From: Greg Kroah-Hartman Date: Tue, 3 Nov 2020 16:13:06 +0000 (+0100) Subject: 5.4-stable patches X-Git-Tag: v4.14.204~17 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=9a5deefbd1875fa9e7190ebe31b3ab744f0fbc85;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: 9p-cast-to-loff_t-before-multiplying.patch arc-perf-redo-the-pct-irq-missing-in-device-tree-handling.patch ceph-promote-to-unsigned-long-long-before-shifting.patch drm-amd-display-avoid-mst-manager-resource-leak.patch drm-amd-display-don-t-invoke-kgdb_breakpoint-unconditionally.patch drm-amd-display-fix-kernel-panic-by-dal_gpio_open-error.patch drm-amd-display-increase-timeout-for-dp-disable.patch drm-amdgpu-correct-the-gpu-reset-handling-for-job-null-case.patch drm-amdgpu-don-t-map-bo-in-reserved-region.patch drm-amdgpu-increase-the-reserved-vm-size-to-2mb.patch drm-amdkfd-use-same-sq-prefetch-setting-as-amdgpu.patch drm-ttm-fix-eviction-valuable-range-check.patch ext4-fix-error-handling-code-in-add_new_gdb.patch ext4-fix-invalid-inode-checksum.patch ext4-fix-leaking-sysfs-kobject-after-failed-mount.patch ext4-fix-superblock-checksum-calculation-race.patch i2c-imx-fix-external-abort-on-interrupt-in-exit-paths.patch ia64-fix-build-error-with-coredump.patch libceph-clear-con-out_msg-on-policy-stateful_server-faults.patch mmc-sdhci-of-esdhc-set-timeout-to-max-before-tuning.patch mmc-sdhci-use-auto-cmd-auto-select-only-when-v4_mode-is-true.patch perf-python-scripting-fix-printable-strings-in-python3-scripts.patch ring-buffer-return-0-on-success-from-ring_buffer_resize.patch rtc-rx8010-don-t-modify-the-global-rtc-ops.patch ubi-check-kthread_should_stop-after-the-setting-of-task-state.patch vringh-fix-__vringh_iov-when-riov-and-wiov-are-different.patch --- diff --git a/queue-5.4/9p-cast-to-loff_t-before-multiplying.patch b/queue-5.4/9p-cast-to-loff_t-before-multiplying.patch new file mode 100644 index 00000000000..c5ec73edbcb --- /dev/null +++ b/queue-5.4/9p-cast-to-loff_t-before-multiplying.patch @@ -0,0 +1,37 @@ +From f5f7ab168b9a60e12a4b8f2bb6fcc91321dc23c1 Mon Sep 17 00:00:00 2001 +From: "Matthew Wilcox (Oracle)" +Date: Sun, 4 Oct 2020 19:04:22 +0100 +Subject: 9P: Cast to loff_t before multiplying + +From: Matthew Wilcox (Oracle) + +commit f5f7ab168b9a60e12a4b8f2bb6fcc91321dc23c1 upstream. + +On 32-bit systems, this multiplication will overflow for files larger +than 4GB. + +Link: http://lkml.kernel.org/r/20201004180428.14494-2-willy@infradead.org +Cc: stable@vger.kernel.org +Fixes: fb89b45cdfdc ("9P: introduction of a new cache=mmap model.") +Signed-off-by: Matthew Wilcox (Oracle) +Signed-off-by: Dominique Martinet +Signed-off-by: Greg Kroah-Hartman + +--- + fs/9p/vfs_file.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/9p/vfs_file.c ++++ b/fs/9p/vfs_file.c +@@ -609,9 +609,9 @@ static void v9fs_mmap_vm_close(struct vm + struct writeback_control wbc = { + .nr_to_write = LONG_MAX, + .sync_mode = WB_SYNC_ALL, +- .range_start = vma->vm_pgoff * PAGE_SIZE, ++ .range_start = (loff_t)vma->vm_pgoff * PAGE_SIZE, + /* absolute end, byte at end included */ +- .range_end = vma->vm_pgoff * PAGE_SIZE + ++ .range_end = (loff_t)vma->vm_pgoff * PAGE_SIZE + + (vma->vm_end - vma->vm_start - 1), + }; + diff --git a/queue-5.4/arc-perf-redo-the-pct-irq-missing-in-device-tree-handling.patch b/queue-5.4/arc-perf-redo-the-pct-irq-missing-in-device-tree-handling.patch new file mode 100644 index 00000000000..628cde89bab --- /dev/null +++ b/queue-5.4/arc-perf-redo-the-pct-irq-missing-in-device-tree-handling.patch @@ -0,0 +1,106 @@ +From 8c42a5c02bec6c7eccf08957be3c6c8fccf9790b Mon Sep 17 00:00:00 2001 +From: Vineet Gupta +Date: Thu, 22 Oct 2020 03:16:22 -0700 +Subject: ARC: perf: redo the pct irq missing in device-tree handling + +From: Vineet Gupta + +commit 8c42a5c02bec6c7eccf08957be3c6c8fccf9790b upstream. + +commit feb92d7d3813456c11dce21 "(ARC: perf: don't bail setup if pct irq +missing in device-tree)" introduced a silly brown-paper bag bug: +The assignment and comparison in an if statement were not bracketed +correctly leaving the order of evaluation undefined. + +| +| if (has_interrupts && (irq = platform_get_irq(pdev, 0) >= 0)) { +| ^^^ ^^^^ + +And given such a chance, the compiler will bite you hard, fully entitled +to generating this piece of beauty: + +| +| # if (has_interrupts && (irq = platform_get_irq(pdev, 0) >= 0)) { +| +| bl.d @platform_get_irq <-- irq returned in r0 +| +| setge r2, r0, 0 <-- r2 is bool 1 or 0 if irq >= 0 true/false +| brlt.d r0, 0, @.L114 +| +| st_s r2,[sp] <-- irq saved is bool 1 or 0, not actual return val +| st 1,[r3,160] # arc_pmu.18_29->irq <-- drops bool and assumes 1 +| +| # return __request_percpu_irq(irq, handler, 0, +| +| bl.d @__request_percpu_irq; +| mov_s r0,1 <-- drops even bool and assumes 1 which fails + +With the snafu fixed, everything is as expected. + +| bl.d @platform_get_irq <-- returns irq in r0 +| +| mov_s r2,r0 +| brlt.d r2, 0, @.L112 +| +| st_s r0,[sp] <-- irq isaved is actual return value above +| st r0,[r13,160] #arc_pmu.18_27->irq +| +| bl.d @__request_percpu_irq <-- r0 unchanged so actual irq returned +| add r4,r4,r12 #, tmp363, __ptr + +Cc: +Signed-off-by: Vineet Gupta +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arc/kernel/perf_event.c | 29 +++++++++++++++++++---------- + 1 file changed, 19 insertions(+), 10 deletions(-) + +--- a/arch/arc/kernel/perf_event.c ++++ b/arch/arc/kernel/perf_event.c +@@ -562,7 +562,7 @@ static int arc_pmu_device_probe(struct p + { + struct arc_reg_pct_build pct_bcr; + struct arc_reg_cc_build cc_bcr; +- int i, has_interrupts, irq; ++ int i, has_interrupts, irq = -1; + int counter_size; /* in bits */ + + union cc_name { +@@ -637,18 +637,27 @@ static int arc_pmu_device_probe(struct p + .attr_groups = arc_pmu->attr_groups, + }; + +- if (has_interrupts && (irq = platform_get_irq(pdev, 0) >= 0)) { ++ if (has_interrupts) { ++ irq = platform_get_irq(pdev, 0); ++ if (irq >= 0) { ++ int ret; ++ ++ arc_pmu->irq = irq; ++ ++ /* intc map function ensures irq_set_percpu_devid() called */ ++ ret = request_percpu_irq(irq, arc_pmu_intr, "ARC perf counters", ++ this_cpu_ptr(&arc_pmu_cpu)); ++ ++ if (!ret) ++ on_each_cpu(arc_cpu_pmu_irq_init, &irq, 1); ++ else ++ irq = -1; ++ } + +- arc_pmu->irq = irq; +- +- /* intc map function ensures irq_set_percpu_devid() called */ +- request_percpu_irq(irq, arc_pmu_intr, "ARC perf counters", +- this_cpu_ptr(&arc_pmu_cpu)); ++ } + +- on_each_cpu(arc_cpu_pmu_irq_init, &irq, 1); +- } else { ++ if (irq == -1) + arc_pmu->pmu.capabilities |= PERF_PMU_CAP_NO_INTERRUPT; +- } + + /* + * perf parser doesn't really like '-' symbol in events name, so let's diff --git a/queue-5.4/ceph-promote-to-unsigned-long-long-before-shifting.patch b/queue-5.4/ceph-promote-to-unsigned-long-long-before-shifting.patch new file mode 100644 index 00000000000..70ef7c27089 --- /dev/null +++ b/queue-5.4/ceph-promote-to-unsigned-long-long-before-shifting.patch @@ -0,0 +1,33 @@ +From c403c3a2fbe24d4ed33e10cabad048583ebd4edf Mon Sep 17 00:00:00 2001 +From: "Matthew Wilcox (Oracle)" +Date: Sun, 4 Oct 2020 19:04:24 +0100 +Subject: ceph: promote to unsigned long long before shifting + +From: Matthew Wilcox (Oracle) + +commit c403c3a2fbe24d4ed33e10cabad048583ebd4edf upstream. + +On 32-bit systems, this shift will overflow for files larger than 4GB. + +Cc: stable@vger.kernel.org +Fixes: 61f68816211e ("ceph: check caps in filemap_fault and page_mkwrite") +Signed-off-by: Matthew Wilcox (Oracle) +Reviewed-by: Jeff Layton +Signed-off-by: Ilya Dryomov +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ceph/addr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/ceph/addr.c ++++ b/fs/ceph/addr.c +@@ -1427,7 +1427,7 @@ static vm_fault_t ceph_filemap_fault(str + struct ceph_inode_info *ci = ceph_inode(inode); + struct ceph_file_info *fi = vma->vm_file->private_data; + struct page *pinned_page = NULL; +- loff_t off = vmf->pgoff << PAGE_SHIFT; ++ loff_t off = (loff_t)vmf->pgoff << PAGE_SHIFT; + int want, got, err; + sigset_t oldset; + vm_fault_t ret = VM_FAULT_SIGBUS; diff --git a/queue-5.4/drm-amd-display-avoid-mst-manager-resource-leak.patch b/queue-5.4/drm-amd-display-avoid-mst-manager-resource-leak.patch new file mode 100644 index 00000000000..e5db8625550 --- /dev/null +++ b/queue-5.4/drm-amd-display-avoid-mst-manager-resource-leak.patch @@ -0,0 +1,41 @@ +From 5dff80bdce9e385af5716ed083f9e33e814484ab Mon Sep 17 00:00:00 2001 +From: Andrey Grodzovsky +Date: Wed, 14 Oct 2020 13:12:30 -0400 +Subject: drm/amd/display: Avoid MST manager resource leak. + +From: Andrey Grodzovsky + +commit 5dff80bdce9e385af5716ed083f9e33e814484ab upstream. + +On connector destruction call drm_dp_mst_topology_mgr_destroy +to release resources allocated in drm_dp_mst_topology_mgr_init. +Do it only if MST manager was initilized before otherwsie a crash +is seen on driver unload/device unplug. + +Reviewed-by: Nicholas Kazlauskas +Signed-off-by: Andrey Grodzovsky +Acked-by: Alex Deucher +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -3956,6 +3956,13 @@ static void amdgpu_dm_connector_destroy( + struct amdgpu_device *adev = connector->dev->dev_private; + struct amdgpu_display_manager *dm = &adev->dm; + ++ /* ++ * Call only if mst_mgr was iniitalized before since it's not done ++ * for all connector types. ++ */ ++ if (aconnector->mst_mgr.dev) ++ drm_dp_mst_topology_mgr_destroy(&aconnector->mst_mgr); ++ + #if defined(CONFIG_BACKLIGHT_CLASS_DEVICE) ||\ + defined(CONFIG_BACKLIGHT_CLASS_DEVICE_MODULE) + diff --git a/queue-5.4/drm-amd-display-don-t-invoke-kgdb_breakpoint-unconditionally.patch b/queue-5.4/drm-amd-display-don-t-invoke-kgdb_breakpoint-unconditionally.patch new file mode 100644 index 00000000000..2303f26c1b5 --- /dev/null +++ b/queue-5.4/drm-amd-display-don-t-invoke-kgdb_breakpoint-unconditionally.patch @@ -0,0 +1,41 @@ +From 8b7dc1fe1a5c1093551f6cd7dfbb941bd9081c2e Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Fri, 23 Oct 2020 09:46:55 +0200 +Subject: drm/amd/display: Don't invoke kgdb_breakpoint() unconditionally + +From: Takashi Iwai + +commit 8b7dc1fe1a5c1093551f6cd7dfbb941bd9081c2e upstream. + +ASSERT_CRITICAL() invokes kgdb_breakpoint() whenever either +CONFIG_KGDB or CONFIG_HAVE_KGDB is set. This, however, may lead to a +kernel panic when no kdb stuff is attached, since the +kgdb_breakpoint() call issues INT3. It's nothing but a surprise for +normal end-users. + +For avoiding the pitfall, make the kgdb_breakpoint() call only when +CONFIG_DEBUG_KERNEL_DC is set. + +https://bugzilla.opensuse.org/show_bug.cgi?id=1177973 +Cc: +Acked-by: Alex Deucher +Reviewed-by: Nicholas Kazlauskas +Signed-off-by: Takashi Iwai +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/display/dc/os_types.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/display/dc/os_types.h ++++ b/drivers/gpu/drm/amd/display/dc/os_types.h +@@ -57,7 +57,7 @@ + * general debug capabilities + * + */ +-#if defined(CONFIG_HAVE_KGDB) || defined(CONFIG_KGDB) ++#if defined(CONFIG_DEBUG_KERNEL_DC) && (defined(CONFIG_HAVE_KGDB) || defined(CONFIG_KGDB)) + #define ASSERT_CRITICAL(expr) do { \ + if (WARN_ON(!(expr))) { \ + kgdb_breakpoint(); \ diff --git a/queue-5.4/drm-amd-display-fix-kernel-panic-by-dal_gpio_open-error.patch b/queue-5.4/drm-amd-display-fix-kernel-panic-by-dal_gpio_open-error.patch new file mode 100644 index 00000000000..041c7571480 --- /dev/null +++ b/queue-5.4/drm-amd-display-fix-kernel-panic-by-dal_gpio_open-error.patch @@ -0,0 +1,45 @@ +From 920bb38c518408fa2600eaefa0af9e82cf48f166 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Fri, 23 Oct 2020 09:46:54 +0200 +Subject: drm/amd/display: Fix kernel panic by dal_gpio_open() error + +From: Takashi Iwai + +commit 920bb38c518408fa2600eaefa0af9e82cf48f166 upstream. + +Currently both error code paths handled in dal_gpio_open_ex() issues +ASSERT_CRITICAL(), and this leads to a kernel panic unnecessarily if +CONFIG_KGDB is enabled. Since basically both are non-critical errors +and can be recovered, drop those assert calls and use a safer one, +BREAK_TO_DEBUGGER(), for allowing the debugging, instead. + +BugLink: https://bugzilla.opensuse.org/show_bug.cgi?id=1177973 +Cc: +Acked-by: Alex Deucher +Reviewed-by: Nicholas Kazlauskas +Signed-off-by: Takashi Iwai +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/display/dc/gpio/gpio_base.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/display/dc/gpio/gpio_base.c ++++ b/drivers/gpu/drm/amd/display/dc/gpio/gpio_base.c +@@ -63,13 +63,13 @@ enum gpio_result dal_gpio_open_ex( + enum gpio_mode mode) + { + if (gpio->pin) { +- ASSERT_CRITICAL(false); ++ BREAK_TO_DEBUGGER(); + return GPIO_RESULT_ALREADY_OPENED; + } + + // No action if allocation failed during gpio construct + if (!gpio->hw_container.ddc) { +- ASSERT_CRITICAL(false); ++ BREAK_TO_DEBUGGER(); + return GPIO_RESULT_NON_SPECIFIC_ERROR; + } + gpio->mode = mode; diff --git a/queue-5.4/drm-amd-display-increase-timeout-for-dp-disable.patch b/queue-5.4/drm-amd-display-increase-timeout-for-dp-disable.patch new file mode 100644 index 00000000000..a009c19fb92 --- /dev/null +++ b/queue-5.4/drm-amd-display-increase-timeout-for-dp-disable.patch @@ -0,0 +1,44 @@ +From 37b7cb10f07c1174522faafc1d51c6591b1501d4 Mon Sep 17 00:00:00 2001 +From: Wesley Chalmers +Date: Wed, 9 Sep 2020 17:41:53 -0400 +Subject: drm/amd/display: Increase timeout for DP Disable + +From: Wesley Chalmers + +commit 37b7cb10f07c1174522faafc1d51c6591b1501d4 upstream. + +[WHY] +When disabling DP video, the current REG_WAIT timeout +of 50ms is too low for certain cases with very high +VSYNC intervals. + +[HOW] +Increase the timeout to 102ms, so that +refresh rates as low as 10Hz can be handled properly. + +Signed-off-by: Wesley Chalmers +Reviewed-by: Aric Cyr +Acked-by: Qingqing Zhuo +Signed-off-by: Alex Deucher +Cc: +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/display/dc/dcn10/dcn10_stream_encoder.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_stream_encoder.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_stream_encoder.c +@@ -898,10 +898,10 @@ void enc1_stream_encoder_dp_blank( + */ + REG_UPDATE(DP_VID_STREAM_CNTL, DP_VID_STREAM_DIS_DEFER, 2); + /* Larger delay to wait until VBLANK - use max retry of +- * 10us*5000=50ms. This covers 41.7ms of minimum 24 Hz mode + ++ * 10us*10200=102ms. This covers 100.0ms of minimum 10 Hz mode + + * a little more because we may not trust delay accuracy. + */ +- max_retries = DP_BLANK_MAX_RETRY * 250; ++ max_retries = DP_BLANK_MAX_RETRY * 501; + + /* disable DP stream */ + REG_UPDATE(DP_VID_STREAM_CNTL, DP_VID_STREAM_ENABLE, 0); diff --git a/queue-5.4/drm-amdgpu-correct-the-gpu-reset-handling-for-job-null-case.patch b/queue-5.4/drm-amdgpu-correct-the-gpu-reset-handling-for-job-null-case.patch new file mode 100644 index 00000000000..d2968866485 --- /dev/null +++ b/queue-5.4/drm-amdgpu-correct-the-gpu-reset-handling-for-job-null-case.patch @@ -0,0 +1,32 @@ +From 207ac684792560acdb9e06f9d707ebf63c84b0e0 Mon Sep 17 00:00:00 2001 +From: Evan Quan +Date: Thu, 15 Oct 2020 14:57:46 +0800 +Subject: drm/amdgpu: correct the gpu reset handling for job != NULL case + +From: Evan Quan + +commit 207ac684792560acdb9e06f9d707ebf63c84b0e0 upstream. + +Current code wrongly treat all cases as job == NULL. + +Signed-off-by: Evan Quan +Reviewed-and-tested-by: Jane Jian +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +@@ -3890,7 +3890,7 @@ retry: /* Rest of adevs pre asic reset f + + amdgpu_device_lock_adev(tmp_adev, false); + r = amdgpu_device_pre_asic_reset(tmp_adev, +- NULL, ++ (tmp_adev == adev) ? job : NULL, + &need_full_reset); + /*TODO Should we stop ?*/ + if (r) { diff --git a/queue-5.4/drm-amdgpu-don-t-map-bo-in-reserved-region.patch b/queue-5.4/drm-amdgpu-don-t-map-bo-in-reserved-region.patch new file mode 100644 index 00000000000..3f7a8a5ff38 --- /dev/null +++ b/queue-5.4/drm-amdgpu-don-t-map-bo-in-reserved-region.patch @@ -0,0 +1,51 @@ +From c4aa8dff6091cc9536aeb255e544b0b4ba29faf4 Mon Sep 17 00:00:00 2001 +From: Madhav Chauhan +Date: Fri, 16 Oct 2020 18:03:07 +0530 +Subject: drm/amdgpu: don't map BO in reserved region +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Madhav Chauhan + +commit c4aa8dff6091cc9536aeb255e544b0b4ba29faf4 upstream. + +2MB area is reserved at top inside VM. + +Suggested-by: Christian König +Signed-off-by: Madhav Chauhan +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c +@@ -561,6 +561,7 @@ int amdgpu_gem_va_ioctl(struct drm_devic + struct ww_acquire_ctx ticket; + struct list_head list, duplicates; + uint64_t va_flags; ++ uint64_t vm_size; + int r = 0; + + if (args->va_address < AMDGPU_VA_RESERVED_SIZE) { +@@ -581,6 +582,15 @@ int amdgpu_gem_va_ioctl(struct drm_devic + + args->va_address &= AMDGPU_GMC_HOLE_MASK; + ++ vm_size = adev->vm_manager.max_pfn * AMDGPU_GPU_PAGE_SIZE; ++ vm_size -= AMDGPU_VA_RESERVED_SIZE; ++ if (args->va_address + args->map_size > vm_size) { ++ dev_dbg(&dev->pdev->dev, ++ "va_address 0x%llx is in top reserved area 0x%llx\n", ++ args->va_address + args->map_size, vm_size); ++ return -EINVAL; ++ } ++ + if ((args->flags & ~valid_flags) && (args->flags & ~prt_flags)) { + dev_dbg(&dev->pdev->dev, "invalid flags combination 0x%08X\n", + args->flags); diff --git a/queue-5.4/drm-amdgpu-increase-the-reserved-vm-size-to-2mb.patch b/queue-5.4/drm-amdgpu-increase-the-reserved-vm-size-to-2mb.patch new file mode 100644 index 00000000000..bf10c846787 --- /dev/null +++ b/queue-5.4/drm-amdgpu-increase-the-reserved-vm-size-to-2mb.patch @@ -0,0 +1,39 @@ +From 55bb919be4e4973cd037a04f527ecc6686800437 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20K=C3=B6nig?= +Date: Mon, 12 Oct 2020 13:09:36 +0200 +Subject: drm/amdgpu: increase the reserved VM size to 2MB +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Christian König + +commit 55bb919be4e4973cd037a04f527ecc6686800437 upstream. + +Ideally this should be a multiple of the VM block size. +2MB should at least fit for Vega/Navi. + +Signed-off-by: Christian König +Reviewed-by: Madhav Chauhan +Reviewed-by: Felix Kuehling +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_vm.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.h ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.h +@@ -105,8 +105,8 @@ struct amdgpu_bo_list_entry; + #define AMDGPU_MMHUB_0 1 + #define AMDGPU_MMHUB_1 2 + +-/* hardcode that limit for now */ +-#define AMDGPU_VA_RESERVED_SIZE (1ULL << 20) ++/* Reserve 2MB at top/bottom of address space for kernel use */ ++#define AMDGPU_VA_RESERVED_SIZE (2ULL << 20) + + /* max vmids dedicated for process */ + #define AMDGPU_VM_MAX_RESERVED_VMID 1 diff --git a/queue-5.4/drm-amdkfd-use-same-sq-prefetch-setting-as-amdgpu.patch b/queue-5.4/drm-amdkfd-use-same-sq-prefetch-setting-as-amdgpu.patch new file mode 100644 index 00000000000..bf56614a958 --- /dev/null +++ b/queue-5.4/drm-amdkfd-use-same-sq-prefetch-setting-as-amdgpu.patch @@ -0,0 +1,39 @@ +From d56b1980d7efe9ef08469e856fc0703d0cef65e4 Mon Sep 17 00:00:00 2001 +From: Jay Cornwall +Date: Sat, 17 Oct 2020 08:38:43 -0500 +Subject: drm/amdkfd: Use same SQ prefetch setting as amdgpu + +From: Jay Cornwall + +commit d56b1980d7efe9ef08469e856fc0703d0cef65e4 upstream. + +0 causes instruction fetch stall at cache line boundary under some +conditions on Navi10. A non-zero prefetch is the preferred default +in any case. + +Fixes soft hang in Luxmark. + +Signed-off-by: Jay Cornwall +Reviewed-by: Felix Kuehling +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager_v10.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager_v10.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager_v10.c +@@ -58,8 +58,9 @@ static int update_qpd_v10(struct device_ + /* check if sh_mem_config register already configured */ + if (qpd->sh_mem_config == 0) { + qpd->sh_mem_config = +- SH_MEM_ALIGNMENT_MODE_UNALIGNED << +- SH_MEM_CONFIG__ALIGNMENT_MODE__SHIFT; ++ (SH_MEM_ALIGNMENT_MODE_UNALIGNED << ++ SH_MEM_CONFIG__ALIGNMENT_MODE__SHIFT) | ++ (3 << SH_MEM_CONFIG__INITIAL_INST_PREFETCH__SHIFT); + #if 0 + /* TODO: + * This shouldn't be an issue with Navi10. Verify. diff --git a/queue-5.4/drm-ttm-fix-eviction-valuable-range-check.patch b/queue-5.4/drm-ttm-fix-eviction-valuable-range-check.patch new file mode 100644 index 00000000000..1f43950b298 --- /dev/null +++ b/queue-5.4/drm-ttm-fix-eviction-valuable-range-check.patch @@ -0,0 +1,39 @@ +From fea456d82c19d201c21313864105876deabe148b Mon Sep 17 00:00:00 2001 +From: Dave Airlie +Date: Tue, 20 Oct 2020 08:22:53 +1000 +Subject: drm/ttm: fix eviction valuable range check. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Dave Airlie + +commit fea456d82c19d201c21313864105876deabe148b upstream. + +This was adding size to start, but pfn and start are in pages, +so it should be using num_pages. + +Not sure this fixes anything in the real world, just noticed it +during refactoring. + +Signed-off-by: Dave Airlie +Reviewed-by: Christian König +Cc: stable@vger.kernel.org +Link: https://patchwork.freedesktop.org/patch/msgid/20201019222257.1684769-2-airlied@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/ttm/ttm_bo.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/ttm/ttm_bo.c ++++ b/drivers/gpu/drm/ttm/ttm_bo.c +@@ -761,7 +761,7 @@ bool ttm_bo_eviction_valuable(struct ttm + /* Don't evict this BO if it's outside of the + * requested placement range + */ +- if (place->fpfn >= (bo->mem.start + bo->mem.size) || ++ if (place->fpfn >= (bo->mem.start + bo->mem.num_pages) || + (place->lpfn && place->lpfn <= bo->mem.start)) + return false; + diff --git a/queue-5.4/ext4-fix-error-handling-code-in-add_new_gdb.patch b/queue-5.4/ext4-fix-error-handling-code-in-add_new_gdb.patch new file mode 100644 index 00000000000..ca58bb2a43d --- /dev/null +++ b/queue-5.4/ext4-fix-error-handling-code-in-add_new_gdb.patch @@ -0,0 +1,38 @@ +From c9e87161cc621cbdcfc472fa0b2d81c63780c8f5 Mon Sep 17 00:00:00 2001 +From: Dinghao Liu +Date: Sat, 29 Aug 2020 10:54:02 +0800 +Subject: ext4: fix error handling code in add_new_gdb + +From: Dinghao Liu + +commit c9e87161cc621cbdcfc472fa0b2d81c63780c8f5 upstream. + +When ext4_journal_get_write_access() fails, we should +terminate the execution flow and release n_group_desc, +iloc.bh, dind and gdb_bh. + +Cc: stable@kernel.org +Signed-off-by: Dinghao Liu +Reviewed-by: Andreas Dilger +Link: https://lore.kernel.org/r/20200829025403.3139-1-dinghao.liu@zju.edu.cn +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/resize.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/fs/ext4/resize.c ++++ b/fs/ext4/resize.c +@@ -861,8 +861,10 @@ static int add_new_gdb(handle_t *handle, + + BUFFER_TRACE(dind, "get_write_access"); + err = ext4_journal_get_write_access(handle, dind); +- if (unlikely(err)) ++ if (unlikely(err)) { + ext4_std_error(sb, err); ++ goto errout; ++ } + + /* ext4_reserve_inode_write() gets a reference on the iloc */ + err = ext4_reserve_inode_write(handle, inode, &iloc); diff --git a/queue-5.4/ext4-fix-invalid-inode-checksum.patch b/queue-5.4/ext4-fix-invalid-inode-checksum.patch new file mode 100644 index 00000000000..c0bb6dc46eb --- /dev/null +++ b/queue-5.4/ext4-fix-invalid-inode-checksum.patch @@ -0,0 +1,57 @@ +From 1322181170bb01bce3c228b82ae3d5c6b793164f Mon Sep 17 00:00:00 2001 +From: Luo Meng +Date: Tue, 20 Oct 2020 09:36:31 +0800 +Subject: ext4: fix invalid inode checksum + +From: Luo Meng + +commit 1322181170bb01bce3c228b82ae3d5c6b793164f upstream. + +During the stability test, there are some errors: + ext4_lookup:1590: inode #6967: comm fsstress: iget: checksum invalid. + +If the inode->i_iblocks too big and doesn't set huge file flag, checksum +will not be recalculated when update the inode information to it's buffer. +If other inode marks the buffer dirty, then the inconsistent inode will +be flushed to disk. + +Fix this problem by checking i_blocks in advance. + +Cc: stable@kernel.org +Signed-off-by: Luo Meng +Reviewed-by: Darrick J. Wong +Link: https://lore.kernel.org/r/20201020013631.3796673-1-luomeng12@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/inode.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -5271,6 +5271,12 @@ static int ext4_do_update_inode(handle_t + if (ext4_test_inode_state(inode, EXT4_STATE_NEW)) + memset(raw_inode, 0, EXT4_SB(inode->i_sb)->s_inode_size); + ++ err = ext4_inode_blocks_set(handle, raw_inode, ei); ++ if (err) { ++ spin_unlock(&ei->i_raw_lock); ++ goto out_brelse; ++ } ++ + raw_inode->i_mode = cpu_to_le16(inode->i_mode); + i_uid = i_uid_read(inode); + i_gid = i_gid_read(inode); +@@ -5304,11 +5310,6 @@ static int ext4_do_update_inode(handle_t + EXT4_INODE_SET_XTIME(i_atime, inode, raw_inode); + EXT4_EINODE_SET_XTIME(i_crtime, ei, raw_inode); + +- err = ext4_inode_blocks_set(handle, raw_inode, ei); +- if (err) { +- spin_unlock(&ei->i_raw_lock); +- goto out_brelse; +- } + raw_inode->i_dtime = cpu_to_le32(ei->i_dtime); + raw_inode->i_flags = cpu_to_le32(ei->i_flags & 0xFFFFFFFF); + if (likely(!test_opt2(inode->i_sb, HURD_COMPAT))) diff --git a/queue-5.4/ext4-fix-leaking-sysfs-kobject-after-failed-mount.patch b/queue-5.4/ext4-fix-leaking-sysfs-kobject-after-failed-mount.patch new file mode 100644 index 00000000000..a4df9ad09aa --- /dev/null +++ b/queue-5.4/ext4-fix-leaking-sysfs-kobject-after-failed-mount.patch @@ -0,0 +1,39 @@ +From cb8d53d2c97369029cc638c9274ac7be0a316c75 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Tue, 22 Sep 2020 09:24:56 -0700 +Subject: ext4: fix leaking sysfs kobject after failed mount + +From: Eric Biggers + +commit cb8d53d2c97369029cc638c9274ac7be0a316c75 upstream. + +ext4_unregister_sysfs() only deletes the kobject. The reference to it +needs to be put separately, like ext4_put_super() does. + +This addresses the syzbot report +"memory leak in kobject_set_name_vargs (3)" +(https://syzkaller.appspot.com/bug?extid=9f864abad79fae7c17e1). + +Reported-by: syzbot+9f864abad79fae7c17e1@syzkaller.appspotmail.com +Fixes: 72ba74508b28 ("ext4: release sysfs kobject when failing to enable quotas on mount") +Cc: stable@vger.kernel.org +Signed-off-by: Eric Biggers +Link: https://lore.kernel.org/r/20200922162456.93657-1-ebiggers@kernel.org +Reviewed-by: Jan Kara +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/super.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -4684,6 +4684,7 @@ cantfind_ext4: + + failed_mount8: + ext4_unregister_sysfs(sb); ++ kobject_put(&sbi->s_kobj); + failed_mount7: + ext4_unregister_li_request(sb); + failed_mount6: diff --git a/queue-5.4/ext4-fix-superblock-checksum-calculation-race.patch b/queue-5.4/ext4-fix-superblock-checksum-calculation-race.patch new file mode 100644 index 00000000000..4ba823e996f --- /dev/null +++ b/queue-5.4/ext4-fix-superblock-checksum-calculation-race.patch @@ -0,0 +1,60 @@ +From acaa532687cdc3a03757defafece9c27aa667546 Mon Sep 17 00:00:00 2001 +From: Constantine Sapuntzakis +Date: Mon, 14 Sep 2020 10:10:14 -0600 +Subject: ext4: fix superblock checksum calculation race + +From: Constantine Sapuntzakis + +commit acaa532687cdc3a03757defafece9c27aa667546 upstream. + +The race condition could cause the persisted superblock checksum +to not match the contents of the superblock, causing the +superblock to be considered corrupt. + +An example of the race follows. A first thread is interrupted in the +middle of a checksum calculation. Then, another thread changes the +superblock, calculates a new checksum, and sets it. Then, the first +thread resumes and sets the checksum based on the older superblock. + +To fix, serialize the superblock checksum calculation using the buffer +header lock. While a spinlock is sufficient, the buffer header is +already there and there is precedent for locking it (e.g. in +ext4_commit_super). + +Tested the patch by booting up a kernel with the patch, creating +a filesystem and some files (including some orphans), and then +unmounting and remounting the file system. + +Cc: stable@kernel.org +Signed-off-by: Constantine Sapuntzakis +Reviewed-by: Jan Kara +Suggested-by: Jan Kara +Link: https://lore.kernel.org/r/20200914161014.22275-1-costa@purestorage.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/super.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -201,7 +201,18 @@ void ext4_superblock_csum_set(struct sup + if (!ext4_has_metadata_csum(sb)) + return; + ++ /* ++ * Locking the superblock prevents the scenario ++ * where: ++ * 1) a first thread pauses during checksum calculation. ++ * 2) a second thread updates the superblock, recalculates ++ * the checksum, and updates s_checksum ++ * 3) the first thread resumes and finishes its checksum calculation ++ * and updates s_checksum with a potentially stale or torn value. ++ */ ++ lock_buffer(EXT4_SB(sb)->s_sbh); + es->s_checksum = ext4_superblock_csum(sb, es); ++ unlock_buffer(EXT4_SB(sb)->s_sbh); + } + + void *ext4_kvmalloc(size_t size, gfp_t flags) diff --git a/queue-5.4/i2c-imx-fix-external-abort-on-interrupt-in-exit-paths.patch b/queue-5.4/i2c-imx-fix-external-abort-on-interrupt-in-exit-paths.patch new file mode 100644 index 00000000000..9184cea5afe --- /dev/null +++ b/queue-5.4/i2c-imx-fix-external-abort-on-interrupt-in-exit-paths.patch @@ -0,0 +1,118 @@ +From e50e4f0b85be308a01b830c5fbdffc657e1a6dd0 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Sun, 20 Sep 2020 23:12:38 +0200 +Subject: i2c: imx: Fix external abort on interrupt in exit paths + +From: Krzysztof Kozlowski + +commit e50e4f0b85be308a01b830c5fbdffc657e1a6dd0 upstream. + +If interrupt comes late, during probe error path or device remove (could +be triggered with CONFIG_DEBUG_SHIRQ), the interrupt handler +i2c_imx_isr() will access registers with the clock being disabled. This +leads to external abort on non-linefetch on Toradex Colibri VF50 module +(with Vybrid VF5xx): + + Unhandled fault: external abort on non-linefetch (0x1008) at 0x8882d003 + Internal error: : 1008 [#1] ARM + Modules linked in: + CPU: 0 PID: 1 Comm: swapper Not tainted 5.7.0 #607 + Hardware name: Freescale Vybrid VF5xx/VF6xx (Device Tree) + (i2c_imx_isr) from [<8017009c>] (free_irq+0x25c/0x3b0) + (free_irq) from [<805844ec>] (release_nodes+0x178/0x284) + (release_nodes) from [<80580030>] (really_probe+0x10c/0x348) + (really_probe) from [<80580380>] (driver_probe_device+0x60/0x170) + (driver_probe_device) from [<80580630>] (device_driver_attach+0x58/0x60) + (device_driver_attach) from [<805806bc>] (__driver_attach+0x84/0xc0) + (__driver_attach) from [<8057e228>] (bus_for_each_dev+0x68/0xb4) + (bus_for_each_dev) from [<8057f3ec>] (bus_add_driver+0x144/0x1ec) + (bus_add_driver) from [<80581320>] (driver_register+0x78/0x110) + (driver_register) from [<8010213c>] (do_one_initcall+0xa8/0x2f4) + (do_one_initcall) from [<80c0100c>] (kernel_init_freeable+0x178/0x1dc) + (kernel_init_freeable) from [<80807048>] (kernel_init+0x8/0x110) + (kernel_init) from [<80100114>] (ret_from_fork+0x14/0x20) + +Additionally, the i2c_imx_isr() could wake up the wait queue +(imx_i2c_struct->queue) before its initialization happens. + +The resource-managed framework should not be used for interrupt handling, +because the resource will be released too late - after disabling clocks. +The interrupt handler is not prepared for such case. + +Fixes: 1c4b6c3bcf30 ("i2c: imx: implement bus recovery") +Cc: +Signed-off-by: Krzysztof Kozlowski +Acked-by: Oleksij Rempel +Signed-off-by: Wolfram Sang +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/busses/i2c-imx.c | 24 +++++++++++++----------- + 1 file changed, 13 insertions(+), 11 deletions(-) + +--- a/drivers/i2c/busses/i2c-imx.c ++++ b/drivers/i2c/busses/i2c-imx.c +@@ -1112,14 +1112,6 @@ static int i2c_imx_probe(struct platform + return ret; + } + +- /* Request IRQ */ +- ret = devm_request_irq(&pdev->dev, irq, i2c_imx_isr, IRQF_SHARED, +- pdev->name, i2c_imx); +- if (ret) { +- dev_err(&pdev->dev, "can't claim irq %d\n", irq); +- goto clk_disable; +- } +- + /* Init queue */ + init_waitqueue_head(&i2c_imx->queue); + +@@ -1138,6 +1130,14 @@ static int i2c_imx_probe(struct platform + if (ret < 0) + goto rpm_disable; + ++ /* Request IRQ */ ++ ret = request_threaded_irq(irq, i2c_imx_isr, NULL, IRQF_SHARED, ++ pdev->name, i2c_imx); ++ if (ret) { ++ dev_err(&pdev->dev, "can't claim irq %d\n", irq); ++ goto rpm_disable; ++ } ++ + /* Set up clock divider */ + i2c_imx->bitrate = IMX_I2C_BIT_RATE; + ret = of_property_read_u32(pdev->dev.of_node, +@@ -1180,13 +1180,12 @@ static int i2c_imx_probe(struct platform + + clk_notifier_unregister: + clk_notifier_unregister(i2c_imx->clk, &i2c_imx->clk_change_nb); ++ free_irq(irq, i2c_imx); + rpm_disable: + pm_runtime_put_noidle(&pdev->dev); + pm_runtime_disable(&pdev->dev); + pm_runtime_set_suspended(&pdev->dev); + pm_runtime_dont_use_autosuspend(&pdev->dev); +- +-clk_disable: + clk_disable_unprepare(i2c_imx->clk); + return ret; + } +@@ -1194,7 +1193,7 @@ clk_disable: + static int i2c_imx_remove(struct platform_device *pdev) + { + struct imx_i2c_struct *i2c_imx = platform_get_drvdata(pdev); +- int ret; ++ int irq, ret; + + ret = pm_runtime_get_sync(&pdev->dev); + if (ret < 0) +@@ -1214,6 +1213,9 @@ static int i2c_imx_remove(struct platfor + imx_i2c_write_reg(0, i2c_imx, IMX_I2C_I2SR); + + clk_notifier_unregister(i2c_imx->clk, &i2c_imx->clk_change_nb); ++ irq = platform_get_irq(pdev, 0); ++ if (irq >= 0) ++ free_irq(irq, i2c_imx); + clk_disable_unprepare(i2c_imx->clk); + + pm_runtime_put_noidle(&pdev->dev); diff --git a/queue-5.4/ia64-fix-build-error-with-coredump.patch b/queue-5.4/ia64-fix-build-error-with-coredump.patch new file mode 100644 index 00000000000..9bc8101883a --- /dev/null +++ b/queue-5.4/ia64-fix-build-error-with-coredump.patch @@ -0,0 +1,43 @@ +From 7404840d87557c4092bf0272bce5e0354c774bf9 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Sat, 17 Oct 2020 16:13:37 -0700 +Subject: ia64: fix build error with !COREDUMP + +From: Krzysztof Kozlowski + +commit 7404840d87557c4092bf0272bce5e0354c774bf9 upstream. + +Fix linkage error when CONFIG_BINFMT_ELF is selected but CONFIG_COREDUMP +is not: + + ia64-linux-ld: arch/ia64/kernel/elfcore.o: in function `elf_core_write_extra_phdrs': + elfcore.c:(.text+0x172): undefined reference to `dump_emit' + ia64-linux-ld: arch/ia64/kernel/elfcore.o: in function `elf_core_write_extra_data': + elfcore.c:(.text+0x2b2): undefined reference to `dump_emit' + +Fixes: 1fcccbac89f5 ("elf coredump: replace ELF_CORE_EXTRA_* macros by functions") +Reported-by: kernel test robot +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Andrew Morton +Cc: Tony Luck +Cc: Fenghua Yu +Cc: +Link: https://lkml.kernel.org/r/20200819064146.12529-1-krzk@kernel.org +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + arch/ia64/kernel/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/ia64/kernel/Makefile ++++ b/arch/ia64/kernel/Makefile +@@ -41,7 +41,7 @@ obj-y += esi_stub.o # must be in kern + endif + obj-$(CONFIG_INTEL_IOMMU) += pci-dma.o + +-obj-$(CONFIG_BINFMT_ELF) += elfcore.o ++obj-$(CONFIG_ELF_CORE) += elfcore.o + + # fp_emulate() expects f2-f5,f16-f31 to contain the user-level state. + CFLAGS_traps.o += -mfixed-range=f2-f5,f16-f31 diff --git a/queue-5.4/libceph-clear-con-out_msg-on-policy-stateful_server-faults.patch b/queue-5.4/libceph-clear-con-out_msg-on-policy-stateful_server-faults.patch new file mode 100644 index 00000000000..3ddb58e9d04 --- /dev/null +++ b/queue-5.4/libceph-clear-con-out_msg-on-policy-stateful_server-faults.patch @@ -0,0 +1,57 @@ +From 28e1581c3b4ea5f98530064a103c6217bedeea73 Mon Sep 17 00:00:00 2001 +From: Ilya Dryomov +Date: Wed, 7 Oct 2020 20:06:48 +0200 +Subject: libceph: clear con->out_msg on Policy::stateful_server faults + +From: Ilya Dryomov + +commit 28e1581c3b4ea5f98530064a103c6217bedeea73 upstream. + +con->out_msg must be cleared on Policy::stateful_server +(!CEPH_MSG_CONNECT_LOSSY) faults. Not doing so botches the +reconnection attempt, because after writing the banner the +messenger moves on to writing the data section of that message +(either from where it got interrupted by the connection reset or +from the beginning) instead of writing struct ceph_msg_connect. +This results in a bizarre error message because the server +sends CEPH_MSGR_TAG_BADPROTOVER but we think we wrote struct +ceph_msg_connect: + + libceph: mds0 (1)172.21.15.45:6828 socket error on write + ceph: mds0 reconnect start + libceph: mds0 (1)172.21.15.45:6829 socket closed (con state OPEN) + libceph: mds0 (1)172.21.15.45:6829 protocol version mismatch, my 32 != server's 32 + libceph: mds0 (1)172.21.15.45:6829 protocol version mismatch + +AFAICT this bug goes back to the dawn of the kernel client. +The reason it survived for so long is that only MDS sessions +are stateful and only two MDS messages have a data section: +CEPH_MSG_CLIENT_RECONNECT (always, but reconnecting is rare) +and CEPH_MSG_CLIENT_REQUEST (only when xattrs are involved). +The connection has to get reset precisely when such message +is being sent -- in this case it was the former. + +Cc: stable@vger.kernel.org +Link: https://tracker.ceph.com/issues/47723 +Signed-off-by: Ilya Dryomov +Reviewed-by: Jeff Layton +Signed-off-by: Greg Kroah-Hartman + +--- + net/ceph/messenger.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/net/ceph/messenger.c ++++ b/net/ceph/messenger.c +@@ -3007,6 +3007,11 @@ static void con_fault(struct ceph_connec + ceph_msg_put(con->in_msg); + con->in_msg = NULL; + } ++ if (con->out_msg) { ++ BUG_ON(con->out_msg->con != con); ++ ceph_msg_put(con->out_msg); ++ con->out_msg = NULL; ++ } + + /* Requeue anything that hasn't been acked */ + list_splice_init(&con->out_sent, &con->out_queue); diff --git a/queue-5.4/mmc-sdhci-of-esdhc-set-timeout-to-max-before-tuning.patch b/queue-5.4/mmc-sdhci-of-esdhc-set-timeout-to-max-before-tuning.patch new file mode 100644 index 00000000000..98cf285d10e --- /dev/null +++ b/queue-5.4/mmc-sdhci-of-esdhc-set-timeout-to-max-before-tuning.patch @@ -0,0 +1,57 @@ +From 0add6e9b88d0632a25323aaf4987dbacb0e4ae64 Mon Sep 17 00:00:00 2001 +From: Michael Walle +Date: Fri, 23 Oct 2020 00:23:37 +0200 +Subject: mmc: sdhci-of-esdhc: set timeout to max before tuning + +From: Michael Walle + +commit 0add6e9b88d0632a25323aaf4987dbacb0e4ae64 upstream. + +On rare occations there is the following error: + + mmc0: Tuning timeout, falling back to fixed sampling clock + +There are SD cards which takes a significant longer time to reply to the +first CMD19 command. The eSDHC takes the data timeout value into account +during the tuning period. The SDHCI core doesn't explicitly set this +timeout for the tuning procedure. Thus on the slow cards, there might be +a spurious "Buffer Read Ready" interrupt, which in turn triggers a wrong +sequence of events. In the end this will lead to an unsuccessful tuning +procedure and to the above error. + +To workaround this, set the timeout to the maximum value (which is the +best we can do) and the SDHCI core will take care of the proper timeout +handling. + +Fixes: ba49cbd0936e ("mmc: sdhci-of-esdhc: add tuning support") +Signed-off-by: Michael Walle +Acked-by: Adrian Hunter +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20201022222337.19857-1-michael@walle.cc +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/sdhci-of-esdhc.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/mmc/host/sdhci-of-esdhc.c ++++ b/drivers/mmc/host/sdhci-of-esdhc.c +@@ -1004,6 +1004,17 @@ static int esdhc_execute_tuning(struct m + + esdhc_tuning_block_enable(host, true); + ++ /* ++ * The eSDHC controller takes the data timeout value into account ++ * during tuning. If the SD card is too slow sending the response, the ++ * timer will expire and a "Buffer Read Ready" interrupt without data ++ * is triggered. This leads to tuning errors. ++ * ++ * Just set the timeout to the maximum value because the core will ++ * already take care of it in sdhci_send_tuning(). ++ */ ++ sdhci_writeb(host, 0xe, SDHCI_TIMEOUT_CONTROL); ++ + hs400_tuning = host->flags & SDHCI_HS400_TUNING; + + do { diff --git a/queue-5.4/mmc-sdhci-use-auto-cmd-auto-select-only-when-v4_mode-is-true.patch b/queue-5.4/mmc-sdhci-use-auto-cmd-auto-select-only-when-v4_mode-is-true.patch new file mode 100644 index 00000000000..949ba1cbe72 --- /dev/null +++ b/queue-5.4/mmc-sdhci-use-auto-cmd-auto-select-only-when-v4_mode-is-true.patch @@ -0,0 +1,50 @@ +From b3e1ea16fb39fb6e1a1cf1dbdd6738531de3dc7d Mon Sep 17 00:00:00 2001 +From: Jisheng Zhang +Date: Thu, 15 Oct 2020 17:41:15 +0800 +Subject: mmc: sdhci: Use Auto CMD Auto Select only when v4_mode is true + +From: Jisheng Zhang + +commit b3e1ea16fb39fb6e1a1cf1dbdd6738531de3dc7d upstream. + +sdhci-of-dwcmshc meets an eMMC read performance regression with below +command after commit 427b6514d095 ("mmc: sdhci: Add Auto CMD Auto +Select support"): + +dd if=/dev/mmcblk0 of=/dev/null bs=8192 count=100000 + +Before the commit, the above command gives 120MB/s +After the commit, the above command gives 51.3 MB/s + +So it looks like sdhci-of-dwcmshc expects Version 4 Mode for Auto +CMD Auto Select. Fix the performance degradation by ensuring v4_mode +is true to use Auto CMD Auto Select. + +Fixes: 427b6514d095 ("mmc: sdhci: Add Auto CMD Auto Select support") +Signed-off-by: Jisheng Zhang +Acked-by: Adrian Hunter +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20201015174115.4cf2c19a@xhacker.debian +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/sdhci.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/mmc/host/sdhci.c ++++ b/drivers/mmc/host/sdhci.c +@@ -1162,9 +1162,11 @@ static inline void sdhci_auto_cmd_select + /* + * In case of Version 4.10 or later, use of 'Auto CMD Auto + * Select' is recommended rather than use of 'Auto CMD12 +- * Enable' or 'Auto CMD23 Enable'. ++ * Enable' or 'Auto CMD23 Enable'. We require Version 4 Mode ++ * here because some controllers (e.g sdhci-of-dwmshc) expect it. + */ +- if (host->version >= SDHCI_SPEC_410 && (use_cmd12 || use_cmd23)) { ++ if (host->version >= SDHCI_SPEC_410 && host->v4_mode && ++ (use_cmd12 || use_cmd23)) { + *mode |= SDHCI_TRNS_AUTO_SEL; + + ctrl2 = sdhci_readw(host, SDHCI_HOST_CONTROL2); diff --git a/queue-5.4/perf-python-scripting-fix-printable-strings-in-python3-scripts.patch b/queue-5.4/perf-python-scripting-fix-printable-strings-in-python3-scripts.patch new file mode 100644 index 00000000000..71dee412871 --- /dev/null +++ b/queue-5.4/perf-python-scripting-fix-printable-strings-in-python3-scripts.patch @@ -0,0 +1,62 @@ +From 6fcd5ddc3b1467b3586972ef785d0d926ae4cdf4 Mon Sep 17 00:00:00 2001 +From: Jiri Olsa +Date: Mon, 28 Sep 2020 22:11:35 +0200 +Subject: perf python scripting: Fix printable strings in python3 scripts + +From: Jiri Olsa + +commit 6fcd5ddc3b1467b3586972ef785d0d926ae4cdf4 upstream. + +Hagen reported broken strings in python3 tracepoint scripts: + + make PYTHON=python3 + perf record -e sched:sched_switch -a -- sleep 5 + perf script --gen-script py + perf script -s ./perf-script.py + + [..] + sched__sched_switch 7 563231.759525792 0 swapper prev_comm=bytearray(b'swapper/7\x00\x00\x00\x00\x00\x00\x00'), prev_pid=0, prev_prio=120, prev_state=, next_comm=bytearray(b'mutex-thread-co\x00'), + +The problem is in the is_printable_array function that does not take the +zero byte into account and claim such string as not printable, so the +code will create byte array instead of string. + +Committer testing: + +After this fix: + +sched__sched_switch 3 484522.497072626 1158680 kworker/3:0-eve prev_comm=kworker/3:0, prev_pid=1158680, prev_prio=120, prev_state=I, next_comm=swapper/3, next_pid=0, next_prio=120 +Sample: {addr=0, cpu=3, datasrc=84410401, datasrc_decode=N/A|SNP N/A|TLB N/A|LCK N/A, ip=18446744071841817196, period=1, phys_addr=0, pid=1158680, tid=1158680, time=484522497072626, transaction=0, values=[(0, 0)], weight=0} + +sched__sched_switch 4 484522.497085610 1225814 perf prev_comm=perf, prev_pid=1225814, prev_prio=120, prev_state=, next_comm=migration/4, next_pid=30, next_prio=0 +Sample: {addr=0, cpu=4, datasrc=84410401, datasrc_decode=N/A|SNP N/A|TLB N/A|LCK N/A, ip=18446744071841817196, period=1, phys_addr=0, pid=1225814, tid=1225814, time=484522497085610, transaction=0, values=[(0, 0)], weight=0} + +Fixes: 249de6e07458 ("perf script python: Fix string vs byte array resolving") +Signed-off-by: Jiri Olsa +Tested-by: Arnaldo Carvalho de Melo +Tested-by: Hagen Paul Pfeifer +Cc: Alexander Shishkin +Cc: Mark Rutland +Cc: Michael Petlan +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: stable@vger.kernel.org +Link: http://lore.kernel.org/lkml/20200928201135.3633850-1-jolsa@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman + +--- + tools/perf/util/print_binary.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/perf/util/print_binary.c ++++ b/tools/perf/util/print_binary.c +@@ -50,7 +50,7 @@ int is_printable_array(char *p, unsigned + + len--; + +- for (i = 0; i < len; i++) { ++ for (i = 0; i < len && p[i]; i++) { + if (!isprint(p[i]) && !isspace(p[i])) + return 0; + } diff --git a/queue-5.4/ring-buffer-return-0-on-success-from-ring_buffer_resize.patch b/queue-5.4/ring-buffer-return-0-on-success-from-ring_buffer_resize.patch new file mode 100644 index 00000000000..894a2df6252 --- /dev/null +++ b/queue-5.4/ring-buffer-return-0-on-success-from-ring_buffer_resize.patch @@ -0,0 +1,64 @@ +From 0a1754b2a97efa644aa6e84d1db5b17c42251483 Mon Sep 17 00:00:00 2001 +From: Qiujun Huang +Date: Mon, 19 Oct 2020 22:22:42 +0800 +Subject: ring-buffer: Return 0 on success from ring_buffer_resize() + +From: Qiujun Huang + +commit 0a1754b2a97efa644aa6e84d1db5b17c42251483 upstream. + +We don't need to check the new buffer size, and the return value +had confused resize_buffer_duplicate_size(). +... + ret = ring_buffer_resize(trace_buf->buffer, + per_cpu_ptr(size_buf->data,cpu_id)->entries, cpu_id); + if (ret == 0) + per_cpu_ptr(trace_buf->data, cpu_id)->entries = + per_cpu_ptr(size_buf->data, cpu_id)->entries; +... + +Link: https://lkml.kernel.org/r/20201019142242.11560-1-hqjagain@gmail.com + +Cc: stable@vger.kernel.org +Fixes: d60da506cbeb3 ("tracing: Add a resize function to make one buffer equivalent to another buffer") +Signed-off-by: Qiujun Huang +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/ring_buffer.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -1717,18 +1717,18 @@ int ring_buffer_resize(struct ring_buffe + { + struct ring_buffer_per_cpu *cpu_buffer; + unsigned long nr_pages; +- int cpu, err = 0; ++ int cpu, err; + + /* + * Always succeed at resizing a non-existent buffer: + */ + if (!buffer) +- return size; ++ return 0; + + /* Make sure the requested buffer exists */ + if (cpu_id != RING_BUFFER_ALL_CPUS && + !cpumask_test_cpu(cpu_id, buffer->cpumask)) +- return size; ++ return 0; + + nr_pages = DIV_ROUND_UP(size, BUF_PAGE_SIZE); + +@@ -1868,7 +1868,7 @@ int ring_buffer_resize(struct ring_buffe + } + + mutex_unlock(&buffer->mutex); +- return size; ++ return 0; + + out_err: + for_each_buffer_cpu(buffer, cpu) { diff --git a/queue-5.4/rtc-rx8010-don-t-modify-the-global-rtc-ops.patch b/queue-5.4/rtc-rx8010-don-t-modify-the-global-rtc-ops.patch new file mode 100644 index 00000000000..a4715eda2a7 --- /dev/null +++ b/queue-5.4/rtc-rx8010-don-t-modify-the-global-rtc-ops.patch @@ -0,0 +1,83 @@ +From d3b14296da69adb7825022f3224ac6137eb30abf Mon Sep 17 00:00:00 2001 +From: Bartosz Golaszewski +Date: Mon, 14 Sep 2020 17:45:48 +0200 +Subject: rtc: rx8010: don't modify the global rtc ops + +From: Bartosz Golaszewski + +commit d3b14296da69adb7825022f3224ac6137eb30abf upstream. + +The way the driver is implemented is buggy for the (admittedly unlikely) +use case where there are two RTCs with one having an interrupt configured +and the second not. This is caused by the fact that we use a global +rtc_class_ops struct which we modify depending on whether the irq number +is present or not. + +Fix it by using two const ops structs with and without alarm operations. +While at it: not being able to request a configured interrupt is an error +so don't ignore it and bail out of probe(). + +Fixes: ed13d89b08e3 ("rtc: Add Epson RX8010SJ RTC driver") +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Alexandre Belloni +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20200914154601.32245-2-brgl@bgdev.pl +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/rtc/rtc-rx8010.c | 24 +++++++++++++++++------- + 1 file changed, 17 insertions(+), 7 deletions(-) + +--- a/drivers/rtc/rtc-rx8010.c ++++ b/drivers/rtc/rtc-rx8010.c +@@ -424,16 +424,26 @@ static int rx8010_ioctl(struct device *d + } + } + +-static struct rtc_class_ops rx8010_rtc_ops = { ++static const struct rtc_class_ops rx8010_rtc_ops_default = { + .read_time = rx8010_get_time, + .set_time = rx8010_set_time, + .ioctl = rx8010_ioctl, + }; + ++static const struct rtc_class_ops rx8010_rtc_ops_alarm = { ++ .read_time = rx8010_get_time, ++ .set_time = rx8010_set_time, ++ .ioctl = rx8010_ioctl, ++ .read_alarm = rx8010_read_alarm, ++ .set_alarm = rx8010_set_alarm, ++ .alarm_irq_enable = rx8010_alarm_irq_enable, ++}; ++ + static int rx8010_probe(struct i2c_client *client, + const struct i2c_device_id *id) + { + struct i2c_adapter *adapter = client->adapter; ++ const struct rtc_class_ops *rtc_ops; + struct rx8010_data *rx8010; + int err = 0; + +@@ -464,16 +474,16 @@ static int rx8010_probe(struct i2c_clien + + if (err) { + dev_err(&client->dev, "unable to request IRQ\n"); +- client->irq = 0; +- } else { +- rx8010_rtc_ops.read_alarm = rx8010_read_alarm; +- rx8010_rtc_ops.set_alarm = rx8010_set_alarm; +- rx8010_rtc_ops.alarm_irq_enable = rx8010_alarm_irq_enable; ++ return err; + } ++ ++ rtc_ops = &rx8010_rtc_ops_alarm; ++ } else { ++ rtc_ops = &rx8010_rtc_ops_default; + } + + rx8010->rtc = devm_rtc_device_register(&client->dev, client->name, +- &rx8010_rtc_ops, THIS_MODULE); ++ rtc_ops, THIS_MODULE); + + if (IS_ERR(rx8010->rtc)) { + dev_err(&client->dev, "unable to register the class device\n"); diff --git a/queue-5.4/series b/queue-5.4/series index a367994ae0b..5fb9c9c6ed7 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -170,3 +170,29 @@ ubifs-journal-make-sure-to-not-dirty-twice-for-auth-nodes.patch ubifs-fix-a-memleak-after-dumping-authentication-mount-options.patch ubifs-don-t-parse-authentication-mount-options-in-remount-process.patch ubifs-mount_ubifs-release-authentication-resource-in-error-handling-path.patch +perf-python-scripting-fix-printable-strings-in-python3-scripts.patch +arc-perf-redo-the-pct-irq-missing-in-device-tree-handling.patch +ubi-check-kthread_should_stop-after-the-setting-of-task-state.patch +ia64-fix-build-error-with-coredump.patch +rtc-rx8010-don-t-modify-the-global-rtc-ops.patch +i2c-imx-fix-external-abort-on-interrupt-in-exit-paths.patch +drm-amdgpu-don-t-map-bo-in-reserved-region.patch +drm-amd-display-increase-timeout-for-dp-disable.patch +drm-amdgpu-correct-the-gpu-reset-handling-for-job-null-case.patch +drm-amdkfd-use-same-sq-prefetch-setting-as-amdgpu.patch +drm-amd-display-avoid-mst-manager-resource-leak.patch +drm-amdgpu-increase-the-reserved-vm-size-to-2mb.patch +drm-amd-display-don-t-invoke-kgdb_breakpoint-unconditionally.patch +drm-amd-display-fix-kernel-panic-by-dal_gpio_open-error.patch +ceph-promote-to-unsigned-long-long-before-shifting.patch +libceph-clear-con-out_msg-on-policy-stateful_server-faults.patch +9p-cast-to-loff_t-before-multiplying.patch +ring-buffer-return-0-on-success-from-ring_buffer_resize.patch +vringh-fix-__vringh_iov-when-riov-and-wiov-are-different.patch +ext4-fix-leaking-sysfs-kobject-after-failed-mount.patch +ext4-fix-error-handling-code-in-add_new_gdb.patch +ext4-fix-invalid-inode-checksum.patch +ext4-fix-superblock-checksum-calculation-race.patch +drm-ttm-fix-eviction-valuable-range-check.patch +mmc-sdhci-of-esdhc-set-timeout-to-max-before-tuning.patch +mmc-sdhci-use-auto-cmd-auto-select-only-when-v4_mode-is-true.patch diff --git a/queue-5.4/ubi-check-kthread_should_stop-after-the-setting-of-task-state.patch b/queue-5.4/ubi-check-kthread_should_stop-after-the-setting-of-task-state.patch new file mode 100644 index 00000000000..373b4ee9b46 --- /dev/null +++ b/queue-5.4/ubi-check-kthread_should_stop-after-the-setting-of-task-state.patch @@ -0,0 +1,64 @@ +From d005f8c6588efcfbe88099b6edafc6f58c84a9c1 Mon Sep 17 00:00:00 2001 +From: Zhihao Cheng +Date: Mon, 1 Jun 2020 17:12:31 +0800 +Subject: ubi: check kthread_should_stop() after the setting of task state + +From: Zhihao Cheng + +commit d005f8c6588efcfbe88099b6edafc6f58c84a9c1 upstream. + +A detach hung is possible when a race occurs between the detach process +and the ubi background thread. The following sequences outline the race: + + ubi thread: if (list_empty(&ubi->works)... + + ubi detach: set_bit(KTHREAD_SHOULD_STOP, &kthread->flags) + => by kthread_stop() + wake_up_process() + => ubi thread is still running, so 0 is returned + + ubi thread: set_current_state(TASK_INTERRUPTIBLE) + schedule() + => ubi thread will never be scheduled again + + ubi detach: wait_for_completion() + => hung task! + +To fix that, we need to check kthread_should_stop() after we set the +task state, so the ubi thread will either see the stop bit and exit or +the task state is reset to runnable such that it isn't scheduled out +indefinitely. + +Signed-off-by: Zhihao Cheng +Cc: +Fixes: 801c135ce73d5df1ca ("UBI: Unsorted Block Images") +Reported-by: syzbot+853639d0cb16c31c7a14@syzkaller.appspotmail.com +Signed-off-by: Richard Weinberger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/ubi/wl.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/drivers/mtd/ubi/wl.c ++++ b/drivers/mtd/ubi/wl.c +@@ -1629,6 +1629,19 @@ int ubi_thread(void *u) + !ubi->thread_enabled || ubi_dbg_is_bgt_disabled(ubi)) { + set_current_state(TASK_INTERRUPTIBLE); + spin_unlock(&ubi->wl_lock); ++ ++ /* ++ * Check kthread_should_stop() after we set the task ++ * state to guarantee that we either see the stop bit ++ * and exit or the task state is reset to runnable such ++ * that it's not scheduled out indefinitely and detects ++ * the stop bit at kthread_should_stop(). ++ */ ++ if (kthread_should_stop()) { ++ set_current_state(TASK_RUNNING); ++ break; ++ } ++ + schedule(); + continue; + } diff --git a/queue-5.4/vringh-fix-__vringh_iov-when-riov-and-wiov-are-different.patch b/queue-5.4/vringh-fix-__vringh_iov-when-riov-and-wiov-are-different.patch new file mode 100644 index 00000000000..8b8c6933049 --- /dev/null +++ b/queue-5.4/vringh-fix-__vringh_iov-when-riov-and-wiov-are-different.patch @@ -0,0 +1,58 @@ +From 5745bcfbbf89b158416075374254d3c013488f21 Mon Sep 17 00:00:00 2001 +From: Stefano Garzarella +Date: Thu, 8 Oct 2020 22:42:56 +0200 +Subject: vringh: fix __vringh_iov() when riov and wiov are different + +From: Stefano Garzarella + +commit 5745bcfbbf89b158416075374254d3c013488f21 upstream. + +If riov and wiov are both defined and they point to different +objects, only riov is initialized. If the wiov is not initialized +by the caller, the function fails returning -EINVAL and printing +"Readable desc 0x... after writable" error message. + +This issue happens when descriptors have both readable and writable +buffers (eg. virtio-blk devices has virtio_blk_outhdr in the readable +buffer and status as last byte of writable buffer) and we call +__vringh_iov() to get both type of buffers in two different iovecs. + +Let's replace the 'else if' clause with 'if' to initialize both +riov and wiov if they are not NULL. + +As checkpatch pointed out, we also avoid crashing the kernel +when riov and wiov are both NULL, replacing BUG() with WARN_ON() +and returning -EINVAL. + +Fixes: f87d0fbb5798 ("vringh: host-side implementation of virtio rings.") +Cc: stable@vger.kernel.org +Signed-off-by: Stefano Garzarella +Link: https://lore.kernel.org/r/20201008204256.162292-1-sgarzare@redhat.com +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/vhost/vringh.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/vhost/vringh.c ++++ b/drivers/vhost/vringh.c +@@ -274,13 +274,14 @@ __vringh_iov(struct vringh *vrh, u16 i, + desc_max = vrh->vring.num; + up_next = -1; + ++ /* You must want something! */ ++ if (WARN_ON(!riov && !wiov)) ++ return -EINVAL; ++ + if (riov) + riov->i = riov->used = 0; +- else if (wiov) ++ if (wiov) + wiov->i = wiov->used = 0; +- else +- /* You must want something! */ +- BUG(); + + for (;;) { + void *addr;