From: Greg Kroah-Hartman Date: Mon, 20 Jul 2020 12:45:25 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v4.4.231~14 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e784b2f1006731d0f17bcf3d2a6d3239580a7836;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: arm64-compat-ensure-upper-32-bits-of-x0-are-zero-on-syscall-return.patch arm64-ptrace-consistently-use-pseudo-singlestep-exceptions.patch arm64-ptrace-override-spsr.ss-when-single-stepping-is-enabled.patch dmaengine-fsl-edma-fix-null-pointer-exception-in-fsl_edma_tx_handler.patch fuse-fix-parameter-for-fs_ioc_-get-set-flags.patch genirq-affinity-handle-affinity-setting-on-inactive-interrupts-correctly.patch hwmon-emc2103-fix-unable-to-change-fan-pwm1_enable-attribute.patch input-i8042-add-lenovo-xiaoxin-air-12-to-i8042-nomux-list.patch intel_th-fix-a-null-dereference-when-hub-driver-is-not-loaded.patch intel_th-pci-add-emmitsburg-pch-support.patch intel_th-pci-add-jasper-lake-cpu-support.patch intel_th-pci-add-tiger-lake-pch-h-support.patch mei-bus-don-t-clean-driver-pointer.patch mips-fix-build-for-lts-kernel-caused-by-backporting-lpj-adjustment.patch misc-atmel-ssc-lock-with-mutex-instead-of-spinlock.patch ovl-fix-unneeded-call-to-ovl_change_flags.patch ovl-inode-reference-leak-in-ovl_is_inuse-true-case.patch ovl-relax-warn_on-when-decoding-lower-directory-file-handle.patch powerpc-book3s64-pkeys-fix-pkey_access_permitted-for-execute-disable-pkey.patch revert-zram-convert-remaining-class_attr-to-class_attr_ro.patch riscv-use-16kb-kernel-stack-on-64-bit.patch sched-fair-handle-case-of-task_h_load-returning-0.patch sched-fix-unreliable-rseq-cpu_id-for-new-tasks.patch thermal-drivers-cpufreq_cooling-fix-wrong-frequency-converted-from-power.patch timer-fix-wheel-index-calculation-on-last-level.patch timer-prevent-base-clk-from-moving-backward.patch uio_pdrv_genirq-fix-use-without-device-tree-and-no-interrupt.patch --- diff --git a/queue-4.19/arm64-compat-ensure-upper-32-bits-of-x0-are-zero-on-syscall-return.patch b/queue-4.19/arm64-compat-ensure-upper-32-bits-of-x0-are-zero-on-syscall-return.patch new file mode 100644 index 00000000000..42dabec370d --- /dev/null +++ b/queue-4.19/arm64-compat-ensure-upper-32-bits-of-x0-are-zero-on-syscall-return.patch @@ -0,0 +1,70 @@ +From 15956689a0e60aa0c795174f3c310b60d8794235 Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Fri, 3 Jul 2020 12:08:42 +0100 +Subject: arm64: compat: Ensure upper 32 bits of x0 are zero on syscall return + +From: Will Deacon + +commit 15956689a0e60aa0c795174f3c310b60d8794235 upstream. + +Although we zero the upper bits of x0 on entry to the kernel from an +AArch32 task, we do not clear them on the exception return path and can +therefore expose 64-bit sign extended syscall return values to userspace +via interfaces such as the 'perf_regs' ABI, which deal exclusively with +64-bit registers. + +Explicitly clear the upper 32 bits of x0 on return from a compat system +call. + +Cc: +Cc: Mark Rutland +Cc: Keno Fischer +Cc: Luis Machado +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/include/asm/syscall.h | 12 +++++++++++- + arch/arm64/kernel/syscall.c | 3 +++ + 2 files changed, 14 insertions(+), 1 deletion(-) + +--- a/arch/arm64/include/asm/syscall.h ++++ b/arch/arm64/include/asm/syscall.h +@@ -45,6 +45,10 @@ static inline long syscall_get_error(str + struct pt_regs *regs) + { + unsigned long error = regs->regs[0]; ++ ++ if (is_compat_thread(task_thread_info(task))) ++ error = sign_extend64(error, 31); ++ + return IS_ERR_VALUE(error) ? error : 0; + } + +@@ -58,7 +62,13 @@ static inline void syscall_set_return_va + struct pt_regs *regs, + int error, long val) + { +- regs->regs[0] = (long) error ? error : val; ++ if (error) ++ val = error; ++ ++ if (is_compat_thread(task_thread_info(task))) ++ val = lower_32_bits(val); ++ ++ regs->regs[0] = val; + } + + #define SYSCALL_MAX_ARGS 6 +--- a/arch/arm64/kernel/syscall.c ++++ b/arch/arm64/kernel/syscall.c +@@ -50,6 +50,9 @@ static void invoke_syscall(struct pt_reg + ret = do_ni_syscall(regs, scno); + } + ++ if (is_compat_task()) ++ ret = lower_32_bits(ret); ++ + regs->regs[0] = ret; + } + diff --git a/queue-4.19/arm64-ptrace-consistently-use-pseudo-singlestep-exceptions.patch b/queue-4.19/arm64-ptrace-consistently-use-pseudo-singlestep-exceptions.patch new file mode 100644 index 00000000000..b353e701f4e --- /dev/null +++ b/queue-4.19/arm64-ptrace-consistently-use-pseudo-singlestep-exceptions.patch @@ -0,0 +1,139 @@ +From ac2081cdc4d99c57f219c1a6171526e0fa0a6fff Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Thu, 2 Jul 2020 21:16:20 +0100 +Subject: arm64: ptrace: Consistently use pseudo-singlestep exceptions + +From: Will Deacon + +commit ac2081cdc4d99c57f219c1a6171526e0fa0a6fff upstream. + +Although the arm64 single-step state machine can be fast-forwarded in +cases where we wish to generate a SIGTRAP without actually executing an +instruction, this has two major limitations outside of simply skipping +an instruction due to emulation. + +1. Stepping out of a ptrace signal stop into a signal handler where + SIGTRAP is blocked. Fast-forwarding the stepping state machine in + this case will result in a forced SIGTRAP, with the handler reset to + SIG_DFL. + +2. The hardware implicitly fast-forwards the state machine when executing + an SVC instruction for issuing a system call. This can interact badly + with subsequent ptrace stops signalled during the execution of the + system call (e.g. SYSCALL_EXIT or seccomp traps), as they may corrupt + the stepping state by updating the PSTATE for the tracee. + +Resolve both of these issues by injecting a pseudo-singlestep exception +on entry to a signal handler and also on return to userspace following a +system call. + +Cc: +Cc: Mark Rutland +Tested-by: Luis Machado +Reported-by: Keno Fischer +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/include/asm/thread_info.h | 1 + + arch/arm64/kernel/ptrace.c | 27 ++++++++++++++++++++------- + arch/arm64/kernel/signal.c | 11 ++--------- + arch/arm64/kernel/syscall.c | 2 +- + 4 files changed, 24 insertions(+), 17 deletions(-) + +--- a/arch/arm64/include/asm/thread_info.h ++++ b/arch/arm64/include/asm/thread_info.h +@@ -101,6 +101,7 @@ void arch_release_task_struct(struct tas + #define _TIF_SECCOMP (1 << TIF_SECCOMP) + #define _TIF_UPROBE (1 << TIF_UPROBE) + #define _TIF_FSCHECK (1 << TIF_FSCHECK) ++#define _TIF_SINGLESTEP (1 << TIF_SINGLESTEP) + #define _TIF_32BIT (1 << TIF_32BIT) + #define _TIF_SVE (1 << TIF_SVE) + +--- a/arch/arm64/kernel/ptrace.c ++++ b/arch/arm64/kernel/ptrace.c +@@ -1647,12 +1647,23 @@ static void tracehook_report_syscall(str + saved_reg = regs->regs[regno]; + regs->regs[regno] = dir; + +- if (dir == PTRACE_SYSCALL_EXIT) ++ if (dir == PTRACE_SYSCALL_ENTER) { ++ if (tracehook_report_syscall_entry(regs)) ++ forget_syscall(regs); ++ regs->regs[regno] = saved_reg; ++ } else if (!test_thread_flag(TIF_SINGLESTEP)) { + tracehook_report_syscall_exit(regs, 0); +- else if (tracehook_report_syscall_entry(regs)) +- forget_syscall(regs); +- +- regs->regs[regno] = saved_reg; ++ regs->regs[regno] = saved_reg; ++ } else { ++ regs->regs[regno] = saved_reg; ++ ++ /* ++ * Signal a pseudo-step exception since we are stepping but ++ * tracer modifications to the registers may have rewound the ++ * state machine. ++ */ ++ tracehook_report_syscall_exit(regs, 1); ++ } + } + + int syscall_trace_enter(struct pt_regs *regs) +@@ -1675,12 +1686,14 @@ int syscall_trace_enter(struct pt_regs * + + void syscall_trace_exit(struct pt_regs *regs) + { ++ unsigned long flags = READ_ONCE(current_thread_info()->flags); ++ + audit_syscall_exit(regs); + +- if (test_thread_flag(TIF_SYSCALL_TRACEPOINT)) ++ if (flags & _TIF_SYSCALL_TRACEPOINT) + trace_sys_exit(regs, regs_return_value(regs)); + +- if (test_thread_flag(TIF_SYSCALL_TRACE)) ++ if (flags & (_TIF_SYSCALL_TRACE | _TIF_SINGLESTEP)) + tracehook_report_syscall(regs, PTRACE_SYSCALL_EXIT); + + rseq_syscall(regs); +--- a/arch/arm64/kernel/signal.c ++++ b/arch/arm64/kernel/signal.c +@@ -798,7 +798,6 @@ static void setup_restart_syscall(struct + */ + static void handle_signal(struct ksignal *ksig, struct pt_regs *regs) + { +- struct task_struct *tsk = current; + sigset_t *oldset = sigmask_to_save(); + int usig = ksig->sig; + int ret; +@@ -822,14 +821,8 @@ static void handle_signal(struct ksignal + */ + ret |= !valid_user_regs(®s->user_regs, current); + +- /* +- * Fast forward the stepping logic so we step into the signal +- * handler. +- */ +- if (!ret) +- user_fastforward_single_step(tsk); +- +- signal_setup_done(ret, ksig, 0); ++ /* Step into the signal handler if we are stepping */ ++ signal_setup_done(ret, ksig, test_thread_flag(TIF_SINGLESTEP)); + } + + /* +--- a/arch/arm64/kernel/syscall.c ++++ b/arch/arm64/kernel/syscall.c +@@ -121,7 +121,7 @@ static void el0_svc_common(struct pt_reg + if (!has_syscall_work(flags) && !IS_ENABLED(CONFIG_DEBUG_RSEQ)) { + local_daif_mask(); + flags = current_thread_info()->flags; +- if (!has_syscall_work(flags)) { ++ if (!has_syscall_work(flags) && !(flags & _TIF_SINGLESTEP)) { + /* + * We're off to userspace, where interrupts are + * always enabled after we restore the flags from diff --git a/queue-4.19/arm64-ptrace-override-spsr.ss-when-single-stepping-is-enabled.patch b/queue-4.19/arm64-ptrace-override-spsr.ss-when-single-stepping-is-enabled.patch new file mode 100644 index 00000000000..c3074467506 --- /dev/null +++ b/queue-4.19/arm64-ptrace-override-spsr.ss-when-single-stepping-is-enabled.patch @@ -0,0 +1,110 @@ +From 3a5a4366cecc25daa300b9a9174f7fdd352b9068 Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Thu, 13 Feb 2020 12:06:26 +0000 +Subject: arm64: ptrace: Override SPSR.SS when single-stepping is enabled + +From: Will Deacon + +commit 3a5a4366cecc25daa300b9a9174f7fdd352b9068 upstream. + +Luis reports that, when reverse debugging with GDB, single-step does not +function as expected on arm64: + + | I've noticed, under very specific conditions, that a PTRACE_SINGLESTEP + | request by GDB won't execute the underlying instruction. As a consequence, + | the PC doesn't move, but we return a SIGTRAP just like we would for a + | regular successful PTRACE_SINGLESTEP request. + +The underlying problem is that when the CPU register state is restored +as part of a reverse step, the SPSR.SS bit is cleared and so the hardware +single-step state can transition to the "active-pending" state, causing +an unexpected step exception to be taken immediately if a step operation +is attempted. + +In hindsight, we probably shouldn't have exposed SPSR.SS in the pstate +accessible by the GPR regset, but it's a bit late for that now. Instead, +simply prevent userspace from configuring the bit to a value which is +inconsistent with the TIF_SINGLESTEP state for the task being traced. + +Cc: +Cc: Mark Rutland +Cc: Keno Fischer +Link: https://lore.kernel.org/r/1eed6d69-d53d-9657-1fc9-c089be07f98c@linaro.org +Reported-by: Luis Machado +Tested-by: Luis Machado +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/include/asm/debug-monitors.h | 2 ++ + arch/arm64/kernel/debug-monitors.c | 20 ++++++++++++++++---- + arch/arm64/kernel/ptrace.c | 4 ++-- + 3 files changed, 20 insertions(+), 6 deletions(-) + +--- a/arch/arm64/include/asm/debug-monitors.h ++++ b/arch/arm64/include/asm/debug-monitors.h +@@ -119,6 +119,8 @@ void disable_debug_monitors(enum dbg_act + + void user_rewind_single_step(struct task_struct *task); + void user_fastforward_single_step(struct task_struct *task); ++void user_regs_reset_single_step(struct user_pt_regs *regs, ++ struct task_struct *task); + + void kernel_enable_single_step(struct pt_regs *regs); + void kernel_disable_single_step(void); +--- a/arch/arm64/kernel/debug-monitors.c ++++ b/arch/arm64/kernel/debug-monitors.c +@@ -152,17 +152,20 @@ postcore_initcall(debug_monitors_init); + /* + * Single step API and exception handling. + */ +-static void set_regs_spsr_ss(struct pt_regs *regs) ++static void set_user_regs_spsr_ss(struct user_pt_regs *regs) + { + regs->pstate |= DBG_SPSR_SS; + } +-NOKPROBE_SYMBOL(set_regs_spsr_ss); ++NOKPROBE_SYMBOL(set_user_regs_spsr_ss); + +-static void clear_regs_spsr_ss(struct pt_regs *regs) ++static void clear_user_regs_spsr_ss(struct user_pt_regs *regs) + { + regs->pstate &= ~DBG_SPSR_SS; + } +-NOKPROBE_SYMBOL(clear_regs_spsr_ss); ++NOKPROBE_SYMBOL(clear_user_regs_spsr_ss); ++ ++#define set_regs_spsr_ss(r) set_user_regs_spsr_ss(&(r)->user_regs) ++#define clear_regs_spsr_ss(r) clear_user_regs_spsr_ss(&(r)->user_regs) + + /* EL1 Single Step Handler hooks */ + static LIST_HEAD(step_hook); +@@ -400,6 +403,15 @@ void user_fastforward_single_step(struct + clear_regs_spsr_ss(task_pt_regs(task)); + } + ++void user_regs_reset_single_step(struct user_pt_regs *regs, ++ struct task_struct *task) ++{ ++ if (test_tsk_thread_flag(task, TIF_SINGLESTEP)) ++ set_user_regs_spsr_ss(regs); ++ else ++ clear_user_regs_spsr_ss(regs); ++} ++ + /* Kernel API */ + void kernel_enable_single_step(struct pt_regs *regs) + { +--- a/arch/arm64/kernel/ptrace.c ++++ b/arch/arm64/kernel/ptrace.c +@@ -1758,8 +1758,8 @@ static int valid_native_regs(struct user + */ + int valid_user_regs(struct user_pt_regs *regs, struct task_struct *task) + { +- if (!test_tsk_thread_flag(task, TIF_SINGLESTEP)) +- regs->pstate &= ~DBG_SPSR_SS; ++ /* https://lore.kernel.org/lkml/20191118131525.GA4180@willie-the-truck */ ++ user_regs_reset_single_step(regs, task); + + if (is_compat_thread(task_thread_info(task))) + return valid_compat_regs(regs); diff --git a/queue-4.19/dmaengine-fsl-edma-fix-null-pointer-exception-in-fsl_edma_tx_handler.patch b/queue-4.19/dmaengine-fsl-edma-fix-null-pointer-exception-in-fsl_edma_tx_handler.patch new file mode 100644 index 00000000000..cd03416ebe6 --- /dev/null +++ b/queue-4.19/dmaengine-fsl-edma-fix-null-pointer-exception-in-fsl_edma_tx_handler.patch @@ -0,0 +1,77 @@ +From f5e5677c420346b4e9788051c2e4d750996c428c Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Thu, 11 Jun 2020 14:17:41 +0200 +Subject: dmaengine: fsl-edma: Fix NULL pointer exception in fsl_edma_tx_handler + +From: Krzysztof Kozlowski + +commit f5e5677c420346b4e9788051c2e4d750996c428c upstream. + +NULL pointer exception happens occasionally on serial output initiated +by login timeout. This was reproduced only if kernel was built with +significant debugging options and EDMA driver is used with serial +console. + + col-vf50 login: root + Password: + Login timed out after 60 seconds. + Unable to handle kernel NULL pointer dereference at virtual address 00000044 + Internal error: Oops: 5 [#1] ARM + CPU: 0 PID: 157 Comm: login Not tainted 5.7.0-next-20200610-dirty #4 + Hardware name: Freescale Vybrid VF5xx/VF6xx (Device Tree) + (fsl_edma_tx_handler) from [<8016eb10>] (__handle_irq_event_percpu+0x64/0x304) + (__handle_irq_event_percpu) from [<8016eddc>] (handle_irq_event_percpu+0x2c/0x7c) + (handle_irq_event_percpu) from [<8016ee64>] (handle_irq_event+0x38/0x5c) + (handle_irq_event) from [<801729e4>] (handle_fasteoi_irq+0xa4/0x160) + (handle_fasteoi_irq) from [<8016ddcc>] (generic_handle_irq+0x34/0x44) + (generic_handle_irq) from [<8016e40c>] (__handle_domain_irq+0x54/0xa8) + (__handle_domain_irq) from [<80508bc8>] (gic_handle_irq+0x4c/0x80) + (gic_handle_irq) from [<80100af0>] (__irq_svc+0x70/0x98) + Exception stack(0x8459fe80 to 0x8459fec8) + fe80: 72286b00 e3359f64 00000001 0000412d a0070013 85c98840 85c98840 a0070013 + fea0: 8054e0d4 00000000 00000002 00000000 00000002 8459fed0 8081fbe8 8081fbec + fec0: 60070013 ffffffff + (__irq_svc) from [<8081fbec>] (_raw_spin_unlock_irqrestore+0x30/0x58) + (_raw_spin_unlock_irqrestore) from [<8056cb48>] (uart_flush_buffer+0x88/0xf8) + (uart_flush_buffer) from [<80554e60>] (tty_ldisc_hangup+0x38/0x1ac) + (tty_ldisc_hangup) from [<8054c7f4>] (__tty_hangup+0x158/0x2bc) + (__tty_hangup) from [<80557b90>] (disassociate_ctty.part.1+0x30/0x23c) + (disassociate_ctty.part.1) from [<8011fc18>] (do_exit+0x580/0xba0) + (do_exit) from [<801214f8>] (do_group_exit+0x3c/0xb4) + (do_group_exit) from [<80121580>] (__wake_up_parent+0x0/0x14) + +Issue looks like race condition between interrupt handler fsl_edma_tx_handler() +(called as result of fsl_edma_xfer_desc()) and terminating the transfer with +fsl_edma_terminate_all(). + +The fsl_edma_tx_handler() handles interrupt for a transfer with already freed +edesc and idle==true. + +Fixes: d6be34fbd39b ("dma: Add Freescale eDMA engine driver support") +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Robin Gong +Cc: +Link: https://lore.kernel.org/r/1591877861-28156-2-git-send-email-krzk@kernel.org +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/dma/fsl-edma.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/dma/fsl-edma.c ++++ b/drivers/dma/fsl-edma.c +@@ -682,6 +682,13 @@ static irqreturn_t fsl_edma_tx_handler(i + fsl_chan = &fsl_edma->chans[ch]; + + spin_lock(&fsl_chan->vchan.lock); ++ ++ if (!fsl_chan->edesc) { ++ /* terminate_all called before */ ++ spin_unlock(&fsl_chan->vchan.lock); ++ continue; ++ } ++ + if (!fsl_chan->edesc->iscyclic) { + list_del(&fsl_chan->edesc->vdesc.node); + vchan_cookie_complete(&fsl_chan->edesc->vdesc); diff --git a/queue-4.19/fuse-fix-parameter-for-fs_ioc_-get-set-flags.patch b/queue-4.19/fuse-fix-parameter-for-fs_ioc_-get-set-flags.patch new file mode 100644 index 00000000000..997865e1a57 --- /dev/null +++ b/queue-4.19/fuse-fix-parameter-for-fs_ioc_-get-set-flags.patch @@ -0,0 +1,65 @@ +From 31070f6ccec09f3bd4f1e28cd1e592fa4f3ba0b6 Mon Sep 17 00:00:00 2001 +From: Chirantan Ekbote +Date: Tue, 14 Jul 2020 19:26:39 +0900 +Subject: fuse: Fix parameter for FS_IOC_{GET,SET}FLAGS + +From: Chirantan Ekbote + +commit 31070f6ccec09f3bd4f1e28cd1e592fa4f3ba0b6 upstream. + +The ioctl encoding for this parameter is a long but the documentation says +it should be an int and the kernel drivers expect it to be an int. If the +fuse driver treats this as a long it might end up scribbling over the stack +of a userspace process that only allocated enough space for an int. + +This was previously discussed in [1] and a patch for fuse was proposed in +[2]. From what I can tell the patch in [2] was nacked in favor of adding +new, "fixed" ioctls and using those from userspace. However there is still +no "fixed" version of these ioctls and the fact is that it's sometimes +infeasible to change all userspace to use the new one. + +Handling the ioctls specially in the fuse driver seems like the most +pragmatic way for fuse servers to support them without causing crashes in +userspace applications that call them. + +[1]: https://lore.kernel.org/linux-fsdevel/20131126200559.GH20559@hall.aurel32.net/T/ +[2]: https://sourceforge.net/p/fuse/mailman/message/31771759/ + +Signed-off-by: Chirantan Ekbote +Fixes: 59efec7b9039 ("fuse: implement ioctl support") +Cc: +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman + +--- + fs/fuse/file.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/fs/fuse/file.c ++++ b/fs/fuse/file.c +@@ -18,6 +18,7 @@ + #include + #include + #include ++#include + + static const struct file_operations fuse_direct_io_file_operations; + +@@ -2535,7 +2536,16 @@ long fuse_do_ioctl(struct file *file, un + struct iovec *iov = iov_page; + + iov->iov_base = (void __user *)arg; +- iov->iov_len = _IOC_SIZE(cmd); ++ ++ switch (cmd) { ++ case FS_IOC_GETFLAGS: ++ case FS_IOC_SETFLAGS: ++ iov->iov_len = sizeof(int); ++ break; ++ default: ++ iov->iov_len = _IOC_SIZE(cmd); ++ break; ++ } + + if (_IOC_DIR(cmd) & _IOC_WRITE) { + in_iov = iov; diff --git a/queue-4.19/genirq-affinity-handle-affinity-setting-on-inactive-interrupts-correctly.patch b/queue-4.19/genirq-affinity-handle-affinity-setting-on-inactive-interrupts-correctly.patch new file mode 100644 index 00000000000..764b0a522f6 --- /dev/null +++ b/queue-4.19/genirq-affinity-handle-affinity-setting-on-inactive-interrupts-correctly.patch @@ -0,0 +1,164 @@ +From baedb87d1b53532f81b4bd0387f83b05d4f7eb9a Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Fri, 17 Jul 2020 18:00:02 +0200 +Subject: genirq/affinity: Handle affinity setting on inactive interrupts correctly + +From: Thomas Gleixner + +commit baedb87d1b53532f81b4bd0387f83b05d4f7eb9a upstream. + +Setting interrupt affinity on inactive interrupts is inconsistent when +hierarchical irq domains are enabled. The core code should just store the +affinity and not call into the irq chip driver for inactive interrupts +because the chip drivers may not be in a state to handle such requests. + +X86 has a hacky workaround for that but all other irq chips have not which +causes problems e.g. on GIC V3 ITS. + +Instead of adding more ugly hacks all over the place, solve the problem in +the core code. If the affinity is set on an inactive interrupt then: + + - Store it in the irq descriptors affinity mask + - Update the effective affinity to reflect that so user space has + a consistent view + - Don't call into the irq chip driver + +This is the core equivalent of the X86 workaround and works correctly +because the affinity setting is established in the irq chip when the +interrupt is activated later on. + +Note, that this is only effective when hierarchical irq domains are enabled +by the architecture. Doing it unconditionally would break legacy irq chip +implementations. + +For hierarchial irq domains this works correctly as none of the drivers can +have a dependency on affinity setting in inactive state by design. + +Remove the X86 workaround as it is not longer required. + +Fixes: 02edee152d6e ("x86/apic/vector: Ignore set_affinity call for inactive interrupts") +Reported-by: Ali Saidi +Signed-off-by: Thomas Gleixner +Tested-by: Ali Saidi +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20200529015501.15771-1-alisaidi@amazon.com +Link: https://lkml.kernel.org/r/877dv2rv25.fsf@nanos.tec.linutronix.de +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/apic/vector.c | 22 +++++----------------- + kernel/irq/manage.c | 37 +++++++++++++++++++++++++++++++++++-- + 2 files changed, 40 insertions(+), 19 deletions(-) + +--- a/arch/x86/kernel/apic/vector.c ++++ b/arch/x86/kernel/apic/vector.c +@@ -448,12 +448,10 @@ static int x86_vector_activate(struct ir + trace_vector_activate(irqd->irq, apicd->is_managed, + apicd->can_reserve, reserve); + +- /* Nothing to do for fixed assigned vectors */ +- if (!apicd->can_reserve && !apicd->is_managed) +- return 0; +- + raw_spin_lock_irqsave(&vector_lock, flags); +- if (reserve || irqd_is_managed_and_shutdown(irqd)) ++ if (!apicd->can_reserve && !apicd->is_managed) ++ assign_irq_vector_any_locked(irqd); ++ else if (reserve || irqd_is_managed_and_shutdown(irqd)) + vector_assign_managed_shutdown(irqd); + else if (apicd->is_managed) + ret = activate_managed(irqd); +@@ -771,20 +769,10 @@ void lapic_offline(void) + static int apic_set_affinity(struct irq_data *irqd, + const struct cpumask *dest, bool force) + { +- struct apic_chip_data *apicd = apic_chip_data(irqd); + int err; + +- /* +- * Core code can call here for inactive interrupts. For inactive +- * interrupts which use managed or reservation mode there is no +- * point in going through the vector assignment right now as the +- * activation will assign a vector which fits the destination +- * cpumask. Let the core code store the destination mask and be +- * done with it. +- */ +- if (!irqd_is_activated(irqd) && +- (apicd->is_managed || apicd->can_reserve)) +- return IRQ_SET_MASK_OK; ++ if (WARN_ON_ONCE(!irqd_is_activated(irqd))) ++ return -EIO; + + raw_spin_lock(&vector_lock); + cpumask_and(vector_searchmask, dest, cpu_online_mask); +--- a/kernel/irq/manage.c ++++ b/kernel/irq/manage.c +@@ -194,9 +194,9 @@ void irq_set_thread_affinity(struct irq_ + set_bit(IRQTF_AFFINITY, &action->thread_flags); + } + ++#ifdef CONFIG_GENERIC_IRQ_EFFECTIVE_AFF_MASK + static void irq_validate_effective_affinity(struct irq_data *data) + { +-#ifdef CONFIG_GENERIC_IRQ_EFFECTIVE_AFF_MASK + const struct cpumask *m = irq_data_get_effective_affinity_mask(data); + struct irq_chip *chip = irq_data_get_irq_chip(data); + +@@ -204,9 +204,19 @@ static void irq_validate_effective_affin + return; + pr_warn_once("irq_chip %s did not update eff. affinity mask of irq %u\n", + chip->name, data->irq); +-#endif + } + ++static inline void irq_init_effective_affinity(struct irq_data *data, ++ const struct cpumask *mask) ++{ ++ cpumask_copy(irq_data_get_effective_affinity_mask(data), mask); ++} ++#else ++static inline void irq_validate_effective_affinity(struct irq_data *data) { } ++static inline void irq_init_effective_affinity(struct irq_data *data, ++ const struct cpumask *mask) { } ++#endif ++ + int irq_do_set_affinity(struct irq_data *data, const struct cpumask *mask, + bool force) + { +@@ -264,6 +274,26 @@ static int irq_try_set_affinity(struct i + return ret; + } + ++static bool irq_set_affinity_deactivated(struct irq_data *data, ++ const struct cpumask *mask, bool force) ++{ ++ struct irq_desc *desc = irq_data_to_desc(data); ++ ++ /* ++ * If the interrupt is not yet activated, just store the affinity ++ * mask and do not call the chip driver at all. On activation the ++ * driver has to make sure anyway that the interrupt is in a ++ * useable state so startup works. ++ */ ++ if (!IS_ENABLED(CONFIG_IRQ_DOMAIN_HIERARCHY) || irqd_is_activated(data)) ++ return false; ++ ++ cpumask_copy(desc->irq_common_data.affinity, mask); ++ irq_init_effective_affinity(data, mask); ++ irqd_set(data, IRQD_AFFINITY_SET); ++ return true; ++} ++ + int irq_set_affinity_locked(struct irq_data *data, const struct cpumask *mask, + bool force) + { +@@ -274,6 +304,9 @@ int irq_set_affinity_locked(struct irq_d + if (!chip || !chip->irq_set_affinity) + return -EINVAL; + ++ if (irq_set_affinity_deactivated(data, mask, force)) ++ return 0; ++ + if (irq_can_move_pcntxt(data) && !irqd_is_setaffinity_pending(data)) { + ret = irq_try_set_affinity(data, mask, force); + } else { diff --git a/queue-4.19/hwmon-emc2103-fix-unable-to-change-fan-pwm1_enable-attribute.patch b/queue-4.19/hwmon-emc2103-fix-unable-to-change-fan-pwm1_enable-attribute.patch new file mode 100644 index 00000000000..5911cfec704 --- /dev/null +++ b/queue-4.19/hwmon-emc2103-fix-unable-to-change-fan-pwm1_enable-attribute.patch @@ -0,0 +1,40 @@ +From 14b0e83dc4f1e52b94acaeb85a18fd7fdd46d2dc Mon Sep 17 00:00:00 2001 +From: Vishwas M +Date: Tue, 7 Jul 2020 19:57:47 +0530 +Subject: hwmon: (emc2103) fix unable to change fan pwm1_enable attribute + +From: Vishwas M + +commit 14b0e83dc4f1e52b94acaeb85a18fd7fdd46d2dc upstream. + +This patch fixes a bug which does not let FAN mode to be changed from +sysfs(pwm1_enable). i.e pwm1_enable can not be set to 3, it will always +remain at 0. + +This is caused because the device driver handles the result of +"read_u8_from_i2c(client, REG_FAN_CONF1, &conf_reg)" incorrectly. The +driver thinks an error has occurred if the (result != 0). This has been +fixed by changing the condition to (result < 0). + +Signed-off-by: Vishwas M +Link: https://lore.kernel.org/r/20200707142747.118414-1-vishwas.reddy.vr@gmail.com +Fixes: 9df7305b5a86 ("hwmon: Add driver for SMSC EMC2103 temperature monitor and fan controller") +Cc: stable@vger.kernel.org +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwmon/emc2103.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hwmon/emc2103.c ++++ b/drivers/hwmon/emc2103.c +@@ -454,7 +454,7 @@ static ssize_t pwm1_enable_store(struct + } + + result = read_u8_from_i2c(client, REG_FAN_CONF1, &conf_reg); +- if (result) { ++ if (result < 0) { + count = result; + goto err; + } diff --git a/queue-4.19/input-i8042-add-lenovo-xiaoxin-air-12-to-i8042-nomux-list.patch b/queue-4.19/input-i8042-add-lenovo-xiaoxin-air-12-to-i8042-nomux-list.patch new file mode 100644 index 00000000000..4b8bb9c3475 --- /dev/null +++ b/queue-4.19/input-i8042-add-lenovo-xiaoxin-air-12-to-i8042-nomux-list.patch @@ -0,0 +1,39 @@ +From 17d51429da722cd8fc77a365a112f008abf4f8b3 Mon Sep 17 00:00:00 2001 +From: David Pedersen +Date: Mon, 6 Jul 2020 18:48:51 -0700 +Subject: Input: i8042 - add Lenovo XiaoXin Air 12 to i8042 nomux list + +From: David Pedersen + +commit 17d51429da722cd8fc77a365a112f008abf4f8b3 upstream. + +This fixes two finger trackpad scroll on the Lenovo XiaoXin Air 12. +Without nomux, the trackpad behaves as if only one finger is present and +moves the cursor when trying to scroll. + +Signed-off-by: David Pedersen +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20200625133754.291325-1-limero1337@gmail.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/serio/i8042-x86ia64io.h | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/input/serio/i8042-x86ia64io.h ++++ b/drivers/input/serio/i8042-x86ia64io.h +@@ -430,6 +430,13 @@ static const struct dmi_system_id __init + }, + }, + { ++ /* Lenovo XiaoXin Air 12 */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "80UN"), ++ }, ++ }, ++ { + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "Acer"), + DMI_MATCH(DMI_PRODUCT_NAME, "Aspire 1360"), diff --git a/queue-4.19/intel_th-fix-a-null-dereference-when-hub-driver-is-not-loaded.patch b/queue-4.19/intel_th-fix-a-null-dereference-when-hub-driver-is-not-loaded.patch new file mode 100644 index 00000000000..7ae97d948d4 --- /dev/null +++ b/queue-4.19/intel_th-fix-a-null-dereference-when-hub-driver-is-not-loaded.patch @@ -0,0 +1,91 @@ +From e78e1fdb282726beaf88aa75943682217e6ded0e Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Mon, 6 Jul 2020 19:13:39 +0300 +Subject: intel_th: Fix a NULL dereference when hub driver is not loaded + +From: Alexander Shishkin + +commit e78e1fdb282726beaf88aa75943682217e6ded0e upstream. + +Connecting master to an output port when GTH driver module is not loaded +triggers a NULL dereference: + +> RIP: 0010:intel_th_set_output+0x35/0x70 [intel_th] +> Call Trace: +> ? sth_stm_link+0x12/0x20 [intel_th_sth] +> stm_source_link_store+0x164/0x270 [stm_core] +> dev_attr_store+0x17/0x30 +> sysfs_kf_write+0x3e/0x50 +> kernfs_fop_write+0xda/0x1b0 +> __vfs_write+0x1b/0x40 +> vfs_write+0xb9/0x1a0 +> ksys_write+0x67/0xe0 +> __x64_sys_write+0x1a/0x20 +> do_syscall_64+0x57/0x1d0 +> entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Make sure the module in question is loaded and return an error if not. + +Signed-off-by: Alexander Shishkin +Fixes: 39f4034693b7c ("intel_th: Add driver infrastructure for Intel(R) Trace Hub devices") +Reviewed-by: Andy Shevchenko +Reported-by: Ammy Yi +Tested-by: Ammy Yi +Cc: stable@vger.kernel.org # v4.4 +Link: https://lore.kernel.org/r/20200706161339.55468-5-alexander.shishkin@linux.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwtracing/intel_th/core.c | 21 ++++++++++++++++++--- + drivers/hwtracing/intel_th/sth.c | 4 +--- + 2 files changed, 19 insertions(+), 6 deletions(-) + +--- a/drivers/hwtracing/intel_th/core.c ++++ b/drivers/hwtracing/intel_th/core.c +@@ -944,15 +944,30 @@ int intel_th_set_output(struct intel_th_ + { + struct intel_th_device *hub = to_intel_th_hub(thdev); + struct intel_th_driver *hubdrv = to_intel_th_driver(hub->dev.driver); ++ int ret; + + /* In host mode, this is up to the external debugger, do nothing. */ + if (hub->host_mode) + return 0; + +- if (!hubdrv->set_output) +- return -ENOTSUPP; ++ /* ++ * hub is instantiated together with the source device that ++ * calls here, so guaranteed to be present. ++ */ ++ hubdrv = to_intel_th_driver(hub->dev.driver); ++ if (!hubdrv || !try_module_get(hubdrv->driver.owner)) ++ return -EINVAL; + +- return hubdrv->set_output(hub, master); ++ if (!hubdrv->set_output) { ++ ret = -ENOTSUPP; ++ goto out; ++ } ++ ++ ret = hubdrv->set_output(hub, master); ++ ++out: ++ module_put(hubdrv->driver.owner); ++ return ret; + } + EXPORT_SYMBOL_GPL(intel_th_set_output); + +--- a/drivers/hwtracing/intel_th/sth.c ++++ b/drivers/hwtracing/intel_th/sth.c +@@ -157,9 +157,7 @@ static int sth_stm_link(struct stm_data + { + struct sth_device *sth = container_of(stm_data, struct sth_device, stm); + +- intel_th_set_output(to_intel_th_device(sth->dev), master); +- +- return 0; ++ return intel_th_set_output(to_intel_th_device(sth->dev), master); + } + + static int intel_th_sw_init(struct sth_device *sth) diff --git a/queue-4.19/intel_th-pci-add-emmitsburg-pch-support.patch b/queue-4.19/intel_th-pci-add-emmitsburg-pch-support.patch new file mode 100644 index 00000000000..2000980e8e6 --- /dev/null +++ b/queue-4.19/intel_th-pci-add-emmitsburg-pch-support.patch @@ -0,0 +1,35 @@ +From fd73d74a32bfaaf259441322cc5a1c83caaa94f2 Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Mon, 6 Jul 2020 19:13:38 +0300 +Subject: intel_th: pci: Add Emmitsburg PCH support + +From: Alexander Shishkin + +commit fd73d74a32bfaaf259441322cc5a1c83caaa94f2 upstream. + +This adds support for the Trace Hub in Emmitsburg PCH. + +Signed-off-by: Alexander Shishkin +Reviewed-by: Andy Shevchenko +Cc: stable@vger.kernel.org # v4.14+ +Link: https://lore.kernel.org/r/20200706161339.55468-4-alexander.shishkin@linux.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwtracing/intel_th/pci.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/hwtracing/intel_th/pci.c ++++ b/drivers/hwtracing/intel_th/pci.c +@@ -230,6 +230,11 @@ static const struct pci_device_id intel_ + PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x4b26), + .driver_data = (kernel_ulong_t)&intel_th_2x, + }, ++ { ++ /* Emmitsburg PCH */ ++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x1bcc), ++ .driver_data = (kernel_ulong_t)&intel_th_2x, ++ }, + { 0 }, + }; + diff --git a/queue-4.19/intel_th-pci-add-jasper-lake-cpu-support.patch b/queue-4.19/intel_th-pci-add-jasper-lake-cpu-support.patch new file mode 100644 index 00000000000..1d2d187470d --- /dev/null +++ b/queue-4.19/intel_th-pci-add-jasper-lake-cpu-support.patch @@ -0,0 +1,35 @@ +From 203c1f615052921901b7a8fbe2005d8ea6add076 Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Mon, 6 Jul 2020 19:13:36 +0300 +Subject: intel_th: pci: Add Jasper Lake CPU support + +From: Alexander Shishkin + +commit 203c1f615052921901b7a8fbe2005d8ea6add076 upstream. + +This adds support for the Trace Hub in Jasper Lake CPU. + +Signed-off-by: Alexander Shishkin +Reviewed-by: Andy Shevchenko +Cc: stable@vger.kernel.org # v4.14+ +Link: https://lore.kernel.org/r/20200706161339.55468-2-alexander.shishkin@linux.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwtracing/intel_th/pci.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/hwtracing/intel_th/pci.c ++++ b/drivers/hwtracing/intel_th/pci.c +@@ -211,6 +211,11 @@ static const struct pci_device_id intel_ + .driver_data = (kernel_ulong_t)&intel_th_2x, + }, + { ++ /* Jasper Lake CPU */ ++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x4e29), ++ .driver_data = (kernel_ulong_t)&intel_th_2x, ++ }, ++ { + /* Elkhart Lake CPU */ + PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x4529), + .driver_data = (kernel_ulong_t)&intel_th_2x, diff --git a/queue-4.19/intel_th-pci-add-tiger-lake-pch-h-support.patch b/queue-4.19/intel_th-pci-add-tiger-lake-pch-h-support.patch new file mode 100644 index 00000000000..e8f1d0cf634 --- /dev/null +++ b/queue-4.19/intel_th-pci-add-tiger-lake-pch-h-support.patch @@ -0,0 +1,35 @@ +From 6227585dc7b6a5405fc08dc322f98cb95e2f0eb4 Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Mon, 6 Jul 2020 19:13:37 +0300 +Subject: intel_th: pci: Add Tiger Lake PCH-H support + +From: Alexander Shishkin + +commit 6227585dc7b6a5405fc08dc322f98cb95e2f0eb4 upstream. + +This adds support for the Trace Hub in Tiger Lake PCH-H. + +Signed-off-by: Alexander Shishkin +Reviewed-by: Andy Shevchenko +Cc: stable@vger.kernel.org # v4.14+ +Link: https://lore.kernel.org/r/20200706161339.55468-3-alexander.shishkin@linux.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwtracing/intel_th/pci.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/hwtracing/intel_th/pci.c ++++ b/drivers/hwtracing/intel_th/pci.c +@@ -206,6 +206,11 @@ static const struct pci_device_id intel_ + .driver_data = (kernel_ulong_t)&intel_th_2x, + }, + { ++ /* Tiger Lake PCH-H */ ++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x43a6), ++ .driver_data = (kernel_ulong_t)&intel_th_2x, ++ }, ++ { + /* Jasper Lake PCH */ + PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x4da6), + .driver_data = (kernel_ulong_t)&intel_th_2x, diff --git a/queue-4.19/mei-bus-don-t-clean-driver-pointer.patch b/queue-4.19/mei-bus-don-t-clean-driver-pointer.patch new file mode 100644 index 00000000000..2101072a87a --- /dev/null +++ b/queue-4.19/mei-bus-don-t-clean-driver-pointer.patch @@ -0,0 +1,50 @@ +From e852c2c251ed9c23ae6e3efebc5ec49adb504207 Mon Sep 17 00:00:00 2001 +From: Alexander Usyskin +Date: Mon, 29 Jun 2020 01:53:59 +0300 +Subject: mei: bus: don't clean driver pointer + +From: Alexander Usyskin + +commit e852c2c251ed9c23ae6e3efebc5ec49adb504207 upstream. + +It's not needed to set driver to NULL in mei_cl_device_remove() +which is bus_type remove() handler as this is done anyway +in __device_release_driver(). + +Actually this is causing an endless loop in driver_detach() +on ubuntu patched kernel, while removing (rmmod) the mei_hdcp module. +The reason list_empty(&drv->p->klist_devices.k_list) is always not-empty. +as the check is always true in __device_release_driver() + if (dev->driver != drv) + return; + +The non upstream patch is causing this behavior, titled: +'vfio -- release device lock before userspace requests' + +Nevertheless the fix is correct also for the upstream. + +Link: https://patchwork.ozlabs.org/project/ubuntu-kernel/patch/20180912085046.3401-2-apw@canonical.com/ +Cc: +Cc: Andy Whitcroft +Signed-off-by: Alexander Usyskin +Signed-off-by: Tomas Winkler +Link: https://lore.kernel.org/r/20200628225359.2185929-1-tomas.winkler@intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/mei/bus.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/misc/mei/bus.c ++++ b/drivers/misc/mei/bus.c +@@ -755,9 +755,8 @@ static int mei_cl_device_remove(struct d + + mei_cl_bus_module_put(cldev); + module_put(THIS_MODULE); +- dev->driver = NULL; +- return ret; + ++ return ret; + } + + static ssize_t name_show(struct device *dev, struct device_attribute *a, diff --git a/queue-4.19/mips-fix-build-for-lts-kernel-caused-by-backporting-lpj-adjustment.patch b/queue-4.19/mips-fix-build-for-lts-kernel-caused-by-backporting-lpj-adjustment.patch new file mode 100644 index 00000000000..ad2906bb6aa --- /dev/null +++ b/queue-4.19/mips-fix-build-for-lts-kernel-caused-by-backporting-lpj-adjustment.patch @@ -0,0 +1,62 @@ +From chenhc@lemote.com Mon Jul 20 14:10:23 2020 +From: Huacai Chen +Date: Thu, 16 Jul 2020 17:39:29 +0800 +Subject: MIPS: Fix build for LTS kernel caused by backporting lpj adjustment +To: Thomas Bogendoerfer +Cc: linux-mips@vger.kernel.org, Fuxin Zhang , Zhangjin Wu , Huacai Chen , Jiaxun Yang , Huacai Chen , Serge Semin , "Stable # 4 . 4/4 . 9/4 . 14/4 . 19" +Message-ID: <1594892369-28060-1-git-send-email-chenhc@lemote.com> + +From: Huacai Chen + +Commit ed26aacfb5f71eecb20a ("mips: Add udelay lpj numbers adjustment") +has backported to 4.4~5.4, but the "struct cpufreq_freqs" (and also the +cpufreq notifier machanism) of 4.4~4.19 are different from the upstream +kernel. These differences cause build errors, and this patch can fix the +build. + +Cc: Serge Semin +Cc: Stable # 4.4/4.9/4.14/4.19 +Signed-off-by: Huacai Chen +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/time.c | 13 ++++--------- + 1 file changed, 4 insertions(+), 9 deletions(-) + +--- a/arch/mips/kernel/time.c ++++ b/arch/mips/kernel/time.c +@@ -40,10 +40,8 @@ static unsigned long glb_lpj_ref_freq; + static int cpufreq_callback(struct notifier_block *nb, + unsigned long val, void *data) + { +- struct cpufreq_freqs *freq = data; +- struct cpumask *cpus = freq->policy->cpus; +- unsigned long lpj; + int cpu; ++ struct cpufreq_freqs *freq = data; + + /* + * Skip lpj numbers adjustment if the CPU-freq transition is safe for +@@ -64,6 +62,7 @@ static int cpufreq_callback(struct notif + } + } + ++ cpu = freq->cpu; + /* + * Adjust global lpj variable and per-CPU udelay_val number in + * accordance with the new CPU frequency. +@@ -74,12 +73,8 @@ static int cpufreq_callback(struct notif + glb_lpj_ref_freq, + freq->new); + +- for_each_cpu(cpu, cpus) { +- lpj = cpufreq_scale(per_cpu(pcp_lpj_ref, cpu), +- per_cpu(pcp_lpj_ref_freq, cpu), +- freq->new); +- cpu_data[cpu].udelay_val = (unsigned int)lpj; +- } ++ cpu_data[cpu].udelay_val = cpufreq_scale(per_cpu(pcp_lpj_ref, cpu), ++ per_cpu(pcp_lpj_ref_freq, cpu), freq->new); + } + + return NOTIFY_OK; diff --git a/queue-4.19/misc-atmel-ssc-lock-with-mutex-instead-of-spinlock.patch b/queue-4.19/misc-atmel-ssc-lock-with-mutex-instead-of-spinlock.patch new file mode 100644 index 00000000000..2cfba2ebe80 --- /dev/null +++ b/queue-4.19/misc-atmel-ssc-lock-with-mutex-instead-of-spinlock.patch @@ -0,0 +1,118 @@ +From b037d60a3b1d1227609fd858fa34321f41829911 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micha=C5=82=20Miros=C5=82aw?= +Date: Wed, 24 Jun 2020 13:35:41 +0200 +Subject: misc: atmel-ssc: lock with mutex instead of spinlock +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michał Mirosław + +commit b037d60a3b1d1227609fd858fa34321f41829911 upstream. + +Uninterruptible context is not needed in the driver and causes lockdep +warning because of mutex taken in of_alias_get_id(). Convert the lock to +mutex to avoid the issue. + +Cc: stable@vger.kernel.org +Fixes: 099343c64e16 ("ARM: at91: atmel-ssc: add device tree support") +Signed-off-by: Michał Mirosław +Link: https://lore.kernel.org/r/50f0d7fa107f318296afb49477c3571e4d6978c5.1592998403.git.mirq-linux@rere.qmqm.pl +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/atmel-ssc.c | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) + +--- a/drivers/misc/atmel-ssc.c ++++ b/drivers/misc/atmel-ssc.c +@@ -13,7 +13,7 @@ + #include + #include + #include +-#include ++#include + #include + #include + #include +@@ -23,7 +23,7 @@ + #include "../../sound/soc/atmel/atmel_ssc_dai.h" + + /* Serialize access to ssc_list and user count */ +-static DEFINE_SPINLOCK(user_lock); ++static DEFINE_MUTEX(user_lock); + static LIST_HEAD(ssc_list); + + struct ssc_device *ssc_request(unsigned int ssc_num) +@@ -31,7 +31,7 @@ struct ssc_device *ssc_request(unsigned + int ssc_valid = 0; + struct ssc_device *ssc; + +- spin_lock(&user_lock); ++ mutex_lock(&user_lock); + list_for_each_entry(ssc, &ssc_list, list) { + if (ssc->pdev->dev.of_node) { + if (of_alias_get_id(ssc->pdev->dev.of_node, "ssc") +@@ -47,18 +47,18 @@ struct ssc_device *ssc_request(unsigned + } + + if (!ssc_valid) { +- spin_unlock(&user_lock); ++ mutex_unlock(&user_lock); + pr_err("ssc: ssc%d platform device is missing\n", ssc_num); + return ERR_PTR(-ENODEV); + } + + if (ssc->user) { +- spin_unlock(&user_lock); ++ mutex_unlock(&user_lock); + dev_dbg(&ssc->pdev->dev, "module busy\n"); + return ERR_PTR(-EBUSY); + } + ssc->user++; +- spin_unlock(&user_lock); ++ mutex_unlock(&user_lock); + + clk_prepare(ssc->clk); + +@@ -70,14 +70,14 @@ void ssc_free(struct ssc_device *ssc) + { + bool disable_clk = true; + +- spin_lock(&user_lock); ++ mutex_lock(&user_lock); + if (ssc->user) + ssc->user--; + else { + disable_clk = false; + dev_dbg(&ssc->pdev->dev, "device already free\n"); + } +- spin_unlock(&user_lock); ++ mutex_unlock(&user_lock); + + if (disable_clk) + clk_unprepare(ssc->clk); +@@ -240,9 +240,9 @@ static int ssc_probe(struct platform_dev + return -ENXIO; + } + +- spin_lock(&user_lock); ++ mutex_lock(&user_lock); + list_add_tail(&ssc->list, &ssc_list); +- spin_unlock(&user_lock); ++ mutex_unlock(&user_lock); + + platform_set_drvdata(pdev, ssc); + +@@ -261,9 +261,9 @@ static int ssc_remove(struct platform_de + + ssc_sound_dai_remove(ssc); + +- spin_lock(&user_lock); ++ mutex_lock(&user_lock); + list_del(&ssc->list); +- spin_unlock(&user_lock); ++ mutex_unlock(&user_lock); + + return 0; + } diff --git a/queue-4.19/ovl-fix-unneeded-call-to-ovl_change_flags.patch b/queue-4.19/ovl-fix-unneeded-call-to-ovl_change_flags.patch new file mode 100644 index 00000000000..b927c3f4dd2 --- /dev/null +++ b/queue-4.19/ovl-fix-unneeded-call-to-ovl_change_flags.patch @@ -0,0 +1,61 @@ +From 81a33c1ee941c3bb9ffc6bac8f676be13351344e Mon Sep 17 00:00:00 2001 +From: Amir Goldstein +Date: Thu, 18 Jun 2020 18:43:53 +0300 +Subject: ovl: fix unneeded call to ovl_change_flags() + +From: Amir Goldstein + +commit 81a33c1ee941c3bb9ffc6bac8f676be13351344e upstream. + +The check if user has changed the overlay file was wrong, causing unneeded +call to ovl_change_flags() including taking f_lock on every file access. + +Fixes: d989903058a8 ("ovl: do not generate duplicate fsnotify events for "fake" path") +Cc: # v4.19+ +Signed-off-by: Amir Goldstein +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman + +--- + fs/overlayfs/file.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/fs/overlayfs/file.c ++++ b/fs/overlayfs/file.c +@@ -24,13 +24,16 @@ static char ovl_whatisit(struct inode *i + return 'm'; + } + ++/* No atime modificaton nor notify on underlying */ ++#define OVL_OPEN_FLAGS (O_NOATIME | FMODE_NONOTIFY) ++ + static struct file *ovl_open_realfile(const struct file *file, + struct inode *realinode) + { + struct inode *inode = file_inode(file); + struct file *realfile; + const struct cred *old_cred; +- int flags = file->f_flags | O_NOATIME | FMODE_NONOTIFY; ++ int flags = file->f_flags | OVL_OPEN_FLAGS; + + old_cred = ovl_override_creds(inode->i_sb); + realfile = open_with_fake_path(&file->f_path, flags, realinode, +@@ -51,8 +54,7 @@ static int ovl_change_flags(struct file + struct inode *inode = file_inode(file); + int err; + +- /* No atime modificaton on underlying */ +- flags |= O_NOATIME | FMODE_NONOTIFY; ++ flags |= OVL_OPEN_FLAGS; + + /* If some flag changed that cannot be changed then something's amiss */ + if (WARN_ON((file->f_flags ^ flags) & ~OVL_SETFL_MASK)) +@@ -105,7 +107,7 @@ static int ovl_real_fdget_meta(const str + } + + /* Did the flags change since open? */ +- if (unlikely((file->f_flags ^ real->file->f_flags) & ~O_NOATIME)) ++ if (unlikely((file->f_flags ^ real->file->f_flags) & ~OVL_OPEN_FLAGS)) + return ovl_change_flags(real->file, file->f_flags); + + return 0; diff --git a/queue-4.19/ovl-inode-reference-leak-in-ovl_is_inuse-true-case.patch b/queue-4.19/ovl-inode-reference-leak-in-ovl_is_inuse-true-case.patch new file mode 100644 index 00000000000..3a892d7c881 --- /dev/null +++ b/queue-4.19/ovl-inode-reference-leak-in-ovl_is_inuse-true-case.patch @@ -0,0 +1,50 @@ +From 24f14009b8f1754ec2ae4c168940c01259b0f88a Mon Sep 17 00:00:00 2001 +From: youngjun +Date: Tue, 16 Jun 2020 17:30:43 +0900 +Subject: ovl: inode reference leak in ovl_is_inuse true case. + +From: youngjun + +commit 24f14009b8f1754ec2ae4c168940c01259b0f88a upstream. + +When "ovl_is_inuse" true case, trap inode reference not put. plus adding +the comment explaining sequence of ovl_is_inuse after ovl_setup_trap. + +Fixes: 0be0bfd2de9d ("ovl: fix regression caused by overlapping layers detection") +Cc: # v4.19+ +Reviewed-by: Amir Goldstein +Signed-off-by: youngjun +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman + +--- + fs/overlayfs/super.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/fs/overlayfs/super.c ++++ b/fs/overlayfs/super.c +@@ -1310,14 +1310,23 @@ static int ovl_get_lower_layers(struct s + if (err < 0) + goto out; + ++ /* ++ * Check if lower root conflicts with this overlay layers before ++ * checking if it is in-use as upperdir/workdir of "another" ++ * mount, because we do not bother to check in ovl_is_inuse() if ++ * the upperdir/workdir is in fact in-use by our ++ * upperdir/workdir. ++ */ + err = ovl_setup_trap(sb, stack[i].dentry, &trap, "lowerdir"); + if (err) + goto out; + + if (ovl_is_inuse(stack[i].dentry)) { + err = ovl_report_in_use(ofs, "lowerdir"); +- if (err) ++ if (err) { ++ iput(trap); + goto out; ++ } + } + + mnt = clone_private_mount(&stack[i]); diff --git a/queue-4.19/ovl-relax-warn_on-when-decoding-lower-directory-file-handle.patch b/queue-4.19/ovl-relax-warn_on-when-decoding-lower-directory-file-handle.patch new file mode 100644 index 00000000000..62961a6ae94 --- /dev/null +++ b/queue-4.19/ovl-relax-warn_on-when-decoding-lower-directory-file-handle.patch @@ -0,0 +1,65 @@ +From 124c2de2c0aee96271e4ddab190083d8aa7aa71a Mon Sep 17 00:00:00 2001 +From: Amir Goldstein +Date: Wed, 17 Jun 2020 09:57:11 +0300 +Subject: ovl: relax WARN_ON() when decoding lower directory file handle + +From: Amir Goldstein + +commit 124c2de2c0aee96271e4ddab190083d8aa7aa71a upstream. + +Decoding a lower directory file handle to overlay path with cold +inode/dentry cache may go as follows: + +1. Decode real lower file handle to lower dir path +2. Check if lower dir is indexed (was copied up) +3. If indexed, get the upper dir path from index +4. Lookup upper dir path in overlay +5. If overlay path found, verify that overlay lower is the lower dir + from step 1 + +On failure to verify step 5 above, user will get an ESTALE error and a +WARN_ON will be printed. + +A mismatch in step 5 could be a result of lower directory that was renamed +while overlay was offline, after that lower directory has been copied up +and indexed. + +This is a scripted reproducer based on xfstest overlay/052: + + # Create lower subdir + create_dirs + create_test_files $lower/lowertestdir/subdir + mount_dirs + # Copy up lower dir and encode lower subdir file handle + touch $SCRATCH_MNT/lowertestdir + test_file_handles $SCRATCH_MNT/lowertestdir/subdir -p -o $tmp.fhandle + # Rename lower dir offline + unmount_dirs + mv $lower/lowertestdir $lower/lowertestdir.new/ + mount_dirs + # Attempt to decode lower subdir file handle + test_file_handles $SCRATCH_MNT -p -i $tmp.fhandle + +Since this WARN_ON() can be triggered by user we need to relax it. + +Fixes: 4b91c30a5a19 ("ovl: lookup connected ancestor of dir in inode cache") +Cc: # v4.16+ +Signed-off-by: Amir Goldstein +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman + +--- + fs/overlayfs/export.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/overlayfs/export.c ++++ b/fs/overlayfs/export.c +@@ -485,7 +485,7 @@ static struct dentry *ovl_lookup_real_in + if (IS_ERR_OR_NULL(this)) + return this; + +- if (WARN_ON(ovl_dentry_real_at(this, layer->idx) != real)) { ++ if (ovl_dentry_real_at(this, layer->idx) != real) { + dput(this); + this = ERR_PTR(-EIO); + } diff --git a/queue-4.19/powerpc-book3s64-pkeys-fix-pkey_access_permitted-for-execute-disable-pkey.patch b/queue-4.19/powerpc-book3s64-pkeys-fix-pkey_access_permitted-for-execute-disable-pkey.patch new file mode 100644 index 00000000000..6b4d0336fbf --- /dev/null +++ b/queue-4.19/powerpc-book3s64-pkeys-fix-pkey_access_permitted-for-execute-disable-pkey.patch @@ -0,0 +1,155 @@ +From 192b6a780598976feb7321ff007754f8511a4129 Mon Sep 17 00:00:00 2001 +From: "Aneesh Kumar K.V" +Date: Sun, 12 Jul 2020 18:50:47 +0530 +Subject: powerpc/book3s64/pkeys: Fix pkey_access_permitted() for execute disable pkey + +From: Aneesh Kumar K.V + +commit 192b6a780598976feb7321ff007754f8511a4129 upstream. + +Even if the IAMR value denies execute access, the current code returns +true from pkey_access_permitted() for an execute permission check, if +the AMR read pkey bit is cleared. + +This results in repeated page fault loop with a test like below: + + #define _GNU_SOURCE + #include + #include + #include + #include + #include + + #include + #include + #include + #include + #include + + #ifdef SYS_pkey_mprotect + #undef SYS_pkey_mprotect + #endif + + #ifdef SYS_pkey_alloc + #undef SYS_pkey_alloc + #endif + + #ifdef SYS_pkey_free + #undef SYS_pkey_free + #endif + + #undef PKEY_DISABLE_EXECUTE + #define PKEY_DISABLE_EXECUTE 0x4 + + #define SYS_pkey_mprotect 386 + #define SYS_pkey_alloc 384 + #define SYS_pkey_free 385 + + #define PPC_INST_NOP 0x60000000 + #define PPC_INST_BLR 0x4e800020 + #define PROT_RWX (PROT_READ | PROT_WRITE | PROT_EXEC) + + static int sys_pkey_mprotect(void *addr, size_t len, int prot, int pkey) + { + return syscall(SYS_pkey_mprotect, addr, len, prot, pkey); + } + + static int sys_pkey_alloc(unsigned long flags, unsigned long access_rights) + { + return syscall(SYS_pkey_alloc, flags, access_rights); + } + + static int sys_pkey_free(int pkey) + { + return syscall(SYS_pkey_free, pkey); + } + + static void do_execute(void *region) + { + /* jump to region */ + asm volatile( + "mtctr %0;" + "bctrl" + : : "r"(region) : "ctr", "lr"); + } + + static void do_protect(void *region) + { + size_t pgsize; + int i, pkey; + + pgsize = getpagesize(); + + pkey = sys_pkey_alloc(0, PKEY_DISABLE_EXECUTE); + assert (pkey > 0); + + /* perform mprotect */ + assert(!sys_pkey_mprotect(region, pgsize, PROT_RWX, pkey)); + do_execute(region); + + /* free pkey */ + assert(!sys_pkey_free(pkey)); + + } + + int main(int argc, char **argv) + { + size_t pgsize, numinsns; + unsigned int *region; + int i; + + /* allocate memory region to protect */ + pgsize = getpagesize(); + region = memalign(pgsize, pgsize); + assert(region != NULL); + assert(!mprotect(region, pgsize, PROT_RWX)); + + /* fill page with NOPs with a BLR at the end */ + numinsns = pgsize / sizeof(region[0]); + for (i = 0; i < numinsns - 1; i++) + region[i] = PPC_INST_NOP; + region[i] = PPC_INST_BLR; + + do_protect(region); + + return EXIT_SUCCESS; + } + +The fix is to only check the IAMR for an execute check, the AMR value +is not relevant. + +Fixes: f2407ef3ba22 ("powerpc: helper to validate key-access permissions of a pte") +Cc: stable@vger.kernel.org # v4.16+ +Reported-by: Sandipan Das +Signed-off-by: Aneesh Kumar K.V +[mpe: Add detail to change log, tweak wording & formatting] +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200712132047.1038594-1-aneesh.kumar@linux.ibm.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/mm/pkeys.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/arch/powerpc/mm/pkeys.c ++++ b/arch/powerpc/mm/pkeys.c +@@ -365,12 +365,14 @@ static bool pkey_access_permitted(int pk + return true; + + pkey_shift = pkeyshift(pkey); +- if (execute && !(read_iamr() & (IAMR_EX_BIT << pkey_shift))) +- return true; ++ if (execute) ++ return !(read_iamr() & (IAMR_EX_BIT << pkey_shift)); ++ ++ amr = read_amr(); ++ if (write) ++ return !(amr & (AMR_WR_BIT << pkey_shift)); + +- amr = read_amr(); /* Delay reading amr until absolutely needed */ +- return ((!write && !(amr & (AMR_RD_BIT << pkey_shift))) || +- (write && !(amr & (AMR_WR_BIT << pkey_shift)))); ++ return !(amr & (AMR_RD_BIT << pkey_shift)); + } + + bool arch_pte_access_permitted(u64 pte, bool write, bool execute) diff --git a/queue-4.19/revert-zram-convert-remaining-class_attr-to-class_attr_ro.patch b/queue-4.19/revert-zram-convert-remaining-class_attr-to-class_attr_ro.patch new file mode 100644 index 00000000000..e07e9abc56a --- /dev/null +++ b/queue-4.19/revert-zram-convert-remaining-class_attr-to-class_attr_ro.patch @@ -0,0 +1,39 @@ +From 853eab68afc80f59f36bbdeb715e5c88c501e680 Mon Sep 17 00:00:00 2001 +From: Wade Mealing +Date: Wed, 17 Jun 2020 13:49:47 +0200 +Subject: Revert "zram: convert remaining CLASS_ATTR() to CLASS_ATTR_RO()" + +From: Wade Mealing + +commit 853eab68afc80f59f36bbdeb715e5c88c501e680 upstream. + +Turns out that the permissions for 0400 really are what we want here, +otherwise any user can read from this file. + +[fixed formatting, added changelog, and made attribute static - gregkh] + +Reported-by: Wade Mealing +Cc: stable +Fixes: f40609d1591f ("zram: convert remaining CLASS_ATTR() to CLASS_ATTR_RO()") +Link: https://bugzilla.redhat.com/show_bug.cgi?id=1847832 +Reviewed-by: Steffen Maier +Acked-by: Minchan Kim +Link: https://lore.kernel.org/r/20200617114946.GA2131650@kroah.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/block/zram/zram_drv.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/block/zram/zram_drv.c ++++ b/drivers/block/zram/zram_drv.c +@@ -1802,7 +1802,8 @@ static ssize_t hot_add_show(struct class + return ret; + return scnprintf(buf, PAGE_SIZE, "%d\n", ret); + } +-static CLASS_ATTR_RO(hot_add); ++static struct class_attribute class_attr_hot_add = ++ __ATTR(hot_add, 0400, hot_add_show, NULL); + + static ssize_t hot_remove_store(struct class *class, + struct class_attribute *attr, diff --git a/queue-4.19/riscv-use-16kb-kernel-stack-on-64-bit.patch b/queue-4.19/riscv-use-16kb-kernel-stack-on-64-bit.patch new file mode 100644 index 00000000000..09a70f3ff5f --- /dev/null +++ b/queue-4.19/riscv-use-16kb-kernel-stack-on-64-bit.patch @@ -0,0 +1,39 @@ +From 0cac21b02ba5f3095fd2dcc77c26a25a0b2432ed Mon Sep 17 00:00:00 2001 +From: Andreas Schwab +Date: Mon, 6 Jul 2020 14:32:26 +0200 +Subject: riscv: use 16KB kernel stack on 64-bit + +From: Andreas Schwab + +commit 0cac21b02ba5f3095fd2dcc77c26a25a0b2432ed upstream. + +With the current 8KB stack size there are frequent overflows in a 64-bit +configuration. We may split IRQ stacks off in the future, but this fixes a +number of issues right now. + +Signed-off-by: Andreas Schwab +Reviewed-by: Anup Patel +[Palmer: mention irqstack in the commit text] +Fixes: 7db91e57a0ac ("RISC-V: Task implementation") +Cc: stable@vger.kernel.org +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman + +--- + arch/riscv/include/asm/thread_info.h | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/arch/riscv/include/asm/thread_info.h ++++ b/arch/riscv/include/asm/thread_info.h +@@ -20,7 +20,11 @@ + #include + + /* thread information allocation */ ++#ifdef CONFIG_64BIT ++#define THREAD_SIZE_ORDER (2) ++#else + #define THREAD_SIZE_ORDER (1) ++#endif + #define THREAD_SIZE (PAGE_SIZE << THREAD_SIZE_ORDER) + + #ifndef __ASSEMBLY__ diff --git a/queue-4.19/sched-fair-handle-case-of-task_h_load-returning-0.patch b/queue-4.19/sched-fair-handle-case-of-task_h_load-returning-0.patch new file mode 100644 index 00000000000..5a2b9c0d1dd --- /dev/null +++ b/queue-4.19/sched-fair-handle-case-of-task_h_load-returning-0.patch @@ -0,0 +1,57 @@ +From 01cfcde9c26d8555f0e6e9aea9d6049f87683998 Mon Sep 17 00:00:00 2001 +From: Vincent Guittot +Date: Fri, 10 Jul 2020 17:24:26 +0200 +Subject: sched/fair: handle case of task_h_load() returning 0 + +From: Vincent Guittot + +commit 01cfcde9c26d8555f0e6e9aea9d6049f87683998 upstream. + +task_h_load() can return 0 in some situations like running stress-ng +mmapfork, which forks thousands of threads, in a sched group on a 224 cores +system. The load balance doesn't handle this correctly because +env->imbalance never decreases and it will stop pulling tasks only after +reaching loop_max, which can be equal to the number of running tasks of +the cfs. Make sure that imbalance will be decreased by at least 1. + +misfit task is the other feature that doesn't handle correctly such +situation although it's probably more difficult to face the problem +because of the smaller number of CPUs and running tasks on heterogenous +system. + +We can't simply ensure that task_h_load() returns at least one because it +would imply to handle underflow in other places. + +Signed-off-by: Vincent Guittot +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Valentin Schneider +Reviewed-by: Dietmar Eggemann +Tested-by: Dietmar Eggemann +Cc: # v4.4+ +Link: https://lkml.kernel.org/r/20200710152426.16981-1-vincent.guittot@linaro.org +Signed-off-by: Greg Kroah-Hartman + + +--- + kernel/sched/fair.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -7337,7 +7337,15 @@ static int detach_tasks(struct lb_env *e + if (!can_migrate_task(p, env)) + goto next; + +- load = task_h_load(p); ++ /* ++ * Depending of the number of CPUs and tasks and the ++ * cgroup hierarchy, task_h_load() can return a null ++ * value. Make sure that env->imbalance decreases ++ * otherwise detach_tasks() will stop only after ++ * detaching up to loop_max tasks. ++ */ ++ load = max_t(unsigned long, task_h_load(p), 1); ++ + + if (sched_feat(LB_MIN) && load < 16 && !env->sd->nr_balance_failed) + goto next; diff --git a/queue-4.19/sched-fix-unreliable-rseq-cpu_id-for-new-tasks.patch b/queue-4.19/sched-fix-unreliable-rseq-cpu_id-for-new-tasks.patch new file mode 100644 index 00000000000..30c1fa4b9ae --- /dev/null +++ b/queue-4.19/sched-fix-unreliable-rseq-cpu_id-for-new-tasks.patch @@ -0,0 +1,81 @@ +From ce3614daabea8a2d01c1dd17ae41d1ec5e5ae7db Mon Sep 17 00:00:00 2001 +From: Mathieu Desnoyers +Date: Mon, 6 Jul 2020 16:49:10 -0400 +Subject: sched: Fix unreliable rseq cpu_id for new tasks + +From: Mathieu Desnoyers + +commit ce3614daabea8a2d01c1dd17ae41d1ec5e5ae7db upstream. + +While integrating rseq into glibc and replacing glibc's sched_getcpu +implementation with rseq, glibc's tests discovered an issue with +incorrect __rseq_abi.cpu_id field value right after the first time +a newly created process issues sched_setaffinity. + +For the records, it triggers after building glibc and running tests, and +then issuing: + + for x in {1..2000} ; do posix/tst-affinity-static & done + +and shows up as: + +error: Unexpected CPU 2, expected 0 +error: Unexpected CPU 2, expected 0 +error: Unexpected CPU 2, expected 0 +error: Unexpected CPU 2, expected 0 +error: Unexpected CPU 138, expected 0 +error: Unexpected CPU 138, expected 0 +error: Unexpected CPU 138, expected 0 +error: Unexpected CPU 138, expected 0 + +This is caused by the scheduler invoking __set_task_cpu() directly from +sched_fork() and wake_up_new_task(), thus bypassing rseq_migrate() which +is done by set_task_cpu(). + +Add the missing rseq_migrate() to both functions. The only other direct +use of __set_task_cpu() is done by init_idle(), which does not involve a +user-space task. + +Based on my testing with the glibc test-case, just adding rseq_migrate() +to wake_up_new_task() is sufficient to fix the observed issue. Also add +it to sched_fork() to keep things consistent. + +The reason why this never triggered so far with the rseq/basic_test +selftest is unclear. + +The current use of sched_getcpu(3) does not typically require it to be +always accurate. However, use of the __rseq_abi.cpu_id field within rseq +critical sections requires it to be accurate. If it is not accurate, it +can cause corruption in the per-cpu data targeted by rseq critical +sections in user-space. + +Reported-By: Florian Weimer +Signed-off-by: Mathieu Desnoyers +Signed-off-by: Peter Zijlstra (Intel) +Tested-By: Florian Weimer +Cc: stable@vger.kernel.org # v4.18+ +Link: https://lkml.kernel.org/r/20200707201505.2632-1-mathieu.desnoyers@efficios.com +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/sched/core.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -2345,6 +2345,7 @@ int sched_fork(unsigned long clone_flags + * Silence PROVE_RCU. + */ + raw_spin_lock_irqsave(&p->pi_lock, flags); ++ rseq_migrate(p); + /* + * We're setting the CPU for the first time, we don't migrate, + * so use __set_task_cpu(). +@@ -2409,6 +2410,7 @@ void wake_up_new_task(struct task_struct + * as we're not fully set-up yet. + */ + p->recent_used_cpu = task_cpu(p); ++ rseq_migrate(p); + __set_task_cpu(p, select_task_rq(p, task_cpu(p), SD_BALANCE_FORK, 0)); + #endif + rq = __task_rq_lock(p, &rf); diff --git a/queue-4.19/series b/queue-4.19/series index aca48c2a736..77d5b52dc48 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -102,3 +102,30 @@ virt-vbox-fix-vbgl_ioctl_vmmdev_request_big-and-_log-req-numbers-to-match-upstre virt-vbox-fix-guest-capabilities-mask-check.patch virtio-virtio_console-add-missing-module_device_table-for-rproc-serial.patch serial-mxs-auart-add-missed-iounmap-in-probe-failure-and-remove.patch +ovl-inode-reference-leak-in-ovl_is_inuse-true-case.patch +ovl-relax-warn_on-when-decoding-lower-directory-file-handle.patch +ovl-fix-unneeded-call-to-ovl_change_flags.patch +fuse-fix-parameter-for-fs_ioc_-get-set-flags.patch +revert-zram-convert-remaining-class_attr-to-class_attr_ro.patch +mei-bus-don-t-clean-driver-pointer.patch +input-i8042-add-lenovo-xiaoxin-air-12-to-i8042-nomux-list.patch +uio_pdrv_genirq-fix-use-without-device-tree-and-no-interrupt.patch +timer-prevent-base-clk-from-moving-backward.patch +timer-fix-wheel-index-calculation-on-last-level.patch +mips-fix-build-for-lts-kernel-caused-by-backporting-lpj-adjustment.patch +riscv-use-16kb-kernel-stack-on-64-bit.patch +hwmon-emc2103-fix-unable-to-change-fan-pwm1_enable-attribute.patch +powerpc-book3s64-pkeys-fix-pkey_access_permitted-for-execute-disable-pkey.patch +intel_th-pci-add-jasper-lake-cpu-support.patch +intel_th-pci-add-tiger-lake-pch-h-support.patch +intel_th-pci-add-emmitsburg-pch-support.patch +intel_th-fix-a-null-dereference-when-hub-driver-is-not-loaded.patch +dmaengine-fsl-edma-fix-null-pointer-exception-in-fsl_edma_tx_handler.patch +misc-atmel-ssc-lock-with-mutex-instead-of-spinlock.patch +thermal-drivers-cpufreq_cooling-fix-wrong-frequency-converted-from-power.patch +arm64-ptrace-override-spsr.ss-when-single-stepping-is-enabled.patch +arm64-ptrace-consistently-use-pseudo-singlestep-exceptions.patch +arm64-compat-ensure-upper-32-bits-of-x0-are-zero-on-syscall-return.patch +sched-fix-unreliable-rseq-cpu_id-for-new-tasks.patch +sched-fair-handle-case-of-task_h_load-returning-0.patch +genirq-affinity-handle-affinity-setting-on-inactive-interrupts-correctly.patch diff --git a/queue-4.19/thermal-drivers-cpufreq_cooling-fix-wrong-frequency-converted-from-power.patch b/queue-4.19/thermal-drivers-cpufreq_cooling-fix-wrong-frequency-converted-from-power.patch new file mode 100644 index 00000000000..0a08d3fe4f4 --- /dev/null +++ b/queue-4.19/thermal-drivers-cpufreq_cooling-fix-wrong-frequency-converted-from-power.patch @@ -0,0 +1,53 @@ +From 371a3bc79c11b707d7a1b7a2c938dc3cc042fffb Mon Sep 17 00:00:00 2001 +From: Finley Xiao +Date: Fri, 19 Jun 2020 17:08:25 +0800 +Subject: thermal/drivers/cpufreq_cooling: Fix wrong frequency converted from power + +From: Finley Xiao + +commit 371a3bc79c11b707d7a1b7a2c938dc3cc042fffb upstream. + +The function cpu_power_to_freq is used to find a frequency and set the +cooling device to consume at most the power to be converted. For example, +if the power to be converted is 80mW, and the em table is as follow. +struct em_cap_state table[] = { + /* KHz mW */ + { 1008000, 36, 0 }, + { 1200000, 49, 0 }, + { 1296000, 59, 0 }, + { 1416000, 72, 0 }, + { 1512000, 86, 0 }, +}; +The target frequency should be 1416000KHz, not 1512000KHz. + +Fixes: 349d39dc5739 ("thermal: cpu_cooling: merge frequency and power tables") +Cc: # v4.13+ +Signed-off-by: Finley Xiao +Acked-by: Viresh Kumar +Reviewed-by: Amit Kucheria +Signed-off-by: Daniel Lezcano +Link: https://lore.kernel.org/r/20200619090825.32747-1-finley.xiao@rock-chips.com +Signed-off-by: Viresh Kumar +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/thermal/cpu_cooling.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/thermal/cpu_cooling.c ++++ b/drivers/thermal/cpu_cooling.c +@@ -278,11 +278,11 @@ static u32 cpu_power_to_freq(struct cpuf + int i; + struct freq_table *freq_table = cpufreq_cdev->freq_table; + +- for (i = 1; i <= cpufreq_cdev->max_level; i++) +- if (power > freq_table[i].power) ++ for (i = 0; i < cpufreq_cdev->max_level; i++) ++ if (power >= freq_table[i].power) + break; + +- return freq_table[i - 1].frequency; ++ return freq_table[i].frequency; + } + + /** diff --git a/queue-4.19/timer-fix-wheel-index-calculation-on-last-level.patch b/queue-4.19/timer-fix-wheel-index-calculation-on-last-level.patch new file mode 100644 index 00000000000..3eb3052a157 --- /dev/null +++ b/queue-4.19/timer-fix-wheel-index-calculation-on-last-level.patch @@ -0,0 +1,44 @@ +From e2a71bdea81690b6ef11f4368261ec6f5b6891aa Mon Sep 17 00:00:00 2001 +From: Frederic Weisbecker +Date: Fri, 17 Jul 2020 16:05:40 +0200 +Subject: timer: Fix wheel index calculation on last level + +From: Frederic Weisbecker + +commit e2a71bdea81690b6ef11f4368261ec6f5b6891aa upstream. + +When an expiration delta falls into the last level of the wheel, that delta +has be compared against the maximum possible delay and reduced to fit in if +necessary. + +However instead of comparing the delta against the maximum, the code +compares the actual expiry against the maximum. Then instead of fixing the +delta to fit in, it sets the maximum delta as the expiry value. + +This can result in various undesired outcomes, the worst possible one +being a timer expiring 15 days ahead to fire immediately. + +Fixes: 500462a9de65 ("timers: Switch to a non-cascading wheel") +Signed-off-by: Frederic Weisbecker +Signed-off-by: Thomas Gleixner +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/20200717140551.29076-2-frederic@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/time/timer.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/kernel/time/timer.c ++++ b/kernel/time/timer.c +@@ -519,8 +519,8 @@ static int calc_wheel_index(unsigned lon + * Force expire obscene large timeouts to expire at the + * capacity limit of the wheel. + */ +- if (expires >= WHEEL_TIMEOUT_CUTOFF) +- expires = WHEEL_TIMEOUT_MAX; ++ if (delta >= WHEEL_TIMEOUT_CUTOFF) ++ expires = clk + WHEEL_TIMEOUT_MAX; + + idx = calc_index(expires, LVL_DEPTH - 1); + } diff --git a/queue-4.19/timer-prevent-base-clk-from-moving-backward.patch b/queue-4.19/timer-prevent-base-clk-from-moving-backward.patch new file mode 100644 index 00000000000..55dc08092eb --- /dev/null +++ b/queue-4.19/timer-prevent-base-clk-from-moving-backward.patch @@ -0,0 +1,74 @@ +From 30c66fc30ee7a98c4f3adf5fb7e213b61884474f Mon Sep 17 00:00:00 2001 +From: Frederic Weisbecker +Date: Fri, 3 Jul 2020 03:06:57 +0200 +Subject: timer: Prevent base->clk from moving backward + +From: Frederic Weisbecker + +commit 30c66fc30ee7a98c4f3adf5fb7e213b61884474f upstream. + +When a timer is enqueued with a negative delta (ie: expiry is below +base->clk), it gets added to the wheel as expiring now (base->clk). + +Yet the value that gets stored in base->next_expiry, while calling +trigger_dyntick_cpu(), is the initial timer->expires value. The +resulting state becomes: + + base->next_expiry < base->clk + +On the next timer enqueue, forward_timer_base() may accidentally +rewind base->clk. As a possible outcome, timers may expire way too +early, the worst case being that the highest wheel levels get spuriously +processed again. + +To prevent from that, make sure that base->next_expiry doesn't get below +base->clk. + +Fixes: a683f390b93f ("timers: Forward the wheel clock whenever possible") +Signed-off-by: Frederic Weisbecker +Signed-off-by: Thomas Gleixner +Reviewed-by: Anna-Maria Behnsen +Tested-by: Juri Lelli +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/20200703010657.2302-1-frederic@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/time/timer.c | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +--- a/kernel/time/timer.c ++++ b/kernel/time/timer.c +@@ -580,7 +580,15 @@ trigger_dyntick_cpu(struct timer_base *b + * Set the next expiry time and kick the CPU so it can reevaluate the + * wheel: + */ +- base->next_expiry = timer->expires; ++ if (time_before(timer->expires, base->clk)) { ++ /* ++ * Prevent from forward_timer_base() moving the base->clk ++ * backward ++ */ ++ base->next_expiry = base->clk; ++ } else { ++ base->next_expiry = timer->expires; ++ } + wake_up_nohz_cpu(base->cpu); + } + +@@ -899,10 +907,13 @@ static inline void forward_timer_base(st + * If the next expiry value is > jiffies, then we fast forward to + * jiffies otherwise we forward to the next expiry value. + */ +- if (time_after(base->next_expiry, jnow)) ++ if (time_after(base->next_expiry, jnow)) { + base->clk = jnow; +- else ++ } else { ++ if (WARN_ON_ONCE(time_before(base->next_expiry, base->clk))) ++ return; + base->clk = base->next_expiry; ++ } + #endif + } + diff --git a/queue-4.19/uio_pdrv_genirq-fix-use-without-device-tree-and-no-interrupt.patch b/queue-4.19/uio_pdrv_genirq-fix-use-without-device-tree-and-no-interrupt.patch new file mode 100644 index 00000000000..20ae56f8ac3 --- /dev/null +++ b/queue-4.19/uio_pdrv_genirq-fix-use-without-device-tree-and-no-interrupt.patch @@ -0,0 +1,42 @@ +From bf12fdf0ab728ca8e5933aac46dd972c0dd0421e Mon Sep 17 00:00:00 2001 +From: Esben Haabendal +Date: Wed, 1 Jul 2020 16:56:58 +0200 +Subject: uio_pdrv_genirq: fix use without device tree and no interrupt + +From: Esben Haabendal + +commit bf12fdf0ab728ca8e5933aac46dd972c0dd0421e upstream. + +While e3a3c3a20555 ("UIO: fix uio_pdrv_genirq with device tree but no +interrupt") added support for using uio_pdrv_genirq for devices without +interrupt for device tree platforms, the removal of uio_pdrv in +26dac3c49d56 ("uio: Remove uio_pdrv and use uio_pdrv_genirq instead") +broke the support for non device tree platforms. + +This change fixes this, so that uio_pdrv_genirq can be used without +interrupt on all platforms. + +This still leaves the support that uio_pdrv had for custom interrupt +handler lacking, as uio_pdrv_genirq does not handle it (yet). + +Fixes: 26dac3c49d56 ("uio: Remove uio_pdrv and use uio_pdrv_genirq instead") +Signed-off-by: Esben Haabendal +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20200701145659.3978-3-esben@geanix.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/uio/uio_pdrv_genirq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/uio/uio_pdrv_genirq.c ++++ b/drivers/uio/uio_pdrv_genirq.c +@@ -148,7 +148,7 @@ static int uio_pdrv_genirq_probe(struct + if (!uioinfo->irq) { + ret = platform_get_irq(pdev, 0); + uioinfo->irq = ret; +- if (ret == -ENXIO && pdev->dev.of_node) ++ if (ret == -ENXIO) + uioinfo->irq = UIO_IRQ_NONE; + else if (ret < 0) { + dev_err(&pdev->dev, "failed to get IRQ\n");