From: Sasha Levin Date: Mon, 27 Sep 2021 05:02:47 +0000 (-0400) Subject: Fixes for 4.19 X-Git-Tag: v5.4.150~26 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=883fdd9906a996e7e5059fd82c0765a4e295c688;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/alpha-declare-virt_to_phys-and-virt_to_bus-parameter.patch b/queue-4.19/alpha-declare-virt_to_phys-and-virt_to_bus-parameter.patch new file mode 100644 index 00000000000..7070b151ce0 --- /dev/null +++ b/queue-4.19/alpha-declare-virt_to_phys-and-virt_to_bus-parameter.patch @@ -0,0 +1,69 @@ +From fb36e245ce9a9c9582e220dd0a89ea11deabd56a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Sep 2021 22:00:33 -0700 +Subject: alpha: Declare virt_to_phys and virt_to_bus parameter as pointer to + volatile + +From: Guenter Roeck + +[ Upstream commit 35a3f4ef0ab543daa1725b0c963eb8c05e3376f8 ] + +Some drivers pass a pointer to volatile data to virt_to_bus() and +virt_to_phys(), and that works fine. One exception is alpha. This +results in a number of compile errors such as + + drivers/net/wan/lmc/lmc_main.c: In function 'lmc_softreset': + drivers/net/wan/lmc/lmc_main.c:1782:50: error: + passing argument 1 of 'virt_to_bus' discards 'volatile' + qualifier from pointer target type + + drivers/atm/ambassador.c: In function 'do_loader_command': + drivers/atm/ambassador.c:1747:58: error: + passing argument 1 of 'virt_to_bus' discards 'volatile' + qualifier from pointer target type + +Declare the parameter of virt_to_phys and virt_to_bus as pointer to +volatile to fix the problem. + +Signed-off-by: Guenter Roeck +Acked-by: Arnd Bergmann +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + arch/alpha/include/asm/io.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/alpha/include/asm/io.h b/arch/alpha/include/asm/io.h +index 0bba9e991189..d4eab4f20249 100644 +--- a/arch/alpha/include/asm/io.h ++++ b/arch/alpha/include/asm/io.h +@@ -61,7 +61,7 @@ extern inline void set_hae(unsigned long new_hae) + * Change virtual addresses to physical addresses and vv. + */ + #ifdef USE_48_BIT_KSEG +-static inline unsigned long virt_to_phys(void *address) ++static inline unsigned long virt_to_phys(volatile void *address) + { + return (unsigned long)address - IDENT_ADDR; + } +@@ -71,7 +71,7 @@ static inline void * phys_to_virt(unsigned long address) + return (void *) (address + IDENT_ADDR); + } + #else +-static inline unsigned long virt_to_phys(void *address) ++static inline unsigned long virt_to_phys(volatile void *address) + { + unsigned long phys = (unsigned long)address; + +@@ -112,7 +112,7 @@ static inline dma_addr_t __deprecated isa_page_to_bus(struct page *page) + extern unsigned long __direct_map_base; + extern unsigned long __direct_map_size; + +-static inline unsigned long __deprecated virt_to_bus(void *address) ++static inline unsigned long __deprecated virt_to_bus(volatile void *address) + { + unsigned long phys = virt_to_phys(address); + unsigned long bus = phys + __direct_map_base; +-- +2.33.0 + diff --git a/queue-4.19/arm64-mark-__stack_chk_guard-as-__ro_after_init.patch b/queue-4.19/arm64-mark-__stack_chk_guard-as-__ro_after_init.patch new file mode 100644 index 00000000000..d563d9521b5 --- /dev/null +++ b/queue-4.19/arm64-mark-__stack_chk_guard-as-__ro_after_init.patch @@ -0,0 +1,42 @@ +From 5c80e65f6b83f82a847b537edd2d51269c22aa62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Sep 2021 17:44:02 +0800 +Subject: arm64: Mark __stack_chk_guard as __ro_after_init + +From: Dan Li + +[ Upstream commit 9fcb2e93f41c07a400885325e7dbdfceba6efaec ] + +__stack_chk_guard is setup once while init stage and never changed +after that. + +Although the modification of this variable at runtime will usually +cause the kernel to crash (so does the attacker), it should be marked +as __ro_after_init, and it should not affect performance if it is +placed in the ro_after_init section. + +Signed-off-by: Dan Li +Acked-by: Mark Rutland +Link: https://lore.kernel.org/r/1631612642-102881-1-git-send-email-ashimida@linux.alibaba.com +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/process.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/kernel/process.c b/arch/arm64/kernel/process.c +index d6a49bb07a5f..1945b8096a06 100644 +--- a/arch/arm64/kernel/process.c ++++ b/arch/arm64/kernel/process.c +@@ -61,7 +61,7 @@ + + #ifdef CONFIG_STACKPROTECTOR + #include +-unsigned long __stack_chk_guard __read_mostly; ++unsigned long __stack_chk_guard __ro_after_init; + EXPORT_SYMBOL(__stack_chk_guard); + #endif + +-- +2.33.0 + diff --git a/queue-4.19/blktrace-fix-uaf-in-blk_trace-access-after-removing-.patch b/queue-4.19/blktrace-fix-uaf-in-blk_trace-access-after-removing-.patch new file mode 100644 index 00000000000..cd31b074308 --- /dev/null +++ b/queue-4.19/blktrace-fix-uaf-in-blk_trace-access-after-removing-.patch @@ -0,0 +1,93 @@ +From 15fa429b07d485e84444c3165f4e5aa4ee6f802b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Sep 2021 21:49:21 +0800 +Subject: blktrace: Fix uaf in blk_trace access after removing by sysfs + +From: Zhihao Cheng + +[ Upstream commit 5afedf670caf30a2b5a52da96eb7eac7dee6a9c9 ] + +There is an use-after-free problem triggered by following process: + + P1(sda) P2(sdb) + echo 0 > /sys/block/sdb/trace/enable + blk_trace_remove_queue + synchronize_rcu + blk_trace_free + relay_close +rcu_read_lock +__blk_add_trace + trace_note_tsk + (Iterate running_trace_list) + relay_close_buf + relay_destroy_buf + kfree(buf) + trace_note(sdb's bt) + relay_reserve + buf->offset <- nullptr deference (use-after-free) !!! +rcu_read_unlock + +[ 502.714379] BUG: kernel NULL pointer dereference, address: +0000000000000010 +[ 502.715260] #PF: supervisor read access in kernel mode +[ 502.715903] #PF: error_code(0x0000) - not-present page +[ 502.716546] PGD 103984067 P4D 103984067 PUD 17592b067 PMD 0 +[ 502.717252] Oops: 0000 [#1] SMP +[ 502.720308] RIP: 0010:trace_note.isra.0+0x86/0x360 +[ 502.732872] Call Trace: +[ 502.733193] __blk_add_trace.cold+0x137/0x1a3 +[ 502.733734] blk_add_trace_rq+0x7b/0xd0 +[ 502.734207] blk_add_trace_rq_issue+0x54/0xa0 +[ 502.734755] blk_mq_start_request+0xde/0x1b0 +[ 502.735287] scsi_queue_rq+0x528/0x1140 +... +[ 502.742704] sg_new_write.isra.0+0x16e/0x3e0 +[ 502.747501] sg_ioctl+0x466/0x1100 + +Reproduce method: + ioctl(/dev/sda, BLKTRACESETUP, blk_user_trace_setup[buf_size=127]) + ioctl(/dev/sda, BLKTRACESTART) + ioctl(/dev/sdb, BLKTRACESETUP, blk_user_trace_setup[buf_size=127]) + ioctl(/dev/sdb, BLKTRACESTART) + + echo 0 > /sys/block/sdb/trace/enable & + // Add delay(mdelay/msleep) before kernel enters blk_trace_free() + + ioctl$SG_IO(/dev/sda, SG_IO, ...) + // Enters trace_note_tsk() after blk_trace_free() returned + // Use mdelay in rcu region rather than msleep(which may schedule out) + +Remove blk_trace from running_list before calling blk_trace_free() by +sysfs if blk_trace is at Blktrace_running state. + +Fixes: c71a896154119f ("blktrace: add ftrace plugin") +Signed-off-by: Zhihao Cheng +Link: https://lore.kernel.org/r/20210923134921.109194-1-chengzhihao1@huawei.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + kernel/trace/blktrace.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c +index 645048bb1e86..75ea1a5be31a 100644 +--- a/kernel/trace/blktrace.c ++++ b/kernel/trace/blktrace.c +@@ -1661,6 +1661,14 @@ static int blk_trace_remove_queue(struct request_queue *q) + if (bt == NULL) + return -EINVAL; + ++ if (bt->trace_state == Blktrace_running) { ++ bt->trace_state = Blktrace_stopped; ++ spin_lock_irq(&running_trace_lock); ++ list_del_init(&bt->running_list); ++ spin_unlock_irq(&running_trace_lock); ++ relay_flush(bt->rchan); ++ } ++ + put_probe_ref(); + synchronize_rcu(); + blk_trace_free(bt); +-- +2.33.0 + diff --git a/queue-4.19/compiler.h-introduce-absolute_pointer-macro.patch b/queue-4.19/compiler.h-introduce-absolute_pointer-macro.patch new file mode 100644 index 00000000000..de4ece1aca3 --- /dev/null +++ b/queue-4.19/compiler.h-introduce-absolute_pointer-macro.patch @@ -0,0 +1,44 @@ +From 19a35951428f872e49c200beb1c3100f9421ea26 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Sep 2021 20:52:24 -0700 +Subject: compiler.h: Introduce absolute_pointer macro + +From: Guenter Roeck + +[ Upstream commit f6b5f1a56987de837f8e25cd560847106b8632a8 ] + +absolute_pointer() disassociates a pointer from its originating symbol +type and context. Use it to prevent compiler warnings/errors such as + + drivers/net/ethernet/i825xx/82596.c: In function 'i82596_probe': + arch/m68k/include/asm/string.h:72:25: error: + '__builtin_memcpy' reading 6 bytes from a region of size 0 [-Werror=stringop-overread] + +Such warnings may be reported by gcc 11.x for string and memory +operations on fixed addresses. + +Suggested-by: Linus Torvalds +Signed-off-by: Guenter Roeck +Reviewed-by: Geert Uytterhoeven +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/linux/compiler.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/include/linux/compiler.h b/include/linux/compiler.h +index 6a53300cbd1e..ab9dfb14f486 100644 +--- a/include/linux/compiler.h ++++ b/include/linux/compiler.h +@@ -228,6 +228,8 @@ void ftrace_likely_update(struct ftrace_likely_data *f, int val, + (typeof(ptr)) (__ptr + (off)); }) + #endif + ++#define absolute_pointer(val) RELOC_HIDE((void *)(val), 0) ++ + #ifndef OPTIMIZER_HIDE_VAR + /* Make the optimizer believe the variable can be manipulated arbitrarily. */ + #define OPTIMIZER_HIDE_VAR(var) \ +-- +2.33.0 + diff --git a/queue-4.19/fpga-machxo2-spi-fix-missing-error-code-in-machxo2_w.patch b/queue-4.19/fpga-machxo2-spi-fix-missing-error-code-in-machxo2_w.patch new file mode 100644 index 00000000000..41a3a143759 --- /dev/null +++ b/queue-4.19/fpga-machxo2-spi-fix-missing-error-code-in-machxo2_w.patch @@ -0,0 +1,42 @@ +From d557d6deda3e0a1e6c48c95f03c329bca7af4de6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Aug 2021 14:40:42 +0800 +Subject: fpga: machxo2-spi: Fix missing error code in machxo2_write_complete() + +From: Jiapeng Chong + +[ Upstream commit a1e4470823d99e75b596748086e120dea169ed3c ] + +The error code is missing in this code scenario, add the error code +'-EINVAL' to the return value 'ret'. + +Eliminate the follow smatch warning: + +drivers/fpga/machxo2-spi.c:341 machxo2_write_complete() + warn: missing error code 'ret'. + +[mdf@kernel.org: Reworded commit message] +Fixes: 88fb3a002330 ("fpga: lattice machxo2: Add Lattice MachXO2 support") +Reported-by: Abaci Robot +Signed-off-by: Jiapeng Chong +Signed-off-by: Moritz Fischer +Signed-off-by: Sasha Levin +--- + drivers/fpga/machxo2-spi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/fpga/machxo2-spi.c b/drivers/fpga/machxo2-spi.c +index e3cbd7ff9dc9..fa76239f979b 100644 +--- a/drivers/fpga/machxo2-spi.c ++++ b/drivers/fpga/machxo2-spi.c +@@ -334,6 +334,7 @@ static int machxo2_write_complete(struct fpga_manager *mgr, + break; + if (++refreshloop == MACHXO2_MAX_REFRESH_LOOP) { + machxo2_cleanup(mgr); ++ ret = -EINVAL; + goto fail; + } + } while (1); +-- +2.33.0 + diff --git a/queue-4.19/fpga-machxo2-spi-return-an-error-on-failure.patch b/queue-4.19/fpga-machxo2-spi-return-an-error-on-failure.patch new file mode 100644 index 00000000000..9595924e8b8 --- /dev/null +++ b/queue-4.19/fpga-machxo2-spi-return-an-error-on-failure.patch @@ -0,0 +1,56 @@ +From 9b85a0ab4dac4032da887c6563764affcc1d5b0e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Aug 2021 09:40:36 -0700 +Subject: fpga: machxo2-spi: Return an error on failure + +From: Tom Rix + +[ Upstream commit 34331739e19fd6a293d488add28832ad49c9fc54 ] + +Earlier successes leave 'ret' in a non error state, so these errors are +not reported. Set ret to -EINVAL before going to the error handler. + +This addresses two issues reported by smatch: +drivers/fpga/machxo2-spi.c:229 machxo2_write_init() + warn: missing error code 'ret' + +drivers/fpga/machxo2-spi.c:316 machxo2_write_complete() + warn: missing error code 'ret' + +[mdf@kernel.org: Reworded commit message] +Fixes: 88fb3a002330 ("fpga: lattice machxo2: Add Lattice MachXO2 support") +Reported-by: Dan Carpenter +Signed-off-by: Tom Rix +Signed-off-by: Moritz Fischer +Signed-off-by: Sasha Levin +--- + drivers/fpga/machxo2-spi.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/fpga/machxo2-spi.c b/drivers/fpga/machxo2-spi.c +index a582e0000c97..e3cbd7ff9dc9 100644 +--- a/drivers/fpga/machxo2-spi.c ++++ b/drivers/fpga/machxo2-spi.c +@@ -223,8 +223,10 @@ static int machxo2_write_init(struct fpga_manager *mgr, + goto fail; + + get_status(spi, &status); +- if (test_bit(FAIL, &status)) ++ if (test_bit(FAIL, &status)) { ++ ret = -EINVAL; + goto fail; ++ } + dump_status_reg(&status); + + spi_message_init(&msg); +@@ -310,6 +312,7 @@ static int machxo2_write_complete(struct fpga_manager *mgr, + dump_status_reg(&status); + if (!test_bit(DONE, &status)) { + machxo2_cleanup(mgr); ++ ret = -EINVAL; + goto fail; + } + +-- +2.33.0 + diff --git a/queue-4.19/irqchip-gic-v3-its-fix-potential-vpe-leak-on-error.patch b/queue-4.19/irqchip-gic-v3-its-fix-potential-vpe-leak-on-error.patch new file mode 100644 index 00000000000..6190eb4d6a6 --- /dev/null +++ b/queue-4.19/irqchip-gic-v3-its-fix-potential-vpe-leak-on-error.patch @@ -0,0 +1,41 @@ +From af9c123a44cefc2999fdd7a9e0389a772d10411c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Sep 2021 10:20:55 +0800 +Subject: irqchip/gic-v3-its: Fix potential VPE leak on error + +From: Kaige Fu + +[ Upstream commit 280bef512933b2dda01d681d8cbe499b98fc5bdd ] + +In its_vpe_irq_domain_alloc, when its_vpe_init() returns an error, +there is an off-by-one in the number of VPEs to be freed. + +Fix it by simply passing the number of VPEs allocated, which is the +index of the loop iterating over the VPEs. + +Fixes: 7d75bbb4bc1a ("irqchip/gic-v3-its: Add VPE irq domain allocation/teardown") +Signed-off-by: Kaige Fu +[maz: fixed commit message] +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/d9e36dee512e63670287ed9eff884a5d8d6d27f2.1631672311.git.kaige.fu@linux.alibaba.com +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-gic-v3-its.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c +index cd58c123f547..b55dff1aa50b 100644 +--- a/drivers/irqchip/irq-gic-v3-its.c ++++ b/drivers/irqchip/irq-gic-v3-its.c +@@ -2996,7 +2996,7 @@ static int its_vpe_irq_domain_alloc(struct irq_domain *domain, unsigned int virq + + if (err) { + if (i > 0) +- its_vpe_irq_domain_free(domain, virq, i - 1); ++ its_vpe_irq_domain_free(domain, virq, i); + + its_lpi_free(bitmap, base, nr_ids); + its_free_prop_table(vprop_page); +-- +2.33.0 + diff --git a/queue-4.19/irqchip-goldfish-pic-select-generic_irq_chip-to-fix-.patch b/queue-4.19/irqchip-goldfish-pic-select-generic_irq_chip-to-fix-.patch new file mode 100644 index 00000000000..a5a987dc63c --- /dev/null +++ b/queue-4.19/irqchip-goldfish-pic-select-generic_irq_chip-to-fix-.patch @@ -0,0 +1,55 @@ +From 9074e7e982df002fdae8e62964ae1d01cf605780 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Sep 2021 09:25:19 -0700 +Subject: irqchip/goldfish-pic: Select GENERIC_IRQ_CHIP to fix build + +From: Randy Dunlap + +[ Upstream commit 969ac78db78c723a24e9410666b457cc1b0cb3c3 ] + +irq-goldfish-pic uses GENERIC_IRQ_CHIP interfaces so select that symbol +to fix build errors. + +Fixes these build errors: + +mips-linux-ld: drivers/irqchip/irq-goldfish-pic.o: in function `goldfish_pic_of_init': +irq-goldfish-pic.c:(.init.text+0xc0): undefined reference to `irq_alloc_generic_chip' +mips-linux-ld: irq-goldfish-pic.c:(.init.text+0xf4): undefined reference to `irq_gc_unmask_enable_reg' +mips-linux-ld: irq-goldfish-pic.c:(.init.text+0xf8): undefined reference to `irq_gc_unmask_enable_reg' +mips-linux-ld: irq-goldfish-pic.c:(.init.text+0x100): undefined reference to `irq_gc_mask_disable_reg' +mips-linux-ld: irq-goldfish-pic.c:(.init.text+0x104): undefined reference to `irq_gc_mask_disable_reg' +mips-linux-ld: irq-goldfish-pic.c:(.init.text+0x11c): undefined reference to `irq_setup_generic_chip' +mips-linux-ld: irq-goldfish-pic.c:(.init.text+0x168): undefined reference to `irq_remove_generic_chip' + +Fixes: 4235ff50cf98 ("irqchip/irq-goldfish-pic: Add Goldfish PIC driver") +Signed-off-by: Randy Dunlap +Reported-by: kernel test robot +Cc: Miodrag Dinic +Cc: Geert Uytterhoeven +Cc: Bartosz Golaszewski +Cc: Thomas Gleixner +Cc: Marc Zyngier +Cc: Goran Ferenc +Cc: Aleksandar Markovic +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20210905162519.21507-1-rdunlap@infradead.org +Signed-off-by: Sasha Levin +--- + drivers/irqchip/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/irqchip/Kconfig b/drivers/irqchip/Kconfig +index 8cb6800dbdfb..9d3812cd668e 100644 +--- a/drivers/irqchip/Kconfig ++++ b/drivers/irqchip/Kconfig +@@ -357,6 +357,7 @@ config MESON_IRQ_GPIO + config GOLDFISH_PIC + bool "Goldfish programmable interrupt controller" + depends on MIPS && (GOLDFISH || COMPILE_TEST) ++ select GENERIC_IRQ_CHIP + select IRQ_DOMAIN + help + Say yes here to enable Goldfish interrupt controller driver used +-- +2.33.0 + diff --git a/queue-4.19/m68k-double-cast-io-functions-to-unsigned-long.patch b/queue-4.19/m68k-double-cast-io-functions-to-unsigned-long.patch new file mode 100644 index 00000000000..9a3ed3e3e20 --- /dev/null +++ b/queue-4.19/m68k-double-cast-io-functions-to-unsigned-long.patch @@ -0,0 +1,68 @@ +From d3708982ba363d8dd3b2704def73d6ffd8454c2c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Sep 2021 23:07:29 -0700 +Subject: m68k: Double cast io functions to unsigned long + +From: Guenter Roeck + +[ Upstream commit b1a89856fbf63fffde6a4771d8f1ac21df549e50 ] + +m68k builds fail widely with errors such as + +arch/m68k/include/asm/raw_io.h:20:19: error: + cast to pointer from integer of different size +arch/m68k/include/asm/raw_io.h:30:32: error: + cast to pointer from integer of different size [-Werror=int-to-p + +On m68k, io functions are defined as macros. The problem is seen if the +macro parameter variable size differs from the size of a pointer. Cast +the parameter of all io macros to unsigned long before casting it to +a pointer to fix the problem. + +Signed-off-by: Guenter Roeck +Link: https://lore.kernel.org/r/20210907060729.2391992-1-linux@roeck-us.net +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/m68k/include/asm/raw_io.h | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/arch/m68k/include/asm/raw_io.h b/arch/m68k/include/asm/raw_io.h +index 85761255dde5..6a03aef53980 100644 +--- a/arch/m68k/include/asm/raw_io.h ++++ b/arch/m68k/include/asm/raw_io.h +@@ -17,21 +17,21 @@ + * two accesses to memory, which may be undesirable for some devices. + */ + #define in_8(addr) \ +- ({ u8 __v = (*(__force volatile u8 *) (addr)); __v; }) ++ ({ u8 __v = (*(__force volatile u8 *) (unsigned long)(addr)); __v; }) + #define in_be16(addr) \ +- ({ u16 __v = (*(__force volatile u16 *) (addr)); __v; }) ++ ({ u16 __v = (*(__force volatile u16 *) (unsigned long)(addr)); __v; }) + #define in_be32(addr) \ +- ({ u32 __v = (*(__force volatile u32 *) (addr)); __v; }) ++ ({ u32 __v = (*(__force volatile u32 *) (unsigned long)(addr)); __v; }) + #define in_le16(addr) \ +- ({ u16 __v = le16_to_cpu(*(__force volatile __le16 *) (addr)); __v; }) ++ ({ u16 __v = le16_to_cpu(*(__force volatile __le16 *) (unsigned long)(addr)); __v; }) + #define in_le32(addr) \ +- ({ u32 __v = le32_to_cpu(*(__force volatile __le32 *) (addr)); __v; }) ++ ({ u32 __v = le32_to_cpu(*(__force volatile __le32 *) (unsigned long)(addr)); __v; }) + +-#define out_8(addr,b) (void)((*(__force volatile u8 *) (addr)) = (b)) +-#define out_be16(addr,w) (void)((*(__force volatile u16 *) (addr)) = (w)) +-#define out_be32(addr,l) (void)((*(__force volatile u32 *) (addr)) = (l)) +-#define out_le16(addr,w) (void)((*(__force volatile __le16 *) (addr)) = cpu_to_le16(w)) +-#define out_le32(addr,l) (void)((*(__force volatile __le32 *) (addr)) = cpu_to_le32(l)) ++#define out_8(addr,b) (void)((*(__force volatile u8 *) (unsigned long)(addr)) = (b)) ++#define out_be16(addr,w) (void)((*(__force volatile u16 *) (unsigned long)(addr)) = (w)) ++#define out_be32(addr,l) (void)((*(__force volatile u32 *) (unsigned long)(addr)) = (l)) ++#define out_le16(addr,w) (void)((*(__force volatile __le16 *) (unsigned long)(addr)) = cpu_to_le16(w)) ++#define out_le32(addr,l) (void)((*(__force volatile __le32 *) (unsigned long)(addr)) = cpu_to_le32(l)) + + #define raw_inb in_8 + #define raw_inw in_be16 +-- +2.33.0 + diff --git a/queue-4.19/md-fix-a-lock-order-reversal-in-md_alloc.patch b/queue-4.19/md-fix-a-lock-order-reversal-in-md_alloc.patch new file mode 100644 index 00000000000..262d37bd140 --- /dev/null +++ b/queue-4.19/md-fix-a-lock-order-reversal-in-md_alloc.patch @@ -0,0 +1,61 @@ +From afe790086fa3112667d49d2c67ec7354da4f4fd8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Sep 2021 13:38:29 +0200 +Subject: md: fix a lock order reversal in md_alloc + +From: Christoph Hellwig + +[ Upstream commit 7df835a32a8bedf7ce88efcfa7c9b245b52ff139 ] + +Commit b0140891a8cea3 ("md: Fix race when creating a new md device.") +not only moved assigning mddev->gendisk before calling add_disk, which +fixes the races described in the commit log, but also added a +mddev->open_mutex critical section over add_disk and creation of the +md kobj. Adding a kobject after add_disk is racy vs deleting the gendisk +right after adding it, but md already prevents against that by holding +a mddev->active reference. + +On the other hand taking this lock added a lock order reversal with what +is not disk->open_mutex (used to be bdev->bd_mutex when the commit was +added) for partition devices, which need that lock for the internal open +for the partition scan, and a recent commit also takes it for +non-partitioned devices, leading to further lockdep splatter. + +Fixes: b0140891a8ce ("md: Fix race when creating a new md device.") +Fixes: d62633873590 ("block: support delayed holder registration") +Reported-by: syzbot+fadc0aaf497e6a493b9f@syzkaller.appspotmail.com +Signed-off-by: Christoph Hellwig +Tested-by: syzbot+fadc0aaf497e6a493b9f@syzkaller.appspotmail.com +Reviewed-by: NeilBrown +Signed-off-by: Song Liu +Signed-off-by: Sasha Levin +--- + drivers/md/md.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/drivers/md/md.c b/drivers/md/md.c +index fae6a983ceee..7e0477e883c7 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -5401,10 +5401,6 @@ static int md_alloc(dev_t dev, char *name) + */ + disk->flags |= GENHD_FL_EXT_DEVT; + mddev->gendisk = disk; +- /* As soon as we call add_disk(), another thread could get +- * through to md_open, so make sure it doesn't get too far +- */ +- mutex_lock(&mddev->open_mutex); + add_disk(disk); + + error = kobject_add(&mddev->kobj, &disk_to_dev(disk)->kobj, "%s", "md"); +@@ -5419,7 +5415,6 @@ static int md_alloc(dev_t dev, char *name) + if (mddev->kobj.sd && + sysfs_create_group(&mddev->kobj, &md_bitmap_group)) + pr_debug("pointless warning\n"); +- mutex_unlock(&mddev->open_mutex); + abort: + mutex_unlock(&disks_mutex); + if (!error && mddev->kobj.sd) { +-- +2.33.0 + diff --git a/queue-4.19/net-6pack-fix-tx-timeout-and-slot-time.patch b/queue-4.19/net-6pack-fix-tx-timeout-and-slot-time.patch new file mode 100644 index 00000000000..944780bdbeb --- /dev/null +++ b/queue-4.19/net-6pack-fix-tx-timeout-and-slot-time.patch @@ -0,0 +1,59 @@ +From 8605656e9ea727703905353ea75ce38affeb560b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Sep 2021 20:57:43 -0700 +Subject: net: 6pack: Fix tx timeout and slot time + +From: Guenter Roeck + +[ Upstream commit 3c0d2a46c0141913dc6fd126c57d0615677d946e ] + +tx timeout and slot time are currently specified in units of HZ. On +Alpha, HZ is defined as 1024. When building alpha:allmodconfig, this +results in the following error message. + + drivers/net/hamradio/6pack.c: In function 'sixpack_open': + drivers/net/hamradio/6pack.c:71:41: error: + unsigned conversion from 'int' to 'unsigned char' + changes value from '256' to '0' + +In the 6PACK protocol, tx timeout is specified in units of 10 ms and +transmitted over the wire: + + https://www.linux-ax25.org/wiki/6PACK + +Defining a value dependent on HZ doesn't really make sense, and +presumably comes from the (very historical) situation where HZ was +originally 100. + +Note that the SIXP_SLOTTIME use explicitly is about 10ms granularity: + + mod_timer(&sp->tx_t, jiffies + ((when + 1) * HZ) / 100); + +and the SIXP_TXDELAY walue is sent as a byte over the wire. + +Signed-off-by: Guenter Roeck +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + drivers/net/hamradio/6pack.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/hamradio/6pack.c b/drivers/net/hamradio/6pack.c +index 1001e9a2edd4..af776d7be780 100644 +--- a/drivers/net/hamradio/6pack.c ++++ b/drivers/net/hamradio/6pack.c +@@ -68,9 +68,9 @@ + #define SIXP_DAMA_OFF 0 + + /* default level 2 parameters */ +-#define SIXP_TXDELAY (HZ/4) /* in 1 s */ ++#define SIXP_TXDELAY 25 /* 250 ms */ + #define SIXP_PERSIST 50 /* in 256ths */ +-#define SIXP_SLOTTIME (HZ/10) /* in 1 s */ ++#define SIXP_SLOTTIME 10 /* 100 ms */ + #define SIXP_INIT_RESYNC_TIMEOUT (3*HZ/2) /* in 1 s */ + #define SIXP_RESYNC_TIMEOUT 5*HZ /* in 1 s */ + +-- +2.33.0 + diff --git a/queue-4.19/net-i825xx-use-absolute_pointer-for-memcpy-from-fixe.patch b/queue-4.19/net-i825xx-use-absolute_pointer-for-memcpy-from-fixe.patch new file mode 100644 index 00000000000..a847b1678ac --- /dev/null +++ b/queue-4.19/net-i825xx-use-absolute_pointer-for-memcpy-from-fixe.patch @@ -0,0 +1,43 @@ +From 517111f71f9c52f1a7c1f8eab2cd7991785b6886 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Sep 2021 20:52:25 -0700 +Subject: net: i825xx: Use absolute_pointer for memcpy from fixed memory + location + +From: Guenter Roeck + +[ Upstream commit dff2d13114f0beec448da9b3716204eb34b0cf41 ] + +gcc 11.x reports the following compiler warning/error. + + drivers/net/ethernet/i825xx/82596.c: In function 'i82596_probe': + arch/m68k/include/asm/string.h:72:25: error: + '__builtin_memcpy' reading 6 bytes from a region of size 0 [-Werror=stringop-overread] + +Use absolute_pointer() to work around the problem. + +Cc: Geert Uytterhoeven +Signed-off-by: Guenter Roeck +Reviewed-by: Geert Uytterhoeven +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/i825xx/82596.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/i825xx/82596.c b/drivers/net/ethernet/i825xx/82596.c +index d719668a6684..8efcec305fc5 100644 +--- a/drivers/net/ethernet/i825xx/82596.c ++++ b/drivers/net/ethernet/i825xx/82596.c +@@ -1155,7 +1155,7 @@ struct net_device * __init i82596_probe(int unit) + err = -ENODEV; + goto out; + } +- memcpy(eth_addr, (void *) 0xfffc1f2c, ETH_ALEN); /* YUCK! Get addr from NOVRAM */ ++ memcpy(eth_addr, absolute_pointer(0xfffc1f2c), ETH_ALEN); /* YUCK! Get addr from NOVRAM */ + dev->base_addr = MVME_I596_BASE; + dev->irq = (unsigned) MVME16x_IRQ_I596; + goto found; +-- +2.33.0 + diff --git a/queue-4.19/net-macb-fix-use-after-free-on-rmmod.patch b/queue-4.19/net-macb-fix-use-after-free-on-rmmod.patch new file mode 100644 index 00000000000..9f68eb73149 --- /dev/null +++ b/queue-4.19/net-macb-fix-use-after-free-on-rmmod.patch @@ -0,0 +1,44 @@ +From 2b7728321f8ee797447609e659fedbe02612b07a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Sep 2021 12:02:32 -0700 +Subject: net: macb: fix use after free on rmmod + +From: Tong Zhang + +[ Upstream commit d82d5303c4c539db86588ffb5dc5b26c3f1513e8 ] + +plat_dev->dev->platform_data is released by platform_device_unregister(), +use of pclk and hclk is a use-after-free. Since device unregister won't +need a clk device we adjust the function call sequence to fix this issue. + +[ 31.261225] BUG: KASAN: use-after-free in macb_remove+0x77/0xc6 [macb_pci] +[ 31.275563] Freed by task 306: +[ 30.276782] platform_device_release+0x25/0x80 + +Suggested-by: Nicolas Ferre +Signed-off-by: Tong Zhang +Acked-by: Nicolas Ferre +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cadence/macb_pci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/cadence/macb_pci.c b/drivers/net/ethernet/cadence/macb_pci.c +index 248a8fc45069..f06fddf9919b 100644 +--- a/drivers/net/ethernet/cadence/macb_pci.c ++++ b/drivers/net/ethernet/cadence/macb_pci.c +@@ -123,9 +123,9 @@ static void macb_remove(struct pci_dev *pdev) + struct platform_device *plat_dev = pci_get_drvdata(pdev); + struct macb_platform_data *plat_data = dev_get_platdata(&plat_dev->dev); + +- platform_device_unregister(plat_dev); + clk_unregister(plat_data->pclk); + clk_unregister(plat_data->hclk); ++ platform_device_unregister(plat_dev); + } + + static const struct pci_device_id dev_id_table[] = { +-- +2.33.0 + diff --git a/queue-4.19/net-stmmac-allow-csr-clock-of-300mhz.patch b/queue-4.19/net-stmmac-allow-csr-clock-of-300mhz.patch new file mode 100644 index 00000000000..a43a56c5bc5 --- /dev/null +++ b/queue-4.19/net-stmmac-allow-csr-clock-of-300mhz.patch @@ -0,0 +1,59 @@ +From 4867615e78a62eec460d87b97803d12f565a6fd3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Sep 2021 21:55:34 +0200 +Subject: net: stmmac: allow CSR clock of 300MHz + +From: Jesper Nilsson + +[ Upstream commit 08dad2f4d541fcfe5e7bfda72cc6314bbfd2802f ] + +The Synopsys Ethernet IP uses the CSR clock as a base clock for MDC. +The divisor used is set in the MAC_MDIO_Address register field CR +(Clock Rate) + +The divisor is there to change the CSR clock into a clock that falls +below the IEEE 802.3 specified max frequency of 2.5MHz. + +If the CSR clock is 300MHz, the code falls back to using the reset +value in the MAC_MDIO_Address register, as described in the comment +above this code. + +However, 300MHz is actually an allowed value and the proper divider +can be estimated quite easily (it's just 1Hz difference!) + +A CSR frequency of 300MHz with the maximum clock rate value of 0x5 +(STMMAC_CSR_250_300M, a divisor of 124) gives somewhere around +~2.42MHz which is below the IEEE 802.3 specified maximum. + +For the ARTPEC-8 SoC, the CSR clock is this problematic 300MHz, +and unfortunately, the reset-value of the MAC_MDIO_Address CR field +is 0x0. + +This leads to a clock rate of zero and a divisor of 42, and gives an +MDC frequency of ~7.14MHz. + +Allow CSR clock of 300MHz by making the comparison inclusive. + +Signed-off-by: Jesper Nilsson +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index af59761ddfa0..064e13bd2c8b 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -227,7 +227,7 @@ static void stmmac_clk_csr_set(struct stmmac_priv *priv) + priv->clk_csr = STMMAC_CSR_100_150M; + else if ((clk_rate >= CSR_F_150M) && (clk_rate < CSR_F_250M)) + priv->clk_csr = STMMAC_CSR_150_250M; +- else if ((clk_rate >= CSR_F_250M) && (clk_rate < CSR_F_300M)) ++ else if ((clk_rate >= CSR_F_250M) && (clk_rate <= CSR_F_300M)) + priv->clk_csr = STMMAC_CSR_250_300M; + } + +-- +2.33.0 + diff --git a/queue-4.19/nvme-multipath-fix-ana-state-updates-when-a-namespac.patch b/queue-4.19/nvme-multipath-fix-ana-state-updates-when-a-namespac.patch new file mode 100644 index 00000000000..64d3007a169 --- /dev/null +++ b/queue-4.19/nvme-multipath-fix-ana-state-updates-when-a-namespac.patch @@ -0,0 +1,61 @@ +From 8fbdf55834a13292e804978f7ebbeb374b0fc62d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Sep 2021 12:54:57 -0600 +Subject: nvme-multipath: fix ANA state updates when a namespace is not present + +From: Anton Eidelman + +[ Upstream commit 79f528afa93918519574773ea49a444c104bc1bd ] + +nvme_update_ana_state() has a deficiency that results in a failure to +properly update the ana state for a namespace in the following case: + + NSIDs in ctrl->namespaces: 1, 3, 4 + NSIDs in desc->nsids: 1, 2, 3, 4 + +Loop iteration 0: + ns index = 0, n = 0, ns->head->ns_id = 1, nsid = 1, MATCH. +Loop iteration 1: + ns index = 1, n = 1, ns->head->ns_id = 3, nsid = 2, NO MATCH. +Loop iteration 2: + ns index = 2, n = 2, ns->head->ns_id = 4, nsid = 4, MATCH. + +Where the update to the ANA state of NSID 3 is missed. To fix this +increment n and retry the update with the same ns when ns->head->ns_id is +higher than nsid, + +Signed-off-by: Anton Eidelman +Signed-off-by: Christoph Hellwig +Reviewed-by: Sagi Grimberg +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/multipath.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c +index 64f699a1afd7..022e03643dac 100644 +--- a/drivers/nvme/host/multipath.c ++++ b/drivers/nvme/host/multipath.c +@@ -398,14 +398,17 @@ static int nvme_update_ana_state(struct nvme_ctrl *ctrl, + + down_read(&ctrl->namespaces_rwsem); + list_for_each_entry(ns, &ctrl->namespaces, list) { +- unsigned nsid = le32_to_cpu(desc->nsids[n]); +- ++ unsigned nsid; ++again: ++ nsid = le32_to_cpu(desc->nsids[n]); + if (ns->head->ns_id < nsid) + continue; + if (ns->head->ns_id == nsid) + nvme_update_ns_ana_state(desc, ns); + if (++n == nr_nsids) + break; ++ if (ns->head->ns_id > nsid) ++ goto again; + } + up_read(&ctrl->namespaces_rwsem); + return 0; +-- +2.33.0 + diff --git a/queue-4.19/parisc-use-absolute_pointer-to-define-page0.patch b/queue-4.19/parisc-use-absolute_pointer-to-define-page0.patch new file mode 100644 index 00000000000..45602d175bb --- /dev/null +++ b/queue-4.19/parisc-use-absolute_pointer-to-define-page0.patch @@ -0,0 +1,38 @@ +From fad7e7b0743e3fdd28546ce70c80a7bc33c52bb3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Sep 2021 08:35:42 +0200 +Subject: parisc: Use absolute_pointer() to define PAGE0 + +From: Helge Deller + +[ Upstream commit 90cc7bed1ed19f869ae7221a6b41887fe762a6a3 ] + +Use absolute_pointer() wrapper for PAGE0 to avoid this compiler warning: + + arch/parisc/kernel/setup.c: In function 'start_parisc': + error: '__builtin_memcmp_eq' specified bound 8 exceeds source size 0 + +Signed-off-by: Helge Deller +Co-Developed-by: Guenter Roeck +Suggested-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + arch/parisc/include/asm/page.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/parisc/include/asm/page.h b/arch/parisc/include/asm/page.h +index af00fe9bf846..c631a8fd856a 100644 +--- a/arch/parisc/include/asm/page.h ++++ b/arch/parisc/include/asm/page.h +@@ -179,7 +179,7 @@ extern int npmem_ranges; + #include + #include + +-#define PAGE0 ((struct zeropage *)__PAGE_OFFSET) ++#define PAGE0 ((struct zeropage *)absolute_pointer(__PAGE_OFFSET)) + + /* DEFINITION OF THE ZERO-PAGE (PAG0) */ + /* based on work by Jason Eckhardt (jason@equator.com) */ +-- +2.33.0 + diff --git a/queue-4.19/qnx4-avoid-stringop-overread-errors.patch b/queue-4.19/qnx4-avoid-stringop-overread-errors.patch new file mode 100644 index 00000000000..3e0f7f589f2 --- /dev/null +++ b/queue-4.19/qnx4-avoid-stringop-overread-errors.patch @@ -0,0 +1,134 @@ +From 490eb4905eefecc5ad6dca49db0ce17e34aa80b6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Sep 2021 13:56:37 -0700 +Subject: qnx4: avoid stringop-overread errors +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Torvalds + +[ Upstream commit b7213ffa0e585feb1aee3e7173e965e66ee0abaa ] + +The qnx4 directory entries are 64-byte blocks that have different +contents depending on the a status byte that is in the last byte of the +block. + +In particular, a directory entry can be either a "link info" entry with +a 48-byte name and pointers to the real inode information, or an "inode +entry" with a smaller 16-byte name and the full inode information. + +But the code was written to always just treat the directory name as if +it was part of that "inode entry", and just extend the name to the +longer case if the status byte said it was a link entry. + +That work just fine and gives the right results, but now that gcc is +tracking data structure accesses much more, the code can trigger a +compiler error about using up to 48 bytes (the long name) in a structure +that only has that shorter name in it: + + fs/qnx4/dir.c: In function ‘qnx4_readdir’: + fs/qnx4/dir.c:51:32: error: ‘strnlen’ specified bound 48 exceeds source size 16 [-Werror=stringop-overread] + 51 | size = strnlen(de->di_fname, size); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~ + In file included from fs/qnx4/qnx4.h:3, + from fs/qnx4/dir.c:16: + include/uapi/linux/qnx4_fs.h:45:25: note: source object declared here + 45 | char di_fname[QNX4_SHORT_NAME_MAX]; + | ^~~~~~~~ + +which is because the source code doesn't really make this whole "one of +two different types" explicit. + +Fix this by introducing a very explicit union of the two types, and +basically explaining to the compiler what is really going on. + +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/qnx4/dir.c | 51 ++++++++++++++++++++++++++++++++++----------------- + 1 file changed, 34 insertions(+), 17 deletions(-) + +diff --git a/fs/qnx4/dir.c b/fs/qnx4/dir.c +index a6ee23aadd28..2a66844b7ff8 100644 +--- a/fs/qnx4/dir.c ++++ b/fs/qnx4/dir.c +@@ -15,13 +15,27 @@ + #include + #include "qnx4.h" + ++/* ++ * A qnx4 directory entry is an inode entry or link info ++ * depending on the status field in the last byte. The ++ * first byte is where the name start either way, and a ++ * zero means it's empty. ++ */ ++union qnx4_directory_entry { ++ struct { ++ char de_name; ++ char de_pad[62]; ++ char de_status; ++ }; ++ struct qnx4_inode_entry inode; ++ struct qnx4_link_info link; ++}; ++ + static int qnx4_readdir(struct file *file, struct dir_context *ctx) + { + struct inode *inode = file_inode(file); + unsigned int offset; + struct buffer_head *bh; +- struct qnx4_inode_entry *de; +- struct qnx4_link_info *le; + unsigned long blknum; + int ix, ino; + int size; +@@ -38,27 +52,30 @@ static int qnx4_readdir(struct file *file, struct dir_context *ctx) + } + ix = (ctx->pos >> QNX4_DIR_ENTRY_SIZE_BITS) % QNX4_INODES_PER_BLOCK; + for (; ix < QNX4_INODES_PER_BLOCK; ix++, ctx->pos += QNX4_DIR_ENTRY_SIZE) { ++ union qnx4_directory_entry *de; ++ const char *name; ++ + offset = ix * QNX4_DIR_ENTRY_SIZE; +- de = (struct qnx4_inode_entry *) (bh->b_data + offset); +- if (!de->di_fname[0]) ++ de = (union qnx4_directory_entry *) (bh->b_data + offset); ++ ++ if (!de->de_name) + continue; +- if (!(de->di_status & (QNX4_FILE_USED|QNX4_FILE_LINK))) ++ if (!(de->de_status & (QNX4_FILE_USED|QNX4_FILE_LINK))) + continue; +- if (!(de->di_status & QNX4_FILE_LINK)) +- size = QNX4_SHORT_NAME_MAX; +- else +- size = QNX4_NAME_MAX; +- size = strnlen(de->di_fname, size); +- QNX4DEBUG((KERN_INFO "qnx4_readdir:%.*s\n", size, de->di_fname)); +- if (!(de->di_status & QNX4_FILE_LINK)) ++ if (!(de->de_status & QNX4_FILE_LINK)) { ++ size = sizeof(de->inode.di_fname); ++ name = de->inode.di_fname; + ino = blknum * QNX4_INODES_PER_BLOCK + ix - 1; +- else { +- le = (struct qnx4_link_info*)de; +- ino = ( le32_to_cpu(le->dl_inode_blk) - 1 ) * ++ } else { ++ size = sizeof(de->link.dl_fname); ++ name = de->link.dl_fname; ++ ino = ( le32_to_cpu(de->link.dl_inode_blk) - 1 ) * + QNX4_INODES_PER_BLOCK + +- le->dl_inode_ndx; ++ de->link.dl_inode_ndx; + } +- if (!dir_emit(ctx, de->di_fname, size, ino, DT_UNKNOWN)) { ++ size = strnlen(name, size); ++ QNX4DEBUG((KERN_INFO "qnx4_readdir:%.*s\n", size, name)); ++ if (!dir_emit(ctx, name, size, ino, DT_UNKNOWN)) { + brelse(bh); + return 0; + } +-- +2.33.0 + diff --git a/queue-4.19/scsi-iscsi-adjust-iface-sysfs-attr-detection.patch b/queue-4.19/scsi-iscsi-adjust-iface-sysfs-attr-detection.patch new file mode 100644 index 00000000000..ec56b1f0208 --- /dev/null +++ b/queue-4.19/scsi-iscsi-adjust-iface-sysfs-attr-detection.patch @@ -0,0 +1,53 @@ +From 109513511f41e2ebdf32b2e2b97a28ce6ea3bd0d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Sep 2021 16:53:36 +0800 +Subject: scsi: iscsi: Adjust iface sysfs attr detection + +From: Baokun Li + +[ Upstream commit 4e28550829258f7dab97383acaa477bd724c0ff4 ] + +ISCSI_NET_PARAM_IFACE_ENABLE belongs to enum iscsi_net_param instead of +iscsi_iface_param so move it to ISCSI_NET_PARAM. Otherwise, when we call +into the driver, we might not match and return that we don't want attr +visible in sysfs. Found in code review. + +Link: https://lore.kernel.org/r/20210901085336.2264295-1-libaokun1@huawei.com +Fixes: e746f3451ec7 ("scsi: iscsi: Fix iface sysfs attr detection") +Reviewed-by: Lee Duncan +Signed-off-by: Baokun Li +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_transport_iscsi.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c +index 20e69052161e..c06e648a415b 100644 +--- a/drivers/scsi/scsi_transport_iscsi.c ++++ b/drivers/scsi/scsi_transport_iscsi.c +@@ -429,9 +429,7 @@ static umode_t iscsi_iface_attr_is_visible(struct kobject *kobj, + struct iscsi_transport *t = iface->transport; + int param = -1; + +- if (attr == &dev_attr_iface_enabled.attr) +- param = ISCSI_NET_PARAM_IFACE_ENABLE; +- else if (attr == &dev_attr_iface_def_taskmgmt_tmo.attr) ++ if (attr == &dev_attr_iface_def_taskmgmt_tmo.attr) + param = ISCSI_IFACE_PARAM_DEF_TASKMGMT_TMO; + else if (attr == &dev_attr_iface_header_digest.attr) + param = ISCSI_IFACE_PARAM_HDRDGST_EN; +@@ -471,7 +469,9 @@ static umode_t iscsi_iface_attr_is_visible(struct kobject *kobj, + if (param != -1) + return t->attr_is_visible(ISCSI_IFACE_PARAM, param); + +- if (attr == &dev_attr_iface_vlan_id.attr) ++ if (attr == &dev_attr_iface_enabled.attr) ++ param = ISCSI_NET_PARAM_IFACE_ENABLE; ++ else if (attr == &dev_attr_iface_vlan_id.attr) + param = ISCSI_NET_PARAM_VLAN_ID; + else if (attr == &dev_attr_iface_vlan_priority.attr) + param = ISCSI_NET_PARAM_VLAN_PRIORITY; +-- +2.33.0 + diff --git a/queue-4.19/series b/queue-4.19/series index 57e7379790f..ee5c166ecfd 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -20,3 +20,27 @@ bnxt_en-fix-tx-timeout-when-tx-ring-size-is-set-to-t.patch net-smc-add-missing-error-check-in-smc_clc_prfx_set.patch gpio-uniphier-fix-void-functions-to-remove-return-va.patch net-mlx4_en-don-t-allow-arfs-for-encapsulated-packet.patch +scsi-iscsi-adjust-iface-sysfs-attr-detection.patch +tty-synclink_gt-drop-unneeded-forward-declarations.patch +tty-synclink_gt-rename-a-conflicting-function-name.patch +fpga-machxo2-spi-return-an-error-on-failure.patch +fpga-machxo2-spi-fix-missing-error-code-in-machxo2_w.patch +thermal-core-potential-buffer-overflow-in-thermal_bu.patch +irqchip-goldfish-pic-select-generic_irq_chip-to-fix-.patch +irqchip-gic-v3-its-fix-potential-vpe-leak-on-error.patch +md-fix-a-lock-order-reversal-in-md_alloc.patch +blktrace-fix-uaf-in-blk_trace-access-after-removing-.patch +net-macb-fix-use-after-free-on-rmmod.patch +net-stmmac-allow-csr-clock-of-300mhz.patch +m68k-double-cast-io-functions-to-unsigned-long.patch +xen-balloon-use-a-kernel-thread-instead-a-workqueue.patch +nvme-multipath-fix-ana-state-updates-when-a-namespac.patch +compiler.h-introduce-absolute_pointer-macro.patch +net-i825xx-use-absolute_pointer-for-memcpy-from-fixe.patch +sparc-avoid-stringop-overread-errors.patch +qnx4-avoid-stringop-overread-errors.patch +parisc-use-absolute_pointer-to-define-page0.patch +arm64-mark-__stack_chk_guard-as-__ro_after_init.patch +alpha-declare-virt_to_phys-and-virt_to_bus-parameter.patch +net-6pack-fix-tx-timeout-and-slot-time.patch +spi-fix-tegra20-build-with-config_pm-n.patch diff --git a/queue-4.19/sparc-avoid-stringop-overread-errors.patch b/queue-4.19/sparc-avoid-stringop-overread-errors.patch new file mode 100644 index 00000000000..8b926652393 --- /dev/null +++ b/queue-4.19/sparc-avoid-stringop-overread-errors.patch @@ -0,0 +1,65 @@ +From 9e3ad2c18d28be8147db07cae26feea20981cfc4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Sep 2021 16:06:04 -0700 +Subject: sparc: avoid stringop-overread errors +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Torvalds + +[ Upstream commit fc7c028dcdbfe981bca75d2a7b95f363eb691ef3 ] + +The sparc mdesc code does pointer games with 'struct mdesc_hdr', but +didn't describe to the compiler how that header is then followed by the +data that the header describes. + +As a result, gcc is now unhappy since it does stricter pointer range +tracking, and doesn't understand about how these things work. This +results in various errors like: + + arch/sparc/kernel/mdesc.c: In function ‘mdesc_node_by_name’: + arch/sparc/kernel/mdesc.c:647:22: error: ‘strcmp’ reading 1 or more bytes from a region of size 0 [-Werror=stringop-overread] + 647 | if (!strcmp(names + ep[ret].name_offset, name)) + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +which are easily avoided by just describing 'struct mdesc_hdr' better, +and making the node_block() helper function look into that unsized +data[] that follows the header. + +This makes the sparc64 build happy again at least for my cross-compiler +version (gcc version 11.2.1). + +Link: https://lore.kernel.org/lkml/CAHk-=wi4NW3NC0xWykkw=6LnjQD6D_rtRtxY9g8gQAJXtQMi8A@mail.gmail.com/ +Cc: Guenter Roeck +Cc: David S. Miller +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + arch/sparc/kernel/mdesc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/sparc/kernel/mdesc.c b/arch/sparc/kernel/mdesc.c +index 51028abe5e90..ecec6a616e0d 100644 +--- a/arch/sparc/kernel/mdesc.c ++++ b/arch/sparc/kernel/mdesc.c +@@ -40,6 +40,7 @@ struct mdesc_hdr { + u32 node_sz; /* node block size */ + u32 name_sz; /* name block size */ + u32 data_sz; /* data block size */ ++ char data[]; + } __attribute__((aligned(16))); + + struct mdesc_elem { +@@ -613,7 +614,7 @@ EXPORT_SYMBOL(mdesc_get_node_info); + + static struct mdesc_elem *node_block(struct mdesc_hdr *mdesc) + { +- return (struct mdesc_elem *) (mdesc + 1); ++ return (struct mdesc_elem *) mdesc->data; + } + + static void *name_block(struct mdesc_hdr *mdesc) +-- +2.33.0 + diff --git a/queue-4.19/spi-fix-tegra20-build-with-config_pm-n.patch b/queue-4.19/spi-fix-tegra20-build-with-config_pm-n.patch new file mode 100644 index 00000000000..01616b086e8 --- /dev/null +++ b/queue-4.19/spi-fix-tegra20-build-with-config_pm-n.patch @@ -0,0 +1,59 @@ +From acc0df7b3763a03910c331e5ecb74ab9cf069dde Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 18 Sep 2021 10:05:06 -0700 +Subject: spi: Fix tegra20 build with CONFIG_PM=n +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Torvalds + +[ Upstream commit efafec27c5658ed987e720130772f8933c685e87 ] + +Without CONFIG_PM enabled, the SET_RUNTIME_PM_OPS() macro ends up being +empty, and the only use of tegra_slink_runtime_{resume,suspend} goes +away, resulting in + + drivers/spi/spi-tegra20-slink.c:1200:12: error: ‘tegra_slink_runtime_resume’ defined but not used [-Werror=unused-function] + 1200 | static int tegra_slink_runtime_resume(struct device *dev) + | ^~~~~~~~~~~~~~~~~~~~~~~~~~ + drivers/spi/spi-tegra20-slink.c:1188:12: error: ‘tegra_slink_runtime_suspend’ defined but not used [-Werror=unused-function] + 1188 | static int tegra_slink_runtime_suspend(struct device *dev) + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~ + +mark the functions __maybe_unused to make the build happy. + +This hits the alpha allmodconfig build (and others). + +Reported-by: Guenter Roeck +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-tegra20-slink.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/spi/spi-tegra20-slink.c b/drivers/spi/spi-tegra20-slink.c +index c6b80a60951b..bc3097e5cc26 100644 +--- a/drivers/spi/spi-tegra20-slink.c ++++ b/drivers/spi/spi-tegra20-slink.c +@@ -1210,7 +1210,7 @@ static int tegra_slink_resume(struct device *dev) + } + #endif + +-static int tegra_slink_runtime_suspend(struct device *dev) ++static int __maybe_unused tegra_slink_runtime_suspend(struct device *dev) + { + struct spi_master *master = dev_get_drvdata(dev); + struct tegra_slink_data *tspi = spi_master_get_devdata(master); +@@ -1222,7 +1222,7 @@ static int tegra_slink_runtime_suspend(struct device *dev) + return 0; + } + +-static int tegra_slink_runtime_resume(struct device *dev) ++static int __maybe_unused tegra_slink_runtime_resume(struct device *dev) + { + struct spi_master *master = dev_get_drvdata(dev); + struct tegra_slink_data *tspi = spi_master_get_devdata(master); +-- +2.33.0 + diff --git a/queue-4.19/thermal-core-potential-buffer-overflow-in-thermal_bu.patch b/queue-4.19/thermal-core-potential-buffer-overflow-in-thermal_bu.patch new file mode 100644 index 00000000000..5e58940b38a --- /dev/null +++ b/queue-4.19/thermal-core-potential-buffer-overflow-in-thermal_bu.patch @@ -0,0 +1,52 @@ +From d78c9d5528877acc32a09bb4c78d7398238f4cf6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Sep 2021 16:13:42 +0300 +Subject: thermal/core: Potential buffer overflow in + thermal_build_list_of_policies() + +From: Dan Carpenter + +[ Upstream commit 1bb30b20b49773369c299d4d6c65227201328663 ] + +After printing the list of thermal governors, then this function prints +a newline character. The problem is that "size" has not been updated +after printing the last governor. This means that it can write one +character (the NUL terminator) beyond the end of the buffer. + +Get rid of the "size" variable and just use "PAGE_SIZE - count" directly. + +Fixes: 1b4f48494eb2 ("thermal: core: group functions related to governor handling") +Signed-off-by: Dan Carpenter +Signed-off-by: Daniel Lezcano +Link: https://lore.kernel.org/r/20210916131342.GB25094@kili +Signed-off-by: Sasha Levin +--- + drivers/thermal/thermal_core.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c +index a24296d68f3e..ae60599c462b 100644 +--- a/drivers/thermal/thermal_core.c ++++ b/drivers/thermal/thermal_core.c +@@ -228,15 +228,14 @@ int thermal_build_list_of_policies(char *buf) + { + struct thermal_governor *pos; + ssize_t count = 0; +- ssize_t size = PAGE_SIZE; + + mutex_lock(&thermal_governor_lock); + + list_for_each_entry(pos, &thermal_governor_list, governor_list) { +- size = PAGE_SIZE - count; +- count += scnprintf(buf + count, size, "%s ", pos->name); ++ count += scnprintf(buf + count, PAGE_SIZE - count, "%s ", ++ pos->name); + } +- count += scnprintf(buf + count, size, "\n"); ++ count += scnprintf(buf + count, PAGE_SIZE - count, "\n"); + + mutex_unlock(&thermal_governor_lock); + +-- +2.33.0 + diff --git a/queue-4.19/tty-synclink_gt-drop-unneeded-forward-declarations.patch b/queue-4.19/tty-synclink_gt-drop-unneeded-forward-declarations.patch new file mode 100644 index 00000000000..4824b80e0dd --- /dev/null +++ b/queue-4.19/tty-synclink_gt-drop-unneeded-forward-declarations.patch @@ -0,0 +1,154 @@ +From d996b645e05ab309024d73100b788bf5db3e8cef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Mar 2021 07:22:09 +0100 +Subject: tty: synclink_gt, drop unneeded forward declarations + +From: Jiri Slaby + +[ Upstream commit b9b90fe655c0bd816847ac1bcbf179cfa2981ecb ] + +Forward declarations make the code larger and rewrites harder. Harder as +they are often omitted from global changes. Remove forward declarations +which are not really needed, i.e. the definition of the function is +before its first use. + +Signed-off-by: Jiri Slaby +Link: https://lore.kernel.org/r/20210302062214.29627-39-jslaby@suse.cz +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/synclink_gt.c | 57 +-------------------------------------- + 1 file changed, 1 insertion(+), 56 deletions(-) + +diff --git a/drivers/tty/synclink_gt.c b/drivers/tty/synclink_gt.c +index e9779b03ee56..503836be5fe2 100644 +--- a/drivers/tty/synclink_gt.c ++++ b/drivers/tty/synclink_gt.c +@@ -137,37 +137,14 @@ MODULE_PARM_DESC(maxframe, "Maximum frame size used by device (4096 to 65535)"); + */ + static struct tty_driver *serial_driver; + +-static int open(struct tty_struct *tty, struct file * filp); +-static void close(struct tty_struct *tty, struct file * filp); +-static void hangup(struct tty_struct *tty); +-static void set_termios(struct tty_struct *tty, struct ktermios *old_termios); +- +-static int write(struct tty_struct *tty, const unsigned char *buf, int count); +-static int put_char(struct tty_struct *tty, unsigned char ch); +-static void send_xchar(struct tty_struct *tty, char ch); + static void wait_until_sent(struct tty_struct *tty, int timeout); +-static int write_room(struct tty_struct *tty); +-static void flush_chars(struct tty_struct *tty); + static void flush_buffer(struct tty_struct *tty); +-static void tx_hold(struct tty_struct *tty); + static void tx_release(struct tty_struct *tty); + +-static int ioctl(struct tty_struct *tty, unsigned int cmd, unsigned long arg); +-static int chars_in_buffer(struct tty_struct *tty); +-static void throttle(struct tty_struct * tty); +-static void unthrottle(struct tty_struct * tty); +-static int set_break(struct tty_struct *tty, int break_state); +- + /* +- * generic HDLC support and callbacks ++ * generic HDLC support + */ +-#if SYNCLINK_GENERIC_HDLC + #define dev_to_port(D) (dev_to_hdlc(D)->priv) +-static void hdlcdev_tx_done(struct slgt_info *info); +-static void hdlcdev_rx(struct slgt_info *info, char *buf, int size); +-static int hdlcdev_init(struct slgt_info *info); +-static void hdlcdev_exit(struct slgt_info *info); +-#endif + + + /* +@@ -186,9 +163,6 @@ struct cond_wait { + wait_queue_entry_t wait; + unsigned int data; + }; +-static void init_cond_wait(struct cond_wait *w, unsigned int data); +-static void add_cond_wait(struct cond_wait **head, struct cond_wait *w); +-static void remove_cond_wait(struct cond_wait **head, struct cond_wait *w); + static void flush_cond_wait(struct cond_wait **head); + + /* +@@ -443,12 +417,8 @@ static void shutdown(struct slgt_info *info); + static void program_hw(struct slgt_info *info); + static void change_params(struct slgt_info *info); + +-static int register_test(struct slgt_info *info); +-static int irq_test(struct slgt_info *info); +-static int loopback_test(struct slgt_info *info); + static int adapter_test(struct slgt_info *info); + +-static void reset_adapter(struct slgt_info *info); + static void reset_port(struct slgt_info *info); + static void async_mode(struct slgt_info *info); + static void sync_mode(struct slgt_info *info); +@@ -457,14 +427,12 @@ static void rx_stop(struct slgt_info *info); + static void rx_start(struct slgt_info *info); + static void reset_rbufs(struct slgt_info *info); + static void free_rbufs(struct slgt_info *info, unsigned int first, unsigned int last); +-static void rdma_reset(struct slgt_info *info); + static bool rx_get_frame(struct slgt_info *info); + static bool rx_get_buf(struct slgt_info *info); + + static void tx_start(struct slgt_info *info); + static void tx_stop(struct slgt_info *info); + static void tx_set_idle(struct slgt_info *info); +-static unsigned int free_tbuf_count(struct slgt_info *info); + static unsigned int tbuf_bytes(struct slgt_info *info); + static void reset_tbufs(struct slgt_info *info); + static void tdma_reset(struct slgt_info *info); +@@ -472,26 +440,10 @@ static bool tx_load(struct slgt_info *info, const char *buf, unsigned int count) + + static void get_signals(struct slgt_info *info); + static void set_signals(struct slgt_info *info); +-static void enable_loopback(struct slgt_info *info); + static void set_rate(struct slgt_info *info, u32 data_rate); + +-static int bh_action(struct slgt_info *info); +-static void bh_handler(struct work_struct *work); + static void bh_transmit(struct slgt_info *info); +-static void isr_serial(struct slgt_info *info); +-static void isr_rdma(struct slgt_info *info); + static void isr_txeom(struct slgt_info *info, unsigned short status); +-static void isr_tdma(struct slgt_info *info); +- +-static int alloc_dma_bufs(struct slgt_info *info); +-static void free_dma_bufs(struct slgt_info *info); +-static int alloc_desc(struct slgt_info *info); +-static void free_desc(struct slgt_info *info); +-static int alloc_bufs(struct slgt_info *info, struct slgt_desc *bufs, int count); +-static void free_bufs(struct slgt_info *info, struct slgt_desc *bufs, int count); +- +-static int alloc_tmp_rbuf(struct slgt_info *info); +-static void free_tmp_rbuf(struct slgt_info *info); + + static void tx_timeout(struct timer_list *t); + static void rx_timeout(struct timer_list *t); +@@ -509,10 +461,6 @@ static int tx_abort(struct slgt_info *info); + static int rx_enable(struct slgt_info *info, int enable); + static int modem_input_wait(struct slgt_info *info,int arg); + static int wait_mgsl_event(struct slgt_info *info, int __user *mask_ptr); +-static int tiocmget(struct tty_struct *tty); +-static int tiocmset(struct tty_struct *tty, +- unsigned int set, unsigned int clear); +-static int set_break(struct tty_struct *tty, int break_state); + static int get_interface(struct slgt_info *info, int __user *if_mode); + static int set_interface(struct slgt_info *info, int if_mode); + static int set_gpio(struct slgt_info *info, struct gpio_desc __user *gpio); +@@ -526,9 +474,6 @@ static int set_xctrl(struct slgt_info *info, int if_mode); + /* + * driver functions + */ +-static void add_device(struct slgt_info *info); +-static void device_init(int adapter_num, struct pci_dev *pdev); +-static int claim_resources(struct slgt_info *info); + static void release_resources(struct slgt_info *info); + + /* +-- +2.33.0 + diff --git a/queue-4.19/tty-synclink_gt-rename-a-conflicting-function-name.patch b/queue-4.19/tty-synclink_gt-rename-a-conflicting-function-name.patch new file mode 100644 index 00000000000..4232a5b570e --- /dev/null +++ b/queue-4.19/tty-synclink_gt-rename-a-conflicting-function-name.patch @@ -0,0 +1,235 @@ +From c0fd81154370a8ae5a7bdd075d2b3110c3a9bf67 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Sep 2021 17:38:06 -0700 +Subject: tty: synclink_gt: rename a conflicting function name +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Randy Dunlap + +[ Upstream commit 06e49073dfba24df4b1073a068631b13a0039c34 ] + +'set_signals()' in synclink_gt.c conflicts with an exported symbol +in arch/um/, so change set_signals() to set_gtsignals(). Keep +the function names similar by also changing get_signals() to +get_gtsignals(). + +../drivers/tty/synclink_gt.c:442:13: error: conflicting types for ‘set_signals’ + static void set_signals(struct slgt_info *info); + ^~~~~~~~~~~ +In file included from ../include/linux/irqflags.h:16:0, + from ../include/linux/spinlock.h:58, + from ../include/linux/mm_types.h:9, + from ../include/linux/buildid.h:5, + from ../include/linux/module.h:14, + from ../drivers/tty/synclink_gt.c:46: +../arch/um/include/asm/irqflags.h:6:5: note: previous declaration of ‘set_signals’ was here + int set_signals(int enable); + ^~~~~~~~~~~ + +Fixes: 705b6c7b34f2 ("[PATCH] new driver synclink_gt") +Cc: Greg Kroah-Hartman +Cc: Jiri Slaby +Cc: Paul Fulghum +Signed-off-by: Randy Dunlap +Link: https://lore.kernel.org/r/20210902003806.17054-1-rdunlap@infradead.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/synclink_gt.c | 44 +++++++++++++++++++-------------------- + 1 file changed, 22 insertions(+), 22 deletions(-) + +diff --git a/drivers/tty/synclink_gt.c b/drivers/tty/synclink_gt.c +index 503836be5fe2..afe34beec720 100644 +--- a/drivers/tty/synclink_gt.c ++++ b/drivers/tty/synclink_gt.c +@@ -438,8 +438,8 @@ static void reset_tbufs(struct slgt_info *info); + static void tdma_reset(struct slgt_info *info); + static bool tx_load(struct slgt_info *info, const char *buf, unsigned int count); + +-static void get_signals(struct slgt_info *info); +-static void set_signals(struct slgt_info *info); ++static void get_gtsignals(struct slgt_info *info); ++static void set_gtsignals(struct slgt_info *info); + static void set_rate(struct slgt_info *info, u32 data_rate); + + static void bh_transmit(struct slgt_info *info); +@@ -721,7 +721,7 @@ static void set_termios(struct tty_struct *tty, struct ktermios *old_termios) + if ((old_termios->c_cflag & CBAUD) && !C_BAUD(tty)) { + info->signals &= ~(SerialSignal_RTS | SerialSignal_DTR); + spin_lock_irqsave(&info->lock,flags); +- set_signals(info); ++ set_gtsignals(info); + spin_unlock_irqrestore(&info->lock,flags); + } + +@@ -731,7 +731,7 @@ static void set_termios(struct tty_struct *tty, struct ktermios *old_termios) + if (!C_CRTSCTS(tty) || !tty_throttled(tty)) + info->signals |= SerialSignal_RTS; + spin_lock_irqsave(&info->lock,flags); +- set_signals(info); ++ set_gtsignals(info); + spin_unlock_irqrestore(&info->lock,flags); + } + +@@ -1183,7 +1183,7 @@ static inline void line_info(struct seq_file *m, struct slgt_info *info) + + /* output current serial signal states */ + spin_lock_irqsave(&info->lock,flags); +- get_signals(info); ++ get_gtsignals(info); + spin_unlock_irqrestore(&info->lock,flags); + + stat_buf[0] = 0; +@@ -1283,7 +1283,7 @@ static void throttle(struct tty_struct * tty) + if (C_CRTSCTS(tty)) { + spin_lock_irqsave(&info->lock,flags); + info->signals &= ~SerialSignal_RTS; +- set_signals(info); ++ set_gtsignals(info); + spin_unlock_irqrestore(&info->lock,flags); + } + } +@@ -1308,7 +1308,7 @@ static void unthrottle(struct tty_struct * tty) + if (C_CRTSCTS(tty)) { + spin_lock_irqsave(&info->lock,flags); + info->signals |= SerialSignal_RTS; +- set_signals(info); ++ set_gtsignals(info); + spin_unlock_irqrestore(&info->lock,flags); + } + } +@@ -1480,7 +1480,7 @@ static int hdlcdev_open(struct net_device *dev) + + /* inform generic HDLC layer of current DCD status */ + spin_lock_irqsave(&info->lock, flags); +- get_signals(info); ++ get_gtsignals(info); + spin_unlock_irqrestore(&info->lock, flags); + if (info->signals & SerialSignal_DCD) + netif_carrier_on(dev); +@@ -2236,7 +2236,7 @@ static void isr_txeom(struct slgt_info *info, unsigned short status) + if (info->params.mode != MGSL_MODE_ASYNC && info->drop_rts_on_tx_done) { + info->signals &= ~SerialSignal_RTS; + info->drop_rts_on_tx_done = false; +- set_signals(info); ++ set_gtsignals(info); + } + + #if SYNCLINK_GENERIC_HDLC +@@ -2401,7 +2401,7 @@ static void shutdown(struct slgt_info *info) + + if (!info->port.tty || info->port.tty->termios.c_cflag & HUPCL) { + info->signals &= ~(SerialSignal_RTS | SerialSignal_DTR); +- set_signals(info); ++ set_gtsignals(info); + } + + flush_cond_wait(&info->gpio_wait_q); +@@ -2429,7 +2429,7 @@ static void program_hw(struct slgt_info *info) + else + async_mode(info); + +- set_signals(info); ++ set_gtsignals(info); + + info->dcd_chkcount = 0; + info->cts_chkcount = 0; +@@ -2437,7 +2437,7 @@ static void program_hw(struct slgt_info *info) + info->dsr_chkcount = 0; + + slgt_irq_on(info, IRQ_DCD | IRQ_CTS | IRQ_DSR | IRQ_RI); +- get_signals(info); ++ get_gtsignals(info); + + if (info->netcount || + (info->port.tty && info->port.tty->termios.c_cflag & CREAD)) +@@ -2681,7 +2681,7 @@ static int wait_mgsl_event(struct slgt_info *info, int __user *mask_ptr) + spin_lock_irqsave(&info->lock,flags); + + /* return immediately if state matches requested events */ +- get_signals(info); ++ get_gtsignals(info); + s = info->signals; + + events = mask & +@@ -3099,7 +3099,7 @@ static int tiocmget(struct tty_struct *tty) + unsigned long flags; + + spin_lock_irqsave(&info->lock,flags); +- get_signals(info); ++ get_gtsignals(info); + spin_unlock_irqrestore(&info->lock,flags); + + result = ((info->signals & SerialSignal_RTS) ? TIOCM_RTS:0) + +@@ -3138,7 +3138,7 @@ static int tiocmset(struct tty_struct *tty, + info->signals &= ~SerialSignal_DTR; + + spin_lock_irqsave(&info->lock,flags); +- set_signals(info); ++ set_gtsignals(info); + spin_unlock_irqrestore(&info->lock,flags); + return 0; + } +@@ -3149,7 +3149,7 @@ static int carrier_raised(struct tty_port *port) + struct slgt_info *info = container_of(port, struct slgt_info, port); + + spin_lock_irqsave(&info->lock,flags); +- get_signals(info); ++ get_gtsignals(info); + spin_unlock_irqrestore(&info->lock,flags); + return (info->signals & SerialSignal_DCD) ? 1 : 0; + } +@@ -3164,7 +3164,7 @@ static void dtr_rts(struct tty_port *port, int on) + info->signals |= SerialSignal_RTS | SerialSignal_DTR; + else + info->signals &= ~(SerialSignal_RTS | SerialSignal_DTR); +- set_signals(info); ++ set_gtsignals(info); + spin_unlock_irqrestore(&info->lock,flags); + } + +@@ -3963,10 +3963,10 @@ static void tx_start(struct slgt_info *info) + + if (info->params.mode != MGSL_MODE_ASYNC) { + if (info->params.flags & HDLC_FLAG_AUTO_RTS) { +- get_signals(info); ++ get_gtsignals(info); + if (!(info->signals & SerialSignal_RTS)) { + info->signals |= SerialSignal_RTS; +- set_signals(info); ++ set_gtsignals(info); + info->drop_rts_on_tx_done = true; + } + } +@@ -4020,7 +4020,7 @@ static void reset_port(struct slgt_info *info) + rx_stop(info); + + info->signals &= ~(SerialSignal_RTS | SerialSignal_DTR); +- set_signals(info); ++ set_gtsignals(info); + + slgt_irq_off(info, IRQ_ALL | IRQ_MASTER); + } +@@ -4442,7 +4442,7 @@ static void tx_set_idle(struct slgt_info *info) + /* + * get state of V24 status (input) signals + */ +-static void get_signals(struct slgt_info *info) ++static void get_gtsignals(struct slgt_info *info) + { + unsigned short status = rd_reg16(info, SSR); + +@@ -4504,7 +4504,7 @@ static void msc_set_vcr(struct slgt_info *info) + /* + * set state of V24 control (output) signals + */ +-static void set_signals(struct slgt_info *info) ++static void set_gtsignals(struct slgt_info *info) + { + unsigned char val = rd_reg8(info, VCR); + if (info->signals & SerialSignal_DTR) +-- +2.33.0 + diff --git a/queue-4.19/xen-balloon-use-a-kernel-thread-instead-a-workqueue.patch b/queue-4.19/xen-balloon-use-a-kernel-thread-instead-a-workqueue.patch new file mode 100644 index 00000000000..2bde848f319 --- /dev/null +++ b/queue-4.19/xen-balloon-use-a-kernel-thread-instead-a-workqueue.patch @@ -0,0 +1,195 @@ +From 5bc4eec8de045246ce828f05f892b69c9ed0c37e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Aug 2021 14:32:06 +0200 +Subject: xen/balloon: use a kernel thread instead a workqueue + +From: Juergen Gross + +[ Upstream commit 8480ed9c2bbd56fc86524998e5f2e3e22f5038f6 ] + +Today the Xen ballooning is done via delayed work in a workqueue. This +might result in workqueue hangups being reported in case of large +amounts of memory are being ballooned in one go (here 16GB): + +BUG: workqueue lockup - pool cpus=6 node=0 flags=0x0 nice=0 stuck for 64s! +Showing busy workqueues and worker pools: +workqueue events: flags=0x0 + pwq 12: cpus=6 node=0 flags=0x0 nice=0 active=2/256 refcnt=3 + in-flight: 229:balloon_process + pending: cache_reap +workqueue events_freezable_power_: flags=0x84 + pwq 12: cpus=6 node=0 flags=0x0 nice=0 active=1/256 refcnt=2 + pending: disk_events_workfn +workqueue mm_percpu_wq: flags=0x8 + pwq 12: cpus=6 node=0 flags=0x0 nice=0 active=1/256 refcnt=2 + pending: vmstat_update +pool 12: cpus=6 node=0 flags=0x0 nice=0 hung=64s workers=3 idle: 2222 43 + +This can easily be avoided by using a dedicated kernel thread for doing +the ballooning work. + +Reported-by: Jan Beulich +Signed-off-by: Juergen Gross +Reviewed-by: Boris Ostrovsky +Link: https://lore.kernel.org/r/20210827123206.15429-1-jgross@suse.com +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + drivers/xen/balloon.c | 62 +++++++++++++++++++++++++++++++------------ + 1 file changed, 45 insertions(+), 17 deletions(-) + +diff --git a/drivers/xen/balloon.c b/drivers/xen/balloon.c +index b23edf64c2b2..643dbe5620e8 100644 +--- a/drivers/xen/balloon.c ++++ b/drivers/xen/balloon.c +@@ -43,6 +43,8 @@ + #include + #include + #include ++#include ++#include + #include + #include + #include +@@ -120,7 +122,7 @@ static struct ctl_table xen_root[] = { + #define EXTENT_ORDER (fls(XEN_PFN_PER_PAGE) - 1) + + /* +- * balloon_process() state: ++ * balloon_thread() state: + * + * BP_DONE: done or nothing to do, + * BP_WAIT: wait to be rescheduled, +@@ -135,6 +137,8 @@ enum bp_state { + BP_ECANCELED + }; + ++/* Main waiting point for xen-balloon thread. */ ++static DECLARE_WAIT_QUEUE_HEAD(balloon_thread_wq); + + static DEFINE_MUTEX(balloon_mutex); + +@@ -149,10 +153,6 @@ static xen_pfn_t frame_list[PAGE_SIZE / sizeof(xen_pfn_t)]; + static LIST_HEAD(ballooned_pages); + static DECLARE_WAIT_QUEUE_HEAD(balloon_wq); + +-/* Main work function, always executed in process context. */ +-static void balloon_process(struct work_struct *work); +-static DECLARE_DELAYED_WORK(balloon_worker, balloon_process); +- + /* When ballooning out (allocating memory to return to Xen) we don't really + want the kernel to try too hard since that can trigger the oom killer. */ + #define GFP_BALLOON \ +@@ -383,7 +383,7 @@ static void xen_online_page(struct page *page) + static int xen_memory_notifier(struct notifier_block *nb, unsigned long val, void *v) + { + if (val == MEM_ONLINE) +- schedule_delayed_work(&balloon_worker, 0); ++ wake_up(&balloon_thread_wq); + + return NOTIFY_OK; + } +@@ -508,18 +508,43 @@ static enum bp_state decrease_reservation(unsigned long nr_pages, gfp_t gfp) + } + + /* +- * As this is a work item it is guaranteed to run as a single instance only. ++ * Stop waiting if either state is not BP_EAGAIN and ballooning action is ++ * needed, or if the credit has changed while state is BP_EAGAIN. ++ */ ++static bool balloon_thread_cond(enum bp_state state, long credit) ++{ ++ if (state != BP_EAGAIN) ++ credit = 0; ++ ++ return current_credit() != credit || kthread_should_stop(); ++} ++ ++/* ++ * As this is a kthread it is guaranteed to run as a single instance only. + * We may of course race updates of the target counts (which are protected + * by the balloon lock), or with changes to the Xen hard limit, but we will + * recover from these in time. + */ +-static void balloon_process(struct work_struct *work) ++static int balloon_thread(void *unused) + { + enum bp_state state = BP_DONE; + long credit; ++ unsigned long timeout; ++ ++ set_freezable(); ++ for (;;) { ++ if (state == BP_EAGAIN) ++ timeout = balloon_stats.schedule_delay * HZ; ++ else ++ timeout = 3600 * HZ; ++ credit = current_credit(); + ++ wait_event_interruptible_timeout(balloon_thread_wq, ++ balloon_thread_cond(state, credit), timeout); ++ ++ if (kthread_should_stop()) ++ return 0; + +- do { + mutex_lock(&balloon_mutex); + + credit = current_credit(); +@@ -546,12 +571,7 @@ static void balloon_process(struct work_struct *work) + mutex_unlock(&balloon_mutex); + + cond_resched(); +- +- } while (credit && state == BP_DONE); +- +- /* Schedule more work if there is some still to be done. */ +- if (state == BP_EAGAIN) +- schedule_delayed_work(&balloon_worker, balloon_stats.schedule_delay * HZ); ++ } + } + + /* Resets the Xen limit, sets new target, and kicks off processing. */ +@@ -559,7 +579,7 @@ void balloon_set_new_target(unsigned long target) + { + /* No need for lock. Not read-modify-write updates. */ + balloon_stats.target_pages = target; +- schedule_delayed_work(&balloon_worker, 0); ++ wake_up(&balloon_thread_wq); + } + EXPORT_SYMBOL_GPL(balloon_set_new_target); + +@@ -664,7 +684,7 @@ void free_xenballooned_pages(int nr_pages, struct page **pages) + + /* The balloon may be too large now. Shrink it if needed. */ + if (current_credit()) +- schedule_delayed_work(&balloon_worker, 0); ++ wake_up(&balloon_thread_wq); + + mutex_unlock(&balloon_mutex); + } +@@ -698,6 +718,8 @@ static void __init balloon_add_region(unsigned long start_pfn, + + static int __init balloon_init(void) + { ++ struct task_struct *task; ++ + if (!xen_domain()) + return -ENODEV; + +@@ -741,6 +763,12 @@ static int __init balloon_init(void) + } + #endif + ++ task = kthread_run(balloon_thread, NULL, "xen-balloon"); ++ if (IS_ERR(task)) { ++ pr_err("xen-balloon thread could not be started, ballooning will not work!\n"); ++ return PTR_ERR(task); ++ } ++ + /* Init the xen-balloon driver. */ + xen_balloon_init(); + +-- +2.33.0 +