From: Sasha Levin
Date: Wed, 22 Apr 2020 03:25:55 +0000 (-0400)
Subject: Fixes for 4.19
X-Git-Tag: v4.19.118~13
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=876dd00141a463dafc616c29669c4ca67af75ee9;p=thirdparty%2Fkernel%2Fstable-queue.git
Fixes for 4.19
Signed-off-by: Sasha Levin
---
diff --git a/queue-4.19/cifs-allocate-encryption-header-through-kmalloc.patch b/queue-4.19/cifs-allocate-encryption-header-through-kmalloc.patch
new file mode 100644
index 00000000000..a8e7be6c447
--- /dev/null
+++ b/queue-4.19/cifs-allocate-encryption-header-through-kmalloc.patch
@@ -0,0 +1,83 @@ +From 0e3dc8157c147774f8e05a1cf2f82c3544a8379c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Mar 2020 22:09:20 -0700 +Subject: cifs: Allocate encryption header through kmalloc + +From: Long Li + +[ Upstream commit 3946d0d04bb360acca72db5efe9ae8440012d9dc ] + +When encryption is used, smb2_transform_hdr is defined on the stack and is +passed to the transport. This doesn't work with RDMA as the buffer needs to +be DMA'ed. + +Fix it by using kmalloc. + +Signed-off-by: Long Li +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/transport.c | 28 +++++++++++++++++----------- + 1 file changed, 17 insertions(+), 11 deletions(-) + +diff --git a/fs/cifs/transport.c b/fs/cifs/transport.c +index 0c4df56c825ab..70412944b267d 100644 +--- a/fs/cifs/transport.c ++++ b/fs/cifs/transport.c +@@ -392,7 +392,7 @@ smb_send_rqst(struct TCP_Server_Info *server, int num_rqst, + struct smb_rqst *rqst, int flags) + { + struct kvec iov; +- struct smb2_transform_hdr tr_hdr; ++ struct smb2_transform_hdr *tr_hdr; + struct smb_rqst cur_rqst[MAX_COMPOUND]; + int rc; + +@@ -402,28 +402,34 @@ smb_send_rqst(struct TCP_Server_Info *server, int num_rqst, + if (num_rqst > MAX_COMPOUND - 1) + return -ENOMEM; + +- memset(&cur_rqst[0], 0, sizeof(cur_rqst)); +- memset(&iov, 0, sizeof(iov)); +- memset(&tr_hdr, 0, sizeof(tr_hdr)); +- +- iov.iov_base = &tr_hdr; +- iov.iov_len = sizeof(tr_hdr); +- cur_rqst[0].rq_iov = &iov; +- cur_rqst[0].rq_nvec = 1; +- + if (!server->ops->init_transform_rq) { + cifs_dbg(VFS, "Encryption requested but transform callback " + "is missing\n"); + return -EIO; + } + ++ tr_hdr = kmalloc(sizeof(*tr_hdr), GFP_NOFS); ++ if (!tr_hdr) ++ return -ENOMEM; ++ ++ memset(&cur_rqst[0], 0, sizeof(cur_rqst)); ++ memset(&iov, 0, sizeof(iov)); ++ memset(tr_hdr, 0, sizeof(*tr_hdr)); ++ ++ iov.iov_base = tr_hdr; ++ iov.iov_len = sizeof(*tr_hdr); ++ cur_rqst[0].rq_iov = &iov; ++ cur_rqst[0].rq_nvec = 1; ++ + rc = server->ops->init_transform_rq(server, 
num_rqst + 1, + &cur_rqst[0], rqst); + if (rc) +- return rc; ++ goto out; + + rc = __smb_send_rqst(server, num_rqst + 1, &cur_rqst[0]); + smb3_free_compound_rqst(num_rqst, &cur_rqst[1]); ++out: ++ kfree(tr_hdr); + return rc; + } + +-- +2.20.1 + diff --git a/queue-4.19/clk-at91-usb-continue-if-clk_hw_round_rate-return-ze.patch b/queue-4.19/clk-at91-usb-continue-if-clk_hw_round_rate-return-ze.patch new file mode 100644 index 00000000000..0af1f5eff1a --- /dev/null +++ b/queue-4.19/clk-at91-usb-continue-if-clk_hw_round_rate-return-ze.patch 
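Review bot: The new allocation in smb_send_rqst() pairs `kmalloc(sizeof(*tr_hdr), GFP_NOFS)` with a separate `memset(tr_hdr, 0, sizeof(*tr_hdr))` a few lines later; `tr_hdr = kzalloc(sizeof(*tr_hdr), GFP_NOFS);` does both in one call, so the header can never be reached un-zeroed if the setup lines are reordered later. That matters here because the buffer is handed to the transport and sent, and stale heap contents in it would leave the host. The single `out:` label with `kfree(tr_hdr)` covers both exits after the allocation that are visible in the hunk; the start of the function is outside it.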
@@ -0,0 +1,49 @@ +From 608de60e041c7a3c24a41e443873a4278b6ebc22 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Jan 2020 13:36:46 +0200 +Subject: clk: at91: usb: continue if clk_hw_round_rate() return zero + +From: Claudiu Beznea + +[ Upstream commit b0ecf1c6c6e82da4847900fad0272abfd014666d ] + +clk_hw_round_rate() may call round rate function of its parents. In case +of SAM9X60 two of USB parrents are PLLA and UPLL. These clocks are +controlled by clk-sam9x60-pll.c driver. The round rate function for this +driver is sam9x60_pll_round_rate() which call in turn +sam9x60_pll_get_best_div_mul(). In case the requested rate is not in the +proper range (rate < characteristics->output[0].min && +rate > characteristics->output[0].max) the sam9x60_pll_round_rate() will +return a negative number to its caller (called by +clk_core_round_rate_nolock()). clk_hw_round_rate() will return zero in +case a negative number is returned by clk_core_round_rate_nolock(). With +this, the USB clock will continue its rate computation even caller of +clk_hw_round_rate() returned an error. With this, the USB clock on SAM9X60 +may not chose the best parent. I detected this after a suspend/resume +cycle on SAM9X60. 
+ +Signed-off-by: Claudiu Beznea +Link: https://lkml.kernel.org/r/1579261009-4573-2-git-send-email-claudiu.beznea@microchip.com +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/at91/clk-usb.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/clk/at91/clk-usb.c b/drivers/clk/at91/clk-usb.c +index 791770a563fcc..6fac6383d024e 100644 +--- a/drivers/clk/at91/clk-usb.c ++++ b/drivers/clk/at91/clk-usb.c +@@ -78,6 +78,9 @@ static int at91sam9x5_clk_usb_determine_rate(struct clk_hw *hw, + tmp_parent_rate = req->rate * div; + tmp_parent_rate = clk_hw_round_rate(parent, + tmp_parent_rate); ++ if (!tmp_parent_rate) ++ continue; ++ + tmp_rate = DIV_ROUND_CLOSEST(tmp_parent_rate, div); + if (tmp_rate < req->rate) + tmp_diff = req->rate - tmp_rate; +-- +2.20.1 + diff --git a/queue-4.19/clk-tegra-fix-tegra-pmc-clock-out-parents.patch b/queue-4.19/clk-tegra-fix-tegra-pmc-clock-out-parents.patch new file mode 100644 index 00000000000..678a7fa983a --- /dev/null +++ b/queue-4.19/clk-tegra-fix-tegra-pmc-clock-out-parents.patch 
@@ -0,0 +1,56 @@ +From f249a272a91c8a8716f94857200899f7e7d405d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Jan 2020 23:24:09 -0800 +Subject: clk: tegra: Fix Tegra PMC clock out parents + +From: Sowjanya Komatineni + +[ Upstream commit 6fe38aa8cac3a5db38154331742835a4d9740788 ] + +Tegra PMC clocks clk_out_1, clk_out_2, and clk_out_3 supported parents +are osc, osc_div2, osc_div4 and extern clock. + +Clock driver is using incorrect parents clk_m, clk_m_div2, clk_m_div4 +for PMC clocks. + +This patch fixes this. + +Tested-by: Dmitry Osipenko +Reviewed-by: Dmitry Osipenko +Signed-off-by: Sowjanya Komatineni +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/clk/tegra/clk-tegra-pmc.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/clk/tegra/clk-tegra-pmc.c b/drivers/clk/tegra/clk-tegra-pmc.c +index a35579a3f884f..476dab494c44d 100644 +--- a/drivers/clk/tegra/clk-tegra-pmc.c ++++ b/drivers/clk/tegra/clk-tegra-pmc.c +@@ -60,16 +60,16 @@ struct pmc_clk_init_data { + + static DEFINE_SPINLOCK(clk_out_lock); + +-static const char *clk_out1_parents[] = { "clk_m", "clk_m_div2", +- "clk_m_div4", "extern1", ++static const char *clk_out1_parents[] = { "osc", "osc_div2", ++ "osc_div4", "extern1", + }; + +-static const char *clk_out2_parents[] = { "clk_m", "clk_m_div2", +- "clk_m_div4", "extern2", ++static const char *clk_out2_parents[] = { "osc", "osc_div2", ++ "osc_div4", "extern2", + }; + +-static const char *clk_out3_parents[] = { "clk_m", "clk_m_div2", +- "clk_m_div4", "extern3", ++static const char *clk_out3_parents[] = { "osc", "osc_div2", ++ "osc_div4", "extern3", + }; + + static struct pmc_clk_init_data pmc_clks[] = { +-- +2.20.1 + diff --git a/queue-4.19/compiler.h-fix-error-in-build_bug_on-reporting.patch b/queue-4.19/compiler.h-fix-error-in-build_bug_on-reporting.patch new file mode 100644 index 00000000000..424531f8720 --- /dev/null 
+++ b/queue-4.19/compiler.h-fix-error-in-build_bug_on-reporting.patch 
@@ -0,0 +1,70 @@ +From 4048bed510dc877f474d27310a1ec691e2f82dd5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Apr 2020 20:09:37 -0700 +Subject: compiler.h: fix error in BUILD_BUG_ON() reporting + +From: Vegard Nossum + +[ Upstream commit af9c5d2e3b355854ff0e4acfbfbfadcd5198a349 ] + +compiletime_assert() uses __LINE__ to create a unique function name. This +means that if you have more than one BUILD_BUG_ON() in the same source +line (which can happen if they appear e.g. in a macro), then the error +message from the compiler might output the wrong condition. + +For this source file: + + #include + + #define macro() \ + BUILD_BUG_ON(1); \ + BUILD_BUG_ON(0); + + void foo() + { + macro(); + } + +gcc would output: + +./include/linux/compiler.h:350:38: error: call to `__compiletime_assert_9' declared with attribute error: BUILD_BUG_ON failed: 0 + _compiletime_assert(condition, msg, __compiletime_assert_, __LINE__) + +However, it was not the BUILD_BUG_ON(0) that failed, so it should say 1 +instead of 0. 
With this patch, we use __COUNTER__ instead of __LINE__, so +each BUILD_BUG_ON() gets a different function name and the correct +condition is printed: + +./include/linux/compiler.h:350:38: error: call to `__compiletime_assert_0' declared with attribute error: BUILD_BUG_ON failed: 1 + _compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__) + +Signed-off-by: Vegard Nossum +Signed-off-by: Andrew Morton +Reviewed-by: Masahiro Yamada +Reviewed-by: Daniel Santos +Cc: Rasmus Villemoes +Cc: Ian Abbott +Cc: Joe Perches +Link: http://lkml.kernel.org/r/20200331112637.25047-1-vegard.nossum@oracle.com +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/linux/compiler.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/compiler.h b/include/linux/compiler.h +index bb22908c79e83..75112aa8064e8 100644 +--- a/include/linux/compiler.h ++++ b/include/linux/compiler.h +@@ -345,7 +345,7 @@ static inline void *offset_to_ptr(const int *off) + * compiler has support to do so. + */ + #define compiletime_assert(condition, msg) \ +- _compiletime_assert(condition, msg, __compiletime_assert_, __LINE__) ++ _compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__) + + #define compiletime_assert_atomic_type(t) \ + compiletime_assert(__native_word(t), \ +-- +2.20.1 + diff --git a/queue-4.19/drm-amdkfd-kfree-the-wrong-pointer.patch b/queue-4.19/drm-amdkfd-kfree-the-wrong-pointer.patch new file mode 100644 index 00000000000..dedfa530592 --- /dev/null +++ b/queue-4.19/drm-amdkfd-kfree-the-wrong-pointer.patch 
@@ -0,0 +1,39 @@
+From fada92d7cc5cefe7c54339bc01ae3ce88708b1e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 1 Apr 2020 20:06:58 +0800
+Subject: drm/amdkfd: kfree the wrong pointer
+
+From: Jack Zhang
+
+[ Upstream commit 3148a6a0ef3cf93570f30a477292768f7eb5d3c3 ]
+
+Originally, it kfrees the wrong pointer for mem_obj.
+It would cause memory leak under stress test.
+
+Signed-off-by: Jack Zhang
+Acked-by: Nirmoy Das
+Signed-off-by: Alex Deucher
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_device.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device.c b/drivers/gpu/drm/amd/amdkfd/kfd_device.c
+index 938d0053a8208..28022d1cb0f07 100644
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_device.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_device.c
+@@ -921,9 +921,9 @@ int kfd_gtt_sa_allocate(struct kfd_dev *kfd, unsigned int size,
+ return 0;
+
+ kfd_gtt_no_free_chunk:
+- pr_debug("Allocation failed with mem_obj = %p\n", mem_obj);
++ pr_debug("Allocation failed with mem_obj = %p\n", *mem_obj);
+ mutex_unlock(&kfd->gtt_sa_lock);
+- kfree(mem_obj);
++ kfree(*mem_obj);
+ return -ENOMEM;
+ }
+
+--
+2.20.1
+
diff --git a/queue-4.19/drm-vc4-fix-hdmi-mode-validation.patch b/queue-4.19/drm-vc4-fix-hdmi-mode-validation.patch
new file mode 100644
index 00000000000..3db7c9876db
--- /dev/null
+++ b/queue-4.19/drm-vc4-fix-hdmi-mode-validation.patch
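Review bot: After `kfree(*mem_obj)` on the `kfd_gtt_no_free_chunk` path the caller's pointer still holds the freed address, so a caller that inspects or frees `*mem_obj` after the -ENOMEM return would touch freed memory. Adding `*mem_obj = NULL;` right after the `kfree(*mem_obj);` line leaves the out-parameter in a defined state on failure. Whether any caller reads the pointer after a failed call is not visible here, and the body of kfd_gtt_sa_allocate() starts above the hunk.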
@@ -0,0 +1,61 @@ +From d0b634599dc0e8deda950f37c23fb6afb728c5b6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Mar 2020 13:20:01 +0100 +Subject: drm/vc4: Fix HDMI mode validation + +From: Nicolas Saenz Julienne + +[ Upstream commit b1e7396a1d0e6af6806337fdaaa44098d6b3343c ] + +Current mode validation impedes setting up some video modes which should +be supported otherwise. Namely 1920x1200@60Hz. + +Fix this by lowering the minimum HDMI state machine clock to pixel clock +ratio allowed. + +Fixes: 32e823c63e90 ("drm/vc4: Reject HDMI modes with too high of clocks.") +Reported-by: Stefan Wahren +Suggested-by: Dave Stevenson +Signed-off-by: Nicolas Saenz Julienne +Signed-off-by: Maxime Ripard +Link: https://patchwork.freedesktop.org/patch/msgid/20200326122001.22215-1-nsaenzjulienne@suse.de +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_hdmi.c | 20 ++++++++++++++++---- + 1 file changed, 16 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/vc4/vc4_hdmi.c b/drivers/gpu/drm/vc4/vc4_hdmi.c +index fd5522fd179e5..86b98856756d9 100644 +--- a/drivers/gpu/drm/vc4/vc4_hdmi.c ++++ b/drivers/gpu/drm/vc4/vc4_hdmi.c +@@ -698,11 +698,23 @@ static enum drm_mode_status + vc4_hdmi_encoder_mode_valid(struct drm_encoder *crtc, + const struct drm_display_mode *mode) + { +- /* HSM clock must be 108% of the pixel clock. Additionally, +- * the AXI clock needs to be at least 25% of pixel clock, but +- * HSM ends up being the limiting factor. ++ /* ++ * As stated in RPi's vc4 firmware "HDMI state machine (HSM) clock must ++ * be faster than pixel clock, infinitesimally faster, tested in ++ * simulation. Otherwise, exact value is unimportant for HDMI ++ * operation." This conflicts with bcm2835's vc4 documentation, which ++ * states HSM's clock has to be at least 108% of the pixel clock. ++ * ++ * Real life tests reveal that vc4's firmware statement holds up, and ++ * users are able to use pixel clocks closer to HSM's, namely for ++ * 1920x1200@60Hz. 
So it was decided to have leave a 1% margin between ++ * both clocks. Which, for RPi0-3 implies a maximum pixel clock of ++ * 162MHz. ++ * ++ * Additionally, the AXI clock needs to be at least 25% of ++ * pixel clock, but HSM ends up being the limiting factor. + */ +- if (mode->clock > HSM_CLOCK_FREQ / (1000 * 108 / 100)) ++ if (mode->clock > HSM_CLOCK_FREQ / (1000 * 101 / 100)) + return MODE_CLOCK_HIGH; + + return MODE_OK; +-- +2.20.1 + diff --git a/queue-4.19/ext2-fix-debug-reference-to-ext2_xattr_cache.patch b/queue-4.19/ext2-fix-debug-reference-to-ext2_xattr_cache.patch new file mode 100644 index 00000000000..c6b791b67a5 --- /dev/null +++ b/queue-4.19/ext2-fix-debug-reference-to-ext2_xattr_cache.patch 
@@ -0,0 +1,51 @@ +From 06b747ed382d0492f9712ff40f5b949cc7ff8083 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Mar 2020 12:40:02 +0100 +Subject: ext2: fix debug reference to ext2_xattr_cache +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jan Kara + +[ Upstream commit 32302085a8d90859c40cf1a5e8313f575d06ec75 ] + +Fix a debug-only build error in ext2/xattr.c: + +When building without extra debugging, (and with another patch that uses +no_printk() instead of for the ext2-xattr debug-print macros, +this build error happens: + +../fs/ext2/xattr.c: In function ‘ext2_xattr_cache_insert’: +../fs/ext2/xattr.c:869:18: error: ‘ext2_xattr_cache’ undeclared (first use in +this function); did you mean ‘ext2_xattr_list’? + atomic_read(&ext2_xattr_cache->c_entry_count)); + +Fix the problem by removing cached entry count from the debug message +since otherwise we'd have to export the mbcache structure just for that. + +Fixes: be0726d33cb8 ("ext2: convert to mbcache2") +Reported-by: Randy Dunlap +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/ext2/xattr.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/fs/ext2/xattr.c b/fs/ext2/xattr.c +index 4439bfaf1c57f..bd1d68ff3a9f8 100644 +--- a/fs/ext2/xattr.c ++++ b/fs/ext2/xattr.c +@@ -839,8 +839,7 @@ ext2_xattr_cache_insert(struct mb_cache *cache, struct buffer_head *bh) + error = mb_cache_entry_create(cache, GFP_NOFS, hash, bh->b_blocknr, 1); + if (error) { + if (error == -EBUSY) { +- ea_bdebug(bh, "already in cache (%d cache entries)", +- atomic_read(&ext2_xattr_cache->c_entry_count)); ++ ea_bdebug(bh, "already in cache"); + error = 0; + } + } else +-- +2.20.1 + diff --git a/queue-4.19/ext2-fix-empty-body-warnings-when-wextra-is-used.patch b/queue-4.19/ext2-fix-empty-body-warnings-when-wextra-is-used.patch new file mode 100644 index 00000000000..9ff5a73e0e4 --- /dev/null 
+++ b/queue-4.19/ext2-fix-empty-body-warnings-when-wextra-is-used.patch @@ -0,0 +1,60 @@ +From 1c60e4185210cff79d32eb42c52e1224e9abca6e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 22 Mar 2020 19:45:41 -0700 +Subject: ext2: fix empty body warnings when -Wextra is used +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Randy Dunlap + +[ Upstream commit 44a52022e7f15cbaab957df1c14f7a4f527ef7cf ] + +When EXT2_ATTR_DEBUG is not defined, modify the 2 debug macros +to use the no_printk() macro instead of . +This fixes gcc warnings when -Wextra is used: + +../fs/ext2/xattr.c:252:42: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body] +../fs/ext2/xattr.c:258:42: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body] +../fs/ext2/xattr.c:330:42: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body] +../fs/ext2/xattr.c:872:45: warning: suggest braces around empty body in an ‘else’ statement [-Wempty-body] + +I have verified that the only object code change (with gcc 7.5.0) is +the reversal of some instructions from 'cmp a,b' to 'cmp b,a'. + +Link: https://lore.kernel.org/r/e18a7395-61fb-2093-18e8-ed4f8cf56248@infradead.org +Signed-off-by: Randy Dunlap +Cc: Jan Kara +Cc: linux-ext4@vger.kernel.org +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/ext2/xattr.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/fs/ext2/xattr.c b/fs/ext2/xattr.c +index dd8f10db82e99..4439bfaf1c57f 100644 +--- a/fs/ext2/xattr.c ++++ b/fs/ext2/xattr.c +@@ -56,6 +56,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -84,8 +85,8 @@ + printk("\n"); \ + } while (0) + #else +-# define ea_idebug(f...) +-# define ea_bdebug(f...) ++# define ea_idebug(inode, f...) no_printk(f) ++# define ea_bdebug(bh, f...) no_printk(f) + #endif + + static int ext2_xattr_set2(struct inode *, struct buffer_head *, +-- +2.20.1 + 
diff --git a/queue-4.19/ext4-do-not-commit-super-on-read-only-bdev.patch b/queue-4.19/ext4-do-not-commit-super-on-read-only-bdev.patch new file mode 100644 index 00000000000..8ea04cd75a0 --- /dev/null +++ b/queue-4.19/ext4-do-not-commit-super-on-read-only-bdev.patch @@ -0,0 +1,50 @@ +From b9395024319ecf94404c5faa542297d1b4df2ee7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Mar 2020 14:19:38 -0500 +Subject: ext4: do not commit super on read-only bdev + +From: Eric Sandeen + +[ Upstream commit c96e2b8564adfb8ac14469ebc51ddc1bfecb3ae2 ] + +Under some circumstances we may encounter a filesystem error on a +read-only block device, and if we try to save the error info to the +superblock and commit it, we'll wind up with a noisy error and +backtrace, i.e.: + +[ 3337.146838] EXT4-fs error (device pmem1p2): ext4_get_journal_inode:4634: comm mount: inode #0: comm mount: iget: illegal inode # +------------[ cut here ]------------ +generic_make_request: Trying to write to read-only block-device pmem1p2 (partno 2) +WARNING: CPU: 107 PID: 115347 at block/blk-core.c:788 generic_make_request_checks+0x6b4/0x7d0 +... + +To avoid this, commit the error info in the superblock only if the +block device is writable. + +Reported-by: Ritesh Harjani +Signed-off-by: Eric Sandeen +Reviewed-by: Andreas Dilger +Link: https://lore.kernel.org/r/4b6e774d-cc00-3469-7abb-108eb151071a@sandeen.net +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/super.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index cc8c738480e8a..bf949fcc970ab 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -388,7 +388,8 @@ static void save_error_info(struct super_block *sb, const char *func, + unsigned int line) + { + __save_error_info(sb, func, line); +- ext4_commit_super(sb, 1); ++ if (!bdev_read_only(sb->s_bdev)) ++ ext4_commit_super(sb, 1); + } + + /* +-- +2.20.1 + 
diff --git a/queue-4.19/f2fs-fix-null-pointer-dereference-in-f2fs_write_begi.patch b/queue-4.19/f2fs-fix-null-pointer-dereference-in-f2fs_write_begi.patch new file mode 100644 index 00000000000..61d4797b801 --- /dev/null +++ b/queue-4.19/f2fs-fix-null-pointer-dereference-in-f2fs_write_begi.patch 
@@ -0,0 +1,77 @@ +From 88df8ec15f2fd4a41e109b47df5211a4e1e0deb6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Mar 2020 19:58:00 +0800 +Subject: f2fs: fix NULL pointer dereference in f2fs_write_begin() + +From: Chao Yu + +[ Upstream commit 62f63eea291b50a5677ae7503ac128803174698a ] + +BUG: kernel NULL pointer dereference, address: 0000000000000000 +RIP: 0010:f2fs_write_begin+0x823/0xb90 [f2fs] +Call Trace: + f2fs_quota_write+0x139/0x1d0 [f2fs] + write_blk+0x36/0x80 [quota_tree] + get_free_dqblk+0x42/0xa0 [quota_tree] + do_insert_tree+0x235/0x4a0 [quota_tree] + do_insert_tree+0x26e/0x4a0 [quota_tree] + do_insert_tree+0x26e/0x4a0 [quota_tree] + do_insert_tree+0x26e/0x4a0 [quota_tree] + qtree_write_dquot+0x70/0x190 [quota_tree] + v2_write_dquot+0x43/0x90 [quota_v2] + dquot_acquire+0x77/0x100 + f2fs_dquot_acquire+0x2f/0x60 [f2fs] + dqget+0x310/0x450 + dquot_transfer+0x7e/0x120 + f2fs_setattr+0x11a/0x4a0 [f2fs] + notify_change+0x349/0x480 + chown_common+0x168/0x1c0 + do_fchownat+0xbc/0xf0 + __x64_sys_fchownat+0x20/0x30 + do_syscall_64+0x5f/0x220 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Passing fsdata parameter to .write_{begin,end} in f2fs_quota_write(), +so that if quota file is compressed one, we can avoid above NULL +pointer dereference when updating quota content. 
+ +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/super.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c +index da348cf4ff56a..45f8f6ec22a55 100644 +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -1648,6 +1648,7 @@ static ssize_t f2fs_quota_write(struct super_block *sb, int type, + int offset = off & (sb->s_blocksize - 1); + size_t towrite = len; + struct page *page; ++ void *fsdata = NULL; + char *kaddr; + int err = 0; + int tocopy; +@@ -1657,7 +1658,7 @@ static ssize_t f2fs_quota_write(struct super_block *sb, int type, + towrite); + retry: + err = a_ops->write_begin(NULL, mapping, off, tocopy, 0, +- &page, NULL); ++ &page, &fsdata); + if (unlikely(err)) { + if (err == -ENOMEM) { + congestion_wait(BLK_RW_ASYNC, HZ/50); +@@ -1672,7 +1673,7 @@ static ssize_t f2fs_quota_write(struct super_block *sb, int type, + flush_dcache_page(page); + + a_ops->write_end(NULL, mapping, off, tocopy, tocopy, +- page, NULL); ++ page, fsdata); + offset = 0; + towrite -= tocopy; + off += tocopy; +-- +2.20.1 + diff --git a/queue-4.19/f2fs-fix-to-wait-all-node-page-writeback.patch b/queue-4.19/f2fs-fix-to-wait-all-node-page-writeback.patch new file mode 100644 index 00000000000..d44467cfe8f --- /dev/null +++ b/queue-4.19/f2fs-fix-to-wait-all-node-page-writeback.patch 
@@ -0,0 +1,58 @@ +From 44b4f93224f7a85674bcf07baedad1691bd31916 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Feb 2020 17:45:12 +0800 +Subject: f2fs: fix to wait all node page writeback + +From: Chao Yu + +[ Upstream commit dc5a941223edd803f476a153abd950cc3a83c3e1 ] + +There is a race condition that we may miss to wait for all node pages +writeback, fix it. + +- fsync() - shrink + - f2fs_do_sync_file + - __write_node_page + - set_page_writeback(page#0) + : remove DIRTY/TOWRITE flag + - f2fs_fsync_node_pages + : won't find page #0 as TOWRITE flag was removeD + - f2fs_wait_on_node_pages_writeback + : wont' wait page #0 writeback as it was not in fsync_node_list list. + - f2fs_add_fsync_node_entry + +Fixes: 50fa53eccf9f ("f2fs: fix to avoid broken of dnode block list") +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/node.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c +index e5d474681471c..f0714c1258c79 100644 +--- a/fs/f2fs/node.c ++++ b/fs/f2fs/node.c +@@ -1559,15 +1559,16 @@ static int __write_node_page(struct page *page, bool atomic, bool *submitted, + if (atomic && !test_opt(sbi, NOBARRIER)) + fio.op_flags |= REQ_PREFLUSH | REQ_FUA; + +- set_page_writeback(page); +- ClearPageError(page); +- ++ /* should add to global list before clearing PAGECACHE status */ + if (f2fs_in_warm_node_list(sbi, page)) { + seq = f2fs_add_fsync_node_entry(sbi, page); + if (seq_id) + *seq_id = seq; + } + ++ set_page_writeback(page); ++ ClearPageError(page); ++ + fio.old_blkaddr = ni.blk_addr; + f2fs_do_write_node_page(nid, &fio); + set_node_addr(sbi, &ni, fio.new_blkaddr, is_fsync_dnode(page)); +-- +2.20.1 + diff --git a/queue-4.19/include-linux-swapops.h-correct-guards-for-non_swap_.patch b/queue-4.19/include-linux-swapops.h-correct-guards-for-non_swap_.patch new file mode 100644 index 00000000000..6da3695786f --- /dev/null 
+++ b/queue-4.19/include-linux-swapops.h-correct-guards-for-non_swap_.patch 
@@ -0,0 +1,62 @@ +From f9579a6491dee82c57cb6acb55339a7db6276ca3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Apr 2020 20:08:43 -0700 +Subject: include/linux/swapops.h: correct guards for non_swap_entry() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Steven Price + +[ Upstream commit 3f3673d7d324d872d9d8ddb73b3e5e47fbf12e0d ] + +If CONFIG_DEVICE_PRIVATE is defined, but neither CONFIG_MEMORY_FAILURE nor +CONFIG_MIGRATION, then non_swap_entry() will return 0, meaning that the +condition (non_swap_entry(entry) && is_device_private_entry(entry)) in +zap_pte_range() will never be true even if the entry is a device private +one. + +Equally any other code depending on non_swap_entry() will not function as +expected. + +I originally spotted this just by looking at the code, I haven't actually +observed any problems. + +Looking a bit more closely it appears that actually this situation +(currently at least) cannot occur: + +DEVICE_PRIVATE depends on ZONE_DEVICE +ZONE_DEVICE depends on MEMORY_HOTREMOVE +MEMORY_HOTREMOVE depends on MIGRATION + +Fixes: 5042db43cc26 ("mm/ZONE_DEVICE: new type of ZONE_DEVICE for unaddressable memory") +Signed-off-by: Steven Price +Signed-off-by: Andrew Morton +Cc: Jérôme Glisse +Cc: Arnd Bergmann +Cc: Dan Williams +Cc: John Hubbard +Link: http://lkml.kernel.org/r/20200305130550.22693-1-steven.price@arm.com +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/linux/swapops.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/include/linux/swapops.h b/include/linux/swapops.h +index 22af9d8a84ae2..28d572b7ea73e 100644 +--- a/include/linux/swapops.h ++++ b/include/linux/swapops.h +@@ -368,7 +368,8 @@ static inline void num_poisoned_pages_inc(void) + } + #endif + +-#if defined(CONFIG_MEMORY_FAILURE) || defined(CONFIG_MIGRATION) ++#if defined(CONFIG_MEMORY_FAILURE) || defined(CONFIG_MIGRATION) || \ ++ defined(CONFIG_DEVICE_PRIVATE) + static 
inline int non_swap_entry(swp_entry_t entry) + { + return swp_type(entry) >= MAX_SWAPFILES; +-- +2.20.1 + diff --git a/queue-4.19/iommu-amd-fix-the-configuration-of-gcr3-table-root-p.patch b/queue-4.19/iommu-amd-fix-the-configuration-of-gcr3-table-root-p.patch new file mode 100644 index 00000000000..be176a5241d --- /dev/null +++ b/queue-4.19/iommu-amd-fix-the-configuration-of-gcr3-table-root-p.patch @@ -0,0 +1,38 @@ +From 0006cc0624f9a8f1ddc7f57a79497a6638ac45da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Feb 2020 18:44:51 +0800 +Subject: iommu/amd: Fix the configuration of GCR3 table root pointer + +From: Adrian Huang + +[ Upstream commit c20f36534666e37858a14e591114d93cc1be0d34 ] + +The SPA of the GCR3 table root pointer[51:31] masks 20 bits. However, +this requires 21 bits (Please see the AMD IOMMU specification). +This leads to the potential failure when the bit 51 of SPA of +the GCR3 table root pointer is 1'. + +Signed-off-by: Adrian Huang +Fixes: 52815b75682e2 ("iommu/amd: Add support for IOMMUv2 domain mode") +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/amd_iommu_types.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/iommu/amd_iommu_types.h b/drivers/iommu/amd_iommu_types.h +index 69f3d4c95b530..859b06424e5c4 100644 +--- a/drivers/iommu/amd_iommu_types.h ++++ b/drivers/iommu/amd_iommu_types.h +@@ -352,7 +352,7 @@ + + #define DTE_GCR3_VAL_A(x) (((x) >> 12) & 0x00007ULL) + #define DTE_GCR3_VAL_B(x) (((x) >> 15) & 0x0ffffULL) +-#define DTE_GCR3_VAL_C(x) (((x) >> 31) & 0xfffffULL) ++#define DTE_GCR3_VAL_C(x) (((x) >> 31) & 0x1fffffULL) + + #define DTE_GCR3_INDEX_A 0 + #define DTE_GCR3_INDEX_B 1 +-- +2.20.1 + diff --git a/queue-4.19/iommu-vt-d-fix-mm-reference-leak.patch b/queue-4.19/iommu-vt-d-fix-mm-reference-leak.patch new file mode 100644 index 00000000000..fe978330506 --- /dev/null +++ b/queue-4.19/iommu-vt-d-fix-mm-reference-leak.patch 
@@ -0,0 +1,47 @@
+From 17b522e4cad2d2d5f969fa2d0aebb144c959c711 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 19 Mar 2020 21:32:30 -0700
+Subject: iommu/vt-d: Fix mm reference leak
+
+From: Jacob Pan
+
+[ Upstream commit 902baf61adf6b187f0a6b789e70d788ea71ff5bc ]
+
+Move canonical address check before mmget_not_zero() to avoid mm
+reference leak.
+
+Fixes: 9d8c3af31607 ("iommu/vt-d: IOMMU Page Request needs to check if address is canonical.")
+Signed-off-by: Jacob Pan
+Acked-by: Lu Baolu
+Signed-off-by: Joerg Roedel
+Signed-off-by: Sasha Levin
+---
+ drivers/iommu/intel-svm.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/iommu/intel-svm.c b/drivers/iommu/intel-svm.c
+index 5944d3b4dca37..ef3aadec980ee 100644
+--- a/drivers/iommu/intel-svm.c
++++ b/drivers/iommu/intel-svm.c
+@@ -620,14 +620,15 @@ static irqreturn_t prq_event_thread(int irq, void *d)
+ * any faults on kernel addresses. */
+ if (!svm->mm)
+ goto bad_req;
+- /* If the mm is already defunct, don't handle faults. */
+- if (!mmget_not_zero(svm->mm))
+- goto bad_req;
+
+ /* If address is not canonical, return invalid response */
+ if (!is_canonical_address(address))
+ goto bad_req;
+
++ /* If the mm is already defunct, don't handle faults. */
++ if (!mmget_not_zero(svm->mm))
++ goto bad_req;
++
+ down_read(&svm->mm->mmap_sem);
+ vma = find_extend_vma(svm->mm, address);
+ if (!vma || address < vma->vm_start)
+--
+2.20.1
+
diff --git a/queue-4.19/kvm-s390-vsie-fix-possible-race-when-shadowing-regio.patch b/queue-4.19/kvm-s390-vsie-fix-possible-race-when-shadowing-regio.patch
new file mode 100644
index 00000000000..73caba35076
--- /dev/null
+++ b/queue-4.19/kvm-s390-vsie-fix-possible-race-when-shadowing-regio.patch
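Review bot: The fix relies on `mmget_not_zero(svm->mm)` being the last check that jumps to `bad_req`, but nothing in prq_event_thread() records that rule, and the leak being fixed came from a check placed after the reference was taken. A comment above the moved block would keep the ordering from regressing, for example `/* Take the mm reference last: no goto bad_req may follow, that path does not mmput(). */`. The `bad_req` label and the exit used by the `!vma` test are outside the hunk, so how they handle the reference is inferred from the commit message rather than confirmed.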
@@ -0,0 +1,52 @@ +From 15ffe43ada2e7e471b688f02f86261ef732f822d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Apr 2020 17:30:48 +0200 +Subject: KVM: s390: vsie: Fix possible race when shadowing region 3 tables + +From: David Hildenbrand + +[ Upstream commit 1493e0f944f3c319d11e067c185c904d01c17ae5 ] + +We have to properly retry again by returning -EINVAL immediately in case +somebody else instantiated the table concurrently. We missed to add the +goto in this function only. The code now matches the other, similar +shadowing functions. + +We are overwriting an existing region 2 table entry. All allocated pages +are added to the crst_list to be freed later, so they are not lost +forever. However, when unshadowing the region 2 table, we wouldn't trigger +unshadowing of the original shadowed region 3 table that we replaced. It +would get unshadowed when the original region 3 table is modified. As it's +not connected to the page table hierarchy anymore, it's not going to get +used anymore. However, for a limited time, this page table will stick +around, so it's in some sense a temporary memory leak. + +Identified by manual code inspection. I don't think this classifies as +stable material. 
+ +Fixes: 998f637cc4b9 ("s390/mm: avoid races on region/segment/page table shadowing") +Signed-off-by: David Hildenbrand +Link: https://lore.kernel.org/r/20200403153050.20569-4-david@redhat.com +Reviewed-by: Claudio Imbrenda +Reviewed-by: Christian Borntraeger +Signed-off-by: Christian Borntraeger +Signed-off-by: Sasha Levin +--- + arch/s390/mm/gmap.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/s390/mm/gmap.c b/arch/s390/mm/gmap.c +index b56c4fdb15178..7cde0f2f52e14 100644 +--- a/arch/s390/mm/gmap.c ++++ b/arch/s390/mm/gmap.c +@@ -1838,6 +1838,7 @@ int gmap_shadow_r3t(struct gmap *sg, unsigned long saddr, unsigned long r3t, + goto out_free; + } else if (*table & _REGION_ENTRY_ORIGIN) { + rc = -EAGAIN; /* Race with shadow */ ++ goto out_free; + } + crst_table_init(s_r3t, _REGION3_ENTRY_EMPTY); + /* mark as invalid as long as the parent table is not protected */ +-- +2.20.1 + diff --git a/queue-4.19/libnvdimm-out-of-bounds-read-in-__nd_ioctl.patch b/queue-4.19/libnvdimm-out-of-bounds-read-in-__nd_ioctl.patch new file mode 100644 index 00000000000..4b4e9eeb9fc --- /dev/null +++ b/queue-4.19/libnvdimm-out-of-bounds-read-in-__nd_ioctl.patch 
@@ -0,0 +1,43 @@ +From 7bc557cd94fdd95f4f5454a12085a804917c8f77 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Feb 2020 19:20:56 +0300 +Subject: libnvdimm: Out of bounds read in __nd_ioctl() + +From: Dan Carpenter + +[ Upstream commit f84afbdd3a9e5e10633695677b95422572f920dc ] + +The "cmd" comes from the user and it can be up to 255. It it's more +than the number of bits in long, it results out of bounds read when we +check test_bit(cmd, &cmd_mask). The highest valid value for "cmd" is +ND_CMD_CALL (10) so I added a compare against that. + +Fixes: 62232e45f4a2 ("libnvdimm: control (ioctl) messages for nvdimm_bus and nvdimm devices") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/20200225162055.amtosfy7m35aivxg@kili.mountain +Signed-off-by: Dan Williams +Signed-off-by: Sasha Levin +--- + drivers/nvdimm/bus.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/nvdimm/bus.c b/drivers/nvdimm/bus.c +index 54a633e8cb5d2..48a070a37ea9b 100644 +--- a/drivers/nvdimm/bus.c ++++ b/drivers/nvdimm/bus.c +@@ -984,8 +984,10 @@ static int __nd_ioctl(struct nvdimm_bus *nvdimm_bus, struct nvdimm *nvdimm, + return -EFAULT; + } + +- if (!desc || (desc->out_num + desc->in_num == 0) || +- !test_bit(cmd, &cmd_mask)) ++ if (!desc || ++ (desc->out_num + desc->in_num == 0) || ++ cmd > ND_CMD_CALL || ++ !test_bit(cmd, &cmd_mask)) + return -ENOTTY; + + /* fail write commands (when read-only) */ +-- +2.20.1 + diff --git a/queue-4.19/nfs-direct.c-fix-memory-leak-of-dreq-when-nfs_get_lo.patch b/queue-4.19/nfs-direct.c-fix-memory-leak-of-dreq-when-nfs_get_lo.patch new file mode 100644 index 00000000000..b435a20fea2 --- /dev/null +++ b/queue-4.19/nfs-direct.c-fix-memory-leak-of-dreq-when-nfs_get_lo.patch 
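Review bot: In the `__nd_ioctl()` hunk the new `cmd > ND_CMD_CALL` test only protects `test_bit(cmd, &cmd_mask)` because it comes before it in the `||` chain, and nothing in the code records that ordering requirement. A one-line comment above the condition, for example `/* cmd is user-controlled: bound it before using it as a bit index into cmd_mask */`, would keep a later reshuffle of the condition from reintroducing the out-of-bounds read. The declaration of `cmd` and the lookup that produces `desc` are outside the hunk, so it is worth confirming that `desc` is also derived from a bounded index. The function starts and ends outside the hunk.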
@@ -0,0 +1,51 @@ +From bf96764871bfbaa2a016186445df5a7707bc6a7d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Aug 2019 17:01:22 +0900 +Subject: NFS: direct.c: Fix memory leak of dreq when nfs_get_lock_context + fails + +From: Misono Tomohiro + +[ Upstream commit 8605cf0e852af3b2c771c18417499dc4ceed03d5 ] + +When dreq is allocated by nfs_direct_req_alloc(), dreq->kref is +initialized to 2. Therefore we need to call nfs_direct_req_release() +twice to release the allocated dreq. Usually it is called in +nfs_file_direct_{read, write}() and nfs_direct_complete(). + +However, current code only calls nfs_direct_req_relese() once if +nfs_get_lock_context() fails in nfs_file_direct_{read, write}(). +So, that case would result in memory leak. + +Fix this by adding the missing call. + +Signed-off-by: Misono Tomohiro +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/direct.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/nfs/direct.c b/fs/nfs/direct.c +index c61bd3fc723ee..e5da9d7fb69e9 100644 +--- a/fs/nfs/direct.c ++++ b/fs/nfs/direct.c +@@ -600,6 +600,7 @@ ssize_t nfs_file_direct_read(struct kiocb *iocb, struct iov_iter *iter) + l_ctx = nfs_get_lock_context(dreq->ctx); + if (IS_ERR(l_ctx)) { + result = PTR_ERR(l_ctx); ++ nfs_direct_req_release(dreq); + goto out_release; + } + dreq->l_ctx = l_ctx; +@@ -1023,6 +1024,7 @@ ssize_t nfs_file_direct_write(struct kiocb *iocb, struct iov_iter *iter) + l_ctx = nfs_get_lock_context(dreq->ctx); + if (IS_ERR(l_ctx)) { + result = PTR_ERR(l_ctx); ++ nfs_direct_req_release(dreq); + goto out_release; + } + dreq->l_ctx = l_ctx; +-- +2.20.1 + diff --git a/queue-4.19/nfs-fix-memory-leaks-in-nfs_pageio_stop_mirroring.patch b/queue-4.19/nfs-fix-memory-leaks-in-nfs_pageio_stop_mirroring.patch new file mode 100644 index 00000000000..5a20e541601 --- /dev/null +++ b/queue-4.19/nfs-fix-memory-leaks-in-nfs_pageio_stop_mirroring.patch 
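Review bot: The added `nfs_direct_req_release(dreq);` before `goto out_release` in `nfs_file_direct_read()`, and identically in `nfs_file_direct_write()`, reads like a double put unless the reader knows the kref starts at 2, which only the commit message states. A comment on the added line, for example `/* drop the reference nfs_direct_complete() would have put */`, would stop a later cleanup from turning it back into a leak or from adding a third put. The `out_release` label is outside both hunks; presumably it drops the remaining reference, so `dreq` must not be touched after it. Both functions start and end outside the hunks.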
@@ -0,0 +1,56 @@ +From b7ec318bbb424d15dd83d27a68fd40b8d9ddb2d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 29 Mar 2020 20:06:45 -0400 +Subject: NFS: Fix memory leaks in nfs_pageio_stop_mirroring() + +From: Trond Myklebust + +[ Upstream commit 862f35c94730c9270833f3ad05bd758a29f204ed ] + +If we just set the mirror count to 1 without first clearing out +the mirrors, we can leak queued up requests. + +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/pagelist.c | 17 ++++++++--------- + 1 file changed, 8 insertions(+), 9 deletions(-) + +diff --git a/fs/nfs/pagelist.c b/fs/nfs/pagelist.c +index 9cf59e2622f8e..5dae7c85d9b6e 100644 +--- a/fs/nfs/pagelist.c ++++ b/fs/nfs/pagelist.c +@@ -865,15 +865,6 @@ static void nfs_pageio_setup_mirroring(struct nfs_pageio_descriptor *pgio, + pgio->pg_mirror_count = mirror_count; + } + +-/* +- * nfs_pageio_stop_mirroring - stop using mirroring (set mirror count to 1) +- */ +-void nfs_pageio_stop_mirroring(struct nfs_pageio_descriptor *pgio) +-{ +- pgio->pg_mirror_count = 1; +- pgio->pg_mirror_idx = 0; +-} +- + static void nfs_pageio_cleanup_mirroring(struct nfs_pageio_descriptor *pgio) + { + pgio->pg_mirror_count = 1; +@@ -1302,6 +1293,14 @@ void nfs_pageio_cond_complete(struct nfs_pageio_descriptor *desc, pgoff_t index) + } + } + ++/* ++ * nfs_pageio_stop_mirroring - stop using mirroring (set mirror count to 1) ++ */ ++void nfs_pageio_stop_mirroring(struct nfs_pageio_descriptor *pgio) ++{ ++ nfs_pageio_complete(pgio); ++} ++ + int __init nfs_init_nfspagecache(void) + { + nfs_page_cachep = kmem_cache_create("nfs_page", +-- +2.20.1 + diff --git a/queue-4.19/nfsv4-pnfs-return-valid-stateids-in-nfs_layout_find_.patch b/queue-4.19/nfsv4-pnfs-return-valid-stateids-in-nfs_layout_find_.patch new file mode 100644 index 00000000000..00c923a34b3 --- /dev/null +++ b/queue-4.19/nfsv4-pnfs-return-valid-stateids-in-nfs_layout_find_.patch 
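Review bot: The comment kept above the relocated `nfs_pageio_stop_mirroring()` still says "(set mirror count to 1)", but the new body is a single call to `nfs_pageio_complete(pgio)`, so the comment no longer describes what the function does. Going by the commit message, the point is to clear out queued requests on the mirrors first; the comment should say so, for example `/* nfs_pageio_stop_mirroring - complete queued requests on all mirrors, then stop using mirroring */`. `nfs_pageio_complete()` is defined outside the hunk, so whether it also resets the mirror count and index as the old body did should be confirmed before the wording is final.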
@@ -0,0 +1,37 @@ +From a89c90513242765f99922d5c9485818b0bef0393 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Feb 2020 11:01:12 -0500 +Subject: NFSv4/pnfs: Return valid stateids in + nfs_layout_find_inode_by_stateid() + +From: Trond Myklebust + +[ Upstream commit d911c57a19551c6bef116a3b55c6b089901aacb0 ] + +Make sure to test the stateid for validity so that we catch instances +where the server may have been reusing stateids in +nfs_layout_find_inode_by_stateid(). + +Fixes: 7b410d9ce460 ("pNFS: Delay getting the layout header in CB_LAYOUTRECALL handlers") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/callback_proc.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/nfs/callback_proc.c b/fs/nfs/callback_proc.c +index 3159673549540..bcc51f131a496 100644 +--- a/fs/nfs/callback_proc.c ++++ b/fs/nfs/callback_proc.c +@@ -130,6 +130,8 @@ static struct inode *nfs_layout_find_inode_by_stateid(struct nfs_client *clp, + + list_for_each_entry_rcu(server, &clp->cl_superblocks, client_link) { + list_for_each_entry(lo, &server->layouts, plh_layouts) { ++ if (!pnfs_layout_is_valid(lo)) ++ continue; + if (stateid != NULL && + !nfs4_stateid_match_other(stateid, &lo->plh_stateid)) + continue; +-- +2.20.1 + diff --git a/queue-4.19/percpu_counter-fix-a-data-race-at-vm_committed_as.patch b/queue-4.19/percpu_counter-fix-a-data-race-at-vm_committed_as.patch new file mode 100644 index 00000000000..512cb6096ff --- /dev/null +++ b/queue-4.19/percpu_counter-fix-a-data-race-at-vm_committed_as.patch 
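Review bot: The new `if (!pnfs_layout_is_valid(lo)) continue;` in the inner loop of `nfs_layout_find_inode_by_stateid()` carries no comment saying why invalid layouts are skipped before the stateid comparison. The stateid being matched arrives in a server callback, so a short comment such as `/* skip invalidated layouts: the server may have reused the stateid */` would document that the lookup must only ever return a live layout. Which lock protects `lo` while its validity is tested is not visible in the hunk; it is worth confirming that the state cannot change between this test and the later use of `lo`. The function continues outside the hunk.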
@@ -0,0 +1,72 @@ +From e13dd99c308ef94d71033c0957ccf18244069bec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Apr 2020 20:10:25 -0700 +Subject: percpu_counter: fix a data race at vm_committed_as + +From: Qian Cai + +[ Upstream commit 7e2345200262e4a6056580f0231cccdaffc825f3 ] + +"vm_committed_as.count" could be accessed concurrently as reported by +KCSAN, + + BUG: KCSAN: data-race in __vm_enough_memory / percpu_counter_add_batch + + write to 0xffffffff9451c538 of 8 bytes by task 65879 on cpu 35: + percpu_counter_add_batch+0x83/0xd0 + percpu_counter_add_batch at lib/percpu_counter.c:91 + __vm_enough_memory+0xb9/0x260 + dup_mm+0x3a4/0x8f0 + copy_process+0x2458/0x3240 + _do_fork+0xaa/0x9f0 + __do_sys_clone+0x125/0x160 + __x64_sys_clone+0x70/0x90 + do_syscall_64+0x91/0xb05 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + + read to 0xffffffff9451c538 of 8 bytes by task 66773 on cpu 19: + __vm_enough_memory+0x199/0x260 + percpu_counter_read_positive at include/linux/percpu_counter.h:81 + (inlined by) __vm_enough_memory at mm/util.c:839 + mmap_region+0x1b2/0xa10 + do_mmap+0x45c/0x700 + vm_mmap_pgoff+0xc0/0x130 + ksys_mmap_pgoff+0x6e/0x300 + __x64_sys_mmap+0x33/0x40 + do_syscall_64+0x91/0xb05 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +The read is outside percpu_counter::lock critical section which results in +a data race. Fix it by adding a READ_ONCE() in +percpu_counter_read_positive() which could also service as the existing +compiler memory barrier. 
+ +Signed-off-by: Qian Cai +Signed-off-by: Andrew Morton +Acked-by: Marco Elver +Link: http://lkml.kernel.org/r/1582302724-2804-1-git-send-email-cai@lca.pw +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/linux/percpu_counter.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/include/linux/percpu_counter.h b/include/linux/percpu_counter.h +index 4f052496cdfd7..0a4f54dd4737b 100644 +--- a/include/linux/percpu_counter.h ++++ b/include/linux/percpu_counter.h +@@ -78,9 +78,9 @@ static inline s64 percpu_counter_read(struct percpu_counter *fbc) + */ + static inline s64 percpu_counter_read_positive(struct percpu_counter *fbc) + { +- s64 ret = fbc->count; ++ /* Prevent reloads of fbc->count */ ++ s64 ret = READ_ONCE(fbc->count); + +- barrier(); /* Prevent reloads of fbc->count */ + if (ret >= 0) + return ret; + return 0; +-- +2.20.1 + diff --git a/queue-4.19/power-supply-axp288_fuel_gauge-broaden-vendor-check-.patch b/queue-4.19/power-supply-axp288_fuel_gauge-broaden-vendor-check-.patch new file mode 100644 index 00000000000..4128de65558 --- /dev/null +++ b/queue-4.19/power-supply-axp288_fuel_gauge-broaden-vendor-check-.patch 
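Review bot: `READ_ONCE(fbc->count)` in `percpu_counter_read_positive()` stops the compiler from reloading the value, but it does not make the lockless read of an `s64` atomic, so on 32-bit builds the load can presumably still tear against a concurrent update. The moved comment "Prevent reloads of fbc->count" does not mention either the lockless access or that limit; something like `/* Lockless read: prevent reloads of fbc->count; the value may be stale */` would state the contract callers get. The sibling `percpu_counter_read()` named in the hunk header is outside the hunk; if it still reads `fbc->count` plainly it has the same race and should be annotated the same way.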
@@ -0,0 +1,50 @@ +From 2f8583d7a44b442b42ab45505acf39d50ae19dbe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Feb 2020 16:59:41 -0600 +Subject: power: supply: axp288_fuel_gauge: Broaden vendor check for Intel + Compute Sticks. + +From: Jeffery Miller + +[ Upstream commit e42fe5b29ac07210297e75f36deefe54edbdbf80 ] + +The Intel Compute Stick `STK1A32SC` can have a system vendor of +"Intel(R) Client Systems". +Broaden the Intel Compute Stick DMI checks so that they match "Intel +Corporation" as well as "Intel(R) Client Systems". + +This fixes an issue where the STK1A32SC compute sticks were still +exposing a battery with the existing blacklist entry. + +Signed-off-by: Jeffery Miller +Reviewed-by: Hans de Goede +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/axp288_fuel_gauge.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/power/supply/axp288_fuel_gauge.c b/drivers/power/supply/axp288_fuel_gauge.c +index ab0b6e78ca02a..157cf5ec6b023 100644 +--- a/drivers/power/supply/axp288_fuel_gauge.c ++++ b/drivers/power/supply/axp288_fuel_gauge.c +@@ -718,14 +718,14 @@ static const struct dmi_system_id axp288_fuel_gauge_blacklist[] = { + { + /* Intel Cherry Trail Compute Stick, Windows version */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Intel Corporation"), ++ DMI_MATCH(DMI_SYS_VENDOR, "Intel"), + DMI_MATCH(DMI_PRODUCT_NAME, "STK1AW32SC"), + }, + }, + { + /* Intel Cherry Trail Compute Stick, version without an OS */ + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Intel Corporation"), ++ DMI_MATCH(DMI_SYS_VENDOR, "Intel"), + DMI_MATCH(DMI_PRODUCT_NAME, "STK1A32SC"), + }, + }, +-- +2.20.1 + diff --git a/queue-4.19/power-supply-bq27xxx_battery-silence-deferred-probe-.patch b/queue-4.19/power-supply-bq27xxx_battery-silence-deferred-probe-.patch new file mode 100644 index 00000000000..f33ef1d137d --- /dev/null +++ b/queue-4.19/power-supply-bq27xxx_battery-silence-deferred-probe-.patch 
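Review bot: Both `DMI_MATCH(DMI_SYS_VENDOR, "Intel")` entries now depend on DMI_MATCH being a substring match, and the comments above the entries do not say that the short vendor string is deliberate. A later cleanup could "correct" it back to a full vendor name and re-expose the battery on these devices; a comment next to the vendor line, for example `/* matches "Intel Corporation" and "Intel(R) Client Systems" */`, would record the intent. With the vendor this loose, the product-name match is what keeps each entry narrow, so it should remain the full model string.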
@@ -0,0 +1,45 @@ +From 12ceec7d29dc61a02d8e297883378c17be7b8720 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Mar 2020 00:51:43 +0300 +Subject: power: supply: bq27xxx_battery: Silence deferred-probe error +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Dmitry Osipenko + +[ Upstream commit 583b53ece0b0268c542a1eafadb62e3d4b0aab8c ] + +The driver fails to probe with -EPROBE_DEFER if battery's power supply +(charger driver) isn't ready yet and this results in a bit noisy error +message in KMSG during kernel's boot up. Let's silence the harmless +error message. + +Signed-off-by: Dmitry Osipenko +Reviewed-by: Andrew F. Davis +Reviewed-by: Pali Rohár +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/bq27xxx_battery.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/power/supply/bq27xxx_battery.c b/drivers/power/supply/bq27xxx_battery.c +index f022e1b550dfe..ff02a917556a9 100644 +--- a/drivers/power/supply/bq27xxx_battery.c ++++ b/drivers/power/supply/bq27xxx_battery.c +@@ -1887,7 +1887,10 @@ int bq27xxx_battery_setup(struct bq27xxx_device_info *di) + + di->bat = power_supply_register_no_ws(di->dev, psy_desc, &psy_cfg); + if (IS_ERR(di->bat)) { +- dev_err(di->dev, "failed to register battery\n"); ++ if (PTR_ERR(di->bat) == -EPROBE_DEFER) ++ dev_dbg(di->dev, "failed to register battery, deferring probe\n"); ++ else ++ dev_err(di->dev, "failed to register battery\n"); + return PTR_ERR(di->bat); + } + +-- +2.20.1 + diff --git a/queue-4.19/powerpc-maple-fix-declaration-made-after-definition.patch b/queue-4.19/powerpc-maple-fix-declaration-made-after-definition.patch new file mode 100644 index 00000000000..d3ce278b90b --- /dev/null +++ b/queue-4.19/powerpc-maple-fix-declaration-made-after-definition.patch 
@@ -0,0 +1,92 @@ +From 3844548bd5fa7309e0004d6cbed86f72aa98b889 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Mar 2020 15:27:29 -0700 +Subject: powerpc/maple: Fix declaration made after definition + +From: Nathan Chancellor + +[ Upstream commit af6cf95c4d003fccd6c2ecc99a598fb854b537e7 ] + +When building ppc64 defconfig, Clang errors (trimmed for brevity): + + arch/powerpc/platforms/maple/setup.c:365:1: error: attribute declaration + must precede definition [-Werror,-Wignored-attributes] + machine_device_initcall(maple, maple_cpc925_edac_setup); + ^ + +machine_device_initcall expands to __define_machine_initcall, which in +turn has the macro machine_is used in it, which declares mach_##name +with an __attribute__((weak)). define_machine actually defines +mach_##name, which in this file happens before the declaration, hence +the warning. + +To fix this, move define_machine after machine_device_initcall so that +the declaration occurs before the definition, which matches how +machine_device_initcall and define_machine work throughout +arch/powerpc. + +While we're here, remove some spaces before tabs. 
+ +Fixes: 8f101a051ef0 ("edac: cpc925 MC platform device setup") +Reported-by: Nick Desaulniers +Suggested-by: Ilie Halip +Signed-off-by: Nathan Chancellor +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200323222729.15365-1-natechancellor@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/maple/setup.c | 34 ++++++++++++++-------------- + 1 file changed, 17 insertions(+), 17 deletions(-) + +diff --git a/arch/powerpc/platforms/maple/setup.c b/arch/powerpc/platforms/maple/setup.c +index b7f937563827d..d1fee2d35b49c 100644 +--- a/arch/powerpc/platforms/maple/setup.c ++++ b/arch/powerpc/platforms/maple/setup.c +@@ -299,23 +299,6 @@ static int __init maple_probe(void) + return 1; + } + +-define_machine(maple) { +- .name = "Maple", +- .probe = maple_probe, +- .setup_arch = maple_setup_arch, +- .init_IRQ = maple_init_IRQ, +- .pci_irq_fixup = maple_pci_irq_fixup, +- .pci_get_legacy_ide_irq = maple_pci_get_legacy_ide_irq, +- .restart = maple_restart, +- .halt = maple_halt, +- .get_boot_time = maple_get_boot_time, +- .set_rtc_time = maple_set_rtc_time, +- .get_rtc_time = maple_get_rtc_time, +- .calibrate_decr = generic_calibrate_decr, +- .progress = maple_progress, +- .power_save = power4_idle, +-}; +- + #ifdef CONFIG_EDAC + /* + * Register a platform device for CPC925 memory controller on +@@ -372,3 +355,20 @@ static int __init maple_cpc925_edac_setup(void) + } + machine_device_initcall(maple, maple_cpc925_edac_setup); + #endif ++ ++define_machine(maple) { ++ .name = "Maple", ++ .probe = maple_probe, ++ .setup_arch = maple_setup_arch, ++ .init_IRQ = maple_init_IRQ, ++ .pci_irq_fixup = maple_pci_irq_fixup, ++ .pci_get_legacy_ide_irq = maple_pci_get_legacy_ide_irq, ++ .restart = maple_restart, ++ .halt = maple_halt, ++ .get_boot_time = maple_get_boot_time, ++ .set_rtc_time = maple_set_rtc_time, ++ .get_rtc_time = maple_get_rtc_time, ++ .calibrate_decr = generic_calibrate_decr, ++ .progress = maple_progress, ++ .power_save = power4_idle, 
++}; +-- +2.20.1 + diff --git a/queue-4.19/rbd-avoid-a-deadlock-on-header_rwsem-when-flushing-n.patch b/queue-4.19/rbd-avoid-a-deadlock-on-header_rwsem-when-flushing-n.patch new file mode 100644 index 00000000000..81eeba25c3e --- /dev/null +++ b/queue-4.19/rbd-avoid-a-deadlock-on-header_rwsem-when-flushing-n.patch 
@@ -0,0 +1,88 @@ +From 6e05f6d895ce51f13744225a983f7adddcf78384 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2020 11:20:51 +0100 +Subject: rbd: avoid a deadlock on header_rwsem when flushing notifies + +From: Ilya Dryomov + +[ Upstream commit 0e4e1de5b63fa423b13593337a27fd2d2b0bcf77 ] + +rbd_unregister_watch() flushes notifies and therefore cannot be called +under header_rwsem because a header update notify takes header_rwsem to +synchronize with "rbd map". If mapping an image fails after the watch +is established and a header update notify sneaks in, we deadlock when +erroring out from rbd_dev_image_probe(). + +Move watch registration and unregistration out of the critical section. +The only reason they were put there was to make header_rwsem management +slightly more obvious. + +Fixes: 811c66887746 ("rbd: fix rbd map vs notify races") +Signed-off-by: Ilya Dryomov +Reviewed-by: Jason Dillaman +Signed-off-by: Sasha Levin +--- + drivers/block/rbd.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c +index d3ad1b8c133e6..8e2df524494cb 100644 +--- a/drivers/block/rbd.c ++++ b/drivers/block/rbd.c +@@ -3427,6 +3427,10 @@ static void cancel_tasks_sync(struct rbd_device *rbd_dev) + cancel_work_sync(&rbd_dev->unlock_work); + } + ++/* ++ * header_rwsem must not be held to avoid a deadlock with ++ * rbd_dev_refresh() when flushing notifies. ++ */ + static void rbd_unregister_watch(struct rbd_device *rbd_dev) + { + WARN_ON(waitqueue_active(&rbd_dev->lock_waitq)); +@@ -5732,6 +5736,9 @@ static void rbd_dev_image_release(struct rbd_device *rbd_dev) + * device. If this image is the one being mapped (i.e., not a + * parent), initiate a watch on its header object before using that + * object to get detailed information about the rbd image. ++ * ++ * On success, returns with header_rwsem held for write if called ++ * with @depth == 0. 
+ */ + static int rbd_dev_image_probe(struct rbd_device *rbd_dev, int depth) + { +@@ -5764,6 +5771,9 @@ static int rbd_dev_image_probe(struct rbd_device *rbd_dev, int depth) + } + } + ++ if (!depth) ++ down_write(&rbd_dev->header_rwsem); ++ + ret = rbd_dev_header_info(rbd_dev); + if (ret) + goto err_out_watch; +@@ -5814,6 +5824,8 @@ static int rbd_dev_image_probe(struct rbd_device *rbd_dev, int depth) + err_out_probe: + rbd_dev_unprobe(rbd_dev); + err_out_watch: ++ if (!depth) ++ up_write(&rbd_dev->header_rwsem); + if (!depth) + rbd_unregister_watch(rbd_dev); + err_out_format: +@@ -5872,12 +5884,9 @@ static ssize_t do_rbd_add(struct bus_type *bus, + goto err_out_rbd_dev; + } + +- down_write(&rbd_dev->header_rwsem); + rc = rbd_dev_image_probe(rbd_dev, 0); +- if (rc < 0) { +- up_write(&rbd_dev->header_rwsem); ++ if (rc < 0) + goto err_out_rbd_dev; +- } + + /* If we are mapping a snapshot it must be marked read-only */ + if (rbd_dev->spec->snap_id != CEPH_NOSNAP) +-- +2.20.1 + diff --git a/queue-4.19/rbd-call-rbd_dev_unprobe-after-unwatching-and-flushi.patch b/queue-4.19/rbd-call-rbd_dev_unprobe-after-unwatching-and-flushi.patch new file mode 100644 index 00000000000..dd4678b89da --- /dev/null +++ b/queue-4.19/rbd-call-rbd_dev_unprobe-after-unwatching-and-flushi.patch 
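Review bot: In the `err_out_watch` path of `rbd_dev_image_probe()` the two back-to-back `if (!depth)` statements hide an ordering requirement: `up_write(&rbd_dev->header_rwsem)` has to run before `rbd_unregister_watch(rbd_dev)`, which is exactly the deadlock this patch removes. Merging them into a single `if (!depth) { ... }` block with a comment such as `/* drop header_rwsem first: rbd_unregister_watch() flushes notifies */` would make the order hard to break by accident. The success path now returns with the semaphore held for write when `depth == 0`; the added kernel-doc line says so, but the matching `up_write()` in `do_rbd_add()` is outside the hunks and should be checked on every exit path there.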
@@ -0,0 +1,81 @@ +From a215a813028e76fe2881004e6f055dfa3164befe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2020 15:52:54 +0100 +Subject: rbd: call rbd_dev_unprobe() after unwatching and flushing notifies + +From: Ilya Dryomov + +[ Upstream commit 952c48b0ed18919bff7528501e9a3fff8a24f8cd ] + +rbd_dev_unprobe() is supposed to undo most of rbd_dev_image_probe(), +including rbd_dev_header_info(), which means that rbd_dev_header_info() +isn't supposed to be called after rbd_dev_unprobe(). + +However, rbd_dev_image_release() calls rbd_dev_unprobe() before +rbd_unregister_watch(). This is racy because a header update notify +can sneak in: + + "rbd unmap" thread ceph-watch-notify worker + + rbd_dev_image_release() + rbd_dev_unprobe() + free and zero out header + rbd_watch_cb() + rbd_dev_refresh() + rbd_dev_header_info() + read in header + +The same goes for "rbd map" because rbd_dev_image_probe() calls +rbd_dev_unprobe() on errors. In both cases this results in a memory +leak. 
+ +Fixes: fd22aef8b47c ("rbd: move rbd_unregister_watch() call into rbd_dev_image_release()") +Signed-off-by: Ilya Dryomov +Reviewed-by: Jason Dillaman +Signed-off-by: Sasha Levin +--- + drivers/block/rbd.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c +index 8e2df524494cb..1101290971699 100644 +--- a/drivers/block/rbd.c ++++ b/drivers/block/rbd.c +@@ -5723,9 +5723,10 @@ static int rbd_dev_header_name(struct rbd_device *rbd_dev) + + static void rbd_dev_image_release(struct rbd_device *rbd_dev) + { +- rbd_dev_unprobe(rbd_dev); + if (rbd_dev->opts) + rbd_unregister_watch(rbd_dev); ++ ++ rbd_dev_unprobe(rbd_dev); + rbd_dev->image_format = 0; + kfree(rbd_dev->spec->image_id); + rbd_dev->spec->image_id = NULL; +@@ -5776,7 +5777,7 @@ static int rbd_dev_image_probe(struct rbd_device *rbd_dev, int depth) + + ret = rbd_dev_header_info(rbd_dev); + if (ret) +- goto err_out_watch; ++ goto err_out_probe; + + /* + * If this image is the one being mapped, we have pool name and +@@ -5822,12 +5823,11 @@ static int rbd_dev_image_probe(struct rbd_device *rbd_dev, int depth) + return 0; + + err_out_probe: +- rbd_dev_unprobe(rbd_dev); +-err_out_watch: + if (!depth) + up_write(&rbd_dev->header_rwsem); + if (!depth) + rbd_unregister_watch(rbd_dev); ++ rbd_dev_unprobe(rbd_dev); + err_out_format: + rbd_dev->image_format = 0; + kfree(rbd_dev->spec->image_id); +-- +2.20.1 + diff --git a/queue-4.19/rtc-88pm860x-fix-possible-race-condition.patch b/queue-4.19/rtc-88pm860x-fix-possible-race-condition.patch new file mode 100644 index 00000000000..e73d260a730 --- /dev/null +++ b/queue-4.19/rtc-88pm860x-fix-possible-race-condition.patch 
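Review bot: With `goto err_out_probe` replacing `goto err_out_watch` after a failed `rbd_dev_header_info()`, `rbd_dev_unprobe(rbd_dev)` now also runs when the header was never read in. Whether `rbd_dev_unprobe()` is safe on a device whose header fields are still unset is not visible in these hunks and should be confirmed; a comment at the label such as `/* rbd_dev_unprobe() must tolerate a header that was never populated */` would record the assumption. The order the fix depends on, unregistering the watch before unprobing, is also undocumented both at the label and in `rbd_dev_image_release()`; a one-line comment in each place would help.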
@@ -0,0 +1,62 @@ +From 3c7182ebcae934eaf31c919b236391148bcd8579 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Mar 2020 23:39:51 +0100 +Subject: rtc: 88pm860x: fix possible race condition + +From: Alexandre Belloni + +[ Upstream commit 9cf4789e6e4673d0b2c96fa6bb0c35e81b43111a ] + +The RTC IRQ is requested before the struct rtc_device is allocated, +this may lead to a NULL pointer dereference in the IRQ handler. + +To fix this issue, allocating the rtc_device struct before requesting +the RTC IRQ using devm_rtc_allocate_device, and use rtc_register_device +to register the RTC device. + +Also remove the unnecessary error message as the core already prints the +info. + +Link: https://lore.kernel.org/r/20200311223956.51352-1-alexandre.belloni@bootlin.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-88pm860x.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/drivers/rtc/rtc-88pm860x.c b/drivers/rtc/rtc-88pm860x.c +index 73697e4b18a9d..9d4a59aa29a1a 100644 +--- a/drivers/rtc/rtc-88pm860x.c ++++ b/drivers/rtc/rtc-88pm860x.c +@@ -341,6 +341,10 @@ static int pm860x_rtc_probe(struct platform_device *pdev) + info->dev = &pdev->dev; + dev_set_drvdata(&pdev->dev, info); + ++ info->rtc_dev = devm_rtc_allocate_device(&pdev->dev); ++ if (IS_ERR(info->rtc_dev)) ++ return PTR_ERR(info->rtc_dev); ++ + ret = devm_request_threaded_irq(&pdev->dev, info->irq, NULL, + rtc_update_handler, IRQF_ONESHOT, "rtc", + info); +@@ -382,13 +386,11 @@ static int pm860x_rtc_probe(struct platform_device *pdev) + } + } + +- info->rtc_dev = devm_rtc_device_register(&pdev->dev, "88pm860x-rtc", +- &pm860x_rtc_ops, THIS_MODULE); +- ret = PTR_ERR(info->rtc_dev); +- if (IS_ERR(info->rtc_dev)) { +- dev_err(&pdev->dev, "Failed to register RTC device: %d\n", ret); ++ info->rtc_dev->ops = &pm860x_rtc_ops; ++ ++ ret = rtc_register_device(info->rtc_dev); ++ if (ret) + return ret; +- } + + /* + * enable internal XO instead of 
internal 3.25MHz clock since it can +-- +2.20.1 + diff --git a/queue-4.19/s390-cpuinfo-fix-wrong-output-when-cpu0-is-offline.patch b/queue-4.19/s390-cpuinfo-fix-wrong-output-when-cpu0-is-offline.patch new file mode 100644 index 00000000000..038aed31461 --- /dev/null +++ b/queue-4.19/s390-cpuinfo-fix-wrong-output-when-cpu0-is-offline.patch @@ -0,0 +1,49 @@ +From 2a8f24c9b07f1ce8cd3e629e96ecf409317c3cb0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2020 12:39:55 +0100 +Subject: s390/cpuinfo: fix wrong output when CPU0 is offline + +From: Alexander Gordeev + +[ Upstream commit 872f27103874a73783aeff2aac2b41a489f67d7c ] + +/proc/cpuinfo should not print information about CPU 0 when it is offline. + +Fixes: 281eaa8cb67c ("s390/cpuinfo: simplify locking and skip offline cpus early") +Signed-off-by: Alexander Gordeev +Reviewed-by: Heiko Carstens +[heiko.carstens@de.ibm.com: shortened commit message] +Signed-off-by: Heiko Carstens +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/processor.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/arch/s390/kernel/processor.c b/arch/s390/kernel/processor.c +index 6fe2e1875058b..675d4be0c2b77 100644 +--- a/arch/s390/kernel/processor.c ++++ b/arch/s390/kernel/processor.c +@@ -157,8 +157,9 @@ static void show_cpu_mhz(struct seq_file *m, unsigned long n) + static int show_cpuinfo(struct seq_file *m, void *v) + { + unsigned long n = (unsigned long) v - 1; ++ unsigned long first = cpumask_first(cpu_online_mask); + +- if (!n) ++ if (n == first) + show_cpu_summary(m, v); + if (!machine_has_cpu_mhz) + return 0; +@@ -171,6 +172,8 @@ static inline void *c_update(loff_t *pos) + { + if (*pos) + *pos = cpumask_next(*pos - 1, cpu_online_mask); ++ else ++ *pos = cpumask_first(cpu_online_mask); + return *pos < nr_cpu_ids ? (void *)*pos + 1 : NULL; + } + +-- +2.20.1 + 
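Review bot: In `pm860x_rtc_probe()` the IRQ is still requested before `info->rtc_dev->ops = &pm860x_rtc_ops;` is assigned in the second hunk, so `rtc_update_handler` can in principle run against a device that is allocated but has no ops yet. That is presumably harmless if the RTC core checks for missing ops, but setting `ops` directly after `devm_rtc_allocate_device()` would mean the device is fully described before the handler can fire. The handler body and the code between the two hunks are not visible here.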
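Review bot: `show_cpuinfo()` recomputes `cpumask_first(cpu_online_mask)` on every call while `c_update()` picks the starting CPU from the same mask separately, so the summary is printed exactly once only if the online mask cannot change during the walk. Presumably the seq_file start and stop callbacks hold the CPU hotplug lock, but they are outside the hunks. A comment on the new `first` variable, for example `/* relies on the CPU hotplug lock held across the seq_file walk */`, would make that dependency explicit.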
diff --git a/queue-4.19/s390-cpum_sf-fix-wrong-page-count-in-error-message.patch b/queue-4.19/s390-cpum_sf-fix-wrong-page-count-in-error-message.patch
new file mode 100644
index 00000000000..db989fc69a5
--- /dev/null
+++ b/queue-4.19/s390-cpum_sf-fix-wrong-page-count-in-error-message.patch
@@ -0,0 +1,54 @@ +From ee28a58c8b9c15fc3709a7ef7ac67c2779b28b8e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Mar 2020 11:09:07 +0100 +Subject: s390/cpum_sf: Fix wrong page count in error message + +From: Thomas Richter + +[ Upstream commit 4141b6a5e9f171325effc36a22eb92bf961e7a5c ] + +When perf record -e SF_CYCLES_BASIC_DIAG runs with very high +frequency, the samples arrive faster than the perf process can +save them to file. Eventually, for longer running processes, this +leads to the siutation where the trace buffers allocated by perf +slowly fills up. At one point the auxiliary trace buffer is full +and the CPU Measurement sampling facility is turned off. Furthermore +a warning is printed to the kernel log buffer: + +cpum_sf: The AUX buffer with 0 pages for the diagnostic-sampling + mode is full + +The number of allocated pages for the auxiliary trace buffer is shown +as zero pages. That is wrong. + +Fix this by saving the number of allocated pages before entering the +work loop in the interrupt handler. When the interrupt handler processes +the samples, it may detect the buffer full condition and stop sampling, +reducing the buffer size to zero. +Print the correct value in the error message: + +cpum_sf: The AUX buffer with 256 pages for the diagnostic-sampling + mode is full + +Signed-off-by: Thomas Richter +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/perf_cpum_sf.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/s390/kernel/perf_cpum_sf.c b/arch/s390/kernel/perf_cpum_sf.c +index 5bfb1ce129f4b..74a296cea21cc 100644 +--- a/arch/s390/kernel/perf_cpum_sf.c ++++ b/arch/s390/kernel/perf_cpum_sf.c +@@ -1537,6 +1537,7 @@ static void hw_collect_aux(struct cpu_hw_sf *cpuhw) + perf_aux_output_end(handle, size); + num_sdb = aux->sfb.num_sdb; + ++ num_sdb = aux->sfb.num_sdb; + while (!done) { + /* Get an output handle */ + aux = perf_aux_output_begin(handle, cpuhw->event); +-- +2.20.1 + 
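Review bot: The added `num_sdb = aux->sfb.num_sdb;` in `hw_collect_aux()` duplicates the identical assignment that already appears as a context line two lines above it, so as queued this patch changes no behaviour. It looks as if the fix is already present in the 4.19 tree, or the hunk was applied against the wrong context. The patch should be dropped from the queue or re-checked against upstream commit 4141b6a5e9f171325effc36a22eb92bf961e7a5c rather than applied as it stands. The rest of the function is outside the hunk.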
diff --git a/queue-4.19/series b/queue-4.19/series
index 885736f075b..c61e968dcda 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -15,3 +15,40 @@ of-overlay-kmemleak-in-dup_and_fixup_symbol_prop.patch
 x86-hyper-v-report-crash-register-data-or-kmsg-before-running-crash-kernel.patch
 lib-raid6-use-vdupq_n_u8-to-avoid-endianness-warnings.patch
 video-fbdev-sis-remove-unnecessary-parentheses-and-commented-code.patch
+rbd-avoid-a-deadlock-on-header_rwsem-when-flushing-n.patch
+rbd-call-rbd_dev_unprobe-after-unwatching-and-flushi.patch
+xsk-add-missing-check-on-user-supplied-headroom-size.patch
+x86-hyper-v-unload-vmbus-channel-in-hv-panic-callbac.patch
+x86-hyper-v-free-hv_panic_page-when-fail-to-register.patch
+x86-hyper-v-trigger-crash-enlightenment-only-once-du.patch
+x86-hyper-v-report-crash-register-data-when-sysctl_r.patch
+x86-hyper-v-report-crash-data-in-die-when-panic_on_o.patch
+clk-at91-usb-continue-if-clk_hw_round_rate-return-ze.patch
+power-supply-bq27xxx_battery-silence-deferred-probe-.patch
+clk-tegra-fix-tegra-pmc-clock-out-parents.patch
+soc-imx-gpc-fix-power-up-sequencing.patch
+rtc-88pm860x-fix-possible-race-condition.patch
+nfsv4-pnfs-return-valid-stateids-in-nfs_layout_find_.patch
+nfs-direct.c-fix-memory-leak-of-dreq-when-nfs_get_lo.patch
+s390-cpuinfo-fix-wrong-output-when-cpu0-is-offline.patch
+powerpc-maple-fix-declaration-made-after-definition.patch
+s390-cpum_sf-fix-wrong-page-count-in-error-message.patch
+ext4-do-not-commit-super-on-read-only-bdev.patch
+um-ubd-prevent-buffer-overrun-on-command-completion.patch
+cifs-allocate-encryption-header-through-kmalloc.patch
+include-linux-swapops.h-correct-guards-for-non_swap_.patch
+percpu_counter-fix-a-data-race-at-vm_committed_as.patch
+compiler.h-fix-error-in-build_bug_on-reporting.patch
+kvm-s390-vsie-fix-possible-race-when-shadowing-regio.patch
+x86-acpi-fix-cpu-hotplug-deadlock.patch
+drm-amdkfd-kfree-the-wrong-pointer.patch
+nfs-fix-memory-leaks-in-nfs_pageio_stop_mirroring.patch
+f2fs-fix-null-pointer-dereference-in-f2fs_write_begi.patch
+drm-vc4-fix-hdmi-mode-validation.patch
+iommu-vt-d-fix-mm-reference-leak.patch
+ext2-fix-empty-body-warnings-when-wextra-is-used.patch
+ext2-fix-debug-reference-to-ext2_xattr_cache.patch
+power-supply-axp288_fuel_gauge-broaden-vendor-check-.patch
+libnvdimm-out-of-bounds-read-in-__nd_ioctl.patch
+iommu-amd-fix-the-configuration-of-gcr3-table-root-p.patch
+f2fs-fix-to-wait-all-node-page-writeback.patch
diff --git a/queue-4.19/soc-imx-gpc-fix-power-up-sequencing.patch b/queue-4.19/soc-imx-gpc-fix-power-up-sequencing.patch
new file mode 100644
index 00000000000..35726a7a59f
--- /dev/null
+++ b/queue-4.19/soc-imx-gpc-fix-power-up-sequencing.patch
@@ -0,0 +1,78 @@
+From 1e89ef8ba56052eafd98fbf2f3b2dcdd00c12d95 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 13 Mar 2020 11:09:12 +0100
+Subject: soc: imx: gpc: fix power up sequencing
+
+From: Lucas Stach
+
+[ Upstream commit e0ea2d11f8a08ba7066ff897e16c5217215d1e68 ]
+
+Currently we wait only until the PGC inverts the isolation setting
+before disabling the peripheral clocks. This doesn't ensure that the
+reset is properly propagated through the peripheral devices in the
+power domain.
+
+Wait until the PGC signals that the power up request is done and
+wait a bit for resets to propagate before disabling the clocks.
+
+Signed-off-by: Lucas Stach
+Signed-off-by: Shawn Guo
+Signed-off-by: Sasha Levin
+---
+ drivers/soc/imx/gpc.c | 24 +++++++++++++-----------
+ 1 file changed, 13 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/soc/imx/gpc.c b/drivers/soc/imx/gpc.c
+index d160fc2a7b7a2..56c019ec7f14a 100644
+--- a/drivers/soc/imx/gpc.c
++++ b/drivers/soc/imx/gpc.c
+@@ -93,8 +93,8 @@ static int imx6_pm_domain_power_off(struct generic_pm_domain *genpd)
+ static int imx6_pm_domain_power_on(struct generic_pm_domain *genpd)
+ {
+ struct imx_pm_domain *pd = to_imx_pm_domain(genpd);
+- int i, ret, sw, sw2iso;
+- u32 val;
++ int i, ret;
++ u32 val, req;
+
+ if (pd->supply) {
+ ret = regulator_enable(pd->supply);
+@@ -113,17 +113,18 @@ static int imx6_pm_domain_power_on(struct generic_pm_domain *genpd)
+ regmap_update_bits(pd->regmap, pd->reg_offs + GPC_PGC_CTRL_OFFS,
+ 0x1, 0x1);
+
+- /* Read ISO and ISO2SW power up delays */
+- regmap_read(pd->regmap, pd->reg_offs + GPC_PGC_PUPSCR_OFFS, &val);
+- sw = val & 0x3f;
+- sw2iso = (val >> 8) & 0x3f;
+-
+ /* Request GPC to power up domain */
+- val = BIT(pd->cntr_pdn_bit + 1);
+- regmap_update_bits(pd->regmap, GPC_CNTR, val, val);
++ req = BIT(pd->cntr_pdn_bit + 1);
++ regmap_update_bits(pd->regmap, GPC_CNTR, req, req);
+
+- /* Wait ISO + ISO2SW IPG clock cycles */
+- udelay(DIV_ROUND_UP(sw + sw2iso, pd->ipg_rate_mhz));
++ /* Wait for the PGC to handle the request */
++ ret = regmap_read_poll_timeout(pd->regmap, GPC_CNTR, val, !(val & req),
++ 1, 50);
++ if (ret)
++ pr_err("powerup request on domain %s timed out\n", genpd->name);
++
++ /* Wait for reset to propagate through peripherals */
++ usleep_range(5, 10);
+
+ /* Disable reset clocks for all devices in the domain */
+ for (i = 0; i < pd->num_clks; i++)
+@@ -345,6 +346,7 @@ static const struct regmap_config imx_gpc_regmap_config = {
+ .rd_table = &access_table,
+ .wr_table = &access_table,
+ .max_register = 0x2ac,
++ .fast_io = true,
+ };
+
+ static struct generic_pm_domain *imx_gpc_onecell_domains[] = {
+--
+2.20.1
+
diff --git a/queue-4.19/um-ubd-prevent-buffer-overrun-on-command-completion.patch b/queue-4.19/um-ubd-prevent-buffer-overrun-on-command-completion.patch
new file mode 100644
index 00000000000..1f7a72e3e78
--- /dev/null
+++ b/queue-4.19/um-ubd-prevent-buffer-overrun-on-command-completion.patch
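Review bot: In `imx6_pm_domain_power_on()` a timeout from `regmap_read_poll_timeout()` is only logged with `pr_err()`, and the function carries on to the reset delay and the clock-disable loop, so a domain that never acknowledged the request is handled as if it had powered up. The rest of the function is outside the hunk, so whether `ret` is returned later cannot be confirmed here; if it is not, callers are told the power-up succeeded. Consider unwinding and returning the error, or state why continuing is safe with a comment such as `/* best effort: continue even if the PGC never cleared the request bit */`. The last hunk's `.fast_io = true` switches the regmap to spinlock-based locking and deserves a one-line comment naming the calling context that requires it.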
@@ -0,0 +1,41 @@
+From aab6bd3db333d462f059b3fc36924c0971c1b4ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 16 Mar 2020 20:45:06 -0400
+Subject: um: ubd: Prevent buffer overrun on command completion
+
+From: Gabriel Krisman Bertazi
+
+[ Upstream commit 6e682d53fc1ef73a169e2a5300326cb23abb32ee ]
+
+On the hypervisor side, when completing commands and the pipe is full,
+we retry writing only the entries that failed, by offsetting
+io_req_buffer, but we don't reduce the number of bytes written, which
+can cause a buffer overrun of io_req_buffer, and write garbage to the
+pipe.
+
+Cc: Martyn Welch
+Signed-off-by: Gabriel Krisman Bertazi
+Signed-off-by: Richard Weinberger
+Signed-off-by: Sasha Levin
+---
+ arch/um/drivers/ubd_kern.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/arch/um/drivers/ubd_kern.c b/arch/um/drivers/ubd_kern.c
+index 83c470364dfb3..748bd0921dfff 100644
+--- a/arch/um/drivers/ubd_kern.c
++++ b/arch/um/drivers/ubd_kern.c
+@@ -1574,7 +1574,9 @@ int io_thread(void *arg)
+ written = 0;
+
+ do {
+- res = os_write_file(kernel_fd, ((char *) io_req_buffer) + written, n);
++ res = os_write_file(kernel_fd,
++ ((char *) io_req_buffer) + written,
++ n - written);
+ if (res >= 0) {
+ written += res;
+ } else {
+--
+2.20.1
+
diff --git a/queue-4.19/x86-acpi-fix-cpu-hotplug-deadlock.patch b/queue-4.19/x86-acpi-fix-cpu-hotplug-deadlock.patch
new file mode 100644
index 00000000000..526abd02423
--- /dev/null
+++ b/queue-4.19/x86-acpi-fix-cpu-hotplug-deadlock.patch
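Review bot: The retry in `io_thread()` now passes `n - written` as the length, but the branch `if (res >= 0)` still counts a zero-byte return from `os_write_file()` as progress. The loop condition is outside the hunk, so it is not visible whether repeated zero-length writes could keep the loop spinning. A short comment stating the invariant would help the next reader, for example `/* written <= n: only the unsent tail of io_req_buffer is retried */`.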
@@ -0,0 +1,169 @@
+From 370a6b8903841de9026fedab09be1c13970a44ca Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 3 Apr 2020 10:03:45 -0400
+Subject: x86: ACPI: fix CPU hotplug deadlock
+
+From: Qian Cai
+
+[ Upstream commit 696ac2e3bf267f5a2b2ed7d34e64131f2287d0ad ]
+
+Similar to commit 0266d81e9bf5 ("acpi/processor: Prevent cpu hotplug
+deadlock") except this is for acpi_processor_ffh_cstate_probe():
+
+"The problem is that the work is scheduled on the current CPU from the
+hotplug thread associated with that CPU.
+
+It's not required to invoke these functions via the workqueue because
+the hotplug thread runs on the target CPU already.
+
+Check whether current is a per cpu thread pinned on the target CPU and
+invoke the function directly to avoid the workqueue."
+
+ WARNING: possible circular locking dependency detected
+ ------------------------------------------------------
+ cpuhp/1/15 is trying to acquire lock:
+ ffffc90003447a28 ((work_completion)(&wfc.work)){+.+.}-{0:0}, at: __flush_work+0x4c6/0x630
+
+ but task is already holding lock:
+ ffffffffafa1c0e8 (cpuidle_lock){+.+.}-{3:3}, at: cpuidle_pause_and_lock+0x17/0x20
+
+ which lock already depends on the new lock.
+
+ the existing dependency chain (in reverse order) is:
+
+ -> #1 (cpu_hotplug_lock){++++}-{0:0}:
+ cpus_read_lock+0x3e/0xc0
+ irq_calc_affinity_vectors+0x5f/0x91
+ __pci_enable_msix_range+0x10f/0x9a0
+ pci_alloc_irq_vectors_affinity+0x13e/0x1f0
+ pci_alloc_irq_vectors_affinity at drivers/pci/msi.c:1208
+ pqi_ctrl_init+0x72f/0x1618 [smartpqi]
+ pqi_pci_probe.cold.63+0x882/0x892 [smartpqi]
+ local_pci_probe+0x7a/0xc0
+ work_for_cpu_fn+0x2e/0x50
+ process_one_work+0x57e/0xb90
+ worker_thread+0x363/0x5b0
+ kthread+0x1f4/0x220
+ ret_from_fork+0x27/0x50
+
+ -> #0 ((work_completion)(&wfc.work)){+.+.}-{0:0}:
+ __lock_acquire+0x2244/0x32a0
+ lock_acquire+0x1a2/0x680
+ __flush_work+0x4e6/0x630
+ work_on_cpu+0x114/0x160
+ acpi_processor_ffh_cstate_probe+0x129/0x250
+ acpi_processor_evaluate_cst+0x4c8/0x580
+ acpi_processor_get_power_info+0x86/0x740
+ acpi_processor_hotplug+0xc3/0x140
+ acpi_soft_cpu_online+0x102/0x1d0
+ cpuhp_invoke_callback+0x197/0x1120
+ cpuhp_thread_fun+0x252/0x2f0
+ smpboot_thread_fn+0x255/0x440
+ kthread+0x1f4/0x220
+ ret_from_fork+0x27/0x50
+
+ other info that might help us debug this:
+
+ Chain exists of:
+ (work_completion)(&wfc.work) --> cpuhp_state-up --> cpuidle_lock
+
+ Possible unsafe locking scenario:
+
+ CPU0 CPU1
+ ---- ----
+ lock(cpuidle_lock);
+ lock(cpuhp_state-up);
+ lock(cpuidle_lock);
+ lock((work_completion)(&wfc.work));
+
+ *** DEADLOCK ***
+
+ 3 locks held by cpuhp/1/15:
+ #0: ffffffffaf51ab10 (cpu_hotplug_lock){++++}-{0:0}, at: cpuhp_thread_fun+0x69/0x2f0
+ #1: ffffffffaf51ad40 (cpuhp_state-up){+.+.}-{0:0}, at: cpuhp_thread_fun+0x69/0x2f0
+ #2: ffffffffafa1c0e8 (cpuidle_lock){+.+.}-{3:3}, at: cpuidle_pause_and_lock+0x17/0x20
+
+ Call Trace:
+ dump_stack+0xa0/0xea
+ print_circular_bug.cold.52+0x147/0x14c
+ check_noncircular+0x295/0x2d0
+ __lock_acquire+0x2244/0x32a0
+ lock_acquire+0x1a2/0x680
+ __flush_work+0x4e6/0x630
+ work_on_cpu+0x114/0x160
+ acpi_processor_ffh_cstate_probe+0x129/0x250
+ acpi_processor_evaluate_cst+0x4c8/0x580
+ acpi_processor_get_power_info+0x86/0x740
+ acpi_processor_hotplug+0xc3/0x140
+ acpi_soft_cpu_online+0x102/0x1d0
+ cpuhp_invoke_callback+0x197/0x1120
+ cpuhp_thread_fun+0x252/0x2f0
+ smpboot_thread_fn+0x255/0x440
+ kthread+0x1f4/0x220
+ ret_from_fork+0x27/0x50
+
+Signed-off-by: Qian Cai
+Tested-by: Borislav Petkov
+[ rjw: Subject ]
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+---
+ arch/x86/kernel/acpi/cstate.c | 3 ++-
+ drivers/acpi/processor_throttling.c | 7 -------
+ include/acpi/processor.h | 8 ++++++++
+ 3 files changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/arch/x86/kernel/acpi/cstate.c b/arch/x86/kernel/acpi/cstate.c
+index 158ad1483c435..92539a1c3e317 100644
+--- a/arch/x86/kernel/acpi/cstate.c
++++ b/arch/x86/kernel/acpi/cstate.c
+@@ -133,7 +133,8 @@ int acpi_processor_ffh_cstate_probe(unsigned int cpu,
+
+ /* Make sure we are running on right CPU */
+
+- retval = work_on_cpu(cpu, acpi_processor_ffh_cstate_probe_cpu, cx);
++ retval = call_on_cpu(cpu, acpi_processor_ffh_cstate_probe_cpu, cx,
++ false);
+ if (retval == 0) {
+ /* Use the hint in CST */
+ percpu_entry->states[cx->index].eax = cx->address;
+diff --git a/drivers/acpi/processor_throttling.c b/drivers/acpi/processor_throttling.c
+index fbc936cf2025c..62c0fe9ef4124 100644
+--- a/drivers/acpi/processor_throttling.c
++++ b/drivers/acpi/processor_throttling.c
+@@ -910,13 +910,6 @@ static long __acpi_processor_get_throttling(void *data)
+ return pr->throttling.acpi_processor_get_throttling(pr);
+ }
+
+-static int call_on_cpu(int cpu, long (*fn)(void *), void *arg, bool direct)
+-{
+- if (direct || (is_percpu_thread() && cpu == smp_processor_id()))
+- return fn(arg);
+- return work_on_cpu(cpu, fn, arg);
+-}
+-
+ static int acpi_processor_get_throttling(struct acpi_processor *pr)
+ {
+ if (!pr)
+diff --git a/include/acpi/processor.h b/include/acpi/processor.h
+index 1194a4c78d557..5b9eab15a1e6c 100644
+--- a/include/acpi/processor.h
++++ b/include/acpi/processor.h
+@@ -293,6 +293,14 @@ static inline void acpi_processor_ffh_cstate_enter(struct acpi_processor_cx
+ }
+ #endif
+
++static inline int call_on_cpu(int cpu, long (*fn)(void *), void *arg,
++ bool direct)
++{
++ if (direct || (is_percpu_thread() && cpu == smp_processor_id()))
++ return fn(arg);
++ return work_on_cpu(cpu, fn, arg);
++}
++
+ /* in processor_perflib.c */
+
+ #ifdef CONFIG_CPU_FREQ
+--
+2.20.1
+
diff --git a/queue-4.19/x86-hyper-v-free-hv_panic_page-when-fail-to-register.patch b/queue-4.19/x86-hyper-v-free-hv_panic_page-when-fail-to-register.patch
new file mode 100644
index 00000000000..96d93e04588
--- /dev/null
+++ b/queue-4.19/x86-hyper-v-free-hv_panic_page-when-fail-to-register.patch
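Review bot: `call_on_cpu()` moves into include/acpi/processor.h as a `static inline` but keeps its `int` return type, while both the callback `long (*fn)(void *)` and `work_on_cpu()` yield `long`, so the result is silently narrowed for every includer. Now that the helper is shared it should carry a comment describing `direct`, for example `/* direct: run fn on the calling CPU without checking that it is @cpu */`. The cstate.c call site also passes an `unsigned int cpu` into the `int cpu` parameter, and the generic, unprefixed name is now visible to everything that includes this header, which may be worth an `acpi_` prefix.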
@@ -0,0 +1,52 @@
+From 5129f084461749add1bbea9b0d5c91bf090bf0b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 6 Apr 2020 08:53:27 -0700
+Subject: x86/Hyper-V: Free hv_panic_page when fail to register kmsg dump
+
+From: Tianyu Lan
+
+[ Upstream commit 7f11a2cc10a4ae3a70e2c73361f4a9a33503539b ]
+
+If kmsg_dump_register() fails, hv_panic_page will not be used
+anywhere. So free and reset it.
+
+Fixes: 81b18bce48af ("Drivers: HV: Send one page worth of kmsg dump over Hyper-V during panic")
+Reviewed-by: Michael Kelley
+Signed-off-by: Tianyu Lan
+Link: https://lore.kernel.org/r/20200406155331.2105-3-Tianyu.Lan@microsoft.com
+Signed-off-by: Wei Liu
+Signed-off-by: Sasha Levin
+---
+ drivers/hv/vmbus_drv.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c
+index 5ff7c1708d0e7..dd6d18d918a4b 100644
+--- a/drivers/hv/vmbus_drv.c
++++ b/drivers/hv/vmbus_drv.c
+@@ -1222,9 +1222,13 @@ static int vmbus_bus_init(void)
+ hv_panic_page = (void *)get_zeroed_page(GFP_KERNEL);
+ if (hv_panic_page) {
+ ret = kmsg_dump_register(&hv_kmsg_dumper);
+- if (ret)
++ if (ret) {
+ pr_err("Hyper-V: kmsg dump register "
+ "error 0x%x\n", ret);
++ free_page(
++ (unsigned long)hv_panic_page);
++ hv_panic_page = NULL;
++ }
+ } else
+ pr_err("Hyper-V: panic message page memory "
+ "allocation failed");
+@@ -1252,7 +1256,6 @@ static int vmbus_bus_init(void)
+ hv_remove_vmbus_irq();
+
+ bus_unregister(&hv_bus);
+- free_page((unsigned long)hv_panic_page);
+ unregister_sysctl_table(hv_ctl_table_hdr);
+ hv_ctl_table_hdr = NULL;
+ return ret;
+--
+2.20.1
+
diff --git a/queue-4.19/x86-hyper-v-report-crash-data-in-die-when-panic_on_o.patch b/queue-4.19/x86-hyper-v-report-crash-data-in-die-when-panic_on_o.patch
new file mode 100644
index 00000000000..c6fd69c251d
--- /dev/null
+++ b/queue-4.19/x86-hyper-v-report-crash-data-in-die-when-panic_on_o.patch
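Review bot: The second hunk drops `free_page((unsigned long)hv_panic_page)` from the error exit of `vmbus_bus_init()`, and the labels that lead there are outside the hunk, so it cannot be confirmed from here that no failure path reaches that exit after the page was allocated and the dumper registered. If such a path exists the page would stay allocated with the dumper still pointing at it; a comment at the exit saying that the panic page is only allocated after the last step that can fail would settle the question. In the first hunk the reset `hv_panic_page = NULL` gives the pointer a second meaning, presumably "no kmsg dumper registered", and that is worth recording where it is set, e.g. `/* NULL: no kmsg dumper registered */`.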
@@ -0,0 +1,102 @@
+From 1bbe2c8a192e6aff776f2655d72ab643d7bdd686 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 6 Apr 2020 08:53:31 -0700
+Subject: x86/Hyper-V: Report crash data in die() when panic_on_oops is set
+
+From: Tianyu Lan
+
+[ Upstream commit f3a99e761efa616028b255b4de58e9b5b87c5545 ]
+
+When oops happens with panic_on_oops unset, the oops
+thread is killed by die() and system continues to run.
+In such case, guest should not report crash register
+data to host since system still runs. Check panic_on_oops
+and return directly in hyperv_report_panic() when the function
+is called in the die() and panic_on_oops is unset. Fix it.
+
+Fixes: 7ed4325a44ea ("Drivers: hv: vmbus: Make panic reporting to be more useful")
+Signed-off-by: Tianyu Lan
+Reviewed-by: Michael Kelley
+Link: https://lore.kernel.org/r/20200406155331.2105-7-Tianyu.Lan@microsoft.com
+Signed-off-by: Wei Liu
+Signed-off-by: Sasha Levin
+---
+ arch/x86/hyperv/hv_init.c | 6 +++++-
+ arch/x86/include/asm/mshyperv.h | 2 +-
+ drivers/hv/vmbus_drv.c | 5 +++--
+ 3 files changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/arch/x86/hyperv/hv_init.c b/arch/x86/hyperv/hv_init.c
+index 8a9cff1f129dc..1663ad84778ba 100644
+--- a/arch/x86/hyperv/hv_init.c
++++ b/arch/x86/hyperv/hv_init.c
+@@ -30,6 +30,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+
+ #ifdef CONFIG_HYPERV_TSCPAGE
+@@ -427,11 +428,14 @@ void hyperv_cleanup(void)
+ }
+ EXPORT_SYMBOL_GPL(hyperv_cleanup);
+
+-void hyperv_report_panic(struct pt_regs *regs, long err)
++void hyperv_report_panic(struct pt_regs *regs, long err, bool in_die)
+ {
+ static bool panic_reported;
+ u64 guest_id;
+
++ if (in_die && !panic_on_oops)
++ return;
++
+ /*
+ * We prefer to report panic on 'die' chain as we have proper
+ * registers to report, but if we miss it (e.g. on BUG()) we need
+diff --git a/arch/x86/include/asm/mshyperv.h b/arch/x86/include/asm/mshyperv.h
+index f37704497d8f3..5b58a6cf487ff 100644
+--- a/arch/x86/include/asm/mshyperv.h
++++ b/arch/x86/include/asm/mshyperv.h
+@@ -338,7 +338,7 @@ static inline int cpumask_to_vpset(struct hv_vpset *vpset,
+
+ void __init hyperv_init(void);
+ void hyperv_setup_mmu_ops(void);
+-void hyperv_report_panic(struct pt_regs *regs, long err);
++void hyperv_report_panic(struct pt_regs *regs, long err, bool in_die);
+ void hyperv_report_panic_msg(phys_addr_t pa, size_t size);
+ bool hv_is_hyperv_initialized(void);
+ void hyperv_cleanup(void);
+diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c
+index eacfe7933c4dd..fb22b72fd535a 100644
+--- a/drivers/hv/vmbus_drv.c
++++ b/drivers/hv/vmbus_drv.c
+@@ -43,6 +43,7 @@
+ #include
+ #include
+ #include
++#include
+ #include "hyperv_vmbus.h"
+
+ struct vmbus_dynid {
+@@ -85,7 +86,7 @@ static int hyperv_panic_event(struct notifier_block *nb, unsigned long val,
+ if (ms_hyperv.misc_features & HV_FEATURE_GUEST_CRASH_MSR_AVAILABLE
+ && hyperv_report_reg()) {
+ regs = current_pt_regs();
+- hyperv_report_panic(regs, val);
++ hyperv_report_panic(regs, val, false);
+ }
+ return NOTIFY_DONE;
+ }
+@@ -102,7 +103,7 @@ static int hyperv_die_event(struct notifier_block *nb, unsigned long val,
+ * the notification here.
+ */
+ if (hyperv_report_reg())
+- hyperv_report_panic(regs, val);
++ hyperv_report_panic(regs, val, true);
+ return NOTIFY_DONE;
+ }
+
+--
+2.20.1
+
diff --git a/queue-4.19/x86-hyper-v-report-crash-register-data-when-sysctl_r.patch b/queue-4.19/x86-hyper-v-report-crash-register-data-when-sysctl_r.patch
new file mode 100644
index 00000000000..b3c4b415f4f
--- /dev/null
+++ b/queue-4.19/x86-hyper-v-report-crash-register-data-when-sysctl_r.patch
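Review bot: The new `bool in_die` parameter of `hyperv_report_panic()` is passed as a bare `false` and `true` at the two call sites in drivers/hv/vmbus_drv.c, which cannot be read without the prototype at hand. A comment above the definition in arch/x86/hyperv/hv_init.c would document it, for example `/* @in_die: called from the die notifier; report only when panic_on_oops is set */`. Because the prototype in mshyperv.h changes, any caller in the 4.19 tree that this patch does not touch would stop building, so the backport is worth a tree-wide search for the function name before it is queued.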
@@ -0,0 +1,82 @@
+From b6884069b54b727c7f3cd0f212f42b081abc21e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 6 Apr 2020 08:53:30 -0700
+Subject: x86/Hyper-V: Report crash register data when sysctl_record_panic_msg
+ is not set
+
+From: Tianyu Lan
+
+[ Upstream commit 040026df7088c56ccbad28f7042308f67bde63df ]
+
+When sysctl_record_panic_msg is not set, the panic will
+not be reported to Hyper-V via hyperv_report_panic_msg().
+So the crash should be reported via hyperv_report_panic().
+
+Fixes: 81b18bce48af ("Drivers: HV: Send one page worth of kmsg dump over Hyper-V during panic")
+Reviewed-by: Michael Kelley
+Signed-off-by: Tianyu Lan
+Link: https://lore.kernel.org/r/20200406155331.2105-6-Tianyu.Lan@microsoft.com
+Signed-off-by: Wei Liu
+Signed-off-by: Sasha Levin
+---
+ drivers/hv/vmbus_drv.c | 23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c
+index 6469e1f2c4ae0..eacfe7933c4dd 100644
+--- a/drivers/hv/vmbus_drv.c
++++ b/drivers/hv/vmbus_drv.c
+@@ -58,6 +58,18 @@ static int hyperv_cpuhp_online;
+
+ static void *hv_panic_page;
+
++/*
++ * Boolean to control whether to report panic messages over Hyper-V.
++ *
++ * It can be set via /proc/sys/kernel/hyperv/record_panic_msg
++ */
++static int sysctl_record_panic_msg = 1;
++
++static int hyperv_report_reg(void)
++{
++ return !sysctl_record_panic_msg || !hv_panic_page;
++}
++
+ static int hyperv_panic_event(struct notifier_block *nb, unsigned long val,
+ void *args)
+ {
+@@ -71,7 +83,7 @@ static int hyperv_panic_event(struct notifier_block *nb, unsigned long val,
+ * the notification here.
+ */
+ if (ms_hyperv.misc_features & HV_FEATURE_GUEST_CRASH_MSR_AVAILABLE
+- && !hv_panic_page) {
++ && hyperv_report_reg()) {
+ regs = current_pt_regs();
+ hyperv_report_panic(regs, val);
+ }
+@@ -89,7 +101,7 @@ static int hyperv_die_event(struct notifier_block *nb, unsigned long val,
+ * doing hyperv_report_panic_msg() later with kmsg data, don't do
+ * the notification here.
+ */
+- if (!hv_panic_page)
++ if (hyperv_report_reg())
+ hyperv_report_panic(regs, val);
+ return NOTIFY_DONE;
+ }
+@@ -1103,13 +1115,6 @@ static void vmbus_isr(void)
+ add_interrupt_randomness(HYPERVISOR_CALLBACK_VECTOR, 0);
+ }
+
+-/*
+- * Boolean to control whether to report panic messages over Hyper-V.
+- *
+- * It can be set via /proc/sys/kernel/hyperv/record_panic_msg
+- */
+-static int sysctl_record_panic_msg = 1;
+-
+ /*
+ * Callback from kmsg_dump. Grab as much as possible from the end of the kmsg
+ * buffer and call into Hyper-V to transfer the data.
+--
+2.20.1
+
diff --git a/queue-4.19/x86-hyper-v-trigger-crash-enlightenment-only-once-du.patch b/queue-4.19/x86-hyper-v-trigger-crash-enlightenment-only-once-du.patch
new file mode 100644
index 00000000000..5d7a0724a74
--- /dev/null
+++ b/queue-4.19/x86-hyper-v-trigger-crash-enlightenment-only-once-du.patch
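Review bot: `hyperv_report_reg()` is declared `static int` although it returns a truth value and is only used as a condition in the visible hunks; `static bool hyperv_report_reg(void)` states the intent. `sysctl_record_panic_msg` is writable at run time through the sysctl named in the moved comment, and the helper samples it in the panic and die notifiers while the kmsg dump callback (outside these hunks) presumably reads it again later, so a change in between could leave the panic reported twice or not at all. A comment on the helper would make the contract explicit, e.g. `/* true when the kmsg path will not report, so register data must be sent */`.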
@@ -0,0 +1,67 @@
+From fa9553b0d90497b8a941e9f992878fac001da557 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 6 Apr 2020 08:53:28 -0700
+Subject: x86/Hyper-V: Trigger crash enlightenment only once during system
+ crash.
+
+From: Tianyu Lan
+
+[ Upstream commit 73f26e526f19afb3a06b76b970a76bcac2cafd05 ]
+
+When a guest VM panics, Hyper-V should be notified only once via the
+crash synthetic MSRs. Current Linux code might write these crash MSRs
+twice during a system panic:
+1) hyperv_panic/die_event() calling hyperv_report_panic()
+2) hv_kmsg_dump() calling hyperv_report_panic_msg()
+
+Fix this by not calling hyperv_report_panic() if a kmsg dump has been
+successfully registered. The notification will happen later via
+hyperv_report_panic_msg().
+
+Fixes: 7ed4325a44ea ("Drivers: hv: vmbus: Make panic reporting to be more useful")
+Reviewed-by: Michael Kelley
+Signed-off-by: Tianyu Lan
+Link: https://lore.kernel.org/r/20200406155331.2105-4-Tianyu.Lan@microsoft.com
+Signed-off-by: Wei Liu
+Signed-off-by: Sasha Levin
+---
+ drivers/hv/vmbus_drv.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c
+index dd6d18d918a4b..6469e1f2c4ae0 100644
+--- a/drivers/hv/vmbus_drv.c
++++ b/drivers/hv/vmbus_drv.c
+@@ -65,7 +65,13 @@ static int hyperv_panic_event(struct notifier_block *nb, unsigned long val,
+
+ vmbus_initiate_unload(true);
+
+- if (ms_hyperv.misc_features & HV_FEATURE_GUEST_CRASH_MSR_AVAILABLE) {
++ /*
++ * Hyper-V should be notified only once about a panic. If we will be
++ * doing hyperv_report_panic_msg() later with kmsg data, don't do
++ * the notification here.
++ */
++ if (ms_hyperv.misc_features & HV_FEATURE_GUEST_CRASH_MSR_AVAILABLE
++ && !hv_panic_page) {
+ regs = current_pt_regs();
+ hyperv_report_panic(regs, val);
+ }
+@@ -78,7 +84,13 @@ static int hyperv_die_event(struct notifier_block *nb, unsigned long val,
+ struct die_args *die = (struct die_args *)args;
+ struct pt_regs *regs = die->regs;
+
+- hyperv_report_panic(regs, val);
++ /*
++ * Hyper-V should be notified only once about a panic. If we will be
++ * doing hyperv_report_panic_msg() later with kmsg data, don't do
++ * the notification here.
++ */
++ if (!hv_panic_page)
++ hyperv_report_panic(regs, val);
+ return NOTIFY_DONE;
+ }
+
+--
+2.20.1
+
diff --git a/queue-4.19/x86-hyper-v-unload-vmbus-channel-in-hv-panic-callbac.patch b/queue-4.19/x86-hyper-v-unload-vmbus-channel-in-hv-panic-callbac.patch
new file mode 100644
index 00000000000..01be0084863
--- /dev/null
+++ b/queue-4.19/x86-hyper-v-unload-vmbus-channel-in-hv-panic-callbac.patch
@@ -0,0 +1,106 @@
+From b6092bae40c5e5e0cc4236c0ff87a128b86534ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 6 Apr 2020 08:53:26 -0700
+Subject: x86/Hyper-V: Unload vmbus channel in hv panic callback
+
+From: Tianyu Lan
+
+[ Upstream commit 74347a99e73ae00b8385f1209aaea193c670f901 ]
+
+When kdump is not configured, a Hyper-V VM might still respond to
+network traffic after a kernel panic when kernel parameter panic=0.
+The panic CPU goes into an infinite loop with interrupts enabled,
+and the VMbus driver interrupt handler still works because the
+VMbus connection is unloaded only in the kdump path. The network
+responses make the other end of the connection think the VM is
+still functional even though it has panic'ed, which could affect any
+failover actions that should be taken.
+
+Fix this by unloading the VMbus connection during the panic process.
+vmbus_initiate_unload() could then be called twice (e.g., by
+hyperv_panic_event() and hv_crash_handler(), so reset the connection
+state in vmbus_initiate_unload() to ensure the unload is done only
+once.
+
+Fixes: 81b18bce48af ("Drivers: HV: Send one page worth of kmsg dump over Hyper-V during panic")
+Reviewed-by: Michael Kelley
+Signed-off-by: Tianyu Lan
+Link: https://lore.kernel.org/r/20200406155331.2105-2-Tianyu.Lan@microsoft.com
+Signed-off-by: Wei Liu
+Signed-off-by: Sasha Levin
+---
+ drivers/hv/channel_mgmt.c | 3 +++
+ drivers/hv/vmbus_drv.c | 19 +++++++++++++------
+ 2 files changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/hv/channel_mgmt.c b/drivers/hv/channel_mgmt.c
+index 16eb9b3f1cb1b..3bf1f9ef8ea25 100644
+--- a/drivers/hv/channel_mgmt.c
++++ b/drivers/hv/channel_mgmt.c
+@@ -849,6 +849,9 @@ void vmbus_initiate_unload(bool crash)
+ {
+ struct vmbus_channel_message_header hdr;
+
++ if (xchg(&vmbus_connection.conn_state, DISCONNECTED) == DISCONNECTED)
++ return;
++
+ /* Pre-Win2012R2 hosts don't support reconnect */
+ if (vmbus_proto_version < VERSION_WIN8_1)
+ return;
+diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c
+index 9aa18f387a346..5ff7c1708d0e7 100644
+--- a/drivers/hv/vmbus_drv.c
++++ b/drivers/hv/vmbus_drv.c
+@@ -63,9 +63,12 @@ static int hyperv_panic_event(struct notifier_block *nb, unsigned long val,
+ {
+ struct pt_regs *regs;
+
+- regs = current_pt_regs();
++ vmbus_initiate_unload(true);
+
+- hyperv_report_panic(regs, val);
++ if (ms_hyperv.misc_features & HV_FEATURE_GUEST_CRASH_MSR_AVAILABLE) {
++ regs = current_pt_regs();
++ hyperv_report_panic(regs, val);
++ }
+ return NOTIFY_DONE;
+ }
+
+@@ -1228,10 +1231,16 @@ static int vmbus_bus_init(void)
+ }
+
+ register_die_notifier(&hyperv_die_block);
+- atomic_notifier_chain_register(&panic_notifier_list,
+- &hyperv_panic_block);
+ }
+
++ /*
++ * Always register the panic notifier because we need to unload
++ * the VMbus channel connection to prevent any VMbus
++ * activity after the VM panics.
++ */
++ atomic_notifier_chain_register(&panic_notifier_list,
++ &hyperv_panic_block);
++
+ vmbus_request_offers();
+
+ return 0;
+@@ -1875,7 +1884,6 @@ static void hv_kexec_handler(void)
+ {
+ hv_synic_clockevents_cleanup();
+ vmbus_initiate_unload(false);
+- vmbus_connection.conn_state = DISCONNECTED;
+ /* Make sure conn_state is set as hv_synic_cleanup checks for it */
+ mb();
+ cpuhp_remove_state(hyperv_cpuhp_online);
+@@ -1890,7 +1898,6 @@ static void hv_crash_handler(struct pt_regs *regs)
+ * doing the cleanup for current CPU only. This should be sufficient
+ * for kdump.
+ */
+- vmbus_connection.conn_state = DISCONNECTED;
+ hv_synic_cleanup(smp_processor_id());
+ hyperv_cleanup();
+ };
+--
+2.20.1
+
diff --git a/queue-4.19/xsk-add-missing-check-on-user-supplied-headroom-size.patch b/queue-4.19/xsk-add-missing-check-on-user-supplied-headroom-size.patch
new file mode 100644
index 00000000000..c3312171608
--- /dev/null
+++ b/queue-4.19/xsk-add-missing-check-on-user-supplied-headroom-size.patch
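Review bot: The `vmbus_bus_init()` hunk moves `atomic_notifier_chain_register(&panic_notifier_list, &hyperv_panic_block)` out of the feature-conditional block, but the patch contains no matching change on the unregister side. If the driver's exit path (not shown) still removes the panic notifier only under the `HV_FEATURE_GUEST_CRASH_MSR_AVAILABLE` condition, then on hosts without that feature the notifier stays on the chain after the module is unloaded and the chain holds a pointer into freed module text. The unregister call should be made unconditional as well: `atomic_notifier_chain_unregister(&panic_notifier_list, &hyperv_panic_block);`. In `hv_kexec_handler()` the retained comment "Make sure conn_state is set..." now refers to a store performed inside `vmbus_initiate_unload()` and should say so.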
@@ -0,0 +1,53 @@
+From ccfa5a62de387e2a28d5dbbe6e46b418c0580ac0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 14 Apr 2020 09:35:15 +0200
+Subject: xsk: Add missing check on user supplied headroom size
+
+From: Magnus Karlsson
+
+[ Upstream commit 99e3a236dd43d06c65af0a2ef9cb44306aef6e02 ]
+
+Add a check that the headroom cannot be larger than the available
+space in the chunk. In the current code, a malicious user can set the
+headroom to a value larger than the chunk size minus the fixed XDP
+headroom. That way packets with a length larger than the supported
+size in the umem could get accepted and result in an out-of-bounds
+write.
+
+Fixes: c0c77d8fb787 ("xsk: add user memory registration support sockopt")
+Reported-by: Bui Quang Minh
+Signed-off-by: Magnus Karlsson
+Signed-off-by: Daniel Borkmann
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=207225
+Link: https://lore.kernel.org/bpf/1586849715-23490-1-git-send-email-magnus.karlsson@intel.com
+Signed-off-by: Sasha Levin
+---
+ net/xdp/xdp_umem.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/net/xdp/xdp_umem.c b/net/xdp/xdp_umem.c
+index 556a649512b60..706fad12f22cf 100644
+--- a/net/xdp/xdp_umem.c
++++ b/net/xdp/xdp_umem.c
+@@ -260,7 +260,7 @@ static int xdp_umem_reg(struct xdp_umem *umem, struct xdp_umem_reg *mr)
+ u32 chunk_size = mr->chunk_size, headroom = mr->headroom;
+ unsigned int chunks, chunks_per_page;
+ u64 addr = mr->addr, size = mr->len;
+- int size_chk, err, i;
++ int err, i;
+
+ if (chunk_size < XDP_UMEM_MIN_CHUNK_SIZE || chunk_size > PAGE_SIZE) {
+ /* Strictly speaking we could support this, if:
+@@ -295,8 +295,7 @@ static int xdp_umem_reg(struct xdp_umem *umem, struct xdp_umem_reg *mr)
+
+ headroom = ALIGN(headroom, 64);
+
+- size_chk = chunk_size - headroom - XDP_PACKET_HEADROOM;
+- if (size_chk < 0)
++ if (headroom >= chunk_size - XDP_PACKET_HEADROOM)
+ return -EINVAL;
+
+ umem->address = (unsigned long)addr;
+--
+2.20.1
+
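Review bot: The new bound `headroom >= chunk_size - XDP_PACKET_HEADROOM` in `xdp_umem_reg()` is evaluated on `u32` values after `headroom = ALIGN(headroom, 64)`, so a user-supplied headroom near the top of the 32-bit range wraps to 0 in the alignment step and is accepted instead of rejected. That is harmless only if everything after the hunk uses the aligned local and never `mr->headroom`; the remainder of the function is outside the hunk. An extra rejection of the raw value ahead of the `ALIGN()` would close the wrap case while keeping the existing post-alignment check. The subtraction also relies on the earlier `chunk_size < XDP_UMEM_MIN_CHUNK_SIZE` rejection to avoid unsigned underflow, which deserves a comment such as `/* chunk_size was bounded below above, so this cannot underflow */`.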