From 981413039f3673f08bb73d26afc38bb195b5f815 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 6 Feb 2020 17:15:32 +0100 Subject: [PATCH] 4.19-stable patches added patches: irqdomain-fix-a-memory-leak-in-irq_domain_push_irq.patch lib-test_kasan.c-fix-memory-leak-in-kmalloc_oob_krealloc_more.patch media-v4l2-core-compat-ignore-native-command-codes.patch media-v4l2-core-set-pages-dirty-upon-releasing-dma-buffers.patch media-v4l2-rect.h-fix-v4l2_rect_map_inside-top-left-adjustments.patch mm-memory_hotplug-fix-remove_memory-lockdep-splat.patch mm-move_pages-report-the-number-of-non-attempted-pages.patch platform-x86-intel_scu_ipc-fix-interrupt-support.patch --- ...a-memory-leak-in-irq_domain_push_irq.patch | 54 +++ ...ry-leak-in-kmalloc_oob_krealloc_more.patch | 39 +++ ...e-compat-ignore-native-command-codes.patch | 328 ++++++++++++++++++ ...ges-dirty-upon-releasing-dma-buffers.patch | 64 ++++ ...rect_map_inside-top-left-adjustments.patch | 78 +++++ ...plug-fix-remove_memory-lockdep-splat.patch | 163 +++++++++ ...rt-the-number-of-non-attempted-pages.patch | 100 ++++++ ...-intel_scu_ipc-fix-interrupt-support.patch | 98 ++++++ queue-4.19/series | 8 + 9 files changed, 932 insertions(+) create mode 100644 queue-4.19/irqdomain-fix-a-memory-leak-in-irq_domain_push_irq.patch create mode 100644 queue-4.19/lib-test_kasan.c-fix-memory-leak-in-kmalloc_oob_krealloc_more.patch create mode 100644 queue-4.19/media-v4l2-core-compat-ignore-native-command-codes.patch create mode 100644 queue-4.19/media-v4l2-core-set-pages-dirty-upon-releasing-dma-buffers.patch create mode 100644 queue-4.19/media-v4l2-rect.h-fix-v4l2_rect_map_inside-top-left-adjustments.patch create mode 100644 queue-4.19/mm-memory_hotplug-fix-remove_memory-lockdep-splat.patch create mode 100644 queue-4.19/mm-move_pages-report-the-number-of-non-attempted-pages.patch create mode 100644 queue-4.19/platform-x86-intel_scu_ipc-fix-interrupt-support.patch diff --git a/queue-4.19/irqdomain-fix-a-memory-leak-in-irq_domain_push_irq.patch b/queue-4.19/irqdomain-fix-a-memory-leak-in-irq_domain_push_irq.patch new file mode 100644 index 00000000000..a78e9b9be2e --- /dev/null +++ b/queue-4.19/irqdomain-fix-a-memory-leak-in-irq_domain_push_irq.patch @@ -0,0 +1,54 @@ +From 0f394daef89b38d58c91118a2b08b8a1b316703b Mon Sep 17 00:00:00 2001 +From: Kevin Hao +Date: Mon, 20 Jan 2020 12:35:47 +0800 +Subject: irqdomain: Fix a memory leak in irq_domain_push_irq() + +From: Kevin Hao + +commit 0f394daef89b38d58c91118a2b08b8a1b316703b upstream. + +Fix a memory leak reported by kmemleak: +unreferenced object 0xffff000bc6f50e80 (size 128): + comm "kworker/23:2", pid 201, jiffies 4294894947 (age 942.132s) + hex dump (first 32 bytes): + 00 00 00 00 41 00 00 00 86 c0 03 00 00 00 00 00 ....A........... + 00 a0 b2 c6 0b 00 ff ff 40 51 fd 10 00 80 ff ff ........@Q...... + backtrace: + [<00000000e62d2240>] kmem_cache_alloc_trace+0x1a4/0x320 + [<00000000279143c9>] irq_domain_push_irq+0x7c/0x188 + [<00000000d9f4c154>] thunderx_gpio_probe+0x3ac/0x438 + [<00000000fd09ec22>] pci_device_probe+0xe4/0x198 + [<00000000d43eca75>] really_probe+0xdc/0x320 + [<00000000d3ebab09>] driver_probe_device+0x5c/0xf0 + [<000000005b3ecaa0>] __device_attach_driver+0x88/0xc0 + [<000000004e5915f5>] bus_for_each_drv+0x7c/0xc8 + [<0000000079d4db41>] __device_attach+0xe4/0x140 + [<00000000883bbda9>] device_initial_probe+0x18/0x20 + [<000000003be59ef6>] bus_probe_device+0x98/0xa0 + [<0000000039b03d3f>] deferred_probe_work_func+0x74/0xa8 + [<00000000870934ce>] process_one_work+0x1c8/0x470 + [<00000000e3cce570>] worker_thread+0x1f8/0x428 + [<000000005d64975e>] kthread+0xfc/0x128 + [<00000000f0eaa764>] ret_from_fork+0x10/0x18 + +Fixes: 495c38d3001f ("irqdomain: Add irq_domain_{push,pop}_irq() functions") +Signed-off-by: Kevin Hao +Signed-off-by: Marc Zyngier +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20200120043547.22271-1-haokexin@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/irq/irqdomain.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/kernel/irq/irqdomain.c ++++ b/kernel/irq/irqdomain.c +@@ -1421,6 +1421,7 @@ int irq_domain_push_irq(struct irq_domai + if (rv) { + /* Restore the original irq_data. */ + *root_irq_data = *child_irq_data; ++ kfree(child_irq_data); + goto error; + } + diff --git a/queue-4.19/lib-test_kasan.c-fix-memory-leak-in-kmalloc_oob_krealloc_more.patch b/queue-4.19/lib-test_kasan.c-fix-memory-leak-in-kmalloc_oob_krealloc_more.patch new file mode 100644 index 00000000000..ef42faadadd --- /dev/null +++ b/queue-4.19/lib-test_kasan.c-fix-memory-leak-in-kmalloc_oob_krealloc_more.patch @@ -0,0 +1,39 @@ +From 3e21d9a501bf99aee2e5835d7f34d8c823f115b5 Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Thu, 30 Jan 2020 22:13:51 -0800 +Subject: lib/test_kasan.c: fix memory leak in kmalloc_oob_krealloc_more() + +From: Gustavo A. R. Silva + +commit 3e21d9a501bf99aee2e5835d7f34d8c823f115b5 upstream. + +In case memory resources for _ptr2_ were allocated, release them before +return. + +Notice that in case _ptr1_ happens to be NULL, krealloc() behaves +exactly like kmalloc(). + +Addresses-Coverity-ID: 1490594 ("Resource leak") +Link: http://lkml.kernel.org/r/20200123160115.GA4202@embeddedor +Fixes: 3f15801cdc23 ("lib: add kasan test module") +Signed-off-by: Gustavo A. R. Silva +Reviewed-by: Dmitry Vyukov +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + lib/test_kasan.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/lib/test_kasan.c ++++ b/lib/test_kasan.c +@@ -157,6 +157,7 @@ static noinline void __init kmalloc_oob_ + if (!ptr1 || !ptr2) { + pr_err("Allocation failed\n"); + kfree(ptr1); ++ kfree(ptr2); + return; + } + diff --git a/queue-4.19/media-v4l2-core-compat-ignore-native-command-codes.patch b/queue-4.19/media-v4l2-core-compat-ignore-native-command-codes.patch new file mode 100644 index 00000000000..baeffbdbb19 --- /dev/null +++ b/queue-4.19/media-v4l2-core-compat-ignore-native-command-codes.patch @@ -0,0 +1,328 @@ +From 4a873f3fa5d6ca52e446d306dd7194dd86a09422 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Mon, 16 Dec 2019 15:15:01 +0100 +Subject: media: v4l2-core: compat: ignore native command codes + +From: Arnd Bergmann + +commit 4a873f3fa5d6ca52e446d306dd7194dd86a09422 upstream. + +The do_video_ioctl() compat handler converts the compat command +codes into the native ones before processing further, but this +causes problems for 32-bit user applications that pass a command +code that matches a 64-bit native number, which will then be +handled the same way. + +Specifically, this breaks VIDIOC_DQEVENT_TIME from user space +applications with 64-bit time_t, as the structure layout is +the same as the native 64-bit layout on many architectures +(x86 being the notable exception). + +Change the handler to use the converted command code only for +passing into the native ioctl handler, not for deciding on the +conversion, in order to make the compat behavior match the +native behavior. + +Actual support for the 64-bit time_t version of VIDIOC_DQEVENT_TIME +and other commands still needs to be added in a separate patch. + +Cc: stable@vger.kernel.org +Signed-off-by: Arnd Bergmann +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 148 +++++++++++++------------- + 1 file changed, 75 insertions(+), 73 deletions(-) + +--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c ++++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c +@@ -1171,36 +1171,38 @@ static long do_video_ioctl(struct file * + u32 aux_space; + int compatible_arg = 1; + long err = 0; ++ unsigned int ncmd; + + /* + * 1. When struct size is different, converts the command. + */ + switch (cmd) { +- case VIDIOC_G_FMT32: cmd = VIDIOC_G_FMT; break; +- case VIDIOC_S_FMT32: cmd = VIDIOC_S_FMT; break; +- case VIDIOC_QUERYBUF32: cmd = VIDIOC_QUERYBUF; break; +- case VIDIOC_G_FBUF32: cmd = VIDIOC_G_FBUF; break; +- case VIDIOC_S_FBUF32: cmd = VIDIOC_S_FBUF; break; +- case VIDIOC_QBUF32: cmd = VIDIOC_QBUF; break; +- case VIDIOC_DQBUF32: cmd = VIDIOC_DQBUF; break; +- case VIDIOC_ENUMSTD32: cmd = VIDIOC_ENUMSTD; break; +- case VIDIOC_ENUMINPUT32: cmd = VIDIOC_ENUMINPUT; break; +- case VIDIOC_TRY_FMT32: cmd = VIDIOC_TRY_FMT; break; +- case VIDIOC_G_EXT_CTRLS32: cmd = VIDIOC_G_EXT_CTRLS; break; +- case VIDIOC_S_EXT_CTRLS32: cmd = VIDIOC_S_EXT_CTRLS; break; +- case VIDIOC_TRY_EXT_CTRLS32: cmd = VIDIOC_TRY_EXT_CTRLS; break; +- case VIDIOC_DQEVENT32: cmd = VIDIOC_DQEVENT; break; +- case VIDIOC_OVERLAY32: cmd = VIDIOC_OVERLAY; break; +- case VIDIOC_STREAMON32: cmd = VIDIOC_STREAMON; break; +- case VIDIOC_STREAMOFF32: cmd = VIDIOC_STREAMOFF; break; +- case VIDIOC_G_INPUT32: cmd = VIDIOC_G_INPUT; break; +- case VIDIOC_S_INPUT32: cmd = VIDIOC_S_INPUT; break; +- case VIDIOC_G_OUTPUT32: cmd = VIDIOC_G_OUTPUT; break; +- case VIDIOC_S_OUTPUT32: cmd = VIDIOC_S_OUTPUT; break; +- case VIDIOC_CREATE_BUFS32: cmd = VIDIOC_CREATE_BUFS; break; +- case VIDIOC_PREPARE_BUF32: cmd = VIDIOC_PREPARE_BUF; break; +- case VIDIOC_G_EDID32: cmd = VIDIOC_G_EDID; break; +- case VIDIOC_S_EDID32: cmd = VIDIOC_S_EDID; break; ++ case VIDIOC_G_FMT32: ncmd = VIDIOC_G_FMT; break; ++ case VIDIOC_S_FMT32: ncmd = VIDIOC_S_FMT; break; ++ case VIDIOC_QUERYBUF32: ncmd = VIDIOC_QUERYBUF; break; ++ case VIDIOC_G_FBUF32: ncmd = VIDIOC_G_FBUF; break; ++ case VIDIOC_S_FBUF32: ncmd = VIDIOC_S_FBUF; break; ++ case VIDIOC_QBUF32: ncmd = VIDIOC_QBUF; break; ++ case VIDIOC_DQBUF32: ncmd = VIDIOC_DQBUF; break; ++ case VIDIOC_ENUMSTD32: ncmd = VIDIOC_ENUMSTD; break; ++ case VIDIOC_ENUMINPUT32: ncmd = VIDIOC_ENUMINPUT; break; ++ case VIDIOC_TRY_FMT32: ncmd = VIDIOC_TRY_FMT; break; ++ case VIDIOC_G_EXT_CTRLS32: ncmd = VIDIOC_G_EXT_CTRLS; break; ++ case VIDIOC_S_EXT_CTRLS32: ncmd = VIDIOC_S_EXT_CTRLS; break; ++ case VIDIOC_TRY_EXT_CTRLS32: ncmd = VIDIOC_TRY_EXT_CTRLS; break; ++ case VIDIOC_DQEVENT32: ncmd = VIDIOC_DQEVENT; break; ++ case VIDIOC_OVERLAY32: ncmd = VIDIOC_OVERLAY; break; ++ case VIDIOC_STREAMON32: ncmd = VIDIOC_STREAMON; break; ++ case VIDIOC_STREAMOFF32: ncmd = VIDIOC_STREAMOFF; break; ++ case VIDIOC_G_INPUT32: ncmd = VIDIOC_G_INPUT; break; ++ case VIDIOC_S_INPUT32: ncmd = VIDIOC_S_INPUT; break; ++ case VIDIOC_G_OUTPUT32: ncmd = VIDIOC_G_OUTPUT; break; ++ case VIDIOC_S_OUTPUT32: ncmd = VIDIOC_S_OUTPUT; break; ++ case VIDIOC_CREATE_BUFS32: ncmd = VIDIOC_CREATE_BUFS; break; ++ case VIDIOC_PREPARE_BUF32: ncmd = VIDIOC_PREPARE_BUF; break; ++ case VIDIOC_G_EDID32: ncmd = VIDIOC_G_EDID; break; ++ case VIDIOC_S_EDID32: ncmd = VIDIOC_S_EDID; break; ++ default: ncmd = cmd; break; + } + + /* +@@ -1209,11 +1211,11 @@ static long do_video_ioctl(struct file * + * argument into it. + */ + switch (cmd) { +- case VIDIOC_OVERLAY: +- case VIDIOC_STREAMON: +- case VIDIOC_STREAMOFF: +- case VIDIOC_S_INPUT: +- case VIDIOC_S_OUTPUT: ++ case VIDIOC_OVERLAY32: ++ case VIDIOC_STREAMON32: ++ case VIDIOC_STREAMOFF32: ++ case VIDIOC_S_INPUT32: ++ case VIDIOC_S_OUTPUT32: + err = alloc_userspace(sizeof(unsigned int), 0, &new_p64); + if (!err && assign_in_user((unsigned int __user *)new_p64, + (compat_uint_t __user *)p32)) +@@ -1221,23 +1223,23 @@ static long do_video_ioctl(struct file * + compatible_arg = 0; + break; + +- case VIDIOC_G_INPUT: +- case VIDIOC_G_OUTPUT: ++ case VIDIOC_G_INPUT32: ++ case VIDIOC_G_OUTPUT32: + err = alloc_userspace(sizeof(unsigned int), 0, &new_p64); + compatible_arg = 0; + break; + +- case VIDIOC_G_EDID: +- case VIDIOC_S_EDID: ++ case VIDIOC_G_EDID32: ++ case VIDIOC_S_EDID32: + err = alloc_userspace(sizeof(struct v4l2_edid), 0, &new_p64); + if (!err) + err = get_v4l2_edid32(new_p64, p32); + compatible_arg = 0; + break; + +- case VIDIOC_G_FMT: +- case VIDIOC_S_FMT: +- case VIDIOC_TRY_FMT: ++ case VIDIOC_G_FMT32: ++ case VIDIOC_S_FMT32: ++ case VIDIOC_TRY_FMT32: + err = bufsize_v4l2_format(p32, &aux_space); + if (!err) + err = alloc_userspace(sizeof(struct v4l2_format), +@@ -1250,7 +1252,7 @@ static long do_video_ioctl(struct file * + compatible_arg = 0; + break; + +- case VIDIOC_CREATE_BUFS: ++ case VIDIOC_CREATE_BUFS32: + err = bufsize_v4l2_create(p32, &aux_space); + if (!err) + err = alloc_userspace(sizeof(struct v4l2_create_buffers), +@@ -1263,10 +1265,10 @@ static long do_video_ioctl(struct file * + compatible_arg = 0; + break; + +- case VIDIOC_PREPARE_BUF: +- case VIDIOC_QUERYBUF: +- case VIDIOC_QBUF: +- case VIDIOC_DQBUF: ++ case VIDIOC_PREPARE_BUF32: ++ case VIDIOC_QUERYBUF32: ++ case VIDIOC_QBUF32: ++ case VIDIOC_DQBUF32: + err = bufsize_v4l2_buffer(p32, &aux_space); + if (!err) + err = alloc_userspace(sizeof(struct v4l2_buffer), +@@ -1279,7 +1281,7 @@ static long do_video_ioctl(struct file * + compatible_arg = 0; + break; + +- case VIDIOC_S_FBUF: ++ case VIDIOC_S_FBUF32: + err = alloc_userspace(sizeof(struct v4l2_framebuffer), 0, + &new_p64); + if (!err) +@@ -1287,13 +1289,13 @@ static long do_video_ioctl(struct file * + compatible_arg = 0; + break; + +- case VIDIOC_G_FBUF: ++ case VIDIOC_G_FBUF32: + err = alloc_userspace(sizeof(struct v4l2_framebuffer), 0, + &new_p64); + compatible_arg = 0; + break; + +- case VIDIOC_ENUMSTD: ++ case VIDIOC_ENUMSTD32: + err = alloc_userspace(sizeof(struct v4l2_standard), 0, + &new_p64); + if (!err) +@@ -1301,16 +1303,16 @@ static long do_video_ioctl(struct file * + compatible_arg = 0; + break; + +- case VIDIOC_ENUMINPUT: ++ case VIDIOC_ENUMINPUT32: + err = alloc_userspace(sizeof(struct v4l2_input), 0, &new_p64); + if (!err) + err = get_v4l2_input32(new_p64, p32); + compatible_arg = 0; + break; + +- case VIDIOC_G_EXT_CTRLS: +- case VIDIOC_S_EXT_CTRLS: +- case VIDIOC_TRY_EXT_CTRLS: ++ case VIDIOC_G_EXT_CTRLS32: ++ case VIDIOC_S_EXT_CTRLS32: ++ case VIDIOC_TRY_EXT_CTRLS32: + err = bufsize_v4l2_ext_controls(p32, &aux_space); + if (!err) + err = alloc_userspace(sizeof(struct v4l2_ext_controls), +@@ -1322,7 +1324,7 @@ static long do_video_ioctl(struct file * + } + compatible_arg = 0; + break; +- case VIDIOC_DQEVENT: ++ case VIDIOC_DQEVENT32: + err = alloc_userspace(sizeof(struct v4l2_event), 0, &new_p64); + compatible_arg = 0; + break; +@@ -1340,9 +1342,9 @@ static long do_video_ioctl(struct file * + * Otherwise, it will pass the newly allocated @new_p64 argument. + */ + if (compatible_arg) +- err = native_ioctl(file, cmd, (unsigned long)p32); ++ err = native_ioctl(file, ncmd, (unsigned long)p32); + else +- err = native_ioctl(file, cmd, (unsigned long)new_p64); ++ err = native_ioctl(file, ncmd, (unsigned long)new_p64); + + if (err == -ENOTTY) + return err; +@@ -1358,13 +1360,13 @@ static long do_video_ioctl(struct file * + * the blocks to maximum allowed value. + */ + switch (cmd) { +- case VIDIOC_G_EXT_CTRLS: +- case VIDIOC_S_EXT_CTRLS: +- case VIDIOC_TRY_EXT_CTRLS: ++ case VIDIOC_G_EXT_CTRLS32: ++ case VIDIOC_S_EXT_CTRLS32: ++ case VIDIOC_TRY_EXT_CTRLS32: + if (put_v4l2_ext_controls32(file, new_p64, p32)) + err = -EFAULT; + break; +- case VIDIOC_S_EDID: ++ case VIDIOC_S_EDID32: + if (put_v4l2_edid32(new_p64, p32)) + err = -EFAULT; + break; +@@ -1377,49 +1379,49 @@ static long do_video_ioctl(struct file * + * the original 32 bits structure. + */ + switch (cmd) { +- case VIDIOC_S_INPUT: +- case VIDIOC_S_OUTPUT: +- case VIDIOC_G_INPUT: +- case VIDIOC_G_OUTPUT: ++ case VIDIOC_S_INPUT32: ++ case VIDIOC_S_OUTPUT32: ++ case VIDIOC_G_INPUT32: ++ case VIDIOC_G_OUTPUT32: + if (assign_in_user((compat_uint_t __user *)p32, + ((unsigned int __user *)new_p64))) + err = -EFAULT; + break; + +- case VIDIOC_G_FBUF: ++ case VIDIOC_G_FBUF32: + err = put_v4l2_framebuffer32(new_p64, p32); + break; + +- case VIDIOC_DQEVENT: ++ case VIDIOC_DQEVENT32: + err = put_v4l2_event32(new_p64, p32); + break; + +- case VIDIOC_G_EDID: ++ case VIDIOC_G_EDID32: + err = put_v4l2_edid32(new_p64, p32); + break; + +- case VIDIOC_G_FMT: +- case VIDIOC_S_FMT: +- case VIDIOC_TRY_FMT: ++ case VIDIOC_G_FMT32: ++ case VIDIOC_S_FMT32: ++ case VIDIOC_TRY_FMT32: + err = put_v4l2_format32(new_p64, p32); + break; + +- case VIDIOC_CREATE_BUFS: ++ case VIDIOC_CREATE_BUFS32: + err = put_v4l2_create32(new_p64, p32); + break; + +- case VIDIOC_PREPARE_BUF: +- case VIDIOC_QUERYBUF: +- case VIDIOC_QBUF: +- case VIDIOC_DQBUF: ++ case VIDIOC_PREPARE_BUF32: ++ case VIDIOC_QUERYBUF32: ++ case VIDIOC_QBUF32: ++ case VIDIOC_DQBUF32: + err = put_v4l2_buffer32(new_p64, p32); + break; + +- case VIDIOC_ENUMSTD: ++ case VIDIOC_ENUMSTD32: + err = put_v4l2_standard32(new_p64, p32); + break; + +- case VIDIOC_ENUMINPUT: ++ case VIDIOC_ENUMINPUT32: + err = put_v4l2_input32(new_p64, p32); + break; + } diff --git a/queue-4.19/media-v4l2-core-set-pages-dirty-upon-releasing-dma-buffers.patch b/queue-4.19/media-v4l2-core-set-pages-dirty-upon-releasing-dma-buffers.patch new file mode 100644 index 00000000000..64ddf10bea9 --- /dev/null +++ b/queue-4.19/media-v4l2-core-set-pages-dirty-upon-releasing-dma-buffers.patch @@ -0,0 +1,64 @@ +From 3c7470b6f68434acae459482ab920d1e3fabd1c7 Mon Sep 17 00:00:00 2001 +From: John Hubbard +Date: Thu, 30 Jan 2020 22:12:50 -0800 +Subject: media/v4l2-core: set pages dirty upon releasing DMA buffers +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: John Hubbard + +commit 3c7470b6f68434acae459482ab920d1e3fabd1c7 upstream. + +After DMA is complete, and the device and CPU caches are synchronized, +it's still required to mark the CPU pages as dirty, if the data was +coming from the device. However, this driver was just issuing a bare +put_page() call, without any set_page_dirty*() call. + +Fix the problem, by calling set_page_dirty_lock() if the CPU pages were +potentially receiving data from the device. + +Link: http://lkml.kernel.org/r/20200107224558.2362728-11-jhubbard@nvidia.com +Signed-off-by: John Hubbard +Reviewed-by: Christoph Hellwig +Acked-by: Hans Verkuil +Cc: Mauro Carvalho Chehab +Cc: +Cc: Alex Williamson +Cc: Aneesh Kumar K.V +Cc: Björn Töpel +Cc: Daniel Vetter +Cc: Dan Williams +Cc: Ira Weiny +Cc: Jan Kara +Cc: Jason Gunthorpe +Cc: Jason Gunthorpe +Cc: Jens Axboe +Cc: Jerome Glisse +Cc: Jonathan Corbet +Cc: Kirill A. Shutemov +Cc: Leon Romanovsky +Cc: Mike Rapoport +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/v4l2-core/videobuf-dma-sg.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/media/v4l2-core/videobuf-dma-sg.c ++++ b/drivers/media/v4l2-core/videobuf-dma-sg.c +@@ -352,8 +352,11 @@ int videobuf_dma_free(struct videobuf_dm + BUG_ON(dma->sglen); + + if (dma->pages) { +- for (i = 0; i < dma->nr_pages; i++) ++ for (i = 0; i < dma->nr_pages; i++) { ++ if (dma->direction == DMA_FROM_DEVICE) ++ set_page_dirty_lock(dma->pages[i]); + put_page(dma->pages[i]); ++ } + kfree(dma->pages); + dma->pages = NULL; + } diff --git a/queue-4.19/media-v4l2-rect.h-fix-v4l2_rect_map_inside-top-left-adjustments.patch b/queue-4.19/media-v4l2-rect.h-fix-v4l2_rect_map_inside-top-left-adjustments.patch new file mode 100644 index 00000000000..c74c4daed1c --- /dev/null +++ b/queue-4.19/media-v4l2-rect.h-fix-v4l2_rect_map_inside-top-left-adjustments.patch @@ -0,0 +1,78 @@ +From f51e50db4c20d46930b33be3f208851265694f3e Mon Sep 17 00:00:00 2001 +From: Helen Koike +Date: Tue, 17 Dec 2019 21:00:22 +0100 +Subject: media: v4l2-rect.h: fix v4l2_rect_map_inside() top/left adjustments + +From: Helen Koike + +commit f51e50db4c20d46930b33be3f208851265694f3e upstream. + +boundary->width and boundary->height are sizes relative to +boundary->left and boundary->top coordinates, but they were not being +taken into consideration to adjust r->left and r->top, leading to the +following error: + +Consider the follow as initial values for boundary and r: + +struct v4l2_rect boundary = { + .left = 100, + .top = 100, + .width = 800, + .height = 600, +} + +struct v4l2_rect r = { + .left = 0, + .top = 0, + .width = 1920, + .height = 960, +} + +calling v4l2_rect_map_inside(&r, &boundary) was modifying r to: + +r = { + .left = 0, + .top = 0, + .width = 800, + .height = 600, +} + +Which is wrongly outside the boundary rectangle, because: + + v4l2_rect_set_max_size(r, boundary); // r->width = 800, r->height = 600 + ... + if (r->left + r->width > boundary->width) // true + r->left = boundary->width - r->width; // r->left = 800 - 800 + if (r->top + r->height > boundary->height) // true + r->top = boundary->height - r->height; // r->height = 600 - 600 + +Fix this by considering top/left coordinates from boundary. + +Fixes: ac49de8c49d7 ("[media] v4l2-rect.h: new header with struct v4l2_rect helper functions") +Signed-off-by: Helen Koike +Cc: # for v4.7 and up +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + include/media/v4l2-rect.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/include/media/v4l2-rect.h ++++ b/include/media/v4l2-rect.h +@@ -63,10 +63,10 @@ static inline void v4l2_rect_map_inside( + r->left = boundary->left; + if (r->top < boundary->top) + r->top = boundary->top; +- if (r->left + r->width > boundary->width) +- r->left = boundary->width - r->width; +- if (r->top + r->height > boundary->height) +- r->top = boundary->height - r->height; ++ if (r->left + r->width > boundary->left + boundary->width) ++ r->left = boundary->left + boundary->width - r->width; ++ if (r->top + r->height > boundary->top + boundary->height) ++ r->top = boundary->top + boundary->height - r->height; + } + + /** diff --git a/queue-4.19/mm-memory_hotplug-fix-remove_memory-lockdep-splat.patch b/queue-4.19/mm-memory_hotplug-fix-remove_memory-lockdep-splat.patch new file mode 100644 index 00000000000..f16cc25955e --- /dev/null +++ b/queue-4.19/mm-memory_hotplug-fix-remove_memory-lockdep-splat.patch @@ -0,0 +1,163 @@ +From f1037ec0cc8ac1a450974ad9754e991f72884f48 Mon Sep 17 00:00:00 2001 +From: Dan Williams +Date: Thu, 30 Jan 2020 22:11:17 -0800 +Subject: mm/memory_hotplug: fix remove_memory() lockdep splat + +From: Dan Williams + +commit f1037ec0cc8ac1a450974ad9754e991f72884f48 upstream. + +The daxctl unit test for the dax_kmem driver currently triggers the +(false positive) lockdep splat below. It results from the fact that +remove_memory_block_devices() is invoked under the mem_hotplug_lock() +causing lockdep entanglements with cpu_hotplug_lock() and sysfs (kernfs +active state tracking). It is a false positive because the sysfs +attribute path triggering the memory remove is not the same attribute +path associated with memory-block device. + +sysfs_break_active_protection() is not applicable since there is no real +deadlock conflict, instead move memory-block device removal outside the +lock. The mem_hotplug_lock() is not needed to synchronize the +memory-block device removal vs the page online state, that is already +handled by lock_device_hotplug(). Specifically, lock_device_hotplug() +is sufficient to allow try_remove_memory() to check the offline state of +the memblocks and be assured that any in progress online attempts are +flushed / blocked by kernfs_drain() / attribute removal. + +The add_memory() path safely creates memblock devices under the +mem_hotplug_lock(). There is no kernfs active state synchronization in +the memblock device_register() path, so nothing to fix there. + +This change is only possible thanks to the recent change that refactored +memory block device removal out of arch_remove_memory() (commit +4c4b7f9ba948 "mm/memory_hotplug: remove memory block devices before +arch_remove_memory()"), and David's due diligence tracking down the +guarantees afforded by kernfs_drain(). Not flagged for -stable since +this only impacts ongoing development and lockdep validation, not a +runtime issue. + + ====================================================== + WARNING: possible circular locking dependency detected + 5.5.0-rc3+ #230 Tainted: G OE + ------------------------------------------------------ + lt-daxctl/6459 is trying to acquire lock: + ffff99c7f0003510 (kn->count#241){++++}, at: kernfs_remove_by_name_ns+0x41/0x80 + + but task is already holding lock: + ffffffffa76a5450 (mem_hotplug_lock.rw_sem){++++}, at: percpu_down_write+0x20/0xe0 + + which lock already depends on the new lock. + + the existing dependency chain (in reverse order) is: + + -> #2 (mem_hotplug_lock.rw_sem){++++}: + __lock_acquire+0x39c/0x790 + lock_acquire+0xa2/0x1b0 + get_online_mems+0x3e/0xb0 + kmem_cache_create_usercopy+0x2e/0x260 + kmem_cache_create+0x12/0x20 + ptlock_cache_init+0x20/0x28 + start_kernel+0x243/0x547 + secondary_startup_64+0xb6/0xc0 + + -> #1 (cpu_hotplug_lock.rw_sem){++++}: + __lock_acquire+0x39c/0x790 + lock_acquire+0xa2/0x1b0 + cpus_read_lock+0x3e/0xb0 + online_pages+0x37/0x300 + memory_subsys_online+0x17d/0x1c0 + device_online+0x60/0x80 + state_store+0x65/0xd0 + kernfs_fop_write+0xcf/0x1c0 + vfs_write+0xdb/0x1d0 + ksys_write+0x65/0xe0 + do_syscall_64+0x5c/0xa0 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + + -> #0 (kn->count#241){++++}: + check_prev_add+0x98/0xa40 + validate_chain+0x576/0x860 + __lock_acquire+0x39c/0x790 + lock_acquire+0xa2/0x1b0 + __kernfs_remove+0x25f/0x2e0 + kernfs_remove_by_name_ns+0x41/0x80 + remove_files.isra.0+0x30/0x70 + sysfs_remove_group+0x3d/0x80 + sysfs_remove_groups+0x29/0x40 + device_remove_attrs+0x39/0x70 + device_del+0x16a/0x3f0 + device_unregister+0x16/0x60 + remove_memory_block_devices+0x82/0xb0 + try_remove_memory+0xb5/0x130 + remove_memory+0x26/0x40 + dev_dax_kmem_remove+0x44/0x6a [kmem] + device_release_driver_internal+0xe4/0x1c0 + unbind_store+0xef/0x120 + kernfs_fop_write+0xcf/0x1c0 + vfs_write+0xdb/0x1d0 + ksys_write+0x65/0xe0 + do_syscall_64+0x5c/0xa0 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + + other info that might help us debug this: + + Chain exists of: + kn->count#241 --> cpu_hotplug_lock.rw_sem --> mem_hotplug_lock.rw_sem + + Possible unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(mem_hotplug_lock.rw_sem); + lock(cpu_hotplug_lock.rw_sem); + lock(mem_hotplug_lock.rw_sem); + lock(kn->count#241); + + *** DEADLOCK *** + +No fixes tag as this has been a long standing issue that predated the +addition of kernfs lockdep annotations. + +Link: http://lkml.kernel.org/r/157991441887.2763922.4770790047389427325.stgit@dwillia2-desk3.amr.corp.intel.com +Signed-off-by: Dan Williams +Acked-by: Michal Hocko +Reviewed-by: David Hildenbrand +Cc: Vishal Verma +Cc: Pavel Tatashin +Cc: Dave Hansen +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/memory_hotplug.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/mm/memory_hotplug.c ++++ b/mm/memory_hotplug.c +@@ -1902,8 +1902,6 @@ void __ref __remove_memory(int nid, u64 + + BUG_ON(check_hotplug_memory_range(start, size)); + +- mem_hotplug_begin(); +- + /* + * All memory blocks must be offlined before removing memory. Check + * whether all memory blocks in question are offline and trigger a BUG() +@@ -1919,9 +1917,14 @@ void __ref __remove_memory(int nid, u64 + memblock_free(start, size); + memblock_remove(start, size); + +- /* remove memory block devices before removing memory */ ++ /* ++ * Memory block device removal under the device_hotplug_lock is ++ * a barrier against racing online attempts. ++ */ + remove_memory_block_devices(start, size); + ++ mem_hotplug_begin(); ++ + arch_remove_memory(nid, start, size, NULL); + __release_memory_resource(start, size); + diff --git a/queue-4.19/mm-move_pages-report-the-number-of-non-attempted-pages.patch b/queue-4.19/mm-move_pages-report-the-number-of-non-attempted-pages.patch new file mode 100644 index 00000000000..31bca958abf --- /dev/null +++ b/queue-4.19/mm-move_pages-report-the-number-of-non-attempted-pages.patch @@ -0,0 +1,100 @@ +From 5984fabb6e82d9ab4e6305cb99694c85d46de8ae Mon Sep 17 00:00:00 2001 +From: Yang Shi +Date: Thu, 30 Jan 2020 22:11:24 -0800 +Subject: mm: move_pages: report the number of non-attempted pages + +From: Yang Shi + +commit 5984fabb6e82d9ab4e6305cb99694c85d46de8ae upstream. + +Since commit a49bd4d71637 ("mm, numa: rework do_pages_move"), the +semantic of move_pages() has changed to return the number of +non-migrated pages if they were result of a non-fatal reasons (usually a +busy page). + +This was an unintentional change that hasn't been noticed except for LTP +tests which checked for the documented behavior. + +There are two ways to go around this change. We can even get back to +the original behavior and return -EAGAIN whenever migrate_pages is not +able to migrate pages due to non-fatal reasons. Another option would be +to simply continue with the changed semantic and extend move_pages +documentation to clarify that -errno is returned on an invalid input or +when migration simply cannot succeed (e.g. -ENOMEM, -EBUSY) or the +number of pages that couldn't have been migrated due to ephemeral +reasons (e.g. page is pinned or locked for other reasons). + +This patch implements the second option because this behavior is in +place for some time without anybody complaining and possibly new users +depending on it. Also it allows to have a slightly easier error +handling as the caller knows that it is worth to retry when err > 0. + +But since the new semantic would be aborted immediately if migration is +failed due to ephemeral reasons, need include the number of +non-attempted pages in the return value too. + +Link: http://lkml.kernel.org/r/1580160527-109104-1-git-send-email-yang.shi@linux.alibaba.com +Fixes: a49bd4d71637 ("mm, numa: rework do_pages_move") +Signed-off-by: Yang Shi +Suggested-by: Michal Hocko +Acked-by: Michal Hocko +Reviewed-by: Wei Yang +Cc: [4.17+] +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/migrate.c | 25 +++++++++++++++++++++++-- + 1 file changed, 23 insertions(+), 2 deletions(-) + +--- a/mm/migrate.c ++++ b/mm/migrate.c +@@ -1623,8 +1623,19 @@ static int do_pages_move(struct mm_struc + start = i; + } else if (node != current_node) { + err = do_move_pages_to_node(mm, &pagelist, current_node); +- if (err) ++ if (err) { ++ /* ++ * Positive err means the number of failed ++ * pages to migrate. Since we are going to ++ * abort and return the number of non-migrated ++ * pages, so need to incude the rest of the ++ * nr_pages that have not been attempted as ++ * well. ++ */ ++ if (err > 0) ++ err += nr_pages - i - 1; + goto out; ++ } + err = store_status(status, start, current_node, i - start); + if (err) + goto out; +@@ -1655,8 +1666,11 @@ static int do_pages_move(struct mm_struc + goto out_flush; + + err = do_move_pages_to_node(mm, &pagelist, current_node); +- if (err) ++ if (err) { ++ if (err > 0) ++ err += nr_pages - i - 1; + goto out; ++ } + if (i > start) { + err = store_status(status, start, current_node, i - start); + if (err) +@@ -1670,6 +1684,13 @@ out_flush: + + /* Make sure we do not overwrite the existing error */ + err1 = do_move_pages_to_node(mm, &pagelist, current_node); ++ /* ++ * Don't have to report non-attempted pages here since: ++ * - If the above loop is done gracefully all pages have been ++ * attempted. ++ * - If the above loop is aborted it means a fatal error ++ * happened, should return ret. ++ */ + if (!err1) + err1 = store_status(status, start, current_node, i - start); + if (err >= 0) diff --git a/queue-4.19/platform-x86-intel_scu_ipc-fix-interrupt-support.patch b/queue-4.19/platform-x86-intel_scu_ipc-fix-interrupt-support.patch new file mode 100644 index 00000000000..3d73c9fb164 --- /dev/null +++ b/queue-4.19/platform-x86-intel_scu_ipc-fix-interrupt-support.patch @@ -0,0 +1,98 @@ +From e48b72a568bbd641c91dad354138d3c17d03ee6f Mon Sep 17 00:00:00 2001 +From: Mika Westerberg +Date: Wed, 22 Jan 2020 19:28:04 +0300 +Subject: platform/x86: intel_scu_ipc: Fix interrupt support + +From: Mika Westerberg + +commit e48b72a568bbd641c91dad354138d3c17d03ee6f upstream. + +Currently the driver has disabled interrupt support for Tangier but +actually interrupt works just fine if the command is not written twice +in a row. Also we need to ack the interrupt in the handler. + +Signed-off-by: Mika Westerberg +Reviewed-by: Andy Shevchenko +Cc: stable@vger.kernel.org +Signed-off-by: Andy Shevchenko +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/platform/x86/intel_scu_ipc.c | 21 ++++++++------------- + 1 file changed, 8 insertions(+), 13 deletions(-) + +--- a/drivers/platform/x86/intel_scu_ipc.c ++++ b/drivers/platform/x86/intel_scu_ipc.c +@@ -69,26 +69,22 @@ + struct intel_scu_ipc_pdata_t { + u32 i2c_base; + u32 i2c_len; +- u8 irq_mode; + }; + + static const struct intel_scu_ipc_pdata_t intel_scu_ipc_lincroft_pdata = { + .i2c_base = 0xff12b000, + .i2c_len = 0x10, +- .irq_mode = 0, + }; + + /* Penwell and Cloverview */ + static const struct intel_scu_ipc_pdata_t intel_scu_ipc_penwell_pdata = { + .i2c_base = 0xff12b000, + .i2c_len = 0x10, +- .irq_mode = 1, + }; + + static const struct intel_scu_ipc_pdata_t intel_scu_ipc_tangier_pdata = { + .i2c_base = 0xff00d000, + .i2c_len = 0x10, +- .irq_mode = 0, + }; + + struct intel_scu_ipc_dev { +@@ -101,6 +97,9 @@ struct intel_scu_ipc_dev { + + static struct intel_scu_ipc_dev ipcdev; /* Only one for now */ + ++#define IPC_STATUS 0x04 ++#define IPC_STATUS_IRQ BIT(2) ++ + /* + * IPC Read Buffer (Read Only): + * 16 byte buffer for receiving data from SCU, if IPC command +@@ -122,11 +121,8 @@ static DEFINE_MUTEX(ipclock); /* lock us + */ + static inline void ipc_command(struct intel_scu_ipc_dev *scu, u32 cmd) + { +- if (scu->irq_mode) { +- reinit_completion(&scu->cmd_complete); +- writel(cmd | IPC_IOC, scu->ipc_base); +- } +- writel(cmd, scu->ipc_base); ++ reinit_completion(&scu->cmd_complete); ++ writel(cmd | IPC_IOC, scu->ipc_base); + } + + /* +@@ -612,9 +608,10 @@ EXPORT_SYMBOL(intel_scu_ipc_i2c_cntrl); + static irqreturn_t ioc(int irq, void *dev_id) + { + struct intel_scu_ipc_dev *scu = dev_id; ++ int status = ipc_read_status(scu); + +- if (scu->irq_mode) +- complete(&scu->cmd_complete); ++ writel(status | IPC_STATUS_IRQ, scu->ipc_base + IPC_STATUS); ++ complete(&scu->cmd_complete); + + return IRQ_HANDLED; + } +@@ -640,8 +637,6 @@ static int ipc_probe(struct pci_dev *pde + if (!pdata) + return -ENODEV; + +- scu->irq_mode = pdata->irq_mode; +- + err = pcim_enable_device(pdev); + if (err) + return err; diff --git a/queue-4.19/series b/queue-4.19/series index 2689f664baa..8ac719bc014 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -35,3 +35,11 @@ usb-gadget-f_ncm-use-atomic_t-to-track-in-flight-request.patch usb-gadget-f_ecm-use-atomic_t-to-track-in-flight-request.patch alsa-usb-audio-fix-endianess-in-descriptor-validation.patch alsa-dummy-fix-pcm-format-loop-in-proc-output.patch +mm-memory_hotplug-fix-remove_memory-lockdep-splat.patch +mm-move_pages-report-the-number-of-non-attempted-pages.patch +media-v4l2-core-set-pages-dirty-upon-releasing-dma-buffers.patch +media-v4l2-core-compat-ignore-native-command-codes.patch +media-v4l2-rect.h-fix-v4l2_rect_map_inside-top-left-adjustments.patch +lib-test_kasan.c-fix-memory-leak-in-kmalloc_oob_krealloc_more.patch +irqdomain-fix-a-memory-leak-in-irq_domain_push_irq.patch +platform-x86-intel_scu_ipc-fix-interrupt-support.patch -- 2.47.3