From: Sasha Levin Date: Wed, 22 Apr 2020 03:25:54 +0000 (-0400) Subject: Fixes for 5.4 X-Git-Tag: v4.19.118~14 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=84b4b82e1d2fe0a58167dd62c2dc8d33ca2f2667;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/acpica-fixes-for-acpiexec-namespace-init-file.patch b/queue-5.4/acpica-fixes-for-acpiexec-namespace-init-file.patch new file mode 100644 index 00000000000..bb7394390f4 --- /dev/null +++ b/queue-5.4/acpica-fixes-for-acpiexec-namespace-init-file.patch 
@@ -0,0 +1,299 @@ +From 37e799e9c9eddc394952cbf6112d1f34fc2695cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Mar 2020 15:21:09 -0700 +Subject: ACPICA: Fixes for acpiExec namespace init file + +From: Bob Moore + +[ Upstream commit 9a1ae80412dcaa67a29eecf19de44f32b5f1c357 ] + +This is the result of squashing the following ACPICA commit ID's: +6803997e5b4f3635cea6610b51ff69e29d251de3 +f31cdf8bfda22fe265c1a176d0e33d311c82a7f7 + +This change fixes several problems with the support for the +acpi_exec namespace init file (-fi option). Specifically, it +fixes AE_ALREADY_EXISTS errors, as well as various seg faults. + +Link: https://github.com/acpica/acpica/commit/f31cdf8b +Link: https://github.com/acpica/acpica/commit/6803997e +Signed-off-by: Bob Moore +Signed-off-by: Erik Kaneda +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/acnamesp.h | 2 ++ + drivers/acpi/acpica/dbinput.c | 16 +++++++--------- + drivers/acpi/acpica/dswexec.c | 33 ++++++++++++++++++++++++++++++++ + drivers/acpi/acpica/dswload.c | 2 -- + drivers/acpi/acpica/dswload2.c | 35 ++++++++++++++++++++++++++++++++++ + drivers/acpi/acpica/nsnames.c | 6 +----- + drivers/acpi/acpica/utdelete.c | 9 +++++---- + 7 files changed, 83 insertions(+), 20 deletions(-) + +diff --git a/drivers/acpi/acpica/acnamesp.h b/drivers/acpi/acpica/acnamesp.h +index 7da1864798a0e..ecaa28733dc61 100644 +--- a/drivers/acpi/acpica/acnamesp.h ++++ b/drivers/acpi/acpica/acnamesp.h +@@ -256,6 +256,8 @@ u32 + acpi_ns_build_normalized_path(struct acpi_namespace_node *node, + char *full_path, u32 path_size, u8 no_trailing); + ++void acpi_ns_normalize_pathname(char *original_path); ++ + char *acpi_ns_get_normalized_pathname(struct acpi_namespace_node *node, + u8 no_trailing); + +diff --git a/drivers/acpi/acpica/dbinput.c b/drivers/acpi/acpica/dbinput.c +index 55a7e10998d87..1ef053585bbb8 100644 +--- a/drivers/acpi/acpica/dbinput.c ++++ b/drivers/acpi/acpica/dbinput.c +@@ -464,16 +464,14 @@ 
char *acpi_db_get_next_token(char *string, + return (NULL); + } + +- /* Remove any spaces at the beginning */ ++ /* Remove any spaces at the beginning, ignore blank lines */ + +- if (*string == ' ') { +- while (*string && (*string == ' ')) { +- string++; +- } ++ while (*string && isspace(*string)) { ++ string++; ++ } + +- if (!(*string)) { +- return (NULL); +- } ++ if (!(*string)) { ++ return (NULL); + } + + switch (*string) { +@@ -551,7 +549,7 @@ char *acpi_db_get_next_token(char *string, + + /* Find end of token */ + +- while (*string && (*string != ' ')) { ++ while (*string && !isspace(*string)) { + string++; + } + break; +diff --git a/drivers/acpi/acpica/dswexec.c b/drivers/acpi/acpica/dswexec.c +index d75aae3045958..a68237b97c4c8 100644 +--- a/drivers/acpi/acpica/dswexec.c ++++ b/drivers/acpi/acpica/dswexec.c +@@ -16,6 +16,9 @@ + #include "acinterp.h" + #include "acnamesp.h" + #include "acdebug.h" ++#ifdef ACPI_EXEC_APP ++#include "aecommon.h" ++#endif + + #define _COMPONENT ACPI_DISPATCHER + ACPI_MODULE_NAME("dswexec") +@@ -329,6 +332,10 @@ acpi_status acpi_ds_exec_end_op(struct acpi_walk_state *walk_state) + u32 op_class; + union acpi_parse_object *next_op; + union acpi_parse_object *first_arg; ++#ifdef ACPI_EXEC_APP ++ char *namepath; ++ union acpi_operand_object *obj_desc; ++#endif + + ACPI_FUNCTION_TRACE_PTR(ds_exec_end_op, walk_state); + +@@ -537,6 +544,32 @@ acpi_status acpi_ds_exec_end_op(struct acpi_walk_state *walk_state) + + status = + acpi_ds_eval_buffer_field_operands(walk_state, op); ++ if (ACPI_FAILURE(status)) { ++ break; ++ } ++#ifdef ACPI_EXEC_APP ++ /* ++ * acpi_exec support for namespace initialization file (initialize ++ * buffer_fields in this code.) ++ */ ++ namepath = ++ acpi_ns_get_external_pathname(op->common.node); ++ status = ae_lookup_init_file_entry(namepath, &obj_desc); ++ if (ACPI_SUCCESS(status)) { ++ status = ++ acpi_ex_write_data_to_field(obj_desc, ++ op->common. 
++ node->object, ++ NULL); ++ if ACPI_FAILURE ++ (status) { ++ ACPI_EXCEPTION((AE_INFO, status, ++ "While writing to buffer field")); ++ } ++ } ++ ACPI_FREE(namepath); ++ status = AE_OK; ++#endif + break; + + case AML_TYPE_CREATE_OBJECT: +diff --git a/drivers/acpi/acpica/dswload.c b/drivers/acpi/acpica/dswload.c +index 4bcf15bf03ded..6cf93fae4d07f 100644 +--- a/drivers/acpi/acpica/dswload.c ++++ b/drivers/acpi/acpica/dswload.c +@@ -14,7 +14,6 @@ + #include "acdispat.h" + #include "acinterp.h" + #include "acnamesp.h" +- + #ifdef ACPI_ASL_COMPILER + #include "acdisasm.h" + #endif +@@ -399,7 +398,6 @@ acpi_status acpi_ds_load1_end_op(struct acpi_walk_state *walk_state) + union acpi_parse_object *op; + acpi_object_type object_type; + acpi_status status = AE_OK; +- + #ifdef ACPI_ASL_COMPILER + u8 param_count; + #endif +diff --git a/drivers/acpi/acpica/dswload2.c b/drivers/acpi/acpica/dswload2.c +index 935a8e2623e4b..15d92bf15f0b6 100644 +--- a/drivers/acpi/acpica/dswload2.c ++++ b/drivers/acpi/acpica/dswload2.c +@@ -15,6 +15,9 @@ + #include "acinterp.h" + #include "acnamesp.h" + #include "acevents.h" ++#ifdef ACPI_EXEC_APP ++#include "aecommon.h" ++#endif + + #define _COMPONENT ACPI_DISPATCHER + ACPI_MODULE_NAME("dswload2") +@@ -373,6 +376,10 @@ acpi_status acpi_ds_load2_end_op(struct acpi_walk_state *walk_state) + struct acpi_namespace_node *new_node; + u32 i; + u8 region_space; ++#ifdef ACPI_EXEC_APP ++ union acpi_operand_object *obj_desc; ++ char *namepath; ++#endif + + ACPI_FUNCTION_TRACE(ds_load2_end_op); + +@@ -466,6 +473,11 @@ acpi_status acpi_ds_load2_end_op(struct acpi_walk_state *walk_state) + * be evaluated later during the execution phase + */ + status = acpi_ds_create_buffer_field(op, walk_state); ++ if (ACPI_FAILURE(status)) { ++ ACPI_EXCEPTION((AE_INFO, status, ++ "CreateBufferField failure")); ++ goto cleanup; ++ } + break; + + case AML_TYPE_NAMED_FIELD: +@@ -604,6 +616,29 @@ acpi_status acpi_ds_load2_end_op(struct acpi_walk_state *walk_state) + case 
AML_NAME_OP: + + status = acpi_ds_create_node(walk_state, node, op); ++ if (ACPI_FAILURE(status)) { ++ goto cleanup; ++ } ++#ifdef ACPI_EXEC_APP ++ /* ++ * acpi_exec support for namespace initialization file (initialize ++ * Name opcodes in this code.) ++ */ ++ namepath = acpi_ns_get_external_pathname(node); ++ status = ae_lookup_init_file_entry(namepath, &obj_desc); ++ if (ACPI_SUCCESS(status)) { ++ ++ /* Detach any existing object, attach new object */ ++ ++ if (node->object) { ++ acpi_ns_detach_object(node); ++ } ++ acpi_ns_attach_object(node, obj_desc, ++ obj_desc->common.type); ++ } ++ ACPI_FREE(namepath); ++ status = AE_OK; ++#endif + break; + + case AML_METHOD_OP: +diff --git a/drivers/acpi/acpica/nsnames.c b/drivers/acpi/acpica/nsnames.c +index 370bbc8677453..c717fff7d9b57 100644 +--- a/drivers/acpi/acpica/nsnames.c ++++ b/drivers/acpi/acpica/nsnames.c +@@ -13,9 +13,6 @@ + #define _COMPONENT ACPI_NAMESPACE + ACPI_MODULE_NAME("nsnames") + +-/* Local Prototypes */ +-static void acpi_ns_normalize_pathname(char *original_path); +- + /******************************************************************************* + * + * FUNCTION: acpi_ns_get_external_pathname +@@ -30,7 +27,6 @@ static void acpi_ns_normalize_pathname(char *original_path); + * for error and debug statements. 
+ * + ******************************************************************************/ +- + char *acpi_ns_get_external_pathname(struct acpi_namespace_node *node) + { + char *name_buffer; +@@ -411,7 +407,7 @@ char *acpi_ns_build_prefixed_pathname(union acpi_generic_state *prefix_scope, + * + ******************************************************************************/ + +-static void acpi_ns_normalize_pathname(char *original_path) ++void acpi_ns_normalize_pathname(char *original_path) + { + char *input_path = original_path; + char *new_path_buffer; +diff --git a/drivers/acpi/acpica/utdelete.c b/drivers/acpi/acpica/utdelete.c +index eee263cb7beb0..c365faf4e6cd4 100644 +--- a/drivers/acpi/acpica/utdelete.c ++++ b/drivers/acpi/acpica/utdelete.c +@@ -452,13 +452,13 @@ acpi_ut_update_ref_count(union acpi_operand_object *object, u32 action) + * + * FUNCTION: acpi_ut_update_object_reference + * +- * PARAMETERS: object - Increment ref count for this object +- * and all sub-objects ++ * PARAMETERS: object - Increment or decrement the ref count for ++ * this object and all sub-objects + * action - Either REF_INCREMENT or REF_DECREMENT + * + * RETURN: Status + * +- * DESCRIPTION: Increment the object reference count ++ * DESCRIPTION: Increment or decrement the object reference count + * + * Object references are incremented when: + * 1) An object is attached to a Node (namespace object) +@@ -492,7 +492,7 @@ acpi_ut_update_object_reference(union acpi_operand_object *object, u16 action) + } + + /* +- * All sub-objects must have their reference count incremented ++ * All sub-objects must have their reference count updated + * also. Different object types have different subobjects. + */ + switch (object->common.type) { +@@ -559,6 +559,7 @@ acpi_ut_update_object_reference(union acpi_operand_object *object, u16 action) + break; + } + } ++ + next_object = NULL; + break; + +-- +2.20.1 + 
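Review bot: In the `#ifdef ACPI_EXEC_APP` blocks added to acpi_ds_exec_end_op() (dswexec.c) and acpi_ds_load2_end_op() (dswload2.c), the result of `acpi_ns_get_external_pathname()` goes straight into `ae_lookup_init_file_entry()` with no NULL check. The helper's body is not visible here, but if it can return NULL on allocation failure, a guard before the lookup such as `if (!namepath) { status = AE_NO_MEMORY; break; }` would keep a NULL path out of code this patch does not show. In dswload2.c the return value of `acpi_ns_attach_object()` is also dropped and `status` is then forced to `AE_OK`, so a failed attach is silent. Reporting it through `ACPI_EXCEPTION`, as the dswexec.c block does for the field write, would make the two paths consistent. Both functions start and end outside the hunks shown.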
diff --git a/queue-5.4/arm-dts-rockchip-fix-lvds-encoder-ports-subnode-for-.patch b/queue-5.4/arm-dts-rockchip-fix-lvds-encoder-ports-subnode-for-.patch new file mode 100644 index 00000000000..54a9ca743e1 --- /dev/null +++ b/queue-5.4/arm-dts-rockchip-fix-lvds-encoder-ports-subnode-for-.patch 
@@ -0,0 +1,74 @@ +From bd2fef700d19aa4a5c915597d4c3605e878f9a63 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2020 18:46:47 +0100 +Subject: ARM: dts: rockchip: fix lvds-encoder ports subnode for + rk3188-bqedison2qc + +From: Johan Jonker + +[ Upstream commit 1a7e99599dffd836fcb720cdc0eaf3cd43d7af4a ] + +A test with the command below gives this error: + +arch/arm/boot/dts/rk3188-bqedison2qc.dt.yaml: lvds-encoder: +'ports' is a required property + +Fix error by adding a ports wrapper for port@0 and port@1 +inside the 'lvds-encoder' node for rk3188-bqedison2qc. + +make ARCH=arm dtbs_check +DT_SCHEMA_FILES=Documentation/devicetree/bindings/display/ +bridge/lvds-codec.yaml + +Signed-off-by: Johan Jonker +Link: https://lore.kernel.org/r/20200316174647.5598-1-jbx6244@gmail.com +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/rk3188-bqedison2qc.dts | 27 ++++++++++++++---------- + 1 file changed, 16 insertions(+), 11 deletions(-) + +diff --git a/arch/arm/boot/dts/rk3188-bqedison2qc.dts b/arch/arm/boot/dts/rk3188-bqedison2qc.dts +index 8afb2fd5d9f1b..66a0ff196eb1f 100644 +--- a/arch/arm/boot/dts/rk3188-bqedison2qc.dts ++++ b/arch/arm/boot/dts/rk3188-bqedison2qc.dts +@@ -58,20 +58,25 @@ + + lvds-encoder { + compatible = "ti,sn75lvds83", "lvds-encoder"; +- #address-cells = <1>; +- #size-cells = <0>; + +- port@0 { +- reg = <0>; +- lvds_in_vop0: endpoint { +- remote-endpoint = <&vop0_out_lvds>; ++ ports { ++ #address-cells = <1>; ++ #size-cells = <0>; ++ ++ port@0 { ++ reg = <0>; ++ ++ lvds_in_vop0: endpoint { ++ remote-endpoint = <&vop0_out_lvds>; ++ }; + }; +- }; + +- port@1 { +- reg = <1>; +- lvds_out_panel: endpoint { +- remote-endpoint = <&panel_in_lvds>; ++ port@1 { ++ reg = <1>; ++ ++ lvds_out_panel: endpoint { ++ remote-endpoint = <&panel_in_lvds>; ++ }; + }; + }; + }; +-- +2.20.1 + 
diff --git a/queue-5.4/arm-dts-rockchip-fix-vqmmc-supply-property-name-for-.patch b/queue-5.4/arm-dts-rockchip-fix-vqmmc-supply-property-name-for-.patch new file mode 100644 index 00000000000..9ba4a2efaf0 --- /dev/null +++ b/queue-5.4/arm-dts-rockchip-fix-vqmmc-supply-property-name-for-.patch 
@@ -0,0 +1,62 @@ +From 80ecb3157de9e1a983efc1df98c9f053c8ed1ba8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Mar 2020 14:48:37 +0100 +Subject: ARM: dts: rockchip: fix vqmmc-supply property name for + rk3188-bqedison2qc + +From: Johan Jonker + +[ Upstream commit 9cd568dc588c5d168615bf34f325fabe33b2c9a0 ] + +A test with the command below does not detect all errors +in combination with 'additionalProperties: false' and +allOf: + - $ref: "synopsys-dw-mshc-common.yaml#" +allOf: + - $ref: "mmc-controller.yaml#" + +'additionalProperties' applies to all properties that are not +accounted-for by 'properties' or 'patternProperties' in +the immediate schema. + +First when we combine rockchip-dw-mshc.yaml, +synopsys-dw-mshc-common.yaml and mmc-controller.yaml it gives +this error: + +arch/arm/boot/dts/rk3188-bqedison2qc.dt.yaml: mmc@10218000: +'vmmcq-supply' does not match any of the regexes: +'^.*@[0-9]+$', +'^clk-phase-(legacy|sd-hs|mmc-(hs|hs[24]00|ddr52)| +uhs-(sdr(12|25|50|104)|ddr50))$', +'pinctrl-[0-9]+' + +'vmmcq-supply' is not a valid property name for mmc nodes. +Fix this error by renaming it to 'vqmmc-supply'. 
+ +make ARCH=arm dtbs_check +DT_SCHEMA_FILES=Documentation/devicetree/bindings/mmc/rockchip-dw-mshc.yaml + +Signed-off-by: Johan Jonker +Link: https://lore.kernel.org/r/20200307134841.13803-1-jbx6244@gmail.com +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/rk3188-bqedison2qc.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/rk3188-bqedison2qc.dts b/arch/arm/boot/dts/rk3188-bqedison2qc.dts +index ad1afd403052a..8afb2fd5d9f1b 100644 +--- a/arch/arm/boot/dts/rk3188-bqedison2qc.dts ++++ b/arch/arm/boot/dts/rk3188-bqedison2qc.dts +@@ -465,7 +465,7 @@ + non-removable; + pinctrl-names = "default"; + pinctrl-0 = <&sd1_clk>, <&sd1_cmd>, <&sd1_bus4>; +- vmmcq-supply = <&vccio_wl>; ++ vqmmc-supply = <&vccio_wl>; + #address-cells = <1>; + #size-cells = <0>; + status = "okay"; +-- +2.20.1 + diff --git a/queue-5.4/arm64-dts-allwinner-a64-fix-display-clock-register-r.patch b/queue-5.4/arm64-dts-allwinner-a64-fix-display-clock-register-r.patch new file mode 100644 index 00000000000..dfaf81d2f4c --- /dev/null +++ b/queue-5.4/arm64-dts-allwinner-a64-fix-display-clock-register-r.patch 
@@ -0,0 +1,39 @@ +From 77a4d91fdb8db9956cf269dd5bc7225bfb2fddb4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 25 Jan 2020 00:20:10 +0100 +Subject: arm64: dts: allwinner: a64: Fix display clock register range + +From: Jernej Skrabec + +[ Upstream commit 3e9a1a8b7f811de3eb1445d72f68766b704ad17c ] + +Register range of display clocks is 0x10000, as it can be seen from +DE2 documentation. + +Fix it. + +Signed-off-by: Jernej Skrabec +Fixes: 2c796fc8f5dbd ("arm64: dts: allwinner: a64: add necessary device tree nodes for DE2 CCU") +[wens@csie.org: added fixes tag] +Signed-off-by: Chen-Yu Tsai +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/allwinner/sun50i-a64.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/allwinner/sun50i-a64.dtsi b/arch/arm64/boot/dts/allwinner/sun50i-a64.dtsi +index ba41c1b85887a..367699c8c9028 100644 +--- a/arch/arm64/boot/dts/allwinner/sun50i-a64.dtsi ++++ b/arch/arm64/boot/dts/allwinner/sun50i-a64.dtsi +@@ -227,7 +227,7 @@ + + display_clocks: clock@0 { + compatible = "allwinner,sun50i-a64-de2-clk"; +- reg = <0x0 0x100000>; ++ reg = <0x0 0x10000>; + clocks = <&ccu CLK_BUS_DE>, + <&ccu CLK_DE>; + clock-names = "bus", +-- +2.20.1 + diff --git a/queue-5.4/arm64-dts-clearfog-gt-8k-set-gigabit-phy-reset-deass.patch b/queue-5.4/arm64-dts-clearfog-gt-8k-set-gigabit-phy-reset-deass.patch new file mode 100644 index 00000000000..de9c75bbb6c --- /dev/null +++ b/queue-5.4/arm64-dts-clearfog-gt-8k-set-gigabit-phy-reset-deass.patch 
@@ -0,0 +1,44 @@ +From 308d9abf5d2426ccc777e4c24052a9c2138c3629 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Feb 2020 11:45:12 +0000 +Subject: arm64: dts: clearfog-gt-8k: set gigabit PHY reset deassert delay + +From: Russell King + +[ Upstream commit 46f94c7818e7ab82758fca74935ef3d454340b4e ] + +If the mv88e6xxx DSA driver is built as a module, it causes the +ethernet driver to re-probe when it's loaded. This in turn causes +the gigabit PHY to be momentarily reset and reprogrammed. However, +we attempt to reprogram the PHY immediately after deasserting reset, +and the PHY ignores the writes. + +This results in the PHY operating in the wrong mode, and the copper +link states down. + +Set a reset deassert delay of 10ms for the gigabit PHY to avoid this. + +Fixes: babc5544c293 ("arm64: dts: clearfog-gt-8k: 1G eth PHY reset signal") +Signed-off-by: Russell King +Acked-by: Baruch Siach +Signed-off-by: Gregory CLEMENT +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/marvell/armada-8040-clearfog-gt-8k.dts | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/boot/dts/marvell/armada-8040-clearfog-gt-8k.dts b/arch/arm64/boot/dts/marvell/armada-8040-clearfog-gt-8k.dts +index a211a046b2f2f..b90d78a5724b2 100644 +--- a/arch/arm64/boot/dts/marvell/armada-8040-clearfog-gt-8k.dts ++++ b/arch/arm64/boot/dts/marvell/armada-8040-clearfog-gt-8k.dts +@@ -367,6 +367,7 @@ + pinctrl-0 = <&cp0_copper_eth_phy_reset>; + reset-gpios = <&cp0_gpio2 11 GPIO_ACTIVE_LOW>; + reset-assert-us = <10000>; ++ reset-deassert-us = <10000>; + }; + + switch0: switch0@4 { +-- +2.20.1 + diff --git a/queue-5.4/arm64-tegra-add-pcie-endpoint-controllers-nodes-for-.patch b/queue-5.4/arm64-tegra-add-pcie-endpoint-controllers-nodes-for-.patch new file mode 100644 index 00000000000..75feb6fd17f --- /dev/null +++ b/queue-5.4/arm64-tegra-add-pcie-endpoint-controllers-nodes-for-.patch 
@@ -0,0 +1,132 @@ +From 7faf318bceb24431bc1e929bd556675a02cbf64d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Mar 2020 23:40:50 +0530 +Subject: arm64: tegra: Add PCIe endpoint controllers nodes for Tegra194 + +From: Vidya Sagar + +[ Upstream commit 0c988b731e6430f0081991fdb4f63f7fc837df9a ] + +Add endpoint mode controllers nodes for the dual mode PCIe controllers +present in Tegra194 SoC. + +Signed-off-by: Vidya Sagar +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/nvidia/tegra194.dtsi | 99 ++++++++++++++++++++++++ + 1 file changed, 99 insertions(+) + +diff --git a/arch/arm64/boot/dts/nvidia/tegra194.dtsi b/arch/arm64/boot/dts/nvidia/tegra194.dtsi +index 3c0cf54f0aab3..57adcbb7352d6 100644 +--- a/arch/arm64/boot/dts/nvidia/tegra194.dtsi ++++ b/arch/arm64/boot/dts/nvidia/tegra194.dtsi +@@ -1430,6 +1430,105 @@ + 0x82000000 0x0 0x40000000 0x1f 0x40000000 0x0 0xc0000000>; /* non-prefetchable memory (3GB) */ + }; + ++ pcie_ep@14160000 { ++ compatible = "nvidia,tegra194-pcie-ep", "snps,dw-pcie-ep"; ++ power-domains = <&bpmp TEGRA194_POWER_DOMAIN_PCIEX4A>; ++ reg = <0x00 0x14160000 0x0 0x00020000 /* appl registers (128K) */ ++ 0x00 0x36040000 0x0 0x00040000 /* iATU_DMA reg space (256K) */ ++ 0x00 0x36080000 0x0 0x00040000 /* DBI reg space (256K) */ ++ 0x14 0x00000000 0x4 0x00000000>; /* Address Space (16G) */ ++ reg-names = "appl", "atu_dma", "dbi", "addr_space"; ++ ++ status = "disabled"; ++ ++ num-lanes = <4>; ++ num-ib-windows = <2>; ++ num-ob-windows = <8>; ++ ++ clocks = <&bpmp TEGRA194_CLK_PEX0_CORE_4>; ++ clock-names = "core"; ++ ++ resets = <&bpmp TEGRA194_RESET_PEX0_CORE_4_APB>, ++ <&bpmp TEGRA194_RESET_PEX0_CORE_4>; ++ reset-names = "apb", "core"; ++ ++ interrupts = ; /* controller interrupt */ ++ interrupt-names = "intr"; ++ ++ nvidia,bpmp = <&bpmp 4>; ++ ++ nvidia,aspm-cmrt-us = <60>; ++ nvidia,aspm-pwr-on-t-us = <20>; ++ nvidia,aspm-l0s-entrance-latency-us = <3>; ++ }; ++ ++ pcie_ep@14180000 { ++ compatible = 
"nvidia,tegra194-pcie-ep", "snps,dw-pcie-ep"; ++ power-domains = <&bpmp TEGRA194_POWER_DOMAIN_PCIEX8B>; ++ reg = <0x00 0x14180000 0x0 0x00020000 /* appl registers (128K) */ ++ 0x00 0x38040000 0x0 0x00040000 /* iATU_DMA reg space (256K) */ ++ 0x00 0x38080000 0x0 0x00040000 /* DBI reg space (256K) */ ++ 0x18 0x00000000 0x4 0x00000000>; /* Address Space (16G) */ ++ reg-names = "appl", "atu_dma", "dbi", "addr_space"; ++ ++ status = "disabled"; ++ ++ num-lanes = <8>; ++ num-ib-windows = <2>; ++ num-ob-windows = <8>; ++ ++ clocks = <&bpmp TEGRA194_CLK_PEX0_CORE_0>; ++ clock-names = "core"; ++ ++ resets = <&bpmp TEGRA194_RESET_PEX0_CORE_0_APB>, ++ <&bpmp TEGRA194_RESET_PEX0_CORE_0>; ++ reset-names = "apb", "core"; ++ ++ interrupts = ; /* controller interrupt */ ++ interrupt-names = "intr"; ++ ++ nvidia,bpmp = <&bpmp 0>; ++ ++ nvidia,aspm-cmrt-us = <60>; ++ nvidia,aspm-pwr-on-t-us = <20>; ++ nvidia,aspm-l0s-entrance-latency-us = <3>; ++ }; ++ ++ pcie_ep@141a0000 { ++ compatible = "nvidia,tegra194-pcie-ep", "snps,dw-pcie-ep"; ++ power-domains = <&bpmp TEGRA194_POWER_DOMAIN_PCIEX8A>; ++ reg = <0x00 0x141a0000 0x0 0x00020000 /* appl registers (128K) */ ++ 0x00 0x3a040000 0x0 0x00040000 /* iATU_DMA reg space (256K) */ ++ 0x00 0x3a080000 0x0 0x00040000 /* DBI reg space (256K) */ ++ 0x1c 0x00000000 0x4 0x00000000>; /* Address Space (16G) */ ++ reg-names = "appl", "atu_dma", "dbi", "addr_space"; ++ ++ status = "disabled"; ++ ++ num-lanes = <8>; ++ num-ib-windows = <2>; ++ num-ob-windows = <8>; ++ ++ pinctrl-names = "default"; ++ pinctrl-0 = <&clkreq_c5_bi_dir_state>; ++ ++ clocks = <&bpmp TEGRA194_CLK_PEX1_CORE_5>; ++ clock-names = "core"; ++ ++ resets = <&bpmp TEGRA194_RESET_PEX1_CORE_5_APB>, ++ <&bpmp TEGRA194_RESET_PEX1_CORE_5>; ++ reset-names = "apb", "core"; ++ ++ interrupts = ; /* controller interrupt */ ++ interrupt-names = "intr"; ++ ++ nvidia,bpmp = <&bpmp 5>; ++ ++ nvidia,aspm-cmrt-us = <60>; ++ nvidia,aspm-pwr-on-t-us = <20>; ++ nvidia,aspm-l0s-entrance-latency-us = 
<3>; ++ }; ++ + sysram@40000000 { + compatible = "nvidia,tegra194-sysram", "mmio-sram"; + reg = <0x0 0x40000000 0x0 0x50000>; +-- +2.20.1 + diff --git a/queue-5.4/arm64-tegra-fix-tegra194-pcie-compatible-string.patch b/queue-5.4/arm64-tegra-fix-tegra194-pcie-compatible-string.patch new file mode 100644 index 00000000000..0d598914058 --- /dev/null +++ b/queue-5.4/arm64-tegra-fix-tegra194-pcie-compatible-string.patch 
@@ -0,0 +1,106 @@ +From 97c15dd3e6a52a07c899ea635ef5122aaae898f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Feb 2020 13:53:53 +0000 +Subject: arm64: tegra: Fix Tegra194 PCIe compatible string + +From: Jon Hunter + +[ Upstream commit f9f711efd441ad0d22874be49986d92121862335 ] + +If the kernel configuration option CONFIG_PCIE_DW_PLAT_HOST is enabled +then this can cause the kernel to incorrectly probe the generic +designware PCIe platform driver instead of the Tegra194 designware PCIe +driver. This causes a boot failure on Tegra194 because the necessary +configuration to access the hardware is not performed. + +The order in which the compatible strings are populated in Device-Tree +is not relevant in this case, because the kernel will attempt to probe +the device as soon as a driver is loaded and if the generic designware +PCIe driver is loaded first, then this driver will be probed first. +Therefore, to fix this problem, remove the "snps,dw-pcie" string from +the compatible string as we never want this driver to be probe on +Tegra194. 
+ +Fixes: 2602c32f15e7 ("arm64: tegra: Add P2U and PCIe controller nodes to Tegra194 DT") +Signed-off-by: Jon Hunter +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + .../devicetree/bindings/pci/nvidia,tegra194-pcie.txt | 2 +- + arch/arm64/boot/dts/nvidia/tegra194.dtsi | 12 ++++++------ + 2 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/Documentation/devicetree/bindings/pci/nvidia,tegra194-pcie.txt b/Documentation/devicetree/bindings/pci/nvidia,tegra194-pcie.txt +index b739f92da58e5..1f90eb39870be 100644 +--- a/Documentation/devicetree/bindings/pci/nvidia,tegra194-pcie.txt ++++ b/Documentation/devicetree/bindings/pci/nvidia,tegra194-pcie.txt +@@ -118,7 +118,7 @@ Tegra194: + -------- + + pcie@14180000 { +- compatible = "nvidia,tegra194-pcie", "snps,dw-pcie"; ++ compatible = "nvidia,tegra194-pcie"; + power-domains = <&bpmp TEGRA194_POWER_DOMAIN_PCIEX8B>; + reg = <0x00 0x14180000 0x0 0x00020000 /* appl registers (128K) */ + 0x00 0x38000000 0x0 0x00040000 /* configuration space (256K) */ +diff --git a/arch/arm64/boot/dts/nvidia/tegra194.dtsi b/arch/arm64/boot/dts/nvidia/tegra194.dtsi +index 57adcbb7352d6..457b815d57f40 100644 +--- a/arch/arm64/boot/dts/nvidia/tegra194.dtsi ++++ b/arch/arm64/boot/dts/nvidia/tegra194.dtsi +@@ -1151,7 +1151,7 @@ + }; + + pcie@14100000 { +- compatible = "nvidia,tegra194-pcie", "snps,dw-pcie"; ++ compatible = "nvidia,tegra194-pcie"; + power-domains = <&bpmp TEGRA194_POWER_DOMAIN_PCIEX1A>; + reg = <0x00 0x14100000 0x0 0x00020000 /* appl registers (128K) */ + 0x00 0x30000000 0x0 0x00040000 /* configuration space (256K) */ +@@ -1197,7 +1197,7 @@ + }; + + pcie@14120000 { +- compatible = "nvidia,tegra194-pcie", "snps,dw-pcie"; ++ compatible = "nvidia,tegra194-pcie"; + power-domains = <&bpmp TEGRA194_POWER_DOMAIN_PCIEX1A>; + reg = <0x00 0x14120000 0x0 0x00020000 /* appl registers (128K) */ + 0x00 0x32000000 0x0 0x00040000 /* configuration space (256K) */ +@@ -1243,7 +1243,7 @@ + }; + + pcie@14140000 { +- compatible 
= "nvidia,tegra194-pcie", "snps,dw-pcie"; ++ compatible = "nvidia,tegra194-pcie"; + power-domains = <&bpmp TEGRA194_POWER_DOMAIN_PCIEX1A>; + reg = <0x00 0x14140000 0x0 0x00020000 /* appl registers (128K) */ + 0x00 0x34000000 0x0 0x00040000 /* configuration space (256K) */ +@@ -1289,7 +1289,7 @@ + }; + + pcie@14160000 { +- compatible = "nvidia,tegra194-pcie", "snps,dw-pcie"; ++ compatible = "nvidia,tegra194-pcie"; + power-domains = <&bpmp TEGRA194_POWER_DOMAIN_PCIEX4A>; + reg = <0x00 0x14160000 0x0 0x00020000 /* appl registers (128K) */ + 0x00 0x36000000 0x0 0x00040000 /* configuration space (256K) */ +@@ -1335,7 +1335,7 @@ + }; + + pcie@14180000 { +- compatible = "nvidia,tegra194-pcie", "snps,dw-pcie"; ++ compatible = "nvidia,tegra194-pcie"; + power-domains = <&bpmp TEGRA194_POWER_DOMAIN_PCIEX8B>; + reg = <0x00 0x14180000 0x0 0x00020000 /* appl registers (128K) */ + 0x00 0x38000000 0x0 0x00040000 /* configuration space (256K) */ +@@ -1381,7 +1381,7 @@ + }; + + pcie@141a0000 { +- compatible = "nvidia,tegra194-pcie", "snps,dw-pcie"; ++ compatible = "nvidia,tegra194-pcie"; + power-domains = <&bpmp TEGRA194_POWER_DOMAIN_PCIEX8A>; + reg = <0x00 0x141a0000 0x0 0x00020000 /* appl registers (128K) */ + 0x00 0x3a000000 0x0 0x00040000 /* configuration space (256K) */ +-- +2.20.1 + diff --git a/queue-5.4/btrfs-add-rcu-locks-around-block-group-initializatio.patch b/queue-5.4/btrfs-add-rcu-locks-around-block-group-initializatio.patch new file mode 100644 index 00000000000..602dbfaaf44 --- /dev/null +++ b/queue-5.4/btrfs-add-rcu-locks-around-block-group-initializatio.patch 
@@ -0,0 +1,57 @@ +From 8246951879691546611805491d604a70cc79d873 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Mar 2020 12:22:43 +0530 +Subject: btrfs: add RCU locks around block group initialization + +From: Madhuparna Bhowmik + +[ Upstream commit 29566c9c773456467933ee22bbca1c2b72a3506c ] + +The space_info list is normally RCU protected and should be traversed +with rcu_read_lock held. There's a warning + + [29.104756] WARNING: suspicious RCU usage + [29.105046] 5.6.0-rc4-next-20200305 #1 Not tainted + [29.105231] ----------------------------- + [29.105401] fs/btrfs/block-group.c:2011 RCU-list traversed in non-reader section!! + +pointing out that the locking is missing in btrfs_read_block_groups. +However this is not necessary as the list traversal happens at mount +time when there's no other thread potentially accessing the list. + +To fix the warning and for consistency let's add the RCU lock/unlock, +the code won't be affected much as it's doing some lightweight +operations. + +Reported-by: Guenter Roeck +Signed-off-by: Madhuparna Bhowmik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/block-group.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/btrfs/block-group.c b/fs/btrfs/block-group.c +index 7dcfa7d7632a1..95330f40f998c 100644 +--- a/fs/btrfs/block-group.c ++++ b/fs/btrfs/block-group.c +@@ -1829,6 +1829,7 @@ int btrfs_read_block_groups(struct btrfs_fs_info *info) + } + } + ++ rcu_read_lock(); + list_for_each_entry_rcu(space_info, &info->space_info, list) { + if (!(btrfs_get_alloc_profile(info, space_info->flags) & + (BTRFS_BLOCK_GROUP_RAID10 | +@@ -1849,6 +1850,7 @@ int btrfs_read_block_groups(struct btrfs_fs_info *info) + list) + inc_block_group_ro(cache, 1); + } ++ rcu_read_unlock(); + + btrfs_init_global_block_rsv(info); + ret = check_chunk_block_group_mappings(info); +-- +2.20.1 + 
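Review bot: The new `rcu_read_lock()`/`rcu_read_unlock()` pair in btrfs_read_block_groups() turns the whole space_info loop, including the nested `inc_block_group_ro(cache, 1)` calls, into a section that must not sleep, and nothing in the code records that. The commit message says the lock is taken only to satisfy the RCU list check at mount time, so a later change that adds a blocking call inside the loop would be easy to miss. A comment above the lock would help, for example `/* Mount-time only: lock held for the RCU list check; nothing in this loop may sleep. */`. Whether the callees are non-blocking cannot be confirmed from this hunk, since the loop body is only partly visible and the function starts and ends outside it.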
diff --git a/queue-5.4/cifs-allocate-encryption-header-through-kmalloc.patch b/queue-5.4/cifs-allocate-encryption-header-through-kmalloc.patch new file mode 100644 index 00000000000..0f94fea42e7 --- /dev/null +++ b/queue-5.4/cifs-allocate-encryption-header-through-kmalloc.patch 
@@ -0,0 +1,83 @@ +From 3a7a7a5efb648bc8f2e8bb2dbf402177502b0794 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Mar 2020 22:09:20 -0700 +Subject: cifs: Allocate encryption header through kmalloc + +From: Long Li + +[ Upstream commit 3946d0d04bb360acca72db5efe9ae8440012d9dc ] + +When encryption is used, smb2_transform_hdr is defined on the stack and is +passed to the transport. This doesn't work with RDMA as the buffer needs to +be DMA'ed. + +Fix it by using kmalloc. + +Signed-off-by: Long Li +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/transport.c | 28 +++++++++++++++++----------- + 1 file changed, 17 insertions(+), 11 deletions(-) + +diff --git a/fs/cifs/transport.c b/fs/cifs/transport.c +index e67a43fd037c9..fe1552cc8a0a7 100644 +--- a/fs/cifs/transport.c ++++ b/fs/cifs/transport.c +@@ -466,7 +466,7 @@ smb_send_rqst(struct TCP_Server_Info *server, int num_rqst, + struct smb_rqst *rqst, int flags) + { + struct kvec iov; +- struct smb2_transform_hdr tr_hdr; ++ struct smb2_transform_hdr *tr_hdr; + struct smb_rqst cur_rqst[MAX_COMPOUND]; + int rc; + +@@ -476,28 +476,34 @@ smb_send_rqst(struct TCP_Server_Info *server, int num_rqst, + if (num_rqst > MAX_COMPOUND - 1) + return -ENOMEM; + +- memset(&cur_rqst[0], 0, sizeof(cur_rqst)); +- memset(&iov, 0, sizeof(iov)); +- memset(&tr_hdr, 0, sizeof(tr_hdr)); +- +- iov.iov_base = &tr_hdr; +- iov.iov_len = sizeof(tr_hdr); +- cur_rqst[0].rq_iov = &iov; +- cur_rqst[0].rq_nvec = 1; +- + if (!server->ops->init_transform_rq) { + cifs_server_dbg(VFS, "Encryption requested but transform " + "callback is missing\n"); + return -EIO; + } + ++ tr_hdr = kmalloc(sizeof(*tr_hdr), GFP_NOFS); ++ if (!tr_hdr) ++ return -ENOMEM; ++ ++ memset(&cur_rqst[0], 0, sizeof(cur_rqst)); ++ memset(&iov, 0, sizeof(iov)); ++ memset(tr_hdr, 0, sizeof(*tr_hdr)); ++ ++ iov.iov_base = tr_hdr; ++ iov.iov_len = sizeof(*tr_hdr); ++ cur_rqst[0].rq_iov = &iov; ++ cur_rqst[0].rq_nvec = 1; ++ + rc = 
server->ops->init_transform_rq(server, num_rqst + 1, + &cur_rqst[0], rqst); + if (rc) +- return rc; ++ goto out; + + rc = __smb_send_rqst(server, num_rqst + 1, &cur_rqst[0]); + smb3_free_compound_rqst(num_rqst, &cur_rqst[1]); ++out: ++ kfree(tr_hdr); + return rc; + } + +-- +2.20.1 + diff --git a/queue-5.4/clk-at91-usb-continue-if-clk_hw_round_rate-return-ze.patch b/queue-5.4/clk-at91-usb-continue-if-clk_hw_round_rate-return-ze.patch new file mode 100644 index 00000000000..81fd1c3a193 --- /dev/null +++ b/queue-5.4/clk-at91-usb-continue-if-clk_hw_round_rate-return-ze.patch 
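Review bot: In smb_send_rqst() the header is allocated with `kmalloc()` and zeroed a few lines later with `memset(tr_hdr, 0, sizeof(*tr_hdr))`; a single `tr_hdr = kzalloc(sizeof(*tr_hdr), GFP_NOFS);` would do both. Because this buffer is handed to the transport, zeroing at allocation means no later reordering can leave uninitialised heap bytes in a header that goes out on the wire. Separately, the `goto out` taken when `init_transform_rq` fails skips `smb3_free_compound_rqst()`. That matches the old early `return rc`, but whether the callback cleans up its own partial state is not visible in this hunk and is worth confirming.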
@@ -0,0 +1,49 @@ +From 32d2e13c03340984768859d31b46564767598805 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Jan 2020 13:36:46 +0200 +Subject: clk: at91: usb: continue if clk_hw_round_rate() return zero + +From: Claudiu Beznea + +[ Upstream commit b0ecf1c6c6e82da4847900fad0272abfd014666d ] + +clk_hw_round_rate() may call round rate function of its parents. In case +of SAM9X60 two of USB parrents are PLLA and UPLL. These clocks are +controlled by clk-sam9x60-pll.c driver. The round rate function for this +driver is sam9x60_pll_round_rate() which call in turn +sam9x60_pll_get_best_div_mul(). In case the requested rate is not in the +proper range (rate < characteristics->output[0].min && +rate > characteristics->output[0].max) the sam9x60_pll_round_rate() will +return a negative number to its caller (called by +clk_core_round_rate_nolock()). clk_hw_round_rate() will return zero in +case a negative number is returned by clk_core_round_rate_nolock(). With +this, the USB clock will continue its rate computation even caller of +clk_hw_round_rate() returned an error. With this, the USB clock on SAM9X60 +may not chose the best parent. I detected this after a suspend/resume +cycle on SAM9X60. 
+ +Signed-off-by: Claudiu Beznea +Link: https://lkml.kernel.org/r/1579261009-4573-2-git-send-email-claudiu.beznea@microchip.com +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/at91/clk-usb.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/clk/at91/clk-usb.c b/drivers/clk/at91/clk-usb.c +index bda92980e0155..c0895c993cce2 100644 +--- a/drivers/clk/at91/clk-usb.c ++++ b/drivers/clk/at91/clk-usb.c +@@ -75,6 +75,9 @@ static int at91sam9x5_clk_usb_determine_rate(struct clk_hw *hw, + tmp_parent_rate = req->rate * div; + tmp_parent_rate = clk_hw_round_rate(parent, + tmp_parent_rate); ++ if (!tmp_parent_rate) ++ continue; ++ + tmp_rate = DIV_ROUND_CLOSEST(tmp_parent_rate, div); + if (tmp_rate < req->rate) + tmp_diff = req->rate - tmp_rate; +-- +2.20.1 + diff --git a/queue-5.4/clk-don-t-cache-errors-from-clk_ops-get_phase.patch b/queue-5.4/clk-don-t-cache-errors-from-clk_ops-get_phase.patch new file mode 100644 index 00000000000..eb51293994c --- /dev/null +++ b/queue-5.4/clk-don-t-cache-errors-from-clk_ops-get_phase.patch 
@@ -0,0 +1,134 @@ +From 5311f4b178717dfb6fae8ceef8418dc20d7cbaf4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Feb 2020 15:27:59 -0800 +Subject: clk: Don't cache errors from clk_ops::get_phase() + +From: Stephen Boyd + +[ Upstream commit f21cf9c77ee82ef8adfeb2143adfacf21ec1d5cc ] + +We don't check for errors from clk_ops::get_phase() before storing away +the result into the clk_core::phase member. This can lead to some fairly +confusing debugfs information if these ops do return an error. Let's +skip the store when this op fails to fix this. While we're here, move +the locking outside of clk_core_get_phase() to simplify callers from +the debugfs side. + +Cc: Douglas Anderson +Cc: Heiko Stuebner +Cc: Jerome Brunet +Signed-off-by: Stephen Boyd +Link: https://lkml.kernel.org/r/20200205232802.29184-2-sboyd@kernel.org +Acked-by: Jerome Brunet +Signed-off-by: Sasha Levin +--- + drivers/clk/clk.c | 48 +++++++++++++++++++++++++++++++---------------- + 1 file changed, 32 insertions(+), 16 deletions(-) + +diff --git a/drivers/clk/clk.c b/drivers/clk/clk.c +index 62d0fc486d3a2..80b029713722b 100644 +--- a/drivers/clk/clk.c ++++ b/drivers/clk/clk.c +@@ -2642,12 +2642,14 @@ static int clk_core_get_phase(struct clk_core *core) + { + int ret; + +- clk_prepare_lock(); ++ lockdep_assert_held(&prepare_lock); ++ if (!core->ops->get_phase) ++ return 0; ++ + /* Always try to update cached phase if possible */ +- if (core->ops->get_phase) +- core->phase = core->ops->get_phase(core->hw); +- ret = core->phase; +- clk_prepare_unlock(); ++ ret = core->ops->get_phase(core->hw); ++ if (ret >= 0) ++ core->phase = ret; + + return ret; + } +@@ -2661,10 +2663,16 @@ static int clk_core_get_phase(struct clk_core *core) + */ + int clk_get_phase(struct clk *clk) + { ++ int ret; ++ + if (!clk) + return 0; + +- return clk_core_get_phase(clk->core); ++ clk_prepare_lock(); ++ ret = clk_core_get_phase(clk->core); ++ clk_prepare_unlock(); ++ ++ return ret; + } + 
EXPORT_SYMBOL_GPL(clk_get_phase); + +@@ -2878,13 +2886,21 @@ static struct hlist_head *orphan_list[] = { + static void clk_summary_show_one(struct seq_file *s, struct clk_core *c, + int level) + { +- seq_printf(s, "%*s%-*s %7d %8d %8d %11lu %10lu %5d %6d\n", ++ int phase; ++ ++ seq_printf(s, "%*s%-*s %7d %8d %8d %11lu %10lu ", + level * 3 + 1, "", + 30 - level * 3, c->name, + c->enable_count, c->prepare_count, c->protect_count, +- clk_core_get_rate(c), clk_core_get_accuracy(c), +- clk_core_get_phase(c), +- clk_core_get_scaled_duty_cycle(c, 100000)); ++ clk_core_get_rate(c), clk_core_get_accuracy(c)); ++ ++ phase = clk_core_get_phase(c); ++ if (phase >= 0) ++ seq_printf(s, "%5d", phase); ++ else ++ seq_puts(s, "-----"); ++ ++ seq_printf(s, " %6d\n", clk_core_get_scaled_duty_cycle(c, 100000)); + } + + static void clk_summary_show_subtree(struct seq_file *s, struct clk_core *c, +@@ -2921,6 +2937,7 @@ DEFINE_SHOW_ATTRIBUTE(clk_summary); + + static void clk_dump_one(struct seq_file *s, struct clk_core *c, int level) + { ++ int phase; + unsigned long min_rate, max_rate; + + clk_core_get_boundaries(c, &min_rate, &max_rate); +@@ -2934,7 +2951,9 @@ static void clk_dump_one(struct seq_file *s, struct clk_core *c, int level) + seq_printf(s, "\"min_rate\": %lu,", min_rate); + seq_printf(s, "\"max_rate\": %lu,", max_rate); + seq_printf(s, "\"accuracy\": %lu,", clk_core_get_accuracy(c)); +- seq_printf(s, "\"phase\": %d,", clk_core_get_phase(c)); ++ phase = clk_core_get_phase(c); ++ if (phase >= 0) ++ seq_printf(s, "\"phase\": %d,", phase); + seq_printf(s, "\"duty_cycle\": %u", + clk_core_get_scaled_duty_cycle(c, 100000)); + } +@@ -3375,14 +3394,11 @@ static int __clk_core_init(struct clk_core *core) + core->accuracy = 0; + + /* +- * Set clk's phase. ++ * Set clk's phase by clk_core_get_phase() caching the phase. + * Since a phase is by definition relative to its parent, just + * query the current clock phase, or just assume it's in phase. 
+ */ +- if (core->ops->get_phase) +- core->phase = core->ops->get_phase(core->hw); +- else +- core->phase = 0; ++ clk_core_get_phase(core); + + /* + * Set clk's duty cycle. +-- +2.20.1 + diff --git a/queue-5.4/clk-tegra-fix-tegra-pmc-clock-out-parents.patch b/queue-5.4/clk-tegra-fix-tegra-pmc-clock-out-parents.patch new file mode 100644 index 00000000000..fbca112dcb5 --- /dev/null +++ b/queue-5.4/clk-tegra-fix-tegra-pmc-clock-out-parents.patch 
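Review bot: In __clk_core_init() the new bare call `clk_core_get_phase(core);` discards the return value, so a failing clk_ops::get_phase() is silently ignored at registration. The removed `else core->phase = 0;` no longer runs either, so core->phase keeps whatever it held before, presumably zero from allocation. Checking the result would make the failure visible, e.g. `ret = clk_core_get_phase(core); if (ret < 0) pr_warn("%s: failed to get phase for clk '%s'\n", __func__, core->name);`, assuming a local `ret` is available there. Whether registration should abort instead depends on the error path of __clk_core_init(), which is outside the hunk. Separately, clk_dump_one() now omits the "phase" key on error, which changes the JSON shape that debugfs consumers see.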
@@ -0,0 +1,56 @@ +From f9c4d434e7f249b7febbcc9cd91c43fd150bc396 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Jan 2020 23:24:09 -0800 +Subject: clk: tegra: Fix Tegra PMC clock out parents + +From: Sowjanya Komatineni + +[ Upstream commit 6fe38aa8cac3a5db38154331742835a4d9740788 ] + +Tegra PMC clocks clk_out_1, clk_out_2, and clk_out_3 supported parents +are osc, osc_div2, osc_div4 and extern clock. + +Clock driver is using incorrect parents clk_m, clk_m_div2, clk_m_div4 +for PMC clocks. + +This patch fixes this. + +Tested-by: Dmitry Osipenko +Reviewed-by: Dmitry Osipenko +Signed-off-by: Sowjanya Komatineni +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/clk/tegra/clk-tegra-pmc.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/clk/tegra/clk-tegra-pmc.c b/drivers/clk/tegra/clk-tegra-pmc.c +index bec3e008335f3..5e044ba1ae364 100644 +--- a/drivers/clk/tegra/clk-tegra-pmc.c ++++ b/drivers/clk/tegra/clk-tegra-pmc.c +@@ -49,16 +49,16 @@ struct pmc_clk_init_data { + + static DEFINE_SPINLOCK(clk_out_lock); + +-static const char *clk_out1_parents[] = { "clk_m", "clk_m_div2", +- "clk_m_div4", "extern1", ++static const char *clk_out1_parents[] = { "osc", "osc_div2", ++ "osc_div4", "extern1", + }; + +-static const char *clk_out2_parents[] = { "clk_m", "clk_m_div2", +- "clk_m_div4", "extern2", ++static const char *clk_out2_parents[] = { "osc", "osc_div2", ++ "osc_div4", "extern2", + }; + +-static const char *clk_out3_parents[] = { "clk_m", "clk_m_div2", +- "clk_m_div4", "extern3", ++static const char *clk_out3_parents[] = { "osc", "osc_div2", ++ "osc_div4", "extern3", + }; + + static struct pmc_clk_init_data pmc_clks[] = { +-- +2.20.1 + diff --git a/queue-5.4/compiler.h-fix-error-in-build_bug_on-reporting.patch b/queue-5.4/compiler.h-fix-error-in-build_bug_on-reporting.patch new file mode 100644 index 00000000000..ba397d33554 --- /dev/null 
+++ b/queue-5.4/compiler.h-fix-error-in-build_bug_on-reporting.patch 
@@ -0,0 +1,70 @@ +From 0744d31b434e9c47328597087d78f648fb30f024 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Apr 2020 20:09:37 -0700 +Subject: compiler.h: fix error in BUILD_BUG_ON() reporting + +From: Vegard Nossum + +[ Upstream commit af9c5d2e3b355854ff0e4acfbfbfadcd5198a349 ] + +compiletime_assert() uses __LINE__ to create a unique function name. This +means that if you have more than one BUILD_BUG_ON() in the same source +line (which can happen if they appear e.g. in a macro), then the error +message from the compiler might output the wrong condition. + +For this source file: + + #include + + #define macro() \ + BUILD_BUG_ON(1); \ + BUILD_BUG_ON(0); + + void foo() + { + macro(); + } + +gcc would output: + +./include/linux/compiler.h:350:38: error: call to `__compiletime_assert_9' declared with attribute error: BUILD_BUG_ON failed: 0 + _compiletime_assert(condition, msg, __compiletime_assert_, __LINE__) + +However, it was not the BUILD_BUG_ON(0) that failed, so it should say 1 +instead of 0. 
With this patch, we use __COUNTER__ instead of __LINE__, so +each BUILD_BUG_ON() gets a different function name and the correct +condition is printed: + +./include/linux/compiler.h:350:38: error: call to `__compiletime_assert_0' declared with attribute error: BUILD_BUG_ON failed: 1 + _compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__) + +Signed-off-by: Vegard Nossum +Signed-off-by: Andrew Morton +Reviewed-by: Masahiro Yamada +Reviewed-by: Daniel Santos +Cc: Rasmus Villemoes +Cc: Ian Abbott +Cc: Joe Perches +Link: http://lkml.kernel.org/r/20200331112637.25047-1-vegard.nossum@oracle.com +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/linux/compiler.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/compiler.h b/include/linux/compiler.h +index 5e88e7e33abec..034b0a644efcc 100644 +--- a/include/linux/compiler.h ++++ b/include/linux/compiler.h +@@ -347,7 +347,7 @@ static inline void *offset_to_ptr(const int *off) + * compiler has support to do so. + */ + #define compiletime_assert(condition, msg) \ +- _compiletime_assert(condition, msg, __compiletime_assert_, __LINE__) ++ _compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__) + + #define compiletime_assert_atomic_type(t) \ + compiletime_assert(__native_word(t), \ +-- +2.20.1 + diff --git a/queue-5.4/csky-fixup-cpu-speculative-execution-to-io-area.patch b/queue-5.4/csky-fixup-cpu-speculative-execution-to-io-area.patch new file mode 100644 index 00000000000..c732bd67e01 --- /dev/null +++ b/queue-5.4/csky-fixup-cpu-speculative-execution-to-io-area.patch 
@@ -0,0 +1,212 @@ +From 0e7e5c12b4544a343282718f412e416995267355 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 28 Mar 2020 19:14:37 +0800 +Subject: csky: Fixup cpu speculative execution to IO area + +From: Guo Ren + +[ Upstream commit aefd9461d34a1b0a2acad0750c43216c1c27b9d4 ] + +For the memory size ( > 512MB, < 1GB), the MSA setting is: + + - SSEG0: PHY_START , PHY_START + 512MB + - SSEG1: PHY_START + 512MB, PHY_START + 1GB + +But the real memory is no more than 1GB, there is a gap between the +end size of memory and border of 1GB. CPU could speculatively +execute to that gap and if the gap of the bus couldn't respond to +the CPU request, then the crash will happen. + +Now make the setting with: + + - SSEG0: PHY_START , PHY_START + 512MB (no change) + - SSEG1: Disabled (We use highmem to use the memory of 512MB~1GB) + +We also deprecated zhole_szie[] settings, it's only used by arm +style CPUs. All memory gap should use Reserved setting of dts in +csky system. + +Signed-off-by: Guo Ren +Signed-off-by: Sasha Levin +--- + arch/csky/abiv1/inc/abi/entry.h | 5 +-- + arch/csky/abiv2/inc/abi/entry.h | 7 ++-- + arch/csky/kernel/head.S | 5 +++ + arch/csky/kernel/setup.c | 63 ++++++++------------------------- + arch/csky/kernel/smp.c | 3 ++ + 5 files changed, 25 insertions(+), 58 deletions(-) + +diff --git a/arch/csky/abiv1/inc/abi/entry.h b/arch/csky/abiv1/inc/abi/entry.h +index f35a9f3315ee6..5056ebb902d18 100644 +--- a/arch/csky/abiv1/inc/abi/entry.h ++++ b/arch/csky/abiv1/inc/abi/entry.h +@@ -172,10 +172,7 @@ + addi r6, 0xe + cpwcr r6, cpcr30 + +- lsri r6, 28 +- addi r6, 2 +- lsli r6, 28 +- addi r6, 0xe ++ movi r6, 0 + cpwcr r6, cpcr31 + .endm + +diff --git a/arch/csky/abiv2/inc/abi/entry.h b/arch/csky/abiv2/inc/abi/entry.h +index 94a7a58765dff..111973c6c713f 100644 +--- a/arch/csky/abiv2/inc/abi/entry.h ++++ b/arch/csky/abiv2/inc/abi/entry.h +@@ -230,11 +230,8 @@ + addi r6, 0x1ce + mtcr r6, cr<30, 15> /* Set MSA0 */ + +- lsri r6, 28 +- addi r6, 2 +- lsli r6, 
28 +- addi r6, 0x1ce +- mtcr r6, cr<31, 15> /* Set MSA1 */ ++ movi r6, 0 ++ mtcr r6, cr<31, 15> /* Clr MSA1 */ + + /* enable MMU */ + mfcr r6, cr18 +diff --git a/arch/csky/kernel/head.S b/arch/csky/kernel/head.S +index 61989f9241c02..17ed9d2504807 100644 +--- a/arch/csky/kernel/head.S ++++ b/arch/csky/kernel/head.S +@@ -21,6 +21,11 @@ END(_start) + ENTRY(_start_smp_secondary) + SETUP_MMU + ++ /* copy msa1 from CPU0 */ ++ lrw r6, secondary_msa1 ++ ld.w r6, (r6, 0) ++ mtcr r6, cr<31, 15> ++ + /* set stack point */ + lrw r6, secondary_stack + ld.w r6, (r6, 0) +diff --git a/arch/csky/kernel/setup.c b/arch/csky/kernel/setup.c +index 23ee604aafdb6..2c1e253abb74c 100644 +--- a/arch/csky/kernel/setup.c ++++ b/arch/csky/kernel/setup.c +@@ -24,26 +24,9 @@ struct screen_info screen_info = { + }; + #endif + +-phys_addr_t __init_memblock memblock_end_of_REG0(void) +-{ +- return (memblock.memory.regions[0].base + +- memblock.memory.regions[0].size); +-} +- +-phys_addr_t __init_memblock memblock_start_of_REG1(void) +-{ +- return memblock.memory.regions[1].base; +-} +- +-size_t __init_memblock memblock_size_of_REG1(void) +-{ +- return memblock.memory.regions[1].size; +-} +- + static void __init csky_memblock_init(void) + { + unsigned long zone_size[MAX_NR_ZONES]; +- unsigned long zhole_size[MAX_NR_ZONES]; + signed long size; + + memblock_reserve(__pa(_stext), _end - _stext); +@@ -57,54 +40,36 @@ static void __init csky_memblock_init(void) + memblock_dump_all(); + + memset(zone_size, 0, sizeof(zone_size)); +- memset(zhole_size, 0, sizeof(zhole_size)); + + min_low_pfn = PFN_UP(memblock_start_of_DRAM()); +- max_pfn = PFN_DOWN(memblock_end_of_DRAM()); +- +- max_low_pfn = PFN_UP(memblock_end_of_REG0()); +- if (max_low_pfn == 0) +- max_low_pfn = max_pfn; ++ max_low_pfn = max_pfn = PFN_DOWN(memblock_end_of_DRAM()); + + size = max_pfn - min_low_pfn; + +- if (memblock.memory.cnt > 1) { +- zone_size[ZONE_NORMAL] = +- PFN_DOWN(memblock_start_of_REG1()) - min_low_pfn; +- 
zhole_size[ZONE_NORMAL] = +- PFN_DOWN(memblock_start_of_REG1()) - max_low_pfn; ++ if (size <= PFN_DOWN(SSEG_SIZE - PHYS_OFFSET_OFFSET)) ++ zone_size[ZONE_NORMAL] = size; ++ else if (size < PFN_DOWN(LOWMEM_LIMIT - PHYS_OFFSET_OFFSET)) { ++ zone_size[ZONE_NORMAL] = ++ PFN_DOWN(SSEG_SIZE - PHYS_OFFSET_OFFSET); ++ max_low_pfn = min_low_pfn + zone_size[ZONE_NORMAL]; + } else { +- if (size <= PFN_DOWN(LOWMEM_LIMIT - PHYS_OFFSET_OFFSET)) +- zone_size[ZONE_NORMAL] = max_pfn - min_low_pfn; +- else { +- zone_size[ZONE_NORMAL] = ++ zone_size[ZONE_NORMAL] = + PFN_DOWN(LOWMEM_LIMIT - PHYS_OFFSET_OFFSET); +- max_low_pfn = min_low_pfn + zone_size[ZONE_NORMAL]; +- } ++ max_low_pfn = min_low_pfn + zone_size[ZONE_NORMAL]; ++ write_mmu_msa1(read_mmu_msa0() + SSEG_SIZE); + } + + #ifdef CONFIG_HIGHMEM +- size = 0; +- if (memblock.memory.cnt > 1) { +- size = PFN_DOWN(memblock_size_of_REG1()); +- highstart_pfn = PFN_DOWN(memblock_start_of_REG1()); +- } else { +- size = max_pfn - min_low_pfn - +- PFN_DOWN(LOWMEM_LIMIT - PHYS_OFFSET_OFFSET); +- highstart_pfn = min_low_pfn + +- PFN_DOWN(LOWMEM_LIMIT - PHYS_OFFSET_OFFSET); +- } +- +- if (size > 0) +- zone_size[ZONE_HIGHMEM] = size; ++ zone_size[ZONE_HIGHMEM] = max_pfn - max_low_pfn; + +- highend_pfn = max_pfn; ++ highstart_pfn = max_low_pfn; ++ highend_pfn = max_pfn; + #endif + memblock_set_current_limit(PFN_PHYS(max_low_pfn)); + + dma_contiguous_reserve(0); + +- free_area_init_node(0, zone_size, min_low_pfn, zhole_size); ++ free_area_init_node(0, zone_size, min_low_pfn, NULL); + } + + void __init setup_arch(char **cmdline_p) +diff --git a/arch/csky/kernel/smp.c b/arch/csky/kernel/smp.c +index 0bb0954d55709..de61feb4b6df2 100644 +--- a/arch/csky/kernel/smp.c ++++ b/arch/csky/kernel/smp.c +@@ -156,6 +156,8 @@ volatile unsigned int secondary_hint; + volatile unsigned int secondary_ccr; + volatile unsigned int secondary_stack; + ++unsigned long secondary_msa1; ++ + int __cpu_up(unsigned int cpu, struct task_struct *tidle) + { + unsigned long 
mask = 1 << cpu; +@@ -164,6 +166,7 @@ int __cpu_up(unsigned int cpu, struct task_struct *tidle) + (unsigned int) task_stack_page(tidle) + THREAD_SIZE - 8; + secondary_hint = mfcr("cr31"); + secondary_ccr = mfcr("cr18"); ++ secondary_msa1 = read_mmu_msa1(); + + /* + * Because other CPUs are in reset status, we must flush data +-- +2.20.1 + diff --git a/queue-5.4/csky-fixup-get-wrong-psr-value-from-phyical-reg.patch b/queue-5.4/csky-fixup-get-wrong-psr-value-from-phyical-reg.patch new file mode 100644 index 00000000000..cff48d9245e --- /dev/null +++ b/queue-5.4/csky-fixup-get-wrong-psr-value-from-phyical-reg.patch 
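Review bot: The three-way branch added to csky_memblock_init() has no comment saying why `write_mmu_msa1(read_mmu_msa0() + SSEG_SIZE);` is issued only in the final else, although that is the substance of the fix. A short comment above the chain would stop a later cleanup from re-enabling SSEG1 for the 512MB–1GB case, for example `/* Enable MSA1 only when lowmem reaches LOWMEM_LIMIT; a partly backed SSEG1 leaves a gap the CPU can speculatively access. */`. The first branch is also the only one without braces while its siblings have them, and kernel style asks for braces on every branch in that case.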
@@ -0,0 +1,126 @@ +From d66cc94ef4a15009e78cddbeb42321131f06de69 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Mar 2020 23:45:52 +0800 +Subject: csky: Fixup get wrong psr value from phyical reg + +From: Guo Ren + +[ Upstream commit 9c0e343d7654a329d1f9b53d253cbf7fb6eff85d ] + +We should get psr value from regs->psr in stack, not directly get +it from phyiscal register then save the vector number in +tsk->trap_no. + +Signed-off-by: Guo Ren +Signed-off-by: Sasha Levin +--- + arch/csky/include/asm/processor.h | 1 + + arch/csky/kernel/traps.c | 11 ++++++++++- + arch/csky/mm/fault.c | 7 +++++++ + 3 files changed, 18 insertions(+), 1 deletion(-) + +diff --git a/arch/csky/include/asm/processor.h b/arch/csky/include/asm/processor.h +index 21e0bd5293dde..c6bcd7f7c720b 100644 +--- a/arch/csky/include/asm/processor.h ++++ b/arch/csky/include/asm/processor.h +@@ -43,6 +43,7 @@ extern struct cpuinfo_csky cpu_data[]; + struct thread_struct { + unsigned long ksp; /* kernel stack pointer */ + unsigned long sr; /* saved status register */ ++ unsigned long trap_no; /* saved status register */ + + /* FPU regs */ + struct user_fp __aligned(16) user_fp; +diff --git a/arch/csky/kernel/traps.c b/arch/csky/kernel/traps.c +index b057480e7463c..63715cb90ee99 100644 +--- a/arch/csky/kernel/traps.c ++++ b/arch/csky/kernel/traps.c +@@ -115,8 +115,9 @@ asmlinkage void trap_c(struct pt_regs *regs) + int sig; + unsigned long vector; + siginfo_t info; ++ struct task_struct *tsk = current; + +- vector = (mfcr("psr") >> 16) & 0xff; ++ vector = (regs->sr >> 16) & 0xff; + + switch (vector) { + case VEC_ZERODIV: +@@ -129,6 +130,7 @@ asmlinkage void trap_c(struct pt_regs *regs) + sig = SIGTRAP; + break; + case VEC_ILLEGAL: ++ tsk->thread.trap_no = vector; + die_if_kernel("Kernel mode ILLEGAL", regs, vector); + #ifndef CONFIG_CPU_NO_USER_BKPT + if (*(uint16_t *)instruction_pointer(regs) != USR_BKPT) +@@ -146,16 +148,20 @@ asmlinkage void trap_c(struct pt_regs *regs) + sig = SIGTRAP; + break; 
+ case VEC_ACCESS: ++ tsk->thread.trap_no = vector; + return buserr(regs); + #ifdef CONFIG_CPU_NEED_SOFTALIGN + case VEC_ALIGN: ++ tsk->thread.trap_no = vector; + return csky_alignment(regs); + #endif + #ifdef CONFIG_CPU_HAS_FPU + case VEC_FPE: ++ tsk->thread.trap_no = vector; + die_if_kernel("Kernel mode FPE", regs, vector); + return fpu_fpe(regs); + case VEC_PRIV: ++ tsk->thread.trap_no = vector; + die_if_kernel("Kernel mode PRIV", regs, vector); + if (fpu_libc_helper(regs)) + return; +@@ -164,5 +170,8 @@ asmlinkage void trap_c(struct pt_regs *regs) + sig = SIGSEGV; + break; + } ++ ++ tsk->thread.trap_no = vector; ++ + send_sig(sig, current, 0); + } +diff --git a/arch/csky/mm/fault.c b/arch/csky/mm/fault.c +index f76618b630f91..562c7f7087490 100644 +--- a/arch/csky/mm/fault.c ++++ b/arch/csky/mm/fault.c +@@ -179,11 +179,14 @@ asmlinkage void do_page_fault(struct pt_regs *regs, unsigned long write, + bad_area_nosemaphore: + /* User mode accesses just cause a SIGSEGV */ + if (user_mode(regs)) { ++ tsk->thread.trap_no = (regs->sr >> 16) & 0xff; + force_sig_fault(SIGSEGV, si_code, (void __user *)address); + return; + } + + no_context: ++ tsk->thread.trap_no = (regs->sr >> 16) & 0xff; ++ + /* Are we prepared to handle this kernel fault? */ + if (fixup_exception(regs)) + return; +@@ -198,6 +201,8 @@ asmlinkage void do_page_fault(struct pt_regs *regs, unsigned long write, + die_if_kernel("Oops", regs, write); + + out_of_memory: ++ tsk->thread.trap_no = (regs->sr >> 16) & 0xff; ++ + /* + * We ran out of memory, call the OOM killer, and return the userspace + * (which will retry the fault, or kill us if we got oom-killed). +@@ -206,6 +211,8 @@ asmlinkage void do_page_fault(struct pt_regs *regs, unsigned long write, + return; + + do_sigbus: ++ tsk->thread.trap_no = (regs->sr >> 16) & 0xff; ++ + up_read(&mm->mmap_sem); + + /* Kernel mode? Handle exceptions or die */ +-- +2.20.1 + 
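Review bot: The new thread_struct field in processor.h is declared as `unsigned long trap_no; /* saved status register */`, with a comment copied from the `sr` line above it. The value stored is the vector number, so it should read `unsigned long trap_no; /* saved exception vector number */`. The expression `(regs->sr >> 16) & 0xff` is also open-coded once in trap_c() and four times in do_page_fault(), so a small static inline helper taking `struct pt_regs *` would keep the shift and mask in one place. In trap_c() the assignment to `tsk->thread.trap_no` could be made once, right after `vector` is computed, instead of in every returning case plus the tail.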
diff --git a/queue-5.4/csky-fixup-init_fpu-compile-warning-with-__init.patch b/queue-5.4/csky-fixup-init_fpu-compile-warning-with-__init.patch
new file mode 100644
index 00000000000..48ffb0ce58a
--- /dev/null
+++ b/queue-5.4/csky-fixup-init_fpu-compile-warning-with-__init.patch
@@ -0,0 +1,73 @@ +From eaa231f30c5415130ee5c890f9f05cbeb5b04555 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Feb 2020 10:23:26 +0800 +Subject: csky: Fixup init_fpu compile warning with __init + +From: Guo Ren + +[ Upstream commit 12879bda3c2a974b7e4fe199a9c21f0c5f6bca04 ] + +WARNING: vmlinux.o(.text+0x2366): Section mismatch in reference from the +function csky_start_secondary() to the function .init.text:init_fpu() + +The function csky_start_secondary() references +the function __init init_fpu(). +This is often because csky_start_secondary lacks a __init +annotation or the annotation of init_fpu is wrong. + +Reported-by: Lu Chongzhi +Signed-off-by: Guo Ren +Signed-off-by: Sasha Levin +--- + arch/csky/abiv2/fpu.c | 5 ----- + arch/csky/abiv2/inc/abi/fpu.h | 3 ++- + arch/csky/kernel/smp.c | 3 +++ + 3 files changed, 5 insertions(+), 6 deletions(-) + +diff --git a/arch/csky/abiv2/fpu.c b/arch/csky/abiv2/fpu.c +index 86d187d4e5af1..5acc5c2e544e1 100644 +--- a/arch/csky/abiv2/fpu.c ++++ b/arch/csky/abiv2/fpu.c +@@ -10,11 +10,6 @@ + #define MTCR_DIST 0xC0006420 + #define MFCR_DIST 0xC0006020 + +-void __init init_fpu(void) +-{ +- mtcr("cr<1, 2>", 0); +-} +- + /* + * fpu_libc_helper() is to help libc to excute: + * - mfcr %a, cr<1, 2> +diff --git a/arch/csky/abiv2/inc/abi/fpu.h b/arch/csky/abiv2/inc/abi/fpu.h +index 22ca3cf2794a1..09e2700a36936 100644 +--- a/arch/csky/abiv2/inc/abi/fpu.h ++++ b/arch/csky/abiv2/inc/abi/fpu.h +@@ -9,7 +9,8 @@ + + int fpu_libc_helper(struct pt_regs *regs); + void fpu_fpe(struct pt_regs *regs); +-void __init init_fpu(void); ++ ++static inline void init_fpu(void) { mtcr("cr<1, 2>", 0); } + + void save_to_user_fp(struct user_fp *user_fp); + void restore_from_user_fp(struct user_fp *user_fp); +diff --git a/arch/csky/kernel/smp.c b/arch/csky/kernel/smp.c +index de61feb4b6df2..b5c5bc3afeb5c 100644 +--- a/arch/csky/kernel/smp.c ++++ b/arch/csky/kernel/smp.c +@@ -22,6 +22,9 @@ + #include + #include + #include ++#ifdef CONFIG_CPU_HAS_FPU 
++#include ++#endif + + struct ipi_data_struct { + unsigned long bits ____cacheline_aligned; +-- +2.20.1 + diff --git a/queue-5.4/dma-coherent-fix-integer-overflow-in-the-reserved-me.patch b/queue-5.4/dma-coherent-fix-integer-overflow-in-the-reserved-me.patch new file mode 100644 index 00000000000..8861e989c33 --- /dev/null +++ b/queue-5.4/dma-coherent-fix-integer-overflow-in-the-reserved-me.patch 
@@ -0,0 +1,84 @@ +From ab06fd81608a4bf24977ba9cf9cb0df219634133 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2020 15:41:45 +0000 +Subject: dma-coherent: fix integer overflow in the reserved-memory dma + allocation + +From: Kevin Grandemange + +[ Upstream commit 286c21de32b904131f8cf6a36ce40b8b0c9c5da3 ] + +pageno is an int and the PAGE_SHIFT shift is done on an int, +overflowing if the memory is bigger than 2G + +This can be reproduced using for example a reserved-memory of 4G + +reserved-memory { + #address-cells = <2>; + #size-cells = <2>; + ranges; + + reserved_dma: buffer@0 { + compatible = "shared-dma-pool"; + no-map; + reg = <0x5 0x00000000 0x1 0x0>; + }; +}; + +Signed-off-by: Kevin Grandemange +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + kernel/dma/coherent.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/kernel/dma/coherent.c b/kernel/dma/coherent.c +index 551b0eb7028a3..2a0c4985f38e4 100644 +--- a/kernel/dma/coherent.c ++++ b/kernel/dma/coherent.c +@@ -134,7 +134,7 @@ static void *__dma_alloc_from_coherent(struct device *dev, + + spin_lock_irqsave(&mem->spinlock, flags); + +- if (unlikely(size > (mem->size << PAGE_SHIFT))) ++ if (unlikely(size > ((dma_addr_t)mem->size << PAGE_SHIFT))) + goto err; + + pageno = bitmap_find_free_region(mem->bitmap, mem->size, order); +@@ -144,8 +144,9 @@ static void *__dma_alloc_from_coherent(struct device *dev, + /* + * Memory was found in the coherent area. 
+ */ +- *dma_handle = dma_get_device_base(dev, mem) + (pageno << PAGE_SHIFT); +- ret = mem->virt_base + (pageno << PAGE_SHIFT); ++ *dma_handle = dma_get_device_base(dev, mem) + ++ ((dma_addr_t)pageno << PAGE_SHIFT); ++ ret = mem->virt_base + ((dma_addr_t)pageno << PAGE_SHIFT); + spin_unlock_irqrestore(&mem->spinlock, flags); + memset(ret, 0, size); + return ret; +@@ -194,7 +195,7 @@ static int __dma_release_from_coherent(struct dma_coherent_mem *mem, + int order, void *vaddr) + { + if (mem && vaddr >= mem->virt_base && vaddr < +- (mem->virt_base + (mem->size << PAGE_SHIFT))) { ++ (mem->virt_base + ((dma_addr_t)mem->size << PAGE_SHIFT))) { + int page = (vaddr - mem->virt_base) >> PAGE_SHIFT; + unsigned long flags; + +@@ -238,10 +239,10 @@ static int __dma_mmap_from_coherent(struct dma_coherent_mem *mem, + struct vm_area_struct *vma, void *vaddr, size_t size, int *ret) + { + if (mem && vaddr >= mem->virt_base && vaddr + size <= +- (mem->virt_base + (mem->size << PAGE_SHIFT))) { ++ (mem->virt_base + ((dma_addr_t)mem->size << PAGE_SHIFT))) { + unsigned long off = vma->vm_pgoff; + int start = (vaddr - mem->virt_base) >> PAGE_SHIFT; +- int user_count = vma_pages(vma); ++ unsigned long user_count = vma_pages(vma); + int count = PAGE_ALIGN(size) >> PAGE_SHIFT; + + *ret = -ENXIO; +-- +2.20.1 + diff --git a/queue-5.4/drm-amdkfd-kfree-the-wrong-pointer.patch b/queue-5.4/drm-amdkfd-kfree-the-wrong-pointer.patch new file mode 100644 index 00000000000..4fb825e1cee --- /dev/null +++ b/queue-5.4/drm-amdkfd-kfree-the-wrong-pointer.patch 
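Review bot: The widening cast is `dma_addr_t` even where the result is added to a CPU virtual address, as in `ret = mem->virt_base + ((dma_addr_t)pageno << PAGE_SHIFT);` and the two `mem->virt_base + ((dma_addr_t)mem->size << PAGE_SHIFT)` bounds checks. `dma_addr_t` describes device addresses and its width depends on configuration, so `(unsigned long)` or `(size_t)` states the intent better for pointer offsets. The cast is now repeated at five sites, which leaves the overflow fix dependent on every future shift remembering it. A single helper that converts a page count to bytes would remove that risk. In __dma_mmap_from_coherent() `user_count` became `unsigned long` but `start` and `count` beside it stay `int`; the comparisons that use them are outside the hunk, so the remaining mixed-width arithmetic should be checked there.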
@@ -0,0 +1,39 @@ +From 62173a3d7abfb912c02b3002de9dfd02463ac10b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Apr 2020 20:06:58 +0800 +Subject: drm/amdkfd: kfree the wrong pointer + +From: Jack Zhang + +[ Upstream commit 3148a6a0ef3cf93570f30a477292768f7eb5d3c3 ] + +Originally, it kfrees the wrong pointer for mem_obj. +It would cause memory leak under stress test. + +Signed-off-by: Jack Zhang +Acked-by: Nirmoy Das +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdkfd/kfd_device.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device.c b/drivers/gpu/drm/amd/amdkfd/kfd_device.c +index 0dc1084b5e829..ad9483b9eea32 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_device.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_device.c +@@ -1112,9 +1112,9 @@ int kfd_gtt_sa_allocate(struct kfd_dev *kfd, unsigned int size, + return 0; + + kfd_gtt_no_free_chunk: +- pr_debug("Allocation failed with mem_obj = %p\n", mem_obj); ++ pr_debug("Allocation failed with mem_obj = %p\n", *mem_obj); + mutex_unlock(&kfd->gtt_sa_lock); +- kfree(mem_obj); ++ kfree(*mem_obj); + return -ENOMEM; + } + +-- +2.20.1 + diff --git a/queue-5.4/drm-nouveau-gr-gp107-gp108-implement-workaround-for-.patch b/queue-5.4/drm-nouveau-gr-gp107-gp108-implement-workaround-for-.patch new file mode 100644 index 00000000000..edfb11c0dce --- /dev/null +++ b/queue-5.4/drm-nouveau-gr-gp107-gp108-implement-workaround-for-.patch 
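Review bot: On the kfd_gtt_no_free_chunk path `kfree(*mem_obj);` frees the object but leaves the caller's pointer holding the freed address. Adding `*mem_obj = NULL;` right after it keeps a caller that mishandles -ENOMEM from dereferencing or freeing the object a second time. The rest of kfd_gtt_sa_allocate(), including where `*mem_obj` is allocated, is outside the hunk, so whether any caller reads the pointer after a failure cannot be confirmed from here.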
@@ -0,0 +1,73 @@ +From efde57bbcc4d673b62b681d394c8b8d99245354f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Mar 2020 16:08:44 +1000 +Subject: drm/nouveau/gr/gp107,gp108: implement workaround for HW hanging + during init + +From: Ben Skeggs + +[ Upstream commit 028a12f5aa829b4ba6ac011530b815eda4960e89 ] + +Certain boards with GP107/GP108 chipsets hang (often, but randomly) for +unknown reasons during GR initialisation. + +The first tell-tale symptom of this issue is: + +nouveau 0000:01:00.0: bus: MMIO read of 00000000 FAULT at 409800 [ TIMEOUT ] + +appearing in dmesg, likely followed by many other failures being logged. + +Karol found this WAR for the issue a while back, but efforts to isolate +the root cause and proper fix have not yielded success so far. I've +modified the original patch to include a few more details, limit it to +GP107/GP108 by default, and added a config option to override this choice. + +Signed-off-by: Ben Skeggs +Reviewed-by: Karol Herbst +Signed-off-by: Sasha Levin +--- + .../gpu/drm/nouveau/nvkm/engine/gr/gf100.c | 26 +++++++++++++++++++ + 1 file changed, 26 insertions(+) + +diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/gr/gf100.c b/drivers/gpu/drm/nouveau/nvkm/engine/gr/gf100.c +index c578deb5867a8..c71606a45d1de 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/engine/gr/gf100.c ++++ b/drivers/gpu/drm/nouveau/nvkm/engine/gr/gf100.c +@@ -1988,8 +1988,34 @@ gf100_gr_init_(struct nvkm_gr *base) + { + struct gf100_gr *gr = gf100_gr(base); + struct nvkm_subdev *subdev = &base->engine.subdev; ++ struct nvkm_device *device = subdev->device; ++ bool reset = device->chipset == 0x137 || device->chipset == 0x138; + u32 ret; + ++ /* On certain GP107/GP108 boards, we trigger a weird issue where ++ * GR will stop responding to PRI accesses after we've asked the ++ * SEC2 RTOS to boot the GR falcons. This happens with far more ++ * frequency when cold-booting a board (ie. returning from D3). 
++ * ++ * The root cause for this is not known and has proven difficult ++ * to isolate, with many avenues being dead-ends. ++ * ++ * A workaround was discovered by Karol, whereby putting GR into ++ * reset for an extended period right before initialisation ++ * prevents the problem from occuring. ++ * ++ * XXX: As RM does not require any such workaround, this is more ++ * of a hack than a true fix. ++ */ ++ reset = nvkm_boolopt(device->cfgopt, "NvGrResetWar", reset); ++ if (reset) { ++ nvkm_mask(device, 0x000200, 0x00001000, 0x00000000); ++ nvkm_rd32(device, 0x000200); ++ msleep(50); ++ nvkm_mask(device, 0x000200, 0x00001000, 0x00001000); ++ nvkm_rd32(device, 0x000200); ++ } ++ + nvkm_pmu_pgob(gr->base.engine.subdev.device->pmu, false); + + ret = nvkm_falcon_get(gr->fecs.falcon, subdev); +-- +2.20.1 + diff --git a/queue-5.4/drm-nouveau-svm-check-for-svm-initialized-before-mig.patch b/queue-5.4/drm-nouveau-svm-check-for-svm-initialized-before-mig.patch new file mode 100644 index 00000000000..2bff3fa1f31 --- /dev/null +++ b/queue-5.4/drm-nouveau-svm-check-for-svm-initialized-before-mig.patch 
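Review bot: The reset sequence added to gf100_gr_init_() uses bare constants (`0x000200`, `0x00001000`, `msleep(50)`), and the long comment describes the symptom but not what these accesses do. A one-line comment on the first nvkm_mask() should name the register and bit being cleared; it looks like the GR enable bit in the master enable register, to be confirmed. The comment should also say that each `nvkm_rd32(device, 0x000200);` is presumably a read-back to flush the preceding write. The 50 ms delay deserves a note on whether it was measured or chosen conservatively, since the option `NvGrResetWar` lets users force this path on other chipsets.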
@@ -0,0 +1,40 @@ +From cb0a7221244b2b8ebcda755979e402ea79d83fcc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Mar 2020 16:13:37 -0800 +Subject: drm/nouveau/svm: check for SVM initialized before migrating + +From: Ralph Campbell + +[ Upstream commit 822cab6150d3002952407a8297ff5a0d32bb7b54 ] + +When migrating system memory to GPU memory, check that SVM has been +enabled. Even though most errors can be ignored since migration is +a performance optimization, return an error because this is a violation +of the API. + +Signed-off-by: Ralph Campbell +Signed-off-by: Ben Skeggs +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/nouveau/nouveau_svm.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/gpu/drm/nouveau/nouveau_svm.c b/drivers/gpu/drm/nouveau/nouveau_svm.c +index 668d4bd0c118f..25b7055949c45 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_svm.c ++++ b/drivers/gpu/drm/nouveau/nouveau_svm.c +@@ -173,6 +173,11 @@ nouveau_svmm_bind(struct drm_device *dev, void *data, + mm = get_task_mm(current); + down_read(&mm->mmap_sem); + ++ if (!cli->svm.svmm) { ++ up_read(&mm->mmap_sem); ++ return -EINVAL; ++ } ++ + for (addr = args->va_start, end = args->va_start + size; addr < end;) { + struct vm_area_struct *vma; + unsigned long next; +-- +2.20.1 + diff --git a/queue-5.4/drm-nouveau-svm-fix-vma-range-check-for-migration.patch b/queue-5.4/drm-nouveau-svm-fix-vma-range-check-for-migration.patch new file mode 100644 index 00000000000..d0f7cb62ca7 --- /dev/null +++ b/queue-5.4/drm-nouveau-svm-fix-vma-range-check-for-migration.patch 
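Review bot: The early return added in nouveau_svmm_bind() for `!cli->svm.svmm` releases `mmap_sem` but not the reference taken by `get_task_mm(current)` two lines above. Each rejected call would then leak an mm reference, assuming the normal exit path pairs the get with `mmput()` (the end of the function is outside the hunk). The check does not depend on the mm at all, so the simplest fix is to move it ahead of `mm = get_task_mm(current);` as `if (!cli->svm.svmm) return -EINVAL;`; otherwise add `mmput(mm);` after `up_read(&mm->mmap_sem);` in the new branch. The handler signature (`struct drm_device *dev, void *data, ...`) suggests it is reachable from an ioctl, so an unbalanced reference on an error path that user space can trigger repeatedly is worth closing.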
@@ -0,0 +1,40 @@ +From 11c0ca4f5d040ee1bfafc41d2ab781631885e466 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Mar 2020 16:13:36 -0800 +Subject: drm/nouveau/svm: fix vma range check for migration + +From: Ralph Campbell + +[ Upstream commit b92103b559c77abc5f8b7bec269230a219c880b7 ] + +find_vma_intersection(mm, start, end) only guarantees that end is greater +than or equal to vma->vm_start but doesn't guarantee that start is +greater than or equal to vma->vm_start. The calculation for the +intersecting range in nouveau_svmm_bind() isn't accounting for this and +can call migrate_vma_setup() with a starting address less than +vma->vm_start. This results in migrate_vma_setup() returning -EINVAL for +the range instead of nouveau skipping that part of the range and migrating +the rest. + +Signed-off-by: Ralph Campbell +Signed-off-by: Ben Skeggs +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/nouveau/nouveau_svm.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/nouveau/nouveau_svm.c b/drivers/gpu/drm/nouveau/nouveau_svm.c +index 25b7055949c45..824654742a604 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_svm.c ++++ b/drivers/gpu/drm/nouveau/nouveau_svm.c +@@ -186,6 +186,7 @@ nouveau_svmm_bind(struct drm_device *dev, void *data, + if (!vma) + break; + ++ addr = max(addr, vma->vm_start); + next = min(vma->vm_end, end); + /* This is a best effort so we ignore errors */ + nouveau_dmem_migrate_vma(cli->drm, vma, addr, next); +-- +2.20.1 + diff --git a/queue-5.4/drm-nouveau-workaround-runpm-fail-by-disabling-pci-p.patch b/queue-5.4/drm-nouveau-workaround-runpm-fail-by-disabling-pci-p.patch new file mode 100644 index 00000000000..5a64115701f --- /dev/null +++ b/queue-5.4/drm-nouveau-workaround-runpm-fail-by-disabling-pci-p.patch 
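Review bot: The clamp `addr = max(addr, vma->vm_start);` added to the loop in nouveau_svmm_bind() has no comment, and the reason for it is not obvious from the loop alone. I would put `/* find_vma_intersection() can return a vma that starts above addr; skip the unmapped gap */` above it. How `addr` advances after the migrate call is outside the hunk, so the comment should stay limited to the clamp itself.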
@@ -0,0 +1,146 @@ +From 62e46280aafbd7711962626655ee760d686c25d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Mar 2020 21:29:23 +0100 +Subject: drm/nouveau: workaround runpm fail by disabling PCI power management + on certain intel bridges + +From: Karol Herbst + +[ Upstream commit 434fdb51513bf3057ac144d152e6f2f2b509e857 ] + +Fixes the infamous 'runtime PM' bug many users are facing on Laptops with +Nvidia Pascal GPUs by skipping said PCI power state changes on the GPU. + +Depending on the used kernel there might be messages like those in demsg: + +"nouveau 0000:01:00.0: Refused to change power state, currently in D3" +"nouveau 0000:01:00.0: can't change power state from D3cold to D0 (config +space inaccessible)" +followed by backtraces of kernel crashes or timeouts within nouveau. + +It's still unkown why this issue exists, but this is a reliable workaround +and solves a very annoying issue for user having to choose between a +crashing kernel or higher power consumption of their Laptops. + +Signed-off-by: Karol Herbst +Cc: Bjorn Helgaas +Cc: Lyude Paul +Cc: Rafael J. Wysocki +Cc: Mika Westerberg +Cc: linux-pci@vger.kernel.org +Cc: linux-pm@vger.kernel.org +Cc: dri-devel@lists.freedesktop.org +Cc: nouveau@lists.freedesktop.org +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=205623 +Signed-off-by: Ben Skeggs +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/nouveau/nouveau_drm.c | 63 +++++++++++++++++++++++++++ + drivers/gpu/drm/nouveau/nouveau_drv.h | 2 + + 2 files changed, 65 insertions(+) + +diff --git a/drivers/gpu/drm/nouveau/nouveau_drm.c b/drivers/gpu/drm/nouveau/nouveau_drm.c +index 2cd83849600f3..b1beed40e746a 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_drm.c ++++ b/drivers/gpu/drm/nouveau/nouveau_drm.c +@@ -618,6 +618,64 @@ nouveau_drm_device_fini(struct drm_device *dev) + kfree(drm); + } + ++/* ++ * On some Intel PCIe bridge controllers doing a ++ * D0 -> D3hot -> D3cold -> D0 sequence causes Nvidia GPUs to not reappear. 
++ * Skipping the intermediate D3hot step seems to make it work again. This is ++ * probably caused by not meeting the expectation the involved AML code has ++ * when the GPU is put into D3hot state before invoking it. ++ * ++ * This leads to various manifestations of this issue: ++ * - AML code execution to power on the GPU hits an infinite loop (as the ++ * code waits on device memory to change). ++ * - kernel crashes, as all PCI reads return -1, which most code isn't able ++ * to handle well enough. ++ * ++ * In all cases dmesg will contain at least one line like this: ++ * 'nouveau 0000:01:00.0: Refused to change power state, currently in D3' ++ * followed by a lot of nouveau timeouts. ++ * ++ * In the \_SB.PCI0.PEG0.PG00._OFF code deeper down writes bit 0x80 to the not ++ * documented PCI config space register 0x248 of the Intel PCIe bridge ++ * controller (0x1901) in order to change the state of the PCIe link between ++ * the PCIe port and the GPU. There are alternative code paths using other ++ * registers, which seem to work fine (executed pre Windows 8): ++ * - 0xbc bit 0x20 (publicly available documentation claims 'reserved') ++ * - 0xb0 bit 0x10 (link disable) ++ * Changing the conditions inside the firmware by poking into the relevant ++ * addresses does resolve the issue, but it seemed to be ACPI private memory ++ * and not any device accessible memory at all, so there is no portable way of ++ * changing the conditions. ++ * On a XPS 9560 that means bits [0,3] on \CPEX need to be cleared. ++ * ++ * The only systems where this behavior can be seen are hybrid graphics laptops ++ * with a secondary Nvidia Maxwell, Pascal or Turing GPU. It's unclear whether ++ * this issue only occurs in combination with listed Intel PCIe bridge ++ * controllers and the mentioned GPUs or other devices as well. 
++ * ++ * documentation on the PCIe bridge controller can be found in the ++ * "7th Generation Intel® Processor Families for H Platforms Datasheet Volume 2" ++ * Section "12 PCI Express* Controller (x16) Registers" ++ */ ++ ++static void quirk_broken_nv_runpm(struct pci_dev *pdev) ++{ ++ struct drm_device *dev = pci_get_drvdata(pdev); ++ struct nouveau_drm *drm = nouveau_drm(dev); ++ struct pci_dev *bridge = pci_upstream_bridge(pdev); ++ ++ if (!bridge || bridge->vendor != PCI_VENDOR_ID_INTEL) ++ return; ++ ++ switch (bridge->device) { ++ case 0x1901: ++ drm->old_pm_cap = pdev->pm_cap; ++ pdev->pm_cap = 0; ++ NV_INFO(drm, "Disabling PCI power management to avoid bug\n"); ++ break; ++ } ++} ++ + static int nouveau_drm_probe(struct pci_dev *pdev, + const struct pci_device_id *pent) + { +@@ -699,6 +757,7 @@ static int nouveau_drm_probe(struct pci_dev *pdev, + if (ret) + goto fail_drm_dev_init; + ++ quirk_broken_nv_runpm(pdev); + return 0; + + fail_drm_dev_init: +@@ -736,7 +795,11 @@ static void + nouveau_drm_remove(struct pci_dev *pdev) + { + struct drm_device *dev = pci_get_drvdata(pdev); ++ struct nouveau_drm *drm = nouveau_drm(dev); + ++ /* revert our workaround */ ++ if (drm->old_pm_cap) ++ pdev->pm_cap = drm->old_pm_cap; + nouveau_drm_device_remove(dev); + } + +diff --git a/drivers/gpu/drm/nouveau/nouveau_drv.h b/drivers/gpu/drm/nouveau/nouveau_drv.h +index 70f34cacc552c..8104e3806499d 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_drv.h ++++ b/drivers/gpu/drm/nouveau/nouveau_drv.h +@@ -138,6 +138,8 @@ struct nouveau_drm { + + struct list_head clients; + ++ u8 old_pm_cap; ++ + struct { + struct agp_bridge_data *bridge; + u32 base; +-- +2.20.1 + diff --git a/queue-5.4/drm-ttm-flush-the-fence-on-the-bo-after-we-individua.patch b/queue-5.4/drm-ttm-flush-the-fence-on-the-bo-after-we-individua.patch new file mode 100644 index 00000000000..6bddb3814c7 --- /dev/null +++ b/queue-5.4/drm-ttm-flush-the-fence-on-the-bo-after-we-individua.patch 
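Review bot: In quirk_broken_nv_runpm() the bridge is matched by the bare device ID `0x1901` in a one-case `switch` with no `default`, and the NV_INFO line does not say which bridge triggered the quirk. A trailing comment such as `case 0x1901: /* Intel PCIe x16 controller, see block comment above */` plus `default: break;` would make the list easier to extend, and adding the bridge ID to the log text would let affected systems be identified from dmesg. The restore in nouveau_drm_remove() tests `drm->old_pm_cap` for non-zero, which is only correct while the quirk is never applied to a device whose `pm_cap` was already 0; a one-line comment stating that assumption would help. Since the driver overwrites `pdev->pm_cap`, which looks like state owned by the PCI core, the block comment should also say plainly that PCI power management stays off for the GPU for as long as the driver is bound.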
@@ -0,0 +1,51 @@ +From 21954fa65dc5e128c2aaaccad6e3f00123dc9370 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Jan 2020 14:07:45 +0800 +Subject: drm/ttm: flush the fence on the bo after we individualize the + reservation object +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: xinhui pan + +[ Upstream commit 1bbcf69e42fe7fd49b6f4339c970729d0e343753 ] + +As we move the ttm_bo_individualize_resv() upwards, we need flush the +copied fence too. Otherwise the driver keeps waiting for fence. + +run&Kill kfdtest, then perf top. + + 25.53% [ttm] [k] ttm_bo_delayed_delete + 24.29% [kernel] [k] dma_resv_test_signaled_rcu + 19.72% [kernel] [k] ww_mutex_lock + +Fix: 378e2d5b("drm/ttm: fix ttm_bo_cleanup_refs_or_queue once more") +Signed-off-by: xinhui pan +Reviewed-by: Christian König +Link: https://patchwork.freedesktop.org/series/72339/ +Signed-off-by: Christian König +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/ttm/ttm_bo.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/ttm/ttm_bo.c b/drivers/gpu/drm/ttm/ttm_bo.c +index f078036998092..abf165b2f64fc 100644 +--- a/drivers/gpu/drm/ttm/ttm_bo.c ++++ b/drivers/gpu/drm/ttm/ttm_bo.c +@@ -517,8 +517,10 @@ static void ttm_bo_cleanup_refs_or_queue(struct ttm_buffer_object *bo) + + dma_resv_unlock(bo->base.resv); + } +- if (bo->base.resv != &bo->base._resv) ++ if (bo->base.resv != &bo->base._resv) { ++ ttm_bo_flush_all_fences(bo); + dma_resv_unlock(&bo->base._resv); ++ } + + error: + kref_get(&bo->list_kref); +-- +2.20.1 + diff --git a/queue-5.4/drm-vc4-fix-hdmi-mode-validation.patch b/queue-5.4/drm-vc4-fix-hdmi-mode-validation.patch new file mode 100644 index 00000000000..48379c346a1 --- /dev/null +++ b/queue-5.4/drm-vc4-fix-hdmi-mode-validation.patch 
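Review bot: The new `ttm_bo_flush_all_fences(bo);` call in ttm_bo_cleanup_refs_or_queue() carries no comment, and nothing in the surrounding lines says why the fences have to be flushed at this point. Going by the commit message, something like `/* fences were copied to _resv; flush them too or delayed delete keeps waiting on them */` above the call would record the reason. The helper's body is not visible here, so it would also be worth stating whether it relies on `_resv` still being locked, given that it is called just before `dma_resv_unlock(&bo->base._resv)`.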
@@ -0,0 +1,61 @@ +From c9ab5850e09fda013daa70df64ce3d286ec4695f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Mar 2020 13:20:01 +0100 +Subject: drm/vc4: Fix HDMI mode validation + +From: Nicolas Saenz Julienne + +[ Upstream commit b1e7396a1d0e6af6806337fdaaa44098d6b3343c ] + +Current mode validation impedes setting up some video modes which should +be supported otherwise. Namely 1920x1200@60Hz. + +Fix this by lowering the minimum HDMI state machine clock to pixel clock +ratio allowed. + +Fixes: 32e823c63e90 ("drm/vc4: Reject HDMI modes with too high of clocks.") +Reported-by: Stefan Wahren +Suggested-by: Dave Stevenson +Signed-off-by: Nicolas Saenz Julienne +Signed-off-by: Maxime Ripard +Link: https://patchwork.freedesktop.org/patch/msgid/20200326122001.22215-1-nsaenzjulienne@suse.de +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_hdmi.c | 20 ++++++++++++++++---- + 1 file changed, 16 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/vc4/vc4_hdmi.c b/drivers/gpu/drm/vc4/vc4_hdmi.c +index 0853b980bcb31..d5f5ba4105241 100644 +--- a/drivers/gpu/drm/vc4/vc4_hdmi.c ++++ b/drivers/gpu/drm/vc4/vc4_hdmi.c +@@ -681,11 +681,23 @@ static enum drm_mode_status + vc4_hdmi_encoder_mode_valid(struct drm_encoder *crtc, + const struct drm_display_mode *mode) + { +- /* HSM clock must be 108% of the pixel clock. Additionally, +- * the AXI clock needs to be at least 25% of pixel clock, but +- * HSM ends up being the limiting factor. ++ /* ++ * As stated in RPi's vc4 firmware "HDMI state machine (HSM) clock must ++ * be faster than pixel clock, infinitesimally faster, tested in ++ * simulation. Otherwise, exact value is unimportant for HDMI ++ * operation." This conflicts with bcm2835's vc4 documentation, which ++ * states HSM's clock has to be at least 108% of the pixel clock. ++ * ++ * Real life tests reveal that vc4's firmware statement holds up, and ++ * users are able to use pixel clocks closer to HSM's, namely for ++ * 1920x1200@60Hz. 
So it was decided to have leave a 1% margin between ++ * both clocks. Which, for RPi0-3 implies a maximum pixel clock of ++ * 162MHz. ++ * ++ * Additionally, the AXI clock needs to be at least 25% of ++ * pixel clock, but HSM ends up being the limiting factor. + */ +- if (mode->clock > HSM_CLOCK_FREQ / (1000 * 108 / 100)) ++ if (mode->clock > HSM_CLOCK_FREQ / (1000 * 101 / 100)) + return MODE_CLOCK_HIGH; + + return MODE_OK; +-- +2.20.1 + diff --git a/queue-5.4/ext2-fix-debug-reference-to-ext2_xattr_cache.patch b/queue-5.4/ext2-fix-debug-reference-to-ext2_xattr_cache.patch new file mode 100644 index 00000000000..44da1eeb95f --- /dev/null +++ b/queue-5.4/ext2-fix-debug-reference-to-ext2_xattr_cache.patch 
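Review bot: The rewritten comment in vc4_hdmi_encoder_mode_valid() has a wording slip, "So it was decided to have leave a 1% margin", which should read `So it was decided to leave a 1% margin`. The limit itself is still spelled `HSM_CLOCK_FREQ / (1000 * 101 / 100)`, which gives the intended ratio only because `1000 * 101` divides evenly by 100 in integer arithmetic. A named constant for the margin, or a short remark that `mode->clock` is in kHz and the divisor is therefore 1010, would make the check easier to verify the next time the margin is tuned.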
@@ -0,0 +1,51 @@ +From 4ddcdccdff6d55ecb41abe44ce54e52af802d93c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Mar 2020 12:40:02 +0100 +Subject: ext2: fix debug reference to ext2_xattr_cache +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jan Kara + +[ Upstream commit 32302085a8d90859c40cf1a5e8313f575d06ec75 ] + +Fix a debug-only build error in ext2/xattr.c: + +When building without extra debugging, (and with another patch that uses +no_printk() instead of for the ext2-xattr debug-print macros, +this build error happens: + +../fs/ext2/xattr.c: In function ‘ext2_xattr_cache_insert’: +../fs/ext2/xattr.c:869:18: error: ‘ext2_xattr_cache’ undeclared (first use in +this function); did you mean ‘ext2_xattr_list’? + atomic_read(&ext2_xattr_cache->c_entry_count)); + +Fix the problem by removing cached entry count from the debug message +since otherwise we'd have to export the mbcache structure just for that. + +Fixes: be0726d33cb8 ("ext2: convert to mbcache2") +Reported-by: Randy Dunlap +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/ext2/xattr.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/fs/ext2/xattr.c b/fs/ext2/xattr.c +index b91f99d9482e9..62acbe27d8bf4 100644 +--- a/fs/ext2/xattr.c ++++ b/fs/ext2/xattr.c +@@ -865,8 +865,7 @@ ext2_xattr_cache_insert(struct mb_cache *cache, struct buffer_head *bh) + true); + if (error) { + if (error == -EBUSY) { +- ea_bdebug(bh, "already in cache (%d cache entries)", +- atomic_read(&ext2_xattr_cache->c_entry_count)); ++ ea_bdebug(bh, "already in cache"); + error = 0; + } + } else +-- +2.20.1 + diff --git a/queue-5.4/ext2-fix-empty-body-warnings-when-wextra-is-used.patch b/queue-5.4/ext2-fix-empty-body-warnings-when-wextra-is-used.patch new file mode 100644 index 00000000000..7e273dc3094 --- /dev/null +++ b/queue-5.4/ext2-fix-empty-body-warnings-when-wextra-is-used.patch 
@@ -0,0 +1,60 @@ +From b4e613b49e8a1d910f63b4150e9549fc45718803 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 22 Mar 2020 19:45:41 -0700 +Subject: ext2: fix empty body warnings when -Wextra is used +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Randy Dunlap + +[ Upstream commit 44a52022e7f15cbaab957df1c14f7a4f527ef7cf ] + +When EXT2_ATTR_DEBUG is not defined, modify the 2 debug macros +to use the no_printk() macro instead of . +This fixes gcc warnings when -Wextra is used: + +../fs/ext2/xattr.c:252:42: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body] +../fs/ext2/xattr.c:258:42: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body] +../fs/ext2/xattr.c:330:42: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body] +../fs/ext2/xattr.c:872:45: warning: suggest braces around empty body in an ‘else’ statement [-Wempty-body] + +I have verified that the only object code change (with gcc 7.5.0) is +the reversal of some instructions from 'cmp a,b' to 'cmp b,a'. + +Link: https://lore.kernel.org/r/e18a7395-61fb-2093-18e8-ed4f8cf56248@infradead.org +Signed-off-by: Randy Dunlap +Cc: Jan Kara +Cc: linux-ext4@vger.kernel.org +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/ext2/xattr.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/fs/ext2/xattr.c b/fs/ext2/xattr.c +index 0456bc990b5ee..b91f99d9482e9 100644 +--- a/fs/ext2/xattr.c ++++ b/fs/ext2/xattr.c +@@ -56,6 +56,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -84,8 +85,8 @@ + printk("\n"); \ + } while (0) + #else +-# define ea_idebug(f...) +-# define ea_bdebug(f...) ++# define ea_idebug(inode, f...) no_printk(f) ++# define ea_bdebug(bh, f...) no_printk(f) + #endif + + static int ext2_xattr_set2(struct inode *, struct buffer_head *, +-- +2.20.1 + 
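Review bot: With `no_printk(f)` the arguments of `ea_idebug()` and `ea_bdebug()` are now compiled in non-debug builds, so any call site that previously built only under the debug define starts failing. The companion patch in this queue, ext2-fix-debug-reference-to-ext2_xattr_cache.patch, shows exactly that (`ext2_xattr_cache` undeclared at xattr.c:869), and its index line `b91f99d9482e9..62acbe27d8bf4` applies on top of this one. The two patches need to stay together so the tree builds once both are applied; the series file is not visible here, so that should be checked. The new definitions also drop the `inode` and `bh` arguments, which deserves a comment saying they are deliberately left unevaluated.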
diff --git a/queue-5.4/ext4-do-not-commit-super-on-read-only-bdev.patch b/queue-5.4/ext4-do-not-commit-super-on-read-only-bdev.patch new file mode 100644 index 00000000000..f8f2858a914 --- /dev/null +++ b/queue-5.4/ext4-do-not-commit-super-on-read-only-bdev.patch @@ -0,0 +1,50 @@ +From e993539ab646138dd58fa842680df54f4b7591ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Mar 2020 14:19:38 -0500 +Subject: ext4: do not commit super on read-only bdev + +From: Eric Sandeen + +[ Upstream commit c96e2b8564adfb8ac14469ebc51ddc1bfecb3ae2 ] + +Under some circumstances we may encounter a filesystem error on a +read-only block device, and if we try to save the error info to the +superblock and commit it, we'll wind up with a noisy error and +backtrace, i.e.: + +[ 3337.146838] EXT4-fs error (device pmem1p2): ext4_get_journal_inode:4634: comm mount: inode #0: comm mount: iget: illegal inode # +------------[ cut here ]------------ +generic_make_request: Trying to write to read-only block-device pmem1p2 (partno 2) +WARNING: CPU: 107 PID: 115347 at block/blk-core.c:788 generic_make_request_checks+0x6b4/0x7d0 +... + +To avoid this, commit the error info in the superblock only if the +block device is writable. + +Reported-by: Ritesh Harjani +Signed-off-by: Eric Sandeen +Reviewed-by: Andreas Dilger +Link: https://lore.kernel.org/r/4b6e774d-cc00-3469-7abb-108eb151071a@sandeen.net +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/super.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index 8f7a46d3abffb..53d4c67a20df9 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -389,7 +389,8 @@ static void save_error_info(struct super_block *sb, const char *func, + unsigned int line) + { + __save_error_info(sb, func, line); +- ext4_commit_super(sb, 1); ++ if (!bdev_read_only(sb->s_bdev)) ++ ext4_commit_super(sb, 1); + } + + /* +-- +2.20.1 + 
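Review bot: The new `if (!bdev_read_only(sb->s_bdev))` guard in save_error_info() skips the superblock commit silently, and there is no comment saying so. I would add `/* a read-only bdev rejects the write with a WARN; record the error but do not try to commit it */` above the test, so a reader does not assume the error info always reaches disk. It may also be worth checking whether other error-path callers of `ext4_commit_super()` need the same guard; none are visible in this hunk.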
diff --git a/queue-5.4/f2fs-add-a-new-cp-flag-to-help-fsck-fix-resize-spo-i.patch b/queue-5.4/f2fs-add-a-new-cp-flag-to-help-fsck-fix-resize-spo-i.patch new file mode 100644 index 00000000000..8560cbcb795 --- /dev/null +++ b/queue-5.4/f2fs-add-a-new-cp-flag-to-help-fsck-fix-resize-spo-i.patch 
@@ -0,0 +1,64 @@ +From c39b573b3e12020404b3826454d5603772801119 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Mar 2020 19:59:26 +0530 +Subject: f2fs: Add a new CP flag to help fsck fix resize SPO issues + +From: Sahitya Tummala + +[ Upstream commit c84ef3c5e65ccf99a7a91a4d731ebb5d6331a178 ] + +Add and set a new CP flag CP_RESIZEFS_FLAG during +online resize FS to help fsck fix the metadata mismatch +that may happen due to SPO during resize, where SB +got updated but CP data couldn't be written yet. + +fsck errors - +Info: CKPT version = 6ed7bccb + Wrong user_block_count(2233856) +[f2fs_do_mount:3365] Checkpoint is polluted + +Signed-off-by: Sahitya Tummala +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/checkpoint.c | 8 ++++++-- + include/linux/f2fs_fs.h | 1 + + 2 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/fs/f2fs/checkpoint.c b/fs/f2fs/checkpoint.c +index 410f5c2c6ef17..a28ffecc0f95a 100644 +--- a/fs/f2fs/checkpoint.c ++++ b/fs/f2fs/checkpoint.c +@@ -1301,10 +1301,14 @@ static void update_ckpt_flags(struct f2fs_sb_info *sbi, struct cp_control *cpc) + else + __clear_ckpt_flags(ckpt, CP_ORPHAN_PRESENT_FLAG); + +- if (is_sbi_flag_set(sbi, SBI_NEED_FSCK) || +- is_sbi_flag_set(sbi, SBI_IS_RESIZEFS)) ++ if (is_sbi_flag_set(sbi, SBI_NEED_FSCK)) + __set_ckpt_flags(ckpt, CP_FSCK_FLAG); + ++ if (is_sbi_flag_set(sbi, SBI_IS_RESIZEFS)) ++ __set_ckpt_flags(ckpt, CP_RESIZEFS_FLAG); ++ else ++ __clear_ckpt_flags(ckpt, CP_RESIZEFS_FLAG); ++ + if (is_sbi_flag_set(sbi, SBI_CP_DISABLED)) + __set_ckpt_flags(ckpt, CP_DISABLED_FLAG); + else +diff --git a/include/linux/f2fs_fs.h b/include/linux/f2fs_fs.h +index 2847389960281..6bb6f718a1023 100644 +--- a/include/linux/f2fs_fs.h ++++ b/include/linux/f2fs_fs.h +@@ -124,6 +124,7 @@ struct f2fs_super_block { + /* + * For checkpoint + */ ++#define CP_RESIZEFS_FLAG 0x00004000 + #define CP_DISABLED_QUICK_FLAG 0x00002000 + #define CP_DISABLED_FLAG 0x00001000 + #define 
CP_QUOTA_NEED_FSCK_FLAG 0x00000800 +-- +2.20.1 + diff --git a/queue-5.4/f2fs-fix-mount-failure-due-to-spo-after-a-successful.patch b/queue-5.4/f2fs-fix-mount-failure-due-to-spo-after-a-successful.patch new file mode 100644 index 00000000000..1272c3e3e02 --- /dev/null +++ b/queue-5.4/f2fs-fix-mount-failure-due-to-spo-after-a-successful.patch @@ -0,0 +1,53 @@ +From a779f90c54a71ac8706d6a9f86fd75fd6a3dc6b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Mar 2020 19:59:25 +0530 +Subject: f2fs: Fix mount failure due to SPO after a successful online resize + FS + +From: Sahitya Tummala + +[ Upstream commit 682756827501dc52593bf490f2d437c65ec9efcb ] + +Even though online resize is successfully done, a SPO immediately +after resize, still causes below error in the next mount. + +[ 11.294650] F2FS-fs (sda8): Wrong user_block_count: 2233856 +[ 11.300272] F2FS-fs (sda8): Failed to get valid F2FS checkpoint + +This is because after FS metadata is updated in update_fs_metadata() +if the SBI_IS_DIRTY is not dirty, then CP will not be done to reflect +the new user_block_count. + +Signed-off-by: Sahitya Tummala +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/gc.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c +index 5877bd7296896..e611d768efde3 100644 +--- a/fs/f2fs/gc.c ++++ b/fs/f2fs/gc.c +@@ -1532,11 +1532,17 @@ int f2fs_resize_fs(struct f2fs_sb_info *sbi, __u64 block_count) + goto out; + } + ++ mutex_lock(&sbi->cp_mutex); + update_fs_metadata(sbi, -secs); + clear_sbi_flag(sbi, SBI_IS_RESIZEFS); ++ set_sbi_flag(sbi, SBI_IS_DIRTY); ++ mutex_unlock(&sbi->cp_mutex); ++ + err = f2fs_sync_fs(sbi->sb, 1); + if (err) { ++ mutex_lock(&sbi->cp_mutex); + update_fs_metadata(sbi, secs); ++ mutex_unlock(&sbi->cp_mutex); + update_sb_metadata(sbi, secs); + f2fs_commit_super(sbi, false); + } +-- +2.20.1 + 
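Review bot: In update_ckpt_flags() (f2fs-add-a-new-cp-flag-to-help-fsck-fix-resize-spo-i.patch) a resize in progress no longer sets `CP_FSCK_FLAG`, only the new `CP_RESIZEFS_FLAG`. An fsck build that does not know bit `0x00004000` would presumably no longer be asked to repair after a sudden power-off during resize, which changes behaviour for systems that update the kernel but not the userspace tools. The define in f2fs_fs.h should carry that dependency, e.g. `#define CP_RESIZEFS_FLAG 0x00004000 /* online resize in progress; needs fsck support for this bit */`. Whether the required tools version is documented elsewhere is not visible from this hunk.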
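Review bot: In f2fs_resize_fs() (f2fs-fix-mount-failure-due-to-spo-after-a-successful.patch) the rollback branch takes `cp_mutex` only around `update_fs_metadata(sbi, secs)`, while `update_sb_metadata()` and `f2fs_commit_super()` run unlocked, and nothing says what the mutex protects here. A comment at the first `mutex_lock(&sbi->cp_mutex)` such as `/* keep a concurrent checkpoint from seeing half-updated block counts */` would show that the asymmetry is intended; that reading is inferred from the commit message and should be confirmed by the author. The function continues on both sides of the hunk.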
diff --git a/queue-5.4/f2fs-fix-null-pointer-dereference-in-f2fs_write_begi.patch b/queue-5.4/f2fs-fix-null-pointer-dereference-in-f2fs_write_begi.patch new file mode 100644 index 00000000000..e75aef4cfc3 --- /dev/null +++ b/queue-5.4/f2fs-fix-null-pointer-dereference-in-f2fs_write_begi.patch 
@@ -0,0 +1,77 @@ +From 27f76a5030edb16d1e41c4699ad335d6820c00c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Mar 2020 19:58:00 +0800 +Subject: f2fs: fix NULL pointer dereference in f2fs_write_begin() + +From: Chao Yu + +[ Upstream commit 62f63eea291b50a5677ae7503ac128803174698a ] + +BUG: kernel NULL pointer dereference, address: 0000000000000000 +RIP: 0010:f2fs_write_begin+0x823/0xb90 [f2fs] +Call Trace: + f2fs_quota_write+0x139/0x1d0 [f2fs] + write_blk+0x36/0x80 [quota_tree] + get_free_dqblk+0x42/0xa0 [quota_tree] + do_insert_tree+0x235/0x4a0 [quota_tree] + do_insert_tree+0x26e/0x4a0 [quota_tree] + do_insert_tree+0x26e/0x4a0 [quota_tree] + do_insert_tree+0x26e/0x4a0 [quota_tree] + qtree_write_dquot+0x70/0x190 [quota_tree] + v2_write_dquot+0x43/0x90 [quota_v2] + dquot_acquire+0x77/0x100 + f2fs_dquot_acquire+0x2f/0x60 [f2fs] + dqget+0x310/0x450 + dquot_transfer+0x7e/0x120 + f2fs_setattr+0x11a/0x4a0 [f2fs] + notify_change+0x349/0x480 + chown_common+0x168/0x1c0 + do_fchownat+0xbc/0xf0 + __x64_sys_fchownat+0x20/0x30 + do_syscall_64+0x5f/0x220 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Passing fsdata parameter to .write_{begin,end} in f2fs_quota_write(), +so that if quota file is compressed one, we can avoid above NULL +pointer dereference when updating quota content. 
+ +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/super.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c +index 94caf26901e0b..5e1d4d9243a95 100644 +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -1826,6 +1826,7 @@ static ssize_t f2fs_quota_write(struct super_block *sb, int type, + int offset = off & (sb->s_blocksize - 1); + size_t towrite = len; + struct page *page; ++ void *fsdata = NULL; + char *kaddr; + int err = 0; + int tocopy; +@@ -1835,7 +1836,7 @@ static ssize_t f2fs_quota_write(struct super_block *sb, int type, + towrite); + retry: + err = a_ops->write_begin(NULL, mapping, off, tocopy, 0, +- &page, NULL); ++ &page, &fsdata); + if (unlikely(err)) { + if (err == -ENOMEM) { + congestion_wait(BLK_RW_ASYNC, HZ/50); +@@ -1851,7 +1852,7 @@ static ssize_t f2fs_quota_write(struct super_block *sb, int type, + flush_dcache_page(page); + + a_ops->write_end(NULL, mapping, off, tocopy, tocopy, +- page, NULL); ++ page, fsdata); + offset = 0; + towrite -= tocopy; + off += tocopy; +-- +2.20.1 + diff --git a/queue-5.4/f2fs-fix-the-panic-in-do_checkpoint.patch b/queue-5.4/f2fs-fix-the-panic-in-do_checkpoint.patch new file mode 100644 index 00000000000..2917840751e --- /dev/null +++ b/queue-5.4/f2fs-fix-the-panic-in-do_checkpoint.patch 
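Review bot: In f2fs_quota_write() the new `void *fsdata = NULL;` is declared at function scope, but it is used once per pass of the copy loop and again after the `retry:` jump. If `write_begin` does not overwrite `*fsdata` on every call, a later pass could hand a stale pointer from an earlier page to `write_end`; whether it always does is not visible here. Resetting it right before the call, `fsdata = NULL;` ahead of `a_ops->write_begin(...)`, or declaring it inside the loop body would remove the question. The loop header and the rest of the function are outside the hunks.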
@@ -0,0 +1,135 @@ +From f2294be8f6dd43830f8bd3bc4300e4b6f7b08ae1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Feb 2020 09:19:07 +0530 +Subject: f2fs: fix the panic in do_checkpoint() + +From: Sahitya Tummala + +[ Upstream commit bf22c3cc8ce71454dddd772284773306a68031d8 ] + +There could be a scenario where f2fs_sync_meta_pages() will not +ensure that all F2FS_DIRTY_META pages are submitted for IO. Thus, +resulting in the below panic in do_checkpoint() - + +f2fs_bug_on(sbi, get_pages(sbi, F2FS_DIRTY_META) && + !f2fs_cp_error(sbi)); + +This can happen in a low-memory condition, where shrinker could +also be doing the writepage operation (stack shown below) +at the same time when checkpoint is running on another core. + +schedule +down_write +f2fs_submit_page_write -> by this time, this page in page cache is tagged + as PAGECACHE_TAG_WRITEBACK and PAGECACHE_TAG_DIRTY + is cleared, due to which f2fs_sync_meta_pages() + cannot sync this page in do_checkpoint() path. +f2fs_do_write_meta_page +__f2fs_write_meta_page +f2fs_write_meta_page +shrink_page_list +shrink_inactive_list +shrink_node_memcg +shrink_node +kswapd + +Signed-off-by: Sahitya Tummala +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/checkpoint.c | 16 +++++++--------- + fs/f2fs/f2fs.h | 2 +- + fs/f2fs/super.c | 2 +- + 3 files changed, 9 insertions(+), 11 deletions(-) + +diff --git a/fs/f2fs/checkpoint.c b/fs/f2fs/checkpoint.c +index a0eef95b9e0ed..410f5c2c6ef17 100644 +--- a/fs/f2fs/checkpoint.c ++++ b/fs/f2fs/checkpoint.c +@@ -1250,20 +1250,20 @@ static void unblock_operations(struct f2fs_sb_info *sbi) + f2fs_unlock_all(sbi); + } + +-void f2fs_wait_on_all_pages_writeback(struct f2fs_sb_info *sbi) ++void f2fs_wait_on_all_pages(struct f2fs_sb_info *sbi, int type) + { + DEFINE_WAIT(wait); + + for (;;) { + prepare_to_wait(&sbi->cp_wait, &wait, TASK_UNINTERRUPTIBLE); + +- if (!get_pages(sbi, F2FS_WB_CP_DATA)) ++ if (!get_pages(sbi, type)) + break; + + if 
(unlikely(f2fs_cp_error(sbi))) + break; + +- io_schedule_timeout(5*HZ); ++ io_schedule_timeout(HZ/50); + } + finish_wait(&sbi->cp_wait, &wait); + } +@@ -1384,8 +1384,6 @@ static int do_checkpoint(struct f2fs_sb_info *sbi, struct cp_control *cpc) + + /* Flush all the NAT/SIT pages */ + f2fs_sync_meta_pages(sbi, META, LONG_MAX, FS_CP_META_IO); +- f2fs_bug_on(sbi, get_pages(sbi, F2FS_DIRTY_META) && +- !f2fs_cp_error(sbi)); + + /* + * modify checkpoint +@@ -1493,11 +1491,11 @@ static int do_checkpoint(struct f2fs_sb_info *sbi, struct cp_control *cpc) + + /* Here, we have one bio having CP pack except cp pack 2 page */ + f2fs_sync_meta_pages(sbi, META, LONG_MAX, FS_CP_META_IO); +- f2fs_bug_on(sbi, get_pages(sbi, F2FS_DIRTY_META) && +- !f2fs_cp_error(sbi)); ++ /* Wait for all dirty meta pages to be submitted for IO */ ++ f2fs_wait_on_all_pages(sbi, F2FS_DIRTY_META); + + /* wait for previous submitted meta pages writeback */ +- f2fs_wait_on_all_pages_writeback(sbi); ++ f2fs_wait_on_all_pages(sbi, F2FS_WB_CP_DATA); + + /* flush all device cache */ + err = f2fs_flush_device_cache(sbi); +@@ -1506,7 +1504,7 @@ static int do_checkpoint(struct f2fs_sb_info *sbi, struct cp_control *cpc) + + /* barrier and flush checkpoint cp pack 2 page if it can */ + commit_checkpoint(sbi, ckpt, start_blk); +- f2fs_wait_on_all_pages_writeback(sbi); ++ f2fs_wait_on_all_pages(sbi, F2FS_WB_CP_DATA); + + /* + * invalidate intermediate page cache borrowed from meta inode +diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h +index 9046432b87c2d..1a8b68ceaa62f 100644 +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -3185,7 +3185,7 @@ int f2fs_get_valid_checkpoint(struct f2fs_sb_info *sbi); + void f2fs_update_dirty_page(struct inode *inode, struct page *page); + void f2fs_remove_dirty_inode(struct inode *inode); + int f2fs_sync_dirty_inodes(struct f2fs_sb_info *sbi, enum inode_type type); +-void f2fs_wait_on_all_pages_writeback(struct f2fs_sb_info *sbi); ++void f2fs_wait_on_all_pages(struct f2fs_sb_info *sbi, 
int type); + int f2fs_write_checkpoint(struct f2fs_sb_info *sbi, struct cp_control *cpc); + void f2fs_init_ino_entry_info(struct f2fs_sb_info *sbi); + int __init f2fs_create_checkpoint_caches(void); +diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c +index ea8dbf1458c99..28441f4971b8d 100644 +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -1105,7 +1105,7 @@ static void f2fs_put_super(struct super_block *sb) + /* our cp_error case, we can wait for any writeback page */ + f2fs_flush_merged_writes(sbi); + +- f2fs_wait_on_all_pages_writeback(sbi); ++ f2fs_wait_on_all_pages(sbi, F2FS_WB_CP_DATA); + + f2fs_bug_on(sbi, sbi->fsync_node_num); + +-- +2.20.1 + diff --git a/queue-5.4/f2fs-fix-to-show-norecovery-mount-option.patch b/queue-5.4/f2fs-fix-to-show-norecovery-mount-option.patch new file mode 100644 index 00000000000..461888d1371 --- /dev/null +++ b/queue-5.4/f2fs-fix-to-show-norecovery-mount-option.patch 
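Review bot: The first `f2fs_bug_on(sbi, get_pages(sbi, F2FS_DIRTY_META) && !f2fs_cp_error(sbi))` in do_checkpoint(), the one after "Flush all the NAT/SIT pages", is removed with no replacement, while the second becomes `f2fs_wait_on_all_pages(sbi, F2FS_DIRTY_META)`; a comment at the first site should say why no wait is needed there. The helper's poll interval also changes from `5*HZ` to `HZ/50` for every caller, including the existing `F2FS_WB_CP_DATA` waits and f2fs_put_super(), which the commit message does not mention. The loop sleeps in TASK_UNINTERRUPTIBLE and ends only when the counter reaches zero or a checkpoint error is flagged. If nothing wakes `cp_wait` when the dirty-meta count drops, this is a 20 ms poll with no upper bound, and a comment on the function saying so would help whoever has to debug a hung checkpoint.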
@@ -0,0 +1,67 @@ +From 640745c22ed1201b873205229c1177f9931cd2ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Feb 2020 17:45:11 +0800 +Subject: f2fs: fix to show norecovery mount option + +From: Chao Yu + +[ Upstream commit a9117eca1de6b738e713d2142126db2cfbf6fb36 ] + +Previously, 'norecovery' mount option will be shown as +'disable_roll_forward', fix to show original option name correctly. + +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/f2fs.h | 1 + + fs/f2fs/super.c | 7 +++++-- + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h +index 1a8b68ceaa62f..3edde3d6d089d 100644 +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -100,6 +100,7 @@ extern const char *f2fs_fault_name[FAULT_MAX]; + #define F2FS_MOUNT_INLINE_XATTR_SIZE 0x00800000 + #define F2FS_MOUNT_RESERVE_ROOT 0x01000000 + #define F2FS_MOUNT_DISABLE_CHECKPOINT 0x02000000 ++#define F2FS_MOUNT_NORECOVERY 0x04000000 + + #define F2FS_OPTION(sbi) ((sbi)->mount_opt) + #define clear_opt(sbi, option) (F2FS_OPTION(sbi).opt &= ~F2FS_MOUNT_##option) +diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c +index 28441f4971b8d..94caf26901e0b 100644 +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -439,7 +439,7 @@ static int parse_options(struct super_block *sb, char *options) + break; + case Opt_norecovery: + /* this option mounts f2fs with ro */ +- set_opt(sbi, DISABLE_ROLL_FORWARD); ++ set_opt(sbi, NORECOVERY); + if (!f2fs_readonly(sb)) + return -EINVAL; + break; +@@ -1348,6 +1348,8 @@ static int f2fs_show_options(struct seq_file *seq, struct dentry *root) + } + if (test_opt(sbi, DISABLE_ROLL_FORWARD)) + seq_puts(seq, ",disable_roll_forward"); ++ if (test_opt(sbi, NORECOVERY)) ++ seq_puts(seq, ",norecovery"); + if (test_opt(sbi, DISCARD)) + seq_puts(seq, ",discard"); + else +@@ -3488,7 +3490,8 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent) + goto reset_checkpoint; + + /* recover fsynced 
data */ +- if (!test_opt(sbi, DISABLE_ROLL_FORWARD)) { ++ if (!test_opt(sbi, DISABLE_ROLL_FORWARD) && ++ !test_opt(sbi, NORECOVERY)) { + /* + * mount should be failed, when device has readonly mode, and + * previous checkpoint was not done by clean system shutdown. +-- +2.20.1 + diff --git a/queue-5.4/f2fs-fix-to-wait-all-node-page-writeback.patch b/queue-5.4/f2fs-fix-to-wait-all-node-page-writeback.patch new file mode 100644 index 00000000000..2bdd43af712 --- /dev/null +++ b/queue-5.4/f2fs-fix-to-wait-all-node-page-writeback.patch 
@@ -0,0 +1,58 @@ +From 59615714c2bec46202bb1897bddb8e2d2ee0003c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Feb 2020 17:45:12 +0800 +Subject: f2fs: fix to wait all node page writeback + +From: Chao Yu + +[ Upstream commit dc5a941223edd803f476a153abd950cc3a83c3e1 ] + +There is a race condition that we may miss to wait for all node pages +writeback, fix it. + +- fsync() - shrink + - f2fs_do_sync_file + - __write_node_page + - set_page_writeback(page#0) + : remove DIRTY/TOWRITE flag + - f2fs_fsync_node_pages + : won't find page #0 as TOWRITE flag was removeD + - f2fs_wait_on_node_pages_writeback + : wont' wait page #0 writeback as it was not in fsync_node_list list. + - f2fs_add_fsync_node_entry + +Fixes: 50fa53eccf9f ("f2fs: fix to avoid broken of dnode block list") +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/node.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c +index 8b66bc4c004b6..f14401a77d601 100644 +--- a/fs/f2fs/node.c ++++ b/fs/f2fs/node.c +@@ -1562,15 +1562,16 @@ static int __write_node_page(struct page *page, bool atomic, bool *submitted, + if (atomic && !test_opt(sbi, NOBARRIER)) + fio.op_flags |= REQ_PREFLUSH | REQ_FUA; + +- set_page_writeback(page); +- ClearPageError(page); +- ++ /* should add to global list before clearing PAGECACHE status */ + if (f2fs_in_warm_node_list(sbi, page)) { + seq = f2fs_add_fsync_node_entry(sbi, page); + if (seq_id) + *seq_id = seq; + } + ++ set_page_writeback(page); ++ ClearPageError(page); ++ + fio.old_blkaddr = ni.blk_addr; + f2fs_do_write_node_page(nid, &fio); + set_node_addr(sbi, &ni, fio.new_blkaddr, is_fsync_dnode(page)); +-- +2.20.1 + diff --git a/queue-5.4/hibernate-allow-uswsusp-to-write-to-swap.patch b/queue-5.4/hibernate-allow-uswsusp-to-write-to-swap.patch new file mode 100644 index 00000000000..bf4542eb0a4 --- /dev/null +++ b/queue-5.4/hibernate-allow-uswsusp-to-write-to-swap.patch 
@@ -0,0 +1,50 @@ +From ea2e9ce76d60a7979944baaf926d322a94de59bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Mar 2020 08:22:15 -0700 +Subject: hibernate: Allow uswsusp to write to swap + +From: Domenico Andreoli + +[ Upstream commit 56939e014a6c212b317414faa307029e2e80c3b9 ] + +It turns out that there is one use case for programs being able to +write to swap devices, and that is the userspace hibernation code. + +Quick fix: disable the S_SWAPFILE check if hibernation is configured. + +Fixes: dc617f29dbe5 ("vfs: don't allow writes to swap files") +Reported-by: Domenico Andreoli +Reported-by: Marian Klein +Signed-off-by: Domenico Andreoli +Reviewed-by: Darrick J. Wong +Signed-off-by: Darrick J. Wong +Signed-off-by: Sasha Levin +--- + fs/block_dev.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/block_dev.c b/fs/block_dev.c +index d612468ee66bf..34644ce4b5025 100644 +--- a/fs/block_dev.c ++++ b/fs/block_dev.c +@@ -34,6 +34,7 @@ + #include + #include + #include ++#include + #include "internal.h" + + struct bdev_inode { +@@ -1975,7 +1976,8 @@ ssize_t blkdev_write_iter(struct kiocb *iocb, struct iov_iter *from) + if (bdev_read_only(I_BDEV(bd_inode))) + return -EPERM; + +- if (IS_SWAPFILE(bd_inode)) ++ /* uswsusp needs write permission to the swap */ ++ if (IS_SWAPFILE(bd_inode) && !hibernation_available()) + return -ETXTBSY; + + if (!iov_iter_count(from)) +-- +2.20.1 + diff --git a/queue-5.4/include-linux-swapops.h-correct-guards-for-non_swap_.patch b/queue-5.4/include-linux-swapops.h-correct-guards-for-non_swap_.patch new file mode 100644 index 00000000000..1b3b0f5936a --- /dev/null +++ b/queue-5.4/include-linux-swapops.h-correct-guards-for-non_swap_.patch 
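Review bot: In `blkdev_write_iter()` the added `!hibernation_available()` term takes no argument, so it cannot depend on the caller: wherever hibernation is available the `-ETXTBSY` guard on active swap devices is lifted for every writer, not only for the uswsusp process. The commit message calls this a quick fix, and the comment at the check should say as much, for example `/* FIXME: system-wide bypass for uswsusp; narrow to the hibernation resume device */`. A tighter follow-up would allow the write only when `bd_inode` is the configured resume device. The function body starts and continues outside the hunk.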
@@ -0,0 +1,62 @@ +From 7c72428330f2c7f16f27e45eb2f86b754d6ac098 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Apr 2020 20:08:43 -0700 +Subject: include/linux/swapops.h: correct guards for non_swap_entry() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Steven Price + +[ Upstream commit 3f3673d7d324d872d9d8ddb73b3e5e47fbf12e0d ] + +If CONFIG_DEVICE_PRIVATE is defined, but neither CONFIG_MEMORY_FAILURE nor +CONFIG_MIGRATION, then non_swap_entry() will return 0, meaning that the +condition (non_swap_entry(entry) && is_device_private_entry(entry)) in +zap_pte_range() will never be true even if the entry is a device private +one. + +Equally any other code depending on non_swap_entry() will not function as +expected. + +I originally spotted this just by looking at the code, I haven't actually +observed any problems. + +Looking a bit more closely it appears that actually this situation +(currently at least) cannot occur: + +DEVICE_PRIVATE depends on ZONE_DEVICE +ZONE_DEVICE depends on MEMORY_HOTREMOVE +MEMORY_HOTREMOVE depends on MIGRATION + +Fixes: 5042db43cc26 ("mm/ZONE_DEVICE: new type of ZONE_DEVICE for unaddressable memory") +Signed-off-by: Steven Price +Signed-off-by: Andrew Morton +Cc: Jérôme Glisse +Cc: Arnd Bergmann +Cc: Dan Williams +Cc: John Hubbard +Link: http://lkml.kernel.org/r/20200305130550.22693-1-steven.price@arm.com +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/linux/swapops.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/include/linux/swapops.h b/include/linux/swapops.h +index 877fd239b6fff..3208a520d0be3 100644 +--- a/include/linux/swapops.h ++++ b/include/linux/swapops.h +@@ -348,7 +348,8 @@ static inline void num_poisoned_pages_inc(void) + } + #endif + +-#if defined(CONFIG_MEMORY_FAILURE) || defined(CONFIG_MIGRATION) ++#if defined(CONFIG_MEMORY_FAILURE) || defined(CONFIG_MIGRATION) || \ ++ defined(CONFIG_DEVICE_PRIVATE) + static 
inline int non_swap_entry(swp_entry_t entry) + { + return swp_type(entry) >= MAX_SWAPFILES; +-- +2.20.1 + diff --git a/queue-5.4/iommu-amd-fix-the-configuration-of-gcr3-table-root-p.patch b/queue-5.4/iommu-amd-fix-the-configuration-of-gcr3-table-root-p.patch new file mode 100644 index 00000000000..e66b9e3ad7a --- /dev/null +++ b/queue-5.4/iommu-amd-fix-the-configuration-of-gcr3-table-root-p.patch @@ -0,0 +1,38 @@ +From 607646a255dbb268f375392344ca7cfc0c2346d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Feb 2020 18:44:51 +0800 +Subject: iommu/amd: Fix the configuration of GCR3 table root pointer + +From: Adrian Huang + +[ Upstream commit c20f36534666e37858a14e591114d93cc1be0d34 ] + +The SPA of the GCR3 table root pointer[51:31] masks 20 bits. However, +this requires 21 bits (Please see the AMD IOMMU specification). +This leads to the potential failure when the bit 51 of SPA of +the GCR3 table root pointer is 1'. + +Signed-off-by: Adrian Huang +Fixes: 52815b75682e2 ("iommu/amd: Add support for IOMMUv2 domain mode") +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/amd_iommu_types.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/iommu/amd_iommu_types.h b/drivers/iommu/amd_iommu_types.h +index daeabd98c60e2..0679896b9e2e1 100644 +--- a/drivers/iommu/amd_iommu_types.h ++++ b/drivers/iommu/amd_iommu_types.h +@@ -348,7 +348,7 @@ + + #define DTE_GCR3_VAL_A(x) (((x) >> 12) & 0x00007ULL) + #define DTE_GCR3_VAL_B(x) (((x) >> 15) & 0x0ffffULL) +-#define DTE_GCR3_VAL_C(x) (((x) >> 31) & 0xfffffULL) ++#define DTE_GCR3_VAL_C(x) (((x) >> 31) & 0x1fffffULL) + + #define DTE_GCR3_INDEX_A 0 + #define DTE_GCR3_INDEX_B 1 +-- +2.20.1 + diff --git a/queue-5.4/iommu-virtio-fix-freeing-of-incomplete-domains.patch b/queue-5.4/iommu-virtio-fix-freeing-of-incomplete-domains.patch new file mode 100644 index 00000000000..786cf6d2751 --- /dev/null +++ b/queue-5.4/iommu-virtio-fix-freeing-of-incomplete-domains.patch 
@@ -0,0 +1,63 @@ +From 27dee0b0dfdf833066970786302e085afdda5c2a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Mar 2020 10:35:57 +0100 +Subject: iommu/virtio: Fix freeing of incomplete domains + +From: Jean-Philippe Brucker + +[ Upstream commit 7062af3ed2ba451029e3733d9f677c68f5ea9e77 ] + +Calling viommu_domain_free() on a domain that hasn't been finalised (not +attached to any device, for example) can currently cause an Oops, +because we attempt to call ida_free() on ID 0, which may either be +unallocated or used by another domain. + +Only initialise the vdomain->viommu pointer, which denotes a finalised +domain, at the end of a successful viommu_domain_finalise(). + +Fixes: edcd69ab9a32 ("iommu: Add virtio-iommu driver") +Reported-by: Eric Auger +Signed-off-by: Jean-Philippe Brucker +Reviewed-by: Robin Murphy +Link: https://lore.kernel.org/r/20200326093558.2641019-3-jean-philippe@linaro.org +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/virtio-iommu.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/drivers/iommu/virtio-iommu.c b/drivers/iommu/virtio-iommu.c +index 3ea9d76829995..6c340a4f4fd28 100644 +--- a/drivers/iommu/virtio-iommu.c ++++ b/drivers/iommu/virtio-iommu.c +@@ -614,18 +614,20 @@ static int viommu_domain_finalise(struct viommu_dev *viommu, + int ret; + struct viommu_domain *vdomain = to_viommu_domain(domain); + +- vdomain->viommu = viommu; +- vdomain->map_flags = viommu->map_flags; ++ ret = ida_alloc_range(&viommu->domain_ids, viommu->first_domain, ++ viommu->last_domain, GFP_KERNEL); ++ if (ret < 0) ++ return ret; ++ ++ vdomain->id = (unsigned int)ret; + + domain->pgsize_bitmap = viommu->pgsize_bitmap; + domain->geometry = viommu->geometry; + +- ret = ida_alloc_range(&viommu->domain_ids, viommu->first_domain, +- viommu->last_domain, GFP_KERNEL); +- if (ret >= 0) +- vdomain->id = (unsigned int)ret; ++ vdomain->map_flags = viommu->map_flags; ++ vdomain->viommu = viommu; 
+ +- return ret > 0 ? 0 : ret; ++ return 0; + } + + static void viommu_domain_free(struct iommu_domain *domain) +-- +2.20.1 + diff --git a/queue-5.4/iommu-vt-d-fix-mm-reference-leak.patch b/queue-5.4/iommu-vt-d-fix-mm-reference-leak.patch new file mode 100644 index 00000000000..4a094a74433 --- /dev/null +++ b/queue-5.4/iommu-vt-d-fix-mm-reference-leak.patch @@ -0,0 +1,47 @@ +From 63a555499cb2779931ebab0eedf1958bda8614a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Mar 2020 21:32:30 -0700 +Subject: iommu/vt-d: Fix mm reference leak + +From: Jacob Pan + +[ Upstream commit 902baf61adf6b187f0a6b789e70d788ea71ff5bc ] + +Move canonical address check before mmget_not_zero() to avoid mm +reference leak. + +Fixes: 9d8c3af31607 ("iommu/vt-d: IOMMU Page Request needs to check if address is canonical.") +Signed-off-by: Jacob Pan +Acked-by: Lu Baolu +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/intel-svm.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/iommu/intel-svm.c b/drivers/iommu/intel-svm.c +index 518d0b2d12afd..3020506180c10 100644 +--- a/drivers/iommu/intel-svm.c ++++ b/drivers/iommu/intel-svm.c +@@ -583,14 +583,15 @@ static irqreturn_t prq_event_thread(int irq, void *d) + * any faults on kernel addresses. */ + if (!svm->mm) + goto bad_req; +- /* If the mm is already defunct, don't handle faults. */ +- if (!mmget_not_zero(svm->mm)) +- goto bad_req; + + /* If address is not canonical, return invalid response */ + if (!is_canonical_address(address)) + goto bad_req; + ++ /* If the mm is already defunct, don't handle faults. */ ++ if (!mmget_not_zero(svm->mm)) ++ goto bad_req; ++ + down_read(&svm->mm->mmap_sem); + vma = find_extend_vma(svm->mm, address); + if (!vma || address < vma->vm_start) +-- +2.20.1 + diff --git a/queue-5.4/iommu-vt-d-fix-page-request-descriptor-size.patch b/queue-5.4/iommu-vt-d-fix-page-request-descriptor-size.patch new file mode 100644 index 00000000000..055d5015b77 
--- /dev/null +++ b/queue-5.4/iommu-vt-d-fix-page-request-descriptor-size.patch @@ -0,0 +1,40 @@ +From 92aa0969f384fcf51082947f3ba2458f54c0b8e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Mar 2020 09:10:18 +0800 +Subject: iommu/vt-d: Fix page request descriptor size + +From: Jacob Pan + +[ Upstream commit 52355fb1919ef7ed9a38e0f3de6e928de1f57217 ] + +Intel VT-d might support PRS (Page Reqest Support) when it's +running in the scalable mode. Each page request descriptor +occupies 32 bytes and is 32-bytes aligned. The page request +descriptor offset mask should be 32-bytes aligned. + +Fixes: 5b438f4ba315d ("iommu/vt-d: Support page request in scalable mode") +Signed-off-by: Lu Baolu +Signed-off-by: Liu Yi L +Signed-off-by: Jacob Pan +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/intel-svm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/iommu/intel-svm.c b/drivers/iommu/intel-svm.c +index 3020506180c10..1d3816cd65d57 100644 +--- a/drivers/iommu/intel-svm.c ++++ b/drivers/iommu/intel-svm.c +@@ -502,7 +502,7 @@ struct page_req_dsc { + u64 priv_data[2]; + }; + +-#define PRQ_RING_MASK ((0x1000 << PRQ_ORDER) - 0x10) ++#define PRQ_RING_MASK ((0x1000 << PRQ_ORDER) - 0x20) + + static bool access_error(struct vm_area_struct *vma, struct page_req_dsc *req) + { +-- +2.20.1 + diff --git a/queue-5.4/iommu-vt-d-silence-rcu-list-debugging-warning-in-dma.patch b/queue-5.4/iommu-vt-d-silence-rcu-list-debugging-warning-in-dma.patch new file mode 100644 index 00000000000..945b50a8c1f --- /dev/null +++ b/queue-5.4/iommu-vt-d-silence-rcu-list-debugging-warning-in-dma.patch 
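Review bot: `PRQ_RING_MASK` still hard-codes the descriptor size, now as `0x20`, which is how the mask went out of step with `struct page_req_dsc` in the first place. Tying the constant to the struct that ends just above the define would catch the next layout change at build time, for example `BUILD_BUG_ON(sizeof(struct page_req_dsc) != 0x20);` in the code that sets up the ring. This is hedged, since only the tail of the struct (`u64 priv_data[2]`) is visible in the hunk. A comment such as `/* ring offset mask, aligned to one 32-byte page request descriptor */` would also record why the value is 0x20.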
@@ -0,0 +1,55 @@ +From 9772f095fef1ca3c6aa50b94975f9341d7646679 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Mar 2020 11:03:26 -0400 +Subject: iommu/vt-d: Silence RCU-list debugging warning in dmar_find_atsr() + +From: Qian Cai + +[ Upstream commit c6f4ebdeba4cff590594df931ff1ee610c426431 ] + +dmar_find_atsr() calls list_for_each_entry_rcu() outside of an RCU read +side critical section but with dmar_global_lock held. Silence this +false positive. + + drivers/iommu/intel-iommu.c:4504 RCU-list traversed in non-reader section!! + 1 lock held by swapper/0/1: + #0: ffffffff9755bee8 (dmar_global_lock){+.+.}, at: intel_iommu_init+0x1a6/0xe19 + + Call Trace: + dump_stack+0xa4/0xfe + lockdep_rcu_suspicious+0xeb/0xf5 + dmar_find_atsr+0x1ab/0x1c0 + dmar_parse_one_atsr+0x64/0x220 + dmar_walk_remapping_entries+0x130/0x380 + dmar_table_init+0x166/0x243 + intel_iommu_init+0x1ab/0xe19 + pci_iommu_init+0x1a/0x44 + do_one_initcall+0xae/0x4d0 + kernel_init_freeable+0x412/0x4c5 + kernel_init+0x19/0x193 + +Signed-off-by: Qian Cai +Acked-by: Lu Baolu +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/intel-iommu.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c +index 0d922eeae3579..773ac2b0d6068 100644 +--- a/drivers/iommu/intel-iommu.c ++++ b/drivers/iommu/intel-iommu.c +@@ -4335,7 +4335,8 @@ static struct dmar_atsr_unit *dmar_find_atsr(struct acpi_dmar_atsr *atsr) + struct dmar_atsr_unit *atsru; + struct acpi_dmar_atsr *tmp; + +- list_for_each_entry_rcu(atsru, &dmar_atsr_units, list) { ++ list_for_each_entry_rcu(atsru, &dmar_atsr_units, list, ++ dmar_rcu_check()) { + tmp = (struct acpi_dmar_atsr *)atsru->hdr; + if (atsr->segment != tmp->segment) + continue; +-- +2.20.1 + 
diff --git a/queue-5.4/kvm-ppc-book3s-hv-fix-h_cede-return-code-for-nested-.patch b/queue-5.4/kvm-ppc-book3s-hv-fix-h_cede-return-code-for-nested-.patch
new file mode 100644
index 00000000000..de4b4584c31
--- /dev/null
+++ b/queue-5.4/kvm-ppc-book3s-hv-fix-h_cede-return-code-for-nested-.patch
@@ -0,0 +1,67 @@ +From fc03a36c605a3e19dd0048ecdf35f829749c9fb2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2020 16:11:28 -0500 +Subject: KVM: PPC: Book3S HV: Fix H_CEDE return code for nested guests + +From: Michael Roth + +[ Upstream commit 1f50cc1705350a4697923203fedd7d8fb1087fe2 ] + +The h_cede_tm kvm-unit-test currently fails when run inside an L1 guest +via the guest/nested hypervisor. + + ./run-tests.sh -v + ... + TESTNAME=h_cede_tm TIMEOUT=90s ACCEL= ./powerpc/run powerpc/tm.elf -smp 2,threads=2 -machine cap-htm=on -append "h_cede_tm" + FAIL h_cede_tm (2 tests, 1 unexpected failures) + +While the test relates to transactional memory instructions, the actual +failure is due to the return code of the H_CEDE hypercall, which is +reported as 224 instead of 0. This happens even when no TM instructions +are issued. + +224 is the value placed in r3 to execute a hypercall for H_CEDE, and r3 +is where the caller expects the return code to be placed upon return. + +In the case of guest running under a nested hypervisor, issuing H_CEDE +causes a return from H_ENTER_NESTED. In this case H_CEDE is +specially-handled immediately rather than later in +kvmppc_pseries_do_hcall() as with most other hcalls, but we forget to +set the return code for the caller, hence why kvm-unit-test sees the +224 return code and reports an error. + +Guest kernels generally don't check the return value of H_CEDE, so +that likely explains why this hasn't caused issues outside of +kvm-unit-tests so far. + +Fix this by setting r3 to 0 after we finish processing the H_CEDE. 
+ +RHBZ: 1778556 + +Fixes: 4bad77799fed ("KVM: PPC: Book3S HV: Handle hypercalls correctly when nested") +Cc: linuxppc-dev@ozlabs.org +Cc: David Gibson +Cc: Paul Mackerras +Signed-off-by: Michael Roth +Reviewed-by: David Gibson +Signed-off-by: Paul Mackerras +Signed-off-by: Sasha Levin +--- + arch/powerpc/kvm/book3s_hv.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c +index 36abbe3c346df..e2183fed947d4 100644 +--- a/arch/powerpc/kvm/book3s_hv.c ++++ b/arch/powerpc/kvm/book3s_hv.c +@@ -3623,6 +3623,7 @@ int kvmhv_p9_guest_entry(struct kvm_vcpu *vcpu, u64 time_limit, + if (trap == BOOK3S_INTERRUPT_SYSCALL && !vcpu->arch.nested && + kvmppc_get_gpr(vcpu, 3) == H_CEDE) { + kvmppc_nested_cede(vcpu); ++ kvmppc_set_gpr(vcpu, 3, 0); + trap = 0; + } + } else { +-- +2.20.1 + diff --git a/queue-5.4/kvm-s390-vsie-fix-possible-race-when-shadowing-regio.patch b/queue-5.4/kvm-s390-vsie-fix-possible-race-when-shadowing-regio.patch new file mode 100644 index 00000000000..dc17e427599 --- /dev/null +++ b/queue-5.4/kvm-s390-vsie-fix-possible-race-when-shadowing-regio.patch 
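Review bot: The added `kvmppc_set_gpr(vcpu, 3, 0);` in `kvmhv_p9_guest_entry()` writes the hypercall return code as a bare `0`. `kvmppc_set_gpr(vcpu, 3, H_SUCCESS);` says what the value means and reads consistently with the `H_CEDE` comparison on the same register two lines above. A short comment such as `/* r3 carries the hcall return code back to the guest */` would keep the reason for the write next to it. The function starts and ends outside the hunk.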
@@ -0,0 +1,52 @@ +From 53774620f9323daaab7f35fb8a168d991f942a9a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Apr 2020 17:30:48 +0200 +Subject: KVM: s390: vsie: Fix possible race when shadowing region 3 tables + +From: David Hildenbrand + +[ Upstream commit 1493e0f944f3c319d11e067c185c904d01c17ae5 ] + +We have to properly retry again by returning -EINVAL immediately in case +somebody else instantiated the table concurrently. We missed to add the +goto in this function only. The code now matches the other, similar +shadowing functions. + +We are overwriting an existing region 2 table entry. All allocated pages +are added to the crst_list to be freed later, so they are not lost +forever. However, when unshadowing the region 2 table, we wouldn't trigger +unshadowing of the original shadowed region 3 table that we replaced. It +would get unshadowed when the original region 3 table is modified. As it's +not connected to the page table hierarchy anymore, it's not going to get +used anymore. However, for a limited time, this page table will stick +around, so it's in some sense a temporary memory leak. + +Identified by manual code inspection. I don't think this classifies as +stable material. 
+ +Fixes: 998f637cc4b9 ("s390/mm: avoid races on region/segment/page table shadowing") +Signed-off-by: David Hildenbrand +Link: https://lore.kernel.org/r/20200403153050.20569-4-david@redhat.com +Reviewed-by: Claudio Imbrenda +Reviewed-by: Christian Borntraeger +Signed-off-by: Christian Borntraeger +Signed-off-by: Sasha Levin +--- + arch/s390/mm/gmap.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/s390/mm/gmap.c b/arch/s390/mm/gmap.c +index 9d9ab77d02dd3..364e3a89c0969 100644 +--- a/arch/s390/mm/gmap.c ++++ b/arch/s390/mm/gmap.c +@@ -1844,6 +1844,7 @@ int gmap_shadow_r3t(struct gmap *sg, unsigned long saddr, unsigned long r3t, + goto out_free; + } else if (*table & _REGION_ENTRY_ORIGIN) { + rc = -EAGAIN; /* Race with shadow */ ++ goto out_free; + } + crst_table_init(s_r3t, _REGION3_ENTRY_EMPTY); + /* mark as invalid as long as the parent table is not protected */ +-- +2.20.1 + diff --git a/queue-5.4/leds-core-fix-warning-message-when-init_data.patch b/queue-5.4/leds-core-fix-warning-message-when-init_data.patch new file mode 100644 index 00000000000..1e334b658b9 --- /dev/null +++ b/queue-5.4/leds-core-fix-warning-message-when-init_data.patch 
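Review bot: The branch that gains `goto out_free;` in `gmap_shadow_r3t()` sets `rc = -EAGAIN`, while the commit description says the retry is signalled by returning -EINVAL, so the code and the description disagree about the error value. The code comment is the place to settle it, for example `rc = -EAGAIN; /* Race with shadow: drop s_r3t, caller retries */`. The rest of the function, including the `out_free` label, is outside the hunk.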
@@ -0,0 +1,39 @@ +From 56c95c92eb293ff3b9501388bc2fd3e14a36520b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Apr 2020 11:51:47 +0200 +Subject: leds: core: Fix warning message when init_data + +From: Ricardo Ribalda Delgado + +[ Upstream commit 64ed6588c2ea618d3f9ca9d8b365ae4c19f76225 ] + +The warning message when a led is renamed due to name collition can fail +to show proper original name if init_data is used. Eg: + +[ 9.073996] leds-gpio a0040000.leds_0: Led (null) renamed to red_led_1 due to name collision + +Fixes: bb4e9af0348d ("leds: core: Add support for composing LED class device names") +Signed-off-by: Ricardo Ribalda Delgado +Acked-by: Jacek Anaszewski +Signed-off-by: Pavel Machek +Signed-off-by: Sasha Levin +--- + drivers/leds/led-class.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/leds/led-class.c b/drivers/leds/led-class.c +index 647b1263c5794..d3e83c33783e5 100644 +--- a/drivers/leds/led-class.c ++++ b/drivers/leds/led-class.c +@@ -281,7 +281,7 @@ int led_classdev_register_ext(struct device *parent, + + if (ret) + dev_warn(parent, "Led %s renamed to %s due to name collision", +- led_cdev->name, dev_name(led_cdev->dev)); ++ proposed_name, dev_name(led_cdev->dev)); + + if (led_cdev->flags & LED_BRIGHT_HW_CHANGED) { + ret = led_add_brightness_hw_changed(led_cdev); +-- +2.20.1 + diff --git a/queue-5.4/libnvdimm-out-of-bounds-read-in-__nd_ioctl.patch b/queue-5.4/libnvdimm-out-of-bounds-read-in-__nd_ioctl.patch new file mode 100644 index 00000000000..ce39cbe524a --- /dev/null +++ b/queue-5.4/libnvdimm-out-of-bounds-read-in-__nd_ioctl.patch 
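Review bot: The `dev_warn()` format string touched in `led_classdev_register_ext()` still has no trailing newline, so the message relies on the log core to terminate the record. Since the line is being edited anyway I would end the string with `collision\n"`. `proposed_name` is built outside the hunk, so it cannot be confirmed from here that it is always populated when `ret` is non-zero.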
@@ -0,0 +1,43 @@ +From 0597d87aeb430b553675bb4b62945f1a5124cbe8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Feb 2020 19:20:56 +0300 +Subject: libnvdimm: Out of bounds read in __nd_ioctl() + +From: Dan Carpenter + +[ Upstream commit f84afbdd3a9e5e10633695677b95422572f920dc ] + +The "cmd" comes from the user and it can be up to 255. It it's more +than the number of bits in long, it results out of bounds read when we +check test_bit(cmd, &cmd_mask). The highest valid value for "cmd" is +ND_CMD_CALL (10) so I added a compare against that. + +Fixes: 62232e45f4a2 ("libnvdimm: control (ioctl) messages for nvdimm_bus and nvdimm devices") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/20200225162055.amtosfy7m35aivxg@kili.mountain +Signed-off-by: Dan Williams +Signed-off-by: Sasha Levin +--- + drivers/nvdimm/bus.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/nvdimm/bus.c b/drivers/nvdimm/bus.c +index d47412dcdf38d..5e5c6aafc070b 100644 +--- a/drivers/nvdimm/bus.c ++++ b/drivers/nvdimm/bus.c +@@ -1010,8 +1010,10 @@ static int __nd_ioctl(struct nvdimm_bus *nvdimm_bus, struct nvdimm *nvdimm, + return -EFAULT; + } + +- if (!desc || (desc->out_num + desc->in_num == 0) || +- !test_bit(cmd, &cmd_mask)) ++ if (!desc || ++ (desc->out_num + desc->in_num == 0) || ++ cmd > ND_CMD_CALL || ++ !test_bit(cmd, &cmd_mask)) + return -ENOTTY; + + /* fail write commands (when read-only) */ +-- +2.20.1 + diff --git a/queue-5.4/mm-hugetlb-fix-build-failure-with-hugetlb_page-but-n.patch b/queue-5.4/mm-hugetlb-fix-build-failure-with-hugetlb_page-but-n.patch new file mode 100644 index 00000000000..c6a7e70727f --- /dev/null +++ b/queue-5.4/mm-hugetlb-fix-build-failure-with-hugetlb_page-but-n.patch 
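Review bot: The new `cmd > ND_CMD_CALL` test in `__nd_ioctl()` bounds the user-supplied command by the highest defined command number, whereas the memory-safety limit for `test_bit(cmd, &cmd_mask)` is the width of `cmd_mask`, which looks like a single `unsigned long` here. The two limits agree only by convention, so I would record the dependency next to the check, e.g. `BUILD_BUG_ON(ND_CMD_CALL >= BITS_PER_LONG);` or a comment `/* cmd indexes the one-word cmd_mask; must stay below BITS_PER_LONG */`. The declarations of `cmd` and `cmd_mask` and the `desc` lookup are outside the hunk.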
@@ -0,0 +1,95 @@ +From 7fb5c447cead2b26f9835ee6077a8cb4fa88d8b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Apr 2020 21:11:54 -0700 +Subject: mm/hugetlb: fix build failure with HUGETLB_PAGE but not HUGEBTLBFS + +From: Christophe Leroy + +[ Upstream commit bb297bb2de517e41199185021f043bbc5d75b377 ] + +When CONFIG_HUGETLB_PAGE is set but not CONFIG_HUGETLBFS, the following +build failure is encoutered: + + In file included from arch/powerpc/mm/fault.c:33:0: + include/linux/hugetlb.h: In function 'hstate_inode': + include/linux/hugetlb.h:477:9: error: implicit declaration of function 'HUGETLBFS_SB' [-Werror=implicit-function-declaration] + return HUGETLBFS_SB(i->i_sb)->hstate; + ^ + include/linux/hugetlb.h:477:30: error: invalid type argument of '->' (have 'int') + return HUGETLBFS_SB(i->i_sb)->hstate; + ^ + +Gate hstate_inode() with CONFIG_HUGETLBFS instead of CONFIG_HUGETLB_PAGE. + +Fixes: a137e1cc6d6e ("hugetlbfs: per mount huge page sizes") +Reported-by: kbuild test robot +Signed-off-by: Christophe Leroy +Signed-off-by: Andrew Morton +Reviewed-by: Mike Kravetz +Cc: Baoquan He +Cc: Nishanth Aravamudan +Cc: Nick Piggin +Cc: Adam Litke +Cc: Andi Kleen +Link: http://lkml.kernel.org/r/7e8c3a3c9a587b9cd8a2f146df32a421b961f3a2.1584432148.git.christophe.leroy@c-s.fr +Link: https://patchwork.ozlabs.org/patch/1255548/#2386036 +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/linux/hugetlb.h | 19 ++++++++----------- + 1 file changed, 8 insertions(+), 11 deletions(-) + +diff --git a/include/linux/hugetlb.h b/include/linux/hugetlb.h +index 53fc34f930d08..8a03f392f3680 100644 +--- a/include/linux/hugetlb.h ++++ b/include/linux/hugetlb.h +@@ -298,7 +298,10 @@ static inline bool is_file_hugepages(struct file *file) + return is_file_shm_hugepages(file); + } + +- ++static inline struct hstate *hstate_inode(struct inode *i) ++{ ++ return HUGETLBFS_SB(i->i_sb)->hstate; ++} + #else /* !CONFIG_HUGETLBFS */ + + #define is_file_hugepages(file) false 
+@@ -310,6 +313,10 @@ hugetlb_file_setup(const char *name, size_t size, vm_flags_t acctflag, + return ERR_PTR(-ENOSYS); + } + ++static inline struct hstate *hstate_inode(struct inode *i) ++{ ++ return NULL; ++} + #endif /* !CONFIG_HUGETLBFS */ + + #ifdef HAVE_ARCH_HUGETLB_UNMAPPED_AREA +@@ -379,11 +386,6 @@ extern unsigned int default_hstate_idx; + + #define default_hstate (hstates[default_hstate_idx]) + +-static inline struct hstate *hstate_inode(struct inode *i) +-{ +- return HUGETLBFS_SB(i->i_sb)->hstate; +-} +- + static inline struct hstate *hstate_file(struct file *f) + { + return hstate_inode(file_inode(f)); +@@ -636,11 +638,6 @@ static inline struct hstate *hstate_vma(struct vm_area_struct *vma) + return NULL; + } + +-static inline struct hstate *hstate_inode(struct inode *i) +-{ +- return NULL; +-} +- + static inline struct hstate *page_hstate(struct page *page) + { + return NULL; +-- +2.20.1 + diff --git a/queue-5.4/net-mlx5e-enforce-setting-of-a-single-fec-mode.patch b/queue-5.4/net-mlx5e-enforce-setting-of-a-single-fec-mode.patch new file mode 100644 index 00000000000..b5c585af6bf --- /dev/null +++ b/queue-5.4/net-mlx5e-enforce-setting-of-a-single-fec-mode.patch 
@@ -0,0 +1,38 @@ +From a875c7ca2ebf6f20696cdcc54a75a982ec67051e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Feb 2020 14:32:49 -0800 +Subject: net/mlx5e: Enforce setting of a single FEC mode + +From: Aya Levin + +[ Upstream commit 4bd9d5070b92da012f2715cf8e4859acb78b8f35 ] + +Ethtool command allow setting of several FEC modes in a single set +command. The driver can only set a single FEC mode at a time. With this +patch driver will reply not-supported on setting several FEC modes. + +Signed-off-by: Aya Levin +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c +index 304ddce6b0872..39ee32518b106 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c +@@ -1548,6 +1548,10 @@ static int mlx5e_set_fecparam(struct net_device *netdev, + int mode; + int err; + ++ if (bitmap_weight((unsigned long *)&fecparam->fec, ++ ETHTOOL_FEC_BASER_BIT + 1) > 1) ++ return -EOPNOTSUPP; ++ + for (mode = 0; mode < ARRAY_SIZE(pplm_fec_2_ethtool); mode++) { + if (!(pplm_fec_2_ethtool[mode] & fecparam->fec)) + continue; +-- +2.20.1 + diff --git a/queue-5.4/nfs-alloc_nfs_open_context-must-use-the-file-cred-wh.patch b/queue-5.4/nfs-alloc_nfs_open_context-must-use-the-file-cred-wh.patch new file mode 100644 index 00000000000..6cd530425d1 --- /dev/null +++ b/queue-5.4/nfs-alloc_nfs_open_context-must-use-the-file-cred-wh.patch 
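Review bot: In `mlx5e_set_fecparam()` the cast `(unsigned long *)&fecparam->fec` makes `bitmap_weight()` load a full `unsigned long` from what appears to be a 32-bit ethtool field (its declaration is not in the hunk). On a 64-bit build that load also covers the neighbouring member, and on big-endian the low-order bits being counted would not come from `fec` at all. Counting on the value itself avoids both problems: `if (hweight32(fecparam->fec & GENMASK(ETHTOOL_FEC_BASER_BIT, 0)) > 1)`.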
@@ -0,0 +1,48 @@ +From 728d7e9fadf681d94110a311a3405865e8e67f96 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Feb 2020 19:32:49 -0500 +Subject: NFS: alloc_nfs_open_context() must use the file cred when available + +From: Trond Myklebust + +[ Upstream commit 1d179d6bd67369a52edea8562154b31ee20be1cc ] + +If we're creating a nfs_open_context() for a specific file pointer, +we must use the cred assigned to that file. + +Fixes: a52458b48af1 ("NFS/NFSD/SUNRPC: replace generic creds with 'struct cred'.") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/inode.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c +index 2a03bfeec10a4..3802c88e83720 100644 +--- a/fs/nfs/inode.c ++++ b/fs/nfs/inode.c +@@ -959,16 +959,16 @@ struct nfs_open_context *alloc_nfs_open_context(struct dentry *dentry, + struct file *filp) + { + struct nfs_open_context *ctx; +- const struct cred *cred = get_current_cred(); + + ctx = kmalloc(sizeof(*ctx), GFP_KERNEL); +- if (!ctx) { +- put_cred(cred); ++ if (!ctx) + return ERR_PTR(-ENOMEM); +- } + nfs_sb_active(dentry->d_sb); + ctx->dentry = dget(dentry); +- ctx->cred = cred; ++ if (filp) ++ ctx->cred = get_cred(filp->f_cred); ++ else ++ ctx->cred = get_current_cred(); + ctx->ll_cred = NULL; + ctx->state = NULL; + ctx->mode = f_mode; +-- +2.20.1 + diff --git a/queue-5.4/nfs-direct.c-fix-memory-leak-of-dreq-when-nfs_get_lo.patch b/queue-5.4/nfs-direct.c-fix-memory-leak-of-dreq-when-nfs_get_lo.patch new file mode 100644 index 00000000000..2e9240fa790 --- /dev/null +++ b/queue-5.4/nfs-direct.c-fix-memory-leak-of-dreq-when-nfs_get_lo.patch 
@@ -0,0 +1,51 @@ +From f03406b2198aa1a62b9dd9193ffaf5d4f6ba30d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Aug 2019 17:01:22 +0900 +Subject: NFS: direct.c: Fix memory leak of dreq when nfs_get_lock_context + fails + +From: Misono Tomohiro + +[ Upstream commit 8605cf0e852af3b2c771c18417499dc4ceed03d5 ] + +When dreq is allocated by nfs_direct_req_alloc(), dreq->kref is +initialized to 2. Therefore we need to call nfs_direct_req_release() +twice to release the allocated dreq. Usually it is called in +nfs_file_direct_{read, write}() and nfs_direct_complete(). + +However, current code only calls nfs_direct_req_relese() once if +nfs_get_lock_context() fails in nfs_file_direct_{read, write}(). +So, that case would result in memory leak. + +Fix this by adding the missing call. + +Signed-off-by: Misono Tomohiro +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/direct.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/nfs/direct.c b/fs/nfs/direct.c +index 29f00da8a0b7f..6b0bf4ebd8124 100644 +--- a/fs/nfs/direct.c ++++ b/fs/nfs/direct.c +@@ -571,6 +571,7 @@ ssize_t nfs_file_direct_read(struct kiocb *iocb, struct iov_iter *iter) + l_ctx = nfs_get_lock_context(dreq->ctx); + if (IS_ERR(l_ctx)) { + result = PTR_ERR(l_ctx); ++ nfs_direct_req_release(dreq); + goto out_release; + } + dreq->l_ctx = l_ctx; +@@ -989,6 +990,7 @@ ssize_t nfs_file_direct_write(struct kiocb *iocb, struct iov_iter *iter) + l_ctx = nfs_get_lock_context(dreq->ctx); + if (IS_ERR(l_ctx)) { + result = PTR_ERR(l_ctx); ++ nfs_direct_req_release(dreq); + goto out_release; + } + dreq->l_ctx = l_ctx; +-- +2.20.1 + diff --git a/queue-5.4/nfs-fix-memory-leaks-in-nfs_pageio_stop_mirroring.patch b/queue-5.4/nfs-fix-memory-leaks-in-nfs_pageio_stop_mirroring.patch new file mode 100644 index 00000000000..0569aac6dcf --- /dev/null +++ b/queue-5.4/nfs-fix-memory-leaks-in-nfs_pageio_stop_mirroring.patch 
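Review bot: The added `nfs_direct_req_release(dreq);` in the nfs_get_lock_context() error branch of nfs_file_direct_read(), and the identical line in nfs_file_direct_write(), sits directly before `goto out_release`, which by its name and the commit message drops a reference too, so it reads like a double put. The reason is given only in the commit message (the kref starts at 2), and the label itself is outside the hunks. I would state it at both call sites, for example `/* kref starts at 2: also drop the reference nfs_direct_complete() would have put */`. Both function bodies start and end outside the hunks.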
@@ -0,0 +1,56 @@ +From 55b29ad6d34e0e27edff7a3c58cf4cf9794e2a2c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 29 Mar 2020 20:06:45 -0400 +Subject: NFS: Fix memory leaks in nfs_pageio_stop_mirroring() + +From: Trond Myklebust + +[ Upstream commit 862f35c94730c9270833f3ad05bd758a29f204ed ] + +If we just set the mirror count to 1 without first clearing out +the mirrors, we can leak queued up requests. + +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/pagelist.c | 17 ++++++++--------- + 1 file changed, 8 insertions(+), 9 deletions(-) + +diff --git a/fs/nfs/pagelist.c b/fs/nfs/pagelist.c +index 8b7c525dbbf7c..b736912098eee 100644 +--- a/fs/nfs/pagelist.c ++++ b/fs/nfs/pagelist.c +@@ -886,15 +886,6 @@ static void nfs_pageio_setup_mirroring(struct nfs_pageio_descriptor *pgio, + pgio->pg_mirror_count = mirror_count; + } + +-/* +- * nfs_pageio_stop_mirroring - stop using mirroring (set mirror count to 1) +- */ +-void nfs_pageio_stop_mirroring(struct nfs_pageio_descriptor *pgio) +-{ +- pgio->pg_mirror_count = 1; +- pgio->pg_mirror_idx = 0; +-} +- + static void nfs_pageio_cleanup_mirroring(struct nfs_pageio_descriptor *pgio) + { + pgio->pg_mirror_count = 1; +@@ -1320,6 +1311,14 @@ void nfs_pageio_cond_complete(struct nfs_pageio_descriptor *desc, pgoff_t index) + } + } + ++/* ++ * nfs_pageio_stop_mirroring - stop using mirroring (set mirror count to 1) ++ */ ++void nfs_pageio_stop_mirroring(struct nfs_pageio_descriptor *pgio) ++{ ++ nfs_pageio_complete(pgio); ++} ++ + int __init nfs_init_nfspagecache(void) + { + nfs_page_cachep = kmem_cache_create("nfs_page", +-- +2.20.1 + diff --git a/queue-5.4/nfsv4-pnfs-return-valid-stateids-in-nfs_layout_find_.patch b/queue-5.4/nfsv4-pnfs-return-valid-stateids-in-nfs_layout_find_.patch new file mode 100644 index 00000000000..eed0205dde4 --- /dev/null +++ b/queue-5.4/nfsv4-pnfs-return-valid-stateids-in-nfs_layout_find_.patch 
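Review bot: The comment re-added above nfs_pageio_stop_mirroring() still reads `stop using mirroring (set mirror count to 1)`, but the new body no longer assigns pg_mirror_count or pg_mirror_idx and only calls nfs_pageio_complete(). Any reset of the mirror count now happens inside that call, whose body is outside the hunk, so the comment describes the old implementation. It should say what happens to queued requests, for example `* nfs_pageio_stop_mirroring - complete the queued requests, then stop using mirroring`. The old version was a pure state reset, so it would also help to note that the function presumably no longer is.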
@@ -0,0 +1,37 @@ +From 7c89e2a735ebee424e7c80a25acb8c7ebf0f1205 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Feb 2020 11:01:12 -0500 +Subject: NFSv4/pnfs: Return valid stateids in + nfs_layout_find_inode_by_stateid() + +From: Trond Myklebust + +[ Upstream commit d911c57a19551c6bef116a3b55c6b089901aacb0 ] + +Make sure to test the stateid for validity so that we catch instances +where the server may have been reusing stateids in +nfs_layout_find_inode_by_stateid(). + +Fixes: 7b410d9ce460 ("pNFS: Delay getting the layout header in CB_LAYOUTRECALL handlers") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/callback_proc.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/nfs/callback_proc.c b/fs/nfs/callback_proc.c +index f39924ba050b1..fc775b0b5194f 100644 +--- a/fs/nfs/callback_proc.c ++++ b/fs/nfs/callback_proc.c +@@ -130,6 +130,8 @@ static struct inode *nfs_layout_find_inode_by_stateid(struct nfs_client *clp, + + list_for_each_entry_rcu(server, &clp->cl_superblocks, client_link) { + list_for_each_entry(lo, &server->layouts, plh_layouts) { ++ if (!pnfs_layout_is_valid(lo)) ++ continue; + if (stateid != NULL && + !nfs4_stateid_match_other(stateid, &lo->plh_stateid)) + continue; +-- +2.20.1 + diff --git a/queue-5.4/nfsv4.2-error-out-when-relink-swapfile.patch b/queue-5.4/nfsv4.2-error-out-when-relink-swapfile.patch new file mode 100644 index 00000000000..358435928ba --- /dev/null +++ b/queue-5.4/nfsv4.2-error-out-when-relink-swapfile.patch 
@@ -0,0 +1,35 @@ +From 1edb2d19b2dec78532420d6bbeef3ff7b7e43231 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Feb 2020 22:34:09 +0800 +Subject: NFSv4.2: error out when relink swapfile + +From: Murphy Zhou + +[ Upstream commit f5fdf1243fb750598b46305dd03c553949cfa14f ] + +This fixes xfstests generic/356 failure on NFSv4.2. + +Signed-off-by: Murphy Zhou +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs4file.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/nfs/nfs4file.c b/fs/nfs/nfs4file.c +index 54f1c1f626fc5..fb55c04cdc6bd 100644 +--- a/fs/nfs/nfs4file.c ++++ b/fs/nfs/nfs4file.c +@@ -210,6 +210,9 @@ static loff_t nfs42_remap_file_range(struct file *src_file, loff_t src_off, + if (remap_flags & ~REMAP_FILE_ADVISORY) + return -EINVAL; + ++ if (IS_SWAPFILE(dst_inode) || IS_SWAPFILE(src_inode)) ++ return -ETXTBSY; ++ + /* check alignment w.r.t. clone_blksize */ + ret = -EINVAL; + if (bs) { +-- +2.20.1 + diff --git a/queue-5.4/percpu_counter-fix-a-data-race-at-vm_committed_as.patch b/queue-5.4/percpu_counter-fix-a-data-race-at-vm_committed_as.patch new file mode 100644 index 00000000000..3740b94071f --- /dev/null +++ b/queue-5.4/percpu_counter-fix-a-data-race-at-vm_committed_as.patch 
@@ -0,0 +1,72 @@ +From 3cd5a492572f1262717de92911199d95728d5450 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Apr 2020 20:10:25 -0700 +Subject: percpu_counter: fix a data race at vm_committed_as + +From: Qian Cai + +[ Upstream commit 7e2345200262e4a6056580f0231cccdaffc825f3 ] + +"vm_committed_as.count" could be accessed concurrently as reported by +KCSAN, + + BUG: KCSAN: data-race in __vm_enough_memory / percpu_counter_add_batch + + write to 0xffffffff9451c538 of 8 bytes by task 65879 on cpu 35: + percpu_counter_add_batch+0x83/0xd0 + percpu_counter_add_batch at lib/percpu_counter.c:91 + __vm_enough_memory+0xb9/0x260 + dup_mm+0x3a4/0x8f0 + copy_process+0x2458/0x3240 + _do_fork+0xaa/0x9f0 + __do_sys_clone+0x125/0x160 + __x64_sys_clone+0x70/0x90 + do_syscall_64+0x91/0xb05 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + + read to 0xffffffff9451c538 of 8 bytes by task 66773 on cpu 19: + __vm_enough_memory+0x199/0x260 + percpu_counter_read_positive at include/linux/percpu_counter.h:81 + (inlined by) __vm_enough_memory at mm/util.c:839 + mmap_region+0x1b2/0xa10 + do_mmap+0x45c/0x700 + vm_mmap_pgoff+0xc0/0x130 + ksys_mmap_pgoff+0x6e/0x300 + __x64_sys_mmap+0x33/0x40 + do_syscall_64+0x91/0xb05 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +The read is outside percpu_counter::lock critical section which results in +a data race. Fix it by adding a READ_ONCE() in +percpu_counter_read_positive() which could also service as the existing +compiler memory barrier. 
+ +Signed-off-by: Qian Cai +Signed-off-by: Andrew Morton +Acked-by: Marco Elver +Link: http://lkml.kernel.org/r/1582302724-2804-1-git-send-email-cai@lca.pw +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/linux/percpu_counter.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/include/linux/percpu_counter.h b/include/linux/percpu_counter.h +index 4f052496cdfd7..0a4f54dd4737b 100644 +--- a/include/linux/percpu_counter.h ++++ b/include/linux/percpu_counter.h +@@ -78,9 +78,9 @@ static inline s64 percpu_counter_read(struct percpu_counter *fbc) + */ + static inline s64 percpu_counter_read_positive(struct percpu_counter *fbc) + { +- s64 ret = fbc->count; ++ /* Prevent reloads of fbc->count */ ++ s64 ret = READ_ONCE(fbc->count); + +- barrier(); /* Prevent reloads of fbc->count */ + if (ret >= 0) + return ret; + return 0; +-- +2.20.1 + diff --git a/queue-5.4/phy-uniphier-usb3ss-add-pro5-support.patch b/queue-5.4/phy-uniphier-usb3ss-add-pro5-support.patch new file mode 100644 index 00000000000..0ab2969dce2 --- /dev/null +++ b/queue-5.4/phy-uniphier-usb3ss-add-pro5-support.patch 
@@ -0,0 +1,37 @@ +From bed76107f337ec3ca1904c3cb3f46c947beb6e78 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Jan 2020 15:52:41 +0900 +Subject: phy: uniphier-usb3ss: Add Pro5 support + +From: Kunihiko Hayashi + +[ Upstream commit 9376fa634afc207a3ce99e0957e04948c34d6510 ] + +Pro5 SoC has same scheme of USB3 ss-phy as Pro4, so the data for Pro5 is +equivalent to Pro4. + +Signed-off-by: Kunihiko Hayashi +Signed-off-by: Kishon Vijay Abraham I +Signed-off-by: Sasha Levin +--- + drivers/phy/socionext/phy-uniphier-usb3ss.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/phy/socionext/phy-uniphier-usb3ss.c b/drivers/phy/socionext/phy-uniphier-usb3ss.c +index ec231e40ef2ac..a7577e316baf5 100644 +--- a/drivers/phy/socionext/phy-uniphier-usb3ss.c ++++ b/drivers/phy/socionext/phy-uniphier-usb3ss.c +@@ -314,6 +314,10 @@ static const struct of_device_id uniphier_u3ssphy_match[] = { + .compatible = "socionext,uniphier-pro4-usb3-ssphy", + .data = &uniphier_pro4_data, + }, ++ { ++ .compatible = "socionext,uniphier-pro5-usb3-ssphy", ++ .data = &uniphier_pro4_data, ++ }, + { + .compatible = "socionext,uniphier-pxs2-usb3-ssphy", + .data = &uniphier_pxs2_data, +-- +2.20.1 + diff --git a/queue-5.4/power-supply-axp288_fuel_gauge-broaden-vendor-check-.patch b/queue-5.4/power-supply-axp288_fuel_gauge-broaden-vendor-check-.patch new file mode 100644 index 00000000000..4b31bfaff26 --- /dev/null +++ b/queue-5.4/power-supply-axp288_fuel_gauge-broaden-vendor-check-.patch 
@@ -0,0 +1,50 @@ +From a12f28d97ed8c2e7c265362663aba3a04bf49816 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Feb 2020 16:59:41 -0600 +Subject: power: supply: axp288_fuel_gauge: Broaden vendor check for Intel + Compute Sticks. + +From: Jeffery Miller + +[ Upstream commit e42fe5b29ac07210297e75f36deefe54edbdbf80 ] + +The Intel Compute Stick `STK1A32SC` can have a system vendor of +"Intel(R) Client Systems". +Broaden the Intel Compute Stick DMI checks so that they match "Intel +Corporation" as well as "Intel(R) Client Systems". + +This fixes an issue where the STK1A32SC compute sticks were still +exposing a battery with the existing blacklist entry. + +Signed-off-by: Jeffery Miller +Reviewed-by: Hans de Goede +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/axp288_fuel_gauge.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/power/supply/axp288_fuel_gauge.c b/drivers/power/supply/axp288_fuel_gauge.c +index e1bc4e6e6f30e..f40fa0e63b6e5 100644 +--- a/drivers/power/supply/axp288_fuel_gauge.c ++++ b/drivers/power/supply/axp288_fuel_gauge.c +@@ -706,14 +706,14 @@ static const struct dmi_system_id axp288_fuel_gauge_blacklist[] = { + { + /* Intel Cherry Trail Compute Stick, Windows version */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Intel Corporation"), ++ DMI_MATCH(DMI_SYS_VENDOR, "Intel"), + DMI_MATCH(DMI_PRODUCT_NAME, "STK1AW32SC"), + }, + }, + { + /* Intel Cherry Trail Compute Stick, version without an OS */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Intel Corporation"), ++ DMI_MATCH(DMI_SYS_VENDOR, "Intel"), + DMI_MATCH(DMI_PRODUCT_NAME, "STK1A32SC"), + }, + }, +-- +2.20.1 + diff --git a/queue-5.4/power-supply-bq27xxx_battery-silence-deferred-probe-.patch b/queue-5.4/power-supply-bq27xxx_battery-silence-deferred-probe-.patch new file mode 100644 index 00000000000..2c0abaf981c --- /dev/null +++ b/queue-5.4/power-supply-bq27xxx_battery-silence-deferred-probe-.patch 
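Review bot: Both blacklist entries now pass `"Intel"` to DMI_MATCH, which compares by substring, so they match every system vendor string containing "Intel" and rely on DMI_PRODUCT_NAME alone to narrow the match. The commit message says this is intended, but nothing in the source does. A comment on the vendor line such as `/* substring match: "Intel Corporation" and "Intel(R) Client Systems" */` would keep a later cleanup from tightening it again or switching to DMI_EXACT_MATCH. The table continues outside the hunk.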
@@ -0,0 +1,45 @@ +From 129d5e90ab5fdddad8bf739204c7814c7bd65aa8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Mar 2020 00:51:43 +0300 +Subject: power: supply: bq27xxx_battery: Silence deferred-probe error +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Dmitry Osipenko + +[ Upstream commit 583b53ece0b0268c542a1eafadb62e3d4b0aab8c ] + +The driver fails to probe with -EPROBE_DEFER if battery's power supply +(charger driver) isn't ready yet and this results in a bit noisy error +message in KMSG during kernel's boot up. Let's silence the harmless +error message. + +Signed-off-by: Dmitry Osipenko +Reviewed-by: Andrew F. Davis +Reviewed-by: Pali Rohár +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/bq27xxx_battery.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/power/supply/bq27xxx_battery.c b/drivers/power/supply/bq27xxx_battery.c +index 195c18c2f426e..664e50103eaaf 100644 +--- a/drivers/power/supply/bq27xxx_battery.c ++++ b/drivers/power/supply/bq27xxx_battery.c +@@ -1885,7 +1885,10 @@ int bq27xxx_battery_setup(struct bq27xxx_device_info *di) + + di->bat = power_supply_register_no_ws(di->dev, psy_desc, &psy_cfg); + if (IS_ERR(di->bat)) { +- dev_err(di->dev, "failed to register battery\n"); ++ if (PTR_ERR(di->bat) == -EPROBE_DEFER) ++ dev_dbg(di->dev, "failed to register battery, deferring probe\n"); ++ else ++ dev_err(di->dev, "failed to register battery\n"); + return PTR_ERR(di->bat); + } + +-- +2.20.1 + diff --git a/queue-5.4/powerpc-maple-fix-declaration-made-after-definition.patch b/queue-5.4/powerpc-maple-fix-declaration-made-after-definition.patch new file mode 100644 index 00000000000..757ea802027 --- /dev/null +++ b/queue-5.4/powerpc-maple-fix-declaration-made-after-definition.patch 
@@ -0,0 +1,92 @@ +From 0184e49cba5c807d55d33bffc50cb3c00801b7fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Mar 2020 15:27:29 -0700 +Subject: powerpc/maple: Fix declaration made after definition + +From: Nathan Chancellor + +[ Upstream commit af6cf95c4d003fccd6c2ecc99a598fb854b537e7 ] + +When building ppc64 defconfig, Clang errors (trimmed for brevity): + + arch/powerpc/platforms/maple/setup.c:365:1: error: attribute declaration + must precede definition [-Werror,-Wignored-attributes] + machine_device_initcall(maple, maple_cpc925_edac_setup); + ^ + +machine_device_initcall expands to __define_machine_initcall, which in +turn has the macro machine_is used in it, which declares mach_##name +with an __attribute__((weak)). define_machine actually defines +mach_##name, which in this file happens before the declaration, hence +the warning. + +To fix this, move define_machine after machine_device_initcall so that +the declaration occurs before the definition, which matches how +machine_device_initcall and define_machine work throughout +arch/powerpc. + +While we're here, remove some spaces before tabs. 
+ +Fixes: 8f101a051ef0 ("edac: cpc925 MC platform device setup") +Reported-by: Nick Desaulniers +Suggested-by: Ilie Halip +Signed-off-by: Nathan Chancellor +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200323222729.15365-1-natechancellor@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/maple/setup.c | 34 ++++++++++++++-------------- + 1 file changed, 17 insertions(+), 17 deletions(-) + +diff --git a/arch/powerpc/platforms/maple/setup.c b/arch/powerpc/platforms/maple/setup.c +index 9cd6f3e1000b3..09a0594350b69 100644 +--- a/arch/powerpc/platforms/maple/setup.c ++++ b/arch/powerpc/platforms/maple/setup.c +@@ -294,23 +294,6 @@ static int __init maple_probe(void) + return 1; + } + +-define_machine(maple) { +- .name = "Maple", +- .probe = maple_probe, +- .setup_arch = maple_setup_arch, +- .init_IRQ = maple_init_IRQ, +- .pci_irq_fixup = maple_pci_irq_fixup, +- .pci_get_legacy_ide_irq = maple_pci_get_legacy_ide_irq, +- .restart = maple_restart, +- .halt = maple_halt, +- .get_boot_time = maple_get_boot_time, +- .set_rtc_time = maple_set_rtc_time, +- .get_rtc_time = maple_get_rtc_time, +- .calibrate_decr = generic_calibrate_decr, +- .progress = maple_progress, +- .power_save = power4_idle, +-}; +- + #ifdef CONFIG_EDAC + /* + * Register a platform device for CPC925 memory controller on +@@ -367,3 +350,20 @@ static int __init maple_cpc925_edac_setup(void) + } + machine_device_initcall(maple, maple_cpc925_edac_setup); + #endif ++ ++define_machine(maple) { ++ .name = "Maple", ++ .probe = maple_probe, ++ .setup_arch = maple_setup_arch, ++ .init_IRQ = maple_init_IRQ, ++ .pci_irq_fixup = maple_pci_irq_fixup, ++ .pci_get_legacy_ide_irq = maple_pci_get_legacy_ide_irq, ++ .restart = maple_restart, ++ .halt = maple_halt, ++ .get_boot_time = maple_get_boot_time, ++ .set_rtc_time = maple_set_rtc_time, ++ .get_rtc_time = maple_get_rtc_time, ++ .calibrate_decr = generic_calibrate_decr, ++ .progress = maple_progress, ++ .power_save = power4_idle, 
++}; +-- +2.20.1 + diff --git a/queue-5.4/powerpc-prom_init-pass-the-os-term-message-to-hyperv.patch b/queue-5.4/powerpc-prom_init-pass-the-os-term-message-to-hyperv.patch new file mode 100644 index 00000000000..be15452c74e --- /dev/null +++ b/queue-5.4/powerpc-prom_init-pass-the-os-term-message-to-hyperv.patch @@ -0,0 +1,42 @@ +From 9744b64b86b97b473a7114a599dd736fe7954b50 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2020 18:44:04 +1100 +Subject: powerpc/prom_init: Pass the "os-term" message to hypervisor + +From: Alexey Kardashevskiy + +[ Upstream commit 74bb84e5117146fa73eb9d01305975c53022b3c3 ] + +The "os-term" RTAS calls has one argument with a message address of OS +termination cause. rtas_os_term() already passes it but the recently +added prom_init's version of that missed it; it also does not fill +args correctly. + +This passes the message address and initializes the number of arguments. + +Fixes: 6a9c930bd775 ("powerpc/prom_init: Add the ESM call to prom_init") +Signed-off-by: Alexey Kardashevskiy +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200312074404.87293-1-aik@ozlabs.ru +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/prom_init.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/powerpc/kernel/prom_init.c b/arch/powerpc/kernel/prom_init.c +index eba9d4ee4baf6..689664cd4e79b 100644 +--- a/arch/powerpc/kernel/prom_init.c ++++ b/arch/powerpc/kernel/prom_init.c +@@ -1761,6 +1761,9 @@ static void __init prom_rtas_os_term(char *str) + if (token == 0) + prom_panic("Could not get token for ibm,os-term\n"); + os_term_args.token = cpu_to_be32(token); ++ os_term_args.nargs = cpu_to_be32(1); ++ os_term_args.nret = cpu_to_be32(1); ++ os_term_args.args[0] = cpu_to_be32(__pa(str)); + prom_rtas_hcall((uint64_t)&os_term_args); + } + #endif /* CONFIG_PPC_SVM */ +-- +2.20.1 + 
diff --git a/queue-5.4/rbd-avoid-a-deadlock-on-header_rwsem-when-flushing-n.patch b/queue-5.4/rbd-avoid-a-deadlock-on-header_rwsem-when-flushing-n.patch new file mode 100644 index 00000000000..c43827adace --- /dev/null +++ b/queue-5.4/rbd-avoid-a-deadlock-on-header_rwsem-when-flushing-n.patch 
@@ -0,0 +1,88 @@ +From 5ba798fd6fed34481c2daff3474a2215cf80a113 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2020 11:20:51 +0100 +Subject: rbd: avoid a deadlock on header_rwsem when flushing notifies + +From: Ilya Dryomov + +[ Upstream commit 0e4e1de5b63fa423b13593337a27fd2d2b0bcf77 ] + +rbd_unregister_watch() flushes notifies and therefore cannot be called +under header_rwsem because a header update notify takes header_rwsem to +synchronize with "rbd map". If mapping an image fails after the watch +is established and a header update notify sneaks in, we deadlock when +erroring out from rbd_dev_image_probe(). + +Move watch registration and unregistration out of the critical section. +The only reason they were put there was to make header_rwsem management +slightly more obvious. + +Fixes: 811c66887746 ("rbd: fix rbd map vs notify races") +Signed-off-by: Ilya Dryomov +Reviewed-by: Jason Dillaman +Signed-off-by: Sasha Levin +--- + drivers/block/rbd.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c +index a67315786db47..bab9c546ba334 100644 +--- a/drivers/block/rbd.c ++++ b/drivers/block/rbd.c +@@ -4636,6 +4636,10 @@ static void cancel_tasks_sync(struct rbd_device *rbd_dev) + cancel_work_sync(&rbd_dev->unlock_work); + } + ++/* ++ * header_rwsem must not be held to avoid a deadlock with ++ * rbd_dev_refresh() when flushing notifies. ++ */ + static void rbd_unregister_watch(struct rbd_device *rbd_dev) + { + cancel_tasks_sync(rbd_dev); +@@ -6942,6 +6946,9 @@ static void rbd_dev_image_release(struct rbd_device *rbd_dev) + * device. If this image is the one being mapped (i.e., not a + * parent), initiate a watch on its header object before using that + * object to get detailed information about the rbd image. ++ * ++ * On success, returns with header_rwsem held for write if called ++ * with @depth == 0. 
+ */ + static int rbd_dev_image_probe(struct rbd_device *rbd_dev, int depth) + { +@@ -6974,6 +6981,9 @@ static int rbd_dev_image_probe(struct rbd_device *rbd_dev, int depth) + } + } + ++ if (!depth) ++ down_write(&rbd_dev->header_rwsem); ++ + ret = rbd_dev_header_info(rbd_dev); + if (ret) + goto err_out_watch; +@@ -7027,6 +7037,8 @@ static int rbd_dev_image_probe(struct rbd_device *rbd_dev, int depth) + err_out_probe: + rbd_dev_unprobe(rbd_dev); + err_out_watch: ++ if (!depth) ++ up_write(&rbd_dev->header_rwsem); + if (!depth) + rbd_unregister_watch(rbd_dev); + err_out_format: +@@ -7085,12 +7097,9 @@ static ssize_t do_rbd_add(struct bus_type *bus, + goto err_out_rbd_dev; + } + +- down_write(&rbd_dev->header_rwsem); + rc = rbd_dev_image_probe(rbd_dev, 0); +- if (rc < 0) { +- up_write(&rbd_dev->header_rwsem); ++ if (rc < 0) + goto err_out_rbd_dev; +- } + + /* If we are mapping a snapshot it must be marked read-only */ + if (rbd_dev->spec->snap_id != CEPH_NOSNAP) +-- +2.20.1 + diff --git a/queue-5.4/rbd-call-rbd_dev_unprobe-after-unwatching-and-flushi.patch b/queue-5.4/rbd-call-rbd_dev_unprobe-after-unwatching-and-flushi.patch new file mode 100644 index 00000000000..bf834e1ecb8 --- /dev/null +++ b/queue-5.4/rbd-call-rbd_dev_unprobe-after-unwatching-and-flushi.patch 
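Review bot: In the err_out_watch path of rbd_dev_image_probe(), calling `up_write(&rbd_dev->header_rwsem)` before `rbd_unregister_watch(rbd_dev)` is what avoids the deadlock, yet the two calls sit in separate `if (!depth)` statements with nothing tying them together. I would merge them into one `if (!depth) { ... }` block holding both calls in that order, with `/* drop header_rwsem before flushing notifies */` above it. That way a later reorder of the error labels cannot silently put the unregister back under the lock. The function body extends beyond the hunks shown.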
@@ -0,0 +1,81 @@ +From 0adc4ac82e92f369f36e2268d336687efcb67f05 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2020 15:52:54 +0100 +Subject: rbd: call rbd_dev_unprobe() after unwatching and flushing notifies + +From: Ilya Dryomov + +[ Upstream commit 952c48b0ed18919bff7528501e9a3fff8a24f8cd ] + +rbd_dev_unprobe() is supposed to undo most of rbd_dev_image_probe(), +including rbd_dev_header_info(), which means that rbd_dev_header_info() +isn't supposed to be called after rbd_dev_unprobe(). + +However, rbd_dev_image_release() calls rbd_dev_unprobe() before +rbd_unregister_watch(). This is racy because a header update notify +can sneak in: + + "rbd unmap" thread ceph-watch-notify worker + + rbd_dev_image_release() + rbd_dev_unprobe() + free and zero out header + rbd_watch_cb() + rbd_dev_refresh() + rbd_dev_header_info() + read in header + +The same goes for "rbd map" because rbd_dev_image_probe() calls +rbd_dev_unprobe() on errors. In both cases this results in a memory +leak. 
+ +Fixes: fd22aef8b47c ("rbd: move rbd_unregister_watch() call into rbd_dev_image_release()") +Signed-off-by: Ilya Dryomov +Reviewed-by: Jason Dillaman +Signed-off-by: Sasha Levin +--- + drivers/block/rbd.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c +index bab9c546ba334..274beda31c356 100644 +--- a/drivers/block/rbd.c ++++ b/drivers/block/rbd.c +@@ -6933,9 +6933,10 @@ static int rbd_dev_header_name(struct rbd_device *rbd_dev) + + static void rbd_dev_image_release(struct rbd_device *rbd_dev) + { +- rbd_dev_unprobe(rbd_dev); + if (rbd_dev->opts) + rbd_unregister_watch(rbd_dev); ++ ++ rbd_dev_unprobe(rbd_dev); + rbd_dev->image_format = 0; + kfree(rbd_dev->spec->image_id); + rbd_dev->spec->image_id = NULL; +@@ -6986,7 +6987,7 @@ static int rbd_dev_image_probe(struct rbd_device *rbd_dev, int depth) + + ret = rbd_dev_header_info(rbd_dev); + if (ret) +- goto err_out_watch; ++ goto err_out_probe; + + /* + * If this image is the one being mapped, we have pool name and +@@ -7035,12 +7036,11 @@ static int rbd_dev_image_probe(struct rbd_device *rbd_dev, int depth) + return 0; + + err_out_probe: +- rbd_dev_unprobe(rbd_dev); +-err_out_watch: + if (!depth) + up_write(&rbd_dev->header_rwsem); + if (!depth) + rbd_unregister_watch(rbd_dev); ++ rbd_dev_unprobe(rbd_dev); + err_out_format: + rbd_dev->image_format = 0; + kfree(rbd_dev->spec->image_id); +-- +2.20.1 + diff --git a/queue-5.4/rtc-88pm860x-fix-possible-race-condition.patch b/queue-5.4/rtc-88pm860x-fix-possible-race-condition.patch new file mode 100644 index 00000000000..87a2e9d98d0 --- /dev/null +++ b/queue-5.4/rtc-88pm860x-fix-possible-race-condition.patch 
@@ -0,0 +1,62 @@ +From a7bed82170aa55afd73ed133966b4b44b26f0a9f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Mar 2020 23:39:51 +0100 +Subject: rtc: 88pm860x: fix possible race condition + +From: Alexandre Belloni + +[ Upstream commit 9cf4789e6e4673d0b2c96fa6bb0c35e81b43111a ] + +The RTC IRQ is requested before the struct rtc_device is allocated, +this may lead to a NULL pointer dereference in the IRQ handler. + +To fix this issue, allocating the rtc_device struct before requesting +the RTC IRQ using devm_rtc_allocate_device, and use rtc_register_device +to register the RTC device. + +Also remove the unnecessary error message as the core already prints the +info. + +Link: https://lore.kernel.org/r/20200311223956.51352-1-alexandre.belloni@bootlin.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-88pm860x.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/drivers/rtc/rtc-88pm860x.c b/drivers/rtc/rtc-88pm860x.c +index 4743b16a8d849..1526402e126b2 100644 +--- a/drivers/rtc/rtc-88pm860x.c ++++ b/drivers/rtc/rtc-88pm860x.c +@@ -336,6 +336,10 @@ static int pm860x_rtc_probe(struct platform_device *pdev) + info->dev = &pdev->dev; + dev_set_drvdata(&pdev->dev, info); + ++ info->rtc_dev = devm_rtc_allocate_device(&pdev->dev); ++ if (IS_ERR(info->rtc_dev)) ++ return PTR_ERR(info->rtc_dev); ++ + ret = devm_request_threaded_irq(&pdev->dev, info->irq, NULL, + rtc_update_handler, IRQF_ONESHOT, "rtc", + info); +@@ -377,13 +381,11 @@ static int pm860x_rtc_probe(struct platform_device *pdev) + } + } + +- info->rtc_dev = devm_rtc_device_register(&pdev->dev, "88pm860x-rtc", +- &pm860x_rtc_ops, THIS_MODULE); +- ret = PTR_ERR(info->rtc_dev); +- if (IS_ERR(info->rtc_dev)) { +- dev_err(&pdev->dev, "Failed to register RTC device: %d\n", ret); ++ info->rtc_dev->ops = &pm860x_rtc_ops; ++ ++ ret = rtc_register_device(info->rtc_dev); ++ if (ret) + return ret; +- } + + /* + * enable internal XO instead of 
internal 3.25MHz clock since it can +-- +2.20.1 + diff --git a/queue-5.4/s390-cpuinfo-fix-wrong-output-when-cpu0-is-offline.patch b/queue-5.4/s390-cpuinfo-fix-wrong-output-when-cpu0-is-offline.patch new file mode 100644 index 00000000000..c71f5845c99 --- /dev/null +++ b/queue-5.4/s390-cpuinfo-fix-wrong-output-when-cpu0-is-offline.patch @@ -0,0 +1,49 @@ +From c9695799d6afadb10697ab71746d3faabe64c248 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2020 12:39:55 +0100 +Subject: s390/cpuinfo: fix wrong output when CPU0 is offline + +From: Alexander Gordeev + +[ Upstream commit 872f27103874a73783aeff2aac2b41a489f67d7c ] + +/proc/cpuinfo should not print information about CPU 0 when it is offline. + +Fixes: 281eaa8cb67c ("s390/cpuinfo: simplify locking and skip offline cpus early") +Signed-off-by: Alexander Gordeev +Reviewed-by: Heiko Carstens +[heiko.carstens@de.ibm.com: shortened commit message] +Signed-off-by: Heiko Carstens +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/processor.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/arch/s390/kernel/processor.c b/arch/s390/kernel/processor.c +index 6ebc2117c66c7..91b9b3f73de6e 100644 +--- a/arch/s390/kernel/processor.c ++++ b/arch/s390/kernel/processor.c +@@ -165,8 +165,9 @@ static void show_cpu_mhz(struct seq_file *m, unsigned long n) + static int show_cpuinfo(struct seq_file *m, void *v) + { + unsigned long n = (unsigned long) v - 1; ++ unsigned long first = cpumask_first(cpu_online_mask); + +- if (!n) ++ if (n == first) + show_cpu_summary(m, v); + if (!machine_has_cpu_mhz) + return 0; +@@ -179,6 +180,8 @@ static inline void *c_update(loff_t *pos) + { + if (*pos) + *pos = cpumask_next(*pos - 1, cpu_online_mask); ++ else ++ *pos = cpumask_first(cpu_online_mask); + return *pos < nr_cpu_ids ? (void *)*pos + 1 : NULL; + } + +-- +2.20.1 + 
diff --git a/queue-5.4/s390-cpum_sf-fix-wrong-page-count-in-error-message.patch b/queue-5.4/s390-cpum_sf-fix-wrong-page-count-in-error-message.patch new file mode 100644 index 00000000000..b369870f09e --- /dev/null +++ b/queue-5.4/s390-cpum_sf-fix-wrong-page-count-in-error-message.patch 
@@ -0,0 +1,54 @@ +From fea43d563c008f16f73d991615bc3bd4d2d3ea9d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Mar 2020 11:09:07 +0100 +Subject: s390/cpum_sf: Fix wrong page count in error message + +From: Thomas Richter + +[ Upstream commit 4141b6a5e9f171325effc36a22eb92bf961e7a5c ] + +When perf record -e SF_CYCLES_BASIC_DIAG runs with very high +frequency, the samples arrive faster than the perf process can +save them to file. Eventually, for longer running processes, this +leads to the siutation where the trace buffers allocated by perf +slowly fills up. At one point the auxiliary trace buffer is full +and the CPU Measurement sampling facility is turned off. Furthermore +a warning is printed to the kernel log buffer: + +cpum_sf: The AUX buffer with 0 pages for the diagnostic-sampling + mode is full + +The number of allocated pages for the auxiliary trace buffer is shown +as zero pages. That is wrong. + +Fix this by saving the number of allocated pages before entering the +work loop in the interrupt handler. When the interrupt handler processes +the samples, it may detect the buffer full condition and stop sampling, +reducing the buffer size to zero. +Print the correct value in the error message: + +cpum_sf: The AUX buffer with 256 pages for the diagnostic-sampling + mode is full + +Signed-off-by: Thomas Richter +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/perf_cpum_sf.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/s390/kernel/perf_cpum_sf.c b/arch/s390/kernel/perf_cpum_sf.c +index fdb8083e7870c..229e1e2f8253a 100644 +--- a/arch/s390/kernel/perf_cpum_sf.c ++++ b/arch/s390/kernel/perf_cpum_sf.c +@@ -1589,6 +1589,7 @@ static void hw_collect_aux(struct cpu_hw_sf *cpuhw) + perf_aux_output_end(handle, size); + num_sdb = aux->sfb.num_sdb; + ++ num_sdb = aux->sfb.num_sdb; + while (!done) { + /* Get an output handle */ + aux = perf_aux_output_begin(handle, cpuhw->event); +-- +2.20.1 + 
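Review bot: The line this patch adds in hw_collect_aux(), `num_sdb = aux->sfb.num_sdb;`, is identical to the context line two lines above it, directly after `perf_aux_output_end(handle, size);`. That suggests the base tree already carries the upstream fix, so applying this would leave a redundant second assignment before `while (!done)`. It is harmless at runtime, but it is worth checking whether the patch should be dropped from the queue rather than applied. The function body continues outside the hunk.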
diff --git a/queue-5.4/series b/queue-5.4/series index 804f71fa76a..58ffa23f177 100644 --- a/queue-5.4/series +++ b/queue-5.4/series 
@@ -29,3 +29,72 @@ afs-fix-race-between-post-modification-dir-edit-and-readdir-d_revalidate.patch
 block-bfq-turn-put_queue-into-release_process_ref-in-__bfq_bic_change_cgroup.patch
 block-bfq-make-reparent_leaf_entity-actually-work-only-on-leaf-entities.patch
 block-bfq-invoke-flush_idle_tree-after-reparent_active_queues-in-pd_offline.patch
+rbd-avoid-a-deadlock-on-header_rwsem-when-flushing-n.patch
+rbd-call-rbd_dev_unprobe-after-unwatching-and-flushi.patch
+x86-hyper-v-free-hv_panic_page-when-fail-to-register.patch
+drm-ttm-flush-the-fence-on-the-bo-after-we-individua.patch
+clk-don-t-cache-errors-from-clk_ops-get_phase.patch
+clk-at91-usb-continue-if-clk_hw_round_rate-return-ze.patch
+net-mlx5e-enforce-setting-of-a-single-fec-mode.patch
+f2fs-fix-the-panic-in-do_checkpoint.patch
+arm-dts-rockchip-fix-vqmmc-supply-property-name-for-.patch
+arm64-dts-allwinner-a64-fix-display-clock-register-r.patch
+power-supply-bq27xxx_battery-silence-deferred-probe-.patch
+clk-tegra-fix-tegra-pmc-clock-out-parents.patch
+arm64-tegra-add-pcie-endpoint-controllers-nodes-for-.patch
+arm64-tegra-fix-tegra194-pcie-compatible-string.patch
+arm64-dts-clearfog-gt-8k-set-gigabit-phy-reset-deass.patch
+soc-imx-gpc-fix-power-up-sequencing.patch
+dma-coherent-fix-integer-overflow-in-the-reserved-me.patch
+rtc-88pm860x-fix-possible-race-condition.patch
+nfs-alloc_nfs_open_context-must-use-the-file-cred-wh.patch
+nfsv4-pnfs-return-valid-stateids-in-nfs_layout_find_.patch
+nfsv4.2-error-out-when-relink-swapfile.patch
+arm-dts-rockchip-fix-lvds-encoder-ports-subnode-for-.patch
+kvm-ppc-book3s-hv-fix-h_cede-return-code-for-nested-.patch
+f2fs-fix-to-show-norecovery-mount-option.patch
+phy-uniphier-usb3ss-add-pro5-support.patch
+nfs-direct.c-fix-memory-leak-of-dreq-when-nfs_get_lo.patch
+f2fs-fix-mount-failure-due-to-spo-after-a-successful.patch
+f2fs-add-a-new-cp-flag-to-help-fsck-fix-resize-spo-i.patch
+s390-cpuinfo-fix-wrong-output-when-cpu0-is-offline.patch
+hibernate-allow-uswsusp-to-write-to-swap.patch
+btrfs-add-rcu-locks-around-block-group-initializatio.patch
+powerpc-prom_init-pass-the-os-term-message-to-hyperv.patch
+powerpc-maple-fix-declaration-made-after-definition.patch
+s390-cpum_sf-fix-wrong-page-count-in-error-message.patch
+ext4-do-not-commit-super-on-read-only-bdev.patch
+um-ubd-prevent-buffer-overrun-on-command-completion.patch
+cifs-allocate-encryption-header-through-kmalloc.patch
+mm-hugetlb-fix-build-failure-with-hugetlb_page-but-n.patch
+drm-nouveau-svm-check-for-svm-initialized-before-mig.patch
+drm-nouveau-svm-fix-vma-range-check-for-migration.patch
+include-linux-swapops.h-correct-guards-for-non_swap_.patch
+percpu_counter-fix-a-data-race-at-vm_committed_as.patch
+compiler.h-fix-error-in-build_bug_on-reporting.patch
+kvm-s390-vsie-fix-possible-race-when-shadowing-regio.patch
+drm-nouveau-workaround-runpm-fail-by-disabling-pci-p.patch
+leds-core-fix-warning-message-when-init_data.patch
+x86-acpi-fix-cpu-hotplug-deadlock.patch
+csky-fixup-cpu-speculative-execution-to-io-area.patch
+drm-amdkfd-kfree-the-wrong-pointer.patch
+nfs-fix-memory-leaks-in-nfs_pageio_stop_mirroring.patch
+csky-fixup-get-wrong-psr-value-from-phyical-reg.patch
+f2fs-fix-null-pointer-dereference-in-f2fs_write_begi.patch
+acpica-fixes-for-acpiexec-namespace-init-file.patch
+um-falloc.h-needs-to-be-directly-included-for-older-.patch
+drm-vc4-fix-hdmi-mode-validation.patch
+iommu-virtio-fix-freeing-of-incomplete-domains.patch
+iommu-vt-d-fix-mm-reference-leak.patch
+sunrpc-fix-krb5p-mount-to-provide-large-enough-buffe.patch
+ext2-fix-empty-body-warnings-when-wextra-is-used.patch
+iommu-vt-d-silence-rcu-list-debugging-warning-in-dma.patch
+iommu-vt-d-fix-page-request-descriptor-size.patch
+ext2-fix-debug-reference-to-ext2_xattr_cache.patch
+sunrpc-fix-gss_unwrap_resp_integ-again.patch
+csky-fixup-init_fpu-compile-warning-with-__init.patch
+power-supply-axp288_fuel_gauge-broaden-vendor-check-.patch
+libnvdimm-out-of-bounds-read-in-__nd_ioctl.patch
+iommu-amd-fix-the-configuration-of-gcr3-table-root-p.patch
+f2fs-fix-to-wait-all-node-page-writeback.patch
+drm-nouveau-gr-gp107-gp108-implement-workaround-for-.patch
diff --git a/queue-5.4/soc-imx-gpc-fix-power-up-sequencing.patch b/queue-5.4/soc-imx-gpc-fix-power-up-sequencing.patch
new file mode 100644
index 00000000000..2e96b6e1c1d
--- /dev/null
+++ b/queue-5.4/soc-imx-gpc-fix-power-up-sequencing.patch
@@ -0,0 +1,78 @@ +From 5d1756acdb97b68ddd8141fd245e8fee0e82f2c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2020 11:09:12 +0100 +Subject: soc: imx: gpc: fix power up sequencing + +From: Lucas Stach + +[ Upstream commit e0ea2d11f8a08ba7066ff897e16c5217215d1e68 ] + +Currently we wait only until the PGC inverts the isolation setting +before disabling the peripheral clocks. This doesn't ensure that the +reset is properly propagated through the peripheral devices in the +power domain. + +Wait until the PGC signals that the power up request is done and +wait a bit for resets to propagate before disabling the clocks. + +Signed-off-by: Lucas Stach +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + drivers/soc/imx/gpc.c | 24 +++++++++++++----------- + 1 file changed, 13 insertions(+), 11 deletions(-) + +diff --git a/drivers/soc/imx/gpc.c b/drivers/soc/imx/gpc.c +index 98b9d9a902ae3..90a8b2c0676ff 100644 +--- a/drivers/soc/imx/gpc.c ++++ b/drivers/soc/imx/gpc.c +@@ -87,8 +87,8 @@ static int imx6_pm_domain_power_off(struct generic_pm_domain *genpd) + static int imx6_pm_domain_power_on(struct generic_pm_domain *genpd) + { + struct imx_pm_domain *pd = to_imx_pm_domain(genpd); +- int i, ret, sw, sw2iso; +- u32 val; ++ int i, ret; ++ u32 val, req; + + if (pd->supply) { + ret = regulator_enable(pd->supply); +@@ -107,17 +107,18 @@ static int imx6_pm_domain_power_on(struct generic_pm_domain *genpd) + regmap_update_bits(pd->regmap, pd->reg_offs + GPC_PGC_CTRL_OFFS, + 0x1, 0x1); + +- /* Read ISO and ISO2SW power up delays */ +- regmap_read(pd->regmap, pd->reg_offs + GPC_PGC_PUPSCR_OFFS, &val); +- sw = val & 0x3f; +- sw2iso = (val >> 8) & 0x3f; +- + /* Request GPC to power up domain */ +- val = BIT(pd->cntr_pdn_bit + 1); +- regmap_update_bits(pd->regmap, GPC_CNTR, val, val); ++ req = BIT(pd->cntr_pdn_bit + 1); ++ regmap_update_bits(pd->regmap, GPC_CNTR, req, req); + +- /* Wait ISO + ISO2SW IPG clock cycles */ +- udelay(DIV_ROUND_UP(sw + sw2iso, 
pd->ipg_rate_mhz)); ++ /* Wait for the PGC to handle the request */ ++ ret = regmap_read_poll_timeout(pd->regmap, GPC_CNTR, val, !(val & req), ++ 1, 50); ++ if (ret) ++ pr_err("powerup request on domain %s timed out\n", genpd->name); ++ ++ /* Wait for reset to propagate through peripherals */ ++ usleep_range(5, 10); + + /* Disable reset clocks for all devices in the domain */ + for (i = 0; i < pd->num_clks; i++) +@@ -343,6 +344,7 @@ static const struct regmap_config imx_gpc_regmap_config = { + .rd_table = &access_table, + .wr_table = &access_table, + .max_register = 0x2ac, ++ .fast_io = true, + }; + + static struct generic_pm_domain *imx_gpc_onecell_domains[] = { +-- +2.20.1 + diff --git a/queue-5.4/sunrpc-fix-gss_unwrap_resp_integ-again.patch b/queue-5.4/sunrpc-fix-gss_unwrap_resp_integ-again.patch new file mode 100644 index 00000000000..b90a8ebc2e0 --- /dev/null +++ b/queue-5.4/sunrpc-fix-gss_unwrap_resp_integ-again.patch 
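Review bot: When `regmap_read_poll_timeout()` times out in imx6_pm_domain_power_on(), the new code only logs with `pr_err()` and then carries on to the reset delay and the clock loop, so `ret` is never acted on inside the hunk. If the function still returns 0 further down (its tail is outside the hunk), the caller is told that a domain is up which the PGC never acknowledged; consider leaving through a path that undoes `regulator_enable()` and returns `ret`. The poll arguments `1, 50` and the `usleep_range(5, 10)` bounds would read better as named constants with a comment on where the values come from. The added `.fast_io = true` also deserves a one-line comment on why the regmap locking changes.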
@@ -0,0 +1,178 @@ +From 056d4372e27a2542d02902043e99682e03262d8b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Mar 2020 11:21:07 -0400 +Subject: sunrpc: Fix gss_unwrap_resp_integ() again + +From: Chuck Lever + +[ Upstream commit 4047aa909c4a40fceebc36fff708d465a4d3c6e2 ] + +xdr_buf_read_mic() tries to find unused contiguous space in a +received xdr_buf in order to linearize the checksum for the call +to gss_verify_mic. However, the corner cases in this code are +numerous and we seem to keep missing them. I've just hit yet +another buffer overrun related to it. + +This overrun is at the end of xdr_buf_read_mic(): + +1284 if (buf->tail[0].iov_len != 0) +1285 mic->data = buf->tail[0].iov_base + buf->tail[0].iov_len; +1286 else +1287 mic->data = buf->head[0].iov_base + buf->head[0].iov_len; +1288 __read_bytes_from_xdr_buf(&subbuf, mic->data, mic->len); +1289 return 0; + +This logic assumes the transport has set the length of the tail +based on the size of the received message. base + len is then +supposed to be off the end of the message but still within the +actual buffer. + +In fact, the length of the tail is set by the upper layer when the +Call is encoded so that the end of the tail is actually the end of +the allocated buffer itself. This causes the logic above to set +mic->data to point past the end of the receive buffer. + +The "mic->data = head" arm of this if statement is no less fragile. + +As near as I can tell, this has been a problem forever. I'm not sure +that minimizing au_rslack recently changed this pathology much. + +So instead, let's use a more straightforward approach: kmalloc a +separate buffer to linearize the checksum. This is similar to +how gss_validate() currently works. + +Coming back to this code, I had some trouble understanding what +was going on. So I've cleaned up the variable naming and added +a few comments that point back to the XDR definition in RFC 2203 +to help guide future spelunkers, including myself. 
+ +As an added clean up, the functionality that was in +xdr_buf_read_mic() is folded directly into gss_unwrap_resp_integ(), +as that is its only caller. + +Signed-off-by: Chuck Lever +Reviewed-by: Benjamin Coddington +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + net/sunrpc/auth_gss/auth_gss.c | 77 +++++++++++++++++++++++++--------- + 1 file changed, 58 insertions(+), 19 deletions(-) + +diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c +index f9e1a7e61eda0..ff5fcb3e12084 100644 +--- a/net/sunrpc/auth_gss/auth_gss.c ++++ b/net/sunrpc/auth_gss/auth_gss.c +@@ -1935,35 +1935,69 @@ gss_unwrap_resp_auth(struct rpc_cred *cred) + return 0; + } + ++/* ++ * RFC 2203, Section 5.3.2.2 ++ * ++ * struct rpc_gss_integ_data { ++ * opaque databody_integ<>; ++ * opaque checksum<>; ++ * }; ++ * ++ * struct rpc_gss_data_t { ++ * unsigned int seq_num; ++ * proc_req_arg_t arg; ++ * }; ++ */ + static int + gss_unwrap_resp_integ(struct rpc_task *task, struct rpc_cred *cred, + struct gss_cl_ctx *ctx, struct rpc_rqst *rqstp, + struct xdr_stream *xdr) + { +- struct xdr_buf integ_buf, *rcv_buf = &rqstp->rq_rcv_buf; +- u32 data_offset, mic_offset, integ_len, maj_stat; ++ struct xdr_buf gss_data, *rcv_buf = &rqstp->rq_rcv_buf; + struct rpc_auth *auth = cred->cr_auth; ++ u32 len, offset, seqno, maj_stat; + struct xdr_netobj mic; +- __be32 *p; ++ int ret; + +- p = xdr_inline_decode(xdr, 2 * sizeof(*p)); +- if (unlikely(!p)) ++ ret = -EIO; ++ mic.data = NULL; ++ ++ /* opaque databody_integ<>; */ ++ if (xdr_stream_decode_u32(xdr, &len)) + goto unwrap_failed; +- integ_len = be32_to_cpup(p++); +- if (integ_len & 3) ++ if (len & 3) + goto unwrap_failed; +- data_offset = (u8 *)(p) - (u8 *)rcv_buf->head[0].iov_base; +- mic_offset = integ_len + data_offset; +- if (mic_offset > rcv_buf->len) ++ offset = rcv_buf->len - xdr_stream_remaining(xdr); ++ if (xdr_stream_decode_u32(xdr, &seqno)) + goto unwrap_failed; +- if (be32_to_cpup(p) != rqstp->rq_seqno) ++ if 
(seqno != rqstp->rq_seqno) + goto bad_seqno; ++ if (xdr_buf_subsegment(rcv_buf, &gss_data, offset, len)) ++ goto unwrap_failed; + +- if (xdr_buf_subsegment(rcv_buf, &integ_buf, data_offset, integ_len)) ++ /* ++ * The xdr_stream now points to the beginning of the ++ * upper layer payload, to be passed below to ++ * rpcauth_unwrap_resp_decode(). The checksum, which ++ * follows the upper layer payload in @rcv_buf, is ++ * located and parsed without updating the xdr_stream. ++ */ ++ ++ /* opaque checksum<>; */ ++ offset += len; ++ if (xdr_decode_word(rcv_buf, offset, &len)) ++ goto unwrap_failed; ++ offset += sizeof(__be32); ++ if (offset + len > rcv_buf->len) + goto unwrap_failed; +- if (xdr_buf_read_mic(rcv_buf, &mic, mic_offset)) ++ mic.len = len; ++ mic.data = kmalloc(len, GFP_NOFS); ++ if (!mic.data) ++ goto unwrap_failed; ++ if (read_bytes_from_xdr_buf(rcv_buf, offset, mic.data, mic.len)) + goto unwrap_failed; +- maj_stat = gss_verify_mic(ctx->gc_gss_ctx, &integ_buf, &mic); ++ ++ maj_stat = gss_verify_mic(ctx->gc_gss_ctx, &gss_data, &mic); + if (maj_stat == GSS_S_CONTEXT_EXPIRED) + clear_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags); + if (maj_stat != GSS_S_COMPLETE) +@@ -1971,16 +2005,21 @@ gss_unwrap_resp_integ(struct rpc_task *task, struct rpc_cred *cred, + + auth->au_rslack = auth->au_verfsize + 2 + 1 + XDR_QUADLEN(mic.len); + auth->au_ralign = auth->au_verfsize + 2; +- return 0; ++ ret = 0; ++ ++out: ++ kfree(mic.data); ++ return ret; ++ + unwrap_failed: + trace_rpcgss_unwrap_failed(task); +- return -EIO; ++ goto out; + bad_seqno: +- trace_rpcgss_bad_seqno(task, rqstp->rq_seqno, be32_to_cpup(p)); +- return -EIO; ++ trace_rpcgss_bad_seqno(task, rqstp->rq_seqno, seqno); ++ goto out; + bad_mic: + trace_rpcgss_verify_mic(task, maj_stat); +- return -EIO; ++ goto out; + } + + static int +-- +2.20.1 + 
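Review bot: The bound check `if (offset + len > rcv_buf->len)` adds two `u32` values, and `len` comes straight from the reply via `xdr_decode_word()`, so a very large checksum length can wrap the sum and pass the check. The wrapped case then reaches `kmalloc(len, GFP_NOFS)` with the raw wire value; whether `read_bytes_from_xdr_buf()` rejects it afterwards is not visible here. Since `xdr_decode_word()` has just succeeded at the previous offset, `offset` should not exceed `rcv_buf->len` at this point, so the subtraction form is safe from underflow: `if (len > rcv_buf->len - offset)`. Part of gss_unwrap_resp_integ() lies between the two inner hunks and is not shown.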
diff --git a/queue-5.4/sunrpc-fix-krb5p-mount-to-provide-large-enough-buffe.patch b/queue-5.4/sunrpc-fix-krb5p-mount-to-provide-large-enough-buffe.patch
new file mode 100644
index 00000000000..a2350516b8b
--- /dev/null
+++ b/queue-5.4/sunrpc-fix-krb5p-mount-to-provide-large-enough-buffe.patch
@@ -0,0 +1,124 @@ +From 7da9b8fc54499495d46109fd8853d7178f4cca70 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Mar 2020 10:24:51 -0400 +Subject: SUNRPC: fix krb5p mount to provide large enough buffer in rq_rcvsize + +From: Olga Kornievskaia + +[ Upstream commit df513a7711712758b9cb1a48d86712e7e1ee03f4 ] + +Ever since commit 2c94b8eca1a2 ("SUNRPC: Use au_rslack when computing +reply buffer size"). It changed how "req->rq_rcvsize" is calculated. It +used to use au_cslack value which was nice and large and changed it to +au_rslack value which turns out to be too small. + +Since 5.1, v3 mount with sec=krb5p fails against an Ontap server +because client's receive buffer it too small. + +For gss krb5p, we need to account for the mic token in the verifier, +and the wrap token in the wrap token. + +RFC 4121 defines: +mic token +Octet no Name Description + -------------------------------------------------------------- + 0..1 TOK_ID Identification field. Tokens emitted by + GSS_GetMIC() contain the hex value 04 04 + expressed in big-endian order in this + field. + 2 Flags Attributes field, as described in section + 4.2.2. + 3..7 Filler Contains five octets of hex value FF. + 8..15 SND_SEQ Sequence number field in clear text, + expressed in big-endian order. + 16..last SGN_CKSUM Checksum of the "to-be-signed" data and + octet 0..15, as described in section 4.2.4. + +that's 16bytes (GSS_KRB5_TOK_HDR_LEN) + chksum + +wrap token +Octet no Name Description + -------------------------------------------------------------- + 0..1 TOK_ID Identification field. Tokens emitted by + GSS_Wrap() contain the hex value 05 04 + expressed in big-endian order in this + field. + 2 Flags Attributes field, as described in section + 4.2.2. + 3 Filler Contains the hex value FF. + 4..5 EC Contains the "extra count" field, in big- + endian order as described in section 4.2.3. + 6..7 RRC Contains the "right rotation count" in big- + endian order, as described in section + 4.2.5. 
+ 8..15 SND_SEQ Sequence number field in clear text, + expressed in big-endian order. + 16..last Data Encrypted data for Wrap tokens with + confidentiality, or plaintext data followed + by the checksum for Wrap tokens without + confidentiality, as described in section + 4.2.4. + +Also 16bytes of header (GSS_KRB5_TOK_HDR_LEN), encrypted data, and cksum +(other things like padding) + +RFC 3961 defines known cksum sizes: +Checksum type sumtype checksum section or + value size reference + --------------------------------------------------------------------- + CRC32 1 4 6.1.3 + rsa-md4 2 16 6.1.2 + rsa-md4-des 3 24 6.2.5 + des-mac 4 16 6.2.7 + des-mac-k 5 8 6.2.8 + rsa-md4-des-k 6 16 6.2.6 + rsa-md5 7 16 6.1.1 + rsa-md5-des 8 24 6.2.4 + rsa-md5-des3 9 24 ?? + sha1 (unkeyed) 10 20 ?? + hmac-sha1-des3-kd 12 20 6.3 + hmac-sha1-des3 13 20 ?? + sha1 (unkeyed) 14 20 ?? + hmac-sha1-96-aes128 15 20 [KRB5-AES] + hmac-sha1-96-aes256 16 20 [KRB5-AES] + [reserved] 0x8003 ? [GSS-KRB5] + +Linux kernel now mainly supports type 15,16 so max cksum size is 20bytes. +(GSS_KRB5_MAX_CKSUM_LEN) + +Re-use already existing define of GSS_KRB5_MAX_SLACK_NEEDED that's used +for encoding the gss_wrap tokens (same tokens are used in reply). 
+ +Fixes: 2c94b8eca1a2 ("SUNRPC: Use au_rslack when computing reply buffer size") +Signed-off-by: Olga Kornievskaia +Reviewed-by: Chuck Lever +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + net/sunrpc/auth_gss/auth_gss.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c +index d75fddca44c94..f9e1a7e61eda0 100644 +--- a/net/sunrpc/auth_gss/auth_gss.c ++++ b/net/sunrpc/auth_gss/auth_gss.c +@@ -20,6 +20,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -1050,7 +1051,7 @@ gss_create_new(const struct rpc_auth_create_args *args, struct rpc_clnt *clnt) + goto err_put_mech; + auth = &gss_auth->rpc_auth; + auth->au_cslack = GSS_CRED_SLACK >> 2; +- auth->au_rslack = GSS_VERF_SLACK >> 2; ++ auth->au_rslack = GSS_KRB5_MAX_SLACK_NEEDED >> 2; + auth->au_verfsize = GSS_VERF_SLACK >> 2; + auth->au_ralign = GSS_VERF_SLACK >> 2; + auth->au_flags = 0; +-- +2.20.1 + diff --git a/queue-5.4/um-falloc.h-needs-to-be-directly-included-for-older-.patch b/queue-5.4/um-falloc.h-needs-to-be-directly-included-for-older-.patch new file mode 100644 index 00000000000..013200a828a --- /dev/null +++ b/queue-5.4/um-falloc.h-needs-to-be-directly-included-for-older-.patch 
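Review bot: In gss_create_new() the reply slack is now sized with a Kerberos-specific constant, `auth->au_rslack = GSS_KRB5_MAX_SLACK_NEEDED >> 2;`, next to lines that use the generic `GSS_CRED_SLACK` and `GSS_VERF_SLACK`, and nothing on the line says why. A short comment would save the next reader a trip to the commit message, for example `/* replies may carry a krb5 wrap token; reserve room for its header and checksum */`. The `>> 2` presumably converts bytes to 32-bit XDR words, which the same comment could state. gss_create_new() starts and ends outside the hunk.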
@@ -0,0 +1,47 @@
+From 2d8e57fa6c972c2fc687e031c02d682e4685a94d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 17 Mar 2020 17:35:34 +0000
+Subject: um: falloc.h needs to be directly included for older libc
+
+From: Alan Maguire
+
+[ Upstream commit 35f3401317a3b26aa01fde8facfd320f2628fdcc ]
+
+When building UML with glibc 2.17 installed, compilation
+of arch/um/os-Linux/file.c fails due to failure to find
+FALLOC_FL_PUNCH_HOLE and FALLOC_FL_KEEP_SIZE definitions.
+
+It appears that /usr/include/bits/fcntl-linux.h (indirectly
+included by /usr/include/fcntl.h) does not include falloc.h
+with an older glibc, whereas a more up-to-date version
+does.
+
+Adding the direct include to file.c resolves the issue
+and does not cause problems for more recent glibc.
+
+Fixes: 50109b5a03b4 ("um: Add support for DISCARD in the UBD Driver")
+Cc: Brendan Higgins
+Signed-off-by: Alan Maguire
+Reviewed-by: Brendan Higgins
+Acked-By: Anton Ivanov
+Signed-off-by: Richard Weinberger
+Signed-off-by: Sasha Levin
+---
+ arch/um/os-Linux/file.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/um/os-Linux/file.c b/arch/um/os-Linux/file.c
+index 5133e3afb96f7..3996937e2c0dd 100644
+--- a/arch/um/os-Linux/file.c
++++ b/arch/um/os-Linux/file.c
+@@ -8,6 +8,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+--
+2.20.1
+
diff --git a/queue-5.4/um-ubd-prevent-buffer-overrun-on-command-completion.patch b/queue-5.4/um-ubd-prevent-buffer-overrun-on-command-completion.patch
new file mode 100644
index 00000000000..f3868b06733
--- /dev/null
+++ b/queue-5.4/um-ubd-prevent-buffer-overrun-on-command-completion.patch
@@ -0,0 +1,41 @@
+From 58de01ab750fc3cc281dd083a8ebdbccca2725d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 16 Mar 2020 20:45:06 -0400
+Subject: um: ubd: Prevent buffer overrun on command completion
+
+From: Gabriel Krisman Bertazi
+
+[ Upstream commit 6e682d53fc1ef73a169e2a5300326cb23abb32ee ]
+
+On the hypervisor side, when completing commands and the pipe is full,
+we retry writing only the entries that failed, by offsetting
+io_req_buffer, but we don't reduce the number of bytes written, which
+can cause a buffer overrun of io_req_buffer, and write garbage to the
+pipe.
+
+Cc: Martyn Welch
+Signed-off-by: Gabriel Krisman Bertazi
+Signed-off-by: Richard Weinberger
+Signed-off-by: Sasha Levin
+---
+ arch/um/drivers/ubd_kern.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/arch/um/drivers/ubd_kern.c b/arch/um/drivers/ubd_kern.c
+index 6627d7c30f370..0f5d0a699a49b 100644
+--- a/arch/um/drivers/ubd_kern.c
++++ b/arch/um/drivers/ubd_kern.c
+@@ -1606,7 +1606,9 @@ int io_thread(void *arg)
+ written = 0;
+
+ do {
+- res = os_write_file(kernel_fd, ((char *) io_req_buffer) + written, n);
++ res = os_write_file(kernel_fd,
++ ((char *) io_req_buffer) + written,
++ n - written);
+ if (res >= 0) {
+ written += res;
+ }
+--
+2.20.1
+
diff --git a/queue-5.4/x86-acpi-fix-cpu-hotplug-deadlock.patch b/queue-5.4/x86-acpi-fix-cpu-hotplug-deadlock.patch
new file mode 100644
index 00000000000..c4324c14029
--- /dev/null
+++ b/queue-5.4/x86-acpi-fix-cpu-hotplug-deadlock.patch
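Review bot: The retry loop in io_thread() now relies on the pointer offset and the length moving together, and the call `os_write_file(kernel_fd, ((char *) io_req_buffer) + written, n - written)` carries no comment saying so. I would add `/* partial write: resend only the unwritten tail, never past io_req_buffer + n */` above the call, since dropping either half brings back the read past the end of the buffer that this patch fixes. The loop condition and the handling of a negative `res` are outside the hunk, so whether `written` can ever exceed `n` cannot be checked from here.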
@@ -0,0 +1,169 @@ +From d415f7e407a4eef5e784376e5a7aaf674872e1cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Apr 2020 10:03:45 -0400 +Subject: x86: ACPI: fix CPU hotplug deadlock + +From: Qian Cai + +[ Upstream commit 696ac2e3bf267f5a2b2ed7d34e64131f2287d0ad ] + +Similar to commit 0266d81e9bf5 ("acpi/processor: Prevent cpu hotplug +deadlock") except this is for acpi_processor_ffh_cstate_probe(): + +"The problem is that the work is scheduled on the current CPU from the +hotplug thread associated with that CPU. + +It's not required to invoke these functions via the workqueue because +the hotplug thread runs on the target CPU already. + +Check whether current is a per cpu thread pinned on the target CPU and +invoke the function directly to avoid the workqueue." + + WARNING: possible circular locking dependency detected + ------------------------------------------------------ + cpuhp/1/15 is trying to acquire lock: + ffffc90003447a28 ((work_completion)(&wfc.work)){+.+.}-{0:0}, at: __flush_work+0x4c6/0x630 + + but task is already holding lock: + ffffffffafa1c0e8 (cpuidle_lock){+.+.}-{3:3}, at: cpuidle_pause_and_lock+0x17/0x20 + + which lock already depends on the new lock. 
+ + the existing dependency chain (in reverse order) is: + + -> #1 (cpu_hotplug_lock){++++}-{0:0}: + cpus_read_lock+0x3e/0xc0 + irq_calc_affinity_vectors+0x5f/0x91 + __pci_enable_msix_range+0x10f/0x9a0 + pci_alloc_irq_vectors_affinity+0x13e/0x1f0 + pci_alloc_irq_vectors_affinity at drivers/pci/msi.c:1208 + pqi_ctrl_init+0x72f/0x1618 [smartpqi] + pqi_pci_probe.cold.63+0x882/0x892 [smartpqi] + local_pci_probe+0x7a/0xc0 + work_for_cpu_fn+0x2e/0x50 + process_one_work+0x57e/0xb90 + worker_thread+0x363/0x5b0 + kthread+0x1f4/0x220 + ret_from_fork+0x27/0x50 + + -> #0 ((work_completion)(&wfc.work)){+.+.}-{0:0}: + __lock_acquire+0x2244/0x32a0 + lock_acquire+0x1a2/0x680 + __flush_work+0x4e6/0x630 + work_on_cpu+0x114/0x160 + acpi_processor_ffh_cstate_probe+0x129/0x250 + acpi_processor_evaluate_cst+0x4c8/0x580 + acpi_processor_get_power_info+0x86/0x740 + acpi_processor_hotplug+0xc3/0x140 + acpi_soft_cpu_online+0x102/0x1d0 + cpuhp_invoke_callback+0x197/0x1120 + cpuhp_thread_fun+0x252/0x2f0 + smpboot_thread_fn+0x255/0x440 + kthread+0x1f4/0x220 + ret_from_fork+0x27/0x50 + + other info that might help us debug this: + + Chain exists of: + (work_completion)(&wfc.work) --> cpuhp_state-up --> cpuidle_lock + + Possible unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(cpuidle_lock); + lock(cpuhp_state-up); + lock(cpuidle_lock); + lock((work_completion)(&wfc.work)); + + *** DEADLOCK *** + + 3 locks held by cpuhp/1/15: + #0: ffffffffaf51ab10 (cpu_hotplug_lock){++++}-{0:0}, at: cpuhp_thread_fun+0x69/0x2f0 + #1: ffffffffaf51ad40 (cpuhp_state-up){+.+.}-{0:0}, at: cpuhp_thread_fun+0x69/0x2f0 + #2: ffffffffafa1c0e8 (cpuidle_lock){+.+.}-{3:3}, at: cpuidle_pause_and_lock+0x17/0x20 + + Call Trace: + dump_stack+0xa0/0xea + print_circular_bug.cold.52+0x147/0x14c + check_noncircular+0x295/0x2d0 + __lock_acquire+0x2244/0x32a0 + lock_acquire+0x1a2/0x680 + __flush_work+0x4e6/0x630 + work_on_cpu+0x114/0x160 + acpi_processor_ffh_cstate_probe+0x129/0x250 + acpi_processor_evaluate_cst+0x4c8/0x580 
+ acpi_processor_get_power_info+0x86/0x740 + acpi_processor_hotplug+0xc3/0x140 + acpi_soft_cpu_online+0x102/0x1d0 + cpuhp_invoke_callback+0x197/0x1120 + cpuhp_thread_fun+0x252/0x2f0 + smpboot_thread_fn+0x255/0x440 + kthread+0x1f4/0x220 + ret_from_fork+0x27/0x50 + +Signed-off-by: Qian Cai +Tested-by: Borislav Petkov +[ rjw: Subject ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/acpi/cstate.c | 3 ++- + drivers/acpi/processor_throttling.c | 7 ------- + include/acpi/processor.h | 8 ++++++++ + 3 files changed, 10 insertions(+), 8 deletions(-) + +diff --git a/arch/x86/kernel/acpi/cstate.c b/arch/x86/kernel/acpi/cstate.c +index caf2edccbad2e..49ae4e1ac9cd8 100644 +--- a/arch/x86/kernel/acpi/cstate.c ++++ b/arch/x86/kernel/acpi/cstate.c +@@ -161,7 +161,8 @@ int acpi_processor_ffh_cstate_probe(unsigned int cpu, + + /* Make sure we are running on right CPU */ + +- retval = work_on_cpu(cpu, acpi_processor_ffh_cstate_probe_cpu, cx); ++ retval = call_on_cpu(cpu, acpi_processor_ffh_cstate_probe_cpu, cx, ++ false); + if (retval == 0) { + /* Use the hint in CST */ + percpu_entry->states[cx->index].eax = cx->address; +diff --git a/drivers/acpi/processor_throttling.c b/drivers/acpi/processor_throttling.c +index 532a1ae3595a7..a0bd56ece3ff5 100644 +--- a/drivers/acpi/processor_throttling.c ++++ b/drivers/acpi/processor_throttling.c +@@ -897,13 +897,6 @@ static long __acpi_processor_get_throttling(void *data) + return pr->throttling.acpi_processor_get_throttling(pr); + } + +-static int call_on_cpu(int cpu, long (*fn)(void *), void *arg, bool direct) +-{ +- if (direct || (is_percpu_thread() && cpu == smp_processor_id())) +- return fn(arg); +- return work_on_cpu(cpu, fn, arg); +-} +- + static int acpi_processor_get_throttling(struct acpi_processor *pr) + { + if (!pr) +diff --git a/include/acpi/processor.h b/include/acpi/processor.h +index 47805172e73d8..683e124ad517d 100644 +--- a/include/acpi/processor.h ++++ b/include/acpi/processor.h +@@ -297,6 
+297,14 @@ static inline void acpi_processor_ffh_cstate_enter(struct acpi_processor_cx + } + #endif + ++static inline int call_on_cpu(int cpu, long (*fn)(void *), void *arg, ++ bool direct) ++{ ++ if (direct || (is_percpu_thread() && cpu == smp_processor_id())) ++ return fn(arg); ++ return work_on_cpu(cpu, fn, arg); ++} ++ + /* in processor_perflib.c */ + + #ifdef CONFIG_CPU_FREQ +-- +2.20.1 + diff --git a/queue-5.4/x86-hyper-v-free-hv_panic_page-when-fail-to-register.patch b/queue-5.4/x86-hyper-v-free-hv_panic_page-when-fail-to-register.patch new file mode 100644 index 00000000000..e4af5c62022 --- /dev/null +++ b/queue-5.4/x86-hyper-v-free-hv_panic_page-when-fail-to-register.patch 
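Review bot: The helper moved into include/acpi/processor.h is declared `static inline int call_on_cpu(...)`, yet its callback is typed `long (*fn)(void *)` and it returns `fn(arg)` directly, so the result is narrowed to `int` on the way out. That was already the case for the file-local copy removed from processor_throttling.c, but in a shared header it now applies to every includer; either return `long`, or document that callbacks must return values that fit in an `int`. The unprefixed name `call_on_cpu` is also easy to collide with once it lives in a header, so an `acpi_`-prefixed name would be safer. The new caller passes an `unsigned int cpu` into the `int cpu` parameter, which is worth a glance as well.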
@@ -0,0 +1,52 @@
+From b32241d1e65e7836be8f4e44ec67cc3890babd1b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 6 Apr 2020 08:53:27 -0700
+Subject: x86/Hyper-V: Free hv_panic_page when fail to register kmsg dump
+
+From: Tianyu Lan
+
+[ Upstream commit 7f11a2cc10a4ae3a70e2c73361f4a9a33503539b ]
+
+If kmsg_dump_register() fails, hv_panic_page will not be used
+anywhere. So free and reset it.
+
+Fixes: 81b18bce48af ("Drivers: HV: Send one page worth of kmsg dump over Hyper-V during panic")
+Reviewed-by: Michael Kelley
+Signed-off-by: Tianyu Lan
+Link: https://lore.kernel.org/r/20200406155331.2105-3-Tianyu.Lan@microsoft.com
+Signed-off-by: Wei Liu
+Signed-off-by: Sasha Levin
+---
+ drivers/hv/vmbus_drv.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c
+index 593107c20e977..40f6b73dae940 100644
+--- a/drivers/hv/vmbus_drv.c
++++ b/drivers/hv/vmbus_drv.c
+@@ -1401,9 +1401,13 @@ static int vmbus_bus_init(void)
+ hv_panic_page = (void *)get_zeroed_page(GFP_KERNEL);
+ if (hv_panic_page) {
+ ret = kmsg_dump_register(&hv_kmsg_dumper);
+- if (ret)
++ if (ret) {
+ pr_err("Hyper-V: kmsg dump register "
+ "error 0x%x\n", ret);
++ hv_free_hyperv_page(
++ (unsigned long)hv_panic_page);
++ hv_panic_page = NULL;
++ }
+ } else
+ pr_err("Hyper-V: panic message page memory "
+ "allocation failed");
+@@ -1433,7 +1437,6 @@ static int vmbus_bus_init(void)
+ hv_remove_vmbus_irq();
+
+ bus_unregister(&hv_bus);
+- free_page((unsigned long)hv_panic_page);
+ unregister_sysctl_table(hv_ctl_table_hdr);
+ hv_ctl_table_hdr = NULL;
+ return ret;
+--
+2.20.1
+
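Review bot: `hv_panic_page` is obtained with `get_zeroed_page(GFP_KERNEL)` but the new error branch releases it with `hv_free_hyperv_page((unsigned long)hv_panic_page)`, while the line removed in the second inner hunk used `free_page()`. Unless hv_free_hyperv_page() is guaranteed to be the exact counterpart of get_zeroed_page() (its definition is not shown), allocation and release should come from the same family, e.g. `free_page((unsigned long)hv_panic_page);`. Separately, with the `free_page()` call gone from the unwind path, a later failure in vmbus_bus_init() after a successful kmsg_dump_register() appears to leave both the page and the registered dumper behind; an unregister-then-free pair there would close that, though the full error path lies outside the hunk.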