00040000>] switched_to_dl+0x76/0xd0 + [<004a545e>] dma_atomic_pool_init+0x4e/0x188 + [<00040000>] switched_to_dl+0x76/0xd0 + [<00033b92>] parse_args+0x0/0x370 + [<004a5410>] dma_atomic_pool_init+0x0/0x188 + [<000021e2>] do_one_initcall+0x34/0x1be + [<00033b92>] parse_args+0x0/0x370 + [<0038507a>] strcpy+0x0/0x1e + [<000021ae>] do_one_initcall+0x0/0x1be + [<00020002>] do_proc_dointvec_conv+0x54/0x74 + [<0049f938>] kernel_init_freeable+0x126/0x190 + [<0049f94c>] kernel_init_freeable+0x13a/0x190 + [<004a5410>] dma_atomic_pool_init+0x0/0x188 + [<00041798>] complete+0x0/0x3c + [<000b9b0c>] kfree+0x0/0x20a + [<0038df98>] schedule+0x0/0xd0 + [<0038d604>] kernel_init+0x0/0xda + [<0038d610>] kernel_init+0xc/0xda + [<0038d604>] kernel_init+0x0/0xda + [<00002d38>] ret_from_kernel_thread+0xc/0x14 +Code: 0000 2079 0048 10da 2279 0048 10c8 d3c8 <1011> 0200 fff7 1280 d1f9 0048 10c8 1010 0000 0008 1080 4e5e 4e75 4e56 0000 2039 +Disabling lock debugging due to kernel taint +Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b + +Thanks to Stan Johnson for capturing the console log and running git +bisect. + +Git bisect said commit 8e3a68fb55e0 ("dma-mapping: make +dma_atomic_pool_init self-contained") is the first "bad" commit. I don't +know why. Perhaps mach_l2_flush first became reachable with that commit. 
+ +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-and-tested-by: Stan Johnson +Signed-off-by: Finn Thain +Cc: Joshua Thompson +Link: https://lore.kernel.org/r/b8bbeef197d6b3898e82ed0d231ad08f575a4b34.1589949122.git.fthain@telegraphics.com.au +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/m68k/include/asm/mac_via.h | 1 + + arch/m68k/mac/config.c | 21 ++------------------- + arch/m68k/mac/via.c | 6 +++++- + 3 files changed, 8 insertions(+), 20 deletions(-) + +diff --git a/arch/m68k/include/asm/mac_via.h b/arch/m68k/include/asm/mac_via.h +index 53c632c85b03..dff6db19ae4d 100644 +--- a/arch/m68k/include/asm/mac_via.h ++++ b/arch/m68k/include/asm/mac_via.h +@@ -256,6 +256,7 @@ extern int rbv_present,via_alt_mapping; + + struct irq_desc; + ++extern void via_l2_flush(int writeback); + extern void via_register_interrupts(void); + extern void via_irq_enable(int); + extern void via_irq_disable(int); +diff --git a/arch/m68k/mac/config.c b/arch/m68k/mac/config.c +index 689b47d292ac..c4be82cc07df 100644 +--- a/arch/m68k/mac/config.c ++++ b/arch/m68k/mac/config.c +@@ -60,7 +60,6 @@ extern void iop_preinit(void); + extern void iop_init(void); + extern void via_init(void); + extern void via_init_clock(irq_handler_t func); +-extern void via_flush_cache(void); + extern void oss_init(void); + extern void psc_init(void); + extern void baboon_init(void); +@@ -131,21 +130,6 @@ int __init mac_parse_bootinfo(const struct bi_record *record) + return unknown; + } + +-/* +- * Flip into 24bit mode for an instant - flushes the L2 cache card. We +- * have to disable interrupts for this. Our IRQ handlers will crap +- * themselves if they take an IRQ in 24bit mode! +- */ +- +-static void mac_cache_card_flush(int writeback) +-{ +- unsigned long flags; +- +- local_irq_save(flags); +- via_flush_cache(); +- local_irq_restore(flags); +-} +- + void __init config_mac(void) + { + if (!MACH_IS_MAC) +@@ -178,9 +162,8 @@ void __init config_mac(void) + * not. 
+ */ + +- if (macintosh_config->ident == MAC_MODEL_IICI +- || macintosh_config->ident == MAC_MODEL_IIFX) +- mach_l2_flush = mac_cache_card_flush; ++ if (macintosh_config->ident == MAC_MODEL_IICI) ++ mach_l2_flush = via_l2_flush; + } + + +diff --git a/arch/m68k/mac/via.c b/arch/m68k/mac/via.c +index 49f9fa4529a8..b4c40ed2099a 100644 +--- a/arch/m68k/mac/via.c ++++ b/arch/m68k/mac/via.c +@@ -299,10 +299,14 @@ void via_debug_dump(void) + * the system into 24-bit mode for an instant. + */ + +-void via_flush_cache(void) ++void via_l2_flush(int writeback) + { ++ unsigned long flags; ++ ++ local_irq_save(flags); + via2[gBufB] &= ~VIA2B_vMode32; + via2[gBufB] |= VIA2B_vMode32; ++ local_irq_restore(flags); + } + + /* +-- +2.25.1 + diff --git a/queue-4.4/macvlan-skip-loopback-packets-in-rx-handler.patch b/queue-4.4/macvlan-skip-loopback-packets-in-rx-handler.patch new file mode 100644 index 00000000000..2b5d0e938e0 --- /dev/null +++ b/queue-4.4/macvlan-skip-loopback-packets-in-rx-handler.patch 
@@ -0,0 +1,102 @@ +From 5cea65012c88e3509a0c38c740082350b68cf005 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 May 2020 14:27:51 +0200 +Subject: macvlan: Skip loopback packets in RX handler + +From: Alexander Sverdlin + +[ Upstream commit 81f3dc9349ce0bf7b8447f147f45e70f0a5b36a6 ] + +Ignore loopback-originatig packets soon enough and don't try to process L2 +header where it doesn't exist. The very similar br_handle_frame() in bridge +code performs exactly the same check. + +This is an example of such ICMPv6 packet: + +skb len=96 headroom=40 headlen=96 tailroom=56 +mac=(40,0) net=(40,40) trans=80 +shinfo(txflags=0 nr_frags=0 gso(size=0 type=0 segs=0)) +csum(0xae2e9a2f ip_summed=1 complete_sw=0 valid=0 level=0) +hash(0xc97ebd88 sw=1 l4=1) proto=0x86dd pkttype=5 iif=24 +dev name=etha01.212 feat=0x0x0000000040005000 +skb headroom: 00000000: 00 7c 86 52 84 88 ff ff 00 00 00 00 00 00 08 00 +skb headroom: 00000010: 45 00 00 9e 5d 5c 40 00 40 11 33 33 00 00 00 01 +skb headroom: 00000020: 02 40 43 80 00 00 86 dd +skb linear: 00000000: 60 09 88 bd 00 38 3a ff fe 80 00 00 00 00 00 00 +skb linear: 00000010: 00 40 43 ff fe 80 00 00 ff 02 00 00 00 00 00 00 +skb linear: 00000020: 00 00 00 00 00 00 00 01 86 00 61 00 40 00 00 2d +skb linear: 00000030: 00 00 00 00 00 00 00 00 03 04 40 e0 00 00 01 2c +skb linear: 00000040: 00 00 00 78 00 00 00 00 fd 5f 42 68 23 87 a8 81 +skb linear: 00000050: 00 00 00 00 00 00 00 00 01 01 02 40 43 80 00 00 +skb tailroom: 00000000: ... +skb tailroom: 00000010: ... +skb tailroom: 00000020: ... +skb tailroom: 00000030: ... + +Call Trace, how it happens exactly: + ... + macvlan_handle_frame+0x321/0x425 [macvlan] + ? macvlan_forward_source+0x110/0x110 [macvlan] + __netif_receive_skb_core+0x545/0xda0 + ? enqueue_task_fair+0xe5/0x8e0 + ? __netif_receive_skb_one_core+0x36/0x70 + __netif_receive_skb_one_core+0x36/0x70 + process_backlog+0x97/0x140 + net_rx_action+0x1eb/0x350 + ? 
__hrtimer_run_queues+0x136/0x2e0 + __do_softirq+0xe3/0x383 + do_softirq_own_stack+0x2a/0x40 + + do_softirq.part.4+0x4e/0x50 + netif_rx_ni+0x60/0xd0 + dev_loopback_xmit+0x83/0xf0 + ip6_finish_output2+0x575/0x590 [ipv6] + ? ip6_cork_release.isra.1+0x64/0x90 [ipv6] + ? __ip6_make_skb+0x38d/0x680 [ipv6] + ? ip6_output+0x6c/0x140 [ipv6] + ip6_output+0x6c/0x140 [ipv6] + ip6_send_skb+0x1e/0x60 [ipv6] + rawv6_sendmsg+0xc4b/0xe10 [ipv6] + ? proc_put_long+0xd0/0xd0 + ? rw_copy_check_uvector+0x4e/0x110 + ? sock_sendmsg+0x36/0x40 + sock_sendmsg+0x36/0x40 + ___sys_sendmsg+0x2b6/0x2d0 + ? proc_dointvec+0x23/0x30 + ? addrconf_sysctl_forward+0x8d/0x250 [ipv6] + ? dev_forward_change+0x130/0x130 [ipv6] + ? _raw_spin_unlock+0x12/0x30 + ? proc_sys_call_handler.isra.14+0x9f/0x110 + ? __call_rcu+0x213/0x510 + ? get_max_files+0x10/0x10 + ? trace_hardirqs_on+0x2c/0xe0 + ? __sys_sendmsg+0x63/0xa0 + __sys_sendmsg+0x63/0xa0 + do_syscall_64+0x6c/0x1e0 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Signed-off-by: Alexander Sverdlin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/macvlan.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c +index 0c4e1ef80355..73061bee35cd 100644 +--- a/drivers/net/macvlan.c ++++ b/drivers/net/macvlan.c +@@ -420,6 +420,10 @@ static rx_handler_result_t macvlan_handle_frame(struct sk_buff **pskb) + int ret; + rx_handler_result_t handle_res; + ++ /* Packets from dev_loopback_xmit() do not have L2 header, bail out */ ++ if (unlikely(skb->pkt_type == PACKET_LOOPBACK)) ++ return RX_HANDLER_PASS; ++ + port = macvlan_port_get_rcu(skb->dev); + if (is_multicast_ether_addr(eth->h_dest)) { + skb = ip_check_defrag(dev_net(skb->dev), skb, IP_DEFRAG_MACVLAN); +-- +2.25.1 + diff --git a/queue-4.4/md-don-t-flush-workqueue-unconditionally-in-md_open.patch b/queue-4.4/md-don-t-flush-workqueue-unconditionally-in-md_open.patch new file mode 100644 index 00000000000..edde657a117 --- /dev/null 
+++ b/queue-4.4/md-don-t-flush-workqueue-unconditionally-in-md_open.patch 
@@ -0,0 +1,163 @@ +From e21afc3a9eb5c966854cfccb781bd3ef1b45494e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Apr 2020 23:57:09 +0200 +Subject: md: don't flush workqueue unconditionally in md_open + +From: Guoqing Jiang + +[ Upstream commit f6766ff6afff70e2aaf39e1511e16d471de7c3ae ] + +We need to check mddev->del_work before flush workqueu since the purpose +of flush is to ensure the previous md is disappeared. Otherwise the similar +deadlock appeared if LOCKDEP is enabled, it is due to md_open holds the +bdev->bd_mutex before flush workqueue. + +kernel: [ 154.522645] ====================================================== +kernel: [ 154.522647] WARNING: possible circular locking dependency detected +kernel: [ 154.522650] 5.6.0-rc7-lp151.27-default #25 Tainted: G O +kernel: [ 154.522651] ------------------------------------------------------ +kernel: [ 154.522653] mdadm/2482 is trying to acquire lock: +kernel: [ 154.522655] ffff888078529128 ((wq_completion)md_misc){+.+.}, at: flush_workqueue+0x84/0x4b0 +kernel: [ 154.522673] +kernel: [ 154.522673] but task is already holding lock: +kernel: [ 154.522675] ffff88804efa9338 (&bdev->bd_mutex){+.+.}, at: __blkdev_get+0x79/0x590 +kernel: [ 154.522691] +kernel: [ 154.522691] which lock already depends on the new lock. 
+kernel: [ 154.522691] +kernel: [ 154.522694] +kernel: [ 154.522694] the existing dependency chain (in reverse order) is: +kernel: [ 154.522696] +kernel: [ 154.522696] -> #4 (&bdev->bd_mutex){+.+.}: +kernel: [ 154.522704] __mutex_lock+0x87/0x950 +kernel: [ 154.522706] __blkdev_get+0x79/0x590 +kernel: [ 154.522708] blkdev_get+0x65/0x140 +kernel: [ 154.522709] blkdev_get_by_dev+0x2f/0x40 +kernel: [ 154.522716] lock_rdev+0x3d/0x90 [md_mod] +kernel: [ 154.522719] md_import_device+0xd6/0x1b0 [md_mod] +kernel: [ 154.522723] new_dev_store+0x15e/0x210 [md_mod] +kernel: [ 154.522728] md_attr_store+0x7a/0xc0 [md_mod] +kernel: [ 154.522732] kernfs_fop_write+0x117/0x1b0 +kernel: [ 154.522735] vfs_write+0xad/0x1a0 +kernel: [ 154.522737] ksys_write+0xa4/0xe0 +kernel: [ 154.522745] do_syscall_64+0x64/0x2b0 +kernel: [ 154.522748] entry_SYSCALL_64_after_hwframe+0x49/0xbe +kernel: [ 154.522749] +kernel: [ 154.522749] -> #3 (&mddev->reconfig_mutex){+.+.}: +kernel: [ 154.522752] __mutex_lock+0x87/0x950 +kernel: [ 154.522756] new_dev_store+0xc9/0x210 [md_mod] +kernel: [ 154.522759] md_attr_store+0x7a/0xc0 [md_mod] +kernel: [ 154.522761] kernfs_fop_write+0x117/0x1b0 +kernel: [ 154.522763] vfs_write+0xad/0x1a0 +kernel: [ 154.522765] ksys_write+0xa4/0xe0 +kernel: [ 154.522767] do_syscall_64+0x64/0x2b0 +kernel: [ 154.522769] entry_SYSCALL_64_after_hwframe+0x49/0xbe +kernel: [ 154.522770] +kernel: [ 154.522770] -> #2 (kn->count#253){++++}: +kernel: [ 154.522775] __kernfs_remove+0x253/0x2c0 +kernel: [ 154.522778] kernfs_remove+0x1f/0x30 +kernel: [ 154.522780] kobject_del+0x28/0x60 +kernel: [ 154.522783] mddev_delayed_delete+0x24/0x30 [md_mod] +kernel: [ 154.522786] process_one_work+0x2a7/0x5f0 +kernel: [ 154.522788] worker_thread+0x2d/0x3d0 +kernel: [ 154.522793] kthread+0x117/0x130 +kernel: [ 154.522795] ret_from_fork+0x3a/0x50 +kernel: [ 154.522796] +kernel: [ 154.522796] -> #1 ((work_completion)(&mddev->del_work)){+.+.}: +kernel: [ 154.522800] process_one_work+0x27e/0x5f0 +kernel: [ 
154.522802] worker_thread+0x2d/0x3d0 +kernel: [ 154.522804] kthread+0x117/0x130 +kernel: [ 154.522806] ret_from_fork+0x3a/0x50 +kernel: [ 154.522807] +kernel: [ 154.522807] -> #0 ((wq_completion)md_misc){+.+.}: +kernel: [ 154.522813] __lock_acquire+0x1392/0x1690 +kernel: [ 154.522816] lock_acquire+0xb4/0x1a0 +kernel: [ 154.522818] flush_workqueue+0xab/0x4b0 +kernel: [ 154.522821] md_open+0xb6/0xc0 [md_mod] +kernel: [ 154.522823] __blkdev_get+0xea/0x590 +kernel: [ 154.522825] blkdev_get+0x65/0x140 +kernel: [ 154.522828] do_dentry_open+0x1d1/0x380 +kernel: [ 154.522831] path_openat+0x567/0xcc0 +kernel: [ 154.522834] do_filp_open+0x9b/0x110 +kernel: [ 154.522836] do_sys_openat2+0x201/0x2a0 +kernel: [ 154.522838] do_sys_open+0x57/0x80 +kernel: [ 154.522840] do_syscall_64+0x64/0x2b0 +kernel: [ 154.522842] entry_SYSCALL_64_after_hwframe+0x49/0xbe +kernel: [ 154.522844] +kernel: [ 154.522844] other info that might help us debug this: +kernel: [ 154.522844] +kernel: [ 154.522846] Chain exists of: +kernel: [ 154.522846] (wq_completion)md_misc --> &mddev->reconfig_mutex --> &bdev->bd_mutex +kernel: [ 154.522846] +kernel: [ 154.522850] Possible unsafe locking scenario: +kernel: [ 154.522850] +kernel: [ 154.522852] CPU0 CPU1 +kernel: [ 154.522853] ---- ---- +kernel: [ 154.522854] lock(&bdev->bd_mutex); +kernel: [ 154.522856] lock(&mddev->reconfig_mutex); +kernel: [ 154.522858] lock(&bdev->bd_mutex); +kernel: [ 154.522860] lock((wq_completion)md_misc); +kernel: [ 154.522861] +kernel: [ 154.522861] *** DEADLOCK *** +kernel: [ 154.522861] +kernel: [ 154.522864] 1 lock held by mdadm/2482: +kernel: [ 154.522865] #0: ffff88804efa9338 (&bdev->bd_mutex){+.+.}, at: __blkdev_get+0x79/0x590 +kernel: [ 154.522868] +kernel: [ 154.522868] stack backtrace: +kernel: [ 154.522873] CPU: 1 PID: 2482 Comm: mdadm Tainted: G O 5.6.0-rc7-lp151.27-default #25 +kernel: [ 154.522875] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 +kernel: [ 154.522878] Call 
Trace: +kernel: [ 154.522881] dump_stack+0x8f/0xcb +kernel: [ 154.522884] check_noncircular+0x194/0x1b0 +kernel: [ 154.522888] ? __lock_acquire+0x1392/0x1690 +kernel: [ 154.522890] __lock_acquire+0x1392/0x1690 +kernel: [ 154.522893] lock_acquire+0xb4/0x1a0 +kernel: [ 154.522895] ? flush_workqueue+0x84/0x4b0 +kernel: [ 154.522898] flush_workqueue+0xab/0x4b0 +kernel: [ 154.522900] ? flush_workqueue+0x84/0x4b0 +kernel: [ 154.522905] ? md_open+0xb6/0xc0 [md_mod] +kernel: [ 154.522908] md_open+0xb6/0xc0 [md_mod] +kernel: [ 154.522910] __blkdev_get+0xea/0x590 +kernel: [ 154.522912] ? bd_acquire+0xc0/0xc0 +kernel: [ 154.522914] blkdev_get+0x65/0x140 +kernel: [ 154.522916] ? bd_acquire+0xc0/0xc0 +kernel: [ 154.522918] do_dentry_open+0x1d1/0x380 +kernel: [ 154.522921] path_openat+0x567/0xcc0 +kernel: [ 154.522923] ? __lock_acquire+0x380/0x1690 +kernel: [ 154.522926] do_filp_open+0x9b/0x110 +kernel: [ 154.522929] ? __alloc_fd+0xe5/0x1f0 +kernel: [ 154.522935] ? kmem_cache_alloc+0x28c/0x630 +kernel: [ 154.522939] ? do_sys_openat2+0x201/0x2a0 +kernel: [ 154.522941] do_sys_openat2+0x201/0x2a0 +kernel: [ 154.522944] do_sys_open+0x57/0x80 +kernel: [ 154.522946] do_syscall_64+0x64/0x2b0 +kernel: [ 154.522948] entry_SYSCALL_64_after_hwframe+0x49/0xbe +kernel: [ 154.522951] RIP: 0033:0x7f98d279d9ae + +And md_alloc also flushed the same workqueue, but the thing is different +here. Because all the paths call md_alloc don't hold bdev->bd_mutex, and +the flush is necessary to avoid race condition, so leave it as it is. 
+ +Signed-off-by: Guoqing Jiang +Signed-off-by: Song Liu +Signed-off-by: Sasha Levin +--- + drivers/md/md.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/md/md.c b/drivers/md/md.c +index d59d79b77fd6..60161690e226 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -7038,7 +7038,8 @@ static int md_open(struct block_device *bdev, fmode_t mode) + */ + mddev_put(mddev); + /* Wait until bdev->bd_disk is definitely gone */ +- flush_workqueue(md_misc_wq); ++ if (work_pending(&mddev->del_work)) ++ flush_workqueue(md_misc_wq); + /* Then retry the open from the top */ + return -ERESTARTSYS; + } +-- +2.25.1 + diff --git a/queue-4.4/media-dvb-return-eremoteio-on-i2c-transfer-failure.patch b/queue-4.4/media-dvb-return-eremoteio-on-i2c-transfer-failure.patch new file mode 100644 index 00000000000..e748aaf4b93 --- /dev/null +++ b/queue-4.4/media-dvb-return-eremoteio-on-i2c-transfer-failure.patch 
@@ -0,0 +1,43 @@ +From 13e3886a36d85fb94ae2a3968e615bfc33090899 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Feb 2020 18:51:33 +0100 +Subject: media: dvb: return -EREMOTEIO on i2c transfer failure. + +From: Colin Ian King + +[ Upstream commit 96f3a9392799dd0f6472648a7366622ffd0989f3 ] + +Currently when i2c transfers fail the error return -EREMOTEIO +is assigned to err but then later overwritten when the tuner +attach call is made. Fix this by returning early with the +error return code -EREMOTEIO on i2c transfer failure errors. + +If the transfer fails, an uninitialized value will be read from b2. + +Addresses-Coverity: ("Unused value") + +Fixes: fbfee8684ff2 ("V4L/DVB (5651): Dibusb-mb: convert pll handling to properly use dvb-pll") +Signed-off-by: Colin Ian King +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb/dibusb-mb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/usb/dvb-usb/dibusb-mb.c b/drivers/media/usb/dvb-usb/dibusb-mb.c +index a4ac37e0e98b..d888e27dad3c 100644 +--- a/drivers/media/usb/dvb-usb/dibusb-mb.c ++++ b/drivers/media/usb/dvb-usb/dibusb-mb.c +@@ -84,7 +84,7 @@ static int dibusb_tuner_probe_and_attach(struct dvb_usb_adapter *adap) + + if (i2c_transfer(&adap->dev->i2c_adap, msg, 2) != 2) { + err("tuner i2c write failed."); +- ret = -EREMOTEIO; ++ return -EREMOTEIO; + } + + if (adap->fe_adap[0].fe->ops.i2c_gate_ctrl) +-- +2.25.1 + diff --git a/queue-4.4/mips-add-udelay-lpj-numbers-adjustment.patch b/queue-4.4/mips-add-udelay-lpj-numbers-adjustment.patch new file mode 100644 index 00000000000..abf0aa32fb0 --- /dev/null +++ b/queue-4.4/mips-add-udelay-lpj-numbers-adjustment.patch 
@@ -0,0 +1,127 @@ +From fd7ea93eb7457b9ba9747e6a6f76aca6af429824 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 May 2020 17:07:22 +0300 +Subject: mips: Add udelay lpj numbers adjustment + +From: Serge Semin + +[ Upstream commit ed26aacfb5f71eecb20a51c4467da440cb719d66 ] + +Loops-per-jiffies is a special number which represents a number of +noop-loop cycles per CPU-scheduler quantum - jiffies. As you +understand aside from CPU-specific implementation it depends on +the CPU frequency. So when a platform has the CPU frequency fixed, +we have no problem and the current udelay interface will work +just fine. But as soon as CPU-freq driver is enabled and the cores +frequency changes, we'll end up with distorted udelay's. In order +to fix this we have to accordinly adjust the per-CPU udelay_val +(the same as the global loops_per_jiffy) number. This can be done +in the CPU-freq transition event handler. We subscribe to that event +in the MIPS arch time-inititalization method. + +Co-developed-by: Alexey Malahov +Signed-off-by: Alexey Malahov +Signed-off-by: Serge Semin +Reviewed-by: Jiaxun Yang +Cc: Thomas Bogendoerfer +Cc: Paul Burton +Cc: Ralf Baechle +Cc: Arnd Bergmann +Cc: Rob Herring +Cc: devicetree@vger.kernel.org +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/kernel/time.c | 70 +++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 70 insertions(+) + +diff --git a/arch/mips/kernel/time.c b/arch/mips/kernel/time.c +index 8d0170969e22..345978cc105b 100644 +--- a/arch/mips/kernel/time.c ++++ b/arch/mips/kernel/time.c +@@ -22,12 +22,82 @@ + #include + #include + #include ++#include ++#include + + #include + #include + #include + #include + ++#ifdef CONFIG_CPU_FREQ ++ ++static DEFINE_PER_CPU(unsigned long, pcp_lpj_ref); ++static DEFINE_PER_CPU(unsigned long, pcp_lpj_ref_freq); ++static unsigned long glb_lpj_ref; ++static unsigned long glb_lpj_ref_freq; ++ ++static int cpufreq_callback(struct notifier_block *nb, ++ 
unsigned long val, void *data) ++{ ++ struct cpufreq_freqs *freq = data; ++ struct cpumask *cpus = freq->policy->cpus; ++ unsigned long lpj; ++ int cpu; ++ ++ /* ++ * Skip lpj numbers adjustment if the CPU-freq transition is safe for ++ * the loops delay. (Is this possible?) ++ */ ++ if (freq->flags & CPUFREQ_CONST_LOOPS) ++ return NOTIFY_OK; ++ ++ /* Save the initial values of the lpjes for future scaling. */ ++ if (!glb_lpj_ref) { ++ glb_lpj_ref = boot_cpu_data.udelay_val; ++ glb_lpj_ref_freq = freq->old; ++ ++ for_each_online_cpu(cpu) { ++ per_cpu(pcp_lpj_ref, cpu) = ++ cpu_data[cpu].udelay_val; ++ per_cpu(pcp_lpj_ref_freq, cpu) = freq->old; ++ } ++ } ++ ++ /* ++ * Adjust global lpj variable and per-CPU udelay_val number in ++ * accordance with the new CPU frequency. ++ */ ++ if ((val == CPUFREQ_PRECHANGE && freq->old < freq->new) || ++ (val == CPUFREQ_POSTCHANGE && freq->old > freq->new)) { ++ loops_per_jiffy = cpufreq_scale(glb_lpj_ref, ++ glb_lpj_ref_freq, ++ freq->new); ++ ++ for_each_cpu(cpu, cpus) { ++ lpj = cpufreq_scale(per_cpu(pcp_lpj_ref, cpu), ++ per_cpu(pcp_lpj_ref_freq, cpu), ++ freq->new); ++ cpu_data[cpu].udelay_val = (unsigned int)lpj; ++ } ++ } ++ ++ return NOTIFY_OK; ++} ++ ++static struct notifier_block cpufreq_notifier = { ++ .notifier_call = cpufreq_callback, ++}; ++ ++static int __init register_cpufreq_notifier(void) ++{ ++ return cpufreq_register_notifier(&cpufreq_notifier, ++ CPUFREQ_TRANSITION_NOTIFIER); ++} ++core_initcall(register_cpufreq_notifier); ++ ++#endif /* CONFIG_CPU_FREQ */ ++ + /* + * forward reference + */ +-- +2.25.1 + diff --git a/queue-4.4/mips-cm-fix-an-invalid-error-code-of-intvn_-_err.patch b/queue-4.4/mips-cm-fix-an-invalid-error-code-of-intvn_-_err.patch new file mode 100644 index 00000000000..6a27fa777c5 --- /dev/null +++ b/queue-4.4/mips-cm-fix-an-invalid-error-code-of-intvn_-_err.patch 
@@ -0,0 +1,53 @@ +From 72e100335d9552fb452c2f70571a8bd1c63553c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 May 2020 20:42:22 +0300 +Subject: mips: cm: Fix an invalid error code of INTVN_*_ERR + +From: Serge Semin + +[ Upstream commit 8a0efb8b101665a843205eab3d67ab09cb2d9a8d ] + +Commit 3885c2b463f6 ("MIPS: CM: Add support for reporting CM cache +errors") adds cm2_causes[] array with map of error type ID and +pointers to the short description string. There is a mistake in +the table, since according to MIPS32 manual CM2_ERROR_TYPE = {17,18} +correspond to INTVN_WR_ERR and INTVN_RD_ERR, while the table +claims they have {0x17,0x18} codes. This is obviously hex-dec +copy-paste bug. Moreover codes {0x18 - 0x1a} indicate L2 ECC errors. + +Fixes: 3885c2b463f6 ("MIPS: CM: Add support for reporting CM cache errors") +Signed-off-by: Serge Semin +Cc: Alexey Malahov +Cc: Thomas Bogendoerfer +Cc: Paul Burton +Cc: Ralf Baechle +Cc: Arnd Bergmann +Cc: Rob Herring +Cc: linux-pm@vger.kernel.org +Cc: devicetree@vger.kernel.org +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/kernel/mips-cm.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/mips/kernel/mips-cm.c b/arch/mips/kernel/mips-cm.c +index 76f18c56141c..3458d23d230c 100644 +--- a/arch/mips/kernel/mips-cm.c ++++ b/arch/mips/kernel/mips-cm.c +@@ -123,9 +123,9 @@ static char *cm2_causes[32] = { + "COH_RD_ERR", "MMIO_WR_ERR", "MMIO_RD_ERR", "0x07", + "0x08", "0x09", "0x0a", "0x0b", + "0x0c", "0x0d", "0x0e", "0x0f", +- "0x10", "0x11", "0x12", "0x13", +- "0x14", "0x15", "0x16", "INTVN_WR_ERR", +- "INTVN_RD_ERR", "0x19", "0x1a", "0x1b", ++ "0x10", "INTVN_WR_ERR", "INTVN_RD_ERR", "0x13", ++ "0x14", "0x15", "0x16", "0x17", ++ "0x18", "0x19", "0x1a", "0x1b", + "0x1c", "0x1d", "0x1e", "0x1f" + }; + +-- +2.25.1 + 
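Review bot: in the md_open() hunk of md-don-t-flush-workqueue-unconditionally-in-md_open.patch, the new `work_pending(&mddev->del_work)` test runs after `mddev_put(mddev)` has already dropped this caller's reference, and nothing in the visible lines keeps mddev alive for that read. Sample the pending state before the put (or hold the reference across the check) and flush afterwards. Also note that work_pending() is true only while the work is still queued, so a del_work whose handler has already started is no longer waited for, although the comment above the call still says "Wait until bdev->bd_disk is definitely gone".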
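Review bot: in dibusb_tuner_probe_and_attach() (media-dvb-return-eremoteio-on-i2c-transfer-failure.patch), the new `return -EREMOTEIO;` leaves the function before the `if (adap->fe_adap[0].fe->ops.i2c_gate_ctrl)` block that follows in the context lines. If that block closes an I2C gate opened ahead of the transfer, the failure path now leaves the gate open; run the gate handling first and then return the error, skipping only the read of b2 that the commit message is concerned about.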
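Review bot: in cpufreq_callback() (arch/mips/kernel/time.c, mips-add-udelay-lpj-numbers-adjustment.patch), the one-time reference capture stores `freq->old` as `pcp_lpj_ref_freq` for every online CPU, but `freq->old` describes only the policy whose transition triggered this notifier. CPUs in another policy running at a different frequency would get a wrong reference, and every later cpufreq_scale() for them would be skewed; record the reference per policy, for the CPUs in `freq->policy->cpus`, the first time each policy is seen. The `if (!glb_lpj_ref)` initialisation also has no visible serialisation against a second notifier call, and since this is queued for 4.4 it is worth confirming that `struct cpufreq_freqs` in that tree has the `policy` member the callback dereferences.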
diff --git a/queue-4.4/mips-fix-irq-tracing-when-call-handle_fpe-and-handle.patch b/queue-4.4/mips-fix-irq-tracing-when-call-handle_fpe-and-handle.patch new file mode 100644 index 00000000000..6493b45392d --- /dev/null +++ b/queue-4.4/mips-fix-irq-tracing-when-call-handle_fpe-and-handle.patch @@ -0,0 +1,54 @@ +From 7058b8e343b6c16c49ce6a3c23bac2643cca0817 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 May 2020 14:11:30 +0800 +Subject: MIPS: Fix IRQ tracing when call handle_fpe() and handle_msa_fpe() + +From: YuanJunQing + +[ Upstream commit 31e1b3efa802f97a17628dde280006c4cee4ce5e ] + +Register "a1" is unsaved in this function, + when CONFIG_TRACE_IRQFLAGS is enabled, + the TRACE_IRQS_OFF macro will call trace_hardirqs_off(), + and this may change register "a1". + The changed register "a1" as argument will be send + to do_fpe() and do_msa_fpe(). + +Signed-off-by: YuanJunQing +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/kernel/genex.S | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/mips/kernel/genex.S b/arch/mips/kernel/genex.S +index bb72f3ce7e29..7ffd158de76e 100644 +--- a/arch/mips/kernel/genex.S ++++ b/arch/mips/kernel/genex.S +@@ -430,20 +430,20 @@ NESTED(nmi_handler, PT_SIZE, sp) + .endm + + .macro __build_clear_fpe ++ CLI ++ TRACE_IRQS_OFF + .set push + /* gas fails to assemble cfc1 for some archs (octeon).*/ \ + .set mips1 + SET_HARDFLOAT + cfc1 a1, fcr31 + .set pop +- CLI +- TRACE_IRQS_OFF + .endm + + .macro __build_clear_msa_fpe +- _cfcmsa a1, MSA_CSR + CLI + TRACE_IRQS_OFF ++ _cfcmsa a1, MSA_CSR + .endm + + .macro __build_clear_ade +-- +2.25.1 + diff --git a/queue-4.4/mips-make-sparse_init-using-top-down-allocation.patch b/queue-4.4/mips-make-sparse_init-using-top-down-allocation.patch new file mode 100644 index 00000000000..5755ee36871 --- /dev/null +++ b/queue-4.4/mips-make-sparse_init-using-top-down-allocation.patch 
@@ -0,0 +1,98 @@ +From 1b09878ba96f8bd861ad6024e1e7e0c9830c5da2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Apr 2020 19:59:46 +0800 +Subject: MIPS: Make sparse_init() using top-down allocation + +From: Tiezhu Yang + +[ Upstream commit 269b3a9ac538c4ae87f84be640b9fa89914a2489 ] + +In the current code, if CONFIG_SWIOTLB is set, when failed to get IO TLB +memory from the low pages by plat_swiotlb_setup(), it may lead to the boot +process failed with kernel panic. + +(1) On the Loongson and SiByte platform +arch/mips/loongson64/dma.c +arch/mips/sibyte/common/dma.c +void __init plat_swiotlb_setup(void) +{ + swiotlb_init(1); +} + +kernel/dma/swiotlb.c +void __init +swiotlb_init(int verbose) +{ +... + vstart = memblock_alloc_low(PAGE_ALIGN(bytes), PAGE_SIZE); + if (vstart && !swiotlb_init_with_tbl(vstart, io_tlb_nslabs, verbose)) + return; +... + pr_warn("Cannot allocate buffer"); + no_iotlb_memory = true; +} + +phys_addr_t swiotlb_tbl_map_single() +{ +... + if (no_iotlb_memory) + panic("Can not allocate SWIOTLB buffer earlier ..."); +... +} + +(2) On the Cavium OCTEON platform +arch/mips/cavium-octeon/dma-octeon.c +void __init plat_swiotlb_setup(void) +{ +... + octeon_swiotlb = memblock_alloc_low(swiotlbsize, PAGE_SIZE); + if (!octeon_swiotlb) + panic("%s: Failed to allocate %zu bytes align=%lx\n", + __func__, swiotlbsize, PAGE_SIZE); +... +} + +Because IO_TLB_DEFAULT_SIZE is 64M, if the rest size of low memory is less +than 64M when call plat_swiotlb_setup(), we can easily reproduce the panic +case. + +In order to reduce the possibility of kernel panic when failed to get IO +TLB memory under CONFIG_SWIOTLB, it is better to allocate low memory as +small as possible before plat_swiotlb_setup(), so make sparse_init() using +top-down allocation. 
+ +Reported-by: Juxin Gao +Co-developed-by: Juxin Gao +Signed-off-by: Juxin Gao +Signed-off-by: Tiezhu Yang +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/kernel/setup.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/arch/mips/kernel/setup.c b/arch/mips/kernel/setup.c +index 8fa30516f39d..33f5aeaf0024 100644 +--- a/arch/mips/kernel/setup.c ++++ b/arch/mips/kernel/setup.c +@@ -769,7 +769,17 @@ static void __init arch_mem_init(char **cmdline_p) + BOOTMEM_DEFAULT); + #endif + device_tree_init(); ++ ++ /* ++ * In order to reduce the possibility of kernel panic when failed to ++ * get IO TLB memory under CONFIG_SWIOTLB, it is better to allocate ++ * low memory as small as possible before plat_swiotlb_setup(), so ++ * make sparse_init() using top-down allocation. ++ */ ++ memblock_set_bottom_up(false); + sparse_init(); ++ memblock_set_bottom_up(true); ++ + plat_swiotlb_setup(); + paging_init(); + +-- +2.25.1 + diff --git a/queue-4.4/mwifiex-fix-memory-corruption-in-dump_station.patch b/queue-4.4/mwifiex-fix-memory-corruption-in-dump_station.patch new file mode 100644 index 00000000000..379e08a2d15 --- /dev/null +++ b/queue-4.4/mwifiex-fix-memory-corruption-in-dump_station.patch 
@@ -0,0 +1,92 @@ +From d6e26212be435a3009ba139364cba572d7d9f8a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 May 2020 09:59:24 +0200 +Subject: mwifiex: Fix memory corruption in dump_station +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit 3aa42bae9c4d1641aeb36f1a8585cd1d506cf471 ] + +The mwifiex_cfg80211_dump_station() uses static variable for iterating +over a linked list of all associated stations (when the driver is in UAP +role). This has a race condition if .dump_station is called in parallel +for multiple interfaces. This corruption can be triggered by registering +multiple SSIDs and calling, in parallel for multiple interfaces + iw dev station dump + +[16750.719775] Unable to handle kernel paging request at virtual address dead000000000110 +... +[16750.899173] Call trace: +[16750.901696] mwifiex_cfg80211_dump_station+0x94/0x100 [mwifiex] +[16750.907824] nl80211_dump_station+0xbc/0x278 [cfg80211] +[16750.913160] netlink_dump+0xe8/0x320 +[16750.916827] netlink_recvmsg+0x1b4/0x338 +[16750.920861] ____sys_recvmsg+0x7c/0x2b0 +[16750.924801] ___sys_recvmsg+0x70/0x98 +[16750.928564] __sys_recvmsg+0x58/0xa0 +[16750.932238] __arm64_sys_recvmsg+0x28/0x30 +[16750.936453] el0_svc_common.constprop.3+0x90/0x158 +[16750.941378] do_el0_svc+0x74/0x90 +[16750.944784] el0_sync_handler+0x12c/0x1a8 +[16750.948903] el0_sync+0x114/0x140 +[16750.952312] Code: f9400003 f907f423 eb02007f 54fffd60 (b9401060) +[16750.958583] ---[ end trace c8ad181c2f4b8576 ]--- + +This patch drops the use of the static iterator, and instead every time +the function is called iterates to the idx-th position of the +linked-list. + +It would be better to convert the code not to use linked list for +associated stations storage (since the chip has a limited number of +associated stations anyway - it could just be an array). Such a change +may be proposed in the future. 
In the meantime this patch can backported +into stable kernels in this simple form. + +Fixes: 8baca1a34d4c ("mwifiex: dump station support in uap mode") +Signed-off-by: Pali Rohár +Acked-by: Ganapathi Bhat +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200515075924.13841-1-pali@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mwifiex/cfg80211.c | 14 ++++++-------- + 1 file changed, 6 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/wireless/mwifiex/cfg80211.c b/drivers/net/wireless/mwifiex/cfg80211.c +index c6c2d3304dba..8b649b8e4301 100644 +--- a/drivers/net/wireless/mwifiex/cfg80211.c ++++ b/drivers/net/wireless/mwifiex/cfg80211.c +@@ -1387,7 +1387,8 @@ mwifiex_cfg80211_dump_station(struct wiphy *wiphy, struct net_device *dev, + int idx, u8 *mac, struct station_info *sinfo) + { + struct mwifiex_private *priv = mwifiex_netdev_get_priv(dev); +- static struct mwifiex_sta_node *node; ++ struct mwifiex_sta_node *node; ++ int i; + + if ((GET_BSS_ROLE(priv) == MWIFIEX_BSS_ROLE_STA) && + priv->media_connected && idx == 0) { +@@ -1397,13 +1398,10 @@ mwifiex_cfg80211_dump_station(struct wiphy *wiphy, struct net_device *dev, + mwifiex_send_cmd(priv, HOST_CMD_APCMD_STA_LIST, + HostCmd_ACT_GEN_GET, 0, NULL, true); + +- if (node && (&node->list == &priv->sta_list)) { +- node = NULL; +- return -ENOENT; +- } +- +- node = list_prepare_entry(node, &priv->sta_list, list); +- list_for_each_entry_continue(node, &priv->sta_list, list) { ++ i = 0; ++ list_for_each_entry(node, &priv->sta_list, list) { ++ if (i++ != idx) ++ continue; + ether_addr_copy(mac, node->mac_addr); + return mwifiex_dump_station_info(priv, node, sinfo); + } +-- +2.25.1 + diff --git a/queue-4.4/net-allwinner-fix-use-correct-return-type-for-ndo_st.patch b/queue-4.4/net-allwinner-fix-use-correct-return-type-for-ndo_st.patch new file mode 100644 index 00000000000..1a7d69787ed --- /dev/null +++ b/queue-4.4/net-allwinner-fix-use-correct-return-type-for-ndo_st.patch 
@@ -0,0 +1,45 @@ +From c22918f42fab8d61e4a4a73da330ac9430edfc75 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 May 2020 10:49:20 +0800 +Subject: net: allwinner: Fix use correct return type for ndo_start_xmit() + +From: Yunjian Wang + +[ Upstream commit 09f6c44aaae0f1bdb8b983d7762676d5018c53bc ] + +The method ndo_start_xmit() returns a value of type netdev_tx_t. Fix +the ndo function to use the correct type. And emac_start_xmit() can +leak one skb if 'channel' == 3. + +Signed-off-by: Yunjian Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/allwinner/sun4i-emac.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/allwinner/sun4i-emac.c b/drivers/net/ethernet/allwinner/sun4i-emac.c +index 8d50314ac3eb..dde3cd2d4763 100644 +--- a/drivers/net/ethernet/allwinner/sun4i-emac.c ++++ b/drivers/net/ethernet/allwinner/sun4i-emac.c +@@ -438,7 +438,7 @@ static void emac_timeout(struct net_device *dev) + /* Hardware start transmission. + * Send a packet to media from the upper layer. + */ +-static int emac_start_xmit(struct sk_buff *skb, struct net_device *dev) ++static netdev_tx_t emac_start_xmit(struct sk_buff *skb, struct net_device *dev) + { + struct emac_board_info *db = netdev_priv(dev); + unsigned long channel; +@@ -446,7 +446,7 @@ static int emac_start_xmit(struct sk_buff *skb, struct net_device *dev) + + channel = db->tx_fifo_stat & 3; + if (channel == 3) +- return 1; ++ return NETDEV_TX_BUSY; + + channel = (channel == 1 ? 1 : 0); + +-- +2.25.1 + diff --git a/queue-4.4/net-lpc-enet-fix-error-return-code-in-lpc_mii_init.patch b/queue-4.4/net-lpc-enet-fix-error-return-code-in-lpc_mii_init.patch new file mode 100644 index 00000000000..3a68f79b685 --- /dev/null +++ b/queue-4.4/net-lpc-enet-fix-error-return-code-in-lpc_mii_init.patch 
@@ -0,0 +1,38 @@ +From aecf8dab3a5ae1c9815df2d973a28fc0b703497c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Apr 2020 12:15:07 +0000 +Subject: net: lpc-enet: fix error return code in lpc_mii_init() + +From: Wei Yongjun + +[ Upstream commit 88ec7cb22ddde725ed4ce15991f0bd9dd817fd85 ] + +Fix to return a negative error code from the error handling +case instead of 0, as done elsewhere in this function. + +Fixes: b7370112f519 ("lpc32xx: Added ethernet driver") +Signed-off-by: Wei Yongjun +Acked-by: Vladimir Zapolskiy +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/nxp/lpc_eth.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/nxp/lpc_eth.c b/drivers/net/ethernet/nxp/lpc_eth.c +index ba14bad81a21..14b5a0dbf40b 100644 +--- a/drivers/net/ethernet/nxp/lpc_eth.c ++++ b/drivers/net/ethernet/nxp/lpc_eth.c +@@ -865,7 +865,8 @@ static int lpc_mii_init(struct netdata_local *pldat) + if (mdiobus_register(pldat->mii_bus)) + goto err_out_free_mdio_irq; + +- if (lpc_mii_probe(pldat->ndev) != 0) ++ err = lpc_mii_probe(pldat->ndev); ++ if (err) + goto err_out_unregister_bus; + + return 0; +-- +2.25.1 + diff --git a/queue-4.4/net-vmxnet3-fix-possible-buffer-overflow-caused-by-b.patch b/queue-4.4/net-vmxnet3-fix-possible-buffer-overflow-caused-by-b.patch new file mode 100644 index 00000000000..eaa557e3c3e --- /dev/null +++ b/queue-4.4/net-vmxnet3-fix-possible-buffer-overflow-caused-by-b.patch 
@@ -0,0 +1,41 @@ +From 9f56dfa6dbaa59d6c6469a06672baeb6ffe4bd6e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 30 May 2020 10:41:50 +0800 +Subject: net: vmxnet3: fix possible buffer overflow caused by bad DMA value in + vmxnet3_get_rss() + +From: Jia-Ju Bai + +[ Upstream commit 3e1c6846b9e108740ef8a37be80314053f5dd52a ] + +The value adapter->rss_conf is stored in DMA memory, and it is assigned +to rssConf, so rssConf->indTableSize can be modified at anytime by +malicious hardware. Because rssConf->indTableSize is assigned to n, +buffer overflow may occur when the code "rssConf->indTable[n]" is +executed. + +To fix this possible bug, n is checked after being used. + +Signed-off-by: Jia-Ju Bai +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/vmxnet3/vmxnet3_ethtool.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/vmxnet3/vmxnet3_ethtool.c b/drivers/net/vmxnet3/vmxnet3_ethtool.c +index 9ba11d737753..f35597c44e3c 100644 +--- a/drivers/net/vmxnet3/vmxnet3_ethtool.c ++++ b/drivers/net/vmxnet3/vmxnet3_ethtool.c +@@ -664,6 +664,8 @@ vmxnet3_get_rss(struct net_device *netdev, u32 *p, u8 *key, u8 *hfunc) + *hfunc = ETH_RSS_HASH_TOP; + if (!p) + return 0; ++ if (n > UPT1_RSS_MAX_IND_TABLE_SIZE) ++ return 0; + while (n--) + p[n] = rssConf->indTable[n]; + return 0; +-- +2.25.1 + diff --git a/queue-4.4/netfilter-nft_nat-return-eopnotsupp-if-type-or-flags.patch b/queue-4.4/netfilter-nft_nat-return-eopnotsupp-if-type-or-flags.patch new file mode 100644 index 00000000000..312c95fcae5 --- /dev/null +++ b/queue-4.4/netfilter-nft_nat-return-eopnotsupp-if-type-or-flags.patch 
@@ -0,0 +1,44 @@ +From c212642333f760e5b275013f8b0524f249c66aa6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Apr 2020 21:55:34 +0200 +Subject: netfilter: nft_nat: return EOPNOTSUPP if type or flags are not + supported + +From: Pablo Neira Ayuso + +[ Upstream commit 0d7c83463fdf7841350f37960a7abadd3e650b41 ] + +Instead of EINVAL which should be used for malformed netlink messages. + +Fixes: eb31628e37a0 ("netfilter: nf_tables: Add support for IPv6 NAT") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_nat.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/nft_nat.c b/net/netfilter/nft_nat.c +index ee2d71753746..868480b83649 100644 +--- a/net/netfilter/nft_nat.c ++++ b/net/netfilter/nft_nat.c +@@ -135,7 +135,7 @@ static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr, + priv->type = NF_NAT_MANIP_DST; + break; + default: +- return -EINVAL; ++ return -EOPNOTSUPP; + } + + err = nft_nat_validate(ctx, expr, NULL); +@@ -206,7 +206,7 @@ static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr, + if (tb[NFTA_NAT_FLAGS]) { + priv->flags = ntohl(nla_get_be32(tb[NFTA_NAT_FLAGS])); + if (priv->flags & ~NF_NAT_RANGE_MASK) +- return -EINVAL; ++ return -EOPNOTSUPP; + } + + return 0; +-- +2.25.1 + diff --git a/queue-4.4/pci-don-t-disable-decoding-when-mmio_always_on-is-se.patch b/queue-4.4/pci-don-t-disable-decoding-when-mmio_always_on-is-se.patch new file mode 100644 index 00000000000..9dbb5723375 --- /dev/null +++ b/queue-4.4/pci-don-t-disable-decoding-when-mmio_always_on-is-se.patch 
@@ -0,0 +1,39 @@ +From dae73c49b87f29b27d02c6a9b828a4f9881f92b6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 May 2020 17:21:12 +0800 +Subject: PCI: Don't disable decoding when mmio_always_on is set + +From: Jiaxun Yang + +[ Upstream commit b6caa1d8c80cb71b6162cb1f1ec13aa655026c9f ] + +Don't disable MEM/IO decoding when a device have both non_compliant_bars +and mmio_always_on. + +That would allow us quirk devices with junk in BARs but can't disable +their decoding. + +Signed-off-by: Jiaxun Yang +Acked-by: Bjorn Helgaas +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + drivers/pci/probe.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c +index 5f040619393f..46656322d23e 100644 +--- a/drivers/pci/probe.c ++++ b/drivers/pci/probe.c +@@ -1226,7 +1226,7 @@ int pci_setup_device(struct pci_dev *dev) + /* device class may be changed after fixup */ + class = dev->class >> 8; + +- if (dev->non_compliant_bars) { ++ if (dev->non_compliant_bars && !dev->mmio_always_on) { + pci_read_config_word(dev, PCI_COMMAND, &cmd); + if (cmd & (PCI_COMMAND_IO | PCI_COMMAND_MEMORY)) { + dev_info(&dev->dev, "device has non-compliant BARs; disabling IO/MEM decoding\n"); +-- +2.25.1 + diff --git a/queue-4.4/powerpc-spufs-fix-copy_to_user-while-atomic.patch b/queue-4.4/powerpc-spufs-fix-copy_to_user-while-atomic.patch new file mode 100644 index 00000000000..ae3519d603c --- /dev/null +++ b/queue-4.4/powerpc-spufs-fix-copy_to_user-while-atomic.patch 
@@ -0,0 +1,284 @@ +From ec239934107b99c694376d9595f556cc299d8a02 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 May 2020 12:12:50 +0200 +Subject: powerpc/spufs: fix copy_to_user while atomic + +From: Jeremy Kerr + +[ Upstream commit 88413a6bfbbe2f648df399b62f85c934460b7a4d ] + +Currently, we may perform a copy_to_user (through +simple_read_from_buffer()) while holding a context's register_lock, +while accessing the context save area. + +This change uses a temporary buffer for the context save area data, +which we then pass to simple_read_from_buffer. + +Includes changes from Christoph Hellwig . + +Fixes: bf1ab978be23 ("[POWERPC] coredump: Add SPU elf notes to coredump.") +Signed-off-by: Jeremy Kerr +Reviewed-by: Arnd Bergmann +[hch: renamed to function to avoid ___-prefixes] +Signed-off-by: Christoph Hellwig +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/cell/spufs/file.c | 113 +++++++++++++++-------- + 1 file changed, 75 insertions(+), 38 deletions(-) + +diff --git a/arch/powerpc/platforms/cell/spufs/file.c b/arch/powerpc/platforms/cell/spufs/file.c +index 5038fd578e65..e708c163fd6d 100644 +--- a/arch/powerpc/platforms/cell/spufs/file.c ++++ b/arch/powerpc/platforms/cell/spufs/file.c +@@ -2044,8 +2044,9 @@ static ssize_t __spufs_mbox_info_read(struct spu_context *ctx, + static ssize_t spufs_mbox_info_read(struct file *file, char __user *buf, + size_t len, loff_t *pos) + { +- int ret; + struct spu_context *ctx = file->private_data; ++ u32 stat, data; ++ int ret; + + if (!access_ok(VERIFY_WRITE, buf, len)) + return -EFAULT; +@@ -2054,11 +2055,16 @@ static ssize_t spufs_mbox_info_read(struct file *file, char __user *buf, + if (ret) + return ret; + spin_lock(&ctx->csa.register_lock); +- ret = __spufs_mbox_info_read(ctx, buf, len, pos); ++ stat = ctx->csa.prob.mb_stat_R; ++ data = ctx->csa.prob.pu_mb_R; + spin_unlock(&ctx->csa.register_lock); + spu_release_saved(ctx); + +- return ret; ++ /* EOF if there's no entry in the 
mbox */ ++ if (!(stat & 0x0000ff)) ++ return 0; ++ ++ return simple_read_from_buffer(buf, len, pos, &data, sizeof(data)); + } + + static const struct file_operations spufs_mbox_info_fops = { +@@ -2085,6 +2091,7 @@ static ssize_t spufs_ibox_info_read(struct file *file, char __user *buf, + size_t len, loff_t *pos) + { + struct spu_context *ctx = file->private_data; ++ u32 stat, data; + int ret; + + if (!access_ok(VERIFY_WRITE, buf, len)) +@@ -2094,11 +2101,16 @@ static ssize_t spufs_ibox_info_read(struct file *file, char __user *buf, + if (ret) + return ret; + spin_lock(&ctx->csa.register_lock); +- ret = __spufs_ibox_info_read(ctx, buf, len, pos); ++ stat = ctx->csa.prob.mb_stat_R; ++ data = ctx->csa.priv2.puint_mb_R; + spin_unlock(&ctx->csa.register_lock); + spu_release_saved(ctx); + +- return ret; ++ /* EOF if there's no entry in the ibox */ ++ if (!(stat & 0xff0000)) ++ return 0; ++ ++ return simple_read_from_buffer(buf, len, pos, &data, sizeof(data)); + } + + static const struct file_operations spufs_ibox_info_fops = { +@@ -2107,6 +2119,11 @@ static const struct file_operations spufs_ibox_info_fops = { + .llseek = generic_file_llseek, + }; + ++static size_t spufs_wbox_info_cnt(struct spu_context *ctx) ++{ ++ return (4 - ((ctx->csa.prob.mb_stat_R & 0x00ff00) >> 8)) * sizeof(u32); ++} ++ + static ssize_t __spufs_wbox_info_read(struct spu_context *ctx, + char __user *buf, size_t len, loff_t *pos) + { +@@ -2115,7 +2132,7 @@ static ssize_t __spufs_wbox_info_read(struct spu_context *ctx, + u32 wbox_stat; + + wbox_stat = ctx->csa.prob.mb_stat_R; +- cnt = 4 - ((wbox_stat & 0x00ff00) >> 8); ++ cnt = spufs_wbox_info_cnt(ctx); + for (i = 0; i < cnt; i++) { + data[i] = ctx->csa.spu_mailbox_data[i]; + } +@@ -2128,7 +2145,8 @@ static ssize_t spufs_wbox_info_read(struct file *file, char __user *buf, + size_t len, loff_t *pos) + { + struct spu_context *ctx = file->private_data; +- int ret; ++ u32 data[ARRAY_SIZE(ctx->csa.spu_mailbox_data)]; ++ int ret, count; + + if 
(!access_ok(VERIFY_WRITE, buf, len)) + return -EFAULT; +@@ -2137,11 +2155,13 @@ static ssize_t spufs_wbox_info_read(struct file *file, char __user *buf, + if (ret) + return ret; + spin_lock(&ctx->csa.register_lock); +- ret = __spufs_wbox_info_read(ctx, buf, len, pos); ++ count = spufs_wbox_info_cnt(ctx); ++ memcpy(&data, &ctx->csa.spu_mailbox_data, sizeof(data)); + spin_unlock(&ctx->csa.register_lock); + spu_release_saved(ctx); + +- return ret; ++ return simple_read_from_buffer(buf, len, pos, &data, ++ count * sizeof(u32)); + } + + static const struct file_operations spufs_wbox_info_fops = { +@@ -2150,27 +2170,33 @@ static const struct file_operations spufs_wbox_info_fops = { + .llseek = generic_file_llseek, + }; + +-static ssize_t __spufs_dma_info_read(struct spu_context *ctx, +- char __user *buf, size_t len, loff_t *pos) ++static void spufs_get_dma_info(struct spu_context *ctx, ++ struct spu_dma_info *info) + { +- struct spu_dma_info info; +- struct mfc_cq_sr *qp, *spuqp; + int i; + +- info.dma_info_type = ctx->csa.priv2.spu_tag_status_query_RW; +- info.dma_info_mask = ctx->csa.lscsa->tag_mask.slot[0]; +- info.dma_info_status = ctx->csa.spu_chnldata_RW[24]; +- info.dma_info_stall_and_notify = ctx->csa.spu_chnldata_RW[25]; +- info.dma_info_atomic_command_status = ctx->csa.spu_chnldata_RW[27]; ++ info->dma_info_type = ctx->csa.priv2.spu_tag_status_query_RW; ++ info->dma_info_mask = ctx->csa.lscsa->tag_mask.slot[0]; ++ info->dma_info_status = ctx->csa.spu_chnldata_RW[24]; ++ info->dma_info_stall_and_notify = ctx->csa.spu_chnldata_RW[25]; ++ info->dma_info_atomic_command_status = ctx->csa.spu_chnldata_RW[27]; + for (i = 0; i < 16; i++) { +- qp = &info.dma_info_command_data[i]; +- spuqp = &ctx->csa.priv2.spuq[i]; ++ struct mfc_cq_sr *qp = &info->dma_info_command_data[i]; ++ struct mfc_cq_sr *spuqp = &ctx->csa.priv2.spuq[i]; + + qp->mfc_cq_data0_RW = spuqp->mfc_cq_data0_RW; + qp->mfc_cq_data1_RW = spuqp->mfc_cq_data1_RW; + qp->mfc_cq_data2_RW = spuqp->mfc_cq_data2_RW; 
+ qp->mfc_cq_data3_RW = spuqp->mfc_cq_data3_RW; + } ++} ++ ++static ssize_t __spufs_dma_info_read(struct spu_context *ctx, ++ char __user *buf, size_t len, loff_t *pos) ++{ ++ struct spu_dma_info info; ++ ++ spufs_get_dma_info(ctx, &info); + + return simple_read_from_buffer(buf, len, pos, &info, + sizeof info); +@@ -2180,6 +2206,7 @@ static ssize_t spufs_dma_info_read(struct file *file, char __user *buf, + size_t len, loff_t *pos) + { + struct spu_context *ctx = file->private_data; ++ struct spu_dma_info info; + int ret; + + if (!access_ok(VERIFY_WRITE, buf, len)) +@@ -2189,11 +2216,12 @@ static ssize_t spufs_dma_info_read(struct file *file, char __user *buf, + if (ret) + return ret; + spin_lock(&ctx->csa.register_lock); +- ret = __spufs_dma_info_read(ctx, buf, len, pos); ++ spufs_get_dma_info(ctx, &info); + spin_unlock(&ctx->csa.register_lock); + spu_release_saved(ctx); + +- return ret; ++ return simple_read_from_buffer(buf, len, pos, &info, ++ sizeof(info)); + } + + static const struct file_operations spufs_dma_info_fops = { +@@ -2202,13 +2230,31 @@ static const struct file_operations spufs_dma_info_fops = { + .llseek = no_llseek, + }; + ++static void spufs_get_proxydma_info(struct spu_context *ctx, ++ struct spu_proxydma_info *info) ++{ ++ int i; ++ ++ info->proxydma_info_type = ctx->csa.prob.dma_querytype_RW; ++ info->proxydma_info_mask = ctx->csa.prob.dma_querymask_RW; ++ info->proxydma_info_status = ctx->csa.prob.dma_tagstatus_R; ++ ++ for (i = 0; i < 8; i++) { ++ struct mfc_cq_sr *qp = &info->proxydma_info_command_data[i]; ++ struct mfc_cq_sr *puqp = &ctx->csa.priv2.puq[i]; ++ ++ qp->mfc_cq_data0_RW = puqp->mfc_cq_data0_RW; ++ qp->mfc_cq_data1_RW = puqp->mfc_cq_data1_RW; ++ qp->mfc_cq_data2_RW = puqp->mfc_cq_data2_RW; ++ qp->mfc_cq_data3_RW = puqp->mfc_cq_data3_RW; ++ } ++} ++ + static ssize_t __spufs_proxydma_info_read(struct spu_context *ctx, + char __user *buf, size_t len, loff_t *pos) + { + struct spu_proxydma_info info; +- struct mfc_cq_sr *qp, *puqp; + 
int ret = sizeof info; +- int i; + + if (len < ret) + return -EINVAL; +@@ -2216,18 +2262,7 @@ static ssize_t __spufs_proxydma_info_read(struct spu_context *ctx, + if (!access_ok(VERIFY_WRITE, buf, len)) + return -EFAULT; + +- info.proxydma_info_type = ctx->csa.prob.dma_querytype_RW; +- info.proxydma_info_mask = ctx->csa.prob.dma_querymask_RW; +- info.proxydma_info_status = ctx->csa.prob.dma_tagstatus_R; +- for (i = 0; i < 8; i++) { +- qp = &info.proxydma_info_command_data[i]; +- puqp = &ctx->csa.priv2.puq[i]; +- +- qp->mfc_cq_data0_RW = puqp->mfc_cq_data0_RW; +- qp->mfc_cq_data1_RW = puqp->mfc_cq_data1_RW; +- qp->mfc_cq_data2_RW = puqp->mfc_cq_data2_RW; +- qp->mfc_cq_data3_RW = puqp->mfc_cq_data3_RW; +- } ++ spufs_get_proxydma_info(ctx, &info); + + return simple_read_from_buffer(buf, len, pos, &info, + sizeof info); +@@ -2237,17 +2272,19 @@ static ssize_t spufs_proxydma_info_read(struct file *file, char __user *buf, + size_t len, loff_t *pos) + { + struct spu_context *ctx = file->private_data; ++ struct spu_proxydma_info info; + int ret; + + ret = spu_acquire_saved(ctx); + if (ret) + return ret; + spin_lock(&ctx->csa.register_lock); +- ret = __spufs_proxydma_info_read(ctx, buf, len, pos); ++ spufs_get_proxydma_info(ctx, &info); + spin_unlock(&ctx->csa.register_lock); + spu_release_saved(ctx); + +- return ret; ++ return simple_read_from_buffer(buf, len, pos, &info, ++ sizeof(info)); + } + + static const struct file_operations spufs_proxydma_info_fops = { +-- +2.25.1 + diff --git a/queue-4.4/series b/queue-4.4/series index ccd1c66f112..3219c7859a4 100644 --- a/queue-4.4/series +++ b/queue-4.4/series 
@@ -43,3 +43,33 @@ smack-slab-out-of-bounds-in-vsscanf.patch mm-slub-fix-a-memory-leak-in-sysfs_slab_add.patch fat-don-t-allow-to-mount-if-the-fat-length-0.patch can-kvaser_usb-kvaser_usb_leaf-fix-some-info-leaks-to-usb-devices.patch +spi-dw-zero-dma-tx-and-rx-configurations-on-stack.patch +bluetooth-add-sco-fallback-for-invalid-lmp-parameter.patch +kgdb-prevent-infinite-recursive-entries-to-the-debug.patch +spi-dw-enable-interrupts-in-accordance-with-dma-xfer.patch +clocksource-dw_apb_timer_of-fix-missing-clockevent-t.patch +btrfs-do-not-ignore-error-from-btrfs_next_leaf-when-.patch +arm-8978-1-mm-make-act_mm-respect-thread_size.patch +net-vmxnet3-fix-possible-buffer-overflow-caused-by-b.patch +staging-android-ion-use-vmap-instead-of-vm_map_ram.patch +e1000-distribute-switch-variables-for-initialization.patch +media-dvb-return-eremoteio-on-i2c-transfer-failure.patch +mips-make-sparse_init-using-top-down-allocation.patch +netfilter-nft_nat-return-eopnotsupp-if-type-or-flags.patch +lib-mpi-fix-64-bit-mips-build-with-clang.patch +net-lpc-enet-fix-error-return-code-in-lpc_mii_init.patch +net-allwinner-fix-use-correct-return-type-for-ndo_st.patch +powerpc-spufs-fix-copy_to_user-while-atomic.patch +mips-cm-fix-an-invalid-error-code-of-intvn_-_err.patch +kgdb-fix-spurious-true-from-in_dbg_master.patch +md-don-t-flush-workqueue-unconditionally-in-md_open.patch +mwifiex-fix-memory-corruption-in-dump_station.patch +mips-add-udelay-lpj-numbers-adjustment.patch +x86-mm-stop-printing-brk-addresses.patch +m68k-mac-don-t-call-via_flush_cache-on-mac-iifx.patch +macvlan-skip-loopback-packets-in-rx-handler.patch +pci-don-t-disable-decoding-when-mmio_always_on-is-se.patch +mips-fix-irq-tracing-when-call-handle_fpe-and-handle.patch +ixgbe-fix-signed-integer-overflow-warning.patch +spi-dw-return-any-value-retrieved-from-the-dma_trans.patch +cpuidle-fix-three-reference-count-leaks.patch 
diff --git a/queue-4.4/spi-dw-enable-interrupts-in-accordance-with-dma-xfer.patch b/queue-4.4/spi-dw-enable-interrupts-in-accordance-with-dma-xfer.patch new file mode 100644 index 00000000000..d746ab118a9 --- /dev/null +++ b/queue-4.4/spi-dw-enable-interrupts-in-accordance-with-dma-xfer.patch 
@@ -0,0 +1,70 @@ +From b28364c49c290c90a3f277855d098b6b0118304d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 May 2020 03:07:51 +0300 +Subject: spi: dw: Enable interrupts in accordance with DMA xfer mode + +From: Serge Semin + +[ Upstream commit 43dba9f3f98c2b184a19f856f06fe22817bfd9e0 ] + +It's pointless to track the Tx overrun interrupts if Rx-only SPI +transfer is issued. Similarly there is no need in handling the Rx +overrun/underrun interrupts if Tx-only SPI transfer is executed. +So lets unmask the interrupts only if corresponding SPI +transactions are implied. + +Co-developed-by: Georgy Vlasov +Signed-off-by: Georgy Vlasov +Signed-off-by: Serge Semin +Cc: Ramil Zaripov +Cc: Alexey Malahov +Cc: Thomas Bogendoerfer +Cc: Paul Burton +Cc: Ralf Baechle +Cc: Arnd Bergmann +Cc: Andy Shevchenko +Cc: Rob Herring +Cc: linux-mips@vger.kernel.org +Cc: devicetree@vger.kernel.org +Link: https://lore.kernel.org/r/20200522000806.7381-3-Sergey.Semin@baikalelectronics.ru +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-dw-mid.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/drivers/spi/spi-dw-mid.c b/drivers/spi/spi-dw-mid.c +index 4d6434b244e2..bd116f117b02 100644 +--- a/drivers/spi/spi-dw-mid.c ++++ b/drivers/spi/spi-dw-mid.c +@@ -228,19 +228,23 @@ static struct dma_async_tx_descriptor *dw_spi_dma_prepare_rx(struct dw_spi *dws, + + static int mid_spi_dma_setup(struct dw_spi *dws, struct spi_transfer *xfer) + { +- u16 dma_ctrl = 0; ++ u16 imr = 0, dma_ctrl = 0; + + dw_writel(dws, DW_SPI_DMARDLR, 0xf); + dw_writel(dws, DW_SPI_DMATDLR, 0x10); + +- if (xfer->tx_buf) ++ if (xfer->tx_buf) { + dma_ctrl |= SPI_DMA_TDMAE; +- if (xfer->rx_buf) ++ imr |= SPI_INT_TXOI; ++ } ++ if (xfer->rx_buf) { + dma_ctrl |= SPI_DMA_RDMAE; ++ imr |= SPI_INT_RXUI | SPI_INT_RXOI; ++ } + dw_writel(dws, DW_SPI_DMACR, dma_ctrl); + + /* Set the interrupt mask */ +- spi_umask_intr(dws, SPI_INT_TXOI | SPI_INT_RXUI | SPI_INT_RXOI); 
++ spi_umask_intr(dws, imr); + + dws->transfer_handler = dma_transfer; + +-- +2.25.1 + diff --git a/queue-4.4/spi-dw-return-any-value-retrieved-from-the-dma_trans.patch b/queue-4.4/spi-dw-return-any-value-retrieved-from-the-dma_trans.patch new file mode 100644 index 00000000000..79f5a2f7489 --- /dev/null +++ b/queue-4.4/spi-dw-return-any-value-retrieved-from-the-dma_trans.patch 
@@ -0,0 +1,71 @@ +From 30ca878b08ccaa7bbeb9a01a47bf5ccb229d3b0d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 May 2020 16:11:51 +0300 +Subject: spi: dw: Return any value retrieved from the dma_transfer callback + +From: Serge Semin + +[ Upstream commit f0410bbf7d0fb80149e3b17d11d31f5b5197873e ] + +DW APB SSI DMA-part of the driver may need to perform the requested +SPI-transfer synchronously. In that case the dma_transfer() callback +will return 0 as a marker of the SPI transfer being finished so the +SPI core doesn't need to wait and may proceed with the SPI message +trasnfers pumping procedure. This will be needed to fix the problem +when DMA transactions are finished, but there is still data left in +the SPI Tx/Rx FIFOs being sent/received. But for now make dma_transfer +to return 1 as the normal dw_spi_transfer_one() method. + +Signed-off-by: Serge Semin +Cc: Georgy Vlasov +Cc: Ramil Zaripov +Cc: Alexey Malahov +Cc: Thomas Bogendoerfer +Cc: Arnd Bergmann +Cc: Andy Shevchenko +Cc: Feng Tang +Cc: Rob Herring +Cc: linux-mips@vger.kernel.org +Cc: devicetree@vger.kernel.org +Link: https://lore.kernel.org/r/20200529131205.31838-3-Sergey.Semin@baikalelectronics.ru +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-dw-mid.c | 2 +- + drivers/spi/spi-dw.c | 7 ++----- + 2 files changed, 3 insertions(+), 6 deletions(-) + +diff --git a/drivers/spi/spi-dw-mid.c b/drivers/spi/spi-dw-mid.c +index bd116f117b02..14902efae621 100644 +--- a/drivers/spi/spi-dw-mid.c ++++ b/drivers/spi/spi-dw-mid.c +@@ -274,7 +274,7 @@ static int mid_spi_dma_transfer(struct dw_spi *dws, struct spi_transfer *xfer) + dma_async_issue_pending(dws->txchan); + } + +- return 0; ++ return 1; + } + + static void mid_spi_dma_stop(struct dw_spi *dws) +diff --git a/drivers/spi/spi-dw.c b/drivers/spi/spi-dw.c +index 295249843e7c..8076fa708b24 100644 +--- a/drivers/spi/spi-dw.c ++++ b/drivers/spi/spi-dw.c +@@ -385,11 +385,8 @@ static int dw_spi_transfer_one(struct 
spi_master *master, + + spi_enable_chip(dws, 1); + +- if (dws->dma_mapped) { +- ret = dws->dma_ops->dma_transfer(dws, transfer); +- if (ret < 0) +- return ret; +- } ++ if (dws->dma_mapped) ++ return dws->dma_ops->dma_transfer(dws, transfer); + + if (chip->poll_mode) + return poll_transfer(dws); +-- +2.25.1 + diff --git a/queue-4.4/spi-dw-zero-dma-tx-and-rx-configurations-on-stack.patch b/queue-4.4/spi-dw-zero-dma-tx-and-rx-configurations-on-stack.patch new file mode 100644 index 00000000000..7daab498c91 --- /dev/null +++ b/queue-4.4/spi-dw-zero-dma-tx-and-rx-configurations-on-stack.patch 
@@ -0,0 +1,48 @@ +From 9bd8d25208f87ecb4c5d414161fdf1a02d1f6849 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 May 2020 18:30:18 +0300 +Subject: spi: dw: Zero DMA Tx and Rx configurations on stack + +From: Andy Shevchenko + +[ Upstream commit 3cb97e223d277f84171cc4ccecab31e08b2ee7b5 ] + +Some DMA controller drivers do not tolerate non-zero values in +the DMA configuration structures. Zero them to avoid issues with +such DMA controller drivers. Even despite above this is a good +practice per se. + +Fixes: 7063c0d942a1 ("spi/dw_spi: add DMA support") +Signed-off-by: Andy Shevchenko +Acked-by: Feng Tang +Cc: Feng Tang +Link: https://lore.kernel.org/r/20200506153025.21441-1-andriy.shevchenko@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-dw-mid.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/spi/spi-dw-mid.c b/drivers/spi/spi-dw-mid.c +index bb1052e748f2..4d6434b244e2 100644 +--- a/drivers/spi/spi-dw-mid.c ++++ b/drivers/spi/spi-dw-mid.c +@@ -155,6 +155,7 @@ static struct dma_async_tx_descriptor *dw_spi_dma_prepare_tx(struct dw_spi *dws, + if (!xfer->tx_buf) + return NULL; + ++ memset(&txconf, 0, sizeof(txconf)); + txconf.direction = DMA_MEM_TO_DEV; + txconf.dst_addr = dws->dma_addr; + txconf.dst_maxburst = 16; +@@ -201,6 +202,7 @@ static struct dma_async_tx_descriptor *dw_spi_dma_prepare_rx(struct dw_spi *dws, + if (!xfer->rx_buf) + return NULL; + ++ memset(&rxconf, 0, sizeof(rxconf)); + rxconf.direction = DMA_DEV_TO_MEM; + rxconf.src_addr = dws->dma_addr; + rxconf.src_maxburst = 16; +-- +2.25.1 + diff --git a/queue-4.4/staging-android-ion-use-vmap-instead-of-vm_map_ram.patch b/queue-4.4/staging-android-ion-use-vmap-instead-of-vm_map_ram.patch new file mode 100644 index 00000000000..15ed589a01d --- /dev/null +++ b/queue-4.4/staging-android-ion-use-vmap-instead-of-vm_map_ram.patch 
@@ -0,0 +1,69 @@ +From 210237cafb62abf8e9490a543a831555b68620c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Jun 2020 21:50:23 -0700 +Subject: staging: android: ion: use vmap instead of vm_map_ram + +From: Christoph Hellwig + +[ Upstream commit 5bf9917452112694b2c774465ee4dbe441c84b77 ] + +vm_map_ram can keep mappings around after the vm_unmap_ram. Using that +with non-PAGE_KERNEL mappings can lead to all kinds of aliasing issues. + +Signed-off-by: Christoph Hellwig +Signed-off-by: Andrew Morton +Acked-by: Greg Kroah-Hartman +Acked-by: Peter Zijlstra (Intel) +Cc: Christian Borntraeger +Cc: Christophe Leroy +Cc: Daniel Vetter +Cc: David Airlie +Cc: Gao Xiang +Cc: Haiyang Zhang +Cc: Johannes Weiner +Cc: "K. Y. Srinivasan" +Cc: Laura Abbott +Cc: Mark Rutland +Cc: Michael Kelley +Cc: Minchan Kim +Cc: Nitin Gupta +Cc: Robin Murphy +Cc: Sakari Ailus +Cc: Stephen Hemminger +Cc: Sumit Semwal +Cc: Wei Liu +Cc: Benjamin Herrenschmidt +Cc: Catalin Marinas +Cc: Heiko Carstens +Cc: Paul Mackerras +Cc: Vasily Gorbik +Cc: Will Deacon +Link: http://lkml.kernel.org/r/20200414131348.444715-4-hch@lst.de +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + drivers/staging/android/ion/ion_heap.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/staging/android/ion/ion_heap.c b/drivers/staging/android/ion/ion_heap.c +index 13a9b4c42b26..ae08b3253c21 100644 +--- a/drivers/staging/android/ion/ion_heap.c ++++ b/drivers/staging/android/ion/ion_heap.c +@@ -105,12 +105,12 @@ int ion_heap_map_user(struct ion_heap *heap, struct ion_buffer *buffer, + + static int ion_heap_clear_pages(struct page **pages, int num, pgprot_t pgprot) + { +- void *addr = vm_map_ram(pages, num, -1, pgprot); ++ void *addr = vmap(pages, num, VM_MAP, pgprot); + + if (!addr) + return -ENOMEM; + memset(addr, 0, PAGE_SIZE * num); +- vm_unmap_ram(addr, num); ++ vunmap(addr); + + return 0; + } +-- +2.25.1 + 
diff --git a/queue-4.4/x86-mm-stop-printing-brk-addresses.patch b/queue-4.4/x86-mm-stop-printing-brk-addresses.patch new file mode 100644 index 00000000000..7ff4072c2de --- /dev/null +++ b/queue-4.4/x86-mm-stop-printing-brk-addresses.patch @@ -0,0 +1,37 @@ +From ee7846b12c70e669b1d6ab7bd0bcd4b69965ffd2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 29 Feb 2020 18:11:20 -0500 +Subject: x86/mm: Stop printing BRK addresses + +From: Arvind Sankar + +[ Upstream commit 67d631b7c05eff955ccff4139327f0f92a5117e5 ] + +This currently leaks kernel physical addresses into userspace. + +Signed-off-by: Arvind Sankar +Signed-off-by: Borislav Petkov +Acked-by: Kees Cook +Acked-by: Dave Hansen +Link: https://lkml.kernel.org/r/20200229231120.1147527-1-nivedita@alum.mit.edu +Signed-off-by: Sasha Levin +--- + arch/x86/mm/init.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/arch/x86/mm/init.c b/arch/x86/mm/init.c +index f00eb52c16a6..17eb564901ca 100644 +--- a/arch/x86/mm/init.c ++++ b/arch/x86/mm/init.c +@@ -109,8 +109,6 @@ __ref void *alloc_low_pages(unsigned int num) + } else { + pfn = pgt_buf_end; + pgt_buf_end += num; +- printk(KERN_DEBUG "BRK [%#010lx, %#010lx] PGTABLE\n", +- pfn << PAGE_SHIFT, (pgt_buf_end << PAGE_SHIFT) - 1); + } + + for (i = 0; i < num; i++) { +-- +2.25.1 +
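Review bot: in the vmxnet3_get_rss() hunk of drivers/net/vmxnet3/vmxnet3_ethtool.c, the new check `if (n > UPT1_RSS_MAX_IND_TABLE_SIZE) return 0;` reports success while leaving p[] unwritten, so the caller cannot tell an out-of-range indTableSize from a normal read. Returning a negative errno there, or clamping n to the maximum before the `while (n--)` loop, would surface the bad value from DMA memory instead of hiding it. The commit message also says n is checked "after being used", whereas the check sits before the loop that indexes rssConf->indTable[n]; the wording should match the code.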
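Review bot: in the pci_setup_device() hunk of drivers/pci/probe.c, a device with both non_compliant_bars and mmio_always_on now skips the whole branch, including the dev_info() line, so nothing records that decoding was left enabled on a device whose BARs are known to hold junk. A short comment above the condition explaining why mmio_always_on takes precedence, and ideally a log line for that case, would make the quirk visible to whoever reads the boot log later.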
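Review bot: in the __spufs_wbox_info_read() hunk of arch/powerpc/platforms/cell/spufs/file.c, cnt is now taken from spufs_wbox_info_cnt(), which returns a byte count (its result is already multiplied by sizeof(u32)), but the unchanged loop `for (i = 0; i < cnt; i++)` still uses cnt as an element index into data[] and ctx->csa.spu_mailbox_data[]. The removed line computed a number of entries (`4 - ((wbox_stat & 0x00ff00) >> 8)`), so the loop bound is now sizeof(u32) times larger than before. Either have the helper return entries and scale at the call sites, or divide by sizeof(u32) here; wbox_stat also looks unused after this change.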
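Review bot: in the spufs_wbox_info_read() hunk of arch/powerpc/platforms/cell/spufs/file.c, the length passed to simple_read_from_buffer() is `count * sizeof(u32)`, but count comes from spufs_wbox_info_cnt(), which already returns bytes. The scaled value can exceed sizeof(data), in which case simple_read_from_buffer() would copy kernel stack contents past the end of data[] to user space. Pass count directly as the available length, and declare it size_t to match the helper's return type rather than int.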
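Review bot: in the spufs_proxydma_info_read() hunk of arch/powerpc/platforms/cell/spufs/file.c, the read path no longer goes through __spufs_proxydma_info_read(), so the `if (len < ret) return -EINVAL;` check that helper performs (with ret = sizeof info) is silently dropped for this file operation. A read with a short buffer now receives a partial struct spu_proxydma_info instead of -EINVAL. If that change in user-visible behaviour is intended, the commit message should say so; otherwise add a `len < sizeof(info)` check at the top of spufs_proxydma_info_read(), before spu_acquire_saved().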
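Review bot: in the dw_spi_transfer_one() hunk of drivers/spi/spi-dw.c, returning the dma_transfer() result directly means a DMA-mapped transfer no longer reaches the `if (chip->poll_mode)` check below it, whereas the removed code only returned early on `ret < 0` and otherwise fell through. The commit message does not mention this change for the dma_mapped plus poll_mode combination, so it should either be stated as intended or avoided. The return convention described in the message (0 for a transfer already finished, 1 for one still in flight, negative for an error) also deserves a comment at the dma_transfer callback, since mid_spi_dma_transfer() now returns a bare `1` with no explanation.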