From: Sasha Levin Date: Wed, 22 Apr 2020 03:25:55 +0000 (-0400) Subject: Fixes for 4.14 X-Git-Tag: v4.19.118~12 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f974a2660a57fa07693f40d5bf31eccfdd3908b7;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/clk-at91-usb-continue-if-clk_hw_round_rate-return-ze.patch b/queue-4.14/clk-at91-usb-continue-if-clk_hw_round_rate-return-ze.patch new file mode 100644 index 00000000000..1648f54cf29 --- /dev/null +++ b/queue-4.14/clk-at91-usb-continue-if-clk_hw_round_rate-return-ze.patch @@ -0,0 +1,49 @@ +From ade488b35113895a87d96eade6ccb99c1607db53 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Jan 2020 13:36:46 +0200 +Subject: clk: at91: usb: continue if clk_hw_round_rate() return zero + +From: Claudiu Beznea + +[ Upstream commit b0ecf1c6c6e82da4847900fad0272abfd014666d ] + +clk_hw_round_rate() may call round rate function of its parents. In case +of SAM9X60 two of USB parrents are PLLA and UPLL. These clocks are +controlled by clk-sam9x60-pll.c driver. The round rate function for this +driver is sam9x60_pll_round_rate() which call in turn +sam9x60_pll_get_best_div_mul(). In case the requested rate is not in the +proper range (rate < characteristics->output[0].min && +rate > characteristics->output[0].max) the sam9x60_pll_round_rate() will +return a negative number to its caller (called by +clk_core_round_rate_nolock()). clk_hw_round_rate() will return zero in +case a negative number is returned by clk_core_round_rate_nolock(). With +this, the USB clock will continue its rate computation even caller of +clk_hw_round_rate() returned an error. With this, the USB clock on SAM9X60 +may not chose the best parent. I detected this after a suspend/resume +cycle on SAM9X60. + +Signed-off-by: Claudiu Beznea +Link: https://lkml.kernel.org/r/1579261009-4573-2-git-send-email-claudiu.beznea@microchip.com +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/at91/clk-usb.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/clk/at91/clk-usb.c b/drivers/clk/at91/clk-usb.c +index 791770a563fcc..6fac6383d024e 100644 +--- a/drivers/clk/at91/clk-usb.c ++++ b/drivers/clk/at91/clk-usb.c +@@ -78,6 +78,9 @@ static int at91sam9x5_clk_usb_determine_rate(struct clk_hw *hw, + tmp_parent_rate = req->rate * div; + tmp_parent_rate = clk_hw_round_rate(parent, + tmp_parent_rate); ++ if (!tmp_parent_rate) ++ continue; ++ + tmp_rate = DIV_ROUND_CLOSEST(tmp_parent_rate, div); + if (tmp_rate < req->rate) + tmp_diff = req->rate - tmp_rate; +-- +2.20.1 + diff --git a/queue-4.14/clk-tegra-fix-tegra-pmc-clock-out-parents.patch b/queue-4.14/clk-tegra-fix-tegra-pmc-clock-out-parents.patch new file mode 100644 index 00000000000..f8f892fd7e3 --- /dev/null +++ b/queue-4.14/clk-tegra-fix-tegra-pmc-clock-out-parents.patch @@ -0,0 +1,56 @@ +From c3dd06576001cb3fc8e88e7788cdfc22d3620268 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Jan 2020 23:24:09 -0800 +Subject: clk: tegra: Fix Tegra PMC clock out parents + +From: Sowjanya Komatineni + +[ Upstream commit 6fe38aa8cac3a5db38154331742835a4d9740788 ] + +Tegra PMC clocks clk_out_1, clk_out_2, and clk_out_3 supported parents +are osc, osc_div2, osc_div4 and extern clock. + +Clock driver is using incorrect parents clk_m, clk_m_div2, clk_m_div4 +for PMC clocks. + +This patch fixes this. + +Tested-by: Dmitry Osipenko +Reviewed-by: Dmitry Osipenko +Signed-off-by: Sowjanya Komatineni +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/clk/tegra/clk-tegra-pmc.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/clk/tegra/clk-tegra-pmc.c b/drivers/clk/tegra/clk-tegra-pmc.c +index a35579a3f884f..476dab494c44d 100644 +--- a/drivers/clk/tegra/clk-tegra-pmc.c ++++ b/drivers/clk/tegra/clk-tegra-pmc.c +@@ -60,16 +60,16 @@ struct pmc_clk_init_data { + + static DEFINE_SPINLOCK(clk_out_lock); + +-static const char *clk_out1_parents[] = { "clk_m", "clk_m_div2", +- "clk_m_div4", "extern1", ++static const char *clk_out1_parents[] = { "osc", "osc_div2", ++ "osc_div4", "extern1", + }; + +-static const char *clk_out2_parents[] = { "clk_m", "clk_m_div2", +- "clk_m_div4", "extern2", ++static const char *clk_out2_parents[] = { "osc", "osc_div2", ++ "osc_div4", "extern2", + }; + +-static const char *clk_out3_parents[] = { "clk_m", "clk_m_div2", +- "clk_m_div4", "extern3", ++static const char *clk_out3_parents[] = { "osc", "osc_div2", ++ "osc_div4", "extern3", + }; + + static struct pmc_clk_init_data pmc_clks[] = { +-- +2.20.1 + diff --git a/queue-4.14/compiler.h-fix-error-in-build_bug_on-reporting.patch b/queue-4.14/compiler.h-fix-error-in-build_bug_on-reporting.patch new file mode 100644 index 00000000000..f4e7ff8e4ff --- /dev/null +++ b/queue-4.14/compiler.h-fix-error-in-build_bug_on-reporting.patch @@ -0,0 +1,70 @@ +From b7c08aecca26ba7c2243250773d3d52b83bc3b73 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Apr 2020 20:09:37 -0700 +Subject: compiler.h: fix error in BUILD_BUG_ON() reporting + +From: Vegard Nossum + +[ Upstream commit af9c5d2e3b355854ff0e4acfbfbfadcd5198a349 ] + +compiletime_assert() uses __LINE__ to create a unique function name. This +means that if you have more than one BUILD_BUG_ON() in the same source +line (which can happen if they appear e.g. in a macro), then the error +message from the compiler might output the wrong condition. + +For this source file: + + #include + + #define macro() \ + BUILD_BUG_ON(1); \ + BUILD_BUG_ON(0); + + void foo() + { + macro(); + } + +gcc would output: + +./include/linux/compiler.h:350:38: error: call to `__compiletime_assert_9' declared with attribute error: BUILD_BUG_ON failed: 0 + _compiletime_assert(condition, msg, __compiletime_assert_, __LINE__) + +However, it was not the BUILD_BUG_ON(0) that failed, so it should say 1 +instead of 0. With this patch, we use __COUNTER__ instead of __LINE__, so +each BUILD_BUG_ON() gets a different function name and the correct +condition is printed: + +./include/linux/compiler.h:350:38: error: call to `__compiletime_assert_0' declared with attribute error: BUILD_BUG_ON failed: 1 + _compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__) + +Signed-off-by: Vegard Nossum +Signed-off-by: Andrew Morton +Reviewed-by: Masahiro Yamada +Reviewed-by: Daniel Santos +Cc: Rasmus Villemoes +Cc: Ian Abbott +Cc: Joe Perches +Link: http://lkml.kernel.org/r/20200331112637.25047-1-vegard.nossum@oracle.com +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/linux/compiler.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/compiler.h b/include/linux/compiler.h +index f84d332085c31..3ffe3f3f79035 100644 +--- a/include/linux/compiler.h ++++ b/include/linux/compiler.h +@@ -331,7 +331,7 @@ unsigned long read_word_at_a_time(const void *addr) + * compiler has support to do so. + */ + #define compiletime_assert(condition, msg) \ +- _compiletime_assert(condition, msg, __compiletime_assert_, __LINE__) ++ _compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__) + + #define compiletime_assert_atomic_type(t) \ + compiletime_assert(__native_word(t), \ +-- +2.20.1 + diff --git a/queue-4.14/drm-amdkfd-kfree-the-wrong-pointer.patch b/queue-4.14/drm-amdkfd-kfree-the-wrong-pointer.patch new file mode 100644 index 00000000000..4c3b1050851 --- /dev/null +++ b/queue-4.14/drm-amdkfd-kfree-the-wrong-pointer.patch @@ -0,0 +1,39 @@ +From b56935eff4159a4a179adda421c5a491b85465a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Apr 2020 20:06:58 +0800 +Subject: drm/amdkfd: kfree the wrong pointer + +From: Jack Zhang + +[ Upstream commit 3148a6a0ef3cf93570f30a477292768f7eb5d3c3 ] + +Originally, it kfrees the wrong pointer for mem_obj. +It would cause memory leak under stress test. + +Signed-off-by: Jack Zhang +Acked-by: Nirmoy Das +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdkfd/kfd_device.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device.c b/drivers/gpu/drm/amd/amdkfd/kfd_device.c +index 61fff25b4ce7d..ecd4eba221c0a 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_device.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_device.c +@@ -550,9 +550,9 @@ int kfd_gtt_sa_allocate(struct kfd_dev *kfd, unsigned int size, + return 0; + + kfd_gtt_no_free_chunk: +- pr_debug("Allocation failed with mem_obj = %p\n", mem_obj); ++ pr_debug("Allocation failed with mem_obj = %p\n", *mem_obj); + mutex_unlock(&kfd->gtt_sa_lock); +- kfree(mem_obj); ++ kfree(*mem_obj); + return -ENOMEM; + } + +-- +2.20.1 + diff --git a/queue-4.14/ext2-fix-debug-reference-to-ext2_xattr_cache.patch b/queue-4.14/ext2-fix-debug-reference-to-ext2_xattr_cache.patch new file mode 100644 index 00000000000..b6dd6a34bc0 --- /dev/null +++ b/queue-4.14/ext2-fix-debug-reference-to-ext2_xattr_cache.patch @@ -0,0 +1,51 @@ +From dbd954973e91a1738c82362fef7b5ee3efca2832 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Mar 2020 12:40:02 +0100 +Subject: ext2: fix debug reference to ext2_xattr_cache +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jan Kara + +[ Upstream commit 32302085a8d90859c40cf1a5e8313f575d06ec75 ] + +Fix a debug-only build error in ext2/xattr.c: + +When building without extra debugging, (and with another patch that uses +no_printk() instead of for the ext2-xattr debug-print macros, +this build error happens: + +../fs/ext2/xattr.c: In function ‘ext2_xattr_cache_insert’: +../fs/ext2/xattr.c:869:18: error: ‘ext2_xattr_cache’ undeclared (first use in +this function); did you mean ‘ext2_xattr_list’? + atomic_read(&ext2_xattr_cache->c_entry_count)); + +Fix the problem by removing cached entry count from the debug message +since otherwise we'd have to export the mbcache structure just for that. + +Fixes: be0726d33cb8 ("ext2: convert to mbcache2") +Reported-by: Randy Dunlap +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/ext2/xattr.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/fs/ext2/xattr.c b/fs/ext2/xattr.c +index 4439bfaf1c57f..bd1d68ff3a9f8 100644 +--- a/fs/ext2/xattr.c ++++ b/fs/ext2/xattr.c +@@ -839,8 +839,7 @@ ext2_xattr_cache_insert(struct mb_cache *cache, struct buffer_head *bh) + error = mb_cache_entry_create(cache, GFP_NOFS, hash, bh->b_blocknr, 1); + if (error) { + if (error == -EBUSY) { +- ea_bdebug(bh, "already in cache (%d cache entries)", +- atomic_read(&ext2_xattr_cache->c_entry_count)); ++ ea_bdebug(bh, "already in cache"); + error = 0; + } + } else +-- +2.20.1 + diff --git a/queue-4.14/ext2-fix-empty-body-warnings-when-wextra-is-used.patch b/queue-4.14/ext2-fix-empty-body-warnings-when-wextra-is-used.patch new file mode 100644 index 00000000000..26a879adafe --- /dev/null +++ b/queue-4.14/ext2-fix-empty-body-warnings-when-wextra-is-used.patch @@ -0,0 +1,60 @@ +From a94756f37d30c957fc9690ec92bf095e7208d8d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 22 Mar 2020 19:45:41 -0700 +Subject: ext2: fix empty body warnings when -Wextra is used +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Randy Dunlap + +[ Upstream commit 44a52022e7f15cbaab957df1c14f7a4f527ef7cf ] + +When EXT2_ATTR_DEBUG is not defined, modify the 2 debug macros +to use the no_printk() macro instead of . +This fixes gcc warnings when -Wextra is used: + +../fs/ext2/xattr.c:252:42: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body] +../fs/ext2/xattr.c:258:42: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body] +../fs/ext2/xattr.c:330:42: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body] +../fs/ext2/xattr.c:872:45: warning: suggest braces around empty body in an ‘else’ statement [-Wempty-body] + +I have verified that the only object code change (with gcc 7.5.0) is +the reversal of some instructions from 'cmp a,b' to 'cmp b,a'. + +Link: https://lore.kernel.org/r/e18a7395-61fb-2093-18e8-ed4f8cf56248@infradead.org +Signed-off-by: Randy Dunlap +Cc: Jan Kara +Cc: linux-ext4@vger.kernel.org +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/ext2/xattr.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/fs/ext2/xattr.c b/fs/ext2/xattr.c +index dd8f10db82e99..4439bfaf1c57f 100644 +--- a/fs/ext2/xattr.c ++++ b/fs/ext2/xattr.c +@@ -56,6 +56,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -84,8 +85,8 @@ + printk("\n"); \ + } while (0) + #else +-# define ea_idebug(f...) +-# define ea_bdebug(f...) ++# define ea_idebug(inode, f...) no_printk(f) ++# define ea_bdebug(bh, f...) no_printk(f) + #endif + + static int ext2_xattr_set2(struct inode *, struct buffer_head *, +-- +2.20.1 + diff --git a/queue-4.14/ext4-do-not-commit-super-on-read-only-bdev.patch b/queue-4.14/ext4-do-not-commit-super-on-read-only-bdev.patch new file mode 100644 index 00000000000..811b79480df --- /dev/null +++ b/queue-4.14/ext4-do-not-commit-super-on-read-only-bdev.patch @@ -0,0 +1,50 @@ +From 484b3437754c7dd7c99946e80c95c3459df79cf2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Mar 2020 14:19:38 -0500 +Subject: ext4: do not commit super on read-only bdev + +From: Eric Sandeen + +[ Upstream commit c96e2b8564adfb8ac14469ebc51ddc1bfecb3ae2 ] + +Under some circumstances we may encounter a filesystem error on a +read-only block device, and if we try to save the error info to the +superblock and commit it, we'll wind up with a noisy error and +backtrace, i.e.: + +[ 3337.146838] EXT4-fs error (device pmem1p2): ext4_get_journal_inode:4634: comm mount: inode #0: comm mount: iget: illegal inode # +------------[ cut here ]------------ +generic_make_request: Trying to write to read-only block-device pmem1p2 (partno 2) +WARNING: CPU: 107 PID: 115347 at block/blk-core.c:788 generic_make_request_checks+0x6b4/0x7d0 +... + +To avoid this, commit the error info in the superblock only if the +block device is writable. + +Reported-by: Ritesh Harjani +Signed-off-by: Eric Sandeen +Reviewed-by: Andreas Dilger +Link: https://lore.kernel.org/r/4b6e774d-cc00-3469-7abb-108eb151071a@sandeen.net +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/super.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index 98e27432c8592..0ced133a36ec5 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -369,7 +369,8 @@ static void save_error_info(struct super_block *sb, const char *func, + unsigned int line) + { + __save_error_info(sb, func, line); +- ext4_commit_super(sb, 1); ++ if (!bdev_read_only(sb->s_bdev)) ++ ext4_commit_super(sb, 1); + } + + /* +-- +2.20.1 + diff --git a/queue-4.14/include-linux-swapops.h-correct-guards-for-non_swap_.patch b/queue-4.14/include-linux-swapops.h-correct-guards-for-non_swap_.patch new file mode 100644 index 00000000000..03e9bf844fa --- /dev/null +++ b/queue-4.14/include-linux-swapops.h-correct-guards-for-non_swap_.patch @@ -0,0 +1,62 @@ +From b003413192e039d33a514c928fc5489487a3c6c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Apr 2020 20:08:43 -0700 +Subject: include/linux/swapops.h: correct guards for non_swap_entry() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Steven Price + +[ Upstream commit 3f3673d7d324d872d9d8ddb73b3e5e47fbf12e0d ] + +If CONFIG_DEVICE_PRIVATE is defined, but neither CONFIG_MEMORY_FAILURE nor +CONFIG_MIGRATION, then non_swap_entry() will return 0, meaning that the +condition (non_swap_entry(entry) && is_device_private_entry(entry)) in +zap_pte_range() will never be true even if the entry is a device private +one. + +Equally any other code depending on non_swap_entry() will not function as +expected. + +I originally spotted this just by looking at the code, I haven't actually +observed any problems. + +Looking a bit more closely it appears that actually this situation +(currently at least) cannot occur: + +DEVICE_PRIVATE depends on ZONE_DEVICE +ZONE_DEVICE depends on MEMORY_HOTREMOVE +MEMORY_HOTREMOVE depends on MIGRATION + +Fixes: 5042db43cc26 ("mm/ZONE_DEVICE: new type of ZONE_DEVICE for unaddressable memory") +Signed-off-by: Steven Price +Signed-off-by: Andrew Morton +Cc: Jérôme Glisse +Cc: Arnd Bergmann +Cc: Dan Williams +Cc: John Hubbard +Link: http://lkml.kernel.org/r/20200305130550.22693-1-steven.price@arm.com +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/linux/swapops.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/include/linux/swapops.h b/include/linux/swapops.h +index 1d3877c39a000..0b8c860967527 100644 +--- a/include/linux/swapops.h ++++ b/include/linux/swapops.h +@@ -377,7 +377,8 @@ static inline void num_poisoned_pages_inc(void) + } + #endif + +-#if defined(CONFIG_MEMORY_FAILURE) || defined(CONFIG_MIGRATION) ++#if defined(CONFIG_MEMORY_FAILURE) || defined(CONFIG_MIGRATION) || \ ++ defined(CONFIG_DEVICE_PRIVATE) + static inline int non_swap_entry(swp_entry_t entry) + { + return swp_type(entry) >= MAX_SWAPFILES; +-- +2.20.1 + diff --git a/queue-4.14/iommu-amd-fix-the-configuration-of-gcr3-table-root-p.patch b/queue-4.14/iommu-amd-fix-the-configuration-of-gcr3-table-root-p.patch new file mode 100644 index 00000000000..e53d41f445c --- /dev/null +++ b/queue-4.14/iommu-amd-fix-the-configuration-of-gcr3-table-root-p.patch @@ -0,0 +1,38 @@ +From bf3c4ff0bcffbbac3adea44c0d0ff21dc8bafa5a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Feb 2020 18:44:51 +0800 +Subject: iommu/amd: Fix the configuration of GCR3 table root pointer + +From: Adrian Huang + +[ Upstream commit c20f36534666e37858a14e591114d93cc1be0d34 ] + +The SPA of the GCR3 table root pointer[51:31] masks 20 bits. However, +this requires 21 bits (Please see the AMD IOMMU specification). +This leads to the potential failure when the bit 51 of SPA of +the GCR3 table root pointer is 1'. + +Signed-off-by: Adrian Huang +Fixes: 52815b75682e2 ("iommu/amd: Add support for IOMMUv2 domain mode") +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/amd_iommu_types.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/iommu/amd_iommu_types.h b/drivers/iommu/amd_iommu_types.h +index 3054c0971759f..74c8638aac2b9 100644 +--- a/drivers/iommu/amd_iommu_types.h ++++ b/drivers/iommu/amd_iommu_types.h +@@ -348,7 +348,7 @@ + + #define DTE_GCR3_VAL_A(x) (((x) >> 12) & 0x00007ULL) + #define DTE_GCR3_VAL_B(x) (((x) >> 15) & 0x0ffffULL) +-#define DTE_GCR3_VAL_C(x) (((x) >> 31) & 0xfffffULL) ++#define DTE_GCR3_VAL_C(x) (((x) >> 31) & 0x1fffffULL) + + #define DTE_GCR3_INDEX_A 0 + #define DTE_GCR3_INDEX_B 1 +-- +2.20.1 + diff --git a/queue-4.14/iommu-vt-d-fix-mm-reference-leak.patch b/queue-4.14/iommu-vt-d-fix-mm-reference-leak.patch new file mode 100644 index 00000000000..21e66a93cb1 --- /dev/null +++ b/queue-4.14/iommu-vt-d-fix-mm-reference-leak.patch @@ -0,0 +1,47 @@ +From c8b41fb7969c53e787835fffb578193d0dcaec0a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Mar 2020 21:32:30 -0700 +Subject: iommu/vt-d: Fix mm reference leak + +From: Jacob Pan + +[ Upstream commit 902baf61adf6b187f0a6b789e70d788ea71ff5bc ] + +Move canonical address check before mmget_not_zero() to avoid mm +reference leak. + +Fixes: 9d8c3af31607 ("iommu/vt-d: IOMMU Page Request needs to check if address is canonical.") +Signed-off-by: Jacob Pan +Acked-by: Lu Baolu +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/intel-svm.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/iommu/intel-svm.c b/drivers/iommu/intel-svm.c +index f5573bb9f450e..837459762eb39 100644 +--- a/drivers/iommu/intel-svm.c ++++ b/drivers/iommu/intel-svm.c +@@ -613,14 +613,15 @@ static irqreturn_t prq_event_thread(int irq, void *d) + * any faults on kernel addresses. */ + if (!svm->mm) + goto bad_req; +- /* If the mm is already defunct, don't handle faults. */ +- if (!mmget_not_zero(svm->mm)) +- goto bad_req; + + /* If address is not canonical, return invalid response */ + if (!is_canonical_address(address)) + goto bad_req; + ++ /* If the mm is already defunct, don't handle faults. */ ++ if (!mmget_not_zero(svm->mm)) ++ goto bad_req; ++ + down_read(&svm->mm->mmap_sem); + vma = find_extend_vma(svm->mm, address); + if (!vma || address < vma->vm_start) +-- +2.20.1 + diff --git a/queue-4.14/kvm-s390-vsie-fix-possible-race-when-shadowing-regio.patch b/queue-4.14/kvm-s390-vsie-fix-possible-race-when-shadowing-regio.patch new file mode 100644 index 00000000000..aa37b5fe47b --- /dev/null +++ b/queue-4.14/kvm-s390-vsie-fix-possible-race-when-shadowing-regio.patch @@ -0,0 +1,52 @@ +From 32d4612596732f9e242769497368e870db2e2054 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Apr 2020 17:30:48 +0200 +Subject: KVM: s390: vsie: Fix possible race when shadowing region 3 tables + +From: David Hildenbrand + +[ Upstream commit 1493e0f944f3c319d11e067c185c904d01c17ae5 ] + +We have to properly retry again by returning -EINVAL immediately in case +somebody else instantiated the table concurrently. We missed to add the +goto in this function only. The code now matches the other, similar +shadowing functions. + +We are overwriting an existing region 2 table entry. All allocated pages +are added to the crst_list to be freed later, so they are not lost +forever. However, when unshadowing the region 2 table, we wouldn't trigger +unshadowing of the original shadowed region 3 table that we replaced. It +would get unshadowed when the original region 3 table is modified. As it's +not connected to the page table hierarchy anymore, it's not going to get +used anymore. However, for a limited time, this page table will stick +around, so it's in some sense a temporary memory leak. + +Identified by manual code inspection. I don't think this classifies as +stable material. + +Fixes: 998f637cc4b9 ("s390/mm: avoid races on region/segment/page table shadowing") +Signed-off-by: David Hildenbrand +Link: https://lore.kernel.org/r/20200403153050.20569-4-david@redhat.com +Reviewed-by: Claudio Imbrenda +Reviewed-by: Christian Borntraeger +Signed-off-by: Christian Borntraeger +Signed-off-by: Sasha Levin +--- + arch/s390/mm/gmap.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/s390/mm/gmap.c b/arch/s390/mm/gmap.c +index e297efa6e648c..a29d2e88b00ef 100644 +--- a/arch/s390/mm/gmap.c ++++ b/arch/s390/mm/gmap.c +@@ -1687,6 +1687,7 @@ int gmap_shadow_r3t(struct gmap *sg, unsigned long saddr, unsigned long r3t, + goto out_free; + } else if (*table & _REGION_ENTRY_ORIGIN) { + rc = -EAGAIN; /* Race with shadow */ ++ goto out_free; + } + crst_table_init(s_r3t, _REGION3_ENTRY_EMPTY); + /* mark as invalid as long as the parent table is not protected */ +-- +2.20.1 + diff --git a/queue-4.14/libnvdimm-out-of-bounds-read-in-__nd_ioctl.patch b/queue-4.14/libnvdimm-out-of-bounds-read-in-__nd_ioctl.patch new file mode 100644 index 00000000000..787010e6226 --- /dev/null +++ b/queue-4.14/libnvdimm-out-of-bounds-read-in-__nd_ioctl.patch @@ -0,0 +1,43 @@ +From 5a13dd5ae0d6d196254021dd012a96660f3e299c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Feb 2020 19:20:56 +0300 +Subject: libnvdimm: Out of bounds read in __nd_ioctl() + +From: Dan Carpenter + +[ Upstream commit f84afbdd3a9e5e10633695677b95422572f920dc ] + +The "cmd" comes from the user and it can be up to 255. It it's more +than the number of bits in long, it results out of bounds read when we +check test_bit(cmd, &cmd_mask). The highest valid value for "cmd" is +ND_CMD_CALL (10) so I added a compare against that. + +Fixes: 62232e45f4a2 ("libnvdimm: control (ioctl) messages for nvdimm_bus and nvdimm devices") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/20200225162055.amtosfy7m35aivxg@kili.mountain +Signed-off-by: Dan Williams +Signed-off-by: Sasha Levin +--- + drivers/nvdimm/bus.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/nvdimm/bus.c b/drivers/nvdimm/bus.c +index 2f1b54fab399f..83e18b367944c 100644 +--- a/drivers/nvdimm/bus.c ++++ b/drivers/nvdimm/bus.c +@@ -951,8 +951,10 @@ static int __nd_ioctl(struct nvdimm_bus *nvdimm_bus, struct nvdimm *nvdimm, + return -EFAULT; + } + +- if (!desc || (desc->out_num + desc->in_num == 0) || +- !test_bit(cmd, &cmd_mask)) ++ if (!desc || ++ (desc->out_num + desc->in_num == 0) || ++ cmd > ND_CMD_CALL || ++ !test_bit(cmd, &cmd_mask)) + return -ENOTTY; + + /* fail write commands (when read-only) */ +-- +2.20.1 + diff --git a/queue-4.14/nfs-direct.c-fix-memory-leak-of-dreq-when-nfs_get_lo.patch b/queue-4.14/nfs-direct.c-fix-memory-leak-of-dreq-when-nfs_get_lo.patch new file mode 100644 index 00000000000..8aac87250c0 --- /dev/null +++ b/queue-4.14/nfs-direct.c-fix-memory-leak-of-dreq-when-nfs_get_lo.patch @@ -0,0 +1,51 @@ +From 7c2ce59ded66d298c5e5f57c9f9625fdfd01f2e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Aug 2019 17:01:22 +0900 +Subject: NFS: direct.c: Fix memory leak of dreq when nfs_get_lock_context + fails + +From: Misono Tomohiro + +[ Upstream commit 8605cf0e852af3b2c771c18417499dc4ceed03d5 ] + +When dreq is allocated by nfs_direct_req_alloc(), dreq->kref is +initialized to 2. Therefore we need to call nfs_direct_req_release() +twice to release the allocated dreq. Usually it is called in +nfs_file_direct_{read, write}() and nfs_direct_complete(). + +However, current code only calls nfs_direct_req_relese() once if +nfs_get_lock_context() fails in nfs_file_direct_{read, write}(). +So, that case would result in memory leak. + +Fix this by adding the missing call. + +Signed-off-by: Misono Tomohiro +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/direct.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/nfs/direct.c b/fs/nfs/direct.c +index 9d07b53e1647b..e6ea4511c41ce 100644 +--- a/fs/nfs/direct.c ++++ b/fs/nfs/direct.c +@@ -600,6 +600,7 @@ ssize_t nfs_file_direct_read(struct kiocb *iocb, struct iov_iter *iter) + l_ctx = nfs_get_lock_context(dreq->ctx); + if (IS_ERR(l_ctx)) { + result = PTR_ERR(l_ctx); ++ nfs_direct_req_release(dreq); + goto out_release; + } + dreq->l_ctx = l_ctx; +@@ -1023,6 +1024,7 @@ ssize_t nfs_file_direct_write(struct kiocb *iocb, struct iov_iter *iter) + l_ctx = nfs_get_lock_context(dreq->ctx); + if (IS_ERR(l_ctx)) { + result = PTR_ERR(l_ctx); ++ nfs_direct_req_release(dreq); + goto out_release; + } + dreq->l_ctx = l_ctx; +-- +2.20.1 + diff --git a/queue-4.14/nfs-fix-memory-leaks-in-nfs_pageio_stop_mirroring.patch b/queue-4.14/nfs-fix-memory-leaks-in-nfs_pageio_stop_mirroring.patch new file mode 100644 index 00000000000..c03248dc180 --- /dev/null +++ b/queue-4.14/nfs-fix-memory-leaks-in-nfs_pageio_stop_mirroring.patch @@ -0,0 +1,56 @@ +From 3dc9e3711719afea2b486cede0f666813c47fcf2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 29 Mar 2020 20:06:45 -0400 +Subject: NFS: Fix memory leaks in nfs_pageio_stop_mirroring() + +From: Trond Myklebust + +[ Upstream commit 862f35c94730c9270833f3ad05bd758a29f204ed ] + +If we just set the mirror count to 1 without first clearing out +the mirrors, we can leak queued up requests. + +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/pagelist.c | 17 ++++++++--------- + 1 file changed, 8 insertions(+), 9 deletions(-) + +diff --git a/fs/nfs/pagelist.c b/fs/nfs/pagelist.c +index ceb6892d9bbdc..7c01936be7c70 100644 +--- a/fs/nfs/pagelist.c ++++ b/fs/nfs/pagelist.c +@@ -864,15 +864,6 @@ static void nfs_pageio_setup_mirroring(struct nfs_pageio_descriptor *pgio, + pgio->pg_mirror_count = mirror_count; + } + +-/* +- * nfs_pageio_stop_mirroring - stop using mirroring (set mirror count to 1) +- */ +-void nfs_pageio_stop_mirroring(struct nfs_pageio_descriptor *pgio) +-{ +- pgio->pg_mirror_count = 1; +- pgio->pg_mirror_idx = 0; +-} +- + static void nfs_pageio_cleanup_mirroring(struct nfs_pageio_descriptor *pgio) + { + pgio->pg_mirror_count = 1; +@@ -1301,6 +1292,14 @@ void nfs_pageio_cond_complete(struct nfs_pageio_descriptor *desc, pgoff_t index) + } + } + ++/* ++ * nfs_pageio_stop_mirroring - stop using mirroring (set mirror count to 1) ++ */ ++void nfs_pageio_stop_mirroring(struct nfs_pageio_descriptor *pgio) ++{ ++ nfs_pageio_complete(pgio); ++} ++ + int __init nfs_init_nfspagecache(void) + { + nfs_page_cachep = kmem_cache_create("nfs_page", +-- +2.20.1 + diff --git a/queue-4.14/nfsv4-pnfs-return-valid-stateids-in-nfs_layout_find_.patch b/queue-4.14/nfsv4-pnfs-return-valid-stateids-in-nfs_layout_find_.patch new file mode 100644 index 00000000000..dd663c447f4 --- /dev/null +++ b/queue-4.14/nfsv4-pnfs-return-valid-stateids-in-nfs_layout_find_.patch @@ -0,0 +1,37 @@ +From 75e2a9418046d66edcc19665f9025370ef35f5c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Feb 2020 11:01:12 -0500 +Subject: NFSv4/pnfs: Return valid stateids in + nfs_layout_find_inode_by_stateid() + +From: Trond Myklebust + +[ Upstream commit d911c57a19551c6bef116a3b55c6b089901aacb0 ] + +Make sure to test the stateid for validity so that we catch instances +where the server may have been reusing stateids in +nfs_layout_find_inode_by_stateid(). + +Fixes: 7b410d9ce460 ("pNFS: Delay getting the layout header in CB_LAYOUTRECALL handlers") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/callback_proc.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/nfs/callback_proc.c b/fs/nfs/callback_proc.c +index b8d55da2f04d5..440ff8e7082b6 100644 +--- a/fs/nfs/callback_proc.c ++++ b/fs/nfs/callback_proc.c +@@ -127,6 +127,8 @@ static struct inode *nfs_layout_find_inode_by_stateid(struct nfs_client *clp, + restart: + list_for_each_entry_rcu(server, &clp->cl_superblocks, client_link) { + list_for_each_entry(lo, &server->layouts, plh_layouts) { ++ if (!pnfs_layout_is_valid(lo)) ++ continue; + if (stateid != NULL && + !nfs4_stateid_match_other(stateid, &lo->plh_stateid)) + continue; +-- +2.20.1 + diff --git a/queue-4.14/of-unittest-kmemleak-in-of_unittest_platform_populat.patch b/queue-4.14/of-unittest-kmemleak-in-of_unittest_platform_populat.patch new file mode 100644 index 00000000000..4cd5c8b8d15 --- /dev/null +++ b/queue-4.14/of-unittest-kmemleak-in-of_unittest_platform_populat.patch @@ -0,0 +1,48 @@ +From 93e754d83ab2e040bf48d1e1414111bf77046374 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Apr 2020 16:42:47 -0500 +Subject: of: unittest: kmemleak in of_unittest_platform_populate() + +From: Frank Rowand + +[ Upstream commit 216830d2413cc61be3f76bc02ffd905e47d2439e ] + +kmemleak reports several memory leaks from devicetree unittest. +This is the fix for problem 2 of 5. + +of_unittest_platform_populate() left an elevated reference count for +grandchild nodes (which are platform devices). Fix the platform +device reference counts so that the memory will be freed. + +Fixes: fb2caa50fbac ("of/selftest: add testcase for nodes with same name and address") +Reported-by: Erhard F. +Signed-off-by: Frank Rowand +Signed-off-by: Rob Herring +Signed-off-by: Sasha Levin +--- + drivers/of/unittest.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/of/unittest.c b/drivers/of/unittest.c +index aaec4a9fa2bc4..e7e6dd07f2150 100644 +--- a/drivers/of/unittest.c ++++ b/drivers/of/unittest.c +@@ -891,10 +891,13 @@ static void __init of_unittest_platform_populate(void) + + of_platform_populate(np, match, NULL, &test_bus->dev); + for_each_child_of_node(np, child) { +- for_each_child_of_node(child, grandchild) +- unittest(of_find_device_by_node(grandchild), ++ for_each_child_of_node(child, grandchild) { ++ pdev = of_find_device_by_node(grandchild); ++ unittest(pdev, + "Could not create device for node '%s'\n", + grandchild->name); ++ of_dev_put(pdev); ++ } + } + + of_platform_depopulate(&test_bus->dev); +-- +2.20.1 + diff --git a/queue-4.14/percpu_counter-fix-a-data-race-at-vm_committed_as.patch b/queue-4.14/percpu_counter-fix-a-data-race-at-vm_committed_as.patch new file mode 100644 index 00000000000..7e9d0465438 --- /dev/null +++ b/queue-4.14/percpu_counter-fix-a-data-race-at-vm_committed_as.patch @@ -0,0 +1,72 @@ +From 91cc73c98bd1b2a86714cede45bb04c66d137ee2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Apr 2020 20:10:25 -0700 +Subject: percpu_counter: fix a data race at vm_committed_as + +From: Qian Cai + +[ Upstream commit 7e2345200262e4a6056580f0231cccdaffc825f3 ] + +"vm_committed_as.count" could be accessed concurrently as reported by +KCSAN, + + BUG: KCSAN: data-race in __vm_enough_memory / percpu_counter_add_batch + + write to 0xffffffff9451c538 of 8 bytes by task 65879 on cpu 35: + percpu_counter_add_batch+0x83/0xd0 + percpu_counter_add_batch at lib/percpu_counter.c:91 + __vm_enough_memory+0xb9/0x260 + dup_mm+0x3a4/0x8f0 + copy_process+0x2458/0x3240 + _do_fork+0xaa/0x9f0 + __do_sys_clone+0x125/0x160 + __x64_sys_clone+0x70/0x90 + do_syscall_64+0x91/0xb05 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + + read to 0xffffffff9451c538 of 8 bytes by task 66773 on cpu 19: + __vm_enough_memory+0x199/0x260 + percpu_counter_read_positive at include/linux/percpu_counter.h:81 + (inlined by) __vm_enough_memory at mm/util.c:839 + mmap_region+0x1b2/0xa10 + do_mmap+0x45c/0x700 + vm_mmap_pgoff+0xc0/0x130 + ksys_mmap_pgoff+0x6e/0x300 + __x64_sys_mmap+0x33/0x40 + do_syscall_64+0x91/0xb05 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +The read is outside percpu_counter::lock critical section which results in +a data race. Fix it by adding a READ_ONCE() in +percpu_counter_read_positive() which could also service as the existing +compiler memory barrier. + +Signed-off-by: Qian Cai +Signed-off-by: Andrew Morton +Acked-by: Marco Elver +Link: http://lkml.kernel.org/r/1582302724-2804-1-git-send-email-cai@lca.pw +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/linux/percpu_counter.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/include/linux/percpu_counter.h b/include/linux/percpu_counter.h +index 73a7bf30fe9a3..3f3cece31148d 100644 +--- a/include/linux/percpu_counter.h ++++ b/include/linux/percpu_counter.h +@@ -78,9 +78,9 @@ static inline s64 percpu_counter_read(struct percpu_counter *fbc) + */ + static inline s64 percpu_counter_read_positive(struct percpu_counter *fbc) + { +- s64 ret = fbc->count; ++ /* Prevent reloads of fbc->count */ ++ s64 ret = READ_ONCE(fbc->count); + +- barrier(); /* Prevent reloads of fbc->count */ + if (ret >= 0) + return ret; + return 0; +-- +2.20.1 + diff --git a/queue-4.14/power-supply-bq27xxx_battery-silence-deferred-probe-.patch b/queue-4.14/power-supply-bq27xxx_battery-silence-deferred-probe-.patch new file mode 100644 index 00000000000..b9742240f0f --- /dev/null +++ b/queue-4.14/power-supply-bq27xxx_battery-silence-deferred-probe-.patch @@ -0,0 +1,45 @@ +From bd88212a820453ea010da66fbe25acaccb25c2e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Mar 2020 00:51:43 +0300 +Subject: power: supply: bq27xxx_battery: Silence deferred-probe error +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Dmitry Osipenko + +[ Upstream commit 583b53ece0b0268c542a1eafadb62e3d4b0aab8c ] + +The driver fails to probe with -EPROBE_DEFER if battery's power supply +(charger driver) isn't ready yet and this results in a bit noisy error +message in KMSG during kernel's boot up. Let's silence the harmless +error message. + +Signed-off-by: Dmitry Osipenko +Reviewed-by: Andrew F. Davis +Reviewed-by: Pali Rohár +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/bq27xxx_battery.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/power/supply/bq27xxx_battery.c b/drivers/power/supply/bq27xxx_battery.c +index 51f0961ecf3e0..a7d8cadf172cb 100644 +--- a/drivers/power/supply/bq27xxx_battery.c ++++ b/drivers/power/supply/bq27xxx_battery.c +@@ -1842,7 +1842,10 @@ int bq27xxx_battery_setup(struct bq27xxx_device_info *di) + + di->bat = power_supply_register_no_ws(di->dev, psy_desc, &psy_cfg); + if (IS_ERR(di->bat)) { +- dev_err(di->dev, "failed to register battery\n"); ++ if (PTR_ERR(di->bat) == -EPROBE_DEFER) ++ dev_dbg(di->dev, "failed to register battery, deferring probe\n"); ++ else ++ dev_err(di->dev, "failed to register battery\n"); + return PTR_ERR(di->bat); + } + +-- +2.20.1 + diff --git a/queue-4.14/powerpc-maple-fix-declaration-made-after-definition.patch b/queue-4.14/powerpc-maple-fix-declaration-made-after-definition.patch new file mode 100644 index 00000000000..04982d27714 --- /dev/null +++ b/queue-4.14/powerpc-maple-fix-declaration-made-after-definition.patch @@ -0,0 +1,92 @@ +From 08b3cf47230c0f137a31473d71b02779db7e0f2f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Mar 2020 15:27:29 -0700 +Subject: powerpc/maple: Fix declaration made after definition + +From: Nathan Chancellor + +[ Upstream commit af6cf95c4d003fccd6c2ecc99a598fb854b537e7 ] + +When building ppc64 defconfig, Clang errors (trimmed for brevity): + + arch/powerpc/platforms/maple/setup.c:365:1: error: attribute declaration + must precede definition [-Werror,-Wignored-attributes] + machine_device_initcall(maple, maple_cpc925_edac_setup); + ^ + +machine_device_initcall expands to __define_machine_initcall, which in +turn has the macro machine_is used in it, which declares mach_##name +with an __attribute__((weak)). define_machine actually defines +mach_##name, which in this file happens before the declaration, hence +the warning. + +To fix this, move define_machine after machine_device_initcall so that +the declaration occurs before the definition, which matches how +machine_device_initcall and define_machine work throughout +arch/powerpc. + +While we're here, remove some spaces before tabs. + +Fixes: 8f101a051ef0 ("edac: cpc925 MC platform device setup") +Reported-by: Nick Desaulniers +Suggested-by: Ilie Halip +Signed-off-by: Nathan Chancellor +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200323222729.15365-1-natechancellor@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/maple/setup.c | 34 ++++++++++++++-------------- + 1 file changed, 17 insertions(+), 17 deletions(-) + +diff --git a/arch/powerpc/platforms/maple/setup.c b/arch/powerpc/platforms/maple/setup.c +index b7f937563827d..d1fee2d35b49c 100644 +--- a/arch/powerpc/platforms/maple/setup.c ++++ b/arch/powerpc/platforms/maple/setup.c +@@ -299,23 +299,6 @@ static int __init maple_probe(void) + return 1; + } + +-define_machine(maple) { +- .name = "Maple", +- .probe = maple_probe, +- .setup_arch = maple_setup_arch, +- .init_IRQ = maple_init_IRQ, +- .pci_irq_fixup = maple_pci_irq_fixup, +- .pci_get_legacy_ide_irq = maple_pci_get_legacy_ide_irq, +- .restart = maple_restart, +- .halt = maple_halt, +- .get_boot_time = maple_get_boot_time, +- .set_rtc_time = maple_set_rtc_time, +- .get_rtc_time = maple_get_rtc_time, +- .calibrate_decr = generic_calibrate_decr, +- .progress = maple_progress, +- .power_save = power4_idle, +-}; +- + #ifdef CONFIG_EDAC + /* + * Register a platform device for CPC925 memory controller on +@@ -372,3 +355,20 @@ static int __init maple_cpc925_edac_setup(void) + } + machine_device_initcall(maple, maple_cpc925_edac_setup); + #endif ++ ++define_machine(maple) { ++ .name = "Maple", ++ .probe = maple_probe, ++ .setup_arch = maple_setup_arch, ++ .init_IRQ = maple_init_IRQ, ++ .pci_irq_fixup = maple_pci_irq_fixup, ++ .pci_get_legacy_ide_irq = maple_pci_get_legacy_ide_irq, ++ .restart = maple_restart, ++ .halt = maple_halt, ++ .get_boot_time = maple_get_boot_time, ++ .set_rtc_time = maple_set_rtc_time, ++ .get_rtc_time = maple_get_rtc_time, ++ .calibrate_decr = generic_calibrate_decr, ++ .progress = maple_progress, ++ .power_save = power4_idle, ++}; +-- +2.20.1 + diff --git a/queue-4.14/rbd-avoid-a-deadlock-on-header_rwsem-when-flushing-n.patch b/queue-4.14/rbd-avoid-a-deadlock-on-header_rwsem-when-flushing-n.patch new file mode 100644 index 00000000000..5846c46dbdb --- /dev/null +++ b/queue-4.14/rbd-avoid-a-deadlock-on-header_rwsem-when-flushing-n.patch @@ -0,0 +1,88 @@ +From f3e27cc808bbb2d000d1cf6468054b1b4b16be77 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2020 11:20:51 +0100 +Subject: rbd: avoid a deadlock on header_rwsem when flushing notifies + +From: Ilya Dryomov + +[ Upstream commit 0e4e1de5b63fa423b13593337a27fd2d2b0bcf77 ] + +rbd_unregister_watch() flushes notifies and therefore cannot be called +under header_rwsem because a header update notify takes header_rwsem to +synchronize with "rbd map". If mapping an image fails after the watch +is established and a header update notify sneaks in, we deadlock when +erroring out from rbd_dev_image_probe(). + +Move watch registration and unregistration out of the critical section. +The only reason they were put there was to make header_rwsem management +slightly more obvious. + +Fixes: 811c66887746 ("rbd: fix rbd map vs notify races") +Signed-off-by: Ilya Dryomov +Reviewed-by: Jason Dillaman +Signed-off-by: Sasha Levin +--- + drivers/block/rbd.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c +index f2b1994d58a06..fb1b9b8946f07 100644 +--- a/drivers/block/rbd.c ++++ b/drivers/block/rbd.c +@@ -3847,6 +3847,10 @@ static void cancel_tasks_sync(struct rbd_device *rbd_dev) + cancel_work_sync(&rbd_dev->unlock_work); + } + ++/* ++ * header_rwsem must not be held to avoid a deadlock with ++ * rbd_dev_refresh() when flushing notifies. ++ */ + static void rbd_unregister_watch(struct rbd_device *rbd_dev) + { + WARN_ON(waitqueue_active(&rbd_dev->lock_waitq)); +@@ -6057,6 +6061,9 @@ static void rbd_dev_image_release(struct rbd_device *rbd_dev) + * device. If this image is the one being mapped (i.e., not a + * parent), initiate a watch on its header object before using that + * object to get detailed information about the rbd image. ++ * ++ * On success, returns with header_rwsem held for write if called ++ * with @depth == 0. + */ + static int rbd_dev_image_probe(struct rbd_device *rbd_dev, int depth) + { +@@ -6087,6 +6094,9 @@ static int rbd_dev_image_probe(struct rbd_device *rbd_dev, int depth) + } + } + ++ if (!depth) ++ down_write(&rbd_dev->header_rwsem); ++ + ret = rbd_dev_header_info(rbd_dev); + if (ret) + goto err_out_watch; +@@ -6135,6 +6145,8 @@ static int rbd_dev_image_probe(struct rbd_device *rbd_dev, int depth) + err_out_probe: + rbd_dev_unprobe(rbd_dev); + err_out_watch: ++ if (!depth) ++ up_write(&rbd_dev->header_rwsem); + if (!depth) + rbd_unregister_watch(rbd_dev); + err_out_format: +@@ -6194,12 +6206,9 @@ static ssize_t do_rbd_add(struct bus_type *bus, + goto err_out_rbd_dev; + } + +- down_write(&rbd_dev->header_rwsem); + rc = rbd_dev_image_probe(rbd_dev, 0); +- if (rc < 0) { +- up_write(&rbd_dev->header_rwsem); ++ if (rc < 0) + goto err_out_rbd_dev; +- } + + /* If we are mapping a snapshot it must be marked read-only */ + +-- +2.20.1 + diff --git a/queue-4.14/rbd-call-rbd_dev_unprobe-after-unwatching-and-flushi.patch b/queue-4.14/rbd-call-rbd_dev_unprobe-after-unwatching-and-flushi.patch new file mode 100644 index 00000000000..a8184b52a4d --- /dev/null +++ b/queue-4.14/rbd-call-rbd_dev_unprobe-after-unwatching-and-flushi.patch @@ -0,0 +1,81 @@ +From bb15199e9e8a434a88232615dfbda447120c9b5b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2020 15:52:54 +0100 +Subject: rbd: call rbd_dev_unprobe() after unwatching and flushing notifies + +From: Ilya Dryomov + +[ Upstream commit 952c48b0ed18919bff7528501e9a3fff8a24f8cd ] + +rbd_dev_unprobe() is supposed to undo most of rbd_dev_image_probe(), +including rbd_dev_header_info(), which means that rbd_dev_header_info() +isn't supposed to be called after rbd_dev_unprobe(). + +However, rbd_dev_image_release() calls rbd_dev_unprobe() before +rbd_unregister_watch(). This is racy because a header update notify +can sneak in: + + "rbd unmap" thread ceph-watch-notify worker + + rbd_dev_image_release() + rbd_dev_unprobe() + free and zero out header + rbd_watch_cb() + rbd_dev_refresh() + rbd_dev_header_info() + read in header + +The same goes for "rbd map" because rbd_dev_image_probe() calls +rbd_dev_unprobe() on errors. In both cases this results in a memory +leak. + +Fixes: fd22aef8b47c ("rbd: move rbd_unregister_watch() call into rbd_dev_image_release()") +Signed-off-by: Ilya Dryomov +Reviewed-by: Jason Dillaman +Signed-off-by: Sasha Levin +--- + drivers/block/rbd.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c +index fb1b9b8946f07..557cf52f674b5 100644 +--- a/drivers/block/rbd.c ++++ b/drivers/block/rbd.c +@@ -6048,9 +6048,10 @@ static int rbd_dev_header_name(struct rbd_device *rbd_dev) + + static void rbd_dev_image_release(struct rbd_device *rbd_dev) + { +- rbd_dev_unprobe(rbd_dev); + if (rbd_dev->opts) + rbd_unregister_watch(rbd_dev); ++ ++ rbd_dev_unprobe(rbd_dev); + rbd_dev->image_format = 0; + kfree(rbd_dev->spec->image_id); + rbd_dev->spec->image_id = NULL; +@@ -6099,7 +6100,7 @@ static int rbd_dev_image_probe(struct rbd_device *rbd_dev, int depth) + + ret = rbd_dev_header_info(rbd_dev); + if (ret) +- goto err_out_watch; ++ goto err_out_probe; + + /* + * If this image is the one being mapped, we have pool name and +@@ -6143,12 +6144,11 @@ static int rbd_dev_image_probe(struct rbd_device *rbd_dev, int depth) + return 0; + + err_out_probe: +- rbd_dev_unprobe(rbd_dev); +-err_out_watch: + if (!depth) + up_write(&rbd_dev->header_rwsem); + if (!depth) + rbd_unregister_watch(rbd_dev); ++ rbd_dev_unprobe(rbd_dev); + err_out_format: + rbd_dev->image_format = 0; + kfree(rbd_dev->spec->image_id); +-- +2.20.1 + diff --git a/queue-4.14/rtc-88pm860x-fix-possible-race-condition.patch b/queue-4.14/rtc-88pm860x-fix-possible-race-condition.patch new file mode 100644 index 00000000000..dcffcf5046e --- /dev/null +++ b/queue-4.14/rtc-88pm860x-fix-possible-race-condition.patch @@ -0,0 +1,62 @@ +From 65c458d46777fddf35ad34be1393196c026e16cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Mar 2020 23:39:51 +0100 +Subject: rtc: 88pm860x: fix possible race condition + +From: Alexandre Belloni + +[ Upstream commit 9cf4789e6e4673d0b2c96fa6bb0c35e81b43111a ] + +The RTC IRQ is requested before the struct rtc_device is allocated, +this may lead to a NULL pointer dereference in the IRQ handler. + +To fix this issue, allocating the rtc_device struct before requesting +the RTC IRQ using devm_rtc_allocate_device, and use rtc_register_device +to register the RTC device. + +Also remove the unnecessary error message as the core already prints the +info. + +Link: https://lore.kernel.org/r/20200311223956.51352-1-alexandre.belloni@bootlin.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-88pm860x.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/drivers/rtc/rtc-88pm860x.c b/drivers/rtc/rtc-88pm860x.c +index 7d3e5168fcefc..efbbde7379f13 100644 +--- a/drivers/rtc/rtc-88pm860x.c ++++ b/drivers/rtc/rtc-88pm860x.c +@@ -341,6 +341,10 @@ static int pm860x_rtc_probe(struct platform_device *pdev) + info->dev = &pdev->dev; + dev_set_drvdata(&pdev->dev, info); + ++ info->rtc_dev = devm_rtc_allocate_device(&pdev->dev); ++ if (IS_ERR(info->rtc_dev)) ++ return PTR_ERR(info->rtc_dev); ++ + ret = devm_request_threaded_irq(&pdev->dev, info->irq, NULL, + rtc_update_handler, IRQF_ONESHOT, "rtc", + info); +@@ -382,13 +386,11 @@ static int pm860x_rtc_probe(struct platform_device *pdev) + } + } + +- info->rtc_dev = devm_rtc_device_register(&pdev->dev, "88pm860x-rtc", +- &pm860x_rtc_ops, THIS_MODULE); +- ret = PTR_ERR(info->rtc_dev); +- if (IS_ERR(info->rtc_dev)) { +- dev_err(&pdev->dev, "Failed to register RTC device: %d\n", ret); ++ info->rtc_dev->ops = &pm860x_rtc_ops; ++ ++ ret = rtc_register_device(info->rtc_dev); ++ if (ret) + return ret; +- } + + /* + * enable internal XO instead of internal 3.25MHz clock since it can +-- +2.20.1 + diff --git a/queue-4.14/s390-cpuinfo-fix-wrong-output-when-cpu0-is-offline.patch b/queue-4.14/s390-cpuinfo-fix-wrong-output-when-cpu0-is-offline.patch new file mode 100644 index 00000000000..b049e52d8d0 --- /dev/null +++ b/queue-4.14/s390-cpuinfo-fix-wrong-output-when-cpu0-is-offline.patch @@ -0,0 +1,49 @@ +From 55160f0ae94b1537db317cc9aa10bcf4590179e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Mar 2020 12:39:55 +0100 +Subject: s390/cpuinfo: fix wrong output when CPU0 is offline + +From: Alexander Gordeev + +[ Upstream commit 872f27103874a73783aeff2aac2b41a489f67d7c ] + +/proc/cpuinfo should not print information about CPU 0 when it is offline. + +Fixes: 281eaa8cb67c ("s390/cpuinfo: simplify locking and skip offline cpus early") +Signed-off-by: Alexander Gordeev +Reviewed-by: Heiko Carstens +[heiko.carstens@de.ibm.com: shortened commit message] +Signed-off-by: Heiko Carstens +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/processor.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/arch/s390/kernel/processor.c b/arch/s390/kernel/processor.c +index 6fe2e1875058b..675d4be0c2b77 100644 +--- a/arch/s390/kernel/processor.c ++++ b/arch/s390/kernel/processor.c +@@ -157,8 +157,9 @@ static void show_cpu_mhz(struct seq_file *m, unsigned long n) + static int show_cpuinfo(struct seq_file *m, void *v) + { + unsigned long n = (unsigned long) v - 1; ++ unsigned long first = cpumask_first(cpu_online_mask); + +- if (!n) ++ if (n == first) + show_cpu_summary(m, v); + if (!machine_has_cpu_mhz) + return 0; +@@ -171,6 +172,8 @@ static inline void *c_update(loff_t *pos) + { + if (*pos) + *pos = cpumask_next(*pos - 1, cpu_online_mask); ++ else ++ *pos = cpumask_first(cpu_online_mask); + return *pos < nr_cpu_ids ? (void *)*pos + 1 : NULL; + } + +-- +2.20.1 + diff --git a/queue-4.14/series b/queue-4.14/series index d19c9864c27..d97c826462e 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -164,3 +164,28 @@ wil6210-fix-length-check-in-__wmi_send.patch wil6210-abort-properly-in-cfg-suspend.patch soc-qcom-smem-use-le32_to_cpu-for-comparison.patch of-fix-missing-kobject-init-for-sysfs-of_dynamic-config.patch +rbd-avoid-a-deadlock-on-header_rwsem-when-flushing-n.patch +rbd-call-rbd_dev_unprobe-after-unwatching-and-flushi.patch +of-unittest-kmemleak-in-of_unittest_platform_populat.patch +clk-at91-usb-continue-if-clk_hw_round_rate-return-ze.patch +power-supply-bq27xxx_battery-silence-deferred-probe-.patch +clk-tegra-fix-tegra-pmc-clock-out-parents.patch +soc-imx-gpc-fix-power-up-sequencing.patch +rtc-88pm860x-fix-possible-race-condition.patch +nfsv4-pnfs-return-valid-stateids-in-nfs_layout_find_.patch +nfs-direct.c-fix-memory-leak-of-dreq-when-nfs_get_lo.patch +s390-cpuinfo-fix-wrong-output-when-cpu0-is-offline.patch +powerpc-maple-fix-declaration-made-after-definition.patch +ext4-do-not-commit-super-on-read-only-bdev.patch +include-linux-swapops.h-correct-guards-for-non_swap_.patch +percpu_counter-fix-a-data-race-at-vm_committed_as.patch +compiler.h-fix-error-in-build_bug_on-reporting.patch +kvm-s390-vsie-fix-possible-race-when-shadowing-regio.patch +x86-acpi-fix-cpu-hotplug-deadlock.patch +drm-amdkfd-kfree-the-wrong-pointer.patch +nfs-fix-memory-leaks-in-nfs_pageio_stop_mirroring.patch +iommu-vt-d-fix-mm-reference-leak.patch +ext2-fix-empty-body-warnings-when-wextra-is-used.patch +ext2-fix-debug-reference-to-ext2_xattr_cache.patch +libnvdimm-out-of-bounds-read-in-__nd_ioctl.patch +iommu-amd-fix-the-configuration-of-gcr3-table-root-p.patch diff --git a/queue-4.14/soc-imx-gpc-fix-power-up-sequencing.patch b/queue-4.14/soc-imx-gpc-fix-power-up-sequencing.patch new file mode 100644 index 00000000000..5db17c7fb35 --- /dev/null +++ b/queue-4.14/soc-imx-gpc-fix-power-up-sequencing.patch @@ -0,0 +1,78 @@ +From 7e59316516a45a9df353b159a205445df52084e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2020 11:09:12 +0100 +Subject: soc: imx: gpc: fix power up sequencing + +From: Lucas Stach + +[ Upstream commit e0ea2d11f8a08ba7066ff897e16c5217215d1e68 ] + +Currently we wait only until the PGC inverts the isolation setting +before disabling the peripheral clocks. This doesn't ensure that the +reset is properly propagated through the peripheral devices in the +power domain. + +Wait until the PGC signals that the power up request is done and +wait a bit for resets to propagate before disabling the clocks. + +Signed-off-by: Lucas Stach +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + drivers/soc/imx/gpc.c | 24 +++++++++++++----------- + 1 file changed, 13 insertions(+), 11 deletions(-) + +diff --git a/drivers/soc/imx/gpc.c b/drivers/soc/imx/gpc.c +index 3a12123de4662..0e083fe8b893f 100644 +--- a/drivers/soc/imx/gpc.c ++++ b/drivers/soc/imx/gpc.c +@@ -97,8 +97,8 @@ static int imx6_pm_domain_power_off(struct generic_pm_domain *genpd) + static int imx6_pm_domain_power_on(struct generic_pm_domain *genpd) + { + struct imx_pm_domain *pd = to_imx_pm_domain(genpd); +- int i, ret, sw, sw2iso; +- u32 val; ++ int i, ret; ++ u32 val, req; + + if (pd->supply) { + ret = regulator_enable(pd->supply); +@@ -117,17 +117,18 @@ static int imx6_pm_domain_power_on(struct generic_pm_domain *genpd) + regmap_update_bits(pd->regmap, pd->reg_offs + GPC_PGC_CTRL_OFFS, + 0x1, 0x1); + +- /* Read ISO and ISO2SW power up delays */ +- regmap_read(pd->regmap, pd->reg_offs + GPC_PGC_PUPSCR_OFFS, &val); +- sw = val & 0x3f; +- sw2iso = (val >> 8) & 0x3f; +- + /* Request GPC to power up domain */ +- val = BIT(pd->cntr_pdn_bit + 1); +- regmap_update_bits(pd->regmap, GPC_CNTR, val, val); ++ req = BIT(pd->cntr_pdn_bit + 1); ++ regmap_update_bits(pd->regmap, GPC_CNTR, req, req); + +- /* Wait ISO + ISO2SW IPG clock cycles */ +- udelay(DIV_ROUND_UP(sw + sw2iso, pd->ipg_rate_mhz)); ++ /* Wait for the PGC to handle the request */ ++ ret = regmap_read_poll_timeout(pd->regmap, GPC_CNTR, val, !(val & req), ++ 1, 50); ++ if (ret) ++ pr_err("powerup request on domain %s timed out\n", genpd->name); ++ ++ /* Wait for reset to propagate through peripherals */ ++ usleep_range(5, 10); + + /* Disable reset clocks for all devices in the domain */ + for (i = 0; i < pd->num_clks; i++) +@@ -329,6 +330,7 @@ static const struct regmap_config imx_gpc_regmap_config = { + .rd_table = &access_table, + .wr_table = &access_table, + .max_register = 0x2ac, ++ .fast_io = true, + }; + + static struct generic_pm_domain *imx_gpc_onecell_domains[] = { +-- +2.20.1 + diff --git a/queue-4.14/x86-acpi-fix-cpu-hotplug-deadlock.patch b/queue-4.14/x86-acpi-fix-cpu-hotplug-deadlock.patch new file mode 100644 index 00000000000..201cea17680 --- /dev/null +++ b/queue-4.14/x86-acpi-fix-cpu-hotplug-deadlock.patch @@ -0,0 +1,169 @@ +From 0914222b61ec4d8ce7c7c23b17abaeb3d0301b1d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Apr 2020 10:03:45 -0400 +Subject: x86: ACPI: fix CPU hotplug deadlock + +From: Qian Cai + +[ Upstream commit 696ac2e3bf267f5a2b2ed7d34e64131f2287d0ad ] + +Similar to commit 0266d81e9bf5 ("acpi/processor: Prevent cpu hotplug +deadlock") except this is for acpi_processor_ffh_cstate_probe(): + +"The problem is that the work is scheduled on the current CPU from the +hotplug thread associated with that CPU. + +It's not required to invoke these functions via the workqueue because +the hotplug thread runs on the target CPU already. + +Check whether current is a per cpu thread pinned on the target CPU and +invoke the function directly to avoid the workqueue." + + WARNING: possible circular locking dependency detected + ------------------------------------------------------ + cpuhp/1/15 is trying to acquire lock: + ffffc90003447a28 ((work_completion)(&wfc.work)){+.+.}-{0:0}, at: __flush_work+0x4c6/0x630 + + but task is already holding lock: + ffffffffafa1c0e8 (cpuidle_lock){+.+.}-{3:3}, at: cpuidle_pause_and_lock+0x17/0x20 + + which lock already depends on the new lock. + + the existing dependency chain (in reverse order) is: + + -> #1 (cpu_hotplug_lock){++++}-{0:0}: + cpus_read_lock+0x3e/0xc0 + irq_calc_affinity_vectors+0x5f/0x91 + __pci_enable_msix_range+0x10f/0x9a0 + pci_alloc_irq_vectors_affinity+0x13e/0x1f0 + pci_alloc_irq_vectors_affinity at drivers/pci/msi.c:1208 + pqi_ctrl_init+0x72f/0x1618 [smartpqi] + pqi_pci_probe.cold.63+0x882/0x892 [smartpqi] + local_pci_probe+0x7a/0xc0 + work_for_cpu_fn+0x2e/0x50 + process_one_work+0x57e/0xb90 + worker_thread+0x363/0x5b0 + kthread+0x1f4/0x220 + ret_from_fork+0x27/0x50 + + -> #0 ((work_completion)(&wfc.work)){+.+.}-{0:0}: + __lock_acquire+0x2244/0x32a0 + lock_acquire+0x1a2/0x680 + __flush_work+0x4e6/0x630 + work_on_cpu+0x114/0x160 + acpi_processor_ffh_cstate_probe+0x129/0x250 + acpi_processor_evaluate_cst+0x4c8/0x580 + acpi_processor_get_power_info+0x86/0x740 + acpi_processor_hotplug+0xc3/0x140 + acpi_soft_cpu_online+0x102/0x1d0 + cpuhp_invoke_callback+0x197/0x1120 + cpuhp_thread_fun+0x252/0x2f0 + smpboot_thread_fn+0x255/0x440 + kthread+0x1f4/0x220 + ret_from_fork+0x27/0x50 + + other info that might help us debug this: + + Chain exists of: + (work_completion)(&wfc.work) --> cpuhp_state-up --> cpuidle_lock + + Possible unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(cpuidle_lock); + lock(cpuhp_state-up); + lock(cpuidle_lock); + lock((work_completion)(&wfc.work)); + + *** DEADLOCK *** + + 3 locks held by cpuhp/1/15: + #0: ffffffffaf51ab10 (cpu_hotplug_lock){++++}-{0:0}, at: cpuhp_thread_fun+0x69/0x2f0 + #1: ffffffffaf51ad40 (cpuhp_state-up){+.+.}-{0:0}, at: cpuhp_thread_fun+0x69/0x2f0 + #2: ffffffffafa1c0e8 (cpuidle_lock){+.+.}-{3:3}, at: cpuidle_pause_and_lock+0x17/0x20 + + Call Trace: + dump_stack+0xa0/0xea + print_circular_bug.cold.52+0x147/0x14c + check_noncircular+0x295/0x2d0 + __lock_acquire+0x2244/0x32a0 + lock_acquire+0x1a2/0x680 + __flush_work+0x4e6/0x630 + work_on_cpu+0x114/0x160 + acpi_processor_ffh_cstate_probe+0x129/0x250 + acpi_processor_evaluate_cst+0x4c8/0x580 + acpi_processor_get_power_info+0x86/0x740 + acpi_processor_hotplug+0xc3/0x140 + acpi_soft_cpu_online+0x102/0x1d0 + cpuhp_invoke_callback+0x197/0x1120 + cpuhp_thread_fun+0x252/0x2f0 + smpboot_thread_fn+0x255/0x440 + kthread+0x1f4/0x220 + ret_from_fork+0x27/0x50 + +Signed-off-by: Qian Cai +Tested-by: Borislav Petkov +[ rjw: Subject ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/acpi/cstate.c | 3 ++- + drivers/acpi/processor_throttling.c | 7 ------- + include/acpi/processor.h | 8 ++++++++ + 3 files changed, 10 insertions(+), 8 deletions(-) + +diff --git a/arch/x86/kernel/acpi/cstate.c b/arch/x86/kernel/acpi/cstate.c +index dde437f5d14ff..596e7640d895a 100644 +--- a/arch/x86/kernel/acpi/cstate.c ++++ b/arch/x86/kernel/acpi/cstate.c +@@ -133,7 +133,8 @@ int acpi_processor_ffh_cstate_probe(unsigned int cpu, + + /* Make sure we are running on right CPU */ + +- retval = work_on_cpu(cpu, acpi_processor_ffh_cstate_probe_cpu, cx); ++ retval = call_on_cpu(cpu, acpi_processor_ffh_cstate_probe_cpu, cx, ++ false); + if (retval == 0) { + /* Use the hint in CST */ + percpu_entry->states[cx->index].eax = cx->address; +diff --git a/drivers/acpi/processor_throttling.c b/drivers/acpi/processor_throttling.c +index 7f9aff4b8d627..9fdc13a2f2d59 100644 +--- a/drivers/acpi/processor_throttling.c ++++ b/drivers/acpi/processor_throttling.c +@@ -909,13 +909,6 @@ static long __acpi_processor_get_throttling(void *data) + return pr->throttling.acpi_processor_get_throttling(pr); + } + +-static int call_on_cpu(int cpu, long (*fn)(void *), void *arg, bool direct) +-{ +- if (direct || (is_percpu_thread() && cpu == smp_processor_id())) +- return fn(arg); +- return work_on_cpu(cpu, fn, arg); +-} +- + static int acpi_processor_get_throttling(struct acpi_processor *pr) + { + if (!pr) +diff --git a/include/acpi/processor.h b/include/acpi/processor.h +index d591bb77f592b..f4bff23135479 100644 +--- a/include/acpi/processor.h ++++ b/include/acpi/processor.h +@@ -291,6 +291,14 @@ static inline void acpi_processor_ffh_cstate_enter(struct acpi_processor_cx + } + #endif + ++static inline int call_on_cpu(int cpu, long (*fn)(void *), void *arg, ++ bool direct) ++{ ++ if (direct || (is_percpu_thread() && cpu == smp_processor_id())) ++ return fn(arg); ++ return work_on_cpu(cpu, fn, arg); ++} ++ + /* in processor_perflib.c */ + + #ifdef CONFIG_CPU_FREQ +-- +2.20.1 +