From 927579fc600697ff68e46b2e1b193de958ed5ae9 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Mon, 2 Nov 2020 00:20:05 -0500 Subject: [PATCH] Fixes for 5.4 
Signed-off-by: Sasha Levin --- ...bounds-and-numa_off-protections-to-p.patch | 42 ++++ ...ndling-of-changes-from-acpi-6.2-to-a.patch | 44 ++++ ...ix-the-errors-detected-by-dtbs_check.patch | 95 +++++++++ ...eakpoint-handle-inexact-watchpoint-a.patch | 188 +++++++++++++++++ ...ts-omap4-fix-sgx-clock-rate-for-4430.patch | 70 +++++++ ...10-move-fixed-clocks-under-root-node.patch | 85 ++++++++ ...move-pmu-node-out-of-clock-controlle.patch | 57 ++++++ ...remove-dedicated-audio-subsystem-nod.patch | 106 ++++++++++ ...remove-dma-controller-bus-node-name-.patch | 87 ++++++++ ...s-ulcb-add-full-pwr-cycle-in-suspend.patch | 36 ++++ ...cpu_all_mask-when-node-is-numa_no_no.patch | 61 ++++++ ...top-using-mpidr-for-topology-informa.patch | 138 +++++++++++++ ...-fix-config_generic_iomap-pci_iounma.patch | 114 +++++++++++ ...sata_nv-fix-retrieving-of-active-qcs.patch | 43 ++++ ...nss-calculation-when-stbc-is-enabled.patch | 58 ++++++ ...overy-process-when-payload-length-ex.patch | 85 ++++++++ ...log-unknown-link-speed-appropriately.patch | 51 +++++ ...tr-arithmetic-with-opcode-add-and-of.patch | 119 +++++++++++ ...ning-message-after-dongle-setup-fail.patch | 76 +++++++ .../btrfs-fix-replace-of-seed-device.patch | 115 +++++++++++ ...t-rely-on-caller-to-provide-non-null.patch | 43 ++++ ...xcan-disable-clocks-during-stop-mode.patch | 85 ++++++++ .../cifs-handle-eintr-in-cifs_setattr.patch | 57 ++++++ ...ockdomain-fix-static-checker-warning.patch | 40 ++++ ...ysfs-functional-on-topologies-with-p.patch | 143 +++++++++++++ ...freq-sti-cpufreq-add-stih418-support.patch | 46 +++++ ...hdlc_fr-correctly-handle-special-skb.patch | 188 +++++++++++++++++ ...-rdc321x_wdt-fix-race-condition-bugs.patch | 62 ++++++ ...hdmi-remote-sink-need-mode-validatio.patch | 49 +++++ ...sys-dsi-add-support-for-non-continuo.patch | 67 +++++++ ...ips-add-checking-if-ge_b850v3_lvds_i.patch | 60 ++++++ ...detect-already-used-quota-file-early.patch | 48 +++++ ...2fs-add-trace-exit-in-exception-path.patch | 40 ++++ 
...k-segment-boundary-during-sit-page-r.patch | 60 ++++++ ...f2fs-fix-uninit-value-in-f2fs_lookup.patch | 81 ++++++++ ...-errors-of-f2fs_get_meta_page_nofail.patch | 131 ++++++++++++ ...i-add-missing-rx-size-re-initialisat.patch | 124 ++++++++++++ ...irmware-arm_scmi-fix-arch_cold_reset.patch | 39 ++++ ...incorrect-should_fail_futex-handling.patch | 49 +++++ ...dation-checks-for-size-of-superblock.patch | 62 ++++++ ...e-after-free-in-sysfs-deregistration.patch | 189 ++++++++++++++++++ ...-generic-kretprobe-trampoline-handle.patch | 120 +++++++++++ ...con-work-properly-with-kgdb_earlycon.patch | 70 +++++++ ...v-do-not-allocate-hpt-for-a-nested-g.patch | 101 ++++++++++ ...map_get_counter-returns-wrong-blocks.patch | 53 +++++ ...a-imx274-fix-frame-interval-handling.patch | 54 +++++ ...mprove-queue-set-up-flow-for-bug-fix.patch | 41 ++++ ...ck-status-of-tw5864_frameinterval_ge.patch | 63 ++++++ ...ix-dereference-of-out-of-bound-list-.patch | 75 +++++++ ...h-rgb-bt2020-and-hsv-are-always-full.patch | 117 +++++++++++ ...-remove-bogus-debugfs-error-handling.patch | 75 +++++++ ...se-after-free-in-mlxsw_emad_trans_fi.patch | 166 +++++++++++++++ ...vate_mm-vs-tlb-shootdown-and-lazy-tl.patch | 116 +++++++++++ .../mmc-via-sdmmc-fix-data-race-bug.patch | 48 +++++ ...fig-put-is-called-before-the-notifyi.patch | 43 ++++ ...e-sun_server.sun_path-to-have-addr-s.patch | 45 +++++ ...en-copy_file_range-is-attempted-with.patch | 62 ++++++ ...rdma-fix-crash-when-connect-rejected.patch | 47 +++++ ...7xxx-report-not-charging-on-all-type.patch | 55 +++++ ...t_power-add-missing-newlines-when-pr.patch | 84 ++++++++ ...powernv-smp-fix-spurious-dbg-warning.patch | 55 +++++ ...elect-arch_want_irqs_off_activate_mm.patch | 50 +++++ ...reduce-log_buf_shift-range-for-h8300.patch | 42 ++++ ...dma-qedr-fix-memory-leak-in-iwarp-cm.patch | 37 ++++ ...-at_vector_size_arch-for-arch_dlinfo.patch | 38 ++++ ...ink-use-complete_all-for-open-states.patch | 57 ++++++ 
...tartup-avoid-save_area_sync-overflow.patch | 62 ++++++ ...bpf-fix-possible-deadlock-in-xdpsock.patch | 41 ++++ ...fine-string-const-as-global-for-test.patch | 57 ++++++ ...-x86-fsgsbase-reap-a-forgotten-child.patch | 36 ++++ queue-5.4/series | 82 ++++++++ .../sgl_alloc_order-fix-memory-leak.patch | 42 ++++ ...m_cpumask-clearing-to-fix-kthread_us.patch | 179 +++++++++++++++++ ...tigate-cond_resched-in-xprt_transmit.patch | 55 +++++ ...-uio-id-after-uio-file-node-is-freed.patch | 85 ++++++++ .../um-change-sigio_spinlock-to-a-mutex.patch | 78 ++++++++ queue-5.4/usb-adutux-fix-debugging.patch | 35 ++++ ...uring-pr_swap-source-caps-should-be-.patch | 80 ++++++++ ...plicate-actions-when-suspending-a-ru.patch | 58 ++++++ ...eo-fbdev-pvr2fb-initialize-variables.patch | 49 +++++ ...ix-inactive-tasks-with-stack-pointer.patch | 145 ++++++++++++++ ...t-blocks-when-we-re-doing-a-remap-bu.patch | 63 ++++++ ...-bitmap-summary-file-truncation-when.patch | 70 +++++++ 83 files changed, 6264 insertions(+) create mode 100644 queue-5.4/acpi-add-out-of-bounds-and-numa_off-protections-to-p.patch create mode 100644 queue-5.4/acpi-hmat-fix-handling-of-changes-from-acpi-6.2-to-a.patch create mode 100644 queue-5.4/arc-dts-fix-the-errors-detected-by-dtbs_check.patch create mode 100644 queue-5.4/arm-8997-2-hw_breakpoint-handle-inexact-watchpoint-a.patch create mode 100644 queue-5.4/arm-dts-omap4-fix-sgx-clock-rate-for-4430.patch create mode 100644 queue-5.4/arm-dts-s5pv210-move-fixed-clocks-under-root-node.patch create mode 100644 queue-5.4/arm-dts-s5pv210-move-pmu-node-out-of-clock-controlle.patch create mode 100644 queue-5.4/arm-dts-s5pv210-remove-dedicated-audio-subsystem-nod.patch create mode 100644 queue-5.4/arm-dts-s5pv210-remove-dma-controller-bus-node-name-.patch create mode 100644 queue-5.4/arm64-dts-renesas-ulcb-add-full-pwr-cycle-in-suspend.patch create mode 100644 queue-5.4/arm64-mm-return-cpu_all_mask-when-node-is-numa_no_no.patch create mode 100644 
queue-5.4/arm64-topology-stop-using-mpidr-for-topology-informa.patch create mode 100644 queue-5.4/asm-generic-io.h-fix-config_generic_iomap-pci_iounma.patch create mode 100644 queue-5.4/ata-sata_nv-fix-retrieving-of-active-qcs.patch create mode 100644 queue-5.4/ath10k-fix-vht-nss-calculation-when-stbc-is-enabled.patch create mode 100644 queue-5.4/ath10k-start-recovery-process-when-payload-length-ex.patch create mode 100644 queue-5.4/bnxt_en-log-unknown-link-speed-appropriately.patch create mode 100644 queue-5.4/bpf-permit-map_ptr-arithmetic-with-opcode-add-and-of.patch create mode 100644 queue-5.4/brcmfmac-fix-warning-message-after-dongle-setup-fail.patch create mode 100644 queue-5.4/btrfs-fix-replace-of-seed-device.patch create mode 100644 queue-5.4/bus-fsl_mc-do-not-rely-on-caller-to-provide-non-null.patch create mode 100644 queue-5.4/can-flexcan-disable-clocks-during-stop-mode.patch create mode 100644 queue-5.4/cifs-handle-eintr-in-cifs_setattr.patch create mode 100644 queue-5.4/clk-ti-clockdomain-fix-static-checker-warning.patch create mode 100644 queue-5.4/coresight-make-sysfs-functional-on-topologies-with-p.patch create mode 100644 queue-5.4/cpufreq-sti-cpufreq-add-stih418-support.patch create mode 100644 queue-5.4/drivers-net-wan-hdlc_fr-correctly-handle-special-skb.patch create mode 100644 queue-5.4/drivers-watchdog-rdc321x_wdt-fix-race-condition-bugs.patch create mode 100644 queue-5.4/drm-amd-display-hdmi-remote-sink-need-mode-validatio.patch create mode 100644 queue-5.4/drm-bridge-synopsys-dsi-add-support-for-non-continuo.patch create mode 100644 queue-5.4/drm-brige-megachips-add-checking-if-ge_b850v3_lvds_i.patch create mode 100644 queue-5.4/ext4-detect-already-used-quota-file-early.patch create mode 100644 queue-5.4/f2fs-add-trace-exit-in-exception-path.patch create mode 100644 queue-5.4/f2fs-fix-to-check-segment-boundary-during-sit-page-r.patch create mode 100644 queue-5.4/f2fs-fix-uninit-value-in-f2fs_lookup.patch create mode 100644 
queue-5.4/f2fs-handle-errors-of-f2fs_get_meta_page_nofail.patch create mode 100644 queue-5.4/firmware-arm_scmi-add-missing-rx-size-re-initialisat.patch create mode 100644 queue-5.4/firmware-arm_scmi-fix-arch_cold_reset.patch create mode 100644 queue-5.4/futex-fix-incorrect-should_fail_futex-handling.patch create mode 100644 queue-5.4/gfs2-add-validation-checks-for-size-of-superblock.patch create mode 100644 queue-5.4/gfs2-use-after-free-in-sysfs-deregistration.patch create mode 100644 queue-5.4/ia64-kprobes-use-generic-kretprobe-trampoline-handle.patch create mode 100644 queue-5.4/kgdb-make-kgdbcon-work-properly-with-kgdb_earlycon.patch create mode 100644 queue-5.4/kvm-ppc-book3s-hv-do-not-allocate-hpt-for-a-nested-g.patch create mode 100644 queue-5.4/md-bitmap-md_bitmap_get_counter-returns-wrong-blocks.patch create mode 100644 queue-5.4/media-imx274-fix-frame-interval-handling.patch create mode 100644 queue-5.4/media-platform-improve-queue-set-up-flow-for-bug-fix.patch create mode 100644 queue-5.4/media-tw5864-check-status-of-tw5864_frameinterval_ge.patch create mode 100644 queue-5.4/media-uvcvideo-fix-dereference-of-out-of-bound-list-.patch create mode 100644 queue-5.4/media-videodev2.h-rgb-bt2020-and-hsv-are-always-full.patch create mode 100644 queue-5.4/memory-emif-remove-bogus-debugfs-error-handling.patch create mode 100644 queue-5.4/mlxsw-core-fix-use-after-free-in-mlxsw_emad_trans_fi.patch create mode 100644 queue-5.4/mm-fix-exec-activate_mm-vs-tlb-shootdown-and-lazy-tl.patch create mode 100644 queue-5.4/mmc-via-sdmmc-fix-data-race-bug.patch create mode 100644 queue-5.4/nbd-make-the-config-put-is-called-before-the-notifyi.patch create mode 100644 queue-5.4/net-9p-initialize-sun_server.sun_path-to-have-addr-s.patch create mode 100644 queue-5.4/nfs4-fix-oops-when-copy_file_range-is-attempted-with.patch create mode 100644 queue-5.4/nvme-rdma-fix-crash-when-connect-rejected.patch create mode 100644 
queue-5.4/power-supply-bq27xxx-report-not-charging-on-all-type.patch create mode 100644 queue-5.4/power-supply-test_power-add-missing-newlines-when-pr.patch create mode 100644 queue-5.4/powerpc-powernv-smp-fix-spurious-dbg-warning.patch create mode 100644 queue-5.4/powerpc-select-arch_want_irqs_off_activate_mm.patch create mode 100644 queue-5.4/printk-reduce-log_buf_shift-range-for-h8300.patch create mode 100644 queue-5.4/rdma-qedr-fix-memory-leak-in-iwarp-cm.patch create mode 100644 queue-5.4/riscv-define-at_vector_size_arch-for-arch_dlinfo.patch create mode 100644 queue-5.4/rpmsg-glink-use-complete_all-for-open-states.patch create mode 100644 queue-5.4/s390-startup-avoid-save_area_sync-overflow.patch create mode 100644 queue-5.4/samples-bpf-fix-possible-deadlock-in-xdpsock.patch create mode 100644 queue-5.4/selftests-bpf-define-string-const-as-global-for-test.patch create mode 100644 queue-5.4/selftests-x86-fsgsbase-reap-a-forgotten-child.patch create mode 100644 queue-5.4/series create mode 100644 queue-5.4/sgl_alloc_order-fix-memory-leak.patch create mode 100644 queue-5.4/sparc64-remove-mm_cpumask-clearing-to-fix-kthread_us.patch create mode 100644 queue-5.4/sunrpc-mitigate-cond_resched-in-xprt_transmit.patch create mode 100644 queue-5.4/uio-free-uio-id-after-uio-file-node-is-freed.patch create mode 100644 queue-5.4/um-change-sigio_spinlock-to-a-mutex.patch create mode 100644 queue-5.4/usb-adutux-fix-debugging.patch create mode 100644 queue-5.4/usb-typec-tcpm-during-pr_swap-source-caps-should-be-.patch create mode 100644 queue-5.4/usb-xhci-omit-duplicate-actions-when-suspending-a-ru.patch create mode 100644 queue-5.4/video-fbdev-pvr2fb-initialize-variables.patch create mode 100644 queue-5.4/x86-unwind-orc-fix-inactive-tasks-with-stack-pointer.patch create mode 100644 queue-5.4/xfs-don-t-free-rt-blocks-when-we-re-doing-a-remap-bu.patch create mode 100644 queue-5.4/xfs-fix-realtime-bitmap-summary-file-truncation-when.patch 
diff --git a/queue-5.4/acpi-add-out-of-bounds-and-numa_off-protections-to-p.patch b/queue-5.4/acpi-add-out-of-bounds-and-numa_off-protections-to-p.patch
new file mode 100644
index 00000000000..c089336448a
--- /dev/null
+++ b/queue-5.4/acpi-add-out-of-bounds-and-numa_off-protections-to-p.patch
@@ -0,0 +1,42 @@
+From 7f81675cb76acecf7e890ce0b24eb8a969f95447 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 18 Aug 2020 22:24:25 +0800
+Subject: ACPI: Add out of bounds and numa_off protections to pxm_to_node()
+
+From: Jonathan Cameron
+
+[ Upstream commit 8a3decac087aa897df5af04358c2089e52e70ac4 ]
+
+The function should check the validity of the pxm value before using
+it to index the pxm_to_node_map[] array.
+
+Whilst hardening this code may be good in general, the main intent
+here is to enable following patches that use this function to replace
+acpi_map_pxm_to_node() for non SRAT usecases which should return
+NO_NUMA_NODE for PXM entries not matching with those in SRAT.
+
+Signed-off-by: Jonathan Cameron
+Reviewed-by: Barry Song
+Reviewed-by: Hanjun Guo
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+---
+ drivers/acpi/numa.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/acpi/numa.c b/drivers/acpi/numa.c
+index eadbf90e65d14..85e01752fbe47 100644
+--- a/drivers/acpi/numa.c
++++ b/drivers/acpi/numa.c
+@@ -31,7 +31,7 @@ int acpi_numa __initdata;
+
+ int pxm_to_node(int pxm)
+ {
+- if (pxm < 0)
++ if (pxm < 0 || pxm >= MAX_PXM_DOMAINS || numa_off)
+ return NUMA_NO_NODE;
+ return pxm_to_node_map[pxm];
+ }
+--
+2.27.0
+
diff --git a/queue-5.4/acpi-hmat-fix-handling-of-changes-from-acpi-6.2-to-a.patch b/queue-5.4/acpi-hmat-fix-handling-of-changes-from-acpi-6.2-to-a.patch
new file mode 100644
index 00000000000..1677b36d34c
--- /dev/null
+++ b/queue-5.4/acpi-hmat-fix-handling-of-changes-from-acpi-6.2-to-a.patch
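Review bot: The new guard in `pxm_to_node()` has no comment saying why the upper bound matters, and the commit text treats the hardening as a side effect. `pxm` is used directly as the index into `pxm_to_node_map[]`, so I would put `/* pxm indexes pxm_to_node_map[]; anything outside [0, MAX_PXM_DOMAINS) must not reach the lookup */` above the `if`. This assumes the array is sized by MAX_PXM_DOMAINS, which is declared outside the hunk. If numa.c has a reverse lookup into a sibling map, it is worth confirming that it range-checks its index the same way; none of it is visible here.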
@@ -0,0 +1,44 @@
+From 97b675a977d9882cbf3084a48b730088b6fbfaad Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 30 Sep 2020 22:05:45 +0800
+Subject: ACPI: HMAT: Fix handling of changes from ACPI 6.2 to ACPI 6.3
+
+From: Jonathan Cameron
+
+[ Upstream commit 2c5b9bde95c96942f2873cea6ef383c02800e4a8 ]
+
+In ACPI 6.3, the Memory Proximity Domain Attributes Structure
+changed substantially. One of those changes was that the flag
+for "Memory Proximity Domain field is valid" was deprecated.
+
+This was because the field "Proximity Domain for the Memory"
+became a required field and hence having a validity flag makes
+no sense.
+
+So the correct logic is to always assume the field is there.
+Current code assumes it never is.
+
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+---
+ drivers/acpi/hmat/hmat.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/acpi/hmat/hmat.c b/drivers/acpi/hmat/hmat.c
+index 8b0de8a3c6470..0f1c939b7e901 100644
+--- a/drivers/acpi/hmat/hmat.c
++++ b/drivers/acpi/hmat/hmat.c
+@@ -403,7 +403,8 @@ static int __init hmat_parse_proximity_domain(union acpi_subtable_headers *heade
+ pr_info("HMAT: Memory Flags:%04x Processor Domain:%d Memory Domain:%d\n",
+ p->flags, p->processor_PD, p->memory_PD);
+
+- if (p->flags & ACPI_HMAT_MEMORY_PD_VALID && hmat_revision == 1) {
++ if ((hmat_revision == 1 && p->flags & ACPI_HMAT_MEMORY_PD_VALID) ||
++ hmat_revision > 1) {
+ target = find_mem_target(p->memory_PD);
+ if (!target) {
+ pr_debug("HMAT: Memory Domain missing from SRAT\n");
+--
+2.27.0
+
diff --git a/queue-5.4/arc-dts-fix-the-errors-detected-by-dtbs_check.patch b/queue-5.4/arc-dts-fix-the-errors-detected-by-dtbs_check.patch
new file mode 100644
index 00000000000..5fb82ca96d3
--- /dev/null
+++ b/queue-5.4/arc-dts-fix-the-errors-detected-by-dtbs_check.patch
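Review bot: In the rewritten condition in `hmat_parse_proximity_domain()`, `hmat_revision == 1 && p->flags & ACPI_HMAT_MEMORY_PD_VALID` relies on `&` binding tighter than `&&`. It evaluates as intended, but explicit parentheses would make the flag test unmistakable: `if ((hmat_revision == 1 && (p->flags & ACPI_HMAT_MEMORY_PD_VALID)) ||`. With this change every table of revision above 1 has its firmware-supplied `p->memory_PD` treated as valid, so the `find_mem_target()` miss path that follows is the only check on that value. A short comment saying so would help the next reader; the rest of that branch lies outside the hunk.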
@@ -0,0 +1,95 @@
+From 7a46597c96319ca74a17e32cb4ec34b1ec6db93c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 24 Sep 2020 15:17:54 +0800
+Subject: ARC: [dts] fix the errors detected by dtbs_check
+
+From: Zhen Lei
+
+[ Upstream commit 05b1be68c4d6d76970025e6139bfd735c2256ee5 ]
+
+xxx/arc/boot/dts/axs101.dt.yaml: dw-apb-ictl@e0012000: $nodename:0: \
+'dw-apb-ictl@e0012000' does not match '^interrupt-controller(@[0-9a-f,]+)*$'
+ From schema: xxx/interrupt-controller/snps,dw-apb-ictl.yaml
+
+The node name of the interrupt controller must start with
+"interrupt-controller" instead of "dw-apb-ictl".
+
+Signed-off-by: Zhen Lei
+Signed-off-by: Vineet Gupta
+Signed-off-by: Sasha Levin
+---
+ arch/arc/boot/dts/axc001.dtsi | 2 +-
+ arch/arc/boot/dts/axc003.dtsi | 2 +-
+ arch/arc/boot/dts/axc003_idu.dtsi | 2 +-
+ arch/arc/boot/dts/vdk_axc003.dtsi | 2 +-
+ arch/arc/boot/dts/vdk_axc003_idu.dtsi | 2 +-
+ 5 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/arch/arc/boot/dts/axc001.dtsi b/arch/arc/boot/dts/axc001.dtsi
+index 6ec1fcdfc0d7f..92247288d0562 100644
+--- a/arch/arc/boot/dts/axc001.dtsi
++++ b/arch/arc/boot/dts/axc001.dtsi
+@@ -85,7 +85,7 @@
+ * avoid duplicating the MB dtsi file given that IRQ from
+ * this intc to cpu intc are different for axs101 and axs103
+ */
+- mb_intc: dw-apb-ictl@e0012000 {
++ mb_intc: interrupt-controller@e0012000 {
+ #interrupt-cells = <1>;
+ compatible = "snps,dw-apb-ictl";
+ reg = < 0x0 0xe0012000 0x0 0x200 >;
+diff --git a/arch/arc/boot/dts/axc003.dtsi b/arch/arc/boot/dts/axc003.dtsi
+index ac8e1b463a709..cd1edcf4f95ef 100644
+--- a/arch/arc/boot/dts/axc003.dtsi
++++ b/arch/arc/boot/dts/axc003.dtsi
+@@ -129,7 +129,7 @@
+ * avoid duplicating the MB dtsi file given that IRQ from
+ * this intc to cpu intc are different for axs101 and axs103
+ */
+- mb_intc: dw-apb-ictl@e0012000 {
++ mb_intc: interrupt-controller@e0012000 {
+ #interrupt-cells = <1>;
+ compatible = "snps,dw-apb-ictl";
+ reg = < 0x0 0xe0012000 0x0 0x200 >;
+diff --git a/arch/arc/boot/dts/axc003_idu.dtsi b/arch/arc/boot/dts/axc003_idu.dtsi
+index 9da21e7fd246f..70779386ca796 100644
+--- a/arch/arc/boot/dts/axc003_idu.dtsi
++++ b/arch/arc/boot/dts/axc003_idu.dtsi
+@@ -135,7 +135,7 @@
+ * avoid duplicating the MB dtsi file given that IRQ from
+ * this intc to cpu intc are different for axs101 and axs103
+ */
+- mb_intc: dw-apb-ictl@e0012000 {
++ mb_intc: interrupt-controller@e0012000 {
+ #interrupt-cells = <1>;
+ compatible = "snps,dw-apb-ictl";
+ reg = < 0x0 0xe0012000 0x0 0x200 >;
+diff --git a/arch/arc/boot/dts/vdk_axc003.dtsi b/arch/arc/boot/dts/vdk_axc003.dtsi
+index f8be7ba8dad49..c21d0eb07bf67 100644
+--- a/arch/arc/boot/dts/vdk_axc003.dtsi
++++ b/arch/arc/boot/dts/vdk_axc003.dtsi
+@@ -46,7 +46,7 @@
+
+ };
+
+- mb_intc: dw-apb-ictl@e0012000 {
++ mb_intc: interrupt-controller@e0012000 {
+ #interrupt-cells = <1>;
+ compatible = "snps,dw-apb-ictl";
+ reg = < 0xe0012000 0x200 >;
+diff --git a/arch/arc/boot/dts/vdk_axc003_idu.dtsi b/arch/arc/boot/dts/vdk_axc003_idu.dtsi
+index 0afa3e53a4e39..4d348853ac7c5 100644
+--- a/arch/arc/boot/dts/vdk_axc003_idu.dtsi
++++ b/arch/arc/boot/dts/vdk_axc003_idu.dtsi
+@@ -54,7 +54,7 @@
+
+ };
+
+- mb_intc: dw-apb-ictl@e0012000 {
++ mb_intc: interrupt-controller@e0012000 {
+ #interrupt-cells = <1>;
+ compatible = "snps,dw-apb-ictl";
+ reg = < 0xe0012000 0x200 >;
+--
+2.27.0
+
diff --git a/queue-5.4/arm-8997-2-hw_breakpoint-handle-inexact-watchpoint-a.patch b/queue-5.4/arm-8997-2-hw_breakpoint-handle-inexact-watchpoint-a.patch
new file mode 100644
index 00000000000..53848d2a73e
--- /dev/null
+++ b/queue-5.4/arm-8997-2-hw_breakpoint-handle-inexact-watchpoint-a.patch
@@ -0,0 +1,188 @@ +From 979df443bd55552f7ae9d57453e770fea7ec8e95 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Aug 2020 23:24:35 +0100 +Subject: ARM: 8997/2: hw_breakpoint: Handle inexact watchpoint addresses + +From: Douglas Anderson + +[ Upstream commit 22c9e58299e5f18274788ce54c03d4fb761e3c5d ] + +This is commit fdfeff0f9e3d ("arm64: hw_breakpoint: Handle inexact +watchpoint addresses") but ported to arm32, which has the same +problem. + +This problem was found by Android CTS tests, notably the +"watchpoint_imprecise" test [1]. I tested locally against a copycat +(simplified) version of the test though. + +[1] https://android.googlesource.com/platform/bionic/+/master/tests/sys_ptrace_test.cpp + +Link: https://lkml.kernel.org/r/20191019111216.1.I82eae759ca6dc28a245b043f485ca490e3015321@changeid + +Signed-off-by: Douglas Anderson +Reviewed-by: Matthias Kaehlcke +Acked-by: Will Deacon +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/kernel/hw_breakpoint.c | 100 +++++++++++++++++++++++--------- + 1 file changed, 72 insertions(+), 28 deletions(-) + +diff --git a/arch/arm/kernel/hw_breakpoint.c b/arch/arm/kernel/hw_breakpoint.c +index 5f95e4b911a0b..7021ef0b4e71b 100644 +--- a/arch/arm/kernel/hw_breakpoint.c ++++ b/arch/arm/kernel/hw_breakpoint.c +@@ -680,6 +680,40 @@ static void disable_single_step(struct perf_event *bp) + arch_install_hw_breakpoint(bp); + } + ++/* ++ * Arm32 hardware does not always report a watchpoint hit address that matches ++ * one of the watchpoints set. It can also report an address "near" the ++ * watchpoint if a single instruction access both watched and unwatched ++ * addresses. There is no straight-forward way, short of disassembling the ++ * offending instruction, to map that address back to the watchpoint. This ++ * function computes the distance of the memory access from the watchpoint as a ++ * heuristic for the likelyhood that a given access triggered the watchpoint. 
++ * ++ * See this same function in the arm64 platform code, which has the same ++ * problem. ++ * ++ * The function returns the distance of the address from the bytes watched by ++ * the watchpoint. In case of an exact match, it returns 0. ++ */ ++static u32 get_distance_from_watchpoint(unsigned long addr, u32 val, ++ struct arch_hw_breakpoint_ctrl *ctrl) ++{ ++ u32 wp_low, wp_high; ++ u32 lens, lene; ++ ++ lens = __ffs(ctrl->len); ++ lene = __fls(ctrl->len); ++ ++ wp_low = val + lens; ++ wp_high = val + lene; ++ if (addr < wp_low) ++ return wp_low - addr; ++ else if (addr > wp_high) ++ return addr - wp_high; ++ else ++ return 0; ++} ++ + static int watchpoint_fault_on_uaccess(struct pt_regs *regs, + struct arch_hw_breakpoint *info) + { +@@ -689,23 +723,25 @@ static int watchpoint_fault_on_uaccess(struct pt_regs *regs, + static void watchpoint_handler(unsigned long addr, unsigned int fsr, + struct pt_regs *regs) + { +- int i, access; +- u32 val, ctrl_reg, alignment_mask; ++ int i, access, closest_match = 0; ++ u32 min_dist = -1, dist; ++ u32 val, ctrl_reg; + struct perf_event *wp, **slots; + struct arch_hw_breakpoint *info; + struct arch_hw_breakpoint_ctrl ctrl; + + slots = this_cpu_ptr(wp_on_reg); + ++ /* ++ * Find all watchpoints that match the reported address. If no exact ++ * match is found. Attribute the hit to the closest watchpoint. ++ */ ++ rcu_read_lock(); + for (i = 0; i < core_num_wrps; ++i) { +- rcu_read_lock(); +- + wp = slots[i]; +- + if (wp == NULL) +- goto unlock; ++ continue; + +- info = counter_arch_bp(wp); + /* + * The DFAR is an unknown value on debug architectures prior + * to 7.1. 
Since we only allow a single watchpoint on these +@@ -714,33 +750,31 @@ static void watchpoint_handler(unsigned long addr, unsigned int fsr, + */ + if (debug_arch < ARM_DEBUG_ARCH_V7_1) { + BUG_ON(i > 0); ++ info = counter_arch_bp(wp); + info->trigger = wp->attr.bp_addr; + } else { +- if (info->ctrl.len == ARM_BREAKPOINT_LEN_8) +- alignment_mask = 0x7; +- else +- alignment_mask = 0x3; +- +- /* Check if the watchpoint value matches. */ +- val = read_wb_reg(ARM_BASE_WVR + i); +- if (val != (addr & ~alignment_mask)) +- goto unlock; +- +- /* Possible match, check the byte address select. */ +- ctrl_reg = read_wb_reg(ARM_BASE_WCR + i); +- decode_ctrl_reg(ctrl_reg, &ctrl); +- if (!((1 << (addr & alignment_mask)) & ctrl.len)) +- goto unlock; +- + /* Check that the access type matches. */ + if (debug_exception_updates_fsr()) { + access = (fsr & ARM_FSR_ACCESS_MASK) ? + HW_BREAKPOINT_W : HW_BREAKPOINT_R; + if (!(access & hw_breakpoint_type(wp))) +- goto unlock; ++ continue; + } + ++ val = read_wb_reg(ARM_BASE_WVR + i); ++ ctrl_reg = read_wb_reg(ARM_BASE_WCR + i); ++ decode_ctrl_reg(ctrl_reg, &ctrl); ++ dist = get_distance_from_watchpoint(addr, val, &ctrl); ++ if (dist < min_dist) { ++ min_dist = dist; ++ closest_match = i; ++ } ++ /* Is this an exact match? */ ++ if (dist != 0) ++ continue; ++ + /* We have a winner. */ ++ info = counter_arch_bp(wp); + info->trigger = addr; + } + +@@ -762,13 +796,23 @@ static void watchpoint_handler(unsigned long addr, unsigned int fsr, + * we can single-step over the watchpoint trigger. + */ + if (!is_default_overflow_handler(wp)) +- goto unlock; +- ++ continue; + step: + enable_single_step(wp, instruction_pointer(regs)); +-unlock: +- rcu_read_unlock(); + } ++ ++ if (min_dist > 0 && min_dist != -1) { ++ /* No exact match found. 
*/ ++ wp = slots[closest_match]; ++ info = counter_arch_bp(wp); ++ info->trigger = addr; ++ pr_debug("watchpoint fired: address = 0x%x\n", info->trigger); ++ perf_bp_event(wp, regs); ++ if (is_default_overflow_handler(wp)) ++ enable_single_step(wp, instruction_pointer(regs)); ++ } ++ ++ rcu_read_unlock(); + } + + static void watchpoint_single_step_handler(unsigned long pc) +-- +2.27.0 + diff --git a/queue-5.4/arm-dts-omap4-fix-sgx-clock-rate-for-4430.patch b/queue-5.4/arm-dts-omap4-fix-sgx-clock-rate-for-4430.patch new file mode 100644 index 00000000000..1ed5438cae2 --- /dev/null +++ b/queue-5.4/arm-dts-omap4-fix-sgx-clock-rate-for-4430.patch 
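Review bot: `get_distance_from_watchpoint()` calls `__ffs(ctrl->len)` and `__fls(ctrl->len)` without checking that `len` is non-zero, and both helpers are undefined for a zero argument. `ctrl` is decoded from the WCR value read in `watchpoint_handler()`, so the byte-select is presumably non-zero for every installed slot. The helper should either say so in its comment or guard it with `if (!ctrl->len) return U32_MAX;`, which the caller's `dist < min_dist` test would then skip. Separately, `u32 min_dist = -1` and the later `min_dist != -1` would read more clearly as `U32_MAX`. The edits to `watchpoint_handler()` are spread over three hunks of the inner patch, and the function begins and ends outside them.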
@@ -0,0 +1,70 @@ +From 3e45ce8472968adc2dce04f2a64bdf2146424de0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2020 14:02:48 -0700 +Subject: ARM: dts: omap4: Fix sgx clock rate for 4430 + +From: Tony Lindgren + +[ Upstream commit 19d3e9a0bdd57b90175f30390edeb06851f5f9f3 ] + +We currently have a different clock rate for droid4 compared to the +stock v3.0.8 based Android Linux kernel: + +# cat /sys/kernel/debug/clk/dpll_*_m7x2_ck/clk_rate +266666667 +307200000 +# cat /sys/kernel/debug/clk/l3_gfx_cm:clk:0000:0/clk_rate +307200000 + +Let's fix this by configuring sgx to use 153.6 MHz instead of 307.2 MHz. +Looks like also at least duover needs this change to avoid hangs, so +let's apply it for all 4430. + +This helps a bit with thermal issues that seem to be related to memory +corruption when using sgx. It seems that other driver related issues +still remain though. + +Cc: Arthur Demchenkov +Cc: Merlijn Wajer +Cc: Sebastian Reichel +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/omap4.dtsi | 2 +- + arch/arm/boot/dts/omap443x.dtsi | 10 ++++++++++ + 2 files changed, 11 insertions(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/omap4.dtsi b/arch/arm/boot/dts/omap4.dtsi +index e5506ab669fc6..904852006b9b1 100644 +--- a/arch/arm/boot/dts/omap4.dtsi ++++ b/arch/arm/boot/dts/omap4.dtsi +@@ -328,7 +328,7 @@ + status = "disabled"; + }; + +- target-module@56000000 { ++ sgx_module: target-module@56000000 { + compatible = "ti,sysc-omap4", "ti,sysc"; + reg = <0x5600fe00 0x4>, + <0x5600fe10 0x4>; +diff --git a/arch/arm/boot/dts/omap443x.dtsi b/arch/arm/boot/dts/omap443x.dtsi +index cbcdcb4e7d1c2..86b9caf461dfa 100644 +--- a/arch/arm/boot/dts/omap443x.dtsi ++++ b/arch/arm/boot/dts/omap443x.dtsi +@@ -74,3 +74,13 @@ + }; + + /include/ "omap443x-clocks.dtsi" ++ ++/* ++ * Use dpll_per for sgx at 153.6MHz like droid4 stock v3.0.8 Android kernel ++ */ ++&sgx_module { ++ assigned-clocks = <&l3_gfx_clkctrl OMAP4_GPU_CLKCTRL 24>, ++ 
<&dpll_per_m7x2_ck>; ++ assigned-clock-rates = <0>, <153600000>; ++ assigned-clock-parents = <&dpll_per_m7x2_ck>; ++}; +-- +2.27.0 + diff --git a/queue-5.4/arm-dts-s5pv210-move-fixed-clocks-under-root-node.patch b/queue-5.4/arm-dts-s5pv210-move-fixed-clocks-under-root-node.patch new file mode 100644 index 00000000000..23de4e63bcd --- /dev/null +++ b/queue-5.4/arm-dts-s5pv210-move-fixed-clocks-under-root-node.patch 
@@ -0,0 +1,85 @@ +From 4100f8eb87df7172b1542fea54fe9c2e8976c8a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Sep 2020 18:11:22 +0200 +Subject: ARM: dts: s5pv210: move fixed clocks under root node + +From: Krzysztof Kozlowski + +[ Upstream commit d38cae370e5f2094cbc38db3082b8e9509ae52ce ] + +The fixed clocks are kept under dedicated 'external-clocks' node, thus a +fake 'reg' was added. This is not correct with dtschema as fixed-clock +binding does not have a 'reg' property. Moving fixed clocks out of +'soc' to root node fixes multiple dtbs_check warnings: + + external-clocks: $nodename:0: 'external-clocks' does not match '^([a-z][a-z0-9\\-]+-bus|bus|soc|axi|ahb|apb)(@[0-9a-f]+)?$' + external-clocks: #size-cells:0:0: 0 is not one of [1, 2] + external-clocks: oscillator@0:reg:0: [0] is too short + external-clocks: oscillator@1:reg:0: [1] is too short + external-clocks: 'ranges' is a required property + oscillator@0: 'reg' does not match any of the regexes: 'pinctrl-[0-9]+' + +Signed-off-by: Krzysztof Kozlowski +Tested-by: Jonathan Bakker +Link: https://lore.kernel.org/r/20200907161141.31034-7-krzk@kernel.org +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/s5pv210.dtsi | 36 +++++++++++++--------------------- + 1 file changed, 14 insertions(+), 22 deletions(-) + +diff --git a/arch/arm/boot/dts/s5pv210.dtsi b/arch/arm/boot/dts/s5pv210.dtsi +index 8b194da334a5c..ec41e46edaced 100644 +--- a/arch/arm/boot/dts/s5pv210.dtsi ++++ b/arch/arm/boot/dts/s5pv210.dtsi +@@ -52,34 +52,26 @@ + }; + }; + ++ xxti: oscillator-0 { ++ compatible = "fixed-clock"; ++ clock-frequency = <0>; ++ clock-output-names = "xxti"; ++ #clock-cells = <0>; ++ }; ++ ++ xusbxti: oscillator-1 { ++ compatible = "fixed-clock"; ++ clock-frequency = <0>; ++ clock-output-names = "xusbxti"; ++ #clock-cells = <0>; ++ }; ++ + soc { + compatible = "simple-bus"; + #address-cells = <1>; + #size-cells = <1>; + ranges; + +- external-clocks { +- compatible = "simple-bus"; +- #address-cells = <1>; +- 
#size-cells = <0>; +- +- xxti: oscillator@0 { +- compatible = "fixed-clock"; +- reg = <0>; +- clock-frequency = <0>; +- clock-output-names = "xxti"; +- #clock-cells = <0>; +- }; +- +- xusbxti: oscillator@1 { +- compatible = "fixed-clock"; +- reg = <1>; +- clock-frequency = <0>; +- clock-output-names = "xusbxti"; +- #clock-cells = <0>; +- }; +- }; +- + onenand: onenand@b0600000 { + compatible = "samsung,s5pv210-onenand"; + reg = <0xb0600000 0x2000>, +-- +2.27.0 + diff --git a/queue-5.4/arm-dts-s5pv210-move-pmu-node-out-of-clock-controlle.patch b/queue-5.4/arm-dts-s5pv210-move-pmu-node-out-of-clock-controlle.patch new file mode 100644 index 00000000000..13c81387bf2 --- /dev/null +++ b/queue-5.4/arm-dts-s5pv210-move-pmu-node-out-of-clock-controlle.patch 
@@ -0,0 +1,57 @@ +From 5e68ea6a3b27267db1e074c4081d538e79a355d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Sep 2020 18:11:23 +0200 +Subject: ARM: dts: s5pv210: move PMU node out of clock controller + +From: Krzysztof Kozlowski + +[ Upstream commit bb98fff84ad1ea321823759edaba573a16fa02bd ] + +The Power Management Unit (PMU) is a separate device which has little +common with clock controller. Moving it to one level up (from clock +controller child to SoC) allows to remove fake simple-bus compatible and +dtbs_check warnings like: + + clock-controller@e0100000: $nodename:0: + 'clock-controller@e0100000' does not match '^([a-z][a-z0-9\\-]+-bus|bus|soc|axi|ahb|apb)(@[0-9a-f]+)?$' + +Signed-off-by: Krzysztof Kozlowski +Tested-by: Jonathan Bakker +Link: https://lore.kernel.org/r/20200907161141.31034-8-krzk@kernel.org +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/s5pv210.dtsi | 13 +++++-------- + 1 file changed, 5 insertions(+), 8 deletions(-) + +diff --git a/arch/arm/boot/dts/s5pv210.dtsi b/arch/arm/boot/dts/s5pv210.dtsi +index ec41e46edaced..f10139bd80a53 100644 +--- a/arch/arm/boot/dts/s5pv210.dtsi ++++ b/arch/arm/boot/dts/s5pv210.dtsi +@@ -92,19 +92,16 @@ + }; + + clocks: clock-controller@e0100000 { +- compatible = "samsung,s5pv210-clock", "simple-bus"; ++ compatible = "samsung,s5pv210-clock"; + reg = <0xe0100000 0x10000>; + clock-names = "xxti", "xusbxti"; + clocks = <&xxti>, <&xusbxti>; + #clock-cells = <1>; +- #address-cells = <1>; +- #size-cells = <1>; +- ranges; ++ }; + +- pmu_syscon: syscon@e0108000 { +- compatible = "samsung-s5pv210-pmu", "syscon"; +- reg = <0xe0108000 0x8000>; +- }; ++ pmu_syscon: syscon@e0108000 { ++ compatible = "samsung-s5pv210-pmu", "syscon"; ++ reg = <0xe0108000 0x8000>; + }; + + pinctrl0: pinctrl@e0200000 { +-- +2.27.0 + 
diff --git a/queue-5.4/arm-dts-s5pv210-remove-dedicated-audio-subsystem-nod.patch b/queue-5.4/arm-dts-s5pv210-remove-dedicated-audio-subsystem-nod.patch new file mode 100644 index 00000000000..fd873f94301 --- /dev/null +++ b/queue-5.4/arm-dts-s5pv210-remove-dedicated-audio-subsystem-nod.patch 
@@ -0,0 +1,106 @@ +From d15ea4719d490161a99cedf2569409e89679408e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Sep 2020 18:11:24 +0200 +Subject: ARM: dts: s5pv210: remove dedicated 'audio-subsystem' node + +From: Krzysztof Kozlowski + +[ Upstream commit 6c17a2974abf68a58517f75741b15c4aba42b4b8 ] + +The 'audio-subsystem' node is an artificial creation, not representing +real hardware. The hardware is described by its nodes - AUDSS clock +controller and I2S0. + +Remove the 'audio-subsystem' node along with its undocumented compatible +to fix dtbs_check warnings like: + + audio-subsystem: $nodename:0: 'audio-subsystem' does not match '^([a-z][a-z0-9\\-]+-bus|bus|soc|axi|ahb|apb)(@[0-9a-f]+)?$' + +Signed-off-by: Krzysztof Kozlowski +Tested-by: Jonathan Bakker +Link: https://lore.kernel.org/r/20200907161141.31034-9-krzk@kernel.org +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/s5pv210.dtsi | 65 +++++++++++++++------------------- + 1 file changed, 29 insertions(+), 36 deletions(-) + +diff --git a/arch/arm/boot/dts/s5pv210.dtsi b/arch/arm/boot/dts/s5pv210.dtsi +index f10139bd80a53..61822afa30ab3 100644 +--- a/arch/arm/boot/dts/s5pv210.dtsi ++++ b/arch/arm/boot/dts/s5pv210.dtsi +@@ -211,43 +211,36 @@ + status = "disabled"; + }; + +- audio-subsystem { +- compatible = "samsung,s5pv210-audss", "simple-bus"; +- #address-cells = <1>; +- #size-cells = <1>; +- ranges; +- +- clk_audss: clock-controller@eee10000 { +- compatible = "samsung,s5pv210-audss-clock"; +- reg = <0xeee10000 0x1000>; +- clock-names = "hclk", "xxti", +- "fout_epll", +- "sclk_audio0"; +- clocks = <&clocks DOUT_HCLKP>, <&xxti>, +- <&clocks FOUT_EPLL>, +- <&clocks SCLK_AUDIO0>; +- #clock-cells = <1>; +- }; ++ clk_audss: clock-controller@eee10000 { ++ compatible = "samsung,s5pv210-audss-clock"; ++ reg = <0xeee10000 0x1000>; ++ clock-names = "hclk", "xxti", ++ "fout_epll", ++ "sclk_audio0"; ++ clocks = <&clocks DOUT_HCLKP>, <&xxti>, ++ <&clocks FOUT_EPLL>, ++ <&clocks SCLK_AUDIO0>; ++ #clock-cells 
= <1>; ++ }; + +- i2s0: i2s@eee30000 { +- compatible = "samsung,s5pv210-i2s"; +- reg = <0xeee30000 0x1000>; +- interrupt-parent = <&vic2>; +- interrupts = <16>; +- dma-names = "rx", "tx", "tx-sec"; +- dmas = <&pdma1 9>, <&pdma1 10>, <&pdma1 11>; +- clock-names = "iis", +- "i2s_opclk0", +- "i2s_opclk1"; +- clocks = <&clk_audss CLK_I2S>, +- <&clk_audss CLK_I2S>, +- <&clk_audss CLK_DOUT_AUD_BUS>; +- samsung,idma-addr = <0xc0010000>; +- pinctrl-names = "default"; +- pinctrl-0 = <&i2s0_bus>; +- #sound-dai-cells = <0>; +- status = "disabled"; +- }; ++ i2s0: i2s@eee30000 { ++ compatible = "samsung,s5pv210-i2s"; ++ reg = <0xeee30000 0x1000>; ++ interrupt-parent = <&vic2>; ++ interrupts = <16>; ++ dma-names = "rx", "tx", "tx-sec"; ++ dmas = <&pdma1 9>, <&pdma1 10>, <&pdma1 11>; ++ clock-names = "iis", ++ "i2s_opclk0", ++ "i2s_opclk1"; ++ clocks = <&clk_audss CLK_I2S>, ++ <&clk_audss CLK_I2S>, ++ <&clk_audss CLK_DOUT_AUD_BUS>; ++ samsung,idma-addr = <0xc0010000>; ++ pinctrl-names = "default"; ++ pinctrl-0 = <&i2s0_bus>; ++ #sound-dai-cells = <0>; ++ status = "disabled"; + }; + + i2s1: i2s@e2100000 { +-- +2.27.0 + diff --git a/queue-5.4/arm-dts-s5pv210-remove-dma-controller-bus-node-name-.patch b/queue-5.4/arm-dts-s5pv210-remove-dma-controller-bus-node-name-.patch new file mode 100644 index 00000000000..f6b14da5a81 --- /dev/null +++ b/queue-5.4/arm-dts-s5pv210-remove-dma-controller-bus-node-name-.patch 
@@ -0,0 +1,87 @@ +From edc1fe1512b2e0e6557a71bd231622d16aebe4e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Sep 2020 18:11:21 +0200 +Subject: ARM: dts: s5pv210: remove DMA controller bus node name to fix + dtschema warnings + +From: Krzysztof Kozlowski + +[ Upstream commit ea4e792f3c8931fffec4d700cf6197d84e9f35a6 ] + +There is no need to keep DMA controller nodes under AMBA bus node. +Remove the "amba" node to fix dtschema warnings like: + + amba: $nodename:0: 'amba' does not match '^([a-z][a-z0-9\\-]+-bus|bus|soc|axi|ahb|apb)(@[0-9a-f]+)?$' + +Signed-off-by: Krzysztof Kozlowski +Tested-by: Jonathan Bakker +Link: https://lore.kernel.org/r/20200907161141.31034-6-krzk@kernel.org +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/s5pv210.dtsi | 49 +++++++++++++++------------------- + 1 file changed, 21 insertions(+), 28 deletions(-) + +diff --git a/arch/arm/boot/dts/s5pv210.dtsi b/arch/arm/boot/dts/s5pv210.dtsi +index 2ad642f51fd92..8b194da334a5c 100644 +--- a/arch/arm/boot/dts/s5pv210.dtsi ++++ b/arch/arm/boot/dts/s5pv210.dtsi +@@ -128,35 +128,28 @@ + }; + }; + +- amba { +- #address-cells = <1>; +- #size-cells = <1>; +- compatible = "simple-bus"; +- ranges; +- +- pdma0: dma@e0900000 { +- compatible = "arm,pl330", "arm,primecell"; +- reg = <0xe0900000 0x1000>; +- interrupt-parent = <&vic0>; +- interrupts = <19>; +- clocks = <&clocks CLK_PDMA0>; +- clock-names = "apb_pclk"; +- #dma-cells = <1>; +- #dma-channels = <8>; +- #dma-requests = <32>; +- }; ++ pdma0: dma@e0900000 { ++ compatible = "arm,pl330", "arm,primecell"; ++ reg = <0xe0900000 0x1000>; ++ interrupt-parent = <&vic0>; ++ interrupts = <19>; ++ clocks = <&clocks CLK_PDMA0>; ++ clock-names = "apb_pclk"; ++ #dma-cells = <1>; ++ #dma-channels = <8>; ++ #dma-requests = <32>; ++ }; + +- pdma1: dma@e0a00000 { +- compatible = "arm,pl330", "arm,primecell"; +- reg = <0xe0a00000 0x1000>; +- interrupt-parent = <&vic0>; +- interrupts = <20>; +- clocks = <&clocks CLK_PDMA1>; +- clock-names = "apb_pclk"; +- 
#dma-cells = <1>; +- #dma-channels = <8>; +- #dma-requests = <32>; +- }; ++ pdma1: dma@e0a00000 { ++ compatible = "arm,pl330", "arm,primecell"; ++ reg = <0xe0a00000 0x1000>; ++ interrupt-parent = <&vic0>; ++ interrupts = <20>; ++ clocks = <&clocks CLK_PDMA1>; ++ clock-names = "apb_pclk"; ++ #dma-cells = <1>; ++ #dma-channels = <8>; ++ #dma-requests = <32>; + }; + + spi0: spi@e1300000 { +-- +2.27.0 + diff --git a/queue-5.4/arm64-dts-renesas-ulcb-add-full-pwr-cycle-in-suspend.patch b/queue-5.4/arm64-dts-renesas-ulcb-add-full-pwr-cycle-in-suspend.patch new file mode 100644 index 00000000000..21ffcafdc8a --- /dev/null +++ b/queue-5.4/arm64-dts-renesas-ulcb-add-full-pwr-cycle-in-suspend.patch @@ -0,0 +1,36 @@ +From bb56c5e4201d8f2db643069c6a0725957351986c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Jul 2020 21:33:21 +0900 +Subject: arm64: dts: renesas: ulcb: add full-pwr-cycle-in-suspend into eMMC + nodes + +From: Yoshihiro Shimoda + +[ Upstream commit 992d7a8b88c83c05664b649fc54501ce58e19132 ] + +Add full-pwr-cycle-in-suspend property to do a graceful shutdown of +the eMMC device in system suspend. + +Signed-off-by: Yoshihiro Shimoda +Link: https://lore.kernel.org/r/1594989201-24228-1-git-send-email-yoshihiro.shimoda.uh@renesas.com +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/renesas/ulcb.dtsi | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/boot/dts/renesas/ulcb.dtsi b/arch/arm64/boot/dts/renesas/ulcb.dtsi +index 3ef89171538ff..d8fccf3d4987a 100644 +--- a/arch/arm64/boot/dts/renesas/ulcb.dtsi ++++ b/arch/arm64/boot/dts/renesas/ulcb.dtsi +@@ -470,6 +470,7 @@ + mmc-hs200-1_8v; + mmc-hs400-1_8v; + non-removable; ++ full-pwr-cycle-in-suspend; + status = "okay"; + }; + +-- +2.27.0 + diff --git a/queue-5.4/arm64-mm-return-cpu_all_mask-when-node-is-numa_no_no.patch b/queue-5.4/arm64-mm-return-cpu_all_mask-when-node-is-numa_no_no.patch new file mode 100644 index 00000000000..2214a0519dc --- /dev/null 
+++ b/queue-5.4/arm64-mm-return-cpu_all_mask-when-node-is-numa_no_no.patch 
@@ -0,0 +1,61 @@
+From f2bcda910e3167b7512128b1af597f439db69fc6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 21 Sep 2020 10:39:36 +0800
+Subject: arm64/mm: return cpu_all_mask when node is NUMA_NO_NODE
+
+From: Zhengyuan Liu
+
+[ Upstream commit a194c5f2d2b3a05428805146afcabe5140b5d378 ]
+
+The @node passed to cpumask_of_node() can be NUMA_NO_NODE, in that
+case it will trigger the following WARN_ON(node >= nr_node_ids) due to
+mismatched data types of @node and @nr_node_ids. Actually we should
+return cpu_all_mask just like most other architectures do if passed
+NUMA_NO_NODE.
+
+Also add a similar check to the inline cpumask_of_node() in numa.h.
+
+Signed-off-by: Zhengyuan Liu
+Reviewed-by: Gavin Shan
+Link: https://lore.kernel.org/r/20200921023936.21846-1-liuzhengyuan@tj.kylinos.cn
+Signed-off-by: Will Deacon
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/include/asm/numa.h | 3 +++
+ arch/arm64/mm/numa.c | 6 +++++-
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm64/include/asm/numa.h b/arch/arm64/include/asm/numa.h
+index 626ad01e83bf0..dd870390d639f 100644
+--- a/arch/arm64/include/asm/numa.h
++++ b/arch/arm64/include/asm/numa.h
+@@ -25,6 +25,9 @@ const struct cpumask *cpumask_of_node(int node);
+ /* Returns a pointer to the cpumask of CPUs on Node 'node'. */
+ static inline const struct cpumask *cpumask_of_node(int node)
+ {
++ if (node == NUMA_NO_NODE)
++ return cpu_all_mask;
++
+ return node_to_cpumask_map[node];
+ }
+ #endif
+diff --git a/arch/arm64/mm/numa.c b/arch/arm64/mm/numa.c
+index 4decf16597008..53ebb4babf3a7 100644
+--- a/arch/arm64/mm/numa.c
++++ b/arch/arm64/mm/numa.c
+@@ -46,7 +46,11 @@ EXPORT_SYMBOL(node_to_cpumask_map);
+ */
+ const struct cpumask *cpumask_of_node(int node)
+ {
+- if (WARN_ON(node >= nr_node_ids))
++
++ if (node == NUMA_NO_NODE)
++ return cpu_all_mask;
++
++ if (WARN_ON(node < 0 || node >= nr_node_ids))
+ return cpu_none_mask;
+
+ if (WARN_ON(node_to_cpumask_map[node] == NULL))
+--
+2.27.0
+
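Review bot: The inline `cpumask_of_node()` in numa.h now special-cases `NUMA_NO_NODE` but still indexes `node_to_cpumask_map[node]` with no range check, so any other negative or too-large node id reads outside the array; only the out-of-line version in numa.c got the `node < 0 || node >= nr_node_ids` guard. If that asymmetry is intentional (the preprocessor condition that selects between the two variants is outside the hunk), a comment above the inline such as `/* Caller must pass NUMA_NO_NODE or a valid node id; no range check here. */` would make the contract explicit. Separately, the numa.c hunk leaves an empty added line directly after the opening `{`, which is worth dropping.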
diff --git a/queue-5.4/arm64-topology-stop-using-mpidr-for-topology-informa.patch b/queue-5.4/arm64-topology-stop-using-mpidr-for-topology-informa.patch new file mode 100644 index 00000000000..7b664f9232a --- /dev/null +++ b/queue-5.4/arm64-topology-stop-using-mpidr-for-topology-informa.patch 
@@ -0,0 +1,138 @@ +From 19548ab894b1e9b50761030f68520dddf958e64e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 29 Aug 2020 14:00:16 +0100 +Subject: arm64: topology: Stop using MPIDR for topology information + +From: Valentin Schneider + +[ Upstream commit 3102bc0e6ac752cc5df896acb557d779af4d82a1 ] + +In the absence of ACPI or DT topology data, we fallback to haphazardly +decoding *something* out of MPIDR. Sadly, the contents of that register are +mostly unusable due to the implementation leniancy and things like Aff0 +having to be capped to 15 (despite being encoded on 8 bits). + +Consider a simple system with a single package of 32 cores, all under the +same LLC. We ought to be shoving them in the same core_sibling mask, but +MPIDR is going to look like: + + | CPU | 0 | ... | 15 | 16 | ... | 31 | + |------+---+-----+----+----+-----+----+ + | Aff0 | 0 | ... | 15 | 0 | ... | 15 | + | Aff1 | 0 | ... | 0 | 1 | ... | 1 | + | Aff2 | 0 | ... | 0 | 0 | ... | 0 | + +Which will eventually yield + + core_sibling(0-15) == 0-15 + core_sibling(16-31) == 16-31 + +NUMA woes +========= + +If we try to play games with this and set up NUMA boundaries within those +groups of 16 cores via e.g. QEMU: + + # Node0: 0-9; Node1: 10-19 + $ qemu-system-aarch64 \ + -smp 20 -numa node,cpus=0-9,nodeid=0 -numa node,cpus=10-19,nodeid=1 + +The scheduler's MC domain (all CPUs with same LLC) is going to be built via + + arch_topology.c::cpu_coregroup_mask() + +In there we try to figure out a sensible mask out of the topology +information we have. In short, here we'll pick the smallest of NUMA or +core sibling mask. + + node_mask(CPU9) == 0-9 + core_sibling(CPU9) == 0-15 + +MC mask for CPU9 will thus be 0-9, not a problem. + + node_mask(CPU10) == 10-19 + core_sibling(CPU10) == 0-15 + +MC mask for CPU10 will thus be 10-19, not a problem. + + node_mask(CPU16) == 10-19 + core_sibling(CPU16) == 16-19 + +MC mask for CPU16 will thus be 16-19... Uh oh. 
CPUs 16-19 are in two +different unique MC spans, and the scheduler has no idea what to make of +that. That triggers the WARN_ON() added by commit + + ccf74128d66c ("sched/topology: Assert non-NUMA topology masks don't (partially) overlap") + +Fixing MPIDR-derived topology +============================= + +We could try to come up with some cleverer scheme to figure out which of +the available masks to pick, but really if one of those masks resulted from +MPIDR then it should be discarded because it's bound to be bogus. + +I was hoping to give MPIDR a chance for SMT, to figure out which threads are +in the same core using Aff1-3 as core ID, but Sudeep and Robin pointed out +to me that there are systems out there where *all* cores have non-zero +values in their higher affinity fields (e.g. RK3288 has "5" in all of its +cores' MPIDR.Aff1), which would expose a bogus core ID to userspace. + +Stop using MPIDR for topology information. When no other source of topology +information is available, mark each CPU as its own core and its NUMA node +as its LLC domain. + +Signed-off-by: Valentin Schneider +Reviewed-by: Sudeep Holla +Link: https://lore.kernel.org/r/20200829130016.26106-1-valentin.schneider@arm.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/topology.c | 32 +++++++++++++++++--------------- + 1 file changed, 17 insertions(+), 15 deletions(-) + +diff --git a/arch/arm64/kernel/topology.c b/arch/arm64/kernel/topology.c +index fa9528dfd0ce3..113903db666c0 100644 +--- a/arch/arm64/kernel/topology.c ++++ b/arch/arm64/kernel/topology.c +@@ -35,21 +35,23 @@ void store_cpu_topology(unsigned int cpuid) + if (mpidr & MPIDR_UP_BITMASK) + return; + +- /* Create cpu topology mapping based on MPIDR. 
*/ +- if (mpidr & MPIDR_MT_BITMASK) { +- /* Multiprocessor system : Multi-threads per core */ +- cpuid_topo->thread_id = MPIDR_AFFINITY_LEVEL(mpidr, 0); +- cpuid_topo->core_id = MPIDR_AFFINITY_LEVEL(mpidr, 1); +- cpuid_topo->package_id = MPIDR_AFFINITY_LEVEL(mpidr, 2) | +- MPIDR_AFFINITY_LEVEL(mpidr, 3) << 8; +- } else { +- /* Multiprocessor system : Single-thread per core */ +- cpuid_topo->thread_id = -1; +- cpuid_topo->core_id = MPIDR_AFFINITY_LEVEL(mpidr, 0); +- cpuid_topo->package_id = MPIDR_AFFINITY_LEVEL(mpidr, 1) | +- MPIDR_AFFINITY_LEVEL(mpidr, 2) << 8 | +- MPIDR_AFFINITY_LEVEL(mpidr, 3) << 16; +- } ++ /* ++ * This would be the place to create cpu topology based on MPIDR. ++ * ++ * However, it cannot be trusted to depict the actual topology; some ++ * pieces of the architecture enforce an artificial cap on Aff0 values ++ * (e.g. GICv3's ICC_SGI1R_EL1 limits it to 15), leading to an ++ * artificial cycling of Aff1, Aff2 and Aff3 values. IOW, these end up ++ * having absolutely no relationship to the actual underlying system ++ * topology, and cannot be reasonably used as core / package ID. ++ * ++ * If the MT bit is set, Aff0 *could* be used to define a thread ID, but ++ * we still wouldn't be able to obtain a sane core ID. This means we ++ * need to entirely ignore MPIDR for any topology deduction. ++ */ ++ cpuid_topo->thread_id = -1; ++ cpuid_topo->core_id = cpuid; ++ cpuid_topo->package_id = cpu_to_node(cpuid); + + pr_debug("CPU%u: cluster %d core %d thread %d mpidr %#016llx\n", + cpuid, cpuid_topo->package_id, cpuid_topo->core_id, +-- +2.27.0 + diff --git a/queue-5.4/asm-generic-io.h-fix-config_generic_iomap-pci_iounma.patch b/queue-5.4/asm-generic-io.h-fix-config_generic_iomap-pci_iounma.patch new file mode 100644 index 00000000000..5eed3d5bea8 --- /dev/null +++ b/queue-5.4/asm-generic-io.h-fix-config_generic_iomap-pci_iounma.patch 
@@ -0,0 +1,114 @@ +From e81ac1dbc3f674964e03a9e15e8019b47c6eb554 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Sep 2020 12:06:58 +0100 +Subject: asm-generic/io.h: Fix !CONFIG_GENERIC_IOMAP pci_iounmap() + implementation + +From: Lorenzo Pieralisi + +[ Upstream commit f5810e5c329238b8553ebd98b914bdbefd8e6737 ] + +For arches that do not select CONFIG_GENERIC_IOMAP, the current +pci_iounmap() function does nothing causing obvious memory leaks +for mapped regions that are backed by MMIO physical space. + +In order to detect if a mapped pointer is IO vs MMIO, a check must made +available to the pci_iounmap() function so that it can actually detect +whether the pointer has to be unmapped. + +In configurations where CONFIG_HAS_IOPORT_MAP && !CONFIG_GENERIC_IOMAP, +a mapped port is detected using an ioport_map() stub defined in +asm-generic/io.h. + +Use the same logic to implement a stub (ie __pci_ioport_unmap()) that +detects if the passed in pointer in pci_iounmap() is IO vs MMIO to +iounmap conditionally and call it in pci_iounmap() fixing the issue. + +Leave __pci_ioport_unmap() as a NOP for all other config options. 
+ +Tested-by: George Cherian +Link: https://lore.kernel.org/lkml/20200905024811.74701-1-yangyingliang@huawei.com +Link: https://lore.kernel.org/lkml/20200824132046.3114383-1-george.cherian@marvell.com +Link: https://lore.kernel.org/r/a9daf8d8444d0ebd00bc6d64e336ec49dbb50784.1600254147.git.lorenzo.pieralisi@arm.com +Reported-by: George Cherian +Signed-off-by: Lorenzo Pieralisi +Signed-off-by: Lorenzo Pieralisi +Reviewed-by: Catalin Marinas +Cc: Arnd Bergmann +Cc: George Cherian +Cc: Will Deacon +Cc: Bjorn Helgaas +Cc: Catalin Marinas +Cc: Yang Yingliang +Signed-off-by: Sasha Levin +--- + include/asm-generic/io.h | 39 +++++++++++++++++++++++++++------------ + 1 file changed, 27 insertions(+), 12 deletions(-) + +diff --git a/include/asm-generic/io.h b/include/asm-generic/io.h +index d02806513670c..5e6c4f375e0c3 100644 +--- a/include/asm-generic/io.h ++++ b/include/asm-generic/io.h +@@ -887,18 +887,6 @@ static inline void iowrite64_rep(volatile void __iomem *addr, + #include + #define __io_virt(x) ((void __force *)(x)) + +-#ifndef CONFIG_GENERIC_IOMAP +-struct pci_dev; +-extern void __iomem *pci_iomap(struct pci_dev *dev, int bar, unsigned long max); +- +-#ifndef pci_iounmap +-#define pci_iounmap pci_iounmap +-static inline void pci_iounmap(struct pci_dev *dev, void __iomem *p) +-{ +-} +-#endif +-#endif /* CONFIG_GENERIC_IOMAP */ +- + /* + * Change virtual addresses to physical addresses and vv. + * These are pretty trivial +@@ -1013,6 +1001,16 @@ static inline void __iomem *ioport_map(unsigned long port, unsigned int nr) + port &= IO_SPACE_LIMIT; + return (port > MMIO_UPPER_LIMIT) ? 
NULL : PCI_IOBASE + port; + } ++#define __pci_ioport_unmap __pci_ioport_unmap ++static inline void __pci_ioport_unmap(void __iomem *p) ++{ ++ uintptr_t start = (uintptr_t) PCI_IOBASE; ++ uintptr_t addr = (uintptr_t) p; ++ ++ if (addr >= start && addr < start + IO_SPACE_LIMIT) ++ return; ++ iounmap(p); ++} + #endif + + #ifndef ioport_unmap +@@ -1027,6 +1025,23 @@ extern void ioport_unmap(void __iomem *p); + #endif /* CONFIG_GENERIC_IOMAP */ + #endif /* CONFIG_HAS_IOPORT_MAP */ + ++#ifndef CONFIG_GENERIC_IOMAP ++struct pci_dev; ++extern void __iomem *pci_iomap(struct pci_dev *dev, int bar, unsigned long max); ++ ++#ifndef __pci_ioport_unmap ++static inline void __pci_ioport_unmap(void __iomem *p) {} ++#endif ++ ++#ifndef pci_iounmap ++#define pci_iounmap pci_iounmap ++static inline void pci_iounmap(struct pci_dev *dev, void __iomem *p) ++{ ++ __pci_ioport_unmap(p); ++} ++#endif ++#endif /* CONFIG_GENERIC_IOMAP */ ++ + /* + * Convert a virtual cached pointer to an uncached pointer + */ +-- +2.27.0 + diff --git a/queue-5.4/ata-sata_nv-fix-retrieving-of-active-qcs.patch b/queue-5.4/ata-sata_nv-fix-retrieving-of-active-qcs.patch new file mode 100644 index 00000000000..667a42e5200 --- /dev/null +++ b/queue-5.4/ata-sata_nv-fix-retrieving-of-active-qcs.patch 
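Review bot: In `__pci_ioport_unmap()` the upper bound `addr < start + IO_SPACE_LIMIT` looks off by one. `ioport_map()` just above masks the port with `IO_SPACE_LIMIT`, which suggests that value is the highest valid port, so a cookie equal to `PCI_IOBASE + IO_SPACE_LIMIT` would fall through to `iounmap()` although it was never ioremapped; whether `ioport_map()` can actually return it depends on `MMIO_UPPER_LIMIT`, which this patch does not show. Comparing the offset instead, `if (addr >= start && addr - start <= IO_SPACE_LIMIT) return;`, covers the whole port window and also avoids the `start + IO_SPACE_LIMIT` addition wrapping. A short comment on the helper, e.g. `/* port cookies from ioport_map() are not ioremapped and must not reach iounmap() */`, would record why the range test exists.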
@@ -0,0 +1,43 @@
+From 23232970a8cb0aec67b14120c877cb71f65ab36a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 8 May 2020 07:28:19 +0200
+Subject: ata: sata_nv: Fix retrieving of active qcs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Sascha Hauer
+
+[ Upstream commit 8e4c309f9f33b76c09daa02b796ef87918eee494 ]
+
+ata_qc_complete_multiple() has to be called with the tags physically
+active, that is the hw tag is at bit 0. ap->qc_active has the same tag
+at bit ATA_TAG_INTERNAL instead, so call ata_qc_get_active() to fix that
+up. This is done in the vein of 8385d756e114 ("libata: Fix retrieving of
+active qcs").
+
+Fixes: 28361c403683 ("libata: add extra internal command")
+Tested-by: Pali Rohár
+Signed-off-by: Sascha Hauer
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ drivers/ata/sata_nv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/ata/sata_nv.c b/drivers/ata/sata_nv.c
+index 18b147c182b96..0514aa7e80e39 100644
+--- a/drivers/ata/sata_nv.c
++++ b/drivers/ata/sata_nv.c
+@@ -2100,7 +2100,7 @@ static int nv_swncq_sdbfis(struct ata_port *ap)
+ pp->dhfis_bits &= ~done_mask;
+ pp->dmafis_bits &= ~done_mask;
+ pp->sdbfis_bits |= done_mask;
+- ata_qc_complete_multiple(ap, ap->qc_active ^ done_mask);
++ ata_qc_complete_multiple(ap, ata_qc_get_active(ap) ^ done_mask);
+
+ if (!ap->qc_active) {
+ DPRINTK("over\n");
+--
+2.27.0
+
diff --git a/queue-5.4/ath10k-fix-vht-nss-calculation-when-stbc-is-enabled.patch b/queue-5.4/ath10k-fix-vht-nss-calculation-when-stbc-is-enabled.patch
new file mode 100644
index 00000000000..54c5aa788c2
--- /dev/null
+++ b/queue-5.4/ath10k-fix-vht-nss-calculation-when-stbc-is-enabled.patch
@@ -0,0 +1,58 @@
+From 8ef1d0b9fc85594ac5cadc94be0f0ecdf4a3c563 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 14 Aug 2020 13:46:11 +0530
+Subject: ath10k: fix VHT NSS calculation when STBC is enabled
+
+From: Sathishkumar Muruganandam
+
+[ Upstream commit 99f41b8e43b8b4b31262adb8ac3e69088fff1289 ]
+
+When STBC is enabled, NSTS_SU value need to be accounted for VHT NSS
+calculation for SU case.
+
+Without this fix, 1SS + STBC enabled case was reported wrongly as 2SS
+in radiotap header on monitor mode capture.
+
+Tested-on: QCA9984 10.4-3.10-00047
+
+Signed-off-by: Sathishkumar Muruganandam
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/1597392971-3897-1-git-send-email-murugana@codeaurora.org
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath10k/htt_rx.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/htt_rx.c b/drivers/net/wireless/ath/ath10k/htt_rx.c
+index 8ca0a808a644d..04095f91d3014 100644
+--- a/drivers/net/wireless/ath/ath10k/htt_rx.c
++++ b/drivers/net/wireless/ath/ath10k/htt_rx.c
+@@ -949,6 +949,7 @@ static void ath10k_htt_rx_h_rates(struct ath10k *ar,
+ u8 preamble = 0;
+ u8 group_id;
+ u32 info1, info2, info3;
++ u32 stbc, nsts_su;
+
+ info1 = __le32_to_cpu(rxd->ppdu_start.info1);
+ info2 = __le32_to_cpu(rxd->ppdu_start.info2);
+@@ -993,11 +994,16 @@ static void ath10k_htt_rx_h_rates(struct ath10k *ar,
+ */
+ bw = info2 & 3;
+ sgi = info3 & 1;
++ stbc = (info2 >> 3) & 1;
+ group_id = (info2 >> 4) & 0x3F;
+
+ if (GROUP_ID_IS_SU_MIMO(group_id)) {
+ mcs = (info3 >> 4) & 0x0F;
+- nss = ((info2 >> 10) & 0x07) + 1;
++ nsts_su = ((info2 >> 10) & 0x07);
++ if (stbc)
++ nss = (nsts_su >> 2) + 1;
++ else
++ nss = (nsts_su + 1);
+ } else {
+ /* Hardware doesn't decode VHT-SIG-B into Rx descriptor
+ * so it's impossible to decode MCS. Also since
+--
+2.27.0
+
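Review bot: The STBC branch `nss = (nsts_su >> 2) + 1;` appears correct only for the 1SS case that the commit message reports testing. If `nsts_su` holds the number of space-time streams minus one (which the non-STBC branch `nss = (nsts_su + 1);` implies) and STBC doubles the stream count, the field values 1, 3, 5, 7 should map to 1, 2, 3, 4 spatial streams, but a shift by two yields 1, 1, 2, 2. `nss = (nsts_su >> 1) + 1;` would match all four; this should be confirmed against the Rx descriptor format and a 2SS+STBC capture. The function body continues outside both hunks.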
diff --git a/queue-5.4/ath10k-start-recovery-process-when-payload-length-ex.patch b/queue-5.4/ath10k-start-recovery-process-when-payload-length-ex.patch new file mode 100644 index 00000000000..fa6559818ae --- /dev/null +++ b/queue-5.4/ath10k-start-recovery-process-when-payload-length-ex.patch 
@@ -0,0 +1,85 @@ +From d68ccfceb345437b1ed3654009b06fe7c6a3c549 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Aug 2020 18:17:08 +0300 +Subject: ath10k: start recovery process when payload length exceeds max htc + length for sdio + +From: Wen Gong + +[ Upstream commit 2fd3c8f34d08af0a6236085f9961866ad92ef9ec ] + +When simulate random transfer fail for sdio write and read, it happened +"payload length exceeds max htc length" and recovery later sometimes. + +Test steps: +1. Add config and update kernel: +CONFIG_FAIL_MMC_REQUEST=y +CONFIG_FAULT_INJECTION=y +CONFIG_FAULT_INJECTION_DEBUG_FS=y + +2. Run simulate fail: +cd /sys/kernel/debug/mmc1/fail_mmc_request +echo 10 > probability +echo 10 > times # repeat until hitting issues + +3. It happened payload length exceeds max htc length. +[ 199.935506] ath10k_sdio mmc1:0001:1: payload length 57005 exceeds max htc length: 4088 +.... +[ 264.990191] ath10k_sdio mmc1:0001:1: payload length 57005 exceeds max htc length: 4088 + +4. after some time, such as 60 seconds, it start recovery which triggered +by wmi command timeout for periodic scan. +[ 269.229232] ieee80211 phy0: Hardware restart was requested +[ 269.734693] ath10k_sdio mmc1:0001:1: device successfully recovered + +The simulate fail of sdio is not a real sdio transter fail, it only +set an error status in mmc_should_fail_request after the transfer end, +actually the transfer is success, then sdio_io_rw_ext_helper will +return error status and stop transfer the left data. For example, +the really RX len is 286 bytes, then it will split to 2 blocks in +sdio_io_rw_ext_helper, one is 256 bytes, left is 30 bytes, if the +first 256 bytes get an error status by mmc_should_fail_request,then +the left 30 bytes will not read in this RX operation. 
Then when the +next RX arrive, the left 30 bytes will be considered as the header +of the read, the top 4 bytes of the 30 bytes will be considered as +lookaheads, but actually the 4 bytes is not the lookaheads, so the len +from this lookaheads is not correct, it exceeds max htc length 4088 +sometimes. When happened exceeds, the buffer chain is not matched between +firmware and ath10k, then it need to start recovery ASAP. Recently then +recovery will be started by wmi command timeout, but it will be long time +later, for example, it is 60+ seconds later from the periodic scan, if +it does not have periodic scan, it will be longer. + +Start recovery when it happened "payload length exceeds max htc length" +will be reasonable. + +This patch only effect sdio chips. + +Tested with QCA6174 SDIO with firmware WLAN.RMH.4.4.1-00029. + +Signed-off-by: Wen Gong +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200108031957.22308-3-wgong@codeaurora.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/sdio.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath10k/sdio.c b/drivers/net/wireless/ath/ath10k/sdio.c +index 8fe626deadeb0..24b1927a07518 100644 +--- a/drivers/net/wireless/ath/ath10k/sdio.c ++++ b/drivers/net/wireless/ath/ath10k/sdio.c +@@ -550,6 +550,10 @@ static int ath10k_sdio_mbox_rx_alloc(struct ath10k *ar, + le16_to_cpu(htc_hdr->len), + ATH10K_HTC_MBOX_MAX_PAYLOAD_LENGTH); + ret = -ENOMEM; ++ ++ queue_work(ar->workqueue, &ar->restart_work); ++ ath10k_warn(ar, "exceeds length, start recovery\n"); ++ + goto err; + } + +-- +2.27.0 + diff --git a/queue-5.4/bnxt_en-log-unknown-link-speed-appropriately.patch b/queue-5.4/bnxt_en-log-unknown-link-speed-appropriately.patch new file mode 100644 index 00000000000..f3a0e296d39 --- /dev/null +++ b/queue-5.4/bnxt_en-log-unknown-link-speed-appropriately.patch 
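Review bot: The added `queue_work(ar->workqueue, &ar->restart_work);` is triggered by a length field read from the device-supplied HTC header, with no check of the driver's current state and no comment explaining why a bad length cannot be recovered in place. Only the error branch of ath10k_sdio_mbox_rx_alloc() is visible here, so it cannot be told from the hunk whether a restart may already be in progress or the device is being torn down at this point; if either is possible the restart should be gated on that state rather than queued unconditionally. I would also emit the warning before queueing the work and add a comment such as `/* RX buffer chain is out of sync with firmware; only a restart recovers */`. The pre-existing `ret = -ENOMEM;` is a misleading error code for a length violation.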
@@ -0,0 +1,51 @@
+From 724ff036fd8287b5ee3f7c329518b2c944bab840 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 12 Oct 2020 05:10:51 -0400
+Subject: bnxt_en: Log unknown link speed appropriately.
+
+From: Michael Chan
+
+[ Upstream commit 8eddb3e7ce124dd6375d3664f1aae13873318b0f ]
+
+If the VF virtual link is set to always enabled, the speed may be
+unknown when the physical link is down. The driver currently logs
+the link speed as 4294967295 Mbps which is SPEED_UNKNOWN. Modify
+the link up log message as "speed unknown" which makes more sense.
+
+Reviewed-by: Vasundhara Volam
+Reviewed-by: Edwin Peer
+Signed-off-by: Michael Chan
+Link: https://lore.kernel.org/r/1602493854-29283-7-git-send-email-michael.chan@broadcom.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+index cdd3764760ed9..6f777e9b4b936 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -8375,6 +8375,11 @@ static void bnxt_report_link(struct bnxt *bp)
+ u16 fec;
+
+ netif_carrier_on(bp->dev);
++ speed = bnxt_fw_to_ethtool_speed(bp->link_info.link_speed);
++ if (speed == SPEED_UNKNOWN) {
++ netdev_info(bp->dev, "NIC Link is Up, speed unknown\n");
++ return;
++ }
+ if (bp->link_info.duplex == BNXT_LINK_DUPLEX_FULL)
+ duplex = "full";
+ else
+@@ -8387,7 +8392,6 @@ static void bnxt_report_link(struct bnxt *bp)
+ flow_ctrl = "ON - receive";
+ else
+ flow_ctrl = "none";
+- speed = bnxt_fw_to_ethtool_speed(bp->link_info.link_speed);
+ netdev_info(bp->dev, "NIC Link is Up, %u Mbps %s duplex, Flow control: %s\n",
+ speed, duplex, flow_ctrl);
+ if (bp->flags & BNXT_FLAG_EEE_CAP)
+--
+2.27.0
+
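Review bot: The early `return;` in the `SPEED_UNKNOWN` branch of bnxt_report_link() skips everything that follows the speed message, including the `if (bp->flags & BNXT_FLAG_EEE_CAP)` reporting visible in the second hunk's context. If only the speed line is meant to change, putting the existing `netdev_info(...)` call in an `else` keeps the later reporting; if dropping the rest is intended, a comment such as `/* duplex, flow control and EEE are not reported without a known speed */` would say so. The function continues outside both hunks, so what else is skipped cannot be seen here.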
diff --git a/queue-5.4/bpf-permit-map_ptr-arithmetic-with-opcode-add-and-of.patch b/queue-5.4/bpf-permit-map_ptr-arithmetic-with-opcode-add-and-of.patch new file mode 100644 index 00000000000..771c0e646b3 --- /dev/null +++ b/queue-5.4/bpf-permit-map_ptr-arithmetic-with-opcode-add-and-of.patch 
@@ -0,0 +1,119 @@ +From 01a516558d71db45d5c98ba2cbf7960371d8855b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Sep 2020 10:57:02 -0700 +Subject: bpf: Permit map_ptr arithmetic with opcode add and offset 0 + +From: Yonghong Song + +[ Upstream commit 7c6967326267bd5c0dded0a99541357d70dd11ac ] + +Commit 41c48f3a98231 ("bpf: Support access +to bpf map fields") added support to access map fields +with CORE support. For example, + + struct bpf_map { + __u32 max_entries; + } __attribute__((preserve_access_index)); + + struct bpf_array { + struct bpf_map map; + __u32 elem_size; + } __attribute__((preserve_access_index)); + + struct { + __uint(type, BPF_MAP_TYPE_ARRAY); + __uint(max_entries, 4); + __type(key, __u32); + __type(value, __u32); + } m_array SEC(".maps"); + + SEC("cgroup_skb/egress") + int cg_skb(void *ctx) + { + struct bpf_array *array = (struct bpf_array *)&m_array; + + /* .. array->map.max_entries .. */ + } + +In kernel, bpf_htab has similar structure, + + struct bpf_htab { + struct bpf_map map; + ... + } + +In the above cg_skb(), to access array->map.max_entries, with CORE, the clang will +generate two builtin's. + base = &m_array; + /* access array.map */ + map_addr = __builtin_preserve_struct_access_info(base, 0, 0); + /* access array.map.max_entries */ + max_entries_addr = __builtin_preserve_struct_access_info(map_addr, 0, 0); + max_entries = *max_entries_addr; + +In the current llvm, if two builtin's are in the same function or +in the same function after inlining, the compiler is smart enough to chain +them together and generates like below: + base = &m_array; + max_entries = *(base + reloc_offset); /* reloc_offset = 0 in this case */ +and we are fine. + +But if we force no inlining for one of functions in test_map_ptr() selftest, e.g., +check_default(), the above two __builtin_preserve_* will be in two different +functions. 
In this case, we will have code like: + func check_hash(): + reloc_offset_map = 0; + base = &m_array; + map_base = base + reloc_offset_map; + check_default(map_base, ...) + func check_default(map_base, ...): + max_entries = *(map_base + reloc_offset_max_entries); + +In kernel, map_ptr (CONST_PTR_TO_MAP) does not allow any arithmetic. +The above "map_base = base + reloc_offset_map" will trigger a verifier failure. + ; VERIFY(check_default(&hash->map, map)); + 0: (18) r7 = 0xffffb4fe8018a004 + 2: (b4) w1 = 110 + 3: (63) *(u32 *)(r7 +0) = r1 + R1_w=invP110 R7_w=map_value(id=0,off=4,ks=4,vs=8,imm=0) R10=fp0 + ; VERIFY_TYPE(BPF_MAP_TYPE_HASH, check_hash); + 4: (18) r1 = 0xffffb4fe8018a000 + 6: (b4) w2 = 1 + 7: (63) *(u32 *)(r1 +0) = r2 + R1_w=map_value(id=0,off=0,ks=4,vs=8,imm=0) R2_w=invP1 R7_w=map_value(id=0,off=4,ks=4,vs=8,imm=0) R10=fp0 + 8: (b7) r2 = 0 + 9: (18) r8 = 0xffff90bcb500c000 + 11: (18) r1 = 0xffff90bcb500c000 + 13: (0f) r1 += r2 + R1 pointer arithmetic on map_ptr prohibited + +To fix the issue, let us permit map_ptr + 0 arithmetic which will +result in exactly the same map_ptr. + +Signed-off-by: Yonghong Song +Signed-off-by: Alexei Starovoitov +Acked-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20200908175702.2463625-1-yhs@fb.com +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 507474f79195f..a67bfa803d983 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -4427,6 +4427,10 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, + dst, reg_type_str[ptr_reg->type]); + return -EACCES; + case CONST_PTR_TO_MAP: ++ /* smin_val represents the known value */ ++ if (known && smin_val == 0 && opcode == BPF_ADD) ++ break; ++ /* fall-through */ + case PTR_TO_PACKET_END: + case PTR_TO_SOCKET: + case PTR_TO_SOCKET_OR_NULL: +-- +2.27.0 + 
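Review bot: The comment `/* smin_val represents the known value */` on the new `CONST_PTR_TO_MAP` case does not say why this one case is safe, which matters for a verifier relaxation. `known` and `smin_val` are computed outside the hunk, so a reader cannot tell from here that the offset must be a verifier-known constant. I would spell it out: `/* Allow only map_ptr + 0 with a known constant offset: the result is the same pointer, so no new bounds need tracking; any other offset or opcode falls through to the cases below. */`. Because `break` leaves the switch and continues into the rest of adjust_ptr_min_max_vals(), which is not shown, it is worth confirming that the BPF_ADD path there leaves the register an unmodified `CONST_PTR_TO_MAP` on this kernel version.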
diff --git a/queue-5.4/brcmfmac-fix-warning-message-after-dongle-setup-fail.patch b/queue-5.4/brcmfmac-fix-warning-message-after-dongle-setup-fail.patch
new file mode 100644
index 00000000000..8b9c173ae03
--- /dev/null
+++ b/queue-5.4/brcmfmac-fix-warning-message-after-dongle-setup-fail.patch
@@ -0,0 +1,76 @@ +From 0fc7270935bf39f41043537e5179697c7a22a270 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Sep 2020 00:49:22 -0500 +Subject: brcmfmac: Fix warning message after dongle setup failed + +From: Wright Feng + +[ Upstream commit 6aa5a83a7ed8036c1388a811eb8bdfa77b21f19c ] + +Brcmfmac showed warning message in fweh.c when checking the size of event +queue which is not initialized. Therefore, we only cancel the worker and +reset event handler only when it is initialized. + +[ 145.505899] brcmfmac 0000:02:00.0: brcmf_pcie_setup: Dongle setup +[ 145.929970] ------------[ cut here ]------------ +[ 145.929994] WARNING: CPU: 0 PID: 288 at drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c:312 +brcmf_fweh_detach+0xbc/0xd0 [brcmfmac] +... +[ 145.930029] Call Trace: +[ 145.930036] brcmf_detach+0x77/0x100 [brcmfmac] +[ 145.930043] brcmf_pcie_remove+0x79/0x130 [brcmfmac] +[ 145.930046] pci_device_remove+0x39/0xc0 +[ 145.930048] device_release_driver_internal+0x141/0x200 +[ 145.930049] device_release_driver+0x12/0x20 +[ 145.930054] brcmf_pcie_setup+0x101/0x3c0 [brcmfmac] +[ 145.930060] brcmf_fw_request_done+0x11d/0x1f0 [brcmfmac] +[ 145.930062] ? lock_timer_base+0x7d/0xa0 +[ 145.930063] ? internal_add_timer+0x1f/0xa0 +[ 145.930064] ? add_timer+0x11a/0x1d0 +[ 145.930066] ? __kmalloc_track_caller+0x18c/0x230 +[ 145.930068] ? kstrdup_const+0x23/0x30 +[ 145.930069] ? add_dr+0x46/0x80 +[ 145.930070] ? devres_add+0x3f/0x50 +[ 145.930072] ? usermodehelper_read_unlock+0x15/0x20 +[ 145.930073] ? _request_firmware+0x288/0xa20 +[ 145.930075] request_firmware_work_func+0x36/0x60 +[ 145.930077] process_one_work+0x144/0x360 +[ 145.930078] worker_thread+0x4d/0x3c0 +[ 145.930079] kthread+0x112/0x150 +[ 145.930080] ? rescuer_thread+0x340/0x340 +[ 145.930081] ? 
kthread_park+0x60/0x60 +[ 145.930083] ret_from_fork+0x25/0x30 + +Signed-off-by: Wright Feng +Signed-off-by: Chi-hsien Lin +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200928054922.44580-3-wright.feng@cypress.com +Signed-off-by: Sasha Levin +--- + .../net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c +index 79c8a858b6d6f..a30fcfbf2ee7c 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c +@@ -304,10 +304,12 @@ void brcmf_fweh_detach(struct brcmf_pub *drvr) + { + struct brcmf_fweh_info *fweh = &drvr->fweh; + +- /* cancel the worker */ +- cancel_work_sync(&fweh->event_work); +- WARN_ON(!list_empty(&fweh->event_q)); +- memset(fweh->evt_handler, 0, sizeof(fweh->evt_handler)); ++ /* cancel the worker if initialized */ ++ if (fweh->event_work.func) { ++ cancel_work_sync(&fweh->event_work); ++ WARN_ON(!list_empty(&fweh->event_q)); ++ memset(fweh->evt_handler, 0, sizeof(fweh->evt_handler)); ++ } + } + + /** +-- +2.27.0 + diff --git a/queue-5.4/btrfs-fix-replace-of-seed-device.patch b/queue-5.4/btrfs-fix-replace-of-seed-device.patch new file mode 100644 index 00000000000..e4e603a50a7 --- /dev/null +++ b/queue-5.4/btrfs-fix-replace-of-seed-device.patch 
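Review bot: The new guard `if (fweh->event_work.func)` in brcmf_fweh_detach() treats a NULL work function as "never initialised". That holds only if the `struct brcmf_pub` embedding `fweh` is zero-filled when allocated, and the allocation is not in this hunk. I would record the assumption next to the test, e.g. `/* event_work.func stays NULL until the work item is initialised; relies on drvr being zero-allocated */`. Without that, a later change to how `drvr` is allocated could make detach call `cancel_work_sync()` on an uninitialised work item again.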
@@ -0,0 +1,115 @@ +From d4a1f4c21e200361157f7adfdcbc66be2cbf6f63 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Sep 2020 01:34:22 +0800 +Subject: btrfs: fix replace of seed device + +From: Anand Jain + +[ Upstream commit c6a5d954950c5031444173ad2195efc163afcac9 ] + +If you replace a seed device in a sprouted fs, it appears to have +successfully replaced the seed device, but if you look closely, it +didn't. Here is an example. + + $ mkfs.btrfs /dev/sda + $ btrfstune -S1 /dev/sda + $ mount /dev/sda /btrfs + $ btrfs device add /dev/sdb /btrfs + $ umount /btrfs + $ btrfs device scan --forget + $ mount -o device=/dev/sda /dev/sdb /btrfs + $ btrfs replace start -f /dev/sda /dev/sdc /btrfs + $ echo $? + 0 + + BTRFS info (device sdb): dev_replace from /dev/sda (devid 1) to /dev/sdc started + BTRFS info (device sdb): dev_replace from /dev/sda (devid 1) to /dev/sdc finished + + $ btrfs fi show + Label: none uuid: ab2c88b7-be81-4a7e-9849-c3666e7f9f4f + Total devices 2 FS bytes used 256.00KiB + devid 1 size 3.00GiB used 520.00MiB path /dev/sdc + devid 2 size 3.00GiB used 896.00MiB path /dev/sdb + + Label: none uuid: 10bd3202-0415-43af-96a8-d5409f310a7e + Total devices 1 FS bytes used 128.00KiB + devid 1 size 3.00GiB used 536.00MiB path /dev/sda + +So as per the replace start command and kernel log replace was successful. +Now let's try to clean mount. + + $ umount /btrfs + $ btrfs device scan --forget + + $ mount -o device=/dev/sdc /dev/sdb /btrfs + mount: /btrfs: wrong fs type, bad option, bad superblock on /dev/sdb, missing codepage or helper program, or other error. + + [ 636.157517] BTRFS error (device sdc): failed to read chunk tree: -2 + [ 636.180177] BTRFS error (device sdc): open_ctree failed + +That's because per dev items it is still looking for the original seed +device. 
+ + $ btrfs inspect-internal dump-tree -d /dev/sdb + + item 0 key (DEV_ITEMS DEV_ITEM 1) itemoff 16185 itemsize 98 + devid 1 total_bytes 3221225472 bytes_used 545259520 + io_align 4096 io_width 4096 sector_size 4096 type 0 + generation 6 start_offset 0 dev_group 0 + seek_speed 0 bandwidth 0 + uuid 59368f50-9af2-4b17-91da-8a783cc418d4 <--- seed uuid + fsid 10bd3202-0415-43af-96a8-d5409f310a7e <--- seed fsid + item 1 key (DEV_ITEMS DEV_ITEM 2) itemoff 16087 itemsize 98 + devid 2 total_bytes 3221225472 bytes_used 939524096 + io_align 4096 io_width 4096 sector_size 4096 type 0 + generation 0 start_offset 0 dev_group 0 + seek_speed 0 bandwidth 0 + uuid 56a0a6bc-4630-4998-8daf-3c3030c4256a <- sprout uuid + fsid ab2c88b7-be81-4a7e-9849-c3666e7f9f4f <- sprout fsid + +But the replaced target has the following uuid+fsid in its superblock +which doesn't match with the expected uuid+fsid in its devitem. + + $ btrfs in dump-super /dev/sdc | egrep '^generation|dev_item.uuid|dev_item.fsid|devid' + generation 20 + dev_item.uuid 59368f50-9af2-4b17-91da-8a783cc418d4 + dev_item.fsid ab2c88b7-be81-4a7e-9849-c3666e7f9f4f [match] + dev_item.devid 1 + +So if you provide the original seed device the mount shall be +successful. Which so long happening in the test case btrfs/163. + + $ btrfs device scan --forget + $ mount -o device=/dev/sda /dev/sdb /btrfs + +Fix in this patch: +If a seed is not sprouted then there is no replacement of it, because of +its read-only filesystem with a read-only device. Similarly, in the case +of a sprouted filesystem, the seed device is still read only. So, mark +it as you can't replace a seed device, you can only add a new device and +then delete the seed device. If replace is attempted then returns +-EINVAL. 
+ +Signed-off-by: Anand Jain +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/dev-replace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/btrfs/dev-replace.c b/fs/btrfs/dev-replace.c +index 196bd241e701a..34ddf2d75c1af 100644 +--- a/fs/btrfs/dev-replace.c ++++ b/fs/btrfs/dev-replace.c +@@ -190,7 +190,7 @@ static int btrfs_init_dev_replace_tgtdev(struct btrfs_fs_info *fs_info, + int ret = 0; + + *device_out = NULL; +- if (fs_info->fs_devices->seeding) { ++ if (srcdev->fs_devices->seeding) { + btrfs_err(fs_info, "the filesystem is a seed filesystem!"); + return -EINVAL; + } +-- +2.27.0 + diff --git a/queue-5.4/bus-fsl_mc-do-not-rely-on-caller-to-provide-non-null.patch b/queue-5.4/bus-fsl_mc-do-not-rely-on-caller-to-provide-non-null.patch new file mode 100644 index 00000000000..2c41ec9a8a9 --- /dev/null +++ b/queue-5.4/bus-fsl_mc-do-not-rely-on-caller-to-provide-non-null.patch 
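Review bot: The error text in btrfs_init_dev_replace_tgtdev() no longer matches the condition. The check is now `srcdev->fs_devices->seeding`, i.e. the source device belongs to a seed filesystem, but the message still reads "the filesystem is a seed filesystem!". On a sprouted filesystem that misleads whoever reads the log, because the mounted filesystem itself is writable. Something like `btrfs_err(fs_info, "cannot replace a seed device, add a new device and delete the seed instead");` would match the commit description. The new line also dereferences `srcdev` unconditionally; whether a caller can pass NULL is not visible in this hunk.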
@@ -0,0 +1,43 @@ +From b1990b60e656d8d9953b9b80c6393f3f6d8df8cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Sep 2020 11:54:38 +0300 +Subject: bus/fsl_mc: Do not rely on caller to provide non NULL mc_io + +From: Diana Craciun + +[ Upstream commit 5026cf605143e764e1785bbf9158559d17f8d260 ] + +Before destroying the mc_io, check first that it was +allocated. + +Reviewed-by: Laurentiu Tudor +Acked-by: Laurentiu Tudor +Signed-off-by: Diana Craciun +Link: https://lore.kernel.org/r/20200929085441.17448-11-diana.craciun@oss.nxp.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/bus/fsl-mc/mc-io.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/bus/fsl-mc/mc-io.c b/drivers/bus/fsl-mc/mc-io.c +index d9629fc13a155..0a4a387b615d5 100644 +--- a/drivers/bus/fsl-mc/mc-io.c ++++ b/drivers/bus/fsl-mc/mc-io.c +@@ -129,7 +129,12 @@ error_destroy_mc_io: + */ + void fsl_destroy_mc_io(struct fsl_mc_io *mc_io) + { +- struct fsl_mc_device *dpmcp_dev = mc_io->dpmcp_dev; ++ struct fsl_mc_device *dpmcp_dev; ++ ++ if (!mc_io) ++ return; ++ ++ dpmcp_dev = mc_io->dpmcp_dev; + + if (dpmcp_dev) + fsl_mc_io_unset_dpmcp(mc_io); +-- +2.27.0 + diff --git a/queue-5.4/can-flexcan-disable-clocks-during-stop-mode.patch b/queue-5.4/can-flexcan-disable-clocks-during-stop-mode.patch new file mode 100644 index 00000000000..11f4751e5a7 --- /dev/null +++ b/queue-5.4/can-flexcan-disable-clocks-during-stop-mode.patch 
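Review bot: fsl_destroy_mc_io() now accepts NULL, but the kernel-doc block whose closing `*/` sits at the top of the hunk is not touched by this change. Callers therefore cannot tell from the documentation that NULL is allowed. I would extend the parameter description there, e.g. `@mc_io: mc_io object to destroy; may be NULL, in which case the function returns without doing anything`. The comment block starts outside the hunk, so its current wording is not visible.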
@@ -0,0 +1,85 @@ +From d20e1cc6f50b40e4517989eb8a67c0e5d6f0f195 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Dec 2019 09:00:13 +0000 +Subject: can: flexcan: disable clocks during stop mode + +From: Joakim Zhang + +[ Upstream commit 02f71c6605e1f8259c07f16178330db766189a74 ] + +Disable clocks while CAN core is in stop mode. + +Signed-off-by: Joakim Zhang +Tested-by: Sean Nyekjaer +Link: https://lore.kernel.org/r/20191210085721.9853-2-qiangqing.zhang@nxp.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/flexcan.c | 30 ++++++++++++++++++++---------- + 1 file changed, 20 insertions(+), 10 deletions(-) + +diff --git a/drivers/net/can/flexcan.c b/drivers/net/can/flexcan.c +index aaa7ed1dc97ee..d59c6c87164f4 100644 +--- a/drivers/net/can/flexcan.c ++++ b/drivers/net/can/flexcan.c +@@ -1703,8 +1703,6 @@ static int __maybe_unused flexcan_suspend(struct device *device) + err = flexcan_chip_disable(priv); + if (err) + return err; +- +- err = pm_runtime_force_suspend(device); + } + netif_stop_queue(dev); + netif_device_detach(dev); +@@ -1730,10 +1728,6 @@ static int __maybe_unused flexcan_resume(struct device *device) + if (err) + return err; + } else { +- err = pm_runtime_force_resume(device); +- if (err) +- return err; +- + err = flexcan_chip_enable(priv); + } + } +@@ -1764,8 +1758,16 @@ static int __maybe_unused flexcan_noirq_suspend(struct device *device) + struct net_device *dev = dev_get_drvdata(device); + struct flexcan_priv *priv = netdev_priv(dev); + +- if (netif_running(dev) && device_may_wakeup(device)) +- flexcan_enable_wakeup_irq(priv, true); ++ if (netif_running(dev)) { ++ int err; ++ ++ if (device_may_wakeup(device)) ++ flexcan_enable_wakeup_irq(priv, true); ++ ++ err = pm_runtime_force_suspend(device); ++ if (err) ++ return err; ++ } + + return 0; + } +@@ -1775,8 +1777,16 @@ static int __maybe_unused flexcan_noirq_resume(struct device *device) + struct net_device *dev = dev_get_drvdata(device); + struct 
flexcan_priv *priv = netdev_priv(dev); + +- if (netif_running(dev) && device_may_wakeup(device)) +- flexcan_enable_wakeup_irq(priv, false); ++ if (netif_running(dev)) { ++ int err; ++ ++ err = pm_runtime_force_resume(device); ++ if (err) ++ return err; ++ ++ if (device_may_wakeup(device)) ++ flexcan_enable_wakeup_irq(priv, false); ++ } + + return 0; + } +-- +2.27.0 + diff --git a/queue-5.4/cifs-handle-eintr-in-cifs_setattr.patch b/queue-5.4/cifs-handle-eintr-in-cifs_setattr.patch new file mode 100644 index 00000000000..a6df7494f4a --- /dev/null +++ b/queue-5.4/cifs-handle-eintr-in-cifs_setattr.patch 
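Review bot: In the new flexcan_noirq_suspend() body, a failure of `pm_runtime_force_suspend(device)` returns with the wake-up interrupt still enabled by the preceding `flexcan_enable_wakeup_irq(priv, true)`. Unless the PM core is known to run flexcan_noirq_resume() for a device whose own noirq suspend failed, the error path should undo it: `if (err) { if (device_may_wakeup(device)) flexcan_enable_wakeup_irq(priv, false); return err; }`. flexcan_noirq_resume() uses the mirrored order (force resume first, then disable the wake-up interrupt) and looks consistent.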
@@ -0,0 +1,57 @@ +From 0bbec844b0578cb736d5c540a2722c49a0a01210 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Oct 2020 09:32:56 +1000 +Subject: cifs: handle -EINTR in cifs_setattr + +From: Ronnie Sahlberg + +[ Upstream commit c6cc4c5a72505a0ecefc9b413f16bec512f38078 ] + +RHBZ: 1848178 + +Some calls that set attributes, like utimensat(), are not supposed to return +-EINTR and thus do not have handlers for this in glibc which causes us +to leak -EINTR to the applications which are also unprepared to handle it. + +For example tar will break if utimensat() return -EINTR and abort unpacking +the archive. Other applications may break too. + +To handle this we add checks, and retry, for -EINTR in cifs_setattr() + +Signed-off-by: Ronnie Sahlberg +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/inode.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/fs/cifs/inode.c b/fs/cifs/inode.c +index 17df90b5f57a2..fd9e289f3e72a 100644 +--- a/fs/cifs/inode.c ++++ b/fs/cifs/inode.c +@@ -2614,13 +2614,18 @@ cifs_setattr(struct dentry *direntry, struct iattr *attrs) + { + struct cifs_sb_info *cifs_sb = CIFS_SB(direntry->d_sb); + struct cifs_tcon *pTcon = cifs_sb_master_tcon(cifs_sb); ++ int rc, retries = 0; + +- if (pTcon->unix_ext) +- return cifs_setattr_unix(direntry, attrs); +- +- return cifs_setattr_nounix(direntry, attrs); ++ do { ++ if (pTcon->unix_ext) ++ rc = cifs_setattr_unix(direntry, attrs); ++ else ++ rc = cifs_setattr_nounix(direntry, attrs); ++ retries++; ++ } while (is_retryable_error(rc) && retries < 2); + + /* BB: add cifs_setattr_legacy for really old servers */ ++ return rc; + } + + #if 0 +-- +2.27.0 + diff --git a/queue-5.4/clk-ti-clockdomain-fix-static-checker-warning.patch b/queue-5.4/clk-ti-clockdomain-fix-static-checker-warning.patch new file mode 100644 index 00000000000..553c7c15cb0 --- /dev/null +++ b/queue-5.4/clk-ti-clockdomain-fix-static-checker-warning.patch 
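Review bot: The retry loop in cifs_setattr() makes at most two attempts (`retries < 2`), so a second interrupted call still returns the retryable error to the caller. That is the case the commit message says applications such as tar cannot handle. If a single retry is a deliberate bound, state it at the loop, e.g. `/* retry once on a retryable error (see is_retryable_error()); a second failure is returned to the caller */`, and consider a named constant instead of the literal `2`. is_retryable_error() is defined outside this hunk, so the set of codes it covers should be checked against the -EINTR case the commit targets.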
@@ -0,0 +1,40 @@ +From cdbc99cf49ec15bf2feead77296a6febf87119ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Sep 2020 11:25:59 +0300 +Subject: clk: ti: clockdomain: fix static checker warning + +From: Tero Kristo + +[ Upstream commit b7a7943fe291b983b104bcbd2f16e8e896f56590 ] + +Fix a memory leak induced by not calling clk_put after doing of_clk_get. + +Reported-by: Dan Murphy +Signed-off-by: Tero Kristo +Link: https://lore.kernel.org/r/20200907082600.454-3-t-kristo@ti.com +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/ti/clockdomain.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/clk/ti/clockdomain.c b/drivers/clk/ti/clockdomain.c +index 423a99b9f10c7..8d0dea188a284 100644 +--- a/drivers/clk/ti/clockdomain.c ++++ b/drivers/clk/ti/clockdomain.c +@@ -146,10 +146,12 @@ static void __init of_ti_clockdomain_setup(struct device_node *node) + if (!omap2_clk_is_hw_omap(clk_hw)) { + pr_warn("can't setup clkdm for basic clk %s\n", + __clk_get_name(clk)); ++ clk_put(clk); + continue; + } + to_clk_hw_omap(clk_hw)->clkdm_name = clkdm_name; + omap2_init_clk_clkdm(clk_hw); ++ clk_put(clk); + } + } + +-- +2.27.0 + diff --git a/queue-5.4/coresight-make-sysfs-functional-on-topologies-with-p.patch b/queue-5.4/coresight-make-sysfs-functional-on-topologies-with-p.patch new file mode 100644 index 00000000000..539d9a3cce5 --- /dev/null +++ b/queue-5.4/coresight-make-sysfs-functional-on-topologies-with-p.patch 
@@ -0,0 +1,143 @@ +From 519be7f4c3ad62d13020893ee82d8c4db2a9c7c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Sep 2020 13:17:35 -0600 +Subject: coresight: Make sysfs functional on topologies with per core sink + +From: Linu Cherian + +[ Upstream commit 6d578258b955fc8888e1bbd9a8fefe7b10065a84 ] + +Coresight driver assumes sink is common across all the ETMs, +and tries to build a path between ETM and the first enabled +sink found using bus based search. This breaks sysFS usage +on implementations that has multiple per core sinks in +enabled state. + +To fix this, coresight_get_enabled_sink API is updated to +do a connection based search starting from the given source, +instead of bus based search. +With sink selection using sysfs depecrated for perf interface, +provision for reset is removed as well in this API. + +Signed-off-by: Linu Cherian +[Fixed indentation problem and removed obsolete comment] +Signed-off-by: Mathieu Poirier +Link: https://lore.kernel.org/r/20200916191737.4001561-15-mathieu.poirier@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/hwtracing/coresight/coresight-priv.h | 3 +- + drivers/hwtracing/coresight/coresight.c | 62 +++++++++----------- + 2 files changed, 29 insertions(+), 36 deletions(-) + +diff --git a/drivers/hwtracing/coresight/coresight-priv.h b/drivers/hwtracing/coresight/coresight-priv.h +index 82e563cdc8794..dfd24b85a5775 100644 +--- a/drivers/hwtracing/coresight/coresight-priv.h ++++ b/drivers/hwtracing/coresight/coresight-priv.h +@@ -147,7 +147,8 @@ static inline void coresight_write_reg_pair(void __iomem *addr, u64 val, + void coresight_disable_path(struct list_head *path); + int coresight_enable_path(struct list_head *path, u32 mode, void *sink_data); + struct coresight_device *coresight_get_sink(struct list_head *path); +-struct coresight_device *coresight_get_enabled_sink(bool reset); ++struct coresight_device * ++coresight_get_enabled_sink(struct coresight_device *source); 
+ struct coresight_device *coresight_get_sink_by_id(u32 id); + struct list_head *coresight_build_path(struct coresight_device *csdev, + struct coresight_device *sink); +diff --git a/drivers/hwtracing/coresight/coresight.c b/drivers/hwtracing/coresight/coresight.c +index 0bbce0d291582..90ecd04a2f20b 100644 +--- a/drivers/hwtracing/coresight/coresight.c ++++ b/drivers/hwtracing/coresight/coresight.c +@@ -481,50 +481,46 @@ struct coresight_device *coresight_get_sink(struct list_head *path) + return csdev; + } + +-static int coresight_enabled_sink(struct device *dev, const void *data) ++static struct coresight_device * ++coresight_find_enabled_sink(struct coresight_device *csdev) + { +- const bool *reset = data; +- struct coresight_device *csdev = to_coresight_device(dev); ++ int i; ++ struct coresight_device *sink; + + if ((csdev->type == CORESIGHT_DEV_TYPE_SINK || + csdev->type == CORESIGHT_DEV_TYPE_LINKSINK) && +- csdev->activated) { +- /* +- * Now that we have a handle on the sink for this session, +- * disable the sysFS "enable_sink" flag so that possible +- * concurrent perf session that wish to use another sink don't +- * trip on it. Doing so has no ramification for the current +- * session. +- */ +- if (*reset) +- csdev->activated = false; ++ csdev->activated) ++ return csdev; + +- return 1; ++ /* ++ * Recursively explore each port found on this element. 
++ */ ++ for (i = 0; i < csdev->pdata->nr_outport; i++) { ++ struct coresight_device *child_dev; ++ ++ child_dev = csdev->pdata->conns[i].child_dev; ++ if (child_dev) ++ sink = coresight_find_enabled_sink(child_dev); ++ if (sink) ++ return sink; + } + +- return 0; ++ return NULL; + } + + /** +- * coresight_get_enabled_sink - returns the first enabled sink found on the bus +- * @deactivate: Whether the 'enable_sink' flag should be reset ++ * coresight_get_enabled_sink - returns the first enabled sink using ++ * connection based search starting from the source reference + * +- * When operated from perf the deactivate parameter should be set to 'true'. +- * That way the "enabled_sink" flag of the sink that was selected can be reset, +- * allowing for other concurrent perf sessions to choose a different sink. +- * +- * When operated from sysFS users have full control and as such the deactivate +- * parameter should be set to 'false', hence mandating users to explicitly +- * clear the flag. ++ * @source: Coresight source device reference + */ +-struct coresight_device *coresight_get_enabled_sink(bool deactivate) ++struct coresight_device * ++coresight_get_enabled_sink(struct coresight_device *source) + { +- struct device *dev = NULL; +- +- dev = bus_find_device(&coresight_bustype, NULL, &deactivate, +- coresight_enabled_sink); ++ if (!source) ++ return NULL; + +- return dev ? to_coresight_device(dev) : NULL; ++ return coresight_find_enabled_sink(source); + } + + static int coresight_sink_by_id(struct device *dev, const void *data) +@@ -764,11 +760,7 @@ int coresight_enable(struct coresight_device *csdev) + goto out; + } + +- /* +- * Search for a valid sink for this session but don't reset the +- * "enable_sink" flag in sysFS. Users get to do that explicitly. +- */ +- sink = coresight_get_enabled_sink(false); ++ sink = coresight_get_enabled_sink(csdev); + if (!sink) { + ret = -EINVAL; + goto out; +-- +2.27.0 + 
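Review bot: In coresight_find_enabled_sink(), `sink` is declared without an initialiser and is assigned only inside `if (child_dev)`, yet `if (sink)` is evaluated on every loop iteration. When the first output connection has no `child_dev`, the test reads an indeterminate pointer and the function can hand it back to coresight_enable() as the sink. Declare it as `struct coresight_device *sink = NULL;`, or move the `if (sink) return sink;` test inside the `if (child_dev)` block. The recursion also has no depth bound and relies on the connection graph being acyclic, which this hunk does not establish.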
diff --git a/queue-5.4/cpufreq-sti-cpufreq-add-stih418-support.patch b/queue-5.4/cpufreq-sti-cpufreq-add-stih418-support.patch new file mode 100644 index 00000000000..ba6fe86b8c5 --- /dev/null +++ b/queue-5.4/cpufreq-sti-cpufreq-add-stih418-support.patch @@ -0,0 +1,46 @@ +From 3920412dd30173447e5c0f12ac96bcdf92f9553d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Aug 2020 08:10:11 +0200 +Subject: cpufreq: sti-cpufreq: add stih418 support + +From: Alain Volmat + +[ Upstream commit 01a163c52039e9426c7d3d3ab16ca261ad622597 ] + +The STiH418 can be controlled the same way as STiH407 & +STiH410 regarding cpufreq. + +Signed-off-by: Alain Volmat +Signed-off-by: Viresh Kumar +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/sti-cpufreq.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/cpufreq/sti-cpufreq.c b/drivers/cpufreq/sti-cpufreq.c +index 8f16bbb164b84..2855b7878a204 100644 +--- a/drivers/cpufreq/sti-cpufreq.c ++++ b/drivers/cpufreq/sti-cpufreq.c +@@ -141,7 +141,8 @@ static const struct reg_field sti_stih407_dvfs_regfields[DVFS_MAX_REGFIELDS] = { + static const struct reg_field *sti_cpufreq_match(void) + { + if (of_machine_is_compatible("st,stih407") || +- of_machine_is_compatible("st,stih410")) ++ of_machine_is_compatible("st,stih410") || ++ of_machine_is_compatible("st,stih418")) + return sti_stih407_dvfs_regfields; + + return NULL; +@@ -258,7 +259,8 @@ static int sti_cpufreq_init(void) + int ret; + + if ((!of_machine_is_compatible("st,stih407")) && +- (!of_machine_is_compatible("st,stih410"))) ++ (!of_machine_is_compatible("st,stih410")) && ++ (!of_machine_is_compatible("st,stih418"))) + return -ENODEV; + + ddata.cpu = get_cpu_device(0); +-- +2.27.0 + diff --git a/queue-5.4/drivers-net-wan-hdlc_fr-correctly-handle-special-skb.patch b/queue-5.4/drivers-net-wan-hdlc_fr-correctly-handle-special-skb.patch new file mode 100644 index 00000000000..af78711eb1d --- /dev/null 
+++ b/queue-5.4/drivers-net-wan-hdlc_fr-correctly-handle-special-skb.patch 
@@ -0,0 +1,188 @@ +From 066a276743195aed6a44ce5c9b3e310ae39b5023 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Sep 2020 05:56:43 -0700 +Subject: drivers/net/wan/hdlc_fr: Correctly handle special skb->protocol + values + +From: Xie He + +[ Upstream commit 8306266c1d51aac9aa7aa907fe99032a58c6382c ] + +The fr_hard_header function is used to prepend the header to skbs before +transmission. It is used in 3 situations: +1) When a control packet is generated internally in this driver; +2) When a user sends an skb on an Ethernet-emulating PVC device; +3) When a user sends an skb on a normal PVC device. + +These 3 situations need to be handled differently by fr_hard_header. +Different headers should be prepended to the skb in different situations. + +Currently fr_hard_header distinguishes these 3 situations using +skb->protocol. For situation 1 and 2, a special skb->protocol value +will be assigned before calling fr_hard_header, so that it can recognize +these 2 situations. All skb->protocol values other than these special ones +are treated by fr_hard_header as situation 3. + +However, it is possible that in situation 3, the user sends an skb with +one of the special skb->protocol values. In this case, fr_hard_header +would incorrectly treat it as situation 1 or 2. + +This patch tries to solve this issue by using skb->dev instead of +skb->protocol to distinguish between these 3 situations. For situation +1, skb->dev would be NULL; for situation 2, skb->dev->type would be +ARPHRD_ETHER; and for situation 3, skb->dev->type would be ARPHRD_DLCI. + +This way fr_hard_header would be able to distinguish these 3 situations +correctly regardless what skb->protocol value the user tries to use in +situation 3. + +Cc: Krzysztof Halasa +Signed-off-by: Xie He +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/wan/hdlc_fr.c | 98 ++++++++++++++++++++------------------- + 1 file changed, 51 insertions(+), 47 deletions(-) + +diff --git a/drivers/net/wan/hdlc_fr.c b/drivers/net/wan/hdlc_fr.c +index d6cfd51613ed8..3a44dad87602d 100644 +--- a/drivers/net/wan/hdlc_fr.c ++++ b/drivers/net/wan/hdlc_fr.c +@@ -273,63 +273,69 @@ static inline struct net_device **get_dev_p(struct pvc_device *pvc, + + static int fr_hard_header(struct sk_buff **skb_p, u16 dlci) + { +- u16 head_len; + struct sk_buff *skb = *skb_p; + +- switch (skb->protocol) { +- case cpu_to_be16(NLPID_CCITT_ANSI_LMI): +- head_len = 4; +- skb_push(skb, head_len); +- skb->data[3] = NLPID_CCITT_ANSI_LMI; +- break; +- +- case cpu_to_be16(NLPID_CISCO_LMI): +- head_len = 4; +- skb_push(skb, head_len); +- skb->data[3] = NLPID_CISCO_LMI; +- break; +- +- case cpu_to_be16(ETH_P_IP): +- head_len = 4; +- skb_push(skb, head_len); +- skb->data[3] = NLPID_IP; +- break; +- +- case cpu_to_be16(ETH_P_IPV6): +- head_len = 4; +- skb_push(skb, head_len); +- skb->data[3] = NLPID_IPV6; +- break; +- +- case cpu_to_be16(ETH_P_802_3): +- head_len = 10; +- if (skb_headroom(skb) < head_len) { +- struct sk_buff *skb2 = skb_realloc_headroom(skb, +- head_len); ++ if (!skb->dev) { /* Control packets */ ++ switch (dlci) { ++ case LMI_CCITT_ANSI_DLCI: ++ skb_push(skb, 4); ++ skb->data[3] = NLPID_CCITT_ANSI_LMI; ++ break; ++ ++ case LMI_CISCO_DLCI: ++ skb_push(skb, 4); ++ skb->data[3] = NLPID_CISCO_LMI; ++ break; ++ ++ default: ++ return -EINVAL; ++ } ++ ++ } else if (skb->dev->type == ARPHRD_DLCI) { ++ switch (skb->protocol) { ++ case htons(ETH_P_IP): ++ skb_push(skb, 4); ++ skb->data[3] = NLPID_IP; ++ break; ++ ++ case htons(ETH_P_IPV6): ++ skb_push(skb, 4); ++ skb->data[3] = NLPID_IPV6; ++ break; ++ ++ default: ++ skb_push(skb, 10); ++ skb->data[3] = FR_PAD; ++ skb->data[4] = NLPID_SNAP; ++ /* OUI 00-00-00 indicates an Ethertype follows */ ++ skb->data[5] = 0x00; ++ skb->data[6] = 0x00; ++ 
skb->data[7] = 0x00; ++ /* This should be an Ethertype: */ ++ *(__be16 *)(skb->data + 8) = skb->protocol; ++ } ++ ++ } else if (skb->dev->type == ARPHRD_ETHER) { ++ if (skb_headroom(skb) < 10) { ++ struct sk_buff *skb2 = skb_realloc_headroom(skb, 10); + if (!skb2) + return -ENOBUFS; + dev_kfree_skb(skb); + skb = *skb_p = skb2; + } +- skb_push(skb, head_len); ++ skb_push(skb, 10); + skb->data[3] = FR_PAD; + skb->data[4] = NLPID_SNAP; +- skb->data[5] = FR_PAD; ++ /* OUI 00-80-C2 stands for the 802.1 organization */ ++ skb->data[5] = 0x00; + skb->data[6] = 0x80; + skb->data[7] = 0xC2; ++ /* PID 00-07 stands for Ethernet frames without FCS */ + skb->data[8] = 0x00; +- skb->data[9] = 0x07; /* bridged Ethernet frame w/out FCS */ +- break; ++ skb->data[9] = 0x07; + +- default: +- head_len = 10; +- skb_push(skb, head_len); +- skb->data[3] = FR_PAD; +- skb->data[4] = NLPID_SNAP; +- skb->data[5] = FR_PAD; +- skb->data[6] = FR_PAD; +- skb->data[7] = FR_PAD; +- *(__be16*)(skb->data + 8) = skb->protocol; ++ } else { ++ return -EINVAL; + } + + dlci_to_q922(skb->data, dlci); +@@ -425,8 +431,8 @@ static netdev_tx_t pvc_xmit(struct sk_buff *skb, struct net_device *dev) + skb_put(skb, pad); + memset(skb->data + len, 0, pad); + } +- skb->protocol = cpu_to_be16(ETH_P_802_3); + } ++ skb->dev = dev; + if (!fr_hard_header(&skb, pvc->dlci)) { + dev->stats.tx_bytes += skb->len; + dev->stats.tx_packets++; +@@ -494,10 +500,8 @@ static void fr_lmi_send(struct net_device *dev, int fullrep) + memset(skb->data, 0, len); + skb_reserve(skb, 4); + if (lmi == LMI_CISCO) { +- skb->protocol = cpu_to_be16(NLPID_CISCO_LMI); + fr_hard_header(&skb, LMI_CISCO_DLCI); + } else { +- skb->protocol = cpu_to_be16(NLPID_CCITT_ANSI_LMI); + fr_hard_header(&skb, LMI_CCITT_ANSI_DLCI); + } + data = skb_tail_pointer(skb); +-- +2.27.0 + 
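Review bot: In fr_hard_header(), only the `ARPHRD_ETHER` branch checks `skb_headroom(skb) < 10` before pushing. The `ARPHRD_DLCI` branch calls `skb_push(skb, 4)` or `skb_push(skb, 10)` on a user-supplied skb with no check. skb_push() panics when the headroom is too small, so this is safe only if the PVC device guarantees 10 bytes of headroom for every skb that reaches pvc_xmit(), and that setup is outside this hunk. If it is not guaranteed, the `skb_realloc_headroom()` block from the `ARPHRD_ETHER` branch should run for the `ARPHRD_DLCI` branch too, sized to the 4 or 10 bytes that branch pushes.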
diff --git a/queue-5.4/drivers-watchdog-rdc321x_wdt-fix-race-condition-bugs.patch b/queue-5.4/drivers-watchdog-rdc321x_wdt-fix-race-condition-bugs.patch
new file mode 100644
index 00000000000..9cf90c8d6d5
--- /dev/null
+++ b/queue-5.4/drivers-watchdog-rdc321x_wdt-fix-race-condition-bugs.patch
@@ -0,0 +1,62 @@ +From d08352bae5afd3a130e3a6bc594edab3cc10eafe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Aug 2020 16:59:02 +0530 +Subject: drivers: watchdog: rdc321x_wdt: Fix race condition bugs + +From: Madhuparna Bhowmik + +[ Upstream commit 4b2e7f99cdd314263c9d172bc17193b8b6bba463 ] + +In rdc321x_wdt_probe(), rdc321x_wdt_device.queue is initialized +after misc_register(), hence if ioctl is called before its +initialization which can call rdc321x_wdt_start() function, +it will see an uninitialized value of rdc321x_wdt_device.queue, +hence initialize it before misc_register(). +Also, rdc321x_wdt_device.default_ticks is accessed in reset() +function called from write callback, thus initialize it before +misc_register(). + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Madhuparna Bhowmik +Reviewed-by: Guenter Roeck +Reviewed-by: Florian Fainelli +Link: https://lore.kernel.org/r/20200807112902.28764-1-madhuparnabhowmik10@gmail.com +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/rdc321x_wdt.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/watchdog/rdc321x_wdt.c b/drivers/watchdog/rdc321x_wdt.c +index 2e608ae6cbc78..e0efbc5831986 100644 +--- a/drivers/watchdog/rdc321x_wdt.c ++++ b/drivers/watchdog/rdc321x_wdt.c +@@ -230,6 +230,8 @@ static int rdc321x_wdt_probe(struct platform_device *pdev) + + rdc321x_wdt_device.sb_pdev = pdata->sb_pdev; + rdc321x_wdt_device.base_reg = r->start; ++ rdc321x_wdt_device.queue = 0; ++ rdc321x_wdt_device.default_ticks = ticks; + + err = misc_register(&rdc321x_wdt_misc); + if (err < 0) { +@@ -244,14 +246,11 @@ static int rdc321x_wdt_probe(struct platform_device *pdev) + rdc321x_wdt_device.base_reg, RDC_WDT_RST); + + init_completion(&rdc321x_wdt_device.stop); +- rdc321x_wdt_device.queue = 0; + + clear_bit(0, &rdc321x_wdt_device.inuse); + + timer_setup(&rdc321x_wdt_device.timer, 
rdc321x_wdt_trigger, 0); + +- rdc321x_wdt_device.default_ticks = ticks; +- + dev_info(&pdev->dev, "watchdog init success\n"); + + return 0; +-- +2.27.0 + diff --git a/queue-5.4/drm-amd-display-hdmi-remote-sink-need-mode-validatio.patch b/queue-5.4/drm-amd-display-hdmi-remote-sink-need-mode-validatio.patch new file mode 100644 index 00000000000..9975b873195 --- /dev/null +++ b/queue-5.4/drm-amd-display-hdmi-remote-sink-need-mode-validatio.patch 
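Review bot: `init_completion(&rdc321x_wdt_device.stop)`, `clear_bit(0, &rdc321x_wdt_device.inuse)` and `timer_setup(&rdc321x_wdt_device.timer, rdc321x_wdt_trigger, 0)` still run after `misc_register(&rdc321x_wdt_misc)` in the second hunk of drivers/watchdog/rdc321x_wdt.c. The window this patch closes for `queue` and `default_ticks` therefore appears to stay open for the completion, the inuse bit and the timer. The changelog says ioctl can call rdc321x_wdt_start(), whose body is not shown here; if that path touches the timer or the completion, those three initialisations belong before registration as well, leaving `misc_register()` as the last step that exposes the device. rdc321x_wdt_probe() starts and ends outside both hunks, so the register writes between the two hunks need checking before anything is reordered.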
@@ -0,0 +1,49 @@
+From 2bfa803a643acd01ede7e850839ffbbf1d4ea633 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 21 Sep 2020 17:52:43 -0400
+Subject: drm/amd/display: HDMI remote sink need mode validation for Linux
+
+From: Fangzhi Zuo
+
+[ Upstream commit 95d620adb48f7728e67d82f56f756e8d451cf8d2 ]
+
+[Why]
+Currently mode validation is bypassed if remote sink exists. That
+leads to mode set issue when a BW bottle neck exists in the link path,
+e.g., a DP-to-HDMI converter that only supports HDMI 1.4.
+
+Any invalid mode passed to Linux user space will cause the modeset
+failure due to limitation of Linux user space implementation.
+
+[How]
+Mode validation is skipped only if in edid override. For real remote
+sink, clock limit check should be done for HDMI remote sink.
+
+Have HDMI related remote sink going through mode validation to
+elimiate modes which pixel clock exceeds BW limitation.
+
+Signed-off-by: Fangzhi Zuo
+Reviewed-by: Hersen Wu
+Acked-by: Eryk Brol
+Signed-off-by: Alex Deucher
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/display/dc/core/dc_link.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_link.c b/drivers/gpu/drm/amd/display/dc/core/dc_link.c
+index 3efee7b3378a3..47cefc05fd3f5 100644
+--- a/drivers/gpu/drm/amd/display/dc/core/dc_link.c
++++ b/drivers/gpu/drm/amd/display/dc/core/dc_link.c
+@@ -2268,7 +2268,7 @@ enum dc_status dc_link_validate_mode_timing(
+ /* A hack to avoid failing any modes for EDID override feature on
+ * topology change such as lower quality cable for DP or different dongle
+ */
+- if (link->remote_sinks[0])
++ if (link->remote_sinks[0] && link->remote_sinks[0]->sink_signal == SIGNAL_TYPE_VIRTUAL)
+ return DC_OK;
+
+ /* Passive Dongle */
+--
+2.27.0
+
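Review bot: The comment kept above the changed condition in dc_link_validate_mode_timing() still describes the bypass only as "a hack ... for EDID override feature" and does not say why `sink_signal == SIGNAL_TYPE_VIRTUAL` identifies that case. Since this test now decides which remote sinks skip the clock-limit validation, the comment should carry one more line, for example `* Only a virtual remote sink (EDID override) skips validation; real remote sinks are checked below.`. The added condition is also long enough to be worth breaking after the `&&`. The function body continues outside the hunk.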
diff --git a/queue-5.4/drm-bridge-synopsys-dsi-add-support-for-non-continuo.patch b/queue-5.4/drm-bridge-synopsys-dsi-add-support-for-non-continuo.patch
new file mode 100644
index 00000000000..7ccd2bb9244
--- /dev/null
+++ b/queue-5.4/drm-bridge-synopsys-dsi-add-support-for-non-continuo.patch
@@ -0,0 +1,67 @@ +From 2c2708b23371e866b77a21b93a058e2b7a88d815 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Jul 2020 21:42:34 +0200 +Subject: drm/bridge/synopsys: dsi: add support for non-continuous HS clock + +From: Antonio Borneo + +[ Upstream commit c6d94e37bdbb6dfe7e581e937a915ab58399b8a5 ] + +Current code enables the HS clock when video mode is started or to +send out a HS command, and disables the HS clock to send out a LP +command. This is not what DSI spec specify. + +Enable HS clock either in command and in video mode. +Set automatic HS clock management for panels and devices that +support non-continuous HS clock. + +Signed-off-by: Antonio Borneo +Tested-by: Philippe Cornu +Reviewed-by: Philippe Cornu +Acked-by: Neil Armstrong +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20200701194234.18123-1-yannick.fertre@st.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/synopsys/dw-mipi-dsi.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/synopsys/dw-mipi-dsi.c b/drivers/gpu/drm/bridge/synopsys/dw-mipi-dsi.c +index 675442bfc1bd7..77384c49fb8dd 100644 +--- a/drivers/gpu/drm/bridge/synopsys/dw-mipi-dsi.c ++++ b/drivers/gpu/drm/bridge/synopsys/dw-mipi-dsi.c +@@ -365,7 +365,6 @@ static void dw_mipi_message_config(struct dw_mipi_dsi *dsi, + if (lpm) + val |= CMD_MODE_ALL_LP; + +- dsi_write(dsi, DSI_LPCLK_CTRL, lpm ? 
0 : PHY_TXREQUESTCLKHS); + dsi_write(dsi, DSI_CMD_MODE_CFG, val); + } + +@@ -541,16 +540,22 @@ static void dw_mipi_dsi_video_mode_config(struct dw_mipi_dsi *dsi) + static void dw_mipi_dsi_set_mode(struct dw_mipi_dsi *dsi, + unsigned long mode_flags) + { ++ u32 val; ++ + dsi_write(dsi, DSI_PWR_UP, RESET); + + if (mode_flags & MIPI_DSI_MODE_VIDEO) { + dsi_write(dsi, DSI_MODE_CFG, ENABLE_VIDEO_MODE); + dw_mipi_dsi_video_mode_config(dsi); +- dsi_write(dsi, DSI_LPCLK_CTRL, PHY_TXREQUESTCLKHS); + } else { + dsi_write(dsi, DSI_MODE_CFG, ENABLE_CMD_MODE); + } + ++ val = PHY_TXREQUESTCLKHS; ++ if (dsi->mode_flags & MIPI_DSI_CLOCK_NON_CONTINUOUS) ++ val |= AUTO_CLKLANE_CTRL; ++ dsi_write(dsi, DSI_LPCLK_CTRL, val); ++ + dsi_write(dsi, DSI_PWR_UP, POWERUP); + } + +-- +2.27.0 + diff --git a/queue-5.4/drm-brige-megachips-add-checking-if-ge_b850v3_lvds_i.patch b/queue-5.4/drm-brige-megachips-add-checking-if-ge_b850v3_lvds_i.patch new file mode 100644 index 00000000000..c890d6dcab9 --- /dev/null +++ b/queue-5.4/drm-brige-megachips-add-checking-if-ge_b850v3_lvds_i.patch 
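Review bot: In dw_mipi_dsi_set_mode() the new clock-lane block tests `dsi->mode_flags & MIPI_DSI_CLOCK_NON_CONTINUOUS`, while the video/command decision a few lines above tests the `mode_flags` argument. If callers deliberately pass something other than `dsi->mode_flags` (not visible in this patch), the mix is intentional and deserves a comment such as `/* device capability, independent of the mode requested by the caller */`; otherwise the test should read `if (mode_flags & MIPI_DSI_CLOCK_NON_CONTINUOUS)`. For the 5.4 backport it is also worth confirming that `AUTO_CLKLANE_CTRL` is already defined in dw-mipi-dsi.c, since this patch uses it without adding it.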
@@ -0,0 +1,60 @@ +From cf6c0ac0d3c97d1084b05a64d59a66ee5d561152 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Aug 2020 17:37:56 +0300 +Subject: drm/brige/megachips: Add checking if ge_b850v3_lvds_init() is working + correctly + +From: Nadezda Lutovinova + +[ Upstream commit f688a345f0d7a6df4dd2aeca8e4f3c05e123a0ee ] + +If ge_b850v3_lvds_init() does not allocate memory for ge_b850v3_lvds_ptr, +then a null pointer dereference is accessed. + +The patch adds checking of the return value of ge_b850v3_lvds_init(). + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Nadezda Lutovinova +Signed-off-by: Sam Ravnborg +Link: https://patchwork.freedesktop.org/patch/msgid/20200819143756.30626-1-lutovinova@ispras.ru +Signed-off-by: Sasha Levin +--- + .../gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c b/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c +index 6e81e5db57f25..b050fd1f3d201 100644 +--- a/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c ++++ b/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c +@@ -295,8 +295,12 @@ static int stdp4028_ge_b850v3_fw_probe(struct i2c_client *stdp4028_i2c, + const struct i2c_device_id *id) + { + struct device *dev = &stdp4028_i2c->dev; ++ int ret; ++ ++ ret = ge_b850v3_lvds_init(dev); + +- ge_b850v3_lvds_init(dev); ++ if (ret) ++ return ret; + + ge_b850v3_lvds_ptr->stdp4028_i2c = stdp4028_i2c; + i2c_set_clientdata(stdp4028_i2c, ge_b850v3_lvds_ptr); +@@ -354,8 +358,12 @@ static int stdp2690_ge_b850v3_fw_probe(struct i2c_client *stdp2690_i2c, + const struct i2c_device_id *id) + { + struct device *dev = &stdp2690_i2c->dev; ++ int ret; ++ ++ ret = ge_b850v3_lvds_init(dev); + +- ge_b850v3_lvds_init(dev); ++ if (ret) ++ return ret; + + ge_b850v3_lvds_ptr->stdp2690_i2c = stdp2690_i2c; + i2c_set_clientdata(stdp2690_i2c, ge_b850v3_lvds_ptr); 
+-- +2.27.0 + diff --git a/queue-5.4/ext4-detect-already-used-quota-file-early.patch b/queue-5.4/ext4-detect-already-used-quota-file-early.patch new file mode 100644 index 00000000000..12f6715ee4d --- /dev/null +++ b/queue-5.4/ext4-detect-already-used-quota-file-early.patch @@ -0,0 +1,48 @@ +From 7d372e5a0ed2f395cda1632169c39287411e16ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Oct 2020 13:03:30 +0200 +Subject: ext4: Detect already used quota file early + +From: Jan Kara + +[ Upstream commit e0770e91424f694b461141cbc99adf6b23006b60 ] + +When we try to use file already used as a quota file again (for the same +or different quota type), strange things can happen. At the very least +lockdep annotations may be wrong but also inode flags may be wrongly set +/ reset. When the file is used for two quota types at once we can even +corrupt the file and likely crash the kernel. Catch all these cases by +checking whether passed file is already used as quota file and bail +early in that case. + +This fixes occasional generic/219 failure due to lockdep complaint. + +Reviewed-by: Andreas Dilger +Reported-by: Ritesh Harjani +Signed-off-by: Jan Kara +Link: https://lore.kernel.org/r/20201015110330.28716-1-jack@suse.cz +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/super.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index 4aae7e3e89a12..2603537b1f66b 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -5856,6 +5856,11 @@ static int ext4_quota_on(struct super_block *sb, int type, int format_id, + /* Quotafile not on the same filesystem? */ + if (path->dentry->d_sb != sb) + return -EXDEV; ++ ++ /* Quota already enabled for this file? */ ++ if (IS_NOQUOTA(d_inode(path->dentry))) ++ return -EBUSY; ++ + /* Journaling quota? */ + if (EXT4_SB(sb)->s_qf_names[type]) { + /* Quotafile not in fs root? */ +-- +2.27.0 + 
diff --git a/queue-5.4/f2fs-add-trace-exit-in-exception-path.patch b/queue-5.4/f2fs-add-trace-exit-in-exception-path.patch new file mode 100644 index 00000000000..fac49755e74 --- /dev/null +++ b/queue-5.4/f2fs-add-trace-exit-in-exception-path.patch @@ -0,0 +1,40 @@ +From add577486509d21d17061a4ee572df2b00a4e942 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Sep 2020 20:45:44 +0800 +Subject: f2fs: add trace exit in exception path + +From: Zhang Qilong + +[ Upstream commit 9b66482282888d02832b7d90239e1cdb18e4b431 ] + +Missing the trace exit in f2fs_sync_dirty_inodes + +Signed-off-by: Zhang Qilong +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/checkpoint.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/fs/f2fs/checkpoint.c b/fs/f2fs/checkpoint.c +index bbd07fe8a4921..3d7f9e20a54bd 100644 +--- a/fs/f2fs/checkpoint.c ++++ b/fs/f2fs/checkpoint.c +@@ -1044,8 +1044,12 @@ int f2fs_sync_dirty_inodes(struct f2fs_sb_info *sbi, enum inode_type type) + get_pages(sbi, is_dir ? + F2FS_DIRTY_DENTS : F2FS_DIRTY_DATA)); + retry: +- if (unlikely(f2fs_cp_error(sbi))) ++ if (unlikely(f2fs_cp_error(sbi))) { ++ trace_f2fs_sync_dirty_inodes_exit(sbi->sb, is_dir, ++ get_pages(sbi, is_dir ? ++ F2FS_DIRTY_DENTS : F2FS_DIRTY_DATA)); + return -EIO; ++ } + + spin_lock(&sbi->inode_lock[type]); + +-- +2.27.0 + diff --git a/queue-5.4/f2fs-fix-to-check-segment-boundary-during-sit-page-r.patch b/queue-5.4/f2fs-fix-to-check-segment-boundary-during-sit-page-r.patch new file mode 100644 index 00000000000..3a00c0091bd --- /dev/null +++ b/queue-5.4/f2fs-fix-to-check-segment-boundary-during-sit-page-r.patch 
@@ -0,0 +1,60 @@ +From 476cf30706fb47e0bc9a655a8d8234b4c97b5ff0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Sep 2020 09:23:12 +0800 +Subject: f2fs: fix to check segment boundary during SIT page readahead + +From: Chao Yu + +[ Upstream commit 6a257471fa42c8c9c04a875cd3a2a22db148e0f0 ] + +As syzbot reported: + +kernel BUG at fs/f2fs/segment.h:657! +invalid opcode: 0000 [#1] PREEMPT SMP KASAN +CPU: 1 PID: 16220 Comm: syz-executor.0 Not tainted 5.9.0-rc5-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +RIP: 0010:f2fs_ra_meta_pages+0xa51/0xdc0 fs/f2fs/segment.h:657 +Call Trace: + build_sit_entries fs/f2fs/segment.c:4195 [inline] + f2fs_build_segment_manager+0x4b8a/0xa3c0 fs/f2fs/segment.c:4779 + f2fs_fill_super+0x377d/0x6b80 fs/f2fs/super.c:3633 + mount_bdev+0x32e/0x3f0 fs/super.c:1417 + legacy_get_tree+0x105/0x220 fs/fs_context.c:592 + vfs_get_tree+0x89/0x2f0 fs/super.c:1547 + do_new_mount fs/namespace.c:2875 [inline] + path_mount+0x1387/0x2070 fs/namespace.c:3192 + do_mount fs/namespace.c:3205 [inline] + __do_sys_mount fs/namespace.c:3413 [inline] + __se_sys_mount fs/namespace.c:3390 [inline] + __x64_sys_mount+0x27f/0x300 fs/namespace.c:3390 + do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +@blkno in f2fs_ra_meta_pages could exceed max segment count, causing panic +in following sanity check in current_sit_addr(), add check condition to +avoid this issue. 
+ +Reported-by: syzbot+3698081bcf0bb2d12174@syzkaller.appspotmail.com +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/checkpoint.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/f2fs/checkpoint.c b/fs/f2fs/checkpoint.c +index 3d7f9e20a54bd..6d9be7783d25c 100644 +--- a/fs/f2fs/checkpoint.c ++++ b/fs/f2fs/checkpoint.c +@@ -243,6 +243,8 @@ int f2fs_ra_meta_pages(struct f2fs_sb_info *sbi, block_t start, int nrpages, + blkno * NAT_ENTRY_PER_BLOCK); + break; + case META_SIT: ++ if (unlikely(blkno >= TOTAL_SEGS(sbi))) ++ goto out; + /* get sit block addr */ + fio.new_blkaddr = current_sit_addr(sbi, + blkno * SIT_ENTRY_PER_BLOCK); +-- +2.27.0 + diff --git a/queue-5.4/f2fs-fix-uninit-value-in-f2fs_lookup.patch b/queue-5.4/f2fs-fix-uninit-value-in-f2fs_lookup.patch new file mode 100644 index 00000000000..a4debf3c381 --- /dev/null +++ b/queue-5.4/f2fs-fix-uninit-value-in-f2fs_lookup.patch 
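Review bot: The new guard in the META_SIT case of f2fs_ra_meta_pages() compares `blkno` with `TOTAL_SEGS(sbi)`, but the value passed to `current_sit_addr()` on the following line is `blkno * SIT_ENTRY_PER_BLOCK`. The body of current_sit_addr() is not in this hunk; if the sanity check there bounds that segment number, as the changelog suggests, a `blkno` just below TOTAL_SEGS still yields a product above it whenever SIT_ENTRY_PER_BLOCK is larger than one. A corrupted image could then still reach the same BUG. Bounding the value that is actually passed would close this, for example `if (unlikely(blkno * SIT_ENTRY_PER_BLOCK >= TOTAL_SEGS(sbi))) goto out;`. The enclosing switch and the `out` label lie outside the hunk.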
@@ -0,0 +1,81 @@ +From ead1e355b152d83b96e6d6c4256b976550ca232a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Sep 2020 09:22:50 +0800 +Subject: f2fs: fix uninit-value in f2fs_lookup + +From: Chao Yu + +[ Upstream commit 6d7ab88a98c1b7a47c228f8ffb4f44d631eaf284 ] + +As syzbot reported: + +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x21c/0x280 lib/dump_stack.c:118 + kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:122 + __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:219 + f2fs_lookup+0xe05/0x1a80 fs/f2fs/namei.c:503 + lookup_open fs/namei.c:3082 [inline] + open_last_lookups fs/namei.c:3177 [inline] + path_openat+0x2729/0x6a90 fs/namei.c:3365 + do_filp_open+0x2b8/0x710 fs/namei.c:3395 + do_sys_openat2+0xa88/0x1140 fs/open.c:1168 + do_sys_open fs/open.c:1184 [inline] + __do_compat_sys_openat fs/open.c:1242 [inline] + __se_compat_sys_openat+0x2a4/0x310 fs/open.c:1240 + __ia32_compat_sys_openat+0x56/0x70 fs/open.c:1240 + do_syscall_32_irqs_on arch/x86/entry/common.c:80 [inline] + __do_fast_syscall_32+0x129/0x180 arch/x86/entry/common.c:139 + do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:162 + do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:205 + entry_SYSENTER_compat_after_hwframe+0x4d/0x5c + +In f2fs_lookup(), @res_page could be used before being initialized, +because in __f2fs_find_entry(), once F2FS_I(dir)->i_current_depth was +been fuzzed to zero, then @res_page will never be initialized, causing +this kmsan warning, relocating @res_page initialization place to fix +this bug. 
+ +Reported-by: syzbot+0eac6f0bbd558fd866d7@syzkaller.appspotmail.com +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/dir.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/fs/f2fs/dir.c b/fs/f2fs/dir.c +index e9af46dc06f72..78d041f9775a4 100644 +--- a/fs/f2fs/dir.c ++++ b/fs/f2fs/dir.c +@@ -303,16 +303,15 @@ struct f2fs_dir_entry *__f2fs_find_entry(struct inode *dir, + unsigned int max_depth; + unsigned int level; + ++ *res_page = NULL; ++ + if (f2fs_has_inline_dentry(dir)) { +- *res_page = NULL; + de = f2fs_find_in_inline_dir(dir, fname, res_page); + goto out; + } + +- if (npages == 0) { +- *res_page = NULL; ++ if (npages == 0) + goto out; +- } + + max_depth = F2FS_I(dir)->i_current_depth; + if (unlikely(max_depth > MAX_DIR_HASH_DEPTH)) { +@@ -323,7 +322,6 @@ struct f2fs_dir_entry *__f2fs_find_entry(struct inode *dir, + } + + for (level = 0; level < max_depth; level++) { +- *res_page = NULL; + de = find_in_level(dir, level, fname, res_page); + if (de || IS_ERR(*res_page)) + break; +-- +2.27.0 + diff --git a/queue-5.4/f2fs-handle-errors-of-f2fs_get_meta_page_nofail.patch b/queue-5.4/f2fs-handle-errors-of-f2fs_get_meta_page_nofail.patch new file mode 100644 index 00000000000..07eae525dc4 --- /dev/null +++ b/queue-5.4/f2fs-handle-errors-of-f2fs_get_meta_page_nofail.patch 
@@ -0,0 +1,131 @@ +From ab12118444c15d7fb46b9cc1193d6b07a5a34acd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Oct 2020 14:17:35 -0700 +Subject: f2fs: handle errors of f2fs_get_meta_page_nofail + +From: Jaegeuk Kim + +[ Upstream commit 86f33603f8c51537265ff7ac0320638fd2cbdb1b ] + +First problem is we hit BUG_ON() in f2fs_get_sum_page given EIO on +f2fs_get_meta_page_nofail(). + +Quick fix was not to give any error with infinite loop, but syzbot caught +a case where it goes to that loop from fuzzed image. In turned out we abused +f2fs_get_meta_page_nofail() like in the below call stack. + +- f2fs_fill_super + - f2fs_build_segment_manager + - build_sit_entries + - get_current_sit_page + +INFO: task syz-executor178:6870 can't die for more than 143 seconds. +task:syz-executor178 state:R + stack:26960 pid: 6870 ppid: 6869 flags:0x00004006 +Call Trace: + +Showing all locks held in the system: +1 lock held by khungtaskd/1179: + #0: ffffffff8a554da0 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x53/0x260 kernel/locking/lockdep.c:6242 +1 lock held by systemd-journal/3920: +1 lock held by in:imklog/6769: + #0: ffff88809eebc130 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0xe9/0x100 fs/file.c:930 +1 lock held by syz-executor178/6870: + #0: ffff8880925120e0 (&type->s_umount_key#47/1){+.+.}-{3:3}, at: alloc_super+0x201/0xaf0 fs/super.c:229 + +Actually, we didn't have to use _nofail in this case, since we could return +error to mount(2) already with the error handler. + +As a result, this patch tries to 1) remove _nofail callers as much as possible, +2) deal with error case in last remaining caller, f2fs_get_sum_page(). 
+ +Reported-by: syzbot+ee250ac8137be41d7b13@syzkaller.appspotmail.com +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/checkpoint.c | 2 +- + fs/f2fs/f2fs.h | 2 +- + fs/f2fs/node.c | 2 +- + fs/f2fs/segment.c | 12 +++++++++--- + 4 files changed, 12 insertions(+), 6 deletions(-) + +diff --git a/fs/f2fs/checkpoint.c b/fs/f2fs/checkpoint.c +index 6d9be7783d25c..c966ccc44c157 100644 +--- a/fs/f2fs/checkpoint.c ++++ b/fs/f2fs/checkpoint.c +@@ -108,7 +108,7 @@ struct page *f2fs_get_meta_page(struct f2fs_sb_info *sbi, pgoff_t index) + return __get_meta_page(sbi, index, true); + } + +-struct page *f2fs_get_meta_page_nofail(struct f2fs_sb_info *sbi, pgoff_t index) ++struct page *f2fs_get_meta_page_retry(struct f2fs_sb_info *sbi, pgoff_t index) + { + struct page *page; + int count = 0; +diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h +index b3b7e63394be7..63440abe58c42 100644 +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -3149,7 +3149,7 @@ enum rw_hint f2fs_io_type_to_rw_hint(struct f2fs_sb_info *sbi, + void f2fs_stop_checkpoint(struct f2fs_sb_info *sbi, bool end_io); + struct page *f2fs_grab_meta_page(struct f2fs_sb_info *sbi, pgoff_t index); + struct page *f2fs_get_meta_page(struct f2fs_sb_info *sbi, pgoff_t index); +-struct page *f2fs_get_meta_page_nofail(struct f2fs_sb_info *sbi, pgoff_t index); ++struct page *f2fs_get_meta_page_retry(struct f2fs_sb_info *sbi, pgoff_t index); + struct page *f2fs_get_tmp_page(struct f2fs_sb_info *sbi, pgoff_t index); + bool f2fs_is_valid_blkaddr(struct f2fs_sb_info *sbi, + block_t blkaddr, int type); +diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c +index ed12e96681842..2a4a382f28fed 100644 +--- a/fs/f2fs/node.c ++++ b/fs/f2fs/node.c +@@ -109,7 +109,7 @@ static void clear_node_page_dirty(struct page *page) + + static struct page *get_current_nat_page(struct f2fs_sb_info *sbi, nid_t nid) + { +- return f2fs_get_meta_page_nofail(sbi, current_nat_addr(sbi, nid)); ++ return f2fs_get_meta_page(sbi, 
current_nat_addr(sbi, nid)); + } + + static struct page *get_next_nat_page(struct f2fs_sb_info *sbi, nid_t nid) +diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c +index 7d85784012678..5ba677f85533c 100644 +--- a/fs/f2fs/segment.c ++++ b/fs/f2fs/segment.c +@@ -2310,7 +2310,9 @@ int f2fs_npages_for_summary_flush(struct f2fs_sb_info *sbi, bool for_ra) + */ + struct page *f2fs_get_sum_page(struct f2fs_sb_info *sbi, unsigned int segno) + { +- return f2fs_get_meta_page_nofail(sbi, GET_SUM_BLOCK(sbi, segno)); ++ if (unlikely(f2fs_cp_error(sbi))) ++ return ERR_PTR(-EIO); ++ return f2fs_get_meta_page_retry(sbi, GET_SUM_BLOCK(sbi, segno)); + } + + void f2fs_update_meta_page(struct f2fs_sb_info *sbi, +@@ -2582,7 +2584,11 @@ static void change_curseg(struct f2fs_sb_info *sbi, int type) + __next_free_blkoff(sbi, curseg, 0); + + sum_page = f2fs_get_sum_page(sbi, new_segno); +- f2fs_bug_on(sbi, IS_ERR(sum_page)); ++ if (IS_ERR(sum_page)) { ++ /* GC won't be able to use stale summary pages by cp_error */ ++ memset(curseg->sum_blk, 0, SUM_ENTRY_SIZE); ++ return; ++ } + sum_node = (struct f2fs_summary_block *)page_address(sum_page); + memcpy(curseg->sum_blk, sum_node, SUM_ENTRY_SIZE); + f2fs_put_page(sum_page, 1); +@@ -3713,7 +3719,7 @@ int f2fs_lookup_journal_in_cursum(struct f2fs_journal *journal, int type, + static struct page *get_current_sit_page(struct f2fs_sb_info *sbi, + unsigned int segno) + { +- return f2fs_get_meta_page_nofail(sbi, current_sit_addr(sbi, segno)); ++ return f2fs_get_meta_page(sbi, current_sit_addr(sbi, segno)); + } + + static struct page *get_next_sit_page(struct f2fs_sb_info *sbi, +-- +2.27.0 + diff --git a/queue-5.4/firmware-arm_scmi-add-missing-rx-size-re-initialisat.patch b/queue-5.4/firmware-arm_scmi-add-missing-rx-size-re-initialisat.patch new file mode 100644 index 00000000000..9e8cb3538e8 --- /dev/null +++ b/queue-5.4/firmware-arm_scmi-add-missing-rx-size-re-initialisat.patch 
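Review bot: get_current_nat_page() in node.c and get_current_sit_page() in segment.c now call `f2fs_get_meta_page()` instead of the retrying variant, so per the changelog they can hand back an error pointer, yet no caller of either helper is touched by this patch. On the 5.4 tree each caller needs an `IS_ERR()` check before the page is dereferenced (the changelog's call stack names build_sit_entries); without it an I/O error on a damaged image becomes a bad pointer dereference instead of a failed mount. The same applies to the other callers of f2fs_get_sum_page(), which now returns `ERR_PTR(-EIO)` on checkpoint error. Only change_curseg() is adapted here, and because it returns void its caller cannot tell that `curseg->sum_blk` was zeroed rather than loaded.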
@@ -0,0 +1,124 @@ +From b2238d6c37656ef84e9ae82fa2b299a4f7101c5d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Oct 2020 14:26:24 +0100 +Subject: firmware: arm_scmi: Add missing Rx size re-initialisation + +From: Sudeep Holla + +[ Upstream commit 9724722fde8f9bbd2b87340f00b9300c9284001e ] + +Few commands provide the list of description partially and require +to be called consecutively until all the descriptors are fetched +completely. In such cases, we don't release the buffers and reuse +them for consecutive transmits. + +However, currently we don't reset the Rx size which will be set as +per the response for the last transmit. This may result in incorrect +response size being interpretted as the firmware may repond with size +greater than the one set but we read only upto the size set by previous +response. + +Let us reset the receive buffer size to max possible in such cases as +we don't know the exact size of the response. + +Link: https://lore.kernel.org/r/20201012141746.32575-1-sudeep.holla@arm.com +Fixes: b6f20ff8bd94 ("firmware: arm_scmi: add common infrastructure and support for base protocol") +Reported-by: Etienne Carriere +Signed-off-by: Sudeep Holla +Signed-off-by: Sasha Levin +--- + drivers/firmware/arm_scmi/base.c | 2 ++ + drivers/firmware/arm_scmi/clock.c | 2 ++ + drivers/firmware/arm_scmi/common.h | 2 ++ + drivers/firmware/arm_scmi/driver.c | 8 ++++++++ + drivers/firmware/arm_scmi/perf.c | 2 ++ + drivers/firmware/arm_scmi/sensors.c | 2 ++ + 6 files changed, 18 insertions(+) + +diff --git a/drivers/firmware/arm_scmi/base.c b/drivers/firmware/arm_scmi/base.c +index f804e8af6521b..f986ee8919f03 100644 +--- a/drivers/firmware/arm_scmi/base.c ++++ b/drivers/firmware/arm_scmi/base.c +@@ -173,6 +173,8 @@ static int scmi_base_implementation_list_get(const struct scmi_handle *handle, + protocols_imp[tot_num_ret + loop] = *(list + loop); + + tot_num_ret += loop_num_ret; ++ ++ scmi_reset_rx_to_maxsz(handle, t); + } while (loop_num_ret); + + 
scmi_xfer_put(handle, t); +diff --git a/drivers/firmware/arm_scmi/clock.c b/drivers/firmware/arm_scmi/clock.c +index 32526a793f3ac..38400a8d0ca89 100644 +--- a/drivers/firmware/arm_scmi/clock.c ++++ b/drivers/firmware/arm_scmi/clock.c +@@ -177,6 +177,8 @@ scmi_clock_describe_rates_get(const struct scmi_handle *handle, u32 clk_id, + } + + tot_rate_cnt += num_returned; ++ ++ scmi_reset_rx_to_maxsz(handle, t); + /* + * check for both returned and remaining to avoid infinite + * loop due to buggy firmware +diff --git a/drivers/firmware/arm_scmi/common.h b/drivers/firmware/arm_scmi/common.h +index 5237c2ff79fea..9a680b9af9e58 100644 +--- a/drivers/firmware/arm_scmi/common.h ++++ b/drivers/firmware/arm_scmi/common.h +@@ -103,6 +103,8 @@ int scmi_do_xfer_with_response(const struct scmi_handle *h, + struct scmi_xfer *xfer); + int scmi_xfer_get_init(const struct scmi_handle *h, u8 msg_id, u8 prot_id, + size_t tx_size, size_t rx_size, struct scmi_xfer **p); ++void scmi_reset_rx_to_maxsz(const struct scmi_handle *handle, ++ struct scmi_xfer *xfer); + int scmi_handle_put(const struct scmi_handle *handle); + struct scmi_handle *scmi_handle_get(struct device *dev); + void scmi_set_handle(struct scmi_device *scmi_dev); +diff --git a/drivers/firmware/arm_scmi/driver.c b/drivers/firmware/arm_scmi/driver.c +index 3eb0382491ceb..11078199abed3 100644 +--- a/drivers/firmware/arm_scmi/driver.c ++++ b/drivers/firmware/arm_scmi/driver.c +@@ -481,6 +481,14 @@ int scmi_do_xfer(const struct scmi_handle *handle, struct scmi_xfer *xfer) + return ret; + } + ++void scmi_reset_rx_to_maxsz(const struct scmi_handle *handle, ++ struct scmi_xfer *xfer) ++{ ++ struct scmi_info *info = handle_to_scmi_info(handle); ++ ++ xfer->rx.len = info->desc->max_msg_size; ++} ++ + #define SCMI_MAX_RESPONSE_TIMEOUT (2 * MSEC_PER_SEC) + + /** +diff --git a/drivers/firmware/arm_scmi/perf.c b/drivers/firmware/arm_scmi/perf.c +index 601af4edad5e6..129a2887e964f 100644 +--- a/drivers/firmware/arm_scmi/perf.c ++++ 
b/drivers/firmware/arm_scmi/perf.c +@@ -281,6 +281,8 @@ scmi_perf_describe_levels_get(const struct scmi_handle *handle, u32 domain, + } + + tot_opp_cnt += num_returned; ++ ++ scmi_reset_rx_to_maxsz(handle, t); + /* + * check for both returned and remaining to avoid infinite + * loop due to buggy firmware +diff --git a/drivers/firmware/arm_scmi/sensors.c b/drivers/firmware/arm_scmi/sensors.c +index a400ea805fc23..931208bc48f12 100644 +--- a/drivers/firmware/arm_scmi/sensors.c ++++ b/drivers/firmware/arm_scmi/sensors.c +@@ -154,6 +154,8 @@ static int scmi_sensor_description_get(const struct scmi_handle *handle, + } + + desc_index += num_returned; ++ ++ scmi_reset_rx_to_maxsz(handle, t); + /* + * check for both returned and remaining to avoid infinite + * loop due to buggy firmware +-- +2.27.0 + diff --git a/queue-5.4/firmware-arm_scmi-fix-arch_cold_reset.patch b/queue-5.4/firmware-arm_scmi-fix-arch_cold_reset.patch new file mode 100644 index 00000000000..de1e0e22871 --- /dev/null +++ b/queue-5.4/firmware-arm_scmi-fix-arch_cold_reset.patch 
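Review bot: scmi_reset_rx_to_maxsz() is added to driver.c and declared in common.h without any comment, while the next definition in driver.c opens with a `/**` kernel-doc block. A short kernel-doc should state that it restores `xfer->rx.len` to `info->desc->max_msg_size` and has to be called before a transfer is reused for a further response; that would explain the four call sites in base.c, clock.c, perf.c and sensors.c. Those calls sit in loops that begin outside their hunks. Because the reset lets a full-size response through on every iteration, each loop's copy of firmware-supplied entries should be confirmed to stay within its destination array.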
@@ -0,0 +1,39 @@
+From dc38f40ff3f4b9bf8810384c19dc0076648f878a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 8 Oct 2020 16:37:22 +0200
+Subject: firmware: arm_scmi: Fix ARCH_COLD_RESET
+
+From: Etienne Carriere
+
+[ Upstream commit 45b9e04d5ba0b043783dfe2b19bb728e712cb32e ]
+
+The defination for ARCH_COLD_RESET is wrong. Let us fix it according to
+the SCMI specification.
+
+Link: https://lore.kernel.org/r/20201008143722.21888-5-etienne.carriere@linaro.org
+Fixes: 95a15d80aa0d ("firmware: arm_scmi: Add RESET protocol in SCMI v2.0")
+Signed-off-by: Etienne Carriere
+Signed-off-by: Sudeep Holla
+Signed-off-by: Sasha Levin
+---
+ drivers/firmware/arm_scmi/reset.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/firmware/arm_scmi/reset.c b/drivers/firmware/arm_scmi/reset.c
+index ab42c21c55175..6d223f345b6c9 100644
+--- a/drivers/firmware/arm_scmi/reset.c
++++ b/drivers/firmware/arm_scmi/reset.c
+@@ -35,9 +35,7 @@ struct scmi_msg_reset_domain_reset {
+ #define EXPLICIT_RESET_ASSERT BIT(1)
+ #define ASYNCHRONOUS_RESET BIT(2)
+ __le32 reset_state;
+-#define ARCH_RESET_TYPE BIT(31)
+-#define COLD_RESET_STATE BIT(0)
+-#define ARCH_COLD_RESET (ARCH_RESET_TYPE | COLD_RESET_STATE)
++#define ARCH_COLD_RESET 0
+ };
+
+ struct reset_dom_info {
+--
+2.27.0
+
diff --git a/queue-5.4/futex-fix-incorrect-should_fail_futex-handling.patch b/queue-5.4/futex-fix-incorrect-should_fail_futex-handling.patch
new file mode 100644
index 00000000000..6366c826725
--- /dev/null
+++ b/queue-5.4/futex-fix-incorrect-should_fail_futex-handling.patch
@@ -0,0 +1,49 @@
+From afb1e495adfe1a3c8ddea75dc7e725725f6cdc1e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 27 Sep 2020 02:08:58 +0200
+Subject: futex: Fix incorrect should_fail_futex() handling
+
+From: Mateusz Nosek
+
+[ Upstream commit 921c7ebd1337d1a46783d7e15a850e12aed2eaa0 ]
+
+If should_futex_fail() returns true in futex_wake_pi(), then the 'ret'
+variable is set to -EFAULT and then immediately overwritten. So the failure
+injection is non-functional.
+
+Fix it by actually leaving the function and returning -EFAULT.
+
+The Fixes tag is kinda blury because the initial commit which introduced
+failure injection was already sloppy, but the below mentioned commit broke
+it completely.
+
+[ tglx: Massaged changelog ]
+
+Fixes: 6b4f4bc9cb22 ("locking/futex: Allow low-level atomic operations to return -EAGAIN")
+Signed-off-by: Mateusz Nosek
+Signed-off-by: Thomas Gleixner
+Link: https://lore.kernel.org/r/20200927000858.24219-1-mateusznosek0@gmail.com
+Signed-off-by: Sasha Levin
+---
+ kernel/futex.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/futex.c b/kernel/futex.c
+index 5660c02b01b05..17fba7a986e0f 100644
+--- a/kernel/futex.c
++++ b/kernel/futex.c
+@@ -1594,8 +1594,10 @@ static int wake_futex_pi(u32 __user *uaddr, u32 uval, struct futex_pi_state *pi_
+ */
+ newval = FUTEX_WAITERS | task_pid_vnr(new_owner);
+
+- if (unlikely(should_fail_futex(true)))
++ if (unlikely(should_fail_futex(true))) {
+ ret = -EFAULT;
++ goto out_unlock;
++ }
+
+ ret = cmpxchg_futex_value_locked(&curval, uaddr, uval, newval);
+ if (!ret && (curval != uval)) {
+--
+2.27.0
+
diff --git a/queue-5.4/gfs2-add-validation-checks-for-size-of-superblock.patch b/queue-5.4/gfs2-add-validation-checks-for-size-of-superblock.patch
new file mode 100644
index 00000000000..6060f7e4100
--- /dev/null
+++ b/queue-5.4/gfs2-add-validation-checks-for-size-of-superblock.patch
@@ -0,0 +1,62 @@ +From 654256f595c17aa192f762c3c241c2aaee0f8dc1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Oct 2020 22:01:09 +0530 +Subject: gfs2: add validation checks for size of superblock + +From: Anant Thazhemadam + +[ Upstream commit 0ddc5154b24c96f20e94d653b0a814438de6032b ] + +In gfs2_check_sb(), no validation checks are performed with regards to +the size of the superblock. +syzkaller detected a slab-out-of-bounds bug that was primarily caused +because the block size for a superblock was set to zero. +A valid size for a superblock is a power of 2 between 512 and PAGE_SIZE. +Performing validation checks and ensuring that the size of the superblock +is valid fixes this bug. + +Reported-by: syzbot+af90d47a37376844e731@syzkaller.appspotmail.com +Tested-by: syzbot+af90d47a37376844e731@syzkaller.appspotmail.com +Suggested-by: Andrew Price +Signed-off-by: Anant Thazhemadam +[Minor code reordering.] +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Sasha Levin +--- + fs/gfs2/ops_fstype.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c +index 338666a97fff6..29b27d769860c 100644 +--- a/fs/gfs2/ops_fstype.c ++++ b/fs/gfs2/ops_fstype.c +@@ -169,15 +169,19 @@ static int gfs2_check_sb(struct gfs2_sbd *sdp, int silent) + return -EINVAL; + } + +- /* If format numbers match exactly, we're done. 
*/ +- +- if (sb->sb_fs_format == GFS2_FORMAT_FS && +- sb->sb_multihost_format == GFS2_FORMAT_MULTI) +- return 0; ++ if (sb->sb_fs_format != GFS2_FORMAT_FS || ++ sb->sb_multihost_format != GFS2_FORMAT_MULTI) { ++ fs_warn(sdp, "Unknown on-disk format, unable to mount\n"); ++ return -EINVAL; ++ } + +- fs_warn(sdp, "Unknown on-disk format, unable to mount\n"); ++ if (sb->sb_bsize < 512 || sb->sb_bsize > PAGE_SIZE || ++ (sb->sb_bsize & (sb->sb_bsize - 1))) { ++ pr_warn("Invalid superblock size\n"); ++ return -EINVAL; ++ } + +- return -EINVAL; ++ return 0; + } + + static void end_bio_io_page(struct bio *bio) +-- +2.27.0 + diff --git a/queue-5.4/gfs2-use-after-free-in-sysfs-deregistration.patch b/queue-5.4/gfs2-use-after-free-in-sysfs-deregistration.patch new file mode 100644 index 00000000000..ea9c09f99b6 --- /dev/null +++ b/queue-5.4/gfs2-use-after-free-in-sysfs-deregistration.patch 
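Review bot: The new block-size rejection in gfs2_check_sb() logs through `pr_warn("Invalid superblock size\n")`, while the format check directly above it uses `fs_warn(sdp, ...)`, so the message does not identify which filesystem was refused, and it says "superblock size" although the field tested is `sb_bsize`. I would write `fs_warn(sdp, "Invalid block size\n");` to match the neighbouring branch. The check covers `sb_bsize` only; whether other size-related fields taken from the same on-disk superblock are validated elsewhere is not visible in this hunk and is worth confirming, since the values come from an untrusted image. A one-line comment above the test, such as `/* block size must be a power of 2 in [512, PAGE_SIZE] */`, would also spare readers from decoding the bit trick.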
@@ -0,0 +1,189 @@ +From 917a5634b5127c68c8288ebecfee3fb18e8ad410 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Oct 2020 14:13:09 +0100 +Subject: gfs2: use-after-free in sysfs deregistration + +From: Jamie Iles + +[ Upstream commit c2a04b02c060c4858762edce4674d5cba3e5a96f ] + +syzkaller found the following splat with CONFIG_DEBUG_KOBJECT_RELEASE=y: + + Read of size 1 at addr ffff000028e896b8 by task kworker/1:2/228 + + CPU: 1 PID: 228 Comm: kworker/1:2 Tainted: G S 5.9.0-rc8+ #101 + Hardware name: linux,dummy-virt (DT) + Workqueue: events kobject_delayed_cleanup + Call trace: + dump_backtrace+0x0/0x4d8 + show_stack+0x34/0x48 + dump_stack+0x174/0x1f8 + print_address_description.constprop.0+0x5c/0x550 + kasan_report+0x13c/0x1c0 + __asan_report_load1_noabort+0x34/0x60 + memcmp+0xd0/0xd8 + gfs2_uevent+0xc4/0x188 + kobject_uevent_env+0x54c/0x1240 + kobject_uevent+0x2c/0x40 + __kobject_del+0x190/0x1d8 + kobject_delayed_cleanup+0x2bc/0x3b8 + process_one_work+0x96c/0x18c0 + worker_thread+0x3f0/0xc30 + kthread+0x390/0x498 + ret_from_fork+0x10/0x18 + + Allocated by task 1110: + kasan_save_stack+0x28/0x58 + __kasan_kmalloc.isra.0+0xc8/0xe8 + kasan_kmalloc+0x10/0x20 + kmem_cache_alloc_trace+0x1d8/0x2f0 + alloc_super+0x64/0x8c0 + sget_fc+0x110/0x620 + get_tree_bdev+0x190/0x648 + gfs2_get_tree+0x50/0x228 + vfs_get_tree+0x84/0x2e8 + path_mount+0x1134/0x1da8 + do_mount+0x124/0x138 + __arm64_sys_mount+0x164/0x238 + el0_svc_common.constprop.0+0x15c/0x598 + do_el0_svc+0x60/0x150 + el0_svc+0x34/0xb0 + el0_sync_handler+0xc8/0x5b4 + el0_sync+0x15c/0x180 + + Freed by task 228: + kasan_save_stack+0x28/0x58 + kasan_set_track+0x28/0x40 + kasan_set_free_info+0x24/0x48 + __kasan_slab_free+0x118/0x190 + kasan_slab_free+0x14/0x20 + slab_free_freelist_hook+0x6c/0x210 + kfree+0x13c/0x460 + +Use the same pattern as f2fs + ext4 where the kobject destruction must +complete before allowing the FS itself to be freed. This means that we +need an explicit free_sbd in the callers. 
+ +Cc: Bob Peterson +Cc: Andreas Gruenbacher +Signed-off-by: Jamie Iles +[Also go to fail_free when init_names fails.] +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Sasha Levin +--- + fs/gfs2/incore.h | 1 + + fs/gfs2/ops_fstype.c | 22 +++++----------------- + fs/gfs2/super.c | 1 + + fs/gfs2/sys.c | 5 ++++- + 4 files changed, 11 insertions(+), 18 deletions(-) + +diff --git a/fs/gfs2/incore.h b/fs/gfs2/incore.h +index 5f89c515f5bb7..33a6b074209da 100644 +--- a/fs/gfs2/incore.h ++++ b/fs/gfs2/incore.h +@@ -694,6 +694,7 @@ struct gfs2_sbd { + struct super_block *sd_vfs; + struct gfs2_pcpu_lkstats __percpu *sd_lkstats; + struct kobject sd_kobj; ++ struct completion sd_kobj_unregister; + unsigned long sd_flags; /* SDF_... */ + struct gfs2_sb_host sd_sb; + +diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c +index e0c55765b06d2..338666a97fff6 100644 +--- a/fs/gfs2/ops_fstype.c ++++ b/fs/gfs2/ops_fstype.c +@@ -1094,26 +1094,14 @@ static int gfs2_fill_super(struct super_block *sb, struct fs_context *fc) + } + + error = init_names(sdp, silent); +- if (error) { +- /* In this case, we haven't initialized sysfs, so we have to +- manually free the sdp. */ +- free_sbd(sdp); +- sb->s_fs_info = NULL; +- return error; +- } ++ if (error) ++ goto fail_free; + + snprintf(sdp->sd_fsname, sizeof(sdp->sd_fsname), "%s", sdp->sd_table_name); + + error = gfs2_sys_fs_add(sdp); +- /* +- * If we hit an error here, gfs2_sys_fs_add will have called function +- * kobject_put which causes the sysfs usage count to go to zero, which +- * causes sysfs to call function gfs2_sbd_release, which frees sdp. +- * Subsequent error paths here will call gfs2_sys_fs_del, which also +- * kobject_put to free sdp. 
+- */ + if (error) +- return error; ++ goto fail_free; + + gfs2_create_debugfs_file(sdp); + +@@ -1210,9 +1198,9 @@ fail_lm: + gfs2_lm_unmount(sdp); + fail_debug: + gfs2_delete_debugfs_file(sdp); +- /* gfs2_sys_fs_del must be the last thing we do, since it causes +- * sysfs to call function gfs2_sbd_release, which frees sdp. */ + gfs2_sys_fs_del(sdp); ++fail_free: ++ free_sbd(sdp); + sb->s_fs_info = NULL; + return error; + } +diff --git a/fs/gfs2/super.c b/fs/gfs2/super.c +index 5fa1eec4fb4f5..5935ce5ae5636 100644 +--- a/fs/gfs2/super.c ++++ b/fs/gfs2/super.c +@@ -695,6 +695,7 @@ restart: + + /* At this point, we're through participating in the lockspace */ + gfs2_sys_fs_del(sdp); ++ free_sbd(sdp); + } + + /** +diff --git a/fs/gfs2/sys.c b/fs/gfs2/sys.c +index dd15b8e4af2ce..1c6e52dc878e3 100644 +--- a/fs/gfs2/sys.c ++++ b/fs/gfs2/sys.c +@@ -302,7 +302,7 @@ static void gfs2_sbd_release(struct kobject *kobj) + { + struct gfs2_sbd *sdp = container_of(kobj, struct gfs2_sbd, sd_kobj); + +- free_sbd(sdp); ++ complete(&sdp->sd_kobj_unregister); + } + + static struct kobj_type gfs2_ktype = { +@@ -652,6 +652,7 @@ int gfs2_sys_fs_add(struct gfs2_sbd *sdp) + sprintf(ro, "RDONLY=%d", sb_rdonly(sb)); + sprintf(spectator, "SPECTATOR=%d", sdp->sd_args.ar_spectator ? 
1 : 0); + ++ init_completion(&sdp->sd_kobj_unregister); + sdp->sd_kobj.kset = gfs2_kset; + error = kobject_init_and_add(&sdp->sd_kobj, &gfs2_ktype, NULL, + "%s", sdp->sd_table_name); +@@ -682,6 +683,7 @@ fail_tune: + fail_reg: + fs_err(sdp, "error %d adding sysfs files\n", error); + kobject_put(&sdp->sd_kobj); ++ wait_for_completion(&sdp->sd_kobj_unregister); + sb->s_fs_info = NULL; + return error; + } +@@ -692,6 +694,7 @@ void gfs2_sys_fs_del(struct gfs2_sbd *sdp) + sysfs_remove_group(&sdp->sd_kobj, &tune_group); + sysfs_remove_group(&sdp->sd_kobj, &lock_module_group); + kobject_put(&sdp->sd_kobj); ++ wait_for_completion(&sdp->sd_kobj_unregister); + } + + static int gfs2_uevent(struct kset *kset, struct kobject *kobj, +-- +2.27.0 + diff --git a/queue-5.4/ia64-kprobes-use-generic-kretprobe-trampoline-handle.patch b/queue-5.4/ia64-kprobes-use-generic-kretprobe-trampoline-handle.patch new file mode 100644 index 00000000000..ed2a63537f7 --- /dev/null +++ b/queue-5.4/ia64-kprobes-use-generic-kretprobe-trampoline-handle.patch 
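Review bot: The ownership comments this patch deletes from gfs2_fill_super() are not replaced, so the new lifetime rule for `sdp` is undocumented: gfs2_sbd_release() now only signals `sd_kobj_unregister`, gfs2_sys_fs_del() and the `fail_reg` path wait for that signal, and every caller must then call free_sbd() itself. I would add `/* wait for gfs2_sbd_release(); the caller frees sdp afterwards */` above the wait_for_completion() in gfs2_sys_fs_del(), and a short comment on the `sd_kobj_unregister` field in incore.h naming who completes it and who waits. The wait is uninterruptible, so unmount would presumably block for as long as something else holds a reference on `sd_kobj`; that is worth stating in the same comment. The functions touched here start and end outside the quoted hunks.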
@@ -0,0 +1,120 @@ +From 26de9400a916c5b63b7ec4f9b7d53a4a9a3e8333 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 29 Aug 2020 22:01:09 +0900 +Subject: ia64: kprobes: Use generic kretprobe trampoline handler + +From: Masami Hiramatsu + +[ Upstream commit e792ff804f49720ce003b3e4c618b5d996256a18 ] + +Use the generic kretprobe trampoline handler. Don't use +framepointer verification. + +Signed-off-by: Masami Hiramatsu +Signed-off-by: Ingo Molnar +Link: https://lore.kernel.org/r/159870606883.1229682.12331813108378725668.stgit@devnote2 +Signed-off-by: Sasha Levin +--- + arch/ia64/kernel/kprobes.c | 77 +------------------------------------- + 1 file changed, 2 insertions(+), 75 deletions(-) + +diff --git a/arch/ia64/kernel/kprobes.c b/arch/ia64/kernel/kprobes.c +index b8356edbde659..b3dc39050c1ad 100644 +--- a/arch/ia64/kernel/kprobes.c ++++ b/arch/ia64/kernel/kprobes.c +@@ -396,83 +396,9 @@ static void kretprobe_trampoline(void) + { + } + +-/* +- * At this point the target function has been tricked into +- * returning into our trampoline. Lookup the associated instance +- * and then: +- * - call the handler function +- * - cleanup by marking the instance as unused +- * - long jump back to the original return address +- */ + int __kprobes trampoline_probe_handler(struct kprobe *p, struct pt_regs *regs) + { +- struct kretprobe_instance *ri = NULL; +- struct hlist_head *head, empty_rp; +- struct hlist_node *tmp; +- unsigned long flags, orig_ret_address = 0; +- unsigned long trampoline_address = +- ((struct fnptr *)kretprobe_trampoline)->ip; +- +- INIT_HLIST_HEAD(&empty_rp); +- kretprobe_hash_lock(current, &head, &flags); +- +- /* +- * It is possible to have multiple instances associated with a given +- * task either because an multiple functions in the call path +- * have a return probe installed on them, and/or more than one return +- * return probe was registered for a target function. 
+- * +- * We can handle this because: +- * - instances are always inserted at the head of the list +- * - when multiple return probes are registered for the same +- * function, the first instance's ret_addr will point to the +- * real return address, and all the rest will point to +- * kretprobe_trampoline +- */ +- hlist_for_each_entry_safe(ri, tmp, head, hlist) { +- if (ri->task != current) +- /* another task is sharing our hash bucket */ +- continue; +- +- orig_ret_address = (unsigned long)ri->ret_addr; +- if (orig_ret_address != trampoline_address) +- /* +- * This is the real return address. Any other +- * instances associated with this task are for +- * other calls deeper on the call stack +- */ +- break; +- } +- +- regs->cr_iip = orig_ret_address; +- +- hlist_for_each_entry_safe(ri, tmp, head, hlist) { +- if (ri->task != current) +- /* another task is sharing our hash bucket */ +- continue; +- +- if (ri->rp && ri->rp->handler) +- ri->rp->handler(ri, regs); +- +- orig_ret_address = (unsigned long)ri->ret_addr; +- recycle_rp_inst(ri, &empty_rp); +- +- if (orig_ret_address != trampoline_address) +- /* +- * This is the real return address. Any other +- * instances associated with this task are for +- * other calls deeper on the call stack +- */ +- break; +- } +- kretprobe_assert(ri, orig_ret_address, trampoline_address); +- +- kretprobe_hash_unlock(current, &flags); +- +- hlist_for_each_entry_safe(ri, tmp, &empty_rp, hlist) { +- hlist_del(&ri->hlist); +- kfree(ri); +- } ++ regs->cr_iip = __kretprobe_trampoline_handler(regs, kretprobe_trampoline, NULL); + /* + * By returning a non-zero value, we are telling + * kprobe_handler() that we don't want the post_handler +@@ -485,6 +411,7 @@ void __kprobes arch_prepare_kretprobe(struct kretprobe_instance *ri, + struct pt_regs *regs) + { + ri->ret_addr = (kprobe_opcode_t *)regs->b0; ++ ri->fp = NULL; + + /* Replace the return addr with trampoline addr */ + regs->b0 = ((struct fnptr *)kretprobe_trampoline)->ip; +-- +2.27.0 + 
diff --git a/queue-5.4/kgdb-make-kgdbcon-work-properly-with-kgdb_earlycon.patch b/queue-5.4/kgdb-make-kgdbcon-work-properly-with-kgdb_earlycon.patch
new file mode 100644
index 00000000000..61839814d26
--- /dev/null
+++ b/queue-5.4/kgdb-make-kgdbcon-work-properly-with-kgdb_earlycon.patch
@@ -0,0 +1,70 @@ +From ed3cb6e9dfa8c0118485db0ead4fbd141229ac4c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Jun 2020 15:14:38 -0700 +Subject: kgdb: Make "kgdbcon" work properly with "kgdb_earlycon" + +From: Douglas Anderson + +[ Upstream commit b18b099e04f450cdc77bec72acefcde7042bd1f3 ] + +On my system the kernel processes the "kgdb_earlycon" parameter before +the "kgdbcon" parameter. When we setup "kgdb_earlycon" we'll end up +in kgdb_register_callbacks() and "kgdb_use_con" won't have been set +yet so we'll never get around to starting "kgdbcon". Let's remedy +this by detecting that the IO module was already registered when +setting "kgdb_use_con" and registering the console then. + +As part of this, to avoid pre-declaring things, move the handling of +the "kgdbcon" further down in the file. + +Signed-off-by: Douglas Anderson +Link: https://lore.kernel.org/r/20200630151422.1.I4aa062751ff5e281f5116655c976dff545c09a46@changeid +Signed-off-by: Daniel Thompson +Signed-off-by: Sasha Levin +--- + kernel/debug/debug_core.c | 22 ++++++++++++++-------- + 1 file changed, 14 insertions(+), 8 deletions(-) + +diff --git a/kernel/debug/debug_core.c b/kernel/debug/debug_core.c +index 2222f3225e53d..097ab02989f92 100644 +--- a/kernel/debug/debug_core.c ++++ b/kernel/debug/debug_core.c +@@ -96,14 +96,6 @@ int dbg_switch_cpu; + /* Use kdb or gdbserver mode */ + int dbg_kdb_mode = 1; + +-static int __init opt_kgdb_con(char *str) +-{ +- kgdb_use_con = 1; +- return 0; +-} +- +-early_param("kgdbcon", opt_kgdb_con); +- + module_param(kgdb_use_con, int, 0644); + module_param(kgdbreboot, int, 0644); + +@@ -876,6 +868,20 @@ static struct console kgdbcons = { + .index = -1, + }; + ++static int __init opt_kgdb_con(char *str) ++{ ++ kgdb_use_con = 1; ++ ++ if (kgdb_io_module_registered && !kgdb_con_registered) { ++ register_console(&kgdbcons); ++ kgdb_con_registered = 1; ++ } ++ ++ return 0; ++} ++ ++early_param("kgdbcon", opt_kgdb_con); ++ + #ifdef CONFIG_MAGIC_SYSRQ + static 
void sysrq_handle_dbg(int key) + { +-- +2.27.0 + diff --git a/queue-5.4/kvm-ppc-book3s-hv-do-not-allocate-hpt-for-a-nested-g.patch b/queue-5.4/kvm-ppc-book3s-hv-do-not-allocate-hpt-for-a-nested-g.patch new file mode 100644 index 00000000000..51346edcad6 --- /dev/null +++ b/queue-5.4/kvm-ppc-book3s-hv-do-not-allocate-hpt-for-a-nested-g.patch 
@@ -0,0 +1,101 @@ +From 71681fcf2f4f38584e28c59d0c1820187536573c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Sep 2020 01:16:07 -0300 +Subject: KVM: PPC: Book3S HV: Do not allocate HPT for a nested guest + +From: Fabiano Rosas + +[ Upstream commit 05e6295dc7de859c9d56334805485c4d20bebf25 ] + +The current nested KVM code does not support HPT guests. This is +informed/enforced in some ways: + +- Hosts < P9 will not be able to enable the nested HV feature; + +- The nested hypervisor MMU capabilities will not contain + KVM_CAP_PPC_MMU_HASH_V3; + +- QEMU reflects the MMU capabilities in the + 'ibm,arch-vec-5-platform-support' device-tree property; + +- The nested guest, at 'prom_parse_mmu_model' ignores the + 'disable_radix' kernel command line option if HPT is not supported; + +- The KVM_PPC_CONFIGURE_V3_MMU ioctl will fail if trying to use HPT. + +There is, however, still a way to start a HPT guest by using +max-compat-cpu=power8 at the QEMU machine options. This leads to the +guest being set to use hash after QEMU calls the KVM_PPC_ALLOCATE_HTAB +ioctl. + +With the guest set to hash, the nested hypervisor goes through the +entry path that has no knowledge of nesting (kvmppc_run_vcpu) and +crashes when it tries to execute an hypervisor-privileged (mtspr +HDEC) instruction at __kvmppc_vcore_entry: + +root@L1:~ $ qemu-system-ppc64 -machine pseries,max-cpu-compat=power8 ... 
+ + +[ 538.543303] CPU: 83 PID: 25185 Comm: CPU 0/KVM Not tainted 5.9.0-rc4 #1 +[ 538.543355] NIP: c00800000753f388 LR: c00800000753f368 CTR: c0000000001e5ec0 +[ 538.543417] REGS: c0000013e91e33b0 TRAP: 0700 Not tainted (5.9.0-rc4) +[ 538.543470] MSR: 8000000002843033 CR: 22422882 XER: 20040000 +[ 538.543546] CFAR: c00800000753f4b0 IRQMASK: 3 + GPR00: c0080000075397a0 c0000013e91e3640 c00800000755e600 0000000080000000 + GPR04: 0000000000000000 c0000013eab19800 c000001394de0000 00000043a054db72 + GPR08: 00000000003b1652 0000000000000000 0000000000000000 c0080000075502e0 + GPR12: c0000000001e5ec0 c0000007ffa74200 c0000013eab19800 0000000000000008 + GPR16: 0000000000000000 c00000139676c6c0 c000000001d23948 c0000013e91e38b8 + GPR20: 0000000000000053 0000000000000000 0000000000000001 0000000000000000 + GPR24: 0000000000000001 0000000000000001 0000000000000000 0000000000000001 + GPR28: 0000000000000001 0000000000000053 c0000013eab19800 0000000000000001 +[ 538.544067] NIP [c00800000753f388] __kvmppc_vcore_entry+0x90/0x104 [kvm_hv] +[ 538.544121] LR [c00800000753f368] __kvmppc_vcore_entry+0x70/0x104 [kvm_hv] +[ 538.544173] Call Trace: +[ 538.544196] [c0000013e91e3640] [c0000013e91e3680] 0xc0000013e91e3680 (unreliable) +[ 538.544260] [c0000013e91e3820] [c0080000075397a0] kvmppc_run_core+0xbc8/0x19d0 [kvm_hv] +[ 538.544325] [c0000013e91e39e0] [c00800000753d99c] kvmppc_vcpu_run_hv+0x404/0xc00 [kvm_hv] +[ 538.544394] [c0000013e91e3ad0] [c0080000072da4fc] kvmppc_vcpu_run+0x34/0x48 [kvm] +[ 538.544472] [c0000013e91e3af0] [c0080000072d61b8] kvm_arch_vcpu_ioctl_run+0x310/0x420 [kvm] +[ 538.544539] [c0000013e91e3b80] [c0080000072c7450] kvm_vcpu_ioctl+0x298/0x778 [kvm] +[ 538.544605] [c0000013e91e3ce0] [c0000000004b8c2c] sys_ioctl+0x1dc/0xc90 +[ 538.544662] [c0000013e91e3dc0] [c00000000002f9a4] system_call_exception+0xe4/0x1c0 +[ 538.544726] [c0000013e91e3e20] [c00000000000d140] system_call_common+0xf0/0x27c +[ 538.544787] Instruction dump: +[ 538.544821] f86d1098 60000000 60000000 
48000099 e8ad0fe8 e8c500a0 e9264140 75290002 +[ 538.544886] 7d1602a6 7cec42a6 40820008 7d0807b4 <7d164ba6> 7d083a14 f90d10a0 480104fd +[ 538.544953] ---[ end trace 74423e2b948c2e0c ]--- + +This patch makes the KVM_PPC_ALLOCATE_HTAB ioctl fail when running in +the nested hypervisor, causing QEMU to abort. + +Reported-by: Satheesh Rajendran +Signed-off-by: Fabiano Rosas +Reviewed-by: Greg Kurz +Reviewed-by: David Gibson +Signed-off-by: Paul Mackerras +Signed-off-by: Sasha Levin +--- + arch/powerpc/kvm/book3s_hv.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c +index e2183fed947d4..dd9b19b1f459a 100644 +--- a/arch/powerpc/kvm/book3s_hv.c ++++ b/arch/powerpc/kvm/book3s_hv.c +@@ -5191,6 +5191,12 @@ static long kvm_arch_vm_ioctl_hv(struct file *filp, + case KVM_PPC_ALLOCATE_HTAB: { + u32 htab_order; + ++ /* If we're a nested hypervisor, we currently only support radix */ ++ if (kvmhv_on_pseries()) { ++ r = -EOPNOTSUPP; ++ break; ++ } ++ + r = -EFAULT; + if (get_user(htab_order, (u32 __user *)argp)) + break; +-- +2.27.0 + diff --git a/queue-5.4/md-bitmap-md_bitmap_get_counter-returns-wrong-blocks.patch b/queue-5.4/md-bitmap-md_bitmap_get_counter-returns-wrong-blocks.patch new file mode 100644 index 00000000000..a160a9e7016 --- /dev/null +++ b/queue-5.4/md-bitmap-md_bitmap_get_counter-returns-wrong-blocks.patch 
@@ -0,0 +1,53 @@
+From 5ff9b1232dc2348c3cbf8151af57bb949fb90e83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 6 Oct 2020 00:00:24 +0800
+Subject: md/bitmap: md_bitmap_get_counter returns wrong blocks
+
+From: Zhao Heming
+
+[ Upstream commit d837f7277f56e70d82b3a4a037d744854e62f387 ]
+
+md_bitmap_get_counter() has code:
+
+```
+ if (bitmap->bp[page].hijacked ||
+ bitmap->bp[page].map == NULL)
+ csize = ((sector_t)1) << (bitmap->chunkshift +
+ PAGE_COUNTER_SHIFT - 1);
+```
+
+The minus 1 is wrong, this branch should report 2048 bits of space.
+With "-1" action, this only report 1024 bit of space.
+
+This bug code returns wrong blocks, but it doesn't inflence bitmap logic:
+1. Most callers focus this function return value (the counter of offset),
+ not the parameter blocks.
+2. The bug is only triggered when hijacked is true or map is NULL.
+ the hijacked true condition is very rare.
+ the "map == null" only true when array is creating or resizing.
+3. Even the caller gets wrong blocks, current code makes caller just to
+ call md_bitmap_get_counter() one more time.
+
+Signed-off-by: Zhao Heming
+Signed-off-by: Song Liu
+Signed-off-by: Sasha Levin
+---
+ drivers/md/md-bitmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/md/md-bitmap.c b/drivers/md/md-bitmap.c
+index 7227d03dbbea7..0a6c200e3dcb2 100644
+--- a/drivers/md/md-bitmap.c
++++ b/drivers/md/md-bitmap.c
+@@ -1372,7 +1372,7 @@ __acquires(bitmap->lock)
+ if (bitmap->bp[page].hijacked ||
+ bitmap->bp[page].map == NULL)
+ csize = ((sector_t)1) << (bitmap->chunkshift +
+- PAGE_COUNTER_SHIFT - 1);
++ PAGE_COUNTER_SHIFT);
+ else
+ csize = ((sector_t)1) << bitmap->chunkshift;
+ *blocks = csize - (offset & (csize - 1));
+--
+2.27.0
+
diff --git a/queue-5.4/media-imx274-fix-frame-interval-handling.patch b/queue-5.4/media-imx274-fix-frame-interval-handling.patch
new file mode 100644
index 00000000000..bf79fee5671
--- /dev/null
+++ b/queue-5.4/media-imx274-fix-frame-interval-handling.patch
@@ -0,0 +1,54 @@
+From 0a1ff90138e204e800f505dc9d2ae90cb9741c2e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 3 Jul 2020 11:20:32 +0200
+Subject: media: imx274: fix frame interval handling
+
+From: Hans Verkuil
+
+[ Upstream commit 49b20d981d723fae5a93843c617af2b2c23611ec ]
+
+1) the numerator and/or denominator might be 0, in that case
+ fall back to the default frame interval. This is per the spec
+ and this caused a v4l2-compliance failure.
+
+2) the updated frame interval wasn't returned in the s_frame_interval
+ subdev op.
+
+Signed-off-by: Hans Verkuil
+Reviewed-by: Luca Ceresoli
+Signed-off-by: Sakari Ailus
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/i2c/imx274.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/media/i2c/imx274.c b/drivers/media/i2c/imx274.c
+index 6011cec5e351d..e6aa9f32b6a83 100644
+--- a/drivers/media/i2c/imx274.c
++++ b/drivers/media/i2c/imx274.c
+@@ -1235,6 +1235,8 @@ static int imx274_s_frame_interval(struct v4l2_subdev *sd,
+ ret = imx274_set_frame_interval(imx274, fi->interval);
+
+ if (!ret) {
++ fi->interval = imx274->frame_interval;
++
+ /*
+ * exposure time range is decided by frame interval
+ * need to update it after frame interval changes
+@@ -1730,9 +1732,9 @@ static int imx274_set_frame_interval(struct stimx274 *priv,
+ __func__, frame_interval.numerator,
+ frame_interval.denominator);
+
+- if (frame_interval.numerator == 0) {
+- err = -EINVAL;
+- goto fail;
++ if (frame_interval.numerator == 0 || frame_interval.denominator == 0) {
++ frame_interval.denominator = IMX274_DEF_FRAME_RATE;
++ frame_interval.numerator = 1;
+ }
+
+ req_frame_rate = (u32)(frame_interval.denominator
+--
+2.27.0
+
diff --git a/queue-5.4/media-platform-improve-queue-set-up-flow-for-bug-fix.patch b/queue-5.4/media-platform-improve-queue-set-up-flow-for-bug-fix.patch
new file mode 100644
index 00000000000..29d4bc4bc1e
--- /dev/null
+++ b/queue-5.4/media-platform-improve-queue-set-up-flow-for-bug-fix.patch
@@ -0,0 +1,41 @@
+From 9c0d621162b63f690aeab96495346b441b80a004 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 14 Aug 2020 09:11:35 +0200
+Subject: media: platform: Improve queue set up flow for bug fixing
+
+From: Xia Jiang
+
+[ Upstream commit 5095a6413a0cf896ab468009b6142cb0fe617e66 ]
+
+Add checking created buffer size follow in mtk_jpeg_queue_setup().
+
+Reviewed-by: Tomasz Figa
+Signed-off-by: Xia Jiang
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c b/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c
+index ee802fc3bcdfc..9fa1bc5514f3e 100644
+--- a/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c
++++ b/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c
+@@ -571,6 +571,13 @@ static int mtk_jpeg_queue_setup(struct vb2_queue *q,
+ if (!q_data)
+ return -EINVAL;
+
++ if (*num_planes) {
++ for (i = 0; i < *num_planes; i++)
++ if (sizes[i] < q_data->sizeimage[i])
++ return -EINVAL;
++ return 0;
++ }
++
+ *num_planes = q_data->fmt->colplanes;
+ for (i = 0; i < q_data->fmt->colplanes; i++) {
+ sizes[i] = q_data->sizeimage[i];
+--
+2.27.0
+
diff --git a/queue-5.4/media-tw5864-check-status-of-tw5864_frameinterval_ge.patch b/queue-5.4/media-tw5864-check-status-of-tw5864_frameinterval_ge.patch
new file mode 100644
index 00000000000..f5f217ab89e
--- /dev/null
+++ b/queue-5.4/media-tw5864-check-status-of-tw5864_frameinterval_ge.patch
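Review bot: In the added `if (*num_planes)` branch of mtk_jpeg_queue_setup(), the caller-supplied plane count drives the loop over `sizes[]` and `q_data->sizeimage[]` without first being compared with `q_data->fmt->colplanes`, which is what the non-zero path below uses. A request with more planes than the format has would be checked against `sizeimage` entries the format does not use, and one with fewer planes would be accepted with the remaining planes unchecked. I would reject the mismatch up front with `if (*num_planes != q_data->fmt->colplanes) return -EINVAL;` as the first statement of the branch; whether the vb2 core already bounds the count is not visible here. The function body continues outside the hunk.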
@@ -0,0 +1,63 @@ +From ac6d4a5c3e6ed0a06d8f764da2030e62f1f1734b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Aug 2020 21:25:18 +0200 +Subject: media: tw5864: check status of tw5864_frameinterval_get + +From: Tom Rix + +[ Upstream commit 780d815dcc9b34d93ae69385a8465c38d423ff0f ] + +clang static analysis reports this problem + +tw5864-video.c:773:32: warning: The left expression of the compound + assignment is an uninitialized value. + The computed value will also be garbage + fintv->stepwise.max.numerator *= std_max_fps; + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ^ + +stepwise.max is set with frameinterval, which comes from + + ret = tw5864_frameinterval_get(input, &frameinterval); + fintv->stepwise.step = frameinterval; + fintv->stepwise.min = frameinterval; + fintv->stepwise.max = frameinterval; + fintv->stepwise.max.numerator *= std_max_fps; + +When tw5864_frameinterval_get() fails, frameinterval is not +set. So check the status and fix another similar problem. + +Signed-off-by: Tom Rix +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/pci/tw5864/tw5864-video.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/media/pci/tw5864/tw5864-video.c b/drivers/media/pci/tw5864/tw5864-video.c +index 09732eed7eb4f..656142c7a2cc7 100644 +--- a/drivers/media/pci/tw5864/tw5864-video.c ++++ b/drivers/media/pci/tw5864/tw5864-video.c +@@ -767,6 +767,9 @@ static int tw5864_enum_frameintervals(struct file *file, void *priv, + fintv->type = V4L2_FRMIVAL_TYPE_STEPWISE; + + ret = tw5864_frameinterval_get(input, &frameinterval); ++ if (ret) ++ return ret; ++ + fintv->stepwise.step = frameinterval; + fintv->stepwise.min = frameinterval; + fintv->stepwise.max = frameinterval; +@@ -785,6 +788,9 @@ static int tw5864_g_parm(struct file *file, void *priv, + cp->capability = V4L2_CAP_TIMEPERFRAME; + + ret = tw5864_frameinterval_get(input, &cp->timeperframe); ++ if (ret) ++ return ret; ++ + 
cp->timeperframe.numerator *= input->frame_interval; + cp->capturemode = 0; + cp->readbuffers = 2; +-- +2.27.0 + diff --git a/queue-5.4/media-uvcvideo-fix-dereference-of-out-of-bound-list-.patch b/queue-5.4/media-uvcvideo-fix-dereference-of-out-of-bound-list-.patch new file mode 100644 index 00000000000..58c31b38168 --- /dev/null +++ b/queue-5.4/media-uvcvideo-fix-dereference-of-out-of-bound-list-.patch 
@@ -0,0 +1,75 @@ +From e64a85d89881dbdd2b04e6637bb6ec9417c2440b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Aug 2020 10:35:30 +0200 +Subject: media: uvcvideo: Fix dereference of out-of-bound list iterator + +From: Daniel W. S. Almeida + +[ Upstream commit f875bcc375c738bf2f599ff2e1c5b918dbd07c45 ] + +Fixes the following coccinelle report: + +drivers/media/usb/uvc/uvc_ctrl.c:1860:5-11: +ERROR: invalid reference to the index variable of the iterator on line 1854 + +by adding a boolean variable to check if the loop has found the + +Found using - Coccinelle (http://coccinelle.lip6.fr) + +[Replace cursor variable with bool found] + +Signed-off-by: Daniel W. S. Almeida +Signed-off-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/uvc/uvc_ctrl.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c +index a30a8a731eda8..c13ed95cb06fe 100644 +--- a/drivers/media/usb/uvc/uvc_ctrl.c ++++ b/drivers/media/usb/uvc/uvc_ctrl.c +@@ -1848,30 +1848,35 @@ int uvc_xu_ctrl_query(struct uvc_video_chain *chain, + { + struct uvc_entity *entity; + struct uvc_control *ctrl; +- unsigned int i, found = 0; ++ unsigned int i; ++ bool found; + u32 reqflags; + u16 size; + u8 *data = NULL; + int ret; + + /* Find the extension unit. */ ++ found = false; + list_for_each_entry(entity, &chain->entities, chain) { + if (UVC_ENTITY_TYPE(entity) == UVC_VC_EXTENSION_UNIT && +- entity->id == xqry->unit) ++ entity->id == xqry->unit) { ++ found = true; + break; ++ } + } + +- if (entity->id != xqry->unit) { ++ if (!found) { + uvc_trace(UVC_TRACE_CONTROL, "Extension unit %u not found.\n", + xqry->unit); + return -ENOENT; + } + + /* Find the control and perform delayed initialization if needed. 
*/ ++ found = false; + for (i = 0; i < entity->ncontrols; ++i) { + ctrl = &entity->controls[i]; + if (ctrl->index == xqry->selector - 1) { +- found = 1; ++ found = true; + break; + } + } +-- +2.27.0 + diff --git a/queue-5.4/media-videodev2.h-rgb-bt2020-and-hsv-are-always-full.patch b/queue-5.4/media-videodev2.h-rgb-bt2020-and-hsv-are-always-full.patch new file mode 100644 index 00000000000..a6a42213fcd --- /dev/null +++ b/queue-5.4/media-videodev2.h-rgb-bt2020-and-hsv-are-always-full.patch 
@@ -0,0 +1,117 @@ +From 17eeb168a83c59599160d24ad622ecb35df0c01e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Aug 2020 12:47:16 +0200 +Subject: media: videodev2.h: RGB BT2020 and HSV are always full range + +From: Hans Verkuil + +[ Upstream commit b305dfe2e93434b12d438434461b709641f62af4 ] + +The default RGB quantization range for BT.2020 is full range (just as for +all the other RGB pixel encodings), not limited range. + +Update the V4L2_MAP_QUANTIZATION_DEFAULT macro and documentation +accordingly. + +Also mention that HSV is always full range and cannot be limited range. + +When RGB BT2020 was introduced in V4L2 it was not clear whether it should +be limited or full range, but full range is the right (and consistent) +choice. + +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + .../media/uapi/v4l/colorspaces-defs.rst | 9 ++++----- + .../media/uapi/v4l/colorspaces-details.rst | 5 ++--- + include/uapi/linux/videodev2.h | 17 ++++++++--------- + 3 files changed, 14 insertions(+), 17 deletions(-) + +diff --git a/Documentation/media/uapi/v4l/colorspaces-defs.rst b/Documentation/media/uapi/v4l/colorspaces-defs.rst +index e122bbe3d799d..aabb08130354a 100644 +--- a/Documentation/media/uapi/v4l/colorspaces-defs.rst ++++ b/Documentation/media/uapi/v4l/colorspaces-defs.rst +@@ -36,8 +36,7 @@ whole range, 0-255, dividing the angular value by 1.41. The enum + :c:type:`v4l2_hsv_encoding` specifies which encoding is used. + + .. note:: The default R'G'B' quantization is full range for all +- colorspaces except for BT.2020 which uses limited range R'G'B' +- quantization. ++ colorspaces. HSV formats are always full range. + + .. tabularcolumns:: |p{6.7cm}|p{10.8cm}| + +@@ -169,8 +168,8 @@ whole range, 0-255, dividing the angular value by 1.41. The enum + - Details + * - ``V4L2_QUANTIZATION_DEFAULT`` + - Use the default quantization encoding as defined by the +- colorspace. 
This is always full range for R'G'B' (except for the +- BT.2020 colorspace) and HSV. It is usually limited range for Y'CbCr. ++ colorspace. This is always full range for R'G'B' and HSV. ++ It is usually limited range for Y'CbCr. + * - ``V4L2_QUANTIZATION_FULL_RANGE`` + - Use the full range quantization encoding. I.e. the range [0…1] is + mapped to [0…255] (with possible clipping to [1…254] to avoid the +@@ -180,4 +179,4 @@ whole range, 0-255, dividing the angular value by 1.41. The enum + * - ``V4L2_QUANTIZATION_LIM_RANGE`` + - Use the limited range quantization encoding. I.e. the range [0…1] + is mapped to [16…235]. Cb and Cr are mapped from [-0.5…0.5] to +- [16…240]. ++ [16…240]. Limited Range cannot be used with HSV. +diff --git a/Documentation/media/uapi/v4l/colorspaces-details.rst b/Documentation/media/uapi/v4l/colorspaces-details.rst +index 8b0ba3668101d..fd0cf57691d87 100644 +--- a/Documentation/media/uapi/v4l/colorspaces-details.rst ++++ b/Documentation/media/uapi/v4l/colorspaces-details.rst +@@ -377,9 +377,8 @@ Colorspace BT.2020 (V4L2_COLORSPACE_BT2020) + The :ref:`itu2020` standard defines the colorspace used by Ultra-high + definition television (UHDTV). The default transfer function is + ``V4L2_XFER_FUNC_709``. The default Y'CbCr encoding is +-``V4L2_YCBCR_ENC_BT2020``. The default R'G'B' quantization is limited +-range (!), and so is the default Y'CbCr quantization. The chromaticities +-of the primary colors and the white reference are: ++``V4L2_YCBCR_ENC_BT2020``. The default Y'CbCr quantization is limited range. 
++The chromaticities of the primary colors and the white reference are: + + + +diff --git a/include/uapi/linux/videodev2.h b/include/uapi/linux/videodev2.h +index 530638dffd934..3210b3c82a4a2 100644 +--- a/include/uapi/linux/videodev2.h ++++ b/include/uapi/linux/videodev2.h +@@ -371,9 +371,9 @@ enum v4l2_hsv_encoding { + + enum v4l2_quantization { + /* +- * The default for R'G'B' quantization is always full range, except +- * for the BT2020 colorspace. For Y'CbCr the quantization is always +- * limited range, except for COLORSPACE_JPEG: this is full range. ++ * The default for R'G'B' quantization is always full range. ++ * For Y'CbCr the quantization is always limited range, except ++ * for COLORSPACE_JPEG: this is full range. + */ + V4L2_QUANTIZATION_DEFAULT = 0, + V4L2_QUANTIZATION_FULL_RANGE = 1, +@@ -382,14 +382,13 @@ enum v4l2_quantization { + + /* + * Determine how QUANTIZATION_DEFAULT should map to a proper quantization. +- * This depends on whether the image is RGB or not, the colorspace and the +- * Y'CbCr encoding. ++ * This depends on whether the image is RGB or not, the colorspace. ++ * The Y'CbCr encoding is not used anymore, but is still there for backwards ++ * compatibility. + */ + #define V4L2_MAP_QUANTIZATION_DEFAULT(is_rgb_or_hsv, colsp, ycbcr_enc) \ +- (((is_rgb_or_hsv) && (colsp) == V4L2_COLORSPACE_BT2020) ? \ +- V4L2_QUANTIZATION_LIM_RANGE : \ +- (((is_rgb_or_hsv) || (colsp) == V4L2_COLORSPACE_JPEG) ? \ +- V4L2_QUANTIZATION_FULL_RANGE : V4L2_QUANTIZATION_LIM_RANGE)) ++ (((is_rgb_or_hsv) || (colsp) == V4L2_COLORSPACE_JPEG) ? \ ++ V4L2_QUANTIZATION_FULL_RANGE : V4L2_QUANTIZATION_LIM_RANGE) + + /* + * Deprecated names for opRGB colorspace (IEC 61966-2-5) +-- +2.27.0 + diff --git a/queue-5.4/memory-emif-remove-bogus-debugfs-error-handling.patch b/queue-5.4/memory-emif-remove-bogus-debugfs-error-handling.patch new file mode 100644 index 00000000000..f81d1afed43 --- /dev/null +++ b/queue-5.4/memory-emif-remove-bogus-debugfs-error-handling.patch 
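Review bot: The rewritten comment above V4L2_MAP_QUANTIZATION_DEFAULT in videodev2.h now reads "This depends on whether the image is RGB or not, the colorspace.", which lost its conjunction when the Y'CbCr clause was removed and no longer mentions HSV although the macro parameter is `is_rgb_or_hsv`. I would write `* This depends on whether the image is RGB or HSV, and on the colorspace.` instead. Separately, the macro now yields V4L2_QUANTIZATION_FULL_RANGE where it previously yielded V4L2_QUANTIZATION_LIM_RANGE for RGB with V4L2_COLORSPACE_BT2020. Because this is a UAPI header, code rebuilt against it gets a different default, so it is worth confirming that in-tree users of the macro in this stable branch expect the new value.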
@@ -0,0 +1,75 @@ +From b5465a79b4d506cb7c7cec1dbb1b46a662d91e2c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Aug 2020 14:37:59 +0300 +Subject: memory: emif: Remove bogus debugfs error handling + +From: Dan Carpenter + +[ Upstream commit fd22781648080cc400772b3c68aa6b059d2d5420 ] + +Callers are generally not supposed to check the return values from +debugfs functions. Debugfs functions never return NULL so this error +handling will never trigger. (Historically debugfs functions used to +return a mix of NULL and error pointers but it was eventually deemed too +complicated for something which wasn't intended to be used in normal +situations). + +Delete all the error handling. + +Signed-off-by: Dan Carpenter +Acked-by: Santosh Shilimkar +Link: https://lore.kernel.org/r/20200826113759.GF393664@mwanda +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + drivers/memory/emif.c | 33 +++++---------------------------- + 1 file changed, 5 insertions(+), 28 deletions(-) + +diff --git a/drivers/memory/emif.c b/drivers/memory/emif.c +index 402c6bc8e621d..af296b6fcbbdc 100644 +--- a/drivers/memory/emif.c ++++ b/drivers/memory/emif.c +@@ -163,35 +163,12 @@ static const struct file_operations emif_mr4_fops = { + + static int __init_or_module emif_debugfs_init(struct emif_data *emif) + { +- struct dentry *dentry; +- int ret; +- +- dentry = debugfs_create_dir(dev_name(emif->dev), NULL); +- if (!dentry) { +- ret = -ENOMEM; +- goto err0; +- } +- emif->debugfs_root = dentry; +- +- dentry = debugfs_create_file("regcache_dump", S_IRUGO, +- emif->debugfs_root, emif, &emif_regdump_fops); +- if (!dentry) { +- ret = -ENOMEM; +- goto err1; +- } +- +- dentry = debugfs_create_file("mr4", S_IRUGO, +- emif->debugfs_root, emif, &emif_mr4_fops); +- if (!dentry) { +- ret = -ENOMEM; +- goto err1; +- } +- ++ emif->debugfs_root = debugfs_create_dir(dev_name(emif->dev), NULL); ++ debugfs_create_file("regcache_dump", S_IRUGO, emif->debugfs_root, emif, ++ &emif_regdump_fops); 
++ debugfs_create_file("mr4", S_IRUGO, emif->debugfs_root, emif, ++ &emif_mr4_fops); + return 0; +-err1: +- debugfs_remove_recursive(emif->debugfs_root); +-err0: +- return ret; + } + + static void __exit emif_debugfs_exit(struct emif_data *emif) +-- +2.27.0 + diff --git a/queue-5.4/mlxsw-core-fix-use-after-free-in-mlxsw_emad_trans_fi.patch b/queue-5.4/mlxsw-core-fix-use-after-free-in-mlxsw_emad_trans_fi.patch new file mode 100644 index 00000000000..ecff5c1bcda --- /dev/null +++ b/queue-5.4/mlxsw-core-fix-use-after-free-in-mlxsw_emad_trans_fi.patch 
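Review bot: In the queued emif.c change, `emif->debugfs_root` now takes the result of `debugfs_create_dir()` unchecked, so it may hold an error pointer rather than a valid dentry or NULL. The two `debugfs_create_file()` calls use it as their parent, and any other user of `debugfs_root` outside this hunk (a NULL test, for example) should be checked against that. `emif_debugfs_init()` also returns 0 unconditionally now, so any error branch in its caller is dead code. A short comment above the first call, such as `/* debugfs failures are deliberately ignored */`, would stop a later reader from reinstating the checks.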
@@ -0,0 +1,166 @@ +From 4ab9680ab88bb917bd3548d073b1f9c2edaf7447 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 24 Oct 2020 16:37:33 +0300 +Subject: mlxsw: core: Fix use-after-free in mlxsw_emad_trans_finish() + +From: Amit Cohen + +[ Upstream commit 0daf2bf5a2dcf33d446b76360908f109816e2e21 ] + +Each EMAD transaction stores the skb used to issue the EMAD request +('trans->tx_skb') so that the request could be retried in case of a +timeout. The skb can be freed when a corresponding response is received +or as part of the retry logic (e.g., failed retransmit, exceeded maximum +number of retries). + +The two tasks (i.e., response processing and retransmits) are +synchronized by the atomic 'trans->active' field which ensures that +responses to inactive transactions are ignored. + +In case of a failed retransmit the transaction is finished and all of +its resources are freed. However, the current code does not mark it as +inactive. Syzkaller was able to hit a race condition in which a +concurrent response is processed while the transaction's resources are +being freed, resulting in a use-after-free [1]. + +Fix the issue by making sure to mark the transaction as inactive after a +failed retransmit and free its resources only if a concurrent task did +not already do that. 
+ +[1] +BUG: KASAN: use-after-free in consume_skb+0x30/0x370 +net/core/skbuff.c:833 +Read of size 4 at addr ffff88804f570494 by task syz-executor.0/1004 + +CPU: 0 PID: 1004 Comm: syz-executor.0 Not tainted 5.8.0-rc7+ #68 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS +rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0xf6/0x16e lib/dump_stack.c:118 + print_address_description.constprop.0+0x1c/0x250 +mm/kasan/report.c:383 + __kasan_report mm/kasan/report.c:513 [inline] + kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530 + check_memory_region_inline mm/kasan/generic.c:186 [inline] + check_memory_region+0x14e/0x1b0 mm/kasan/generic.c:192 + instrument_atomic_read include/linux/instrumented.h:56 [inline] + atomic_read include/asm-generic/atomic-instrumented.h:27 [inline] + refcount_read include/linux/refcount.h:147 [inline] + skb_unref include/linux/skbuff.h:1044 [inline] + consume_skb+0x30/0x370 net/core/skbuff.c:833 + mlxsw_emad_trans_finish+0x64/0x1c0 drivers/net/ethernet/mellanox/mlxsw/core.c:592 + mlxsw_emad_process_response drivers/net/ethernet/mellanox/mlxsw/core.c:651 [inline] + mlxsw_emad_rx_listener_func+0x5c9/0xac0 drivers/net/ethernet/mellanox/mlxsw/core.c:672 + mlxsw_core_skb_receive+0x4df/0x770 drivers/net/ethernet/mellanox/mlxsw/core.c:2063 + mlxsw_pci_cqe_rdq_handle drivers/net/ethernet/mellanox/mlxsw/pci.c:595 [inline] + mlxsw_pci_cq_tasklet+0x12a6/0x2520 drivers/net/ethernet/mellanox/mlxsw/pci.c:651 + tasklet_action_common.isra.0+0x13f/0x3e0 kernel/softirq.c:550 + __do_softirq+0x223/0x964 kernel/softirq.c:292 + asm_call_on_stack+0x12/0x20 arch/x86/entry/entry_64.S:711 + +Allocated by task 1006: + save_stack+0x1b/0x40 mm/kasan/common.c:48 + set_track mm/kasan/common.c:56 [inline] + __kasan_kmalloc mm/kasan/common.c:494 [inline] + __kasan_kmalloc.constprop.0+0xc2/0xd0 mm/kasan/common.c:467 + slab_post_alloc_hook mm/slab.h:586 [inline] + slab_alloc_node 
mm/slub.c:2824 [inline] + slab_alloc mm/slub.c:2832 [inline] + kmem_cache_alloc+0xcd/0x2e0 mm/slub.c:2837 + __build_skb+0x21/0x60 net/core/skbuff.c:311 + __netdev_alloc_skb+0x1e2/0x360 net/core/skbuff.c:464 + netdev_alloc_skb include/linux/skbuff.h:2810 [inline] + mlxsw_emad_alloc drivers/net/ethernet/mellanox/mlxsw/core.c:756 [inline] + mlxsw_emad_reg_access drivers/net/ethernet/mellanox/mlxsw/core.c:787 [inline] + mlxsw_core_reg_access_emad+0x1ab/0x1420 drivers/net/ethernet/mellanox/mlxsw/core.c:1817 + mlxsw_reg_trans_query+0x39/0x50 drivers/net/ethernet/mellanox/mlxsw/core.c:1831 + mlxsw_sp_sb_pm_occ_clear drivers/net/ethernet/mellanox/mlxsw/spectrum_buffers.c:260 [inline] + mlxsw_sp_sb_occ_max_clear+0xbff/0x10a0 drivers/net/ethernet/mellanox/mlxsw/spectrum_buffers.c:1365 + mlxsw_devlink_sb_occ_max_clear+0x76/0xb0 drivers/net/ethernet/mellanox/mlxsw/core.c:1037 + devlink_nl_cmd_sb_occ_max_clear_doit+0x1ec/0x280 net/core/devlink.c:1765 + genl_family_rcv_msg_doit net/netlink/genetlink.c:669 [inline] + genl_family_rcv_msg net/netlink/genetlink.c:714 [inline] + genl_rcv_msg+0x617/0x980 net/netlink/genetlink.c:731 + netlink_rcv_skb+0x152/0x440 net/netlink/af_netlink.c:2470 + genl_rcv+0x24/0x40 net/netlink/genetlink.c:742 + netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline] + netlink_unicast+0x53a/0x750 net/netlink/af_netlink.c:1330 + netlink_sendmsg+0x850/0xd90 net/netlink/af_netlink.c:1919 + sock_sendmsg_nosec net/socket.c:651 [inline] + sock_sendmsg+0x150/0x190 net/socket.c:671 + ____sys_sendmsg+0x6d8/0x840 net/socket.c:2359 + ___sys_sendmsg+0xff/0x170 net/socket.c:2413 + __sys_sendmsg+0xe5/0x1b0 net/socket.c:2446 + do_syscall_64+0x56/0xa0 arch/x86/entry/common.c:384 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Freed by task 73: + save_stack+0x1b/0x40 mm/kasan/common.c:48 + set_track mm/kasan/common.c:56 [inline] + kasan_set_free_info mm/kasan/common.c:316 [inline] + __kasan_slab_free+0x12c/0x170 mm/kasan/common.c:455 + slab_free_hook mm/slub.c:1474 
[inline] + slab_free_freelist_hook mm/slub.c:1507 [inline] + slab_free mm/slub.c:3072 [inline] + kmem_cache_free+0xbe/0x380 mm/slub.c:3088 + kfree_skbmem net/core/skbuff.c:622 [inline] + kfree_skbmem+0xef/0x1b0 net/core/skbuff.c:616 + __kfree_skb net/core/skbuff.c:679 [inline] + consume_skb net/core/skbuff.c:837 [inline] + consume_skb+0xe1/0x370 net/core/skbuff.c:831 + mlxsw_emad_trans_finish+0x64/0x1c0 drivers/net/ethernet/mellanox/mlxsw/core.c:592 + mlxsw_emad_transmit_retry.isra.0+0x9d/0xc0 drivers/net/ethernet/mellanox/mlxsw/core.c:613 + mlxsw_emad_trans_timeout_work+0x43/0x50 drivers/net/ethernet/mellanox/mlxsw/core.c:625 + process_one_work+0xa3e/0x17a0 kernel/workqueue.c:2269 + worker_thread+0x9e/0x1050 kernel/workqueue.c:2415 + kthread+0x355/0x470 kernel/kthread.c:291 + ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:293 + +The buggy address belongs to the object at ffff88804f5703c0 + which belongs to the cache skbuff_head_cache of size 224 +The buggy address is located 212 bytes inside of + 224-byte region [ffff88804f5703c0, ffff88804f5704a0) +The buggy address belongs to the page: +page:ffffea00013d5c00 refcount:1 mapcount:0 mapping:0000000000000000 +index:0x0 +flags: 0x100000000000200(slab) +raw: 0100000000000200 dead000000000100 dead000000000122 ffff88806c625400 +raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff88804f570380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb + ffff88804f570400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +>ffff88804f570480: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc + ^ + ffff88804f570500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + ffff88804f570580: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc + +Fixes: caf7297e7ab5f ("mlxsw: core: Introduce support for asynchronous EMAD register access") +Signed-off-by: Amit Cohen +Reviewed-by: Jiri Pirko +Signed-off-by: Ido Schimmel +Signed-off-by: 
Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlxsw/core.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlxsw/core.c b/drivers/net/ethernet/mellanox/mlxsw/core.c +index 7277706847b18..8f0eec9fb17bd 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/core.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/core.c +@@ -493,6 +493,9 @@ static void mlxsw_emad_transmit_retry(struct mlxsw_core *mlxsw_core, + err = mlxsw_emad_transmit(trans->core, trans); + if (err == 0) + return; ++ ++ if (!atomic_dec_and_test(&trans->active)) ++ return; + } else { + err = -EIO; + } +-- +2.27.0 + diff --git a/queue-5.4/mm-fix-exec-activate_mm-vs-tlb-shootdown-and-lazy-tl.patch b/queue-5.4/mm-fix-exec-activate_mm-vs-tlb-shootdown-and-lazy-tl.patch new file mode 100644 index 00000000000..56988e027f9 --- /dev/null +++ b/queue-5.4/mm-fix-exec-activate_mm-vs-tlb-shootdown-and-lazy-tl.patch 
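Review bot: The added `if (!atomic_dec_and_test(&trans->active)) return;` in mlxsw_emad_transmit_retry() is correct only if every failing return of mlxsw_emad_transmit() leaves `trans->active` set. That function is not in the hunk. If it can fail before it arms the flag (an allocation failure, say), the decrement here would not reach zero, the function would return early, and mlxsw_emad_trans_finish() would never run for that transaction. This is worth confirming against the 5.4 tree, and the guard deserves a comment such as `/* a concurrent response may already have finished the transaction */`. The function body starts and ends outside the hunk.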
@@ -0,0 +1,116 @@ +From 338d4aedaa113ee7f9b72ad805244316ba3b96a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Sep 2020 14:52:16 +1000 +Subject: mm: fix exec activate_mm vs TLB shootdown and lazy tlb switching race + +From: Nicholas Piggin + +[ Upstream commit d53c3dfb23c45f7d4f910c3a3ca84bf0a99c6143 ] + +Reading and modifying current->mm and current->active_mm and switching +mm should be done with irqs off, to prevent races seeing an intermediate +state. + +This is similar to commit 38cf307c1f20 ("mm: fix kthread_use_mm() vs TLB +invalidate"). At exec-time when the new mm is activated, the old one +should usually be single-threaded and no longer used, unless something +else is holding an mm_users reference (which may be possible). + +Absent other mm_users, there is also a race with preemption and lazy tlb +switching. Consider the kernel_execve case where the current thread is +using a lazy tlb active mm: + + call_usermodehelper() + kernel_execve() + old_mm = current->mm; + active_mm = current->active_mm; + *** preempt *** --------------------> schedule() + prev->active_mm = NULL; + mmdrop(prev active_mm); + ... + <-------------------- schedule() + current->mm = mm; + current->active_mm = mm; + if (!old_mm) + mmdrop(active_mm); + +If we switch back to the kernel thread from a different mm, there is a +double free of the old active_mm, and a missing free of the new one. + +Closing this race only requires interrupts to be disabled while ->mm +and ->active_mm are being switched, but the TLB problem requires also +holding interrupts off over activate_mm. Unfortunately not all archs +can do that yet, e.g., arm defers the switch if irqs are disabled and +expects finish_arch_post_lock_switch() to be called to complete the +flush; um takes a blocking lock in activate_mm(). 
+ +So as a first step, disable interrupts across the mm/active_mm updates +to close the lazy tlb preempt race, and provide an arch option to +extend that to activate_mm which allows architectures doing IPI based +TLB shootdowns to close the second race. + +This is a bit ugly, but in the interest of fixing the bug and backporting +before all architectures are converted this is a compromise. + +Signed-off-by: Nicholas Piggin +Acked-by: Peter Zijlstra (Intel) +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200914045219.3736466-2-npiggin@gmail.com +Signed-off-by: Sasha Levin +--- + arch/Kconfig | 7 +++++++ + fs/exec.c | 17 +++++++++++++++-- + 2 files changed, 22 insertions(+), 2 deletions(-) + +diff --git a/arch/Kconfig b/arch/Kconfig +index 238dccfa76910..84653a823d3b0 100644 +--- a/arch/Kconfig ++++ b/arch/Kconfig +@@ -405,6 +405,13 @@ config MMU_GATHER_NO_RANGE + config HAVE_MMU_GATHER_NO_GATHER + bool + ++config ARCH_WANT_IRQS_OFF_ACTIVATE_MM ++ bool ++ help ++ Temporary select until all architectures can be converted to have ++ irqs disabled over activate_mm. Architectures that do IPI based TLB ++ shootdowns should enable this. ++ + config ARCH_HAVE_NMI_SAFE_CMPXCHG + bool + +diff --git a/fs/exec.c b/fs/exec.c +index de833553ae27d..2441eb1a1e2d0 100644 +--- a/fs/exec.c ++++ b/fs/exec.c +@@ -1044,11 +1044,24 @@ static int exec_mmap(struct mm_struct *mm) + } + + task_lock(tsk); +- active_mm = tsk->active_mm; + membarrier_exec_mmap(mm); +- tsk->mm = mm; ++ ++ local_irq_disable(); ++ active_mm = tsk->active_mm; + tsk->active_mm = mm; ++ tsk->mm = mm; ++ /* ++ * This prevents preemption while active_mm is being loaded and ++ * it and mm are being updated, which could cause problems for ++ * lazy tlb mm refcounting when these are updated by context ++ * switches. Not all architectures can handle irqs off over ++ * activate_mm yet. 
++ */ ++ if (!IS_ENABLED(CONFIG_ARCH_WANT_IRQS_OFF_ACTIVATE_MM)) ++ local_irq_enable(); + activate_mm(active_mm, mm); ++ if (IS_ENABLED(CONFIG_ARCH_WANT_IRQS_OFF_ACTIVATE_MM)) ++ local_irq_enable(); + tsk->mm->vmacache_seqnum = 0; + vmacache_flush(tsk); + task_unlock(tsk); +-- +2.27.0 + diff --git a/queue-5.4/mmc-via-sdmmc-fix-data-race-bug.patch b/queue-5.4/mmc-via-sdmmc-fix-data-race-bug.patch new file mode 100644 index 00000000000..2793094ed46 --- /dev/null +++ b/queue-5.4/mmc-via-sdmmc-fix-data-race-bug.patch 
@@ -0,0 +1,48 @@ +From a7d21b9957db2cadea53998f930b7d214c4f83d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 22 Aug 2020 11:45:28 +0530 +Subject: mmc: via-sdmmc: Fix data race bug + +From: Madhuparna Bhowmik + +[ Upstream commit 87d7ad089b318b4f319bf57f1daa64eb6d1d10ad ] + +via_save_pcictrlreg() should be called with host->lock held +as it writes to pm_pcictrl_reg, otherwise there can be a race +condition between via_sd_suspend() and via_sdc_card_detect(). +The same pattern is used in the function via_reset_pcictrl() +as well, where via_save_pcictrlreg() is called with host->lock +held. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Madhuparna Bhowmik +Link: https://lore.kernel.org/r/20200822061528.7035-1-madhuparnabhowmik10@gmail.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/via-sdmmc.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/mmc/host/via-sdmmc.c b/drivers/mmc/host/via-sdmmc.c +index 8d96ecba1b553..d12a068b0f9ed 100644 +--- a/drivers/mmc/host/via-sdmmc.c ++++ b/drivers/mmc/host/via-sdmmc.c +@@ -1259,11 +1259,14 @@ static void via_init_sdc_pm(struct via_crdr_mmc_host *host) + static int via_sd_suspend(struct pci_dev *pcidev, pm_message_t state) + { + struct via_crdr_mmc_host *host; ++ unsigned long flags; + + host = pci_get_drvdata(pcidev); + ++ spin_lock_irqsave(&host->lock, flags); + via_save_pcictrlreg(host); + via_save_sdcreg(host); ++ spin_unlock_irqrestore(&host->lock, flags); + + pci_save_state(pcidev); + pci_enable_wake(pcidev, pci_choose_state(pcidev, state), 0); +-- +2.27.0 + diff --git a/queue-5.4/nbd-make-the-config-put-is-called-before-the-notifyi.patch b/queue-5.4/nbd-make-the-config-put-is-called-before-the-notifyi.patch new file mode 100644 index 00000000000..58d1c21539b --- /dev/null +++ b/queue-5.4/nbd-make-the-config-put-is-called-before-the-notifyi.patch 
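Review bot: `via_save_sdcreg(host)` is now also called under `host->lock` with interrupts disabled in via_sd_suspend(), although the commit message motivates the lock only for via_save_pcictrlreg() and its write to pm_pcictrl_reg. If both calls are meant to be covered, a comment on the locked region saying what `host->lock` protects would record that; otherwise the unlock can move up one line. If all callers of via_save_pcictrlreg() hold the lock, as the commit message suggests, a `lockdep_assert_held(&host->lock);` in that function (outside this hunk) would make the rule checkable.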
@@ -0,0 +1,43 @@ +From f5587f44cff02fc4f90aa7397ba7ede3a193de71 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Oct 2020 22:45:14 -0400 +Subject: nbd: make the config put is called before the notifying the waiter + +From: Xiubo Li + +[ Upstream commit 87aac3a80af5cbad93e63250e8a1e19095ba0d30 ] + +There has one race case for ceph's rbd-nbd tool. When do mapping +it may fail with EBUSY from ioctl(nbd, NBD_DO_IT), but actually +the nbd device has already unmaped. + +It dues to if just after the wake_up(), the recv_work() is scheduled +out and defers calling the nbd_config_put(), though the map process +has exited the "nbd->recv_task" is not cleared. + +Signed-off-by: Xiubo Li +Reviewed-by: Josef Bacik +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/nbd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c +index 7c577cabb9c3b..742f8160b6e28 100644 +--- a/drivers/block/nbd.c ++++ b/drivers/block/nbd.c +@@ -787,9 +787,9 @@ static void recv_work(struct work_struct *work) + + blk_mq_complete_request(blk_mq_rq_from_pdu(cmd)); + } ++ nbd_config_put(nbd); + atomic_dec(&config->recv_threads); + wake_up(&config->recv_wq); +- nbd_config_put(nbd); + kfree(args); + } + +-- +2.27.0 + diff --git a/queue-5.4/net-9p-initialize-sun_server.sun_path-to-have-addr-s.patch b/queue-5.4/net-9p-initialize-sun_server.sun_path-to-have-addr-s.patch new file mode 100644 index 00000000000..8de0e15f7ae --- /dev/null +++ b/queue-5.4/net-9p-initialize-sun_server.sun_path-to-have-addr-s.patch 
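Review bot: After the reorder in recv_work(), `config` is still dereferenced by `atomic_dec(&config->recv_threads)` and `wake_up(&config->recv_wq)` after `nbd_config_put(nbd)` has dropped this worker's reference. If that put can be the last reference to the configuration (not determinable from the hunk), those two lines would run on released memory. The patch should say which reference keeps `config` alive at this point, for instance in a comment above the put. The start of recv_work() is outside the hunk.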
@@ -0,0 +1,45 @@ +From e86af9de58f8c51b18f097cb2aca877cea272264 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Oct 2020 09:54:04 +0530 +Subject: net: 9p: initialize sun_server.sun_path to have addr's value only + when addr is valid + +From: Anant Thazhemadam + +[ Upstream commit 7ca1db21ef8e0e6725b4d25deed1ca196f7efb28 ] + +In p9_fd_create_unix, checking is performed to see if the addr (passed +as an argument) is NULL or not. +However, no check is performed to see if addr is a valid address, i.e., +it doesn't entirely consist of only 0's. +The initialization of sun_server.sun_path to be equal to this faulty +addr value leads to an uninitialized variable, as detected by KMSAN. +Checking for this (faulty addr) and returning a negative error number +appropriately, resolves this issue. + +Link: http://lkml.kernel.org/r/20201012042404.2508-1-anant.thazhemadam@gmail.com +Reported-by: syzbot+75d51fe5bf4ebe988518@syzkaller.appspotmail.com +Tested-by: syzbot+75d51fe5bf4ebe988518@syzkaller.appspotmail.com +Signed-off-by: Anant Thazhemadam +Signed-off-by: Dominique Martinet +Signed-off-by: Sasha Levin +--- + net/9p/trans_fd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c +index 12ecacf0c55fb..60eb9a2b209be 100644 +--- a/net/9p/trans_fd.c ++++ b/net/9p/trans_fd.c +@@ -1023,7 +1023,7 @@ p9_fd_create_unix(struct p9_client *client, const char *addr, char *args) + + csocket = NULL; + +- if (addr == NULL) ++ if (!addr || !strlen(addr)) + return -EINVAL; + + if (strlen(addr) >= UNIX_PATH_MAX) { +-- +2.27.0 + diff --git a/queue-5.4/nfs4-fix-oops-when-copy_file_range-is-attempted-with.patch b/queue-5.4/nfs4-fix-oops-when-copy_file_range-is-attempted-with.patch new file mode 100644 index 00000000000..2aadea6a8b8 --- /dev/null +++ b/queue-5.4/nfs4-fix-oops-when-copy_file_range-is-attempted-with.patch 
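Review bot: The new test `!strlen(addr)` in p9_fd_create_unix() walks the whole string only to learn whether it is empty, and `strlen(addr)` is evaluated again two lines below for the UNIX_PATH_MAX check. `if (!addr || !*addr)` expresses the same condition without the scan. The commit message speaks of an address that consists entirely of 0's, while the code rejects the empty string; a one-line comment saying so, `/* reject a NULL or empty socket path */`, would remove the ambiguity. The function continues outside the hunk.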
@@ -0,0 +1,62 @@ +From 9cfdc54049f082fd2b2d3a4b7f5c1315884c3f14 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Aug 2020 12:11:47 -0400 +Subject: NFS4: Fix oops when copy_file_range is attempted with NFS4.0 source + +From: Dave Wysochanski + +[ Upstream commit d8a6ad913c286d4763ae20b14c02fe6f39d7cd9f ] + +The following oops is seen during xfstest/565 when the 'test' +(source of the copy) is NFS4.0 and 'scratch' (destination) is NFS4.2 +[ 59.692458] run fstests generic/565 at 2020-08-01 05:50:35 +[ 60.613588] BUG: kernel NULL pointer dereference, address: 0000000000000008 +[ 60.624970] #PF: supervisor read access in kernel mode +[ 60.627671] #PF: error_code(0x0000) - not-present page +[ 60.630347] PGD 0 P4D 0 +[ 60.631853] Oops: 0000 [#1] SMP PTI +[ 60.634086] CPU: 6 PID: 2828 Comm: xfs_io Kdump: loaded Not tainted 5.8.0-rc3 #1 +[ 60.637676] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 +[ 60.639901] RIP: 0010:nfs4_check_serverowner_major_id+0x5/0x30 [nfsv4] +[ 60.642719] Code: 89 ff e8 3e b3 b8 e1 e9 71 fe ff ff 41 bc da d8 ff ff e9 c3 fe ff ff e8 e9 9d 08 e2 66 0f 1f 84 00 00 00 00 00 66 66 66 66 90 <8b> 57 08 31 c0 3b 56 08 75 12 48 83 c6 0c 48 83 c7 0c e8 c4 97 bb +[ 60.652629] RSP: 0018:ffffc265417f7e10 EFLAGS: 00010287 +[ 60.655379] RAX: ffffa0664b066400 RBX: 0000000000000000 RCX: 0000000000000001 +[ 60.658754] RDX: ffffa066725fb000 RSI: ffffa066725fd000 RDI: 0000000000000000 +[ 60.662292] RBP: 0000000000020000 R08: 0000000000020000 R09: 0000000000000000 +[ 60.666189] R10: 0000000000000003 R11: 0000000000000000 R12: ffffa06648258d00 +[ 60.669914] R13: 0000000000000000 R14: 0000000000000000 R15: ffffa06648258100 +[ 60.673645] FS: 00007faa9fb35800(0000) GS:ffffa06677d80000(0000) knlGS:0000000000000000 +[ 60.677698] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 60.680773] CR2: 0000000000000008 CR3: 0000000203f14000 CR4: 00000000000406e0 +[ 60.684476] Call Trace: +[ 60.685809] nfs4_copy_file_range+0xfc/0x230 [nfsv4] +[ 60.688704] 
vfs_copy_file_range+0x2ee/0x310 +[ 60.691104] __x64_sys_copy_file_range+0xd6/0x210 +[ 60.693527] do_syscall_64+0x4d/0x90 +[ 60.695512] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 60.698006] RIP: 0033:0x7faa9febc1bd + +Signed-off-by: Dave Wysochanski +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs4file.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/nfs/nfs4file.c b/fs/nfs/nfs4file.c +index 534b6fd70ffdb..6b31cb5f9c9db 100644 +--- a/fs/nfs/nfs4file.c ++++ b/fs/nfs/nfs4file.c +@@ -138,7 +138,8 @@ static ssize_t __nfs4_copy_file_range(struct file *file_in, loff_t pos_in, + /* Only offload copy if superblock is the same */ + if (file_inode(file_in)->i_sb != file_inode(file_out)->i_sb) + return -EXDEV; +- if (!nfs_server_capable(file_inode(file_out), NFS_CAP_COPY)) ++ if (!nfs_server_capable(file_inode(file_out), NFS_CAP_COPY) || ++ !nfs_server_capable(file_inode(file_in), NFS_CAP_COPY)) + return -EOPNOTSUPP; + if (file_inode(file_in) == file_inode(file_out)) + return -EOPNOTSUPP; +-- +2.27.0 + diff --git a/queue-5.4/nvme-rdma-fix-crash-when-connect-rejected.patch b/queue-5.4/nvme-rdma-fix-crash-when-connect-rejected.patch new file mode 100644 index 00000000000..0727f666955 --- /dev/null +++ b/queue-5.4/nvme-rdma-fix-crash-when-connect-rejected.patch 
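Review bot: The added `nfs_server_capable(file_inode(file_in), NFS_CAP_COPY)` test in __nfs4_copy_file_range() sits below the context check that returns -EXDEV unless both inodes share `i_sb`. If the capability lookup goes through the inode's superblock, as I would expect, source and destination resolve to the same server at this point, so the new condition can never differ from the existing one. The oops in the commit message needs an NFSv4.0 source and an NFSv4.2 destination, that is, two mounts, which this tree already rejects a few lines above. Please confirm the backport is needed on 5.4; if it is kept only for parity with upstream, the patch description should say so.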
@@ -0,0 +1,47 @@ +From 3d60426ae20f5f0021c4c50b6227ea684807445b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Oct 2020 16:10:40 +0800 +Subject: nvme-rdma: fix crash when connect rejected + +From: Chao Leng + +[ Upstream commit 43efdb8e870ee0f58633fd579aa5b5185bf5d39e ] + +A crash can happened when a connect is rejected. The host establishes +the connection after received ConnectReply, and then continues to send +the fabrics Connect command. If the controller does not receive the +ReadyToUse capsule, host may receive a ConnectReject reply. + +Call nvme_rdma_destroy_queue_ib after the host received the +RDMA_CM_EVENT_REJECTED event. Then when the fabrics Connect command +times out, nvme_rdma_timeout calls nvme_rdma_complete_rq to fail the +request. A crash happenes due to use after free in +nvme_rdma_complete_rq. + +nvme_rdma_destroy_queue_ib is redundant when handling the +RDMA_CM_EVENT_REJECTED event as nvme_rdma_destroy_queue_ib is already +called in connection failure handler. + +Signed-off-by: Chao Leng +Reviewed-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/rdma.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c +index abe4fe496d05c..a41ee9feab8e7 100644 +--- a/drivers/nvme/host/rdma.c ++++ b/drivers/nvme/host/rdma.c +@@ -1679,7 +1679,6 @@ static int nvme_rdma_cm_handler(struct rdma_cm_id *cm_id, + complete(&queue->cm_done); + return 0; + case RDMA_CM_EVENT_REJECTED: +- nvme_rdma_destroy_queue_ib(queue); + cm_error = nvme_rdma_conn_rejected(queue, ev); + break; + case RDMA_CM_EVENT_ROUTE_ERROR: +-- +2.27.0 + diff --git a/queue-5.4/power-supply-bq27xxx-report-not-charging-on-all-type.patch b/queue-5.4/power-supply-bq27xxx-report-not-charging-on-all-type.patch new file mode 100644 index 00000000000..30ebd8f0ef5 --- /dev/null +++ b/queue-5.4/power-supply-bq27xxx-report-not-charging-on-all-type.patch 
@@ -0,0 +1,55 @@ +From 0444b609ef1f5449df15a5818d4dfa5794495379 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Sep 2020 16:04:14 +0200 +Subject: power: supply: bq27xxx: report "not charging" on all types + +From: Krzysztof Kozlowski + +[ Upstream commit 7bf738ba110722b63e9dc8af760d3fb2aef25593 ] + +Commit 6f24ff97e323 ("power: supply: bq27xxx_battery: Add the +BQ27Z561 Battery monitor") and commit d74534c27775 ("power: +bq27xxx_battery: Add support for additional bq27xxx family devices") +added support for new device types by copying most of the code and +adding necessary quirks. + +However they did not copy the code in bq27xxx_battery_status() +responsible for returning POWER_SUPPLY_STATUS_NOT_CHARGING. + +Unify the bq27xxx_battery_status() so for all types when charger is +supplied, it will return "not charging" status. + +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/bq27xxx_battery.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/power/supply/bq27xxx_battery.c b/drivers/power/supply/bq27xxx_battery.c +index 664e50103eaaf..aff0a0a5e7f8c 100644 +--- a/drivers/power/supply/bq27xxx_battery.c ++++ b/drivers/power/supply/bq27xxx_battery.c +@@ -1678,8 +1678,6 @@ static int bq27xxx_battery_status(struct bq27xxx_device_info *di, + status = POWER_SUPPLY_STATUS_FULL; + else if (di->cache.flags & BQ27000_FLAG_CHGS) + status = POWER_SUPPLY_STATUS_CHARGING; +- else if (power_supply_am_i_supplied(di->bat) > 0) +- status = POWER_SUPPLY_STATUS_NOT_CHARGING; + else + status = POWER_SUPPLY_STATUS_DISCHARGING; + } else { +@@ -1691,6 +1689,10 @@ static int bq27xxx_battery_status(struct bq27xxx_device_info *di, + status = POWER_SUPPLY_STATUS_CHARGING; + } + ++ if ((status == POWER_SUPPLY_STATUS_DISCHARGING) && ++ (power_supply_am_i_supplied(di->bat) > 0)) ++ status = POWER_SUPPLY_STATUS_NOT_CHARGING; ++ + val->intval = status; + + return 0; +-- +2.27.0 + 
diff --git a/queue-5.4/power-supply-test_power-add-missing-newlines-when-pr.patch b/queue-5.4/power-supply-test_power-add-missing-newlines-when-pr.patch new file mode 100644 index 00000000000..d98dd182b8d --- /dev/null +++ b/queue-5.4/power-supply-test_power-add-missing-newlines-when-pr.patch 
@@ -0,0 +1,84 @@ +From 167eb4c7e1f197f41cd334ea5bd81cf70f9992b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Sep 2020 14:09:58 +0800 +Subject: power: supply: test_power: add missing newlines when printing + parameters by sysfs + +From: Xiongfeng Wang + +[ Upstream commit c07fa6c1631333f02750cf59f22b615d768b4d8f ] + +When I cat some module parameters by sysfs, it displays as follows. +It's better to add a newline for easy reading. + +root@syzkaller:~# cd /sys/module/test_power/parameters/ +root@syzkaller:/sys/module/test_power/parameters# cat ac_online +onroot@syzkaller:/sys/module/test_power/parameters# cat battery_present +trueroot@syzkaller:/sys/module/test_power/parameters# cat battery_health +goodroot@syzkaller:/sys/module/test_power/parameters# cat battery_status +dischargingroot@syzkaller:/sys/module/test_power/parameters# cat battery_technology +LIONroot@syzkaller:/sys/module/test_power/parameters# cat usb_online +onroot@syzkaller:/sys/module/test_power/parameters# + +Signed-off-by: Xiongfeng Wang +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/test_power.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/power/supply/test_power.c b/drivers/power/supply/test_power.c +index c3cad2b6dabae..1139ca7251952 100644 +--- a/drivers/power/supply/test_power.c ++++ b/drivers/power/supply/test_power.c +@@ -341,6 +341,7 @@ static int param_set_ac_online(const char *key, const struct kernel_param *kp) + static int param_get_ac_online(char *buffer, const struct kernel_param *kp) + { + strcpy(buffer, map_get_key(map_ac_online, ac_online, "unknown")); ++ strcat(buffer, "\n"); + return strlen(buffer); + } + +@@ -354,6 +355,7 @@ static int param_set_usb_online(const char *key, const struct kernel_param *kp) + static int param_get_usb_online(char *buffer, const struct kernel_param *kp) + { + strcpy(buffer, map_get_key(map_ac_online, usb_online, "unknown")); ++ strcat(buffer, "\n"); + return 
strlen(buffer); + } + +@@ -368,6 +370,7 @@ static int param_set_battery_status(const char *key, + static int param_get_battery_status(char *buffer, const struct kernel_param *kp) + { + strcpy(buffer, map_get_key(map_status, battery_status, "unknown")); ++ strcat(buffer, "\n"); + return strlen(buffer); + } + +@@ -382,6 +385,7 @@ static int param_set_battery_health(const char *key, + static int param_get_battery_health(char *buffer, const struct kernel_param *kp) + { + strcpy(buffer, map_get_key(map_health, battery_health, "unknown")); ++ strcat(buffer, "\n"); + return strlen(buffer); + } + +@@ -397,6 +401,7 @@ static int param_get_battery_present(char *buffer, + const struct kernel_param *kp) + { + strcpy(buffer, map_get_key(map_present, battery_present, "unknown")); ++ strcat(buffer, "\n"); + return strlen(buffer); + } + +@@ -414,6 +419,7 @@ static int param_get_battery_technology(char *buffer, + { + strcpy(buffer, + map_get_key(map_technology, battery_technology, "unknown")); ++ strcat(buffer, "\n"); + return strlen(buffer); + } + +-- +2.27.0 + diff --git a/queue-5.4/powerpc-powernv-smp-fix-spurious-dbg-warning.patch b/queue-5.4/powerpc-powernv-smp-fix-spurious-dbg-warning.patch new file mode 100644 index 00000000000..fa0d74088d2 --- /dev/null +++ b/queue-5.4/powerpc-powernv-smp-fix-spurious-dbg-warning.patch 
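Review bot: Each of the six getters now builds its output with `strcpy()` followed by `strcat()` and a final `strlen()`, none of which knows the size of `buffer`. The strings come from the driver's own maps, so this is not an overflow as written, but a single bounded format call is shorter and stays safe if a map entry grows: `return scnprintf(buffer, PAGE_SIZE, "%s\n", map_get_key(map_ac_online, ac_online, "unknown"));` (assuming the usual page-sized parameter buffer). The same form applies to param_get_usb_online, param_get_battery_status, param_get_battery_health, param_get_battery_present and param_get_battery_technology.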
@@ -0,0 +1,55 @@
+From 0c8971ccc674e879e36c5880945e64103628d573 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 4 Aug 2020 10:54:05 +1000
+Subject: powerpc/powernv/smp: Fix spurious DBG() warning
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Oliver O'Halloran
+
+[ Upstream commit f6bac19cf65c5be21d14a0c9684c8f560f2096dd ]
+
+When building with W=1 we get the following warning:
+
+ arch/powerpc/platforms/powernv/smp.c: In function ‘pnv_smp_cpu_kill_self’:
+ arch/powerpc/platforms/powernv/smp.c:276:16: error: suggest braces around
+ empty body in an ‘if’ statement [-Werror=empty-body]
+ 276 | cpu, srr1);
+ | ^
+ cc1: all warnings being treated as errors
+
+The full context is this block:
+
+ if (srr1 && !generic_check_cpu_restart(cpu))
+ DBG("CPU%d Unexpected exit while offline srr1=%lx!\n",
+ cpu, srr1);
+
+When building with DEBUG undefined DBG() expands to nothing and GCC emits
+the warning due to the lack of braces around an empty statement.
+
+Signed-off-by: Oliver O'Halloran
+Reviewed-by: Joel Stanley
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/20200804005410.146094-2-oohall@gmail.com
+Signed-off-by: Sasha Levin
+---
+ arch/powerpc/platforms/powernv/smp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/platforms/powernv/smp.c b/arch/powerpc/platforms/powernv/smp.c
+index b2ba3e95bda73..bbf361f23ae86 100644
+--- a/arch/powerpc/platforms/powernv/smp.c
++++ b/arch/powerpc/platforms/powernv/smp.c
+@@ -43,7 +43,7 @@
+ #include
+ #define DBG(fmt...) udbg_printf(fmt)
+ #else
+-#define DBG(fmt...)
++#define DBG(fmt...) do { } while (0)
+ #endif
+
+ static void pnv_smp_setup_cpu(int cpu)
+--
+2.27.0
+
diff --git a/queue-5.4/powerpc-select-arch_want_irqs_off_activate_mm.patch b/queue-5.4/powerpc-select-arch_want_irqs_off_activate_mm.patch
new file mode 100644
index 00000000000..5ba0ac7e198
--- /dev/null
+++ b/queue-5.4/powerpc-select-arch_want_irqs_off_activate_mm.patch
@@ -0,0 +1,50 @@
+From 172fe229ab013c00c725c5c1fc0caaeb4c7dad7f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 14 Sep 2020 14:52:17 +1000
+Subject: powerpc: select ARCH_WANT_IRQS_OFF_ACTIVATE_MM
+
+From: Nicholas Piggin
+
+[ Upstream commit 66acd46080bd9e5ad2be4b0eb1d498d5145d058e ]
+
+powerpc uses IPIs in some situations to switch a kernel thread away
+from a lazy tlb mm, which is subject to the TLB flushing race
+described in the changelog introducing ARCH_WANT_IRQS_OFF_ACTIVATE_MM.
+
+Signed-off-by: Nicholas Piggin
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/20200914045219.3736466-3-npiggin@gmail.com
+Signed-off-by: Sasha Levin
+---
+ arch/powerpc/Kconfig | 1 +
+ arch/powerpc/include/asm/mmu_context.h | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
+index ad620637cbd11..27ef333e96f6d 100644
+--- a/arch/powerpc/Kconfig
++++ b/arch/powerpc/Kconfig
+@@ -147,6 +147,7 @@ config PPC
+ select ARCH_USE_BUILTIN_BSWAP
+ select ARCH_USE_CMPXCHG_LOCKREF if PPC64
+ select ARCH_WANT_IPC_PARSE_VERSION
++ select ARCH_WANT_IRQS_OFF_ACTIVATE_MM
+ select ARCH_WEAK_RELEASE_ACQUIRE
+ select BINFMT_ELF
+ select BUILDTIME_EXTABLE_SORT
+diff --git a/arch/powerpc/include/asm/mmu_context.h b/arch/powerpc/include/asm/mmu_context.h
+index 58efca9343113..f132b418a8c7a 100644
+--- a/arch/powerpc/include/asm/mmu_context.h
++++ b/arch/powerpc/include/asm/mmu_context.h
+@@ -216,7 +216,7 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
+ */
+ static inline void activate_mm(struct mm_struct *prev, struct mm_struct *next)
+ {
+- switch_mm(prev, next, current);
++ switch_mm_irqs_off(prev, next, current);
+ }
+
+ /* We don't currently use enter_lazy_tlb() for anything */
+--
+2.27.0
+
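Review bot: `activate_mm()` now calls `switch_mm_irqs_off()` but nothing at the call site records that the caller must already have interrupts disabled. That precondition presumably comes from the generic exec path once ARCH_WANT_IRQS_OFF_ACTIVATE_MM is selected; the series file lists mm-fix-exec-activate_mm-vs-tlb-shootdown-and-lazy-tl.patch just before this patch, so the two have to be backported together. A one-line comment above the call would keep the dependency visible: `/* Caller disables IRQs when ARCH_WANT_IRQS_OFF_ACTIVATE_MM is selected. */`.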
diff --git a/queue-5.4/printk-reduce-log_buf_shift-range-for-h8300.patch b/queue-5.4/printk-reduce-log_buf_shift-range-for-h8300.patch
new file mode 100644
index 00000000000..288aad8e511
--- /dev/null
+++ b/queue-5.4/printk-reduce-log_buf_shift-range-for-h8300.patch
@@ -0,0 +1,42 @@
+From fc792056b46b4b9562c20c6f98e6a75efcdb811f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 12 Aug 2020 09:37:22 +0206
+Subject: printk: reduce LOG_BUF_SHIFT range for H8300
+
+From: John Ogness
+
+[ Upstream commit 550c10d28d21bd82a8bb48debbb27e6ed53262f6 ]
+
+The .bss section for the h8300 is relatively small. A value of
+CONFIG_LOG_BUF_SHIFT that is larger than 19 will create a static
+printk ringbuffer that is too large. Limit the range appropriately
+for the H8300.
+
+Reported-by: kernel test robot
+Signed-off-by: John Ogness
+Reviewed-by: Sergey Senozhatsky
+Acked-by: Steven Rostedt (VMware)
+Signed-off-by: Petr Mladek
+Link: https://lore.kernel.org/r/20200812073122.25412-1-john.ogness@linutronix.de
+Signed-off-by: Sasha Levin
+---
+ init/Kconfig | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 6db3e310a5e42..96fc45d1b686b 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -594,7 +594,8 @@ config IKHEADERS
+
+ config LOG_BUF_SHIFT
+ int "Kernel log buffer size (16 => 64KB, 17 => 128KB)"
+- range 12 25
++ range 12 25 if !H8300
++ range 12 19 if H8300
+ default 17
+ depends on PRINTK
+ help
+--
+2.27.0
+
diff --git a/queue-5.4/rdma-qedr-fix-memory-leak-in-iwarp-cm.patch b/queue-5.4/rdma-qedr-fix-memory-leak-in-iwarp-cm.patch
new file mode 100644
index 00000000000..04017200c9c
--- /dev/null
+++ b/queue-5.4/rdma-qedr-fix-memory-leak-in-iwarp-cm.patch
@@ -0,0 +1,37 @@
+From c90b3365c214f12ccff87a2db631db98e8541ccd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 21 Oct 2020 11:50:08 +0000
+Subject: RDMA/qedr: Fix memory leak in iWARP CM
+
+From: Alok Prasad
+
+[ Upstream commit a2267f8a52eea9096861affd463f691be0f0e8c9 ]
+
+Fixes memory leak in iWARP CM
+
+Fixes: e411e0587e0d ("RDMA/qedr: Add iWARP connection management functions")
+Link: https://lore.kernel.org/r/20201021115008.28138-1-palok@marvell.com
+Signed-off-by: Michal Kalderon
+Signed-off-by: Igor Russkikh
+Signed-off-by: Alok Prasad
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Sasha Levin
+---
+ drivers/infiniband/hw/qedr/qedr_iw_cm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/infiniband/hw/qedr/qedr_iw_cm.c b/drivers/infiniband/hw/qedr/qedr_iw_cm.c
+index e521f3c3dbbf1..653ddf30973ec 100644
+--- a/drivers/infiniband/hw/qedr/qedr_iw_cm.c
++++ b/drivers/infiniband/hw/qedr/qedr_iw_cm.c
+@@ -727,6 +727,7 @@ int qedr_iw_destroy_listen(struct iw_cm_id *cm_id)
+ listener->qed_handle);
+
+ cm_id->rem_ref(cm_id);
++ kfree(listener);
+ return rc;
+ }
+
+--
+2.27.0
+
diff --git a/queue-5.4/riscv-define-at_vector_size_arch-for-arch_dlinfo.patch b/queue-5.4/riscv-define-at_vector_size_arch-for-arch_dlinfo.patch
new file mode 100644
index 00000000000..a8f3bda8d56
--- /dev/null
+++ b/queue-5.4/riscv-define-at_vector_size_arch-for-arch_dlinfo.patch
@@ -0,0 +1,38 @@
+From 42e82a0d84d5c849260b27b84624f92b1d933a9a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 31 Aug 2020 15:33:49 +0800
+Subject: riscv: Define AT_VECTOR_SIZE_ARCH for ARCH_DLINFO
+
+From: Zong Li
+
+[ Upstream commit b5fca7c55f9fbab5ad732c3bce00f31af6ba5cfa ]
+
+AT_VECTOR_SIZE_ARCH should be defined with the maximum number of
+NEW_AUX_ENT entries that ARCH_DLINFO can contain, but it wasn't defined
+for RISC-V at all even though ARCH_DLINFO will contain one NEW_AUX_ENT
+for the VDSO address.
+
+Signed-off-by: Zong Li
+Reviewed-by: Palmer Dabbelt
+Reviewed-by: Pekka Enberg
+Signed-off-by: Palmer Dabbelt
+Signed-off-by: Sasha Levin
+---
+ arch/riscv/include/uapi/asm/auxvec.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/riscv/include/uapi/asm/auxvec.h b/arch/riscv/include/uapi/asm/auxvec.h
+index d86cb17bbabe6..22e0ae8884061 100644
+--- a/arch/riscv/include/uapi/asm/auxvec.h
++++ b/arch/riscv/include/uapi/asm/auxvec.h
+@@ -10,4 +10,7 @@
+ /* vDSO location */
+ #define AT_SYSINFO_EHDR 33
+
++/* entries in ARCH_DLINFO */
++#define AT_VECTOR_SIZE_ARCH 1
++
+ #endif /* _UAPI_ASM_RISCV_AUXVEC_H */
+--
+2.27.0
+
diff --git a/queue-5.4/rpmsg-glink-use-complete_all-for-open-states.patch b/queue-5.4/rpmsg-glink-use-complete_all-for-open-states.patch
new file mode 100644
index 00000000000..258a430d05f
--- /dev/null
+++ b/queue-5.4/rpmsg-glink-use-complete_all-for-open-states.patch
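Review bot: The new comment `/* entries in ARCH_DLINFO */` does not say that `AT_VECTOR_SIZE_ARCH` is a sizing bound that must be raised whenever ARCH_DLINFO gains another NEW_AUX_ENT. The commit message describes it as the maximum number of such entries, so a value that falls behind would undersize whatever is allocated from it. A more explicit comment keeps the two in step: `/* Number of NEW_AUX_ENT() entries ARCH_DLINFO emits; update both together. */`.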
@@ -0,0 +1,57 @@
+From a5a63f94b352eb8c77494cf072c82986d15114d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 24 Jun 2020 22:15:18 +0530
+Subject: rpmsg: glink: Use complete_all for open states
+
+From: Chris Lew
+
+[ Upstream commit 4fcdaf6e28d11e2f3820d54dd23cd12a47ddd44e ]
+
+The open_req and open_ack completion variables are the state variables
+to represet a remote channel as open. Use complete_all so there are no
+races with waiters and using completion_done.
+
+Signed-off-by: Chris Lew
+Signed-off-by: Arun Kumar Neelakantam
+Signed-off-by: Deepak Kumar Singh
+Link: https://lore.kernel.org/r/1593017121-7953-2-git-send-email-deesin@codeaurora.org
+Signed-off-by: Bjorn Andersson
+Signed-off-by: Sasha Levin
+---
+ drivers/rpmsg/qcom_glink_native.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/rpmsg/qcom_glink_native.c b/drivers/rpmsg/qcom_glink_native.c
+index 1995f5b3ea677..d5114abcde197 100644
+--- a/drivers/rpmsg/qcom_glink_native.c
++++ b/drivers/rpmsg/qcom_glink_native.c
+@@ -970,7 +970,7 @@ static int qcom_glink_rx_open_ack(struct qcom_glink *glink, unsigned int lcid)
+ return -EINVAL;
+ }
+
+- complete(&channel->open_ack);
++ complete_all(&channel->open_ack);
+
+ return 0;
+ }
+@@ -1178,7 +1178,7 @@ static int qcom_glink_announce_create(struct rpmsg_device *rpdev)
+ __be32 *val = defaults;
+ int size;
+
+- if (glink->intentless)
++ if (glink->intentless || !completion_done(&channel->open_ack))
+ return 0;
+
+ prop = of_find_property(np, "qcom,intents", NULL);
+@@ -1413,7 +1413,7 @@ static int qcom_glink_rx_open(struct qcom_glink *glink, unsigned int rcid,
+ channel->rcid = ret;
+ spin_unlock_irqrestore(&glink->idr_lock, flags);
+
+- complete(&channel->open_req);
++ complete_all(&channel->open_req);
+
+ if (create_device) {
+ rpdev = kzalloc(sizeof(*rpdev), GFP_KERNEL);
+--
+2.27.0
+
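Review bot: In qcom_glink_announce_create() the new `!completion_done(&channel->open_ack)` test returns 0 without a comment or log line, so a channel whose open ack has not yet arrived skips the "qcom,intents" handling and the caller sees success. Whether the announce is repeated once the ack lands cannot be told from this hunk, and the function continues outside it. A short comment at the check would record the intent, for example `/* Channel is not open yet; intents are only advertised after open_ack. */`, and it is worth confirming that a later path covers that case.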
diff --git a/queue-5.4/s390-startup-avoid-save_area_sync-overflow.patch b/queue-5.4/s390-startup-avoid-save_area_sync-overflow.patch
new file mode 100644
index 00000000000..0a65f814b15
--- /dev/null
+++ b/queue-5.4/s390-startup-avoid-save_area_sync-overflow.patch
@@ -0,0 +1,62 @@ +From 33ff34e5fb4aa0ec0fd4d13f36dd502fad814b44 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Sep 2020 19:07:04 +0200 +Subject: s390/startup: avoid save_area_sync overflow + +From: Vasily Gorbik + +[ Upstream commit 2835c2ea95d50625108e47a459e1a47f6be836ce ] + +Currently we overflow save_area_sync and write over +save_area_async. Although this is not a real problem make +startup_pgm_check_handler consistent with late pgm check handler and +store [%r0,%r7] directly into gpregs_save_area. + +Reviewed-by: Sven Schnelle +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + arch/s390/boot/head.S | 21 +++++++++++---------- + 1 file changed, 11 insertions(+), 10 deletions(-) + +diff --git a/arch/s390/boot/head.S b/arch/s390/boot/head.S +index 4b86a8d3c1219..e6bf5f40bff34 100644 +--- a/arch/s390/boot/head.S ++++ b/arch/s390/boot/head.S +@@ -360,22 +360,23 @@ ENTRY(startup_kdump) + # the save area and does disabled wait with a faulty address. + # + ENTRY(startup_pgm_check_handler) +- stmg %r0,%r15,__LC_SAVE_AREA_SYNC +- la %r1,4095 +- stctg %c0,%c15,__LC_CREGS_SAVE_AREA-4095(%r1) +- mvc __LC_GPREGS_SAVE_AREA-4095(128,%r1),__LC_SAVE_AREA_SYNC +- mvc __LC_PSW_SAVE_AREA-4095(16,%r1),__LC_PGM_OLD_PSW ++ stmg %r8,%r15,__LC_SAVE_AREA_SYNC ++ la %r8,4095 ++ stctg %c0,%c15,__LC_CREGS_SAVE_AREA-4095(%r8) ++ stmg %r0,%r7,__LC_GPREGS_SAVE_AREA-4095(%r8) ++ mvc __LC_GPREGS_SAVE_AREA-4095+64(64,%r8),__LC_SAVE_AREA_SYNC ++ mvc __LC_PSW_SAVE_AREA-4095(16,%r8),__LC_PGM_OLD_PSW + mvc __LC_RETURN_PSW(16),__LC_PGM_OLD_PSW + ni __LC_RETURN_PSW,0xfc # remove IO and EX bits + ni __LC_RETURN_PSW+1,0xfb # remove MCHK bit + oi __LC_RETURN_PSW+1,0x2 # set wait state bit +- larl %r2,.Lold_psw_disabled_wait +- stg %r2,__LC_PGM_NEW_PSW+8 +- l %r15,.Ldump_info_stack-.Lold_psw_disabled_wait(%r2) ++ larl %r9,.Lold_psw_disabled_wait ++ stg %r9,__LC_PGM_NEW_PSW+8 ++ l %r15,.Ldump_info_stack-.Lold_psw_disabled_wait(%r9) + brasl %r14,print_pgm_check_info + 
.Lold_psw_disabled_wait: +- la %r1,4095 +- lmg %r0,%r15,__LC_GPREGS_SAVE_AREA-4095(%r1) ++ la %r8,4095 ++ lmg %r0,%r15,__LC_GPREGS_SAVE_AREA-4095(%r8) + lpswe __LC_RETURN_PSW # disabled wait + .Ldump_info_stack: + .long 0x5000 + PAGE_SIZE - STACK_FRAME_OVERHEAD +-- +2.27.0 + diff --git a/queue-5.4/samples-bpf-fix-possible-deadlock-in-xdpsock.patch b/queue-5.4/samples-bpf-fix-possible-deadlock-in-xdpsock.patch new file mode 100644 index 00000000000..b947ffdb0c7 --- /dev/null +++ b/queue-5.4/samples-bpf-fix-possible-deadlock-in-xdpsock.patch 
@@ -0,0 +1,41 @@
+From d6075304b875d161c1db7fbde8c5ffc4a1aa18a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 10 Sep 2020 10:31:05 +0200
+Subject: samples/bpf: Fix possible deadlock in xdpsock
+
+From: Magnus Karlsson
+
+[ Upstream commit 5a2a0dd88f0f267ac5953acd81050ae43a82201f ]
+
+Fix a possible deadlock in the l2fwd application in xdpsock that can
+occur when there is no space in the Tx ring. There are two ways to get
+the kernel to consume entries in the Tx ring: calling sendto() to make
+it send packets and freeing entries from the completion ring, as the
+kernel will not send a packet if there is no space for it to add a
+completion entry in the completion ring. The Tx loop in l2fwd only
+used to call sendto(). This patches adds cleaning the completion ring
+in that loop.
+
+Signed-off-by: Magnus Karlsson
+Signed-off-by: Alexei Starovoitov
+Link: https://lore.kernel.org/bpf/1599726666-8431-3-git-send-email-magnus.karlsson@gmail.com
+Signed-off-by: Sasha Levin
+---
+ samples/bpf/xdpsock_user.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/samples/bpf/xdpsock_user.c b/samples/bpf/xdpsock_user.c
+index df011ac334022..79d1005ff2ee3 100644
+--- a/samples/bpf/xdpsock_user.c
++++ b/samples/bpf/xdpsock_user.c
+@@ -677,6 +677,7 @@ static void l2fwd(struct xsk_socket_info *xsk, struct pollfd *fds)
+ while (ret != rcvd) {
+ if (ret < 0)
+ exit_with_error(-ret);
++ complete_tx_l2fwd(xsk, fds);
+ if (xsk_ring_prod__needs_wakeup(&xsk->tx))
+ kick_tx(xsk);
+ ret = xsk_ring_prod__reserve(&xsk->tx, rcvd, &idx_tx);
+--
+2.27.0
+
diff --git a/queue-5.4/selftests-bpf-define-string-const-as-global-for-test.patch b/queue-5.4/selftests-bpf-define-string-const-as-global-for-test.patch
new file mode 100644
index 00000000000..51bb053e291
--- /dev/null
+++ b/queue-5.4/selftests-bpf-define-string-const-as-global-for-test.patch
@@ -0,0 +1,57 @@
+From dc1a85eb9d5fa054ca0799750012ccdfdd86ed51 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 10 Sep 2020 13:27:18 -0700
+Subject: selftests/bpf: Define string const as global for test_sysctl_prog.c
+
+From: Yonghong Song
+
+[ Upstream commit 6e057fc15a2da4ee03eb1fa6889cf687e690106e ]
+
+When tweaking llvm optimizations, I found that selftest build failed
+with the following error:
+ libbpf: elf: skipping unrecognized data section(6) .rodata.str1.1
+ libbpf: prog 'sysctl_tcp_mem': bad map relo against '.L__const.is_tcp_mem.tcp_mem_name'
+ in section '.rodata.str1.1'
+ Error: failed to open BPF object file: Relocation failed
+ make: *** [/work/net-next/tools/testing/selftests/bpf/test_sysctl_prog.skel.h] Error 255
+ make: *** Deleting file `/work/net-next/tools/testing/selftests/bpf/test_sysctl_prog.skel.h'
+
+The local string constant "tcp_mem_name" is put into '.rodata.str1.1' section
+which libbpf cannot handle. Using untweaked upstream llvm, "tcp_mem_name"
+is completely inlined after loop unrolling.
+
+Commit 7fb5eefd7639 ("selftests/bpf: Fix test_sysctl_loop{1, 2}
+failure due to clang change") solved a similar problem by defining
+the string const as a global. Let us do the same here
+for test_sysctl_prog.c so it can weather future potential llvm changes.
+
+Signed-off-by: Yonghong Song
+Signed-off-by: Alexei Starovoitov
+Acked-by: Andrii Nakryiko
+Link: https://lore.kernel.org/bpf/20200910202718.956042-1-yhs@fb.com
+Signed-off-by: Sasha Levin
+---
+ tools/testing/selftests/bpf/progs/test_sysctl_prog.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/progs/test_sysctl_prog.c b/tools/testing/selftests/bpf/progs/test_sysctl_prog.c
+index 5cbbff416998c..4396faf33394a 100644
+--- a/tools/testing/selftests/bpf/progs/test_sysctl_prog.c
++++ b/tools/testing/selftests/bpf/progs/test_sysctl_prog.c
+@@ -19,11 +19,11 @@
+ #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
+ #endif
+
++const char tcp_mem_name[] = "net/ipv4/tcp_mem";
+ static __always_inline int is_tcp_mem(struct bpf_sysctl *ctx)
+ {
+- char tcp_mem_name[] = "net/ipv4/tcp_mem";
+ unsigned char i;
+- char name[64];
++ char name[sizeof(tcp_mem_name)];
+ int ret;
+
+ memset(name, 0, sizeof(name));
+--
+2.27.0
+
diff --git a/queue-5.4/selftests-x86-fsgsbase-reap-a-forgotten-child.patch b/queue-5.4/selftests-x86-fsgsbase-reap-a-forgotten-child.patch
new file mode 100644
index 00000000000..ca16dec6204
--- /dev/null
+++ b/queue-5.4/selftests-x86-fsgsbase-reap-a-forgotten-child.patch
@@ -0,0 +1,36 @@
+From 5922d7c6607d088f9deca34ef58a21d92543e96f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 26 Aug 2020 10:00:45 -0700
+Subject: selftests/x86/fsgsbase: Reap a forgotten child
+
+From: Andy Lutomirski
+
+[ Upstream commit ab2dd173330a3f07142e68cd65682205036cd00f ]
+
+The ptrace() test forgot to reap its child. Reap it.
+
+Signed-off-by: Andy Lutomirski
+Signed-off-by: Ingo Molnar
+Link: https://lore.kernel.org/r/e7700a503f30e79ab35a63103938a19893dbeff2.1598461151.git.luto@kernel.org
+Signed-off-by: Sasha Levin
+---
+ tools/testing/selftests/x86/fsgsbase.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/tools/testing/selftests/x86/fsgsbase.c b/tools/testing/selftests/x86/fsgsbase.c
+index 15a329da59fa3..5f3aea210e018 100644
+--- a/tools/testing/selftests/x86/fsgsbase.c
++++ b/tools/testing/selftests/x86/fsgsbase.c
+@@ -499,6 +499,9 @@ static void test_ptrace_write_gsbase(void)
+
+ END:
+ ptrace(PTRACE_CONT, child, NULL, NULL);
++ wait(&status);
++ if (!WIFEXITED(status))
++ printf("[WARN]\tChild didn't exit cleanly.\n");
+ }
+
+ int main()
+--
+2.27.0
+
diff --git a/queue-5.4/series b/queue-5.4/series
new file mode 100644
index 00000000000..5db4db6b086
--- /dev/null
+++ b/queue-5.4/series
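Review bot: The added `wait(&status)` ignores its return value and reaps whichever child exits first. If the call fails, `WIFEXITED(status)` is evaluated on whatever `status` held before, and the warning could describe a process other than `child`. Reaping the traced child by pid and checking the result closes both gaps: `if (waitpid(child, &status, 0) != child || !WIFEXITED(status))` followed by the existing `printf`. test_ptrace_write_gsbase() starts outside the hunk, so the declaration and earlier uses of `status` are not visible here.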
@@ -0,0 +1,82 @@
+firmware-arm_scmi-fix-arch_cold_reset.patch
+firmware-arm_scmi-add-missing-rx-size-re-initialisat.patch
+x86-unwind-orc-fix-inactive-tasks-with-stack-pointer.patch
+mlxsw-core-fix-use-after-free-in-mlxsw_emad_trans_fi.patch
+rdma-qedr-fix-memory-leak-in-iwarp-cm.patch
+ata-sata_nv-fix-retrieving-of-active-qcs.patch
+futex-fix-incorrect-should_fail_futex-handling.patch
+powerpc-powernv-smp-fix-spurious-dbg-warning.patch
+mm-fix-exec-activate_mm-vs-tlb-shootdown-and-lazy-tl.patch
+powerpc-select-arch_want_irqs_off_activate_mm.patch
+sparc64-remove-mm_cpumask-clearing-to-fix-kthread_us.patch
+f2fs-add-trace-exit-in-exception-path.patch
+f2fs-fix-uninit-value-in-f2fs_lookup.patch
+f2fs-fix-to-check-segment-boundary-during-sit-page-r.patch
+s390-startup-avoid-save_area_sync-overflow.patch
+um-change-sigio_spinlock-to-a-mutex.patch
+f2fs-handle-errors-of-f2fs_get_meta_page_nofail.patch
+arm-8997-2-hw_breakpoint-handle-inexact-watchpoint-a.patch
+nfs4-fix-oops-when-copy_file_range-is-attempted-with.patch
+power-supply-bq27xxx-report-not-charging-on-all-type.patch
+xfs-fix-realtime-bitmap-summary-file-truncation-when.patch
+video-fbdev-pvr2fb-initialize-variables.patch
+ath10k-start-recovery-process-when-payload-length-ex.patch
+ath10k-fix-vht-nss-calculation-when-stbc-is-enabled.patch
+drm-brige-megachips-add-checking-if-ge_b850v3_lvds_i.patch
+selftests-x86-fsgsbase-reap-a-forgotten-child.patch
+media-videodev2.h-rgb-bt2020-and-hsv-are-always-full.patch
+media-platform-improve-queue-set-up-flow-for-bug-fix.patch
+usb-typec-tcpm-during-pr_swap-source-caps-should-be-.patch
+media-tw5864-check-status-of-tw5864_frameinterval_ge.patch
+media-imx274-fix-frame-interval-handling.patch
+mmc-via-sdmmc-fix-data-race-bug.patch
+drm-bridge-synopsys-dsi-add-support-for-non-continuo.patch
+arm64-topology-stop-using-mpidr-for-topology-informa.patch
+printk-reduce-log_buf_shift-range-for-h8300.patch
+ia64-kprobes-use-generic-kretprobe-trampoline-handle.patch
+kgdb-make-kgdbcon-work-properly-with-kgdb_earlycon.patch
+bpf-permit-map_ptr-arithmetic-with-opcode-add-and-of.patch
+media-uvcvideo-fix-dereference-of-out-of-bound-list-.patch
+selftests-bpf-define-string-const-as-global-for-test.patch
+samples-bpf-fix-possible-deadlock-in-xdpsock.patch
+riscv-define-at_vector_size_arch-for-arch_dlinfo.patch
+cpufreq-sti-cpufreq-add-stih418-support.patch
+usb-adutux-fix-debugging.patch
+uio-free-uio-id-after-uio-file-node-is-freed.patch
+coresight-make-sysfs-functional-on-topologies-with-p.patch
+usb-xhci-omit-duplicate-actions-when-suspending-a-ru.patch
+sunrpc-mitigate-cond_resched-in-xprt_transmit.patch
+arm64-mm-return-cpu_all_mask-when-node-is-numa_no_no.patch
+can-flexcan-disable-clocks-during-stop-mode.patch
+xfs-don-t-free-rt-blocks-when-we-re-doing-a-remap-bu.patch
+acpi-add-out-of-bounds-and-numa_off-protections-to-p.patch
+brcmfmac-fix-warning-message-after-dongle-setup-fail.patch
+drivers-net-wan-hdlc_fr-correctly-handle-special-skb.patch
+bus-fsl_mc-do-not-rely-on-caller-to-provide-non-null.patch
+acpi-hmat-fix-handling-of-changes-from-acpi-6.2-to-a.patch
+power-supply-test_power-add-missing-newlines-when-pr.patch
+drm-amd-display-hdmi-remote-sink-need-mode-validatio.patch
+arc-dts-fix-the-errors-detected-by-dtbs_check.patch
+btrfs-fix-replace-of-seed-device.patch
+md-bitmap-md_bitmap_get_counter-returns-wrong-blocks.patch
+bnxt_en-log-unknown-link-speed-appropriately.patch
+rpmsg-glink-use-complete_all-for-open-states.patch
+clk-ti-clockdomain-fix-static-checker-warning.patch
+asm-generic-io.h-fix-config_generic_iomap-pci_iounma.patch
+net-9p-initialize-sun_server.sun_path-to-have-addr-s.patch
+drivers-watchdog-rdc321x_wdt-fix-race-condition-bugs.patch
+ext4-detect-already-used-quota-file-early.patch
+kvm-ppc-book3s-hv-do-not-allocate-hpt-for-a-nested-g.patch
+gfs2-use-after-free-in-sysfs-deregistration.patch
+gfs2-add-validation-checks-for-size-of-superblock.patch
+cifs-handle-eintr-in-cifs_setattr.patch
+arm64-dts-renesas-ulcb-add-full-pwr-cycle-in-suspend.patch
+arm-dts-omap4-fix-sgx-clock-rate-for-4430.patch
+memory-emif-remove-bogus-debugfs-error-handling.patch
+arm-dts-s5pv210-remove-dma-controller-bus-node-name-.patch
+arm-dts-s5pv210-move-fixed-clocks-under-root-node.patch
+arm-dts-s5pv210-move-pmu-node-out-of-clock-controlle.patch
+arm-dts-s5pv210-remove-dedicated-audio-subsystem-nod.patch
+nbd-make-the-config-put-is-called-before-the-notifyi.patch
+sgl_alloc_order-fix-memory-leak.patch
+nvme-rdma-fix-crash-when-connect-rejected.patch
diff --git a/queue-5.4/sgl_alloc_order-fix-memory-leak.patch b/queue-5.4/sgl_alloc_order-fix-memory-leak.patch
new file mode 100644
index 00000000000..c588861ef97
--- /dev/null
+++ b/queue-5.4/sgl_alloc_order-fix-memory-leak.patch
@@ -0,0 +1,42 @@
+From c68b7ef5029a928870763d90a94bcc82ffabfbfa Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 15 Oct 2020 14:57:35 -0400
+Subject: sgl_alloc_order: fix memory leak
+
+From: Douglas Gilbert
+
+[ Upstream commit b2a182a40278bc5849730e66bca01a762188ed86 ]
+
+sgl_alloc_order() can fail when 'length' is large on a memory
+constrained system. When order > 0 it will potentially be
+making several multi-page allocations with the later ones more
+likely to fail than the earlier one. So it is important that
+sgl_alloc_order() frees up any pages it has obtained before
+returning NULL. In the case when order > 0 it calls the wrong
+free page function and leaks. In testing the leak was
+sufficient to bring down my 8 GiB laptop with OOM.
+
+Reviewed-by: Bart Van Assche
+Signed-off-by: Douglas Gilbert
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ lib/scatterlist.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/scatterlist.c b/lib/scatterlist.c
+index 5813072bc5895..29346184fcf2e 100644
+--- a/lib/scatterlist.c
++++ b/lib/scatterlist.c
+@@ -514,7 +514,7 @@ struct scatterlist *sgl_alloc_order(unsigned long long length,
+ elem_len = min_t(u64, length, PAGE_SIZE << order);
+ page = alloc_pages(gfp, order);
+ if (!page) {
+- sgl_free(sgl);
++ sgl_free_order(sgl, order);
+ return NULL;
+ }
+
+--
+2.27.0
+
diff --git a/queue-5.4/sparc64-remove-mm_cpumask-clearing-to-fix-kthread_us.patch b/queue-5.4/sparc64-remove-mm_cpumask-clearing-to-fix-kthread_us.patch
new file mode 100644
index 00000000000..dd33de0c7e2
--- /dev/null
+++ b/queue-5.4/sparc64-remove-mm_cpumask-clearing-to-fix-kthread_us.patch
@@ -0,0 +1,179 @@ +From 426ee692c5fd2b7310ea522a3b30a4bb66016357 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Sep 2020 14:52:18 +1000 +Subject: sparc64: remove mm_cpumask clearing to fix kthread_use_mm race + +From: Nicholas Piggin + +[ Upstream commit bafb056ce27940c9994ea905336aa8f27b4f7275 ] + +The de facto (and apparently uncommented) standard for using an mm had, +thanks to this code in sparc if nothing else, been that you must have a +reference on mm_users *and that reference must have been obtained with +mmget()*, i.e., from a thread with a reference to mm_users that had used +the mm. + +The introduction of mmget_not_zero() in commit d2005e3f41d4 +("userfaultfd: don't pin the user memory in userfaultfd_file_create()") +allowed mm_count holders to aoperate on user mappings asynchronously +from the actual threads using the mm, but they were not to load those +mappings into their TLB (i.e., walking vmas and page tables is okay, +kthread_use_mm() is not). + +io_uring 2b188cc1bb857 ("Add io_uring IO interface") added code which +does a kthread_use_mm() from a mmget_not_zero() refcount. + +The problem with this is code which previously assumed mm == current->mm +and mm->mm_users == 1 implies the mm will remain single-threaded at +least until this thread creates another mm_users reference, has now +broken. + +arch/sparc/kernel/smp_64.c: + + if (atomic_read(&mm->mm_users) == 1) { + cpumask_copy(mm_cpumask(mm), cpumask_of(cpu)); + goto local_flush_and_out; + } + +vs fs/io_uring.c + + if (unlikely(!(ctx->flags & IORING_SETUP_SQPOLL) || + !mmget_not_zero(ctx->sqo_mm))) + return -EFAULT; + kthread_use_mm(ctx->sqo_mm); + +mmget_not_zero() could come in right after the mm_users == 1 test, then +kthread_use_mm() which sets its CPU in the mm_cpumask. That update could +be lost if cpumask_copy() occurs afterward. 
+ +I propose we fix this by allowing mmget_not_zero() to be a first-class +reference, and not have this obscure undocumented and unchecked +restriction. + +The basic fix for sparc64 is to remove its mm_cpumask clearing code. The +optimisation could be effectively restored by sending IPIs to mm_cpumask +members and having them remove themselves from mm_cpumask. This is more +tricky so I leave it as an exercise for someone with a sparc64 SMP. +powerpc has a (currently similarly broken) example. + +Signed-off-by: Nicholas Piggin +Acked-by: David S. Miller +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200914045219.3736466-4-npiggin@gmail.com +Signed-off-by: Sasha Levin +--- + arch/sparc/kernel/smp_64.c | 65 ++++++++------------------------------ + 1 file changed, 14 insertions(+), 51 deletions(-) + +diff --git a/arch/sparc/kernel/smp_64.c b/arch/sparc/kernel/smp_64.c +index a8275fea4b70c..aa81c25b44cf3 100644 +--- a/arch/sparc/kernel/smp_64.c ++++ b/arch/sparc/kernel/smp_64.c +@@ -1039,38 +1039,9 @@ void smp_fetch_global_pmu(void) + * are flush_tlb_*() routines, and these run after flush_cache_*() + * which performs the flushw. + * +- * The SMP TLB coherency scheme we use works as follows: +- * +- * 1) mm->cpu_vm_mask is a bit mask of which cpus an address +- * space has (potentially) executed on, this is the heuristic +- * we use to avoid doing cross calls. +- * +- * Also, for flushing from kswapd and also for clones, we +- * use cpu_vm_mask as the list of cpus to make run the TLB. +- * +- * 2) TLB context numbers are shared globally across all processors +- * in the system, this allows us to play several games to avoid +- * cross calls. +- * +- * One invariant is that when a cpu switches to a process, and +- * that processes tsk->active_mm->cpu_vm_mask does not have the +- * current cpu's bit set, that tlb context is flushed locally. +- * +- * If the address space is non-shared (ie. 
mm->count == 1) we avoid +- * cross calls when we want to flush the currently running process's +- * tlb state. This is done by clearing all cpu bits except the current +- * processor's in current->mm->cpu_vm_mask and performing the +- * flush locally only. This will force any subsequent cpus which run +- * this task to flush the context from the local tlb if the process +- * migrates to another cpu (again). +- * +- * 3) For shared address spaces (threads) and swapping we bite the +- * bullet for most cases and perform the cross call (but only to +- * the cpus listed in cpu_vm_mask). +- * +- * The performance gain from "optimizing" away the cross call for threads is +- * questionable (in theory the big win for threads is the massive sharing of +- * address space state across processors). ++ * mm->cpu_vm_mask is a bit mask of which cpus an address ++ * space has (potentially) executed on, this is the heuristic ++ * we use to limit cross calls. + */ + + /* This currently is only used by the hugetlb arch pre-fault +@@ -1080,18 +1051,13 @@ void smp_fetch_global_pmu(void) + void smp_flush_tlb_mm(struct mm_struct *mm) + { + u32 ctx = CTX_HWBITS(mm->context); +- int cpu = get_cpu(); + +- if (atomic_read(&mm->mm_users) == 1) { +- cpumask_copy(mm_cpumask(mm), cpumask_of(cpu)); +- goto local_flush_and_out; +- } ++ get_cpu(); + + smp_cross_call_masked(&xcall_flush_tlb_mm, + ctx, 0, 0, + mm_cpumask(mm)); + +-local_flush_and_out: + __flush_tlb_mm(ctx, SECONDARY_CONTEXT); + + put_cpu(); +@@ -1114,17 +1080,15 @@ void smp_flush_tlb_pending(struct mm_struct *mm, unsigned long nr, unsigned long + { + u32 ctx = CTX_HWBITS(mm->context); + struct tlb_pending_info info; +- int cpu = get_cpu(); ++ ++ get_cpu(); + + info.ctx = ctx; + info.nr = nr; + info.vaddrs = vaddrs; + +- if (mm == current->mm && atomic_read(&mm->mm_users) == 1) +- cpumask_copy(mm_cpumask(mm), cpumask_of(cpu)); +- else +- smp_call_function_many(mm_cpumask(mm), tlb_pending_func, +- &info, 1); ++ 
smp_call_function_many(mm_cpumask(mm), tlb_pending_func, ++ &info, 1); + + __flush_tlb_pending(ctx, nr, vaddrs); + +@@ -1134,14 +1098,13 @@ void smp_flush_tlb_pending(struct mm_struct *mm, unsigned long nr, unsigned long + void smp_flush_tlb_page(struct mm_struct *mm, unsigned long vaddr) + { + unsigned long context = CTX_HWBITS(mm->context); +- int cpu = get_cpu(); + +- if (mm == current->mm && atomic_read(&mm->mm_users) == 1) +- cpumask_copy(mm_cpumask(mm), cpumask_of(cpu)); +- else +- smp_cross_call_masked(&xcall_flush_tlb_page, +- context, vaddr, 0, +- mm_cpumask(mm)); ++ get_cpu(); ++ ++ smp_cross_call_masked(&xcall_flush_tlb_page, ++ context, vaddr, 0, ++ mm_cpumask(mm)); ++ + __flush_tlb_page(context, vaddr); + + put_cpu(); +-- +2.27.0 + diff --git a/queue-5.4/sunrpc-mitigate-cond_resched-in-xprt_transmit.patch b/queue-5.4/sunrpc-mitigate-cond_resched-in-xprt_transmit.patch new file mode 100644 index 00000000000..56aa2e5817e --- /dev/null +++ b/queue-5.4/sunrpc-mitigate-cond_resched-in-xprt_transmit.patch 
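Review bot: The shortened comment above smp_flush_tlb_mm() still names `mm->cpu_vm_mask`, while every call in these hunks reads the mask through `mm_cpumask(mm)`, and it no longer says why the single-user shortcut was removed. The commit message explains the reason: a thread holding an `mmget_not_zero()` reference can call `kthread_use_mm()` and set its CPU bit just as `cpumask_copy()` overwrites the mask. Without that in the source, the optimisation is easy to reintroduce. I would rename the field reference to `mm_cpumask(mm)` and add one line such as `* Never rewrite mm_cpumask on an mm_users == 1 test: kthread_use_mm() users can set bits concurrently.`.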
@@ -0,0 +1,55 @@
+From 1bbc77e87c7b67f737df541ec6d5ca3bc4fcf065 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 8 Jul 2020 16:09:53 -0400
+Subject: SUNRPC: Mitigate cond_resched() in xprt_transmit()
+
+From: Chuck Lever
+
+[ Upstream commit 6f9f17287e78e5049931af2037b15b26d134a32a ]
+
+The original purpose of this expensive call is to prevent a long
+queue of requests from blocking other work.
+
+The cond_resched() call is unnecessary after just a single send
+operation.
+
+For longer queues, instead of invoking the kernel scheduler, simply
+release the transport send lock and return to the RPC scheduler.
+
+Signed-off-by: Chuck Lever
+Signed-off-by: Anna Schumaker
+Signed-off-by: Sasha Levin
+---
+ net/sunrpc/xprt.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/sunrpc/xprt.c b/net/sunrpc/xprt.c
+index 41df4c507193b..a6fee86f400ec 100644
+--- a/net/sunrpc/xprt.c
++++ b/net/sunrpc/xprt.c
+@@ -1503,10 +1503,13 @@ xprt_transmit(struct rpc_task *task)
+ {
+ struct rpc_rqst *next, *req = task->tk_rqstp;
+ struct rpc_xprt *xprt = req->rq_xprt;
+- int status;
++ int counter, status;
+
+ spin_lock(&xprt->queue_lock);
++ counter = 0;
+ while (!list_empty(&xprt->xmit_queue)) {
++ if (++counter == 20)
++ break;
+ next = list_first_entry(&xprt->xmit_queue,
+ struct rpc_rqst, rq_xmit);
+ xprt_pin_rqst(next);
+@@ -1514,7 +1517,6 @@ xprt_transmit(struct rpc_task *task)
+ status = xprt_request_transmit(next, task);
+ if (status == -EBADMSG && next != req)
+ status = 0;
+- cond_resched();
+ spin_lock(&xprt->queue_lock);
+ xprt_unpin_rqst(next);
+ if (status == 0) {
+--
+2.27.0
+
diff --git a/queue-5.4/uio-free-uio-id-after-uio-file-node-is-freed.patch b/queue-5.4/uio-free-uio-id-after-uio-file-node-is-freed.patch
new file mode 100644
index 00000000000..262e730dfcb
--- /dev/null
+++ b/queue-5.4/uio-free-uio-id-after-uio-file-node-is-freed.patch
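Review bot: The batch limit in the new `if (++counter == 20) break;` is an unexplained literal, and because the counter is incremented before the comparison the loop sends at most 19 requests per call, not 20. A named constant with a comment stating the intended batch size would make the bound reviewable, for instance `if (counter++ >= XPRT_TRANSMIT_BATCH) break;`, where `XPRT_TRANSMIT_BATCH` is a suggested name that does not exist in the file. The code after the loop is outside the hunks, so it cannot be confirmed from here that the caller's own request `req` is still handled correctly when the loop breaks early.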
@@ -0,0 +1,85 @@
+From 7a6aa307a01f67627bf3d3c37e7c98250dbc383d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 14 Sep 2020 11:26:41 +0800
+Subject: uio: free uio id after uio file node is freed
+
+From: Lang Dai
+
+[ Upstream commit 8fd0e2a6df262539eaa28b0a2364cca10d1dc662 ]
+
+uio_register_device() do two things.
+1) get an uio id from a global pool, e.g. the id is
+2) create file nodes like /sys/class/uio/uio
+
+uio_unregister_device() do two things.
+1) free the uio id and return it to the global pool
+2) free the file node /sys/class/uio/uio
+
+There is a situation is that one worker is calling uio_unregister_device(),
+and another worker is calling uio_register_device().
+If the two workers are X and Y, they go as below sequence,
+1) X free the uio id
+2) Y get an uio id
+3) Y create file node /sys/class/uio/uio
+4) X free the file note /sys/class/uio/uio
+Then it will failed at the 3rd step and cause the phenomenon we saw as it
+is creating a duplicated file node.
+
+Failure reports as follows:
+sysfs: cannot create duplicate filename '/class/uio/uio10'
+Call Trace:
+ sysfs_do_create_link_sd.isra.2+0x9e/0xb0
+ sysfs_create_link+0x25/0x40
+ device_add+0x2c4/0x640
+ __uio_register_device+0x1c5/0x576 [uio]
+ adf_uio_init_bundle_dev+0x231/0x280 [intel_qat]
+ adf_uio_register+0x1c0/0x340 [intel_qat]
+ adf_dev_start+0x202/0x370 [intel_qat]
+ adf_dev_start_async+0x40/0xa0 [intel_qat]
+ process_one_work+0x14d/0x410
+ worker_thread+0x4b/0x460
+ kthread+0x105/0x140
+ ? process_one_work+0x410/0x410
+ ?
kthread_bind+0x40/0x40
+ ret_from_fork+0x1f/0x40
+ Code: 85 c0 48 89 c3 74 12 b9 00 10 00 00 48 89 c2 31 f6 4c 89 ef
+ e8 ec c4 ff ff 4c 89 e2 48 89 de 48 c7 c7 e8 b4 ee b4 e8 6a d4 d7
+ ff <0f> 0b 48 89 df e8 20 fa f3 ff 5b 41 5c 41 5d 5d c3 66 0f 1f 84
+---[ end trace a7531c1ed5269e84 ]---
+ c6xxvf b002:00:00.0: Failed to register UIO devices
+ c6xxvf b002:00:00.0: Failed to register UIO devices
+
+Signed-off-by: Lang Dai
+
+Link: https://lore.kernel.org/r/1600054002-17722-1-git-send-email-lang.dai@intel.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/uio/uio.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/uio/uio.c b/drivers/uio/uio.c
+index a57698985f9c4..8313f81968d51 100644
+--- a/drivers/uio/uio.c
++++ b/drivers/uio/uio.c
+@@ -1010,8 +1010,6 @@ void uio_unregister_device(struct uio_info *info)
+
+ idev = info->uio_dev;
+
+- uio_free_minor(idev);
+-
+ mutex_lock(&idev->info_lock);
+ uio_dev_del_attributes(idev);
+
+@@ -1026,6 +1024,8 @@ void uio_unregister_device(struct uio_info *info)
+
+ device_unregister(&idev->dev);
+
++ uio_free_minor(idev);
++
+ return;
+ }
+ EXPORT_SYMBOL_GPL(uio_unregister_device);
+--
+2.27.0
+
diff --git a/queue-5.4/um-change-sigio_spinlock-to-a-mutex.patch b/queue-5.4/um-change-sigio_spinlock-to-a-mutex.patch
new file mode 100644
index 00000000000..41ef2377d27
--- /dev/null
+++ b/queue-5.4/um-change-sigio_spinlock-to-a-mutex.patch
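Review bot: `uio_free_minor(idev)` dereferences idev after `device_unregister(&idev->dev)` has run in the second inner hunk of uio_unregister_device(), and that call can drop the last reference to the embedded device. If the device's release callback frees idev, which is not visible in this hunk, the moved call is a use-after-free. A safer ordering is to copy the minor number into a local before `device_unregister()` and release the ID by value afterwards, which keeps the ordering fix described in the commit message without touching idev after unregistration. The function begins outside the hunk.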
@@ -0,0 +1,78 @@
+From da9b3738ec54c44c618db6261831f7b87a25383d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 4 Jun 2020 13:23:17 +0200
+Subject: um: change sigio_spinlock to a mutex
+
+From: Johannes Berg
+
+[ Upstream commit f2d05059e15af3f70502074f4e3a504530af504a ]
+
+Lockdep complains at boot:
+
+=============================
+[ BUG: Invalid wait context ]
+5.7.0-05093-g46d91ecd597b #98 Not tainted
+-----------------------------
+swapper/1 is trying to lock:
+0000000060931b98 (&desc[i].request_mutex){+.+.}-{3:3}, at: __setup_irq+0x11d/0x623
+other info that might help us debug this:
+context-{4:4}
+1 lock held by swapper/1:
+ #0: 000000006074fed8 (sigio_spinlock){+.+.}-{2:2}, at: sigio_lock+0x1a/0x1c
+stack backtrace:
+CPU: 0 PID: 1 Comm: swapper Not tainted 5.7.0-05093-g46d91ecd597b #98
+Stack:
+ 7fa4fab0 6028dfd1 0000002a 6008bea5
+ 7fa50700 7fa50040 7fa4fac0 6028e016
+ 7fa4fb50 6007f6da 60959c18 00000000
+Call Trace:
+ [<60023a0e>] show_stack+0x13b/0x155
+ [<6028e016>] dump_stack+0x2a/0x2c
+ [<6007f6da>] __lock_acquire+0x515/0x15f2
+ [<6007eb50>] lock_acquire+0x245/0x273
+ [<6050d9f1>] __mutex_lock+0xbd/0x325
+ [<6050dc76>] mutex_lock_nested+0x1d/0x1f
+ [<6008e27e>] __setup_irq+0x11d/0x623
+ [<6008e8ed>] request_threaded_irq+0x169/0x1a6
+ [<60021eb0>] um_request_irq+0x1ee/0x24b
+ [<600234ee>] write_sigio_irq+0x3b/0x76
+ [<600383ca>] sigio_broken+0x146/0x2e4
+ [<60020bd8>] do_one_initcall+0xde/0x281
+
+Because we hold sigio_spinlock and then get into requesting
+an interrupt with a mutex.
+
+Change the spinlock to a mutex to avoid that.
+
+Signed-off-by: Johannes Berg
+Signed-off-by: Richard Weinberger
+Signed-off-by: Sasha Levin
+---
+ arch/um/kernel/sigio.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/um/kernel/sigio.c b/arch/um/kernel/sigio.c
+index 10c99e058fcae..d1cffc2a7f212 100644
+--- a/arch/um/kernel/sigio.c
++++ b/arch/um/kernel/sigio.c
+@@ -35,14 +35,14 @@ int write_sigio_irq(int fd)
+ }
+
+ /* These are called from os-Linux/sigio.c to protect its pollfds arrays. */
+-static DEFINE_SPINLOCK(sigio_spinlock);
++static DEFINE_MUTEX(sigio_mutex);
+
+ void sigio_lock(void)
+ {
+- spin_lock(&sigio_spinlock);
++ mutex_lock(&sigio_mutex);
+ }
+
+ void sigio_unlock(void)
+ {
+- spin_unlock(&sigio_spinlock);
++ mutex_unlock(&sigio_mutex);
+ }
+--
+2.27.0
+
diff --git a/queue-5.4/usb-adutux-fix-debugging.patch b/queue-5.4/usb-adutux-fix-debugging.patch
new file mode 100644
index 00000000000..f6980a43003
--- /dev/null
+++ b/queue-5.4/usb-adutux-fix-debugging.patch
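Review bot: The comment above `sigio_mutex` still says only that the lock protects the pollfds arrays in os-Linux/sigio.c, so nothing in the new code tells callers that sigio_lock() can now sleep. I would extend it, for example `/* A mutex, not a spinlock: an IRQ is requested while this is held, and that path takes a mutex. Callers must be able to sleep. */`. Whether every caller of sigio_lock() runs in a context that may sleep is not visible in this hunk and should be confirmed.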
@@ -0,0 +1,35 @@
+From 104be76618f4ae0558e593ffcd45b0cabb4ba913 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 17 Sep 2020 13:26:00 +0200
+Subject: USB: adutux: fix debugging
+
+From: Oliver Neukum
+
+[ Upstream commit c56150c1bc8da5524831b1dac2eec3c67b89f587 ]
+
+Handling for removal of the controller was missing at one place.
+Add it.
+
+Signed-off-by: Oliver Neukum
+Link: https://lore.kernel.org/r/20200917112600.26508-1-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/misc/adutux.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/usb/misc/adutux.c b/drivers/usb/misc/adutux.c
+index d8d157c4c271d..96495fcd952aa 100644
+--- a/drivers/usb/misc/adutux.c
++++ b/drivers/usb/misc/adutux.c
+@@ -209,6 +209,7 @@ static void adu_interrupt_out_callback(struct urb *urb)
+
+ if (status != 0) {
+ if ((status != -ENOENT) &&
++ (status != -ESHUTDOWN) &&
+ (status != -ECONNRESET)) {
+ dev_dbg(&dev->udev->dev,
+ "%s :nonzero status received: %d\n", __func__,
+--
+2.27.0
+
diff --git a/queue-5.4/usb-typec-tcpm-during-pr_swap-source-caps-should-be-.patch b/queue-5.4/usb-typec-tcpm-during-pr_swap-source-caps-should-be-.patch
new file mode 100644
index 00000000000..2d4ace6e704
--- /dev/null
+++ b/queue-5.4/usb-typec-tcpm-during-pr_swap-source-caps-should-be-.patch
@@ -0,0 +1,80 @@
+From c60669fe73f0db6aed1957509d4682bf4abbae4d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 17 Aug 2020 11:38:27 -0700
+Subject: usb: typec: tcpm: During PR_SWAP, source caps should be sent only
+ after tSwapSourceStart
+
+From: Badhri Jagan Sridharan
+
+[ Upstream commit 6bbe2a90a0bb4af8dd99c3565e907fe9b5e7fd88 ]
+
+The patch addresses the compliance test failures while running
+TD.PD.CP.E3, TD.PD.CP.E4, TD.PD.CP.E5 of the "Deterministic PD
+Compliance MOI" test plan published in https://www.usb.org/usbc.
+For a product to be Type-C compliant, it's expected that these tests
+are run on usb.org certified Type-C compliance tester as mentioned in
+https://www.usb.org/usbc.
+
+The purpose of the tests TD.PD.CP.E3, TD.PD.CP.E4, TD.PD.CP.E5 is to
+verify the PR_SWAP response of the device. While doing so, the test
+asserts that Source Capabilities message is NOT received from the test
+device within tSwapSourceStart min (20 ms) from the time the last bit
+of GoodCRC corresponding to the RS_RDY message sent by the UUT was
+sent. If it does then the test fails.
+
+This is in line with the requirements from the USB Power Delivery
+Specification Revision 3.0, Version 1.2:
+"6.6.8.1 SwapSourceStartTimer
+The SwapSourceStartTimer Shall be used by the new Source, after a
+Power Role Swap or Fast Role Swap, to ensure that it does not send
+Source_Capabilities Message before the new Sink is ready to receive
+the
+Source_Capabilities Message. The new Source Shall Not send the
+Source_Capabilities Message earlier than tSwapSourceStart after the
+last bit of the EOP of GoodCRC Message sent in response to the PS_RDY
+Message sent by the new Source indicating that its power supply is
+ready."
+
+The patch makes sure that TCPM does not send the Source_Capabilities
+Message within tSwapSourceStart(20ms) by transitioning into
+SRC_STARTUP only after tSwapSourceStart(20ms).
+
+Signed-off-by: Badhri Jagan Sridharan
+Reviewed-by: Guenter Roeck
+Reviewed-by: Heikki Krogerus
+Link: https://lore.kernel.org/r/20200817183828.1895015-1-badhri@google.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/typec/tcpm/tcpm.c | 2 +-
+ include/linux/usb/pd.h | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/typec/tcpm/tcpm.c b/drivers/usb/typec/tcpm/tcpm.c
+index 355a2c7fac0b4..16e124753df72 100644
+--- a/drivers/usb/typec/tcpm/tcpm.c
++++ b/drivers/usb/typec/tcpm/tcpm.c
+@@ -3482,7 +3482,7 @@ static void run_state_machine(struct tcpm_port *port)
+ */
+ tcpm_set_pwr_role(port, TYPEC_SOURCE);
+ tcpm_pd_send_control(port, PD_CTRL_PS_RDY);
+- tcpm_set_state(port, SRC_STARTUP, 0);
++ tcpm_set_state(port, SRC_STARTUP, PD_T_SWAP_SRC_START);
+ break;
+
+ case VCONN_SWAP_ACCEPT:
+diff --git a/include/linux/usb/pd.h b/include/linux/usb/pd.h
+index 145c38e351c25..6655ce32feff1 100644
+--- a/include/linux/usb/pd.h
++++ b/include/linux/usb/pd.h
+@@ -442,6 +442,7 @@ static inline unsigned int rdo_max_power(u32 rdo)
+ #define PD_T_ERROR_RECOVERY 100 /* minimum 25 is insufficient */
+ #define PD_T_SRCSWAPSTDBY 625 /* Maximum of 650ms */
+ #define PD_T_NEWSRC 250 /* Maximum of 275ms */
++#define PD_T_SWAP_SRC_START 20 /* Minimum of 20ms */
+
+ #define PD_T_DRP_TRY 100 /* 75 - 150 ms */
+ #define PD_T_DRP_TRYWAIT 600 /* 400 - 800 ms */
+--
+2.27.0
+
diff --git a/queue-5.4/usb-xhci-omit-duplicate-actions-when-suspending-a-ru.patch b/queue-5.4/usb-xhci-omit-duplicate-actions-when-suspending-a-ru.patch
new file mode 100644
index 00000000000..f17377fce56
--- /dev/null
+++ b/queue-5.4/usb-xhci-omit-duplicate-actions-when-suspending-a-ru.patch
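Review bot: `PD_T_SWAP_SRC_START` is defined as exactly the 20 ms minimum that the commit message quotes for tSwapSourceStart, so `tcpm_set_state(port, SRC_STARTUP, PD_T_SWAP_SRC_START)` leaves no margin if the delayed transition can fire even slightly early. How tcpm_set_state() schedules the delay is outside the hunk, so this is a question rather than a confirmed defect. If the timer is tick-based, a value a little above the minimum, with the reason recorded in the comment the way `PD_T_ERROR_RECOVERY` does, would be more robust. The `case` being patched in run_state_machine() starts outside the hunk.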
@@ -0,0 +1,58 @@
+From 3d40f60975b7d71789a988ac49bdb5f863949773 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 18 Sep 2020 16:17:49 +0300
+Subject: usb: xhci: omit duplicate actions when suspending a runtime suspended
+ host.
+
+From: Peter Chen
+
+[ Upstream commit 18a367e8947d72dd91b6fc401e88a2952c6363f7 ]
+
+If the xhci-plat.c is the platform driver, after the runtime pm is
+enabled, the xhci_suspend is called if nothing is connected on
+the port. When the system goes to suspend, it will call xhci_suspend again
+if USB wakeup is enabled.
+
+Since the runtime suspend wakeup setting is not always the same as
+system suspend wakeup setting, eg, at runtime suspend we always need
+wakeup if the controller is in low power mode; but at system suspend,
+we may not need wakeup. So, we move the judgement after changing
+wakeup setting.
+
+[commit message rewording -Mathias]
+
+Reviewed-by: Jun Li
+Signed-off-by: Peter Chen
+Signed-off-by: Mathias Nyman
+Link: https://lore.kernel.org/r/20200918131752.16488-8-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/host/xhci.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
+index 0d10ede581cbd..7123ab44671b2 100644
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -982,12 +982,15 @@ int xhci_suspend(struct xhci_hcd *xhci, bool do_wakeup)
+ xhci->shared_hcd->state != HC_STATE_SUSPENDED)
+ return -EINVAL;
+
+- xhci_dbc_suspend(xhci);
+-
+ /* Clear root port wake on bits if wakeup not allowed. */
+ if (!do_wakeup)
+ xhci_disable_port_wake_on_bits(xhci);
+
++ if (!HCD_HW_ACCESSIBLE(hcd))
++ return 0;
++
++ xhci_dbc_suspend(xhci);
++
+ /* Don't poll the roothubs on bus suspend. */
+ xhci_dbg(xhci, "%s: stopping port polling.\n", __func__);
+ clear_bit(HCD_FLAG_POLL_RH, &hcd->flags);
+--
+2.27.0
+
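Review bot: The added `if (!HCD_HW_ACCESSIBLE(hcd)) return 0;` in xhci_suspend() sits after `xhci_disable_port_wake_on_bits(xhci)`, so the wake-bit update still runs on a host that is already flagged inaccessible, and the code carries no comment saying this order is deliberate. The commit message says it is, so I would record that above the check, for example `/* Already runtime suspended: wake bits were updated above, skip the rest. */`. Whether xhci_disable_port_wake_on_bits() is safe to call while the hardware is flagged inaccessible cannot be told from this hunk and is worth confirming. The function starts and ends outside the hunk.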
diff --git a/queue-5.4/video-fbdev-pvr2fb-initialize-variables.patch b/queue-5.4/video-fbdev-pvr2fb-initialize-variables.patch
new file mode 100644
index 00000000000..f8b478d9ea1
--- /dev/null
+++ b/queue-5.4/video-fbdev-pvr2fb-initialize-variables.patch
@@ -0,0 +1,49 @@
+From 1a33d2083fcb81d74944628fbbd6c1e1b931a9e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 20 Jul 2020 12:18:45 -0700
+Subject: video: fbdev: pvr2fb: initialize variables
+
+From: Tom Rix
+
+[ Upstream commit 8e1ba47c60bcd325fdd097cd76054639155e5d2e ]
+
+clang static analysis reports this repesentative error
+
+pvr2fb.c:1049:2: warning: 1st function call argument
+ is an uninitialized value [core.CallAndMessage]
+ if (*cable_arg)
+ ^~~~~~~~~~~~~~~
+
+Problem is that cable_arg depends on the input loop to
+set the cable_arg[0]. If it does not, then some random
+value from the stack is used.
+
+A similar problem exists for output_arg.
+
+So initialize cable_arg and output_arg.
+
+Signed-off-by: Tom Rix
+Acked-by: Arnd Bergmann
+Signed-off-by: Sam Ravnborg
+Link: https://patchwork.freedesktop.org/patch/msgid/20200720191845.20115-1-trix@redhat.com
+Signed-off-by: Sasha Levin
+---
+ drivers/video/fbdev/pvr2fb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/video/fbdev/pvr2fb.c b/drivers/video/fbdev/pvr2fb.c
+index 0a3b2b7c78912..c916e91614436 100644
+--- a/drivers/video/fbdev/pvr2fb.c
++++ b/drivers/video/fbdev/pvr2fb.c
+@@ -1016,6 +1016,8 @@ static int __init pvr2fb_setup(char *options)
+ if (!options || !*options)
+ return 0;
+
++ cable_arg[0] = output_arg[0] = 0;
++
+ while ((this_opt = strsep(&options, ","))) {
+ if (!*this_opt)
+ continue;
+--
+2.27.0
+
diff --git a/queue-5.4/x86-unwind-orc-fix-inactive-tasks-with-stack-pointer.patch b/queue-5.4/x86-unwind-orc-fix-inactive-tasks-with-stack-pointer.patch
new file mode 100644
index 00000000000..74b2501dc99
--- /dev/null
+++ b/queue-5.4/x86-unwind-orc-fix-inactive-tasks-with-stack-pointer.patch
@@ -0,0 +1,145 @@
+From bd645b5d73d9576c8e95e83ca787941b195654cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 14 Oct 2020 07:30:51 +0200
+Subject: x86/unwind/orc: Fix inactive tasks with stack pointer in %sp on GCC
+ 10 compiled kernels
+
+From: Jiri Slaby
+
+[ Upstream commit f2ac57a4c49d40409c21c82d23b5706df9b438af ]
+
+GCC 10 optimizes the scheduler code differently than its predecessors.
+
+When CONFIG_DEBUG_SECTION_MISMATCH=y, the Makefile forces GCC not
+to inline some functions (-fno-inline-functions-called-once). Before GCC
+10, "no-inlined" __schedule() starts with the usual prologue:
+
+ push %bp
+ mov %sp, %bp
+
+So the ORC unwinder simply picks stack pointer from %bp and
+unwinds from __schedule() just perfectly:
+
+ $ cat /proc/1/stack
+ [<0>] ep_poll+0x3e9/0x450
+ [<0>] do_epoll_wait+0xaa/0xc0
+ [<0>] __x64_sys_epoll_wait+0x1a/0x20
+ [<0>] do_syscall_64+0x33/0x40
+ [<0>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+But now, with GCC 10, there is no %bp prologue in __schedule():
+
+ $ cat /proc/1/stack
+
+
+The ORC entry of the point in __schedule() is:
+
+ sp:sp+88 bp:last_sp-48 type:call end:0
+
+In this case, nobody subtracts sizeof "struct inactive_task_frame" in
+__unwind_start(). The struct is put on the stack by __switch_to_asm() and
+only then __switch_to_asm() stores %sp to task->thread.sp. But we start
+unwinding from a point in __schedule() (stored in frame->ret_addr by
+'call') and not in __switch_to_asm().
+
+So for these example values in __unwind_start():
+
+ sp=ffff94b50001fdc8 bp=ffff8e1f41d29340 ip=__schedule+0x1f0
+
+The stack is:
+
+ ffff94b50001fdc8: ffff8e1f41578000 # struct inactive_task_frame
+ ffff94b50001fdd0: 0000000000000000
+ ffff94b50001fdd8: ffff8e1f41d29340
+ ffff94b50001fde0: ffff8e1f41611d40 # ...
+ ffff94b50001fde8: ffffffff93c41920 # bx
+ ffff94b50001fdf0: ffff8e1f41d29340 # bp
+ ffff94b50001fdf8: ffffffff9376cad0 # ret_addr (and end of the struct)
+
+0xffffffff9376cad0 is __schedule+0x1f0 (after the call to
+__switch_to_asm). Now follow those 88 bytes from the ORC entry (sp+88).
+The entry is correct, __schedule() really pushes 48 bytes (8*7) + 32 bytes
+via subq to store some local values (like 4U below). So to unwind, look
+at the offset 88-sizeof(long) = 0x50 from here:
+
+ ffff94b50001fe00: ffff8e1f41578618
+ ffff94b50001fe08: 00000cc000000255
+ ffff94b50001fe10: 0000000500000004
+ ffff94b50001fe18: 7793fab6956b2d00 # NOTE (see below)
+ ffff94b50001fe20: ffff8e1f41578000
+ ffff94b50001fe28: ffff8e1f41578000
+ ffff94b50001fe30: ffff8e1f41578000
+ ffff94b50001fe38: ffff8e1f41578000
+ ffff94b50001fe40: ffff94b50001fed8
+ ffff94b50001fe48: ffff8e1f41577ff0
+ ffff94b50001fe50: ffffffff9376cf12
+
+Here ^^^^^^^^^^^^^^^^ is the correct ret addr from
+__schedule(). It translates to schedule+0x42 (insn after a call to
+__schedule()).
+
+BUT, unwind_next_frame() tries to take the address starting from
+0xffff94b50001fdc8. That is exactly from thread.sp+88-sizeof(long) =
+0xffff94b50001fdc8+88-8 = 0xffff94b50001fe18, which is garbage marked as
+NOTE above. So this quits the unwinding as 7793fab6956b2d00 is obviously
+not a kernel address.
+
+There was a fix to skip 'struct inactive_task_frame' in
+unwind_get_return_address_ptr in the following commit:
+
+ 187b96db5ca7 ("x86/unwind/orc: Fix unwind_get_return_address_ptr() for inactive tasks")
+
+But we need to skip the struct already in the unwinder proper. So
+subtract the size (increase the stack pointer) of the structure in
+__unwind_start() directly. This allows for removal of the code added by
+commit 187b96db5ca7 completely, as the address is now at
+'(unsigned long *)state->sp - 1', the same as in the generic case.
+
+[ mingo: Cleaned up the changelog a bit, for better readability.
]
+
+Fixes: ee9f8fce9964 ("x86/unwind: Add the ORC unwinder")
+Bug: https://bugzilla.suse.com/show_bug.cgi?id=1176907
+Signed-off-by: Jiri Slaby
+Signed-off-by: Ingo Molnar
+Link: https://lore.kernel.org/r/20201014053051.24199-1-jslaby@suse.cz
+Signed-off-by: Sasha Levin
+---
+ arch/x86/kernel/unwind_orc.c | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+diff --git a/arch/x86/kernel/unwind_orc.c b/arch/x86/kernel/unwind_orc.c
+index 187a86e0e7531..f29f015a5e7f3 100644
+--- a/arch/x86/kernel/unwind_orc.c
++++ b/arch/x86/kernel/unwind_orc.c
+@@ -311,19 +311,12 @@ EXPORT_SYMBOL_GPL(unwind_get_return_address);
+
+ unsigned long *unwind_get_return_address_ptr(struct unwind_state *state)
+ {
+- struct task_struct *task = state->task;
+-
+ if (unwind_done(state))
+ return NULL;
+
+ if (state->regs)
+ return &state->regs->ip;
+
+- if (task != current && state->sp == task->thread.sp) {
+- struct inactive_task_frame *frame = (void *)task->thread.sp;
+- return &frame->ret_addr;
+- }
+-
+ if (state->sp)
+ return (unsigned long *)state->sp - 1;
+
+@@ -653,7 +646,7 @@ void __unwind_start(struct unwind_state *state, struct task_struct *task,
+ } else {
+ struct inactive_task_frame *frame = (void *)task->thread.sp;
+
+- state->sp = task->thread.sp;
++ state->sp = task->thread.sp + sizeof(*frame);
+ state->bp = READ_ONCE_NOCHECK(frame->bp);
+ state->ip = READ_ONCE_NOCHECK(frame->ret_addr);
+ state->signal = (void *)state->ip == ret_from_fork;
+--
+2.27.0
+
diff --git a/queue-5.4/xfs-don-t-free-rt-blocks-when-we-re-doing-a-remap-bu.patch b/queue-5.4/xfs-don-t-free-rt-blocks-when-we-re-doing-a-remap-bu.patch
new file mode 100644
index 00000000000..dd73d276432
--- /dev/null
+++ b/queue-5.4/xfs-don-t-free-rt-blocks-when-we-re-doing-a-remap-bu.patch
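Review bot: The changed assignment `state->sp = task->thread.sp + sizeof(*frame);` in __unwind_start() has no comment, so the reason for the offset lives only in the commit message. I would add `/* Skip the inactive_task_frame left on the stack by __switch_to_asm() so sp matches the generic case. */` above it. With the special case removed from unwind_get_return_address_ptr(), inactive tasks rely on `(unsigned long *)state->sp - 1` pointing at `frame->ret_addr`, which holds only while ret_addr is the last member of the struct, as the stack dump in the commit message shows; a build-time check on that layout would pin the assumption. Both functions extend outside their hunks.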
@@ -0,0 +1,63 @@
+From 4ab3addac0b735ff54a698a82fc97ce1d5520d69 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 21 Sep 2020 09:15:08 -0700
+Subject: xfs: don't free rt blocks when we're doing a REMAP bunmapi call
+
+From: Darrick J. Wong
+
+[ Upstream commit 8df0fa39bdd86ca81a8d706a6ed9d33cc65ca625 ]
+
+When callers pass XFS_BMAPI_REMAP into xfs_bunmapi, they want the extent
+to be unmapped from the given file fork without the extent being freed.
+We do this for non-rt files, but we forgot to do this for realtime
+files. So far this isn't a big deal since nobody makes a bunmapi call
+to a rt file with the REMAP flag set, but don't leave a logic bomb.
+
+Signed-off-by: Darrick J. Wong
+Reviewed-by: Christoph Hellwig
+Reviewed-by: Dave Chinner
+Signed-off-by: Sasha Levin
+---
+ fs/xfs/libxfs/xfs_bmap.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/fs/xfs/libxfs/xfs_bmap.c b/fs/xfs/libxfs/xfs_bmap.c
+index f8db3fe616df9..c114d24be6193 100644
+--- a/fs/xfs/libxfs/xfs_bmap.c
++++ b/fs/xfs/libxfs/xfs_bmap.c
+@@ -4985,20 +4985,25 @@ xfs_bmap_del_extent_real(
+
+ flags = XFS_ILOG_CORE;
+ if (whichfork == XFS_DATA_FORK && XFS_IS_REALTIME_INODE(ip)) {
+- xfs_fsblock_t bno;
+ xfs_filblks_t len;
+ xfs_extlen_t mod;
+
+- bno = div_u64_rem(del->br_startblock, mp->m_sb.sb_rextsize,
+- &mod);
+- ASSERT(mod == 0);
+ len = div_u64_rem(del->br_blockcount, mp->m_sb.sb_rextsize,
+ &mod);
+ ASSERT(mod == 0);
+
+- error = xfs_rtfree_extent(tp, bno, (xfs_extlen_t)len);
+- if (error)
+- goto done;
++ if (!(bflags & XFS_BMAPI_REMAP)) {
++ xfs_fsblock_t bno;
++
++ bno = div_u64_rem(del->br_startblock,
++ mp->m_sb.sb_rextsize, &mod);
++ ASSERT(mod == 0);
++
++ error = xfs_rtfree_extent(tp, bno, (xfs_extlen_t)len);
++ if (error)
++ goto done;
++ }
++
+ do_fx = 0;
+ nblks = len * mp->m_sb.sb_rextsize;
+ qfield = XFS_TRANS_DQ_RTBCOUNT;
+--
+2.27.0
+
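Review bot: Moving the `bno` computation into the `!(bflags & XFS_BMAPI_REMAP)` branch of xfs_bmap_del_extent_real() also moves its `ASSERT(mod == 0)`, so a REMAP call on a realtime file no longer checks that `del->br_startblock` is aligned to `sb_rextsize`. If that alignment is meant to hold for every realtime extent, keeping the start-block assertion outside the branch would preserve the debug check. A one-line comment on the new branch, for example `/* REMAP unmaps the extent without freeing it. */`, would also record why the free is skipped. The function starts and ends outside the hunk.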
diff --git a/queue-5.4/xfs-fix-realtime-bitmap-summary-file-truncation-when.patch b/queue-5.4/xfs-fix-realtime-bitmap-summary-file-truncation-when.patch
new file mode 100644
index 00000000000..b9c1e674227
--- /dev/null
+++ b/queue-5.4/xfs-fix-realtime-bitmap-summary-file-truncation-when.patch
@@ -0,0 +1,70 @@
+From 37dddca19d7c96d2a729abab2f8562f1b134b9ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 7 Oct 2020 13:55:16 -0700
+Subject: xfs: fix realtime bitmap/summary file truncation when growing rt
+ volume
+
+From: Darrick J. Wong
+
+[ Upstream commit f4c32e87de7d66074d5612567c5eac7325024428 ]
+
+The realtime bitmap and summary files are regular files that are hidden
+away from the directory tree. Since they're regular files, inode
+inactivation will try to purge what it thinks are speculative
+preallocations beyond the incore size of the file. Unfortunately,
+xfs_growfs_rt forgets to update the incore size when it resizes the
+inodes, with the result that inactivating the rt inodes at unmount time
+will cause their contents to be truncated.
+
+Fix this by updating the incore size when we change the ondisk size as
+part of updating the superblock. Note that we don't do this when we're
+allocating blocks to the rt inodes because we actually want those blocks
+to get purged if the growfs fails.
+
+This fixes corruption complaints from the online rtsummary checker when
+running xfs/233. Since that test requires rmap, one can also trigger
+this by growing an rt volume, cycling the mount, and creating rt files.
+
+Signed-off-by: Darrick J. Wong
+Reviewed-by: Chandan Babu R
+Signed-off-by: Sasha Levin
+---
+ fs/xfs/xfs_rtalloc.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/fs/xfs/xfs_rtalloc.c b/fs/xfs/xfs_rtalloc.c
+index b583669370825..6d5ddc4e5135a 100644
+--- a/fs/xfs/xfs_rtalloc.c
++++ b/fs/xfs/xfs_rtalloc.c
+@@ -1021,10 +1021,13 @@ xfs_growfs_rt(
+ xfs_ilock(mp->m_rbmip, XFS_ILOCK_EXCL);
+ xfs_trans_ijoin(tp, mp->m_rbmip, XFS_ILOCK_EXCL);
+ /*
+- * Update the bitmap inode's size.
++ * Update the bitmap inode's size ondisk and incore. We need
++ * to update the incore size so that inode inactivation won't
++ * punch what it thinks are "posteof" blocks.
+ */
+ mp->m_rbmip->i_d.di_size =
+ nsbp->sb_rbmblocks * nsbp->sb_blocksize;
++ i_size_write(VFS_I(mp->m_rbmip), mp->m_rbmip->i_d.di_size);
+ xfs_trans_log_inode(tp, mp->m_rbmip, XFS_ILOG_CORE);
+ /*
+ * Get the summary inode into the transaction.
+@@ -1032,9 +1035,12 @@ xfs_growfs_rt(
+ xfs_ilock(mp->m_rsumip, XFS_ILOCK_EXCL);
+ xfs_trans_ijoin(tp, mp->m_rsumip, XFS_ILOCK_EXCL);
+ /*
+- * Update the summary inode's size.
++ * Update the summary inode's size. We need to update the
++ * incore size so that inode inactivation won't punch what it
++ * thinks are "posteof" blocks.
+ */
+ mp->m_rsumip->i_d.di_size = nmp->m_rsumsize;
++ i_size_write(VFS_I(mp->m_rsumip), mp->m_rsumip->i_d.di_size);
+ xfs_trans_log_inode(tp, mp->m_rsumip, XFS_ILOG_CORE);
+ /*
+ * Copy summary data from old to new sizes.
+--
+2.27.0
+
--
2.47.3