From: Sasha Levin Date: Wed, 22 Apr 2020 03:25:56 +0000 (-0400) Subject: Fixes for 4.9 X-Git-Tag: v4.19.118~11 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d8b9596524a9ee75121766cae21b48d4863f2c82;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.9 Signed-off-by: Sasha Levin --- diff --git a/queue-4.9/clk-at91-usb-continue-if-clk_hw_round_rate-return-ze.patch b/queue-4.9/clk-at91-usb-continue-if-clk_hw_round_rate-return-ze.patch new file mode 100644 index 00000000000..346bbfff126 --- /dev/null +++ b/queue-4.9/clk-at91-usb-continue-if-clk_hw_round_rate-return-ze.patch @@ -0,0 +1,49 @@ +From 3a24244b3189823a4326565323602f171217ed56 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Jan 2020 13:36:46 +0200 +Subject: clk: at91: usb: continue if clk_hw_round_rate() return zero + +From: Claudiu Beznea + +[ Upstream commit b0ecf1c6c6e82da4847900fad0272abfd014666d ] + +clk_hw_round_rate() may call round rate function of its parents. In case +of SAM9X60 two of USB parrents are PLLA and UPLL. These clocks are +controlled by clk-sam9x60-pll.c driver. The round rate function for this +driver is sam9x60_pll_round_rate() which call in turn +sam9x60_pll_get_best_div_mul(). In case the requested rate is not in the +proper range (rate < characteristics->output[0].min && +rate > characteristics->output[0].max) the sam9x60_pll_round_rate() will +return a negative number to its caller (called by +clk_core_round_rate_nolock()). clk_hw_round_rate() will return zero in +case a negative number is returned by clk_core_round_rate_nolock(). With +this, the USB clock will continue its rate computation even caller of +clk_hw_round_rate() returned an error. With this, the USB clock on SAM9X60 +may not chose the best parent. I detected this after a suspend/resume +cycle on SAM9X60. + +Signed-off-by: Claudiu Beznea +Link: https://lkml.kernel.org/r/1579261009-4573-2-git-send-email-claudiu.beznea@microchip.com +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/at91/clk-usb.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/clk/at91/clk-usb.c b/drivers/clk/at91/clk-usb.c +index 791770a563fcc..6fac6383d024e 100644 +--- a/drivers/clk/at91/clk-usb.c ++++ b/drivers/clk/at91/clk-usb.c +@@ -78,6 +78,9 @@ static int at91sam9x5_clk_usb_determine_rate(struct clk_hw *hw, + tmp_parent_rate = req->rate * div; + tmp_parent_rate = clk_hw_round_rate(parent, + tmp_parent_rate); ++ if (!tmp_parent_rate) ++ continue; ++ + tmp_rate = DIV_ROUND_CLOSEST(tmp_parent_rate, div); + if (tmp_rate < req->rate) + tmp_diff = req->rate - tmp_rate; +-- +2.20.1 + diff --git a/queue-4.9/clk-tegra-fix-tegra-pmc-clock-out-parents.patch b/queue-4.9/clk-tegra-fix-tegra-pmc-clock-out-parents.patch new file mode 100644 index 00000000000..57395a9370d --- /dev/null +++ b/queue-4.9/clk-tegra-fix-tegra-pmc-clock-out-parents.patch @@ -0,0 +1,56 @@ +From a0acaa9dac559922a7e3af54cc5847cf199d6556 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Jan 2020 23:24:09 -0800 +Subject: clk: tegra: Fix Tegra PMC clock out parents + +From: Sowjanya Komatineni + +[ Upstream commit 6fe38aa8cac3a5db38154331742835a4d9740788 ] + +Tegra PMC clocks clk_out_1, clk_out_2, and clk_out_3 supported parents +are osc, osc_div2, osc_div4 and extern clock. + +Clock driver is using incorrect parents clk_m, clk_m_div2, clk_m_div4 +for PMC clocks. + +This patch fixes this. + +Tested-by: Dmitry Osipenko +Reviewed-by: Dmitry Osipenko +Signed-off-by: Sowjanya Komatineni +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/clk/tegra/clk-tegra-pmc.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/clk/tegra/clk-tegra-pmc.c b/drivers/clk/tegra/clk-tegra-pmc.c +index 91377abfefa19..17a04300f93bf 100644 +--- a/drivers/clk/tegra/clk-tegra-pmc.c ++++ b/drivers/clk/tegra/clk-tegra-pmc.c +@@ -60,16 +60,16 @@ struct pmc_clk_init_data { + + static DEFINE_SPINLOCK(clk_out_lock); + +-static const char *clk_out1_parents[] = { "clk_m", "clk_m_div2", +- "clk_m_div4", "extern1", ++static const char *clk_out1_parents[] = { "osc", "osc_div2", ++ "osc_div4", "extern1", + }; + +-static const char *clk_out2_parents[] = { "clk_m", "clk_m_div2", +- "clk_m_div4", "extern2", ++static const char *clk_out2_parents[] = { "osc", "osc_div2", ++ "osc_div4", "extern2", + }; + +-static const char *clk_out3_parents[] = { "clk_m", "clk_m_div2", +- "clk_m_div4", "extern3", ++static const char *clk_out3_parents[] = { "osc", "osc_div2", ++ "osc_div4", "extern3", + }; + + static struct pmc_clk_init_data pmc_clks[] = { +-- +2.20.1 + diff --git a/queue-4.9/compiler.h-fix-error-in-build_bug_on-reporting.patch b/queue-4.9/compiler.h-fix-error-in-build_bug_on-reporting.patch new file mode 100644 index 00000000000..8f38b6a21e4 --- /dev/null +++ b/queue-4.9/compiler.h-fix-error-in-build_bug_on-reporting.patch @@ -0,0 +1,70 @@ +From b7d945dfc74552315283123363ac5cbca3336c4b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Apr 2020 20:09:37 -0700 +Subject: compiler.h: fix error in BUILD_BUG_ON() reporting + +From: Vegard Nossum + +[ Upstream commit af9c5d2e3b355854ff0e4acfbfbfadcd5198a349 ] + +compiletime_assert() uses __LINE__ to create a unique function name. This +means that if you have more than one BUILD_BUG_ON() in the same source +line (which can happen if they appear e.g. in a macro), then the error +message from the compiler might output the wrong condition. + +For this source file: + + #include + + #define macro() \ + BUILD_BUG_ON(1); \ + BUILD_BUG_ON(0); + + void foo() + { + macro(); + } + +gcc would output: + +./include/linux/compiler.h:350:38: error: call to `__compiletime_assert_9' declared with attribute error: BUILD_BUG_ON failed: 0 + _compiletime_assert(condition, msg, __compiletime_assert_, __LINE__) + +However, it was not the BUILD_BUG_ON(0) that failed, so it should say 1 +instead of 0. With this patch, we use __COUNTER__ instead of __LINE__, so +each BUILD_BUG_ON() gets a different function name and the correct +condition is printed: + +./include/linux/compiler.h:350:38: error: call to `__compiletime_assert_0' declared with attribute error: BUILD_BUG_ON failed: 1 + _compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__) + +Signed-off-by: Vegard Nossum +Signed-off-by: Andrew Morton +Reviewed-by: Masahiro Yamada +Reviewed-by: Daniel Santos +Cc: Rasmus Villemoes +Cc: Ian Abbott +Cc: Joe Perches +Link: http://lkml.kernel.org/r/20200331112637.25047-1-vegard.nossum@oracle.com +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/linux/compiler.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/compiler.h b/include/linux/compiler.h +index 0020ee1cab37a..7837afabbd78e 100644 +--- a/include/linux/compiler.h ++++ b/include/linux/compiler.h +@@ -546,7 +546,7 @@ unsigned long read_word_at_a_time(const void *addr) + * compiler has support to do so. + */ + #define compiletime_assert(condition, msg) \ +- _compiletime_assert(condition, msg, __compiletime_assert_, __LINE__) ++ _compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__) + + #define compiletime_assert_atomic_type(t) \ + compiletime_assert(__native_word(t), \ +-- +2.20.1 + diff --git a/queue-4.9/ext2-fix-debug-reference-to-ext2_xattr_cache.patch b/queue-4.9/ext2-fix-debug-reference-to-ext2_xattr_cache.patch new file mode 100644 index 00000000000..da4f0451980 --- /dev/null +++ b/queue-4.9/ext2-fix-debug-reference-to-ext2_xattr_cache.patch @@ -0,0 +1,51 @@ +From 0bdef52af3c4aa563f3f1c6ad29660808fb51cc4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Mar 2020 12:40:02 +0100 +Subject: ext2: fix debug reference to ext2_xattr_cache +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jan Kara + +[ Upstream commit 32302085a8d90859c40cf1a5e8313f575d06ec75 ] + +Fix a debug-only build error in ext2/xattr.c: + +When building without extra debugging, (and with another patch that uses +no_printk() instead of for the ext2-xattr debug-print macros, +this build error happens: + +../fs/ext2/xattr.c: In function ‘ext2_xattr_cache_insert’: +../fs/ext2/xattr.c:869:18: error: ‘ext2_xattr_cache’ undeclared (first use in +this function); did you mean ‘ext2_xattr_list’? + atomic_read(&ext2_xattr_cache->c_entry_count)); + +Fix the problem by removing cached entry count from the debug message +since otherwise we'd have to export the mbcache structure just for that. + +Fixes: be0726d33cb8 ("ext2: convert to mbcache2") +Reported-by: Randy Dunlap +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/ext2/xattr.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/fs/ext2/xattr.c b/fs/ext2/xattr.c +index a54037df2c8a8..c8679b5835617 100644 +--- a/fs/ext2/xattr.c ++++ b/fs/ext2/xattr.c +@@ -836,8 +836,7 @@ ext2_xattr_cache_insert(struct mb_cache *cache, struct buffer_head *bh) + error = mb_cache_entry_create(cache, GFP_NOFS, hash, bh->b_blocknr, 1); + if (error) { + if (error == -EBUSY) { +- ea_bdebug(bh, "already in cache (%d cache entries)", +- atomic_read(&ext2_xattr_cache->c_entry_count)); ++ ea_bdebug(bh, "already in cache"); + error = 0; + } + } else +-- +2.20.1 + diff --git a/queue-4.9/ext2-fix-empty-body-warnings-when-wextra-is-used.patch b/queue-4.9/ext2-fix-empty-body-warnings-when-wextra-is-used.patch new file mode 100644 index 00000000000..af509f14a19 --- /dev/null +++ b/queue-4.9/ext2-fix-empty-body-warnings-when-wextra-is-used.patch @@ -0,0 +1,60 @@ +From 9d62aab80e125d3d31063ea72152632c7f089c32 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 22 Mar 2020 19:45:41 -0700 +Subject: ext2: fix empty body warnings when -Wextra is used +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Randy Dunlap + +[ Upstream commit 44a52022e7f15cbaab957df1c14f7a4f527ef7cf ] + +When EXT2_ATTR_DEBUG is not defined, modify the 2 debug macros +to use the no_printk() macro instead of . +This fixes gcc warnings when -Wextra is used: + +../fs/ext2/xattr.c:252:42: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body] +../fs/ext2/xattr.c:258:42: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body] +../fs/ext2/xattr.c:330:42: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body] +../fs/ext2/xattr.c:872:45: warning: suggest braces around empty body in an ‘else’ statement [-Wempty-body] + +I have verified that the only object code change (with gcc 7.5.0) is +the reversal of some instructions from 'cmp a,b' to 'cmp b,a'. + +Link: https://lore.kernel.org/r/e18a7395-61fb-2093-18e8-ed4f8cf56248@infradead.org +Signed-off-by: Randy Dunlap +Cc: Jan Kara +Cc: linux-ext4@vger.kernel.org +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/ext2/xattr.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/fs/ext2/xattr.c b/fs/ext2/xattr.c +index babef30d440b1..a54037df2c8a8 100644 +--- a/fs/ext2/xattr.c ++++ b/fs/ext2/xattr.c +@@ -55,6 +55,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -83,8 +84,8 @@ + printk("\n"); \ + } while (0) + #else +-# define ea_idebug(f...) +-# define ea_bdebug(f...) ++# define ea_idebug(inode, f...) no_printk(f) ++# define ea_bdebug(bh, f...) no_printk(f) + #endif + + static int ext2_xattr_set2(struct inode *, struct buffer_head *, +-- +2.20.1 + diff --git a/queue-4.9/ext4-do-not-commit-super-on-read-only-bdev.patch b/queue-4.9/ext4-do-not-commit-super-on-read-only-bdev.patch new file mode 100644 index 00000000000..6f06cebe328 --- /dev/null +++ b/queue-4.9/ext4-do-not-commit-super-on-read-only-bdev.patch @@ -0,0 +1,50 @@ +From ea40fadbaec40d2b6fb5d957296d9d524fff0db1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Mar 2020 14:19:38 -0500 +Subject: ext4: do not commit super on read-only bdev + +From: Eric Sandeen + +[ Upstream commit c96e2b8564adfb8ac14469ebc51ddc1bfecb3ae2 ] + +Under some circumstances we may encounter a filesystem error on a +read-only block device, and if we try to save the error info to the +superblock and commit it, we'll wind up with a noisy error and +backtrace, i.e.: + +[ 3337.146838] EXT4-fs error (device pmem1p2): ext4_get_journal_inode:4634: comm mount: inode #0: comm mount: iget: illegal inode # +------------[ cut here ]------------ +generic_make_request: Trying to write to read-only block-device pmem1p2 (partno 2) +WARNING: CPU: 107 PID: 115347 at block/blk-core.c:788 generic_make_request_checks+0x6b4/0x7d0 +... + +To avoid this, commit the error info in the superblock only if the +block device is writable. + +Reported-by: Ritesh Harjani +Signed-off-by: Eric Sandeen +Reviewed-by: Andreas Dilger +Link: https://lore.kernel.org/r/4b6e774d-cc00-3469-7abb-108eb151071a@sandeen.net +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/super.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index a5edc5c0882f4..ed0520fe4dad6 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -344,7 +344,8 @@ static void save_error_info(struct super_block *sb, const char *func, + unsigned int line) + { + __save_error_info(sb, func, line); +- ext4_commit_super(sb, 1); ++ if (!bdev_read_only(sb->s_bdev)) ++ ext4_commit_super(sb, 1); + } + + /* +-- +2.20.1 + diff --git a/queue-4.9/iommu-amd-fix-the-configuration-of-gcr3-table-root-p.patch b/queue-4.9/iommu-amd-fix-the-configuration-of-gcr3-table-root-p.patch new file mode 100644 index 00000000000..a93e7e59e1d --- /dev/null +++ b/queue-4.9/iommu-amd-fix-the-configuration-of-gcr3-table-root-p.patch @@ -0,0 +1,38 @@ +From 5330abc3a99dd50d4a7076d9acd6a7524080278a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Feb 2020 18:44:51 +0800 +Subject: iommu/amd: Fix the configuration of GCR3 table root pointer + +From: Adrian Huang + +[ Upstream commit c20f36534666e37858a14e591114d93cc1be0d34 ] + +The SPA of the GCR3 table root pointer[51:31] masks 20 bits. However, +this requires 21 bits (Please see the AMD IOMMU specification). +This leads to the potential failure when the bit 51 of SPA of +the GCR3 table root pointer is 1'. + +Signed-off-by: Adrian Huang +Fixes: 52815b75682e2 ("iommu/amd: Add support for IOMMUv2 domain mode") +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/amd_iommu_types.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/iommu/amd_iommu_types.h b/drivers/iommu/amd_iommu_types.h +index 0d91785ebdc34..da3fbf82d1cf4 100644 +--- a/drivers/iommu/amd_iommu_types.h ++++ b/drivers/iommu/amd_iommu_types.h +@@ -329,7 +329,7 @@ + + #define DTE_GCR3_VAL_A(x) (((x) >> 12) & 0x00007ULL) + #define DTE_GCR3_VAL_B(x) (((x) >> 15) & 0x0ffffULL) +-#define DTE_GCR3_VAL_C(x) (((x) >> 31) & 0xfffffULL) ++#define DTE_GCR3_VAL_C(x) (((x) >> 31) & 0x1fffffULL) + + #define DTE_GCR3_INDEX_A 0 + #define DTE_GCR3_INDEX_B 1 +-- +2.20.1 + diff --git a/queue-4.9/kvm-s390-vsie-fix-possible-race-when-shadowing-regio.patch b/queue-4.9/kvm-s390-vsie-fix-possible-race-when-shadowing-regio.patch new file mode 100644 index 00000000000..422101fe3fd --- /dev/null +++ b/queue-4.9/kvm-s390-vsie-fix-possible-race-when-shadowing-regio.patch @@ -0,0 +1,52 @@ +From 9bc28b4830b6b67b964314ce0dff978eebb2c177 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Apr 2020 17:30:48 +0200 +Subject: KVM: s390: vsie: Fix possible race when shadowing region 3 tables + +From: David Hildenbrand + +[ Upstream commit 1493e0f944f3c319d11e067c185c904d01c17ae5 ] + +We have to properly retry again by returning -EINVAL immediately in case +somebody else instantiated the table concurrently. We missed to add the +goto in this function only. The code now matches the other, similar +shadowing functions. + +We are overwriting an existing region 2 table entry. All allocated pages +are added to the crst_list to be freed later, so they are not lost +forever. However, when unshadowing the region 2 table, we wouldn't trigger +unshadowing of the original shadowed region 3 table that we replaced. It +would get unshadowed when the original region 3 table is modified. As it's +not connected to the page table hierarchy anymore, it's not going to get +used anymore. However, for a limited time, this page table will stick +around, so it's in some sense a temporary memory leak. + +Identified by manual code inspection. I don't think this classifies as +stable material. + +Fixes: 998f637cc4b9 ("s390/mm: avoid races on region/segment/page table shadowing") +Signed-off-by: David Hildenbrand +Link: https://lore.kernel.org/r/20200403153050.20569-4-david@redhat.com +Reviewed-by: Claudio Imbrenda +Reviewed-by: Christian Borntraeger +Signed-off-by: Christian Borntraeger +Signed-off-by: Sasha Levin +--- + arch/s390/mm/gmap.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/s390/mm/gmap.c b/arch/s390/mm/gmap.c +index 871a99dcf93e1..0195c3983f540 100644 +--- a/arch/s390/mm/gmap.c ++++ b/arch/s390/mm/gmap.c +@@ -1684,6 +1684,7 @@ int gmap_shadow_r3t(struct gmap *sg, unsigned long saddr, unsigned long r3t, + goto out_free; + } else if (*table & _REGION_ENTRY_ORIGIN) { + rc = -EAGAIN; /* Race with shadow */ ++ goto out_free; + } + crst_table_init(s_r3t, _REGION3_ENTRY_EMPTY); + /* mark as invalid as long as the parent table is not protected */ +-- +2.20.1 + diff --git a/queue-4.9/libnvdimm-out-of-bounds-read-in-__nd_ioctl.patch b/queue-4.9/libnvdimm-out-of-bounds-read-in-__nd_ioctl.patch new file mode 100644 index 00000000000..3357ed919bd --- /dev/null +++ b/queue-4.9/libnvdimm-out-of-bounds-read-in-__nd_ioctl.patch @@ -0,0 +1,43 @@ +From be3deee4f3eee2123705cbf0f678412bc3339149 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Feb 2020 19:20:56 +0300 +Subject: libnvdimm: Out of bounds read in __nd_ioctl() + +From: Dan Carpenter + +[ Upstream commit f84afbdd3a9e5e10633695677b95422572f920dc ] + +The "cmd" comes from the user and it can be up to 255. It it's more +than the number of bits in long, it results out of bounds read when we +check test_bit(cmd, &cmd_mask). The highest valid value for "cmd" is +ND_CMD_CALL (10) so I added a compare against that. + +Fixes: 62232e45f4a2 ("libnvdimm: control (ioctl) messages for nvdimm_bus and nvdimm devices") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/20200225162055.amtosfy7m35aivxg@kili.mountain +Signed-off-by: Dan Williams +Signed-off-by: Sasha Levin +--- + drivers/nvdimm/bus.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/nvdimm/bus.c b/drivers/nvdimm/bus.c +index 5768a4749564a..65ac1d3870f93 100644 +--- a/drivers/nvdimm/bus.c ++++ b/drivers/nvdimm/bus.c +@@ -851,8 +851,10 @@ static int __nd_ioctl(struct nvdimm_bus *nvdimm_bus, struct nvdimm *nvdimm, + return -EFAULT; + } + +- if (!desc || (desc->out_num + desc->in_num == 0) || +- !test_bit(cmd, &cmd_mask)) ++ if (!desc || ++ (desc->out_num + desc->in_num == 0) || ++ cmd > ND_CMD_CALL || ++ !test_bit(cmd, &cmd_mask)) + return -ENOTTY; + + /* fail write commands (when read-only) */ +-- +2.20.1 + diff --git a/queue-4.9/nfs-direct.c-fix-memory-leak-of-dreq-when-nfs_get_lo.patch b/queue-4.9/nfs-direct.c-fix-memory-leak-of-dreq-when-nfs_get_lo.patch new file mode 100644 index 00000000000..e060168c11d --- /dev/null +++ b/queue-4.9/nfs-direct.c-fix-memory-leak-of-dreq-when-nfs_get_lo.patch @@ -0,0 +1,51 @@ +From 2aceb1d2b4bb30dd9d6767a4b34bdf99ac9a0ab9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Aug 2019 17:01:22 +0900 +Subject: NFS: direct.c: Fix memory leak of dreq when nfs_get_lock_context + fails + +From: Misono Tomohiro + +[ Upstream commit 8605cf0e852af3b2c771c18417499dc4ceed03d5 ] + +When dreq is allocated by nfs_direct_req_alloc(), dreq->kref is +initialized to 2. Therefore we need to call nfs_direct_req_release() +twice to release the allocated dreq. Usually it is called in +nfs_file_direct_{read, write}() and nfs_direct_complete(). + +However, current code only calls nfs_direct_req_relese() once if +nfs_get_lock_context() fails in nfs_file_direct_{read, write}(). +So, that case would result in memory leak. + +Fix this by adding the missing call. + +Signed-off-by: Misono Tomohiro +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/direct.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/nfs/direct.c b/fs/nfs/direct.c +index 53f0012ace42f..de135d2591ffb 100644 +--- a/fs/nfs/direct.c ++++ b/fs/nfs/direct.c +@@ -595,6 +595,7 @@ ssize_t nfs_file_direct_read(struct kiocb *iocb, struct iov_iter *iter) + l_ctx = nfs_get_lock_context(dreq->ctx); + if (IS_ERR(l_ctx)) { + result = PTR_ERR(l_ctx); ++ nfs_direct_req_release(dreq); + goto out_release; + } + dreq->l_ctx = l_ctx; +@@ -1019,6 +1020,7 @@ ssize_t nfs_file_direct_write(struct kiocb *iocb, struct iov_iter *iter) + l_ctx = nfs_get_lock_context(dreq->ctx); + if (IS_ERR(l_ctx)) { + result = PTR_ERR(l_ctx); ++ nfs_direct_req_release(dreq); + goto out_release; + } + dreq->l_ctx = l_ctx; +-- +2.20.1 + diff --git a/queue-4.9/nfs-fix-memory-leaks-in-nfs_pageio_stop_mirroring.patch b/queue-4.9/nfs-fix-memory-leaks-in-nfs_pageio_stop_mirroring.patch new file mode 100644 index 00000000000..17bee3c6093 --- /dev/null +++ b/queue-4.9/nfs-fix-memory-leaks-in-nfs_pageio_stop_mirroring.patch @@ -0,0 +1,56 @@ +From e44cbb8c5757cb157c3d99d2d6dd2c16dd241ec2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 29 Mar 2020 20:06:45 -0400 +Subject: NFS: Fix memory leaks in nfs_pageio_stop_mirroring() + +From: Trond Myklebust + +[ Upstream commit 862f35c94730c9270833f3ad05bd758a29f204ed ] + +If we just set the mirror count to 1 without first clearing out +the mirrors, we can leak queued up requests. + +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/pagelist.c | 17 ++++++++--------- + 1 file changed, 8 insertions(+), 9 deletions(-) + +diff --git a/fs/nfs/pagelist.c b/fs/nfs/pagelist.c +index b6e25126a0b0f..529f3a5762637 100644 +--- a/fs/nfs/pagelist.c ++++ b/fs/nfs/pagelist.c +@@ -851,15 +851,6 @@ static int nfs_pageio_setup_mirroring(struct nfs_pageio_descriptor *pgio, + return 0; + } + +-/* +- * nfs_pageio_stop_mirroring - stop using mirroring (set mirror count to 1) +- */ +-void nfs_pageio_stop_mirroring(struct nfs_pageio_descriptor *pgio) +-{ +- pgio->pg_mirror_count = 1; +- pgio->pg_mirror_idx = 0; +-} +- + static void nfs_pageio_cleanup_mirroring(struct nfs_pageio_descriptor *pgio) + { + pgio->pg_mirror_count = 1; +@@ -1285,6 +1276,14 @@ void nfs_pageio_cond_complete(struct nfs_pageio_descriptor *desc, pgoff_t index) + } + } + ++/* ++ * nfs_pageio_stop_mirroring - stop using mirroring (set mirror count to 1) ++ */ ++void nfs_pageio_stop_mirroring(struct nfs_pageio_descriptor *pgio) ++{ ++ nfs_pageio_complete(pgio); ++} ++ + int __init nfs_init_nfspagecache(void) + { + nfs_page_cachep = kmem_cache_create("nfs_page", +-- +2.20.1 + diff --git a/queue-4.9/of-unittest-kmemleak-in-of_unittest_platform_populat.patch b/queue-4.9/of-unittest-kmemleak-in-of_unittest_platform_populat.patch new file mode 100644 index 00000000000..b712492d3cd --- /dev/null +++ b/queue-4.9/of-unittest-kmemleak-in-of_unittest_platform_populat.patch @@ -0,0 +1,48 @@ +From 346847b7922349d8d88e65121ad66c2c5923e2a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Apr 2020 16:42:47 -0500 +Subject: of: unittest: kmemleak in of_unittest_platform_populate() + +From: Frank Rowand + +[ Upstream commit 216830d2413cc61be3f76bc02ffd905e47d2439e ] + +kmemleak reports several memory leaks from devicetree unittest. +This is the fix for problem 2 of 5. + +of_unittest_platform_populate() left an elevated reference count for +grandchild nodes (which are platform devices). Fix the platform +device reference counts so that the memory will be freed. + +Fixes: fb2caa50fbac ("of/selftest: add testcase for nodes with same name and address") +Reported-by: Erhard F. +Signed-off-by: Frank Rowand +Signed-off-by: Rob Herring +Signed-off-by: Sasha Levin +--- + drivers/of/unittest.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/of/unittest.c b/drivers/of/unittest.c +index 40d170c1ecd50..144d123f6ea4f 100644 +--- a/drivers/of/unittest.c ++++ b/drivers/of/unittest.c +@@ -825,10 +825,13 @@ static void __init of_unittest_platform_populate(void) + + of_platform_populate(np, match, NULL, &test_bus->dev); + for_each_child_of_node(np, child) { +- for_each_child_of_node(child, grandchild) +- unittest(of_find_device_by_node(grandchild), ++ for_each_child_of_node(child, grandchild) { ++ pdev = of_find_device_by_node(grandchild); ++ unittest(pdev, + "Could not create device for node '%s'\n", + grandchild->name); ++ of_dev_put(pdev); ++ } + } + + of_platform_depopulate(&test_bus->dev); +-- +2.20.1 + diff --git a/queue-4.9/percpu_counter-fix-a-data-race-at-vm_committed_as.patch b/queue-4.9/percpu_counter-fix-a-data-race-at-vm_committed_as.patch new file mode 100644 index 00000000000..9de53362930 --- /dev/null +++ b/queue-4.9/percpu_counter-fix-a-data-race-at-vm_committed_as.patch @@ -0,0 +1,72 @@ +From c7a8f6494c66c9dd8e0080f4e639c7a72a821443 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Apr 2020 20:10:25 -0700 +Subject: percpu_counter: fix a data race at vm_committed_as + +From: Qian Cai + +[ Upstream commit 7e2345200262e4a6056580f0231cccdaffc825f3 ] + +"vm_committed_as.count" could be accessed concurrently as reported by +KCSAN, + + BUG: KCSAN: data-race in __vm_enough_memory / percpu_counter_add_batch + + write to 0xffffffff9451c538 of 8 bytes by task 65879 on cpu 35: + percpu_counter_add_batch+0x83/0xd0 + percpu_counter_add_batch at lib/percpu_counter.c:91 + __vm_enough_memory+0xb9/0x260 + dup_mm+0x3a4/0x8f0 + copy_process+0x2458/0x3240 + _do_fork+0xaa/0x9f0 + __do_sys_clone+0x125/0x160 + __x64_sys_clone+0x70/0x90 + do_syscall_64+0x91/0xb05 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + + read to 0xffffffff9451c538 of 8 bytes by task 66773 on cpu 19: + __vm_enough_memory+0x199/0x260 + percpu_counter_read_positive at include/linux/percpu_counter.h:81 + (inlined by) __vm_enough_memory at mm/util.c:839 + mmap_region+0x1b2/0xa10 + do_mmap+0x45c/0x700 + vm_mmap_pgoff+0xc0/0x130 + ksys_mmap_pgoff+0x6e/0x300 + __x64_sys_mmap+0x33/0x40 + do_syscall_64+0x91/0xb05 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +The read is outside percpu_counter::lock critical section which results in +a data race. Fix it by adding a READ_ONCE() in +percpu_counter_read_positive() which could also service as the existing +compiler memory barrier. + +Signed-off-by: Qian Cai +Signed-off-by: Andrew Morton +Acked-by: Marco Elver +Link: http://lkml.kernel.org/r/1582302724-2804-1-git-send-email-cai@lca.pw +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/linux/percpu_counter.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/include/linux/percpu_counter.h b/include/linux/percpu_counter.h +index 84a1094496100..b6332cb761a4c 100644 +--- a/include/linux/percpu_counter.h ++++ b/include/linux/percpu_counter.h +@@ -76,9 +76,9 @@ static inline s64 percpu_counter_read(struct percpu_counter *fbc) + */ + static inline s64 percpu_counter_read_positive(struct percpu_counter *fbc) + { +- s64 ret = fbc->count; ++ /* Prevent reloads of fbc->count */ ++ s64 ret = READ_ONCE(fbc->count); + +- barrier(); /* Prevent reloads of fbc->count */ + if (ret >= 0) + return ret; + return 0; +-- +2.20.1 + diff --git a/queue-4.9/power-supply-bq27xxx_battery-silence-deferred-probe-.patch b/queue-4.9/power-supply-bq27xxx_battery-silence-deferred-probe-.patch new file mode 100644 index 00000000000..fd7f21ba17a --- /dev/null +++ b/queue-4.9/power-supply-bq27xxx_battery-silence-deferred-probe-.patch @@ -0,0 +1,45 @@ +From cca8c9b0ceb1737f850028d0972f894b31aaf22e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Mar 2020 00:51:43 +0300 +Subject: power: supply: bq27xxx_battery: Silence deferred-probe error +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Dmitry Osipenko + +[ Upstream commit 583b53ece0b0268c542a1eafadb62e3d4b0aab8c ] + +The driver fails to probe with -EPROBE_DEFER if battery's power supply +(charger driver) isn't ready yet and this results in a bit noisy error +message in KMSG during kernel's boot up. Let's silence the harmless +error message. + +Signed-off-by: Dmitry Osipenko +Reviewed-by: Andrew F. Davis +Reviewed-by: Pali Rohár +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/bq27xxx_battery.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/power/supply/bq27xxx_battery.c b/drivers/power/supply/bq27xxx_battery.c +index bccb3f595ff3d..247be9155694f 100644 +--- a/drivers/power/supply/bq27xxx_battery.c ++++ b/drivers/power/supply/bq27xxx_battery.c +@@ -1031,7 +1031,10 @@ int bq27xxx_battery_setup(struct bq27xxx_device_info *di) + + di->bat = power_supply_register_no_ws(di->dev, psy_desc, &psy_cfg); + if (IS_ERR(di->bat)) { +- dev_err(di->dev, "failed to register battery\n"); ++ if (PTR_ERR(di->bat) == -EPROBE_DEFER) ++ dev_dbg(di->dev, "failed to register battery, deferring probe\n"); ++ else ++ dev_err(di->dev, "failed to register battery\n"); + return PTR_ERR(di->bat); + } + +-- +2.20.1 + diff --git a/queue-4.9/powerpc-maple-fix-declaration-made-after-definition.patch b/queue-4.9/powerpc-maple-fix-declaration-made-after-definition.patch new file mode 100644 index 00000000000..f75a3a1ea77 --- /dev/null +++ b/queue-4.9/powerpc-maple-fix-declaration-made-after-definition.patch @@ -0,0 +1,92 @@ +From 7d0d0a54cd0fdbd1b3e23e781a91968b12aba3a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Mar 2020 15:27:29 -0700 +Subject: powerpc/maple: Fix declaration made after definition + +From: Nathan Chancellor + +[ Upstream commit af6cf95c4d003fccd6c2ecc99a598fb854b537e7 ] + +When building ppc64 defconfig, Clang errors (trimmed for brevity): + + arch/powerpc/platforms/maple/setup.c:365:1: error: attribute declaration + must precede definition [-Werror,-Wignored-attributes] + machine_device_initcall(maple, maple_cpc925_edac_setup); + ^ + +machine_device_initcall expands to __define_machine_initcall, which in +turn has the macro machine_is used in it, which declares mach_##name +with an __attribute__((weak)). define_machine actually defines +mach_##name, which in this file happens before the declaration, hence +the warning. + +To fix this, move define_machine after machine_device_initcall so that +the declaration occurs before the definition, which matches how +machine_device_initcall and define_machine work throughout +arch/powerpc. + +While we're here, remove some spaces before tabs. + +Fixes: 8f101a051ef0 ("edac: cpc925 MC platform device setup") +Reported-by: Nick Desaulniers +Suggested-by: Ilie Halip +Signed-off-by: Nathan Chancellor +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200323222729.15365-1-natechancellor@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/maple/setup.c | 34 ++++++++++++++-------------- + 1 file changed, 17 insertions(+), 17 deletions(-) + +diff --git a/arch/powerpc/platforms/maple/setup.c b/arch/powerpc/platforms/maple/setup.c +index b7f937563827d..d1fee2d35b49c 100644 +--- a/arch/powerpc/platforms/maple/setup.c ++++ b/arch/powerpc/platforms/maple/setup.c +@@ -299,23 +299,6 @@ static int __init maple_probe(void) + return 1; + } + +-define_machine(maple) { +- .name = "Maple", +- .probe = maple_probe, +- .setup_arch = maple_setup_arch, +- .init_IRQ = maple_init_IRQ, +- .pci_irq_fixup = maple_pci_irq_fixup, +- .pci_get_legacy_ide_irq = maple_pci_get_legacy_ide_irq, +- .restart = maple_restart, +- .halt = maple_halt, +- .get_boot_time = maple_get_boot_time, +- .set_rtc_time = maple_set_rtc_time, +- .get_rtc_time = maple_get_rtc_time, +- .calibrate_decr = generic_calibrate_decr, +- .progress = maple_progress, +- .power_save = power4_idle, +-}; +- + #ifdef CONFIG_EDAC + /* + * Register a platform device for CPC925 memory controller on +@@ -372,3 +355,20 @@ static int __init maple_cpc925_edac_setup(void) + } + machine_device_initcall(maple, maple_cpc925_edac_setup); + #endif ++ ++define_machine(maple) { ++ .name = "Maple", ++ .probe = maple_probe, ++ .setup_arch = maple_setup_arch, ++ .init_IRQ = maple_init_IRQ, ++ .pci_irq_fixup = maple_pci_irq_fixup, ++ .pci_get_legacy_ide_irq = maple_pci_get_legacy_ide_irq, ++ .restart = maple_restart, ++ .halt = maple_halt, ++ .get_boot_time = maple_get_boot_time, ++ .set_rtc_time = maple_set_rtc_time, ++ .get_rtc_time = maple_get_rtc_time, ++ .calibrate_decr = generic_calibrate_decr, ++ .progress = maple_progress, ++ .power_save = power4_idle, ++}; +-- +2.20.1 + diff --git a/queue-4.9/s390-cpuinfo-fix-wrong-output-when-cpu0-is-offline.patch b/queue-4.9/s390-cpuinfo-fix-wrong-output-when-cpu0-is-offline.patch new file mode 100644 index 00000000000..c230f165fd2 --- /dev/null +++ b/queue-4.9/s390-cpuinfo-fix-wrong-output-when-cpu0-is-offline.patch @@ -0,0 +1,49 @@ +From 81f477bcec264b82e193a0488d7215d9c85c8902 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2020 12:39:55 +0100 +Subject: s390/cpuinfo: fix wrong output when CPU0 is offline + +From: Alexander Gordeev + +[ Upstream commit 872f27103874a73783aeff2aac2b41a489f67d7c ] + +/proc/cpuinfo should not print information about CPU 0 when it is offline. + +Fixes: 281eaa8cb67c ("s390/cpuinfo: simplify locking and skip offline cpus early") +Signed-off-by: Alexander Gordeev +Reviewed-by: Heiko Carstens +[heiko.carstens@de.ibm.com: shortened commit message] +Signed-off-by: Heiko Carstens +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/processor.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/arch/s390/kernel/processor.c b/arch/s390/kernel/processor.c +index d856263fd7687..737e22cf09728 100644 +--- a/arch/s390/kernel/processor.c ++++ b/arch/s390/kernel/processor.c +@@ -139,8 +139,9 @@ static void show_cpu_mhz(struct seq_file *m, unsigned long n) + static int show_cpuinfo(struct seq_file *m, void *v) + { + unsigned long n = (unsigned long) v - 1; ++ unsigned long first = cpumask_first(cpu_online_mask); + +- if (!n) ++ if (n == first) + show_cpu_summary(m, v); + if (!machine_has_cpu_mhz) + return 0; +@@ -153,6 +154,8 @@ static inline void *c_update(loff_t *pos) + { + if (*pos) + *pos = cpumask_next(*pos - 1, cpu_online_mask); ++ else ++ *pos = cpumask_first(cpu_online_mask); + return *pos < nr_cpu_ids ? (void *)*pos + 1 : NULL; + } + +-- +2.20.1 + diff --git a/queue-4.9/series b/queue-4.9/series index aeb268524bd..e95b5b174be 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -99,3 +99,19 @@ wil6210-fix-length-check-in-__wmi_send.patch soc-qcom-smem-use-le32_to_cpu-for-comparison.patch of-fix-missing-kobject-init-for-sysfs-of_dynamic-config.patch arm64-cpu_errata-include-required-headers.patch +of-unittest-kmemleak-in-of_unittest_platform_populat.patch +clk-at91-usb-continue-if-clk_hw_round_rate-return-ze.patch +power-supply-bq27xxx_battery-silence-deferred-probe-.patch +clk-tegra-fix-tegra-pmc-clock-out-parents.patch +nfs-direct.c-fix-memory-leak-of-dreq-when-nfs_get_lo.patch +s390-cpuinfo-fix-wrong-output-when-cpu0-is-offline.patch +powerpc-maple-fix-declaration-made-after-definition.patch +ext4-do-not-commit-super-on-read-only-bdev.patch +percpu_counter-fix-a-data-race-at-vm_committed_as.patch +compiler.h-fix-error-in-build_bug_on-reporting.patch +kvm-s390-vsie-fix-possible-race-when-shadowing-regio.patch +nfs-fix-memory-leaks-in-nfs_pageio_stop_mirroring.patch +ext2-fix-empty-body-warnings-when-wextra-is-used.patch +ext2-fix-debug-reference-to-ext2_xattr_cache.patch +libnvdimm-out-of-bounds-read-in-__nd_ioctl.patch +iommu-amd-fix-the-configuration-of-gcr3-table-root-p.patch