From d74ac9226f3fbacbfdcf8717794e709bee118523 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Mon, 2 Nov 2020 00:20:06 -0500 Subject: [PATCH] Fixes for 4.14 
Signed-off-by: Sasha Levin --- ...bounds-and-numa_off-protections-to-p.patch | 42 ++++ ...eakpoint-handle-inexact-watchpoint-a.patch | 188 ++++++++++++++++++ ...move-pmu-node-out-of-clock-controlle.patch | 57 ++++++ ...remove-dedicated-audio-subsystem-nod.patch | 106 ++++++++++ ...remove-dma-controller-bus-node-name-.patch | 87 ++++++++ ...s-ulcb-add-full-pwr-cycle-in-suspend.patch | 36 ++++ ...cpu_all_mask-when-node-is-numa_no_no.patch | 61 ++++++ ...-fix-config_generic_iomap-pci_iounma.patch | 114 +++++++++++ ...nss-calculation-when-stbc-is-enabled.patch | 58 ++++++ ...overy-process-when-payload-length-ex.patch | 85 ++++++++ ...log-unknown-link-speed-appropriately.patch | 51 +++++ ...t-rely-on-caller-to-provide-non-null.patch | 43 ++++ ...ockdomain-fix-static-checker-warning.patch | 40 ++++ ...freq-sti-cpufreq-add-stih418-support.patch | 46 +++++ ...hdlc_fr-correctly-handle-special-skb.patch | 188 ++++++++++++++++++ ...-rdc321x_wdt-fix-race-condition-bugs.patch | 62 ++++++ ...sys-dsi-add-support-for-non-continuo.patch | 67 +++++++ ...ips-add-checking-if-ge_b850v3_lvds_i.patch | 60 ++++++ ...detect-already-used-quota-file-early.patch | 48 +++++ ...2fs-add-trace-exit-in-exception-path.patch | 40 ++++ ...k-segment-boundary-during-sit-page-r.patch | 60 ++++++ ...incorrect-should_fail_futex-handling.patch | 49 +++++ ...dation-checks-for-size-of-superblock.patch | 62 ++++++ ...con-work-properly-with-kgdb_earlycon.patch | 70 +++++++ ...map_get_counter-returns-wrong-blocks.patch | 53 +++++ ...mprove-queue-set-up-flow-for-bug-fix.patch | 41 ++++ ...ck-status-of-tw5864_frameinterval_ge.patch | 63 ++++++ ...h-rgb-bt2020-and-hsv-are-always-full.patch | 117 +++++++++++ ...-remove-bogus-debugfs-error-handling.patch | 75 +++++++ ...se-after-free-in-mlxsw_emad_trans_fi.patch | 166 ++++++++++++++++ .../mmc-via-sdmmc-fix-data-race-bug.patch | 48 +++++ ...fig-put-is-called-before-the-notifyi.patch | 43 ++++ ...e-sun_server.sun_path-to-have-addr-s.patch | 45 +++++ 
...rdma-fix-crash-when-connect-rejected.patch | 47 +++++ ...t_power-add-missing-newlines-when-pr.patch | 84 ++++++++ ...powernv-smp-fix-spurious-dbg-warning.patch | 55 +++++ ...elect-arch_want_irqs_off_activate_mm.patch | 50 +++++ ...reduce-log_buf_shift-range-for-h8300.patch | 42 ++++ queue-4.14/series | 47 +++++ .../sgl_alloc_order-fix-memory-leak.patch | 42 ++++ ...m_cpumask-clearing-to-fix-kthread_us.patch | 179 +++++++++++++++++ ...-uio-id-after-uio-file-node-is-freed.patch | 85 ++++++++ .../um-change-sigio_spinlock-to-a-mutex.patch | 78 ++++++++ queue-4.14/usb-adutux-fix-debugging.patch | 35 ++++ ...uring-pr_swap-source-caps-should-be-.patch | 80 ++++++++ ...eo-fbdev-pvr2fb-initialize-variables.patch | 49 +++++ ...ix-inactive-tasks-with-stack-pointer.patch | 145 ++++++++++++++ ...-bitmap-summary-file-truncation-when.patch | 70 +++++++ 48 files changed, 3459 insertions(+) create mode 100644 queue-4.14/acpi-add-out-of-bounds-and-numa_off-protections-to-p.patch create mode 100644 queue-4.14/arm-8997-2-hw_breakpoint-handle-inexact-watchpoint-a.patch create mode 100644 queue-4.14/arm-dts-s5pv210-move-pmu-node-out-of-clock-controlle.patch create mode 100644 queue-4.14/arm-dts-s5pv210-remove-dedicated-audio-subsystem-nod.patch create mode 100644 queue-4.14/arm-dts-s5pv210-remove-dma-controller-bus-node-name-.patch create mode 100644 queue-4.14/arm64-dts-renesas-ulcb-add-full-pwr-cycle-in-suspend.patch create mode 100644 queue-4.14/arm64-mm-return-cpu_all_mask-when-node-is-numa_no_no.patch create mode 100644 queue-4.14/asm-generic-io.h-fix-config_generic_iomap-pci_iounma.patch create mode 100644 queue-4.14/ath10k-fix-vht-nss-calculation-when-stbc-is-enabled.patch create mode 100644 queue-4.14/ath10k-start-recovery-process-when-payload-length-ex.patch create mode 100644 queue-4.14/bnxt_en-log-unknown-link-speed-appropriately.patch create mode 100644 queue-4.14/bus-fsl_mc-do-not-rely-on-caller-to-provide-non-null.patch create mode 100644 
queue-4.14/clk-ti-clockdomain-fix-static-checker-warning.patch create mode 100644 queue-4.14/cpufreq-sti-cpufreq-add-stih418-support.patch create mode 100644 queue-4.14/drivers-net-wan-hdlc_fr-correctly-handle-special-skb.patch create mode 100644 queue-4.14/drivers-watchdog-rdc321x_wdt-fix-race-condition-bugs.patch create mode 100644 queue-4.14/drm-bridge-synopsys-dsi-add-support-for-non-continuo.patch create mode 100644 queue-4.14/drm-brige-megachips-add-checking-if-ge_b850v3_lvds_i.patch create mode 100644 queue-4.14/ext4-detect-already-used-quota-file-early.patch create mode 100644 queue-4.14/f2fs-add-trace-exit-in-exception-path.patch create mode 100644 queue-4.14/f2fs-fix-to-check-segment-boundary-during-sit-page-r.patch create mode 100644 queue-4.14/futex-fix-incorrect-should_fail_futex-handling.patch create mode 100644 queue-4.14/gfs2-add-validation-checks-for-size-of-superblock.patch create mode 100644 queue-4.14/kgdb-make-kgdbcon-work-properly-with-kgdb_earlycon.patch create mode 100644 queue-4.14/md-bitmap-md_bitmap_get_counter-returns-wrong-blocks.patch create mode 100644 queue-4.14/media-platform-improve-queue-set-up-flow-for-bug-fix.patch create mode 100644 queue-4.14/media-tw5864-check-status-of-tw5864_frameinterval_ge.patch create mode 100644 queue-4.14/media-videodev2.h-rgb-bt2020-and-hsv-are-always-full.patch create mode 100644 queue-4.14/memory-emif-remove-bogus-debugfs-error-handling.patch create mode 100644 queue-4.14/mlxsw-core-fix-use-after-free-in-mlxsw_emad_trans_fi.patch create mode 100644 queue-4.14/mmc-via-sdmmc-fix-data-race-bug.patch create mode 100644 queue-4.14/nbd-make-the-config-put-is-called-before-the-notifyi.patch create mode 100644 queue-4.14/net-9p-initialize-sun_server.sun_path-to-have-addr-s.patch create mode 100644 queue-4.14/nvme-rdma-fix-crash-when-connect-rejected.patch create mode 100644 queue-4.14/power-supply-test_power-add-missing-newlines-when-pr.patch create mode 100644 
queue-4.14/powerpc-powernv-smp-fix-spurious-dbg-warning.patch create mode 100644 queue-4.14/powerpc-select-arch_want_irqs_off_activate_mm.patch create mode 100644 queue-4.14/printk-reduce-log_buf_shift-range-for-h8300.patch create mode 100644 queue-4.14/sgl_alloc_order-fix-memory-leak.patch create mode 100644 queue-4.14/sparc64-remove-mm_cpumask-clearing-to-fix-kthread_us.patch create mode 100644 queue-4.14/uio-free-uio-id-after-uio-file-node-is-freed.patch create mode 100644 queue-4.14/um-change-sigio_spinlock-to-a-mutex.patch create mode 100644 queue-4.14/usb-adutux-fix-debugging.patch create mode 100644 queue-4.14/usb-typec-tcpm-during-pr_swap-source-caps-should-be-.patch create mode 100644 queue-4.14/video-fbdev-pvr2fb-initialize-variables.patch create mode 100644 queue-4.14/x86-unwind-orc-fix-inactive-tasks-with-stack-pointer.patch create mode 100644 queue-4.14/xfs-fix-realtime-bitmap-summary-file-truncation-when.patch diff --git a/queue-4.14/acpi-add-out-of-bounds-and-numa_off-protections-to-p.patch b/queue-4.14/acpi-add-out-of-bounds-and-numa_off-protections-to-p.patch new file mode 100644 index 00000000000..ad067b15e30 --- /dev/null +++ b/queue-4.14/acpi-add-out-of-bounds-and-numa_off-protections-to-p.patch 
@@ -0,0 +1,42 @@
+From c7ac3a3527e96d105e68faf73daea34139345008 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 18 Aug 2020 22:24:25 +0800
+Subject: ACPI: Add out of bounds and numa_off protections to pxm_to_node()
+
+From: Jonathan Cameron
+
+[ Upstream commit 8a3decac087aa897df5af04358c2089e52e70ac4 ]
+
+The function should check the validity of the pxm value before using
+it to index the pxm_to_node_map[] array.
+
+Whilst hardening this code may be good in general, the main intent
+here is to enable following patches that use this function to replace
+acpi_map_pxm_to_node() for non SRAT usecases which should return
+NO_NUMA_NODE for PXM entries not matching with those in SRAT.
+
+Signed-off-by: Jonathan Cameron
+Reviewed-by: Barry Song
+Reviewed-by: Hanjun Guo
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+---
+ drivers/acpi/numa.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/acpi/numa.c b/drivers/acpi/numa.c
+index a7907b58562a7..986712fe2a71c 100644
+--- a/drivers/acpi/numa.c
++++ b/drivers/acpi/numa.c
+@@ -46,7 +46,7 @@ int acpi_numa __initdata;
+
+ int pxm_to_node(int pxm)
+ {
+- if (pxm < 0)
++ if (pxm < 0 || pxm >= MAX_PXM_DOMAINS || numa_off)
+ return NUMA_NO_NODE;
+ return pxm_to_node_map[pxm];
+ }
+--
+2.27.0
+
diff --git a/queue-4.14/arm-8997-2-hw_breakpoint-handle-inexact-watchpoint-a.patch b/queue-4.14/arm-8997-2-hw_breakpoint-handle-inexact-watchpoint-a.patch
new file mode 100644
index 00000000000..927e1fb580a
--- /dev/null
+++ b/queue-4.14/arm-8997-2-hw_breakpoint-handle-inexact-watchpoint-a.patch
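Review bot: The widened guard in pxm_to_node() (queue-4.14/acpi-add-out-of-bounds-and-numa_off-protections-to-p.patch) has no comment saying why pxm is range-checked; the reason, that the value indexes pxm_to_node_map[] directly, lives only in the commit message. A one-line comment above the `if` would keep it next to the code, e.g. `/* pxm indexes pxm_to_node_map[]; reject values outside it, and any lookup when NUMA is off */`. The message also says the main intent is to enable follow-up patches; as far as the file list of this commit shows, none of them are queued here, so in this queue the change stands as hardening only.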
@@ -0,0 +1,188 @@ +From 5d9e6e927a5844093c8757212a2ba87f9aaab1cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Aug 2020 23:24:35 +0100 +Subject: ARM: 8997/2: hw_breakpoint: Handle inexact watchpoint addresses + +From: Douglas Anderson + +[ Upstream commit 22c9e58299e5f18274788ce54c03d4fb761e3c5d ] + +This is commit fdfeff0f9e3d ("arm64: hw_breakpoint: Handle inexact +watchpoint addresses") but ported to arm32, which has the same +problem. + +This problem was found by Android CTS tests, notably the +"watchpoint_imprecise" test [1]. I tested locally against a copycat +(simplified) version of the test though. + +[1] https://android.googlesource.com/platform/bionic/+/master/tests/sys_ptrace_test.cpp + +Link: https://lkml.kernel.org/r/20191019111216.1.I82eae759ca6dc28a245b043f485ca490e3015321@changeid + +Signed-off-by: Douglas Anderson +Reviewed-by: Matthias Kaehlcke +Acked-by: Will Deacon +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/kernel/hw_breakpoint.c | 100 +++++++++++++++++++++++--------- + 1 file changed, 72 insertions(+), 28 deletions(-) + +diff --git a/arch/arm/kernel/hw_breakpoint.c b/arch/arm/kernel/hw_breakpoint.c +index a30f656f791f3..e61697fb7efea 100644 +--- a/arch/arm/kernel/hw_breakpoint.c ++++ b/arch/arm/kernel/hw_breakpoint.c +@@ -688,6 +688,40 @@ static void disable_single_step(struct perf_event *bp) + arch_install_hw_breakpoint(bp); + } + ++/* ++ * Arm32 hardware does not always report a watchpoint hit address that matches ++ * one of the watchpoints set. It can also report an address "near" the ++ * watchpoint if a single instruction access both watched and unwatched ++ * addresses. There is no straight-forward way, short of disassembling the ++ * offending instruction, to map that address back to the watchpoint. This ++ * function computes the distance of the memory access from the watchpoint as a ++ * heuristic for the likelyhood that a given access triggered the watchpoint. 
++ * ++ * See this same function in the arm64 platform code, which has the same ++ * problem. ++ * ++ * The function returns the distance of the address from the bytes watched by ++ * the watchpoint. In case of an exact match, it returns 0. ++ */ ++static u32 get_distance_from_watchpoint(unsigned long addr, u32 val, ++ struct arch_hw_breakpoint_ctrl *ctrl) ++{ ++ u32 wp_low, wp_high; ++ u32 lens, lene; ++ ++ lens = __ffs(ctrl->len); ++ lene = __fls(ctrl->len); ++ ++ wp_low = val + lens; ++ wp_high = val + lene; ++ if (addr < wp_low) ++ return wp_low - addr; ++ else if (addr > wp_high) ++ return addr - wp_high; ++ else ++ return 0; ++} ++ + static int watchpoint_fault_on_uaccess(struct pt_regs *regs, + struct arch_hw_breakpoint *info) + { +@@ -697,23 +731,25 @@ static int watchpoint_fault_on_uaccess(struct pt_regs *regs, + static void watchpoint_handler(unsigned long addr, unsigned int fsr, + struct pt_regs *regs) + { +- int i, access; +- u32 val, ctrl_reg, alignment_mask; ++ int i, access, closest_match = 0; ++ u32 min_dist = -1, dist; ++ u32 val, ctrl_reg; + struct perf_event *wp, **slots; + struct arch_hw_breakpoint *info; + struct arch_hw_breakpoint_ctrl ctrl; + + slots = this_cpu_ptr(wp_on_reg); + ++ /* ++ * Find all watchpoints that match the reported address. If no exact ++ * match is found. Attribute the hit to the closest watchpoint. ++ */ ++ rcu_read_lock(); + for (i = 0; i < core_num_wrps; ++i) { +- rcu_read_lock(); +- + wp = slots[i]; +- + if (wp == NULL) +- goto unlock; ++ continue; + +- info = counter_arch_bp(wp); + /* + * The DFAR is an unknown value on debug architectures prior + * to 7.1. 
Since we only allow a single watchpoint on these +@@ -722,33 +758,31 @@ static void watchpoint_handler(unsigned long addr, unsigned int fsr, + */ + if (debug_arch < ARM_DEBUG_ARCH_V7_1) { + BUG_ON(i > 0); ++ info = counter_arch_bp(wp); + info->trigger = wp->attr.bp_addr; + } else { +- if (info->ctrl.len == ARM_BREAKPOINT_LEN_8) +- alignment_mask = 0x7; +- else +- alignment_mask = 0x3; +- +- /* Check if the watchpoint value matches. */ +- val = read_wb_reg(ARM_BASE_WVR + i); +- if (val != (addr & ~alignment_mask)) +- goto unlock; +- +- /* Possible match, check the byte address select. */ +- ctrl_reg = read_wb_reg(ARM_BASE_WCR + i); +- decode_ctrl_reg(ctrl_reg, &ctrl); +- if (!((1 << (addr & alignment_mask)) & ctrl.len)) +- goto unlock; +- + /* Check that the access type matches. */ + if (debug_exception_updates_fsr()) { + access = (fsr & ARM_FSR_ACCESS_MASK) ? + HW_BREAKPOINT_W : HW_BREAKPOINT_R; + if (!(access & hw_breakpoint_type(wp))) +- goto unlock; ++ continue; + } + ++ val = read_wb_reg(ARM_BASE_WVR + i); ++ ctrl_reg = read_wb_reg(ARM_BASE_WCR + i); ++ decode_ctrl_reg(ctrl_reg, &ctrl); ++ dist = get_distance_from_watchpoint(addr, val, &ctrl); ++ if (dist < min_dist) { ++ min_dist = dist; ++ closest_match = i; ++ } ++ /* Is this an exact match? */ ++ if (dist != 0) ++ continue; ++ + /* We have a winner. */ ++ info = counter_arch_bp(wp); + info->trigger = addr; + } + +@@ -770,13 +804,23 @@ static void watchpoint_handler(unsigned long addr, unsigned int fsr, + * we can single-step over the watchpoint trigger. + */ + if (!is_default_overflow_handler(wp)) +- goto unlock; +- ++ continue; + step: + enable_single_step(wp, instruction_pointer(regs)); +-unlock: +- rcu_read_unlock(); + } ++ ++ if (min_dist > 0 && min_dist != -1) { ++ /* No exact match found. 
*/ ++ wp = slots[closest_match]; ++ info = counter_arch_bp(wp); ++ info->trigger = addr; ++ pr_debug("watchpoint fired: address = 0x%x\n", info->trigger); ++ perf_bp_event(wp, regs); ++ if (is_default_overflow_handler(wp)) ++ enable_single_step(wp, instruction_pointer(regs)); ++ } ++ ++ rcu_read_unlock(); + } + + static void watchpoint_single_step_handler(unsigned long pc) +-- +2.27.0 + diff --git a/queue-4.14/arm-dts-s5pv210-move-pmu-node-out-of-clock-controlle.patch b/queue-4.14/arm-dts-s5pv210-move-pmu-node-out-of-clock-controlle.patch new file mode 100644 index 00000000000..841b1943562 --- /dev/null +++ b/queue-4.14/arm-dts-s5pv210-move-pmu-node-out-of-clock-controlle.patch 
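Review bot: In watchpoint_handler() (arch/arm/kernel/hw_breakpoint.c patch), `u32 min_dist = -1` and the later `min_dist != -1` rely on the implicit conversion of -1 to the all-ones u32 as a "no candidate seen" sentinel; `U32_MAX` says that directly, i.e. `u32 min_dist = U32_MAX, dist;` and `if (min_dist > 0 && min_dist != U32_MAX)`. In get_distance_from_watchpoint(), `__ffs(ctrl->len)` and `__fls(ctrl->len)` are undefined for a zero argument, and ctrl->len is decoded from the WCR value read just before the call; presumably an installed watchpoint always has a non-zero byte-select, but a short comment stating that assumption would help. The new block comments also carry a typo ("likelyhood") and a stray full stop in "If no exact match is found. Attribute the hit ...".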
@@ -0,0 +1,57 @@ +From 2e62b76b83a6281201a16cc78bd20c5efb4efd15 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Sep 2020 18:11:23 +0200 +Subject: ARM: dts: s5pv210: move PMU node out of clock controller + +From: Krzysztof Kozlowski + +[ Upstream commit bb98fff84ad1ea321823759edaba573a16fa02bd ] + +The Power Management Unit (PMU) is a separate device which has little +common with clock controller. Moving it to one level up (from clock +controller child to SoC) allows to remove fake simple-bus compatible and +dtbs_check warnings like: + + clock-controller@e0100000: $nodename:0: + 'clock-controller@e0100000' does not match '^([a-z][a-z0-9\\-]+-bus|bus|soc|axi|ahb|apb)(@[0-9a-f]+)?$' + +Signed-off-by: Krzysztof Kozlowski +Tested-by: Jonathan Bakker +Link: https://lore.kernel.org/r/20200907161141.31034-8-krzk@kernel.org +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/s5pv210.dtsi | 13 +++++-------- + 1 file changed, 5 insertions(+), 8 deletions(-) + +diff --git a/arch/arm/boot/dts/s5pv210.dtsi b/arch/arm/boot/dts/s5pv210.dtsi +index c13d888e69628..b72ca89beac98 100644 +--- a/arch/arm/boot/dts/s5pv210.dtsi ++++ b/arch/arm/boot/dts/s5pv210.dtsi +@@ -101,19 +101,16 @@ + }; + + clocks: clock-controller@e0100000 { +- compatible = "samsung,s5pv210-clock", "simple-bus"; ++ compatible = "samsung,s5pv210-clock"; + reg = <0xe0100000 0x10000>; + clock-names = "xxti", "xusbxti"; + clocks = <&xxti>, <&xusbxti>; + #clock-cells = <1>; +- #address-cells = <1>; +- #size-cells = <1>; +- ranges; ++ }; + +- pmu_syscon: syscon@e0108000 { +- compatible = "samsung-s5pv210-pmu", "syscon"; +- reg = <0xe0108000 0x8000>; +- }; ++ pmu_syscon: syscon@e0108000 { ++ compatible = "samsung-s5pv210-pmu", "syscon"; ++ reg = <0xe0108000 0x8000>; + }; + + pinctrl0: pinctrl@e0200000 { +-- +2.27.0 + 
diff --git a/queue-4.14/arm-dts-s5pv210-remove-dedicated-audio-subsystem-nod.patch b/queue-4.14/arm-dts-s5pv210-remove-dedicated-audio-subsystem-nod.patch new file mode 100644 index 00000000000..b407611dcb1 --- /dev/null +++ b/queue-4.14/arm-dts-s5pv210-remove-dedicated-audio-subsystem-nod.patch 
@@ -0,0 +1,106 @@ +From 777920cc3b8e7bc32d8cea09179dd6bbdb2f2622 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Sep 2020 18:11:24 +0200 +Subject: ARM: dts: s5pv210: remove dedicated 'audio-subsystem' node + +From: Krzysztof Kozlowski + +[ Upstream commit 6c17a2974abf68a58517f75741b15c4aba42b4b8 ] + +The 'audio-subsystem' node is an artificial creation, not representing +real hardware. The hardware is described by its nodes - AUDSS clock +controller and I2S0. + +Remove the 'audio-subsystem' node along with its undocumented compatible +to fix dtbs_check warnings like: + + audio-subsystem: $nodename:0: 'audio-subsystem' does not match '^([a-z][a-z0-9\\-]+-bus|bus|soc|axi|ahb|apb)(@[0-9a-f]+)?$' + +Signed-off-by: Krzysztof Kozlowski +Tested-by: Jonathan Bakker +Link: https://lore.kernel.org/r/20200907161141.31034-9-krzk@kernel.org +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/s5pv210.dtsi | 65 +++++++++++++++------------------- + 1 file changed, 29 insertions(+), 36 deletions(-) + +diff --git a/arch/arm/boot/dts/s5pv210.dtsi b/arch/arm/boot/dts/s5pv210.dtsi +index b72ca89beac98..a215218237a60 100644 +--- a/arch/arm/boot/dts/s5pv210.dtsi ++++ b/arch/arm/boot/dts/s5pv210.dtsi +@@ -220,43 +220,36 @@ + status = "disabled"; + }; + +- audio-subsystem { +- compatible = "samsung,s5pv210-audss", "simple-bus"; +- #address-cells = <1>; +- #size-cells = <1>; +- ranges; +- +- clk_audss: clock-controller@eee10000 { +- compatible = "samsung,s5pv210-audss-clock"; +- reg = <0xeee10000 0x1000>; +- clock-names = "hclk", "xxti", +- "fout_epll", +- "sclk_audio0"; +- clocks = <&clocks DOUT_HCLKP>, <&xxti>, +- <&clocks FOUT_EPLL>, +- <&clocks SCLK_AUDIO0>; +- #clock-cells = <1>; +- }; ++ clk_audss: clock-controller@eee10000 { ++ compatible = "samsung,s5pv210-audss-clock"; ++ reg = <0xeee10000 0x1000>; ++ clock-names = "hclk", "xxti", ++ "fout_epll", ++ "sclk_audio0"; ++ clocks = <&clocks DOUT_HCLKP>, <&xxti>, ++ <&clocks FOUT_EPLL>, ++ <&clocks SCLK_AUDIO0>; ++ #clock-cells 
= <1>; ++ }; + +- i2s0: i2s@eee30000 { +- compatible = "samsung,s5pv210-i2s"; +- reg = <0xeee30000 0x1000>; +- interrupt-parent = <&vic2>; +- interrupts = <16>; +- dma-names = "rx", "tx", "tx-sec"; +- dmas = <&pdma1 9>, <&pdma1 10>, <&pdma1 11>; +- clock-names = "iis", +- "i2s_opclk0", +- "i2s_opclk1"; +- clocks = <&clk_audss CLK_I2S>, +- <&clk_audss CLK_I2S>, +- <&clk_audss CLK_DOUT_AUD_BUS>; +- samsung,idma-addr = <0xc0010000>; +- pinctrl-names = "default"; +- pinctrl-0 = <&i2s0_bus>; +- #sound-dai-cells = <0>; +- status = "disabled"; +- }; ++ i2s0: i2s@eee30000 { ++ compatible = "samsung,s5pv210-i2s"; ++ reg = <0xeee30000 0x1000>; ++ interrupt-parent = <&vic2>; ++ interrupts = <16>; ++ dma-names = "rx", "tx", "tx-sec"; ++ dmas = <&pdma1 9>, <&pdma1 10>, <&pdma1 11>; ++ clock-names = "iis", ++ "i2s_opclk0", ++ "i2s_opclk1"; ++ clocks = <&clk_audss CLK_I2S>, ++ <&clk_audss CLK_I2S>, ++ <&clk_audss CLK_DOUT_AUD_BUS>; ++ samsung,idma-addr = <0xc0010000>; ++ pinctrl-names = "default"; ++ pinctrl-0 = <&i2s0_bus>; ++ #sound-dai-cells = <0>; ++ status = "disabled"; + }; + + i2s1: i2s@e2100000 { +-- +2.27.0 + diff --git a/queue-4.14/arm-dts-s5pv210-remove-dma-controller-bus-node-name-.patch b/queue-4.14/arm-dts-s5pv210-remove-dma-controller-bus-node-name-.patch new file mode 100644 index 00000000000..7d4c4c2d884 --- /dev/null +++ b/queue-4.14/arm-dts-s5pv210-remove-dma-controller-bus-node-name-.patch 
@@ -0,0 +1,87 @@ +From eca61774df0b9c035063243aef5943d384dd8c8e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Sep 2020 18:11:21 +0200 +Subject: ARM: dts: s5pv210: remove DMA controller bus node name to fix + dtschema warnings + +From: Krzysztof Kozlowski + +[ Upstream commit ea4e792f3c8931fffec4d700cf6197d84e9f35a6 ] + +There is no need to keep DMA controller nodes under AMBA bus node. +Remove the "amba" node to fix dtschema warnings like: + + amba: $nodename:0: 'amba' does not match '^([a-z][a-z0-9\\-]+-bus|bus|soc|axi|ahb|apb)(@[0-9a-f]+)?$' + +Signed-off-by: Krzysztof Kozlowski +Tested-by: Jonathan Bakker +Link: https://lore.kernel.org/r/20200907161141.31034-6-krzk@kernel.org +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/s5pv210.dtsi | 49 +++++++++++++++------------------- + 1 file changed, 21 insertions(+), 28 deletions(-) + +diff --git a/arch/arm/boot/dts/s5pv210.dtsi b/arch/arm/boot/dts/s5pv210.dtsi +index b290a5abb9016..c13d888e69628 100644 +--- a/arch/arm/boot/dts/s5pv210.dtsi ++++ b/arch/arm/boot/dts/s5pv210.dtsi +@@ -129,35 +129,28 @@ + }; + }; + +- amba { +- #address-cells = <1>; +- #size-cells = <1>; +- compatible = "simple-bus"; +- ranges; +- +- pdma0: dma@e0900000 { +- compatible = "arm,pl330", "arm,primecell"; +- reg = <0xe0900000 0x1000>; +- interrupt-parent = <&vic0>; +- interrupts = <19>; +- clocks = <&clocks CLK_PDMA0>; +- clock-names = "apb_pclk"; +- #dma-cells = <1>; +- #dma-channels = <8>; +- #dma-requests = <32>; +- }; ++ pdma0: dma@e0900000 { ++ compatible = "arm,pl330", "arm,primecell"; ++ reg = <0xe0900000 0x1000>; ++ interrupt-parent = <&vic0>; ++ interrupts = <19>; ++ clocks = <&clocks CLK_PDMA0>; ++ clock-names = "apb_pclk"; ++ #dma-cells = <1>; ++ #dma-channels = <8>; ++ #dma-requests = <32>; ++ }; + +- pdma1: dma@e0a00000 { +- compatible = "arm,pl330", "arm,primecell"; +- reg = <0xe0a00000 0x1000>; +- interrupt-parent = <&vic0>; +- interrupts = <20>; +- clocks = <&clocks CLK_PDMA1>; +- clock-names = "apb_pclk"; +- 
#dma-cells = <1>; +- #dma-channels = <8>; +- #dma-requests = <32>; +- }; ++ pdma1: dma@e0a00000 { ++ compatible = "arm,pl330", "arm,primecell"; ++ reg = <0xe0a00000 0x1000>; ++ interrupt-parent = <&vic0>; ++ interrupts = <20>; ++ clocks = <&clocks CLK_PDMA1>; ++ clock-names = "apb_pclk"; ++ #dma-cells = <1>; ++ #dma-channels = <8>; ++ #dma-requests = <32>; + }; + + spi0: spi@e1300000 { +-- +2.27.0 + diff --git a/queue-4.14/arm64-dts-renesas-ulcb-add-full-pwr-cycle-in-suspend.patch b/queue-4.14/arm64-dts-renesas-ulcb-add-full-pwr-cycle-in-suspend.patch new file mode 100644 index 00000000000..ecb12b1ef1e --- /dev/null +++ b/queue-4.14/arm64-dts-renesas-ulcb-add-full-pwr-cycle-in-suspend.patch @@ -0,0 +1,36 @@ +From ac728b88402621c394cddac8d54955b85cb45275 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Jul 2020 21:33:21 +0900 +Subject: arm64: dts: renesas: ulcb: add full-pwr-cycle-in-suspend into eMMC + nodes + +From: Yoshihiro Shimoda + +[ Upstream commit 992d7a8b88c83c05664b649fc54501ce58e19132 ] + +Add full-pwr-cycle-in-suspend property to do a graceful shutdown of +the eMMC device in system suspend. + +Signed-off-by: Yoshihiro Shimoda +Link: https://lore.kernel.org/r/1594989201-24228-1-git-send-email-yoshihiro.shimoda.uh@renesas.com +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/renesas/ulcb.dtsi | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/boot/dts/renesas/ulcb.dtsi b/arch/arm64/boot/dts/renesas/ulcb.dtsi +index e95d99265af9d..38f846530fcde 100644 +--- a/arch/arm64/boot/dts/renesas/ulcb.dtsi ++++ b/arch/arm64/boot/dts/renesas/ulcb.dtsi +@@ -397,6 +397,7 @@ + bus-width = <8>; + mmc-hs200-1_8v; + non-removable; ++ full-pwr-cycle-in-suspend; + status = "okay"; + }; + +-- +2.27.0 + diff --git a/queue-4.14/arm64-mm-return-cpu_all_mask-when-node-is-numa_no_no.patch b/queue-4.14/arm64-mm-return-cpu_all_mask-when-node-is-numa_no_no.patch new file mode 100644 index 00000000000..dd7ebf2370c 
--- /dev/null +++ b/queue-4.14/arm64-mm-return-cpu_all_mask-when-node-is-numa_no_no.patch 
@@ -0,0 +1,61 @@
+From 6a9eab3e81b4cf4441c44627532f7098124fa524 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 21 Sep 2020 10:39:36 +0800
+Subject: arm64/mm: return cpu_all_mask when node is NUMA_NO_NODE
+
+From: Zhengyuan Liu
+
+[ Upstream commit a194c5f2d2b3a05428805146afcabe5140b5d378 ]
+
+The @node passed to cpumask_of_node() can be NUMA_NO_NODE, in that
+case it will trigger the following WARN_ON(node >= nr_node_ids) due to
+mismatched data types of @node and @nr_node_ids. Actually we should
+return cpu_all_mask just like most other architectures do if passed
+NUMA_NO_NODE.
+
+Also add a similar check to the inline cpumask_of_node() in numa.h.
+
+Signed-off-by: Zhengyuan Liu
+Reviewed-by: Gavin Shan
+Link: https://lore.kernel.org/r/20200921023936.21846-1-liuzhengyuan@tj.kylinos.cn
+Signed-off-by: Will Deacon
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/include/asm/numa.h | 3 +++
+ arch/arm64/mm/numa.c | 6 +++++-
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm64/include/asm/numa.h b/arch/arm64/include/asm/numa.h
+index 01bc46d5b43ac..9bde636027670 100644
+--- a/arch/arm64/include/asm/numa.h
++++ b/arch/arm64/include/asm/numa.h
+@@ -25,6 +25,9 @@ const struct cpumask *cpumask_of_node(int node);
+ /* Returns a pointer to the cpumask of CPUs on Node 'node'. */
+ static inline const struct cpumask *cpumask_of_node(int node)
+ {
++ if (node == NUMA_NO_NODE)
++ return cpu_all_mask;
++
+ return node_to_cpumask_map[node];
+ }
+ #endif
+diff --git a/arch/arm64/mm/numa.c b/arch/arm64/mm/numa.c
+index e9c843e0c1727..6b42af182aa74 100644
+--- a/arch/arm64/mm/numa.c
++++ b/arch/arm64/mm/numa.c
+@@ -58,7 +58,11 @@ EXPORT_SYMBOL(node_to_cpumask_map);
+ */
+ const struct cpumask *cpumask_of_node(int node)
+ {
+- if (WARN_ON(node >= nr_node_ids))
++
++ if (node == NUMA_NO_NODE)
++ return cpu_all_mask;
++
++ if (WARN_ON(node < 0 || node >= nr_node_ids))
+ return cpu_none_mask;
+
+ if (WARN_ON(node_to_cpumask_map[node] == NULL))
+--
+2.27.0
+
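Review bot: The inline cpumask_of_node() in arch/arm64/include/asm/numa.h still indexes `node_to_cpumask_map[node]` for every value other than NUMA_NO_NODE, so any other negative or too-large node reads outside the array, while the numa.c variant in the same patch now rejects `node < 0 || node >= nr_node_ids`. If the unchecked fast path is intentional, a comment on the inline version should say so, e.g. `/* No range check here: callers must pass a valid node or NUMA_NO_NODE. */`. Otherwise the two variants should agree on the range check; whether nr_node_ids is usable from this header is not visible in the hunk.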
diff --git a/queue-4.14/asm-generic-io.h-fix-config_generic_iomap-pci_iounma.patch b/queue-4.14/asm-generic-io.h-fix-config_generic_iomap-pci_iounma.patch new file mode 100644 index 00000000000..2ad0c8ade18 --- /dev/null +++ b/queue-4.14/asm-generic-io.h-fix-config_generic_iomap-pci_iounma.patch 
@@ -0,0 +1,114 @@ +From 546e9d3d72b1c65b1aa2910571d3842596bcbf1c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Sep 2020 12:06:58 +0100 +Subject: asm-generic/io.h: Fix !CONFIG_GENERIC_IOMAP pci_iounmap() + implementation + +From: Lorenzo Pieralisi + +[ Upstream commit f5810e5c329238b8553ebd98b914bdbefd8e6737 ] + +For arches that do not select CONFIG_GENERIC_IOMAP, the current +pci_iounmap() function does nothing causing obvious memory leaks +for mapped regions that are backed by MMIO physical space. + +In order to detect if a mapped pointer is IO vs MMIO, a check must made +available to the pci_iounmap() function so that it can actually detect +whether the pointer has to be unmapped. + +In configurations where CONFIG_HAS_IOPORT_MAP && !CONFIG_GENERIC_IOMAP, +a mapped port is detected using an ioport_map() stub defined in +asm-generic/io.h. + +Use the same logic to implement a stub (ie __pci_ioport_unmap()) that +detects if the passed in pointer in pci_iounmap() is IO vs MMIO to +iounmap conditionally and call it in pci_iounmap() fixing the issue. + +Leave __pci_ioport_unmap() as a NOP for all other config options. 
+ +Tested-by: George Cherian +Link: https://lore.kernel.org/lkml/20200905024811.74701-1-yangyingliang@huawei.com +Link: https://lore.kernel.org/lkml/20200824132046.3114383-1-george.cherian@marvell.com +Link: https://lore.kernel.org/r/a9daf8d8444d0ebd00bc6d64e336ec49dbb50784.1600254147.git.lorenzo.pieralisi@arm.com +Reported-by: George Cherian +Signed-off-by: Lorenzo Pieralisi +Signed-off-by: Lorenzo Pieralisi +Reviewed-by: Catalin Marinas +Cc: Arnd Bergmann +Cc: George Cherian +Cc: Will Deacon +Cc: Bjorn Helgaas +Cc: Catalin Marinas +Cc: Yang Yingliang +Signed-off-by: Sasha Levin +--- + include/asm-generic/io.h | 39 +++++++++++++++++++++++++++------------ + 1 file changed, 27 insertions(+), 12 deletions(-) + +diff --git a/include/asm-generic/io.h b/include/asm-generic/io.h +index b4531e3b21209..1eafea2bf3ac2 100644 +--- a/include/asm-generic/io.h ++++ b/include/asm-generic/io.h +@@ -767,18 +767,6 @@ static inline void iowrite64_rep(volatile void __iomem *addr, + #include + #define __io_virt(x) ((void __force *)(x)) + +-#ifndef CONFIG_GENERIC_IOMAP +-struct pci_dev; +-extern void __iomem *pci_iomap(struct pci_dev *dev, int bar, unsigned long max); +- +-#ifndef pci_iounmap +-#define pci_iounmap pci_iounmap +-static inline void pci_iounmap(struct pci_dev *dev, void __iomem *p) +-{ +-} +-#endif +-#endif /* CONFIG_GENERIC_IOMAP */ +- + /* + * Change virtual addresses to physical addresses and vv. 
+ * These are pretty trivial +@@ -901,6 +889,16 @@ static inline void __iomem *ioport_map(unsigned long port, unsigned int nr) + { + return PCI_IOBASE + (port & IO_SPACE_LIMIT); + } ++#define __pci_ioport_unmap __pci_ioport_unmap ++static inline void __pci_ioport_unmap(void __iomem *p) ++{ ++ uintptr_t start = (uintptr_t) PCI_IOBASE; ++ uintptr_t addr = (uintptr_t) p; ++ ++ if (addr >= start && addr < start + IO_SPACE_LIMIT) ++ return; ++ iounmap(p); ++} + #endif + + #ifndef ioport_unmap +@@ -915,6 +913,23 @@ extern void ioport_unmap(void __iomem *p); + #endif /* CONFIG_GENERIC_IOMAP */ + #endif /* CONFIG_HAS_IOPORT_MAP */ + ++#ifndef CONFIG_GENERIC_IOMAP ++struct pci_dev; ++extern void __iomem *pci_iomap(struct pci_dev *dev, int bar, unsigned long max); ++ ++#ifndef __pci_ioport_unmap ++static inline void __pci_ioport_unmap(void __iomem *p) {} ++#endif ++ ++#ifndef pci_iounmap ++#define pci_iounmap pci_iounmap ++static inline void pci_iounmap(struct pci_dev *dev, void __iomem *p) ++{ ++ __pci_ioport_unmap(p); ++} ++#endif ++#endif /* CONFIG_GENERIC_IOMAP */ ++ + /* + * Convert a virtual cached pointer to an uncached pointer + */ +-- +2.27.0 + diff --git a/queue-4.14/ath10k-fix-vht-nss-calculation-when-stbc-is-enabled.patch b/queue-4.14/ath10k-fix-vht-nss-calculation-when-stbc-is-enabled.patch new file mode 100644 index 00000000000..9bc24f26d16 --- /dev/null +++ b/queue-4.14/ath10k-fix-vht-nss-calculation-when-stbc-is-enabled.patch 
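Review bot: The range test in the new __pci_ioport_unmap() (include/asm-generic/io.h patch) uses `addr < start + IO_SPACE_LIMIT`, but ioport_map() in the hunk's context returns `PCI_IOBASE + (port & IO_SPACE_LIMIT)`, so the highest port maps to exactly `start + IO_SPACE_LIMIT` and would fall through to iounmap(). If IO_SPACE_LIMIT is the largest valid offset, as its use as a mask suggests, the comparison should be inclusive: `if (addr >= start && addr <= start + IO_SPACE_LIMIT)`. Since this is a backport of an upstream commit, such a change would presumably need to land upstream first.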
@@ -0,0 +1,58 @@ +From 26bfc6ffaa5b2d42ed2e1f55e3dc1195a34c3382 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Aug 2020 13:46:11 +0530 +Subject: ath10k: fix VHT NSS calculation when STBC is enabled + +From: Sathishkumar Muruganandam + +[ Upstream commit 99f41b8e43b8b4b31262adb8ac3e69088fff1289 ] + +When STBC is enabled, NSTS_SU value need to be accounted for VHT NSS +calculation for SU case. + +Without this fix, 1SS + STBC enabled case was reported wrongly as 2SS +in radiotap header on monitor mode capture. + +Tested-on: QCA9984 10.4-3.10-00047 + +Signed-off-by: Sathishkumar Muruganandam +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1597392971-3897-1-git-send-email-murugana@codeaurora.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/htt_rx.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath10k/htt_rx.c b/drivers/net/wireless/ath/ath10k/htt_rx.c +index fd276e54bb7c2..4358d175f954b 100644 +--- a/drivers/net/wireless/ath/ath10k/htt_rx.c ++++ b/drivers/net/wireless/ath/ath10k/htt_rx.c +@@ -622,6 +622,7 @@ static void ath10k_htt_rx_h_rates(struct ath10k *ar, + u8 preamble = 0; + u8 group_id; + u32 info1, info2, info3; ++ u32 stbc, nsts_su; + + info1 = __le32_to_cpu(rxd->ppdu_start.info1); + info2 = __le32_to_cpu(rxd->ppdu_start.info2); +@@ -666,11 +667,16 @@ static void ath10k_htt_rx_h_rates(struct ath10k *ar, + */ + bw = info2 & 3; + sgi = info3 & 1; ++ stbc = (info2 >> 3) & 1; + group_id = (info2 >> 4) & 0x3F; + + if (GROUP_ID_IS_SU_MIMO(group_id)) { + mcs = (info3 >> 4) & 0x0F; +- nss = ((info2 >> 10) & 0x07) + 1; ++ nsts_su = ((info2 >> 10) & 0x07); ++ if (stbc) ++ nss = (nsts_su >> 2) + 1; ++ else ++ nss = (nsts_su + 1); + } else { + /* Hardware doesn't decode VHT-SIG-B into Rx descriptor + * so it's impossible to decode MCS. Also since +-- +2.27.0 + 
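Review bot: The STBC branch added to ath10k_htt_rx_h_rates() computes `nss = (nsts_su >> 2) + 1;`, which yields 1 for every nsts_su below 4. If the field holds the number of space-time streams minus one (the Rx descriptor layout is not visible in this hunk), a 2SS + STBC frame with nsts_su == 3 would be reported as 1SS, and `nss = (nsts_su >> 1) + 1;` would be the expected halving. Please confirm against the hardware's field definition and add a one-line comment naming the info2 bit positions used for `stbc` and `nsts_su`. The function body continues outside the hunk.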
diff --git a/queue-4.14/ath10k-start-recovery-process-when-payload-length-ex.patch b/queue-4.14/ath10k-start-recovery-process-when-payload-length-ex.patch
new file mode 100644
index 00000000000..6c98079f581
--- /dev/null
+++ b/queue-4.14/ath10k-start-recovery-process-when-payload-length-ex.patch
@@ -0,0 +1,85 @@ +From 08bd35a005e7a54b3f9e04ad7ec2c7812442c79a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Aug 2020 18:17:08 +0300 +Subject: ath10k: start recovery process when payload length exceeds max htc + length for sdio + +From: Wen Gong + +[ Upstream commit 2fd3c8f34d08af0a6236085f9961866ad92ef9ec ] + +When simulate random transfer fail for sdio write and read, it happened +"payload length exceeds max htc length" and recovery later sometimes. + +Test steps: +1. Add config and update kernel: +CONFIG_FAIL_MMC_REQUEST=y +CONFIG_FAULT_INJECTION=y +CONFIG_FAULT_INJECTION_DEBUG_FS=y + +2. Run simulate fail: +cd /sys/kernel/debug/mmc1/fail_mmc_request +echo 10 > probability +echo 10 > times # repeat until hitting issues + +3. It happened payload length exceeds max htc length. +[ 199.935506] ath10k_sdio mmc1:0001:1: payload length 57005 exceeds max htc length: 4088 +.... +[ 264.990191] ath10k_sdio mmc1:0001:1: payload length 57005 exceeds max htc length: 4088 + +4. after some time, such as 60 seconds, it start recovery which triggered +by wmi command timeout for periodic scan. +[ 269.229232] ieee80211 phy0: Hardware restart was requested +[ 269.734693] ath10k_sdio mmc1:0001:1: device successfully recovered + +The simulate fail of sdio is not a real sdio transter fail, it only +set an error status in mmc_should_fail_request after the transfer end, +actually the transfer is success, then sdio_io_rw_ext_helper will +return error status and stop transfer the left data. For example, +the really RX len is 286 bytes, then it will split to 2 blocks in +sdio_io_rw_ext_helper, one is 256 bytes, left is 30 bytes, if the +first 256 bytes get an error status by mmc_should_fail_request,then +the left 30 bytes will not read in this RX operation. 
Then when the +next RX arrive, the left 30 bytes will be considered as the header +of the read, the top 4 bytes of the 30 bytes will be considered as +lookaheads, but actually the 4 bytes is not the lookaheads, so the len +from this lookaheads is not correct, it exceeds max htc length 4088 +sometimes. When happened exceeds, the buffer chain is not matched between +firmware and ath10k, then it need to start recovery ASAP. Recently then +recovery will be started by wmi command timeout, but it will be long time +later, for example, it is 60+ seconds later from the periodic scan, if +it does not have periodic scan, it will be longer. + +Start recovery when it happened "payload length exceeds max htc length" +will be reasonable. + +This patch only effect sdio chips. + +Tested with QCA6174 SDIO with firmware WLAN.RMH.4.4.1-00029. + +Signed-off-by: Wen Gong +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200108031957.22308-3-wgong@codeaurora.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/sdio.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath10k/sdio.c b/drivers/net/wireless/ath/ath10k/sdio.c +index fef313099e08a..34e8b4344f40a 100644 +--- a/drivers/net/wireless/ath/ath10k/sdio.c ++++ b/drivers/net/wireless/ath/ath10k/sdio.c +@@ -561,6 +561,10 @@ static int ath10k_sdio_mbox_rx_alloc(struct ath10k *ar, + le16_to_cpu(htc_hdr->len), + ATH10K_HTC_MBOX_MAX_PAYLOAD_LENGTH); + ret = -ENOMEM; ++ ++ queue_work(ar->workqueue, &ar->restart_work); ++ ath10k_warn(ar, "exceeds length, start recovery\n"); ++ + goto err; + } + +-- +2.27.0 + diff --git a/queue-4.14/bnxt_en-log-unknown-link-speed-appropriately.patch b/queue-4.14/bnxt_en-log-unknown-link-speed-appropriately.patch new file mode 100644 index 00000000000..6fa69d724ac --- /dev/null +++ b/queue-4.14/bnxt_en-log-unknown-link-speed-appropriately.patch 
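Review bot: The added `queue_work(ar->workqueue, &ar->restart_work);` in ath10k_sdio_mbox_rx_alloc() has no comment explaining why an oversized length leads to a full restart, and the reason is only in the commit message. The length is taken from `htc_hdr->len`, which is read from the device, so the next reader should see that the restart is deliberate: `/* lookahead is out of sync with the firmware's buffer chain; restart now instead of waiting for a WMI timeout */`. The path still sets `ret = -ENOMEM`, which reads as an allocation failure rather than a bad length, and the new warning would read more naturally before the work is queued. The function starts and ends outside the hunk.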
@@ -0,0 +1,51 @@ +From 533ce94f8ec23f610203f6b42b03c599cf04c74a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Oct 2020 05:10:51 -0400 +Subject: bnxt_en: Log unknown link speed appropriately. + +From: Michael Chan + +[ Upstream commit 8eddb3e7ce124dd6375d3664f1aae13873318b0f ] + +If the VF virtual link is set to always enabled, the speed may be +unknown when the physical link is down. The driver currently logs +the link speed as 4294967295 Mbps which is SPEED_UNKNOWN. Modify +the link up log message as "speed unknown" which makes more sense. + +Reviewed-by: Vasundhara Volam +Reviewed-by: Edwin Peer +Signed-off-by: Michael Chan +Link: https://lore.kernel.org/r/1602493854-29283-7-git-send-email-michael.chan@broadcom.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index a03239ba1a323..e146f6a1fa80d 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -5780,6 +5780,11 @@ static void bnxt_report_link(struct bnxt *bp) + u16 fec; + + netif_carrier_on(bp->dev); ++ speed = bnxt_fw_to_ethtool_speed(bp->link_info.link_speed); ++ if (speed == SPEED_UNKNOWN) { ++ netdev_info(bp->dev, "NIC Link is Up, speed unknown\n"); ++ return; ++ } + if (bp->link_info.duplex == BNXT_LINK_DUPLEX_FULL) + duplex = "full"; + else +@@ -5792,7 +5797,6 @@ static void bnxt_report_link(struct bnxt *bp) + flow_ctrl = "ON - receive"; + else + flow_ctrl = "none"; +- speed = bnxt_fw_to_ethtool_speed(bp->link_info.link_speed); + netdev_info(bp->dev, "NIC Link is Up, %u Mbps %s duplex, Flow control: %s\n", + speed, duplex, flow_ctrl); + if (bp->flags & BNXT_FLAG_EEE_CAP) +-- +2.27.0 + 
diff --git a/queue-4.14/bus-fsl_mc-do-not-rely-on-caller-to-provide-non-null.patch b/queue-4.14/bus-fsl_mc-do-not-rely-on-caller-to-provide-non-null.patch new file mode 100644 index 00000000000..41f1687b7db --- /dev/null +++ b/queue-4.14/bus-fsl_mc-do-not-rely-on-caller-to-provide-non-null.patch @@ -0,0 +1,43 @@ +From 4b80bcc3845184cc8a7e9be41d899c5969c04d27 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Sep 2020 11:54:38 +0300 +Subject: bus/fsl_mc: Do not rely on caller to provide non NULL mc_io + +From: Diana Craciun + +[ Upstream commit 5026cf605143e764e1785bbf9158559d17f8d260 ] + +Before destroying the mc_io, check first that it was +allocated. + +Reviewed-by: Laurentiu Tudor +Acked-by: Laurentiu Tudor +Signed-off-by: Diana Craciun +Link: https://lore.kernel.org/r/20200929085441.17448-11-diana.craciun@oss.nxp.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/fsl-mc/bus/mc-io.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/staging/fsl-mc/bus/mc-io.c b/drivers/staging/fsl-mc/bus/mc-io.c +index f65c23ce83f16..deec2d04c2dd9 100644 +--- a/drivers/staging/fsl-mc/bus/mc-io.c ++++ b/drivers/staging/fsl-mc/bus/mc-io.c +@@ -166,7 +166,12 @@ error_destroy_mc_io: + */ + void fsl_destroy_mc_io(struct fsl_mc_io *mc_io) + { +- struct fsl_mc_device *dpmcp_dev = mc_io->dpmcp_dev; ++ struct fsl_mc_device *dpmcp_dev; ++ ++ if (!mc_io) ++ return; ++ ++ dpmcp_dev = mc_io->dpmcp_dev; + + if (dpmcp_dev) + fsl_mc_io_unset_dpmcp(mc_io); +-- +2.27.0 + diff --git a/queue-4.14/clk-ti-clockdomain-fix-static-checker-warning.patch b/queue-4.14/clk-ti-clockdomain-fix-static-checker-warning.patch new file mode 100644 index 00000000000..65937c51367 --- /dev/null +++ b/queue-4.14/clk-ti-clockdomain-fix-static-checker-warning.patch 
@@ -0,0 +1,40 @@
+From af6e3f058c3a868d0aaabe14081aeb4116064b65 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 7 Sep 2020 11:25:59 +0300
+Subject: clk: ti: clockdomain: fix static checker warning
+
+From: Tero Kristo
+
+[ Upstream commit b7a7943fe291b983b104bcbd2f16e8e896f56590 ]
+
+Fix a memory leak induced by not calling clk_put after doing of_clk_get.
+
+Reported-by: Dan Murphy
+Signed-off-by: Tero Kristo
+Link: https://lore.kernel.org/r/20200907082600.454-3-t-kristo@ti.com
+Signed-off-by: Stephen Boyd
+Signed-off-by: Sasha Levin
+---
+ drivers/clk/ti/clockdomain.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/clk/ti/clockdomain.c b/drivers/clk/ti/clockdomain.c
+index 07a805125e98c..11d92311e162f 100644
+--- a/drivers/clk/ti/clockdomain.c
++++ b/drivers/clk/ti/clockdomain.c
+@@ -146,10 +146,12 @@ static void __init of_ti_clockdomain_setup(struct device_node *node)
+ if (clk_hw_get_flags(clk_hw) & CLK_IS_BASIC) {
+ pr_warn("can't setup clkdm for basic clk %s\n",
+ __clk_get_name(clk));
++ clk_put(clk);
+ continue;
+ }
+ to_clk_hw_omap(clk_hw)->clkdm_name = clkdm_name;
+ omap2_init_clk_clkdm(clk_hw);
++ clk_put(clk);
+ }
+ }
+
+--
+2.27.0
+
diff --git a/queue-4.14/cpufreq-sti-cpufreq-add-stih418-support.patch b/queue-4.14/cpufreq-sti-cpufreq-add-stih418-support.patch
new file mode 100644
index 00000000000..07f6bcd2d3c
--- /dev/null
+++ b/queue-4.14/cpufreq-sti-cpufreq-add-stih418-support.patch
@@ -0,0 +1,46 @@
+From c3d8867cc669dd16acbc15365d14a63a39a52c56 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 31 Aug 2020 08:10:11 +0200
+Subject: cpufreq: sti-cpufreq: add stih418 support
+
+From: Alain Volmat
+
+[ Upstream commit 01a163c52039e9426c7d3d3ab16ca261ad622597 ]
+
+The STiH418 can be controlled the same way as STiH407 &
+STiH410 regarding cpufreq.
+
+Signed-off-by: Alain Volmat
+Signed-off-by: Viresh Kumar
+Signed-off-by: Sasha Levin
+---
+ drivers/cpufreq/sti-cpufreq.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/cpufreq/sti-cpufreq.c b/drivers/cpufreq/sti-cpufreq.c
+index 47105735df126..6b5d241c30b70 100644
+--- a/drivers/cpufreq/sti-cpufreq.c
++++ b/drivers/cpufreq/sti-cpufreq.c
+@@ -144,7 +144,8 @@ static const struct reg_field sti_stih407_dvfs_regfields[DVFS_MAX_REGFIELDS] = {
+ static const struct reg_field *sti_cpufreq_match(void)
+ {
+ if (of_machine_is_compatible("st,stih407") ||
+- of_machine_is_compatible("st,stih410"))
++ of_machine_is_compatible("st,stih410") ||
++ of_machine_is_compatible("st,stih418"))
+ return sti_stih407_dvfs_regfields;
+
+ return NULL;
+@@ -261,7 +262,8 @@ static int sti_cpufreq_init(void)
+ int ret;
+
+ if ((!of_machine_is_compatible("st,stih407")) &&
+- (!of_machine_is_compatible("st,stih410")))
++ (!of_machine_is_compatible("st,stih410")) &&
++ (!of_machine_is_compatible("st,stih418")))
+ return -ENODEV;
+
+ ddata.cpu = get_cpu_device(0);
+--
+2.27.0
+
diff --git a/queue-4.14/drivers-net-wan-hdlc_fr-correctly-handle-special-skb.patch b/queue-4.14/drivers-net-wan-hdlc_fr-correctly-handle-special-skb.patch
new file mode 100644
index 00000000000..5dcfb32dc87
--- /dev/null
+++ b/queue-4.14/drivers-net-wan-hdlc_fr-correctly-handle-special-skb.patch
@@ -0,0 +1,188 @@ +From 8214d1028da8a6a379c33220f338602e1f98138a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Sep 2020 05:56:43 -0700 +Subject: drivers/net/wan/hdlc_fr: Correctly handle special skb->protocol + values + +From: Xie He + +[ Upstream commit 8306266c1d51aac9aa7aa907fe99032a58c6382c ] + +The fr_hard_header function is used to prepend the header to skbs before +transmission. It is used in 3 situations: +1) When a control packet is generated internally in this driver; +2) When a user sends an skb on an Ethernet-emulating PVC device; +3) When a user sends an skb on a normal PVC device. + +These 3 situations need to be handled differently by fr_hard_header. +Different headers should be prepended to the skb in different situations. + +Currently fr_hard_header distinguishes these 3 situations using +skb->protocol. For situation 1 and 2, a special skb->protocol value +will be assigned before calling fr_hard_header, so that it can recognize +these 2 situations. All skb->protocol values other than these special ones +are treated by fr_hard_header as situation 3. + +However, it is possible that in situation 3, the user sends an skb with +one of the special skb->protocol values. In this case, fr_hard_header +would incorrectly treat it as situation 1 or 2. + +This patch tries to solve this issue by using skb->dev instead of +skb->protocol to distinguish between these 3 situations. For situation +1, skb->dev would be NULL; for situation 2, skb->dev->type would be +ARPHRD_ETHER; and for situation 3, skb->dev->type would be ARPHRD_DLCI. + +This way fr_hard_header would be able to distinguish these 3 situations +correctly regardless what skb->protocol value the user tries to use in +situation 3. + +Cc: Krzysztof Halasa +Signed-off-by: Xie He +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/wan/hdlc_fr.c | 98 ++++++++++++++++++++------------------- + 1 file changed, 51 insertions(+), 47 deletions(-) + +diff --git a/drivers/net/wan/hdlc_fr.c b/drivers/net/wan/hdlc_fr.c +index 5a8dbeaf1a427..d3b5532180585 100644 +--- a/drivers/net/wan/hdlc_fr.c ++++ b/drivers/net/wan/hdlc_fr.c +@@ -275,63 +275,69 @@ static inline struct net_device **get_dev_p(struct pvc_device *pvc, + + static int fr_hard_header(struct sk_buff **skb_p, u16 dlci) + { +- u16 head_len; + struct sk_buff *skb = *skb_p; + +- switch (skb->protocol) { +- case cpu_to_be16(NLPID_CCITT_ANSI_LMI): +- head_len = 4; +- skb_push(skb, head_len); +- skb->data[3] = NLPID_CCITT_ANSI_LMI; +- break; +- +- case cpu_to_be16(NLPID_CISCO_LMI): +- head_len = 4; +- skb_push(skb, head_len); +- skb->data[3] = NLPID_CISCO_LMI; +- break; +- +- case cpu_to_be16(ETH_P_IP): +- head_len = 4; +- skb_push(skb, head_len); +- skb->data[3] = NLPID_IP; +- break; +- +- case cpu_to_be16(ETH_P_IPV6): +- head_len = 4; +- skb_push(skb, head_len); +- skb->data[3] = NLPID_IPV6; +- break; +- +- case cpu_to_be16(ETH_P_802_3): +- head_len = 10; +- if (skb_headroom(skb) < head_len) { +- struct sk_buff *skb2 = skb_realloc_headroom(skb, +- head_len); ++ if (!skb->dev) { /* Control packets */ ++ switch (dlci) { ++ case LMI_CCITT_ANSI_DLCI: ++ skb_push(skb, 4); ++ skb->data[3] = NLPID_CCITT_ANSI_LMI; ++ break; ++ ++ case LMI_CISCO_DLCI: ++ skb_push(skb, 4); ++ skb->data[3] = NLPID_CISCO_LMI; ++ break; ++ ++ default: ++ return -EINVAL; ++ } ++ ++ } else if (skb->dev->type == ARPHRD_DLCI) { ++ switch (skb->protocol) { ++ case htons(ETH_P_IP): ++ skb_push(skb, 4); ++ skb->data[3] = NLPID_IP; ++ break; ++ ++ case htons(ETH_P_IPV6): ++ skb_push(skb, 4); ++ skb->data[3] = NLPID_IPV6; ++ break; ++ ++ default: ++ skb_push(skb, 10); ++ skb->data[3] = FR_PAD; ++ skb->data[4] = NLPID_SNAP; ++ /* OUI 00-00-00 indicates an Ethertype follows */ ++ skb->data[5] = 0x00; ++ skb->data[6] = 0x00; ++ 
skb->data[7] = 0x00; ++ /* This should be an Ethertype: */ ++ *(__be16 *)(skb->data + 8) = skb->protocol; ++ } ++ ++ } else if (skb->dev->type == ARPHRD_ETHER) { ++ if (skb_headroom(skb) < 10) { ++ struct sk_buff *skb2 = skb_realloc_headroom(skb, 10); + if (!skb2) + return -ENOBUFS; + dev_kfree_skb(skb); + skb = *skb_p = skb2; + } +- skb_push(skb, head_len); ++ skb_push(skb, 10); + skb->data[3] = FR_PAD; + skb->data[4] = NLPID_SNAP; +- skb->data[5] = FR_PAD; ++ /* OUI 00-80-C2 stands for the 802.1 organization */ ++ skb->data[5] = 0x00; + skb->data[6] = 0x80; + skb->data[7] = 0xC2; ++ /* PID 00-07 stands for Ethernet frames without FCS */ + skb->data[8] = 0x00; +- skb->data[9] = 0x07; /* bridged Ethernet frame w/out FCS */ +- break; ++ skb->data[9] = 0x07; + +- default: +- head_len = 10; +- skb_push(skb, head_len); +- skb->data[3] = FR_PAD; +- skb->data[4] = NLPID_SNAP; +- skb->data[5] = FR_PAD; +- skb->data[6] = FR_PAD; +- skb->data[7] = FR_PAD; +- *(__be16*)(skb->data + 8) = skb->protocol; ++ } else { ++ return -EINVAL; + } + + dlci_to_q922(skb->data, dlci); +@@ -427,8 +433,8 @@ static netdev_tx_t pvc_xmit(struct sk_buff *skb, struct net_device *dev) + skb_put(skb, pad); + memset(skb->data + len, 0, pad); + } +- skb->protocol = cpu_to_be16(ETH_P_802_3); + } ++ skb->dev = dev; + if (!fr_hard_header(&skb, pvc->dlci)) { + dev->stats.tx_bytes += skb->len; + dev->stats.tx_packets++; +@@ -496,10 +502,8 @@ static void fr_lmi_send(struct net_device *dev, int fullrep) + memset(skb->data, 0, len); + skb_reserve(skb, 4); + if (lmi == LMI_CISCO) { +- skb->protocol = cpu_to_be16(NLPID_CISCO_LMI); + fr_hard_header(&skb, LMI_CISCO_DLCI); + } else { +- skb->protocol = cpu_to_be16(NLPID_CCITT_ANSI_LMI); + fr_hard_header(&skb, LMI_CCITT_ANSI_DLCI); + } + data = skb_tail_pointer(skb); +-- +2.27.0 + 
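Review bot: In the rewritten fr_hard_header(), the control-packet and ARPHRD_DLCI branches call `skb_push(skb, 4)` and `skb_push(skb, 10)` with no headroom check, while the ARPHRD_ETHER branch guards the same push with `if (skb_headroom(skb) < 10)`. The DLCI branch handles skbs sent by users on a normal PVC device, so unless headroom is guaranteed by code outside this hunk, a short-headroom skb would reach skb_push() unchecked. A guard mirroring the ETHER branch would make the three branches consistent. Separately, fr_lmi_send() still discards fr_hard_header()'s return value although the control branch can now return `-EINVAL`.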
diff --git a/queue-4.14/drivers-watchdog-rdc321x_wdt-fix-race-condition-bugs.patch b/queue-4.14/drivers-watchdog-rdc321x_wdt-fix-race-condition-bugs.patch
new file mode 100644
index 00000000000..1a279a81a12
--- /dev/null
+++ b/queue-4.14/drivers-watchdog-rdc321x_wdt-fix-race-condition-bugs.patch
@@ -0,0 +1,62 @@ +From 60f2ba5ffa9979e06e0c95c7fcd323c86ad33ea8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Aug 2020 16:59:02 +0530 +Subject: drivers: watchdog: rdc321x_wdt: Fix race condition bugs + +From: Madhuparna Bhowmik + +[ Upstream commit 4b2e7f99cdd314263c9d172bc17193b8b6bba463 ] + +In rdc321x_wdt_probe(), rdc321x_wdt_device.queue is initialized +after misc_register(), hence if ioctl is called before its +initialization which can call rdc321x_wdt_start() function, +it will see an uninitialized value of rdc321x_wdt_device.queue, +hence initialize it before misc_register(). +Also, rdc321x_wdt_device.default_ticks is accessed in reset() +function called from write callback, thus initialize it before +misc_register(). + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Madhuparna Bhowmik +Reviewed-by: Guenter Roeck +Reviewed-by: Florian Fainelli +Link: https://lore.kernel.org/r/20200807112902.28764-1-madhuparnabhowmik10@gmail.com +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/rdc321x_wdt.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/watchdog/rdc321x_wdt.c b/drivers/watchdog/rdc321x_wdt.c +index 47a8f1b1087d4..4568af9a165be 100644 +--- a/drivers/watchdog/rdc321x_wdt.c ++++ b/drivers/watchdog/rdc321x_wdt.c +@@ -244,6 +244,8 @@ static int rdc321x_wdt_probe(struct platform_device *pdev) + + rdc321x_wdt_device.sb_pdev = pdata->sb_pdev; + rdc321x_wdt_device.base_reg = r->start; ++ rdc321x_wdt_device.queue = 0; ++ rdc321x_wdt_device.default_ticks = ticks; + + err = misc_register(&rdc321x_wdt_misc); + if (err < 0) { +@@ -258,14 +260,11 @@ static int rdc321x_wdt_probe(struct platform_device *pdev) + rdc321x_wdt_device.base_reg, RDC_WDT_RST); + + init_completion(&rdc321x_wdt_device.stop); +- rdc321x_wdt_device.queue = 0; + + clear_bit(0, &rdc321x_wdt_device.inuse); + + setup_timer(&rdc321x_wdt_device.timer, 
rdc321x_wdt_trigger, 0); + +- rdc321x_wdt_device.default_ticks = ticks; +- + dev_info(&pdev->dev, "watchdog init success\n"); + + return 0; +-- +2.27.0 + diff --git a/queue-4.14/drm-bridge-synopsys-dsi-add-support-for-non-continuo.patch b/queue-4.14/drm-bridge-synopsys-dsi-add-support-for-non-continuo.patch new file mode 100644 index 00000000000..37523874f06 --- /dev/null +++ b/queue-4.14/drm-bridge-synopsys-dsi-add-support-for-non-continuo.patch 
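Review bot: rdc321x_wdt_probe() still runs `init_completion(&rdc321x_wdt_device.stop);`, `clear_bit(0, &rdc321x_wdt_device.inuse);` and `setup_timer(&rdc321x_wdt_device.timer, rdc321x_wdt_trigger, 0);` after misc_register(), so the window this commit closes for `queue` and `default_ticks` stays open for the completion, the in-use bit and the timer. The commit message says an ioctl can reach rdc321x_wdt_start() as soon as the device is registered; if that path touches the timer or the completion (its body is not in the hunk), it would see them uninitialised. Moving those three initialisations above `err = misc_register(&rdc321x_wdt_misc);` would make registration the last step of probe. The probe function starts and ends outside the hunks.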
@@ -0,0 +1,67 @@ +From cf0bbd679e81c0476cfd28288b13d8c7a133d0a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Jul 2020 21:42:34 +0200 +Subject: drm/bridge/synopsys: dsi: add support for non-continuous HS clock + +From: Antonio Borneo + +[ Upstream commit c6d94e37bdbb6dfe7e581e937a915ab58399b8a5 ] + +Current code enables the HS clock when video mode is started or to +send out a HS command, and disables the HS clock to send out a LP +command. This is not what DSI spec specify. + +Enable HS clock either in command and in video mode. +Set automatic HS clock management for panels and devices that +support non-continuous HS clock. + +Signed-off-by: Antonio Borneo +Tested-by: Philippe Cornu +Reviewed-by: Philippe Cornu +Acked-by: Neil Armstrong +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20200701194234.18123-1-yannick.fertre@st.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/synopsys/dw-mipi-dsi.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/synopsys/dw-mipi-dsi.c b/drivers/gpu/drm/bridge/synopsys/dw-mipi-dsi.c +index 63c7a01b7053e..d95b0703d0255 100644 +--- a/drivers/gpu/drm/bridge/synopsys/dw-mipi-dsi.c ++++ b/drivers/gpu/drm/bridge/synopsys/dw-mipi-dsi.c +@@ -311,7 +311,6 @@ static void dw_mipi_message_config(struct dw_mipi_dsi *dsi, + if (lpm) + val |= CMD_MODE_ALL_LP; + +- dsi_write(dsi, DSI_LPCLK_CTRL, lpm ? 
0 : PHY_TXREQUESTCLKHS); + dsi_write(dsi, DSI_CMD_MODE_CFG, val); + } + +@@ -468,16 +467,22 @@ static void dw_mipi_dsi_video_mode_config(struct dw_mipi_dsi *dsi) + static void dw_mipi_dsi_set_mode(struct dw_mipi_dsi *dsi, + unsigned long mode_flags) + { ++ u32 val; ++ + dsi_write(dsi, DSI_PWR_UP, RESET); + + if (mode_flags & MIPI_DSI_MODE_VIDEO) { + dsi_write(dsi, DSI_MODE_CFG, ENABLE_VIDEO_MODE); + dw_mipi_dsi_video_mode_config(dsi); +- dsi_write(dsi, DSI_LPCLK_CTRL, PHY_TXREQUESTCLKHS); + } else { + dsi_write(dsi, DSI_MODE_CFG, ENABLE_CMD_MODE); + } + ++ val = PHY_TXREQUESTCLKHS; ++ if (dsi->mode_flags & MIPI_DSI_CLOCK_NON_CONTINUOUS) ++ val |= AUTO_CLKLANE_CTRL; ++ dsi_write(dsi, DSI_LPCLK_CTRL, val); ++ + dsi_write(dsi, DSI_PWR_UP, POWERUP); + } + +-- +2.27.0 + diff --git a/queue-4.14/drm-brige-megachips-add-checking-if-ge_b850v3_lvds_i.patch b/queue-4.14/drm-brige-megachips-add-checking-if-ge_b850v3_lvds_i.patch new file mode 100644 index 00000000000..d527a51cd00 --- /dev/null +++ b/queue-4.14/drm-brige-megachips-add-checking-if-ge_b850v3_lvds_i.patch 
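Review bot: dw_mipi_dsi_set_mode() now tests `dsi->mode_flags & MIPI_DSI_CLOCK_NON_CONTINUOUS` while the video-mode test a few lines above uses the `mode_flags` argument, and nothing says the two sources are meant to differ. If the argument only selects video or command mode and `dsi->mode_flags` holds the attached device's flags (presumably so, to be confirmed against the callers), a comment such as `/* clock-lane policy comes from the attached device's flags, not from the mode requested by the caller */` above the new block would stop a later cleanup from "fixing" it to the parameter. The hunk also relies on `AUTO_CLKLANE_CTRL` being defined in this tree, which is not visible here.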
@@ -0,0 +1,60 @@ +From 0d09a62e2256f8832bf60f80a90e27f1c0910cc6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Aug 2020 17:37:56 +0300 +Subject: drm/brige/megachips: Add checking if ge_b850v3_lvds_init() is working + correctly + +From: Nadezda Lutovinova + +[ Upstream commit f688a345f0d7a6df4dd2aeca8e4f3c05e123a0ee ] + +If ge_b850v3_lvds_init() does not allocate memory for ge_b850v3_lvds_ptr, +then a null pointer dereference is accessed. + +The patch adds checking of the return value of ge_b850v3_lvds_init(). + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Nadezda Lutovinova +Signed-off-by: Sam Ravnborg +Link: https://patchwork.freedesktop.org/patch/msgid/20200819143756.30626-1-lutovinova@ispras.ru +Signed-off-by: Sasha Levin +--- + .../gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c b/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c +index 7ccadba7c98cd..9f522372a4884 100644 +--- a/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c ++++ b/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c +@@ -306,8 +306,12 @@ static int stdp4028_ge_b850v3_fw_probe(struct i2c_client *stdp4028_i2c, + const struct i2c_device_id *id) + { + struct device *dev = &stdp4028_i2c->dev; ++ int ret; ++ ++ ret = ge_b850v3_lvds_init(dev); + +- ge_b850v3_lvds_init(dev); ++ if (ret) ++ return ret; + + ge_b850v3_lvds_ptr->stdp4028_i2c = stdp4028_i2c; + i2c_set_clientdata(stdp4028_i2c, ge_b850v3_lvds_ptr); +@@ -365,8 +369,12 @@ static int stdp2690_ge_b850v3_fw_probe(struct i2c_client *stdp2690_i2c, + const struct i2c_device_id *id) + { + struct device *dev = &stdp2690_i2c->dev; ++ int ret; ++ ++ ret = ge_b850v3_lvds_init(dev); + +- ge_b850v3_lvds_init(dev); ++ if (ret) ++ return ret; + + ge_b850v3_lvds_ptr->stdp2690_i2c = stdp2690_i2c; + i2c_set_clientdata(stdp2690_i2c, ge_b850v3_lvds_ptr); 
+-- +2.27.0 + diff --git a/queue-4.14/ext4-detect-already-used-quota-file-early.patch b/queue-4.14/ext4-detect-already-used-quota-file-early.patch new file mode 100644 index 00000000000..1e954ef98c8 --- /dev/null +++ b/queue-4.14/ext4-detect-already-used-quota-file-early.patch @@ -0,0 +1,48 @@ +From b6e3a67ac986fb429250325ce7a71ac2dce11e7c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Oct 2020 13:03:30 +0200 +Subject: ext4: Detect already used quota file early + +From: Jan Kara + +[ Upstream commit e0770e91424f694b461141cbc99adf6b23006b60 ] + +When we try to use file already used as a quota file again (for the same +or different quota type), strange things can happen. At the very least +lockdep annotations may be wrong but also inode flags may be wrongly set +/ reset. When the file is used for two quota types at once we can even +corrupt the file and likely crash the kernel. Catch all these cases by +checking whether passed file is already used as quota file and bail +early in that case. + +This fixes occasional generic/219 failure due to lockdep complaint. + +Reviewed-by: Andreas Dilger +Reported-by: Ritesh Harjani +Signed-off-by: Jan Kara +Link: https://lore.kernel.org/r/20201015110330.28716-1-jack@suse.cz +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/super.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index 634c822d1dc98..d941b0cee5f8e 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -5626,6 +5626,11 @@ static int ext4_quota_on(struct super_block *sb, int type, int format_id, + /* Quotafile not on the same filesystem? */ + if (path->dentry->d_sb != sb) + return -EXDEV; ++ ++ /* Quota already enabled for this file? */ ++ if (IS_NOQUOTA(d_inode(path->dentry))) ++ return -EBUSY; ++ + /* Journaling quota? */ + if (EXT4_SB(sb)->s_qf_names[type]) { + /* Quotafile not in fs root? */ +-- +2.27.0 + 
diff --git a/queue-4.14/f2fs-add-trace-exit-in-exception-path.patch b/queue-4.14/f2fs-add-trace-exit-in-exception-path.patch new file mode 100644 index 00000000000..f0ebe500291 --- /dev/null +++ b/queue-4.14/f2fs-add-trace-exit-in-exception-path.patch @@ -0,0 +1,40 @@ +From aeeb68cb4b0a906acb2f09a7c19f14f9f97f9dcb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Sep 2020 20:45:44 +0800 +Subject: f2fs: add trace exit in exception path + +From: Zhang Qilong + +[ Upstream commit 9b66482282888d02832b7d90239e1cdb18e4b431 ] + +Missing the trace exit in f2fs_sync_dirty_inodes + +Signed-off-by: Zhang Qilong +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/checkpoint.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/fs/f2fs/checkpoint.c b/fs/f2fs/checkpoint.c +index 170423ff27210..eab37a7dca5f5 100644 +--- a/fs/f2fs/checkpoint.c ++++ b/fs/f2fs/checkpoint.c +@@ -942,8 +942,12 @@ int sync_dirty_inodes(struct f2fs_sb_info *sbi, enum inode_type type) + get_pages(sbi, is_dir ? + F2FS_DIRTY_DENTS : F2FS_DIRTY_DATA)); + retry: +- if (unlikely(f2fs_cp_error(sbi))) ++ if (unlikely(f2fs_cp_error(sbi))) { ++ trace_f2fs_sync_dirty_inodes_exit(sbi->sb, is_dir, ++ get_pages(sbi, is_dir ? ++ F2FS_DIRTY_DENTS : F2FS_DIRTY_DATA)); + return -EIO; ++ } + + spin_lock(&sbi->inode_lock[type]); + +-- +2.27.0 + diff --git a/queue-4.14/f2fs-fix-to-check-segment-boundary-during-sit-page-r.patch b/queue-4.14/f2fs-fix-to-check-segment-boundary-during-sit-page-r.patch new file mode 100644 index 00000000000..80a129fe0be --- /dev/null +++ b/queue-4.14/f2fs-fix-to-check-segment-boundary-during-sit-page-r.patch 
@@ -0,0 +1,60 @@ +From 579ea2a08a099dc94e7dc5c90bf122ad50785ace Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Sep 2020 09:23:12 +0800 +Subject: f2fs: fix to check segment boundary during SIT page readahead + +From: Chao Yu + +[ Upstream commit 6a257471fa42c8c9c04a875cd3a2a22db148e0f0 ] + +As syzbot reported: + +kernel BUG at fs/f2fs/segment.h:657! +invalid opcode: 0000 [#1] PREEMPT SMP KASAN +CPU: 1 PID: 16220 Comm: syz-executor.0 Not tainted 5.9.0-rc5-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +RIP: 0010:f2fs_ra_meta_pages+0xa51/0xdc0 fs/f2fs/segment.h:657 +Call Trace: + build_sit_entries fs/f2fs/segment.c:4195 [inline] + f2fs_build_segment_manager+0x4b8a/0xa3c0 fs/f2fs/segment.c:4779 + f2fs_fill_super+0x377d/0x6b80 fs/f2fs/super.c:3633 + mount_bdev+0x32e/0x3f0 fs/super.c:1417 + legacy_get_tree+0x105/0x220 fs/fs_context.c:592 + vfs_get_tree+0x89/0x2f0 fs/super.c:1547 + do_new_mount fs/namespace.c:2875 [inline] + path_mount+0x1387/0x2070 fs/namespace.c:3192 + do_mount fs/namespace.c:3205 [inline] + __do_sys_mount fs/namespace.c:3413 [inline] + __se_sys_mount fs/namespace.c:3390 [inline] + __x64_sys_mount+0x27f/0x300 fs/namespace.c:3390 + do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +@blkno in f2fs_ra_meta_pages could exceed max segment count, causing panic +in following sanity check in current_sit_addr(), add check condition to +avoid this issue. 
+ +Reported-by: syzbot+3698081bcf0bb2d12174@syzkaller.appspotmail.com +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/checkpoint.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/f2fs/checkpoint.c b/fs/f2fs/checkpoint.c +index eab37a7dca5f5..0f2286e57907c 100644 +--- a/fs/f2fs/checkpoint.c ++++ b/fs/f2fs/checkpoint.c +@@ -202,6 +202,8 @@ int ra_meta_pages(struct f2fs_sb_info *sbi, block_t start, int nrpages, + blkno * NAT_ENTRY_PER_BLOCK); + break; + case META_SIT: ++ if (unlikely(blkno >= TOTAL_SEGS(sbi))) ++ goto out; + /* get sit block addr */ + fio.new_blkaddr = current_sit_addr(sbi, + blkno * SIT_ENTRY_PER_BLOCK); +-- +2.27.0 + diff --git a/queue-4.14/futex-fix-incorrect-should_fail_futex-handling.patch b/queue-4.14/futex-fix-incorrect-should_fail_futex-handling.patch new file mode 100644 index 00000000000..37baab36e11 --- /dev/null +++ b/queue-4.14/futex-fix-incorrect-should_fail_futex-handling.patch 
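Review bot: The new guard in ra_meta_pages() compares `blkno` with `TOTAL_SEGS(sbi)`, but the value passed to current_sit_addr() on the following line is `blkno * SIT_ENTRY_PER_BLOCK`. If the sanity check named in the commit message is applied to that segment number, a `blkno` below TOTAL_SEGS(sbi) can still produce an out-of-range argument on a corrupted image, and `if (unlikely(blkno * SIT_ENTRY_PER_BLOCK >= TOTAL_SEGS(sbi)))` would bound the value actually used. current_sit_addr() is outside the hunk, so this needs confirming against its check. The enclosing switch and loop start and end outside the hunk.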
@@ -0,0 +1,49 @@ +From 375373ad6818e4a8f851a7d7ec2a17257183ed0c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 27 Sep 2020 02:08:58 +0200 +Subject: futex: Fix incorrect should_fail_futex() handling + +From: Mateusz Nosek + +[ Upstream commit 921c7ebd1337d1a46783d7e15a850e12aed2eaa0 ] + +If should_futex_fail() returns true in futex_wake_pi(), then the 'ret' +variable is set to -EFAULT and then immediately overwritten. So the failure +injection is non-functional. + +Fix it by actually leaving the function and returning -EFAULT. + +The Fixes tag is kinda blury because the initial commit which introduced +failure injection was already sloppy, but the below mentioned commit broke +it completely. + +[ tglx: Massaged changelog ] + +Fixes: 6b4f4bc9cb22 ("locking/futex: Allow low-level atomic operations to return -EAGAIN") +Signed-off-by: Mateusz Nosek +Signed-off-by: Thomas Gleixner +Link: https://lore.kernel.org/r/20200927000858.24219-1-mateusznosek0@gmail.com +Signed-off-by: Sasha Levin +--- + kernel/futex.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/kernel/futex.c b/kernel/futex.c +index 2921ebaa14676..8f0e62c59a55b 100644 +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -1595,8 +1595,10 @@ static int wake_futex_pi(u32 __user *uaddr, u32 uval, struct futex_pi_state *pi_ + */ + newval = FUTEX_WAITERS | task_pid_vnr(new_owner); + +- if (unlikely(should_fail_futex(true))) ++ if (unlikely(should_fail_futex(true))) { + ret = -EFAULT; ++ goto out_unlock; ++ } + + ret = cmpxchg_futex_value_locked(&curval, uaddr, uval, newval); + if (!ret && (curval != uval)) { +-- +2.27.0 + diff --git a/queue-4.14/gfs2-add-validation-checks-for-size-of-superblock.patch b/queue-4.14/gfs2-add-validation-checks-for-size-of-superblock.patch new file mode 100644 index 00000000000..ff18b586fec --- /dev/null +++ b/queue-4.14/gfs2-add-validation-checks-for-size-of-superblock.patch 
@@ -0,0 +1,62 @@ +From ba74506201581bdee13489212604663f95961edd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Oct 2020 22:01:09 +0530 +Subject: gfs2: add validation checks for size of superblock + +From: Anant Thazhemadam + +[ Upstream commit 0ddc5154b24c96f20e94d653b0a814438de6032b ] + +In gfs2_check_sb(), no validation checks are performed with regards to +the size of the superblock. +syzkaller detected a slab-out-of-bounds bug that was primarily caused +because the block size for a superblock was set to zero. +A valid size for a superblock is a power of 2 between 512 and PAGE_SIZE. +Performing validation checks and ensuring that the size of the superblock +is valid fixes this bug. + +Reported-by: syzbot+af90d47a37376844e731@syzkaller.appspotmail.com +Tested-by: syzbot+af90d47a37376844e731@syzkaller.appspotmail.com +Suggested-by: Andrew Price +Signed-off-by: Anant Thazhemadam +[Minor code reordering.] +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Sasha Levin +--- + fs/gfs2/ops_fstype.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c +index 2de67588ac2d8..0b5c37ceb3ed3 100644 +--- a/fs/gfs2/ops_fstype.c ++++ b/fs/gfs2/ops_fstype.c +@@ -161,15 +161,19 @@ static int gfs2_check_sb(struct gfs2_sbd *sdp, int silent) + return -EINVAL; + } + +- /* If format numbers match exactly, we're done. 
*/ +- +- if (sb->sb_fs_format == GFS2_FORMAT_FS && +- sb->sb_multihost_format == GFS2_FORMAT_MULTI) +- return 0; ++ if (sb->sb_fs_format != GFS2_FORMAT_FS || ++ sb->sb_multihost_format != GFS2_FORMAT_MULTI) { ++ fs_warn(sdp, "Unknown on-disk format, unable to mount\n"); ++ return -EINVAL; ++ } + +- fs_warn(sdp, "Unknown on-disk format, unable to mount\n"); ++ if (sb->sb_bsize < 512 || sb->sb_bsize > PAGE_SIZE || ++ (sb->sb_bsize & (sb->sb_bsize - 1))) { ++ pr_warn("Invalid superblock size\n"); ++ return -EINVAL; ++ } + +- return -EINVAL; ++ return 0; + } + + static void end_bio_io_page(struct bio *bio) +-- +2.27.0 + diff --git a/queue-4.14/kgdb-make-kgdbcon-work-properly-with-kgdb_earlycon.patch b/queue-4.14/kgdb-make-kgdbcon-work-properly-with-kgdb_earlycon.patch new file mode 100644 index 00000000000..72fdc7dc32c --- /dev/null +++ b/queue-4.14/kgdb-make-kgdbcon-work-properly-with-kgdb_earlycon.patch 
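Review bot: The new block-size check in gfs2_check_sb() reports through `pr_warn("Invalid superblock size\n")`, while the format check just above it uses `fs_warn(sdp, ...)`, so this message does not say which filesystem was rejected. I would write `fs_warn(sdp, "Invalid block size\n");`, which also names the field actually tested (`sb_bsize`). The hunk validates `sb_bsize` only; whether other size-derived superblock fields read from disk are checked for consistency with it is not visible here, because the function starts outside the hunk.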
@@ -0,0 +1,70 @@ +From f7d54ddfb0006fdccc2468c882f1b448bcaea1f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Jun 2020 15:14:38 -0700 +Subject: kgdb: Make "kgdbcon" work properly with "kgdb_earlycon" + +From: Douglas Anderson + +[ Upstream commit b18b099e04f450cdc77bec72acefcde7042bd1f3 ] + +On my system the kernel processes the "kgdb_earlycon" parameter before +the "kgdbcon" parameter. When we setup "kgdb_earlycon" we'll end up +in kgdb_register_callbacks() and "kgdb_use_con" won't have been set +yet so we'll never get around to starting "kgdbcon". Let's remedy +this by detecting that the IO module was already registered when +setting "kgdb_use_con" and registering the console then. + +As part of this, to avoid pre-declaring things, move the handling of +the "kgdbcon" further down in the file. + +Signed-off-by: Douglas Anderson +Link: https://lore.kernel.org/r/20200630151422.1.I4aa062751ff5e281f5116655c976dff545c09a46@changeid +Signed-off-by: Daniel Thompson +Signed-off-by: Sasha Levin +--- + kernel/debug/debug_core.c | 22 ++++++++++++++-------- + 1 file changed, 14 insertions(+), 8 deletions(-) + +diff --git a/kernel/debug/debug_core.c b/kernel/debug/debug_core.c +index 694fcd0492827..4cf5697e72b18 100644 +--- a/kernel/debug/debug_core.c ++++ b/kernel/debug/debug_core.c +@@ -95,14 +95,6 @@ int dbg_switch_cpu; + /* Use kdb or gdbserver mode */ + int dbg_kdb_mode = 1; + +-static int __init opt_kgdb_con(char *str) +-{ +- kgdb_use_con = 1; +- return 0; +-} +- +-early_param("kgdbcon", opt_kgdb_con); +- + module_param(kgdb_use_con, int, 0644); + module_param(kgdbreboot, int, 0644); + +@@ -816,6 +808,20 @@ static struct console kgdbcons = { + .index = -1, + }; + ++static int __init opt_kgdb_con(char *str) ++{ ++ kgdb_use_con = 1; ++ ++ if (kgdb_io_module_registered && !kgdb_con_registered) { ++ register_console(&kgdbcons); ++ kgdb_con_registered = 1; ++ } ++ ++ return 0; ++} ++ ++early_param("kgdbcon", opt_kgdb_con); ++ + #ifdef CONFIG_MAGIC_SYSRQ + static 
void sysrq_handle_dbg(int key) + { +-- +2.27.0 + diff --git a/queue-4.14/md-bitmap-md_bitmap_get_counter-returns-wrong-blocks.patch b/queue-4.14/md-bitmap-md_bitmap_get_counter-returns-wrong-blocks.patch new file mode 100644 index 00000000000..7ce5f8712b3 --- /dev/null +++ b/queue-4.14/md-bitmap-md_bitmap_get_counter-returns-wrong-blocks.patch 
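Review bot: The relocated opt_kgdb_con() now registers the console itself, but nothing in the code explains why an early-param handler does this. A comment above the `if` would help: `/* kgdb_earlycon may already have registered the I/O module; start the console now */`. The test-and-set of `kgdb_con_registered` is done without a lock in this hunk, which is presumably safe because early parameters are parsed while boot is still single-threaded, but that assumption is worth stating in the same comment.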
@@ -0,0 +1,53 @@ +From f541d6d4d4078f7e2e7a5451cfaca5e9b603a7e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Oct 2020 00:00:24 +0800 +Subject: md/bitmap: md_bitmap_get_counter returns wrong blocks + +From: Zhao Heming + +[ Upstream commit d837f7277f56e70d82b3a4a037d744854e62f387 ] + +md_bitmap_get_counter() has code: + +``` + if (bitmap->bp[page].hijacked || + bitmap->bp[page].map == NULL) + csize = ((sector_t)1) << (bitmap->chunkshift + + PAGE_COUNTER_SHIFT - 1); +``` + +The minus 1 is wrong, this branch should report 2048 bits of space. +With "-1" action, this only report 1024 bit of space. + +This bug code returns wrong blocks, but it doesn't inflence bitmap logic: +1. Most callers focus this function return value (the counter of offset), + not the parameter blocks. +2. The bug is only triggered when hijacked is true or map is NULL. + the hijacked true condition is very rare. + the "map == null" only true when array is creating or resizing. +3. Even the caller gets wrong blocks, current code makes caller just to + call md_bitmap_get_counter() one more time. + +Signed-off-by: Zhao Heming +Signed-off-by: Song Liu +Signed-off-by: Sasha Levin +--- + drivers/md/bitmap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/md/bitmap.c b/drivers/md/bitmap.c +index 7eb76a1a25053..521c13f7929c8 100644 +--- a/drivers/md/bitmap.c ++++ b/drivers/md/bitmap.c +@@ -1369,7 +1369,7 @@ __acquires(bitmap->lock) + if (bitmap->bp[page].hijacked || + bitmap->bp[page].map == NULL) + csize = ((sector_t)1) << (bitmap->chunkshift + +- PAGE_COUNTER_SHIFT - 1); ++ PAGE_COUNTER_SHIFT); + else + csize = ((sector_t)1) << bitmap->chunkshift; + *blocks = csize - (offset & (csize - 1)); +-- +2.27.0 + diff --git a/queue-4.14/media-platform-improve-queue-set-up-flow-for-bug-fix.patch b/queue-4.14/media-platform-improve-queue-set-up-flow-for-bug-fix.patch new file mode 100644 index 00000000000..71b18c2fadd --- /dev/null 
+++ b/queue-4.14/media-platform-improve-queue-set-up-flow-for-bug-fix.patch @@ -0,0 +1,41 @@ +From 16f91ab91f34ff10ab43c4cf5f4b944e784f05f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Aug 2020 09:11:35 +0200 +Subject: media: platform: Improve queue set up flow for bug fixing + +From: Xia Jiang + +[ Upstream commit 5095a6413a0cf896ab468009b6142cb0fe617e66 ] + +Add checking created buffer size follow in mtk_jpeg_queue_setup(). + +Reviewed-by: Tomasz Figa +Signed-off-by: Xia Jiang +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c b/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c +index 46c996936798a..fd9e13500fe7f 100644 +--- a/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c ++++ b/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c +@@ -579,6 +579,13 @@ static int mtk_jpeg_queue_setup(struct vb2_queue *q, + if (!q_data) + return -EINVAL; + ++ if (*num_planes) { ++ for (i = 0; i < *num_planes; i++) ++ if (sizes[i] < q_data->sizeimage[i]) ++ return -EINVAL; ++ return 0; ++ } ++ + *num_planes = q_data->fmt->colplanes; + for (i = 0; i < q_data->fmt->colplanes; i++) { + sizes[i] = q_data->sizeimage[i]; +-- +2.27.0 + diff --git a/queue-4.14/media-tw5864-check-status-of-tw5864_frameinterval_ge.patch b/queue-4.14/media-tw5864-check-status-of-tw5864_frameinterval_ge.patch new file mode 100644 index 00000000000..ec3d3763190 --- /dev/null +++ b/queue-4.14/media-tw5864-check-status-of-tw5864_frameinterval_ge.patch 
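Review bot: In the new `if (*num_planes)` branch of mtk_jpeg_queue_setup(), the loop is bounded by the caller-supplied `*num_planes` and never compares it with `q_data->fmt->colplanes`. A request with a different plane count is therefore accepted as long as each size passes. Adding `if (*num_planes != q_data->fmt->colplanes) return -EINVAL;` before the loop would also keep the index into `q_data->sizeimage[]` within the planes the format defines; the array's declared size is not visible in this hunk. The function body continues outside the hunk.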
@@ -0,0 +1,63 @@ +From 6339826e9b771e7cbd0e4ffa58eafb9bbe5f35e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Aug 2020 21:25:18 +0200 +Subject: media: tw5864: check status of tw5864_frameinterval_get + +From: Tom Rix + +[ Upstream commit 780d815dcc9b34d93ae69385a8465c38d423ff0f ] + +clang static analysis reports this problem + +tw5864-video.c:773:32: warning: The left expression of the compound + assignment is an uninitialized value. + The computed value will also be garbage + fintv->stepwise.max.numerator *= std_max_fps; + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ^ + +stepwise.max is set with frameinterval, which comes from + + ret = tw5864_frameinterval_get(input, &frameinterval); + fintv->stepwise.step = frameinterval; + fintv->stepwise.min = frameinterval; + fintv->stepwise.max = frameinterval; + fintv->stepwise.max.numerator *= std_max_fps; + +When tw5864_frameinterval_get() fails, frameinterval is not +set. So check the status and fix another similar problem. + +Signed-off-by: Tom Rix +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/pci/tw5864/tw5864-video.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/media/pci/tw5864/tw5864-video.c b/drivers/media/pci/tw5864/tw5864-video.c +index ee1230440b397..02258685800a7 100644 +--- a/drivers/media/pci/tw5864/tw5864-video.c ++++ b/drivers/media/pci/tw5864/tw5864-video.c +@@ -776,6 +776,9 @@ static int tw5864_enum_frameintervals(struct file *file, void *priv, + fintv->type = V4L2_FRMIVAL_TYPE_STEPWISE; + + ret = tw5864_frameinterval_get(input, &frameinterval); ++ if (ret) ++ return ret; ++ + fintv->stepwise.step = frameinterval; + fintv->stepwise.min = frameinterval; + fintv->stepwise.max = frameinterval; +@@ -794,6 +797,9 @@ static int tw5864_g_parm(struct file *file, void *priv, + cp->capability = V4L2_CAP_TIMEPERFRAME; + + ret = tw5864_frameinterval_get(input, &cp->timeperframe); ++ if (ret) ++ return ret; ++ + 
cp->timeperframe.numerator *= input->frame_interval; + cp->capturemode = 0; + cp->readbuffers = 2; +-- +2.27.0 + diff --git a/queue-4.14/media-videodev2.h-rgb-bt2020-and-hsv-are-always-full.patch b/queue-4.14/media-videodev2.h-rgb-bt2020-and-hsv-are-always-full.patch new file mode 100644 index 00000000000..452f022b230 --- /dev/null +++ b/queue-4.14/media-videodev2.h-rgb-bt2020-and-hsv-are-always-full.patch 
@@ -0,0 +1,117 @@ +From cf7738d07e6364f91cd78d466f380936be42c8b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Aug 2020 12:47:16 +0200 +Subject: media: videodev2.h: RGB BT2020 and HSV are always full range + +From: Hans Verkuil + +[ Upstream commit b305dfe2e93434b12d438434461b709641f62af4 ] + +The default RGB quantization range for BT.2020 is full range (just as for +all the other RGB pixel encodings), not limited range. + +Update the V4L2_MAP_QUANTIZATION_DEFAULT macro and documentation +accordingly. + +Also mention that HSV is always full range and cannot be limited range. + +When RGB BT2020 was introduced in V4L2 it was not clear whether it should +be limited or full range, but full range is the right (and consistent) +choice. + +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + .../media/uapi/v4l/colorspaces-defs.rst | 9 ++++----- + .../media/uapi/v4l/colorspaces-details.rst | 5 ++--- + include/uapi/linux/videodev2.h | 17 ++++++++--------- + 3 files changed, 14 insertions(+), 17 deletions(-) + +diff --git a/Documentation/media/uapi/v4l/colorspaces-defs.rst b/Documentation/media/uapi/v4l/colorspaces-defs.rst +index f24615544792b..16e46bec80934 100644 +--- a/Documentation/media/uapi/v4l/colorspaces-defs.rst ++++ b/Documentation/media/uapi/v4l/colorspaces-defs.rst +@@ -29,8 +29,7 @@ whole range, 0-255, dividing the angular value by 1.41. The enum + :c:type:`v4l2_hsv_encoding` specifies which encoding is used. + + .. note:: The default R'G'B' quantization is full range for all +- colorspaces except for BT.2020 which uses limited range R'G'B' +- quantization. ++ colorspaces. HSV formats are always full range. + + .. tabularcolumns:: |p{6.0cm}|p{11.5cm}| + +@@ -162,8 +161,8 @@ whole range, 0-255, dividing the angular value by 1.41. The enum + - Details + * - ``V4L2_QUANTIZATION_DEFAULT`` + - Use the default quantization encoding as defined by the +- colorspace. 
This is always full range for R'G'B' (except for the +- BT.2020 colorspace) and HSV. It is usually limited range for Y'CbCr. ++ colorspace. This is always full range for R'G'B' and HSV. ++ It is usually limited range for Y'CbCr. + * - ``V4L2_QUANTIZATION_FULL_RANGE`` + - Use the full range quantization encoding. I.e. the range [0…1] is + mapped to [0…255] (with possible clipping to [1…254] to avoid the +@@ -173,4 +172,4 @@ whole range, 0-255, dividing the angular value by 1.41. The enum + * - ``V4L2_QUANTIZATION_LIM_RANGE`` + - Use the limited range quantization encoding. I.e. the range [0…1] + is mapped to [16…235]. Cb and Cr are mapped from [-0.5…0.5] to +- [16…240]. ++ [16…240]. Limited Range cannot be used with HSV. +diff --git a/Documentation/media/uapi/v4l/colorspaces-details.rst b/Documentation/media/uapi/v4l/colorspaces-details.rst +index 09fabf4cd4126..ca7176cae8dd8 100644 +--- a/Documentation/media/uapi/v4l/colorspaces-details.rst ++++ b/Documentation/media/uapi/v4l/colorspaces-details.rst +@@ -370,9 +370,8 @@ Colorspace BT.2020 (V4L2_COLORSPACE_BT2020) + The :ref:`itu2020` standard defines the colorspace used by Ultra-high + definition television (UHDTV). The default transfer function is + ``V4L2_XFER_FUNC_709``. The default Y'CbCr encoding is +-``V4L2_YCBCR_ENC_BT2020``. The default R'G'B' quantization is limited +-range (!), and so is the default Y'CbCr quantization. The chromaticities +-of the primary colors and the white reference are: ++``V4L2_YCBCR_ENC_BT2020``. The default Y'CbCr quantization is limited range. 
++The chromaticities of the primary colors and the white reference are: + + + +diff --git a/include/uapi/linux/videodev2.h b/include/uapi/linux/videodev2.h +index 1c095b5a99c58..b773e96b4a286 100644 +--- a/include/uapi/linux/videodev2.h ++++ b/include/uapi/linux/videodev2.h +@@ -362,9 +362,9 @@ enum v4l2_hsv_encoding { + + enum v4l2_quantization { + /* +- * The default for R'G'B' quantization is always full range, except +- * for the BT2020 colorspace. For Y'CbCr the quantization is always +- * limited range, except for COLORSPACE_JPEG: this is full range. ++ * The default for R'G'B' quantization is always full range. ++ * For Y'CbCr the quantization is always limited range, except ++ * for COLORSPACE_JPEG: this is full range. + */ + V4L2_QUANTIZATION_DEFAULT = 0, + V4L2_QUANTIZATION_FULL_RANGE = 1, +@@ -373,14 +373,13 @@ enum v4l2_quantization { + + /* + * Determine how QUANTIZATION_DEFAULT should map to a proper quantization. +- * This depends on whether the image is RGB or not, the colorspace and the +- * Y'CbCr encoding. ++ * This depends on whether the image is RGB or not, the colorspace. ++ * The Y'CbCr encoding is not used anymore, but is still there for backwards ++ * compatibility. + */ + #define V4L2_MAP_QUANTIZATION_DEFAULT(is_rgb_or_hsv, colsp, ycbcr_enc) \ +- (((is_rgb_or_hsv) && (colsp) == V4L2_COLORSPACE_BT2020) ? \ +- V4L2_QUANTIZATION_LIM_RANGE : \ +- (((is_rgb_or_hsv) || (colsp) == V4L2_COLORSPACE_JPEG) ? \ +- V4L2_QUANTIZATION_FULL_RANGE : V4L2_QUANTIZATION_LIM_RANGE)) ++ (((is_rgb_or_hsv) || (colsp) == V4L2_COLORSPACE_JPEG) ? \ ++ V4L2_QUANTIZATION_FULL_RANGE : V4L2_QUANTIZATION_LIM_RANGE) + + enum v4l2_priority { + V4L2_PRIORITY_UNSET = 0, /* not initialized */ +-- +2.27.0 + diff --git a/queue-4.14/memory-emif-remove-bogus-debugfs-error-handling.patch b/queue-4.14/memory-emif-remove-bogus-debugfs-error-handling.patch new file mode 100644 index 00000000000..57721cff6e8 --- /dev/null 
+++ b/queue-4.14/memory-emif-remove-bogus-debugfs-error-handling.patch 
@@ -0,0 +1,75 @@ +From e22622cbbe4900d03adda6137d794e3b331a0236 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Aug 2020 14:37:59 +0300 +Subject: memory: emif: Remove bogus debugfs error handling + +From: Dan Carpenter + +[ Upstream commit fd22781648080cc400772b3c68aa6b059d2d5420 ] + +Callers are generally not supposed to check the return values from +debugfs functions. Debugfs functions never return NULL so this error +handling will never trigger. (Historically debugfs functions used to +return a mix of NULL and error pointers but it was eventually deemed too +complicated for something which wasn't intended to be used in normal +situations). + +Delete all the error handling. + +Signed-off-by: Dan Carpenter +Acked-by: Santosh Shilimkar +Link: https://lore.kernel.org/r/20200826113759.GF393664@mwanda +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + drivers/memory/emif.c | 33 +++++---------------------------- + 1 file changed, 5 insertions(+), 28 deletions(-) + +diff --git a/drivers/memory/emif.c b/drivers/memory/emif.c +index 04644e7b42b12..88c32b8dc88a1 100644 +--- a/drivers/memory/emif.c ++++ b/drivers/memory/emif.c +@@ -165,35 +165,12 @@ static const struct file_operations emif_mr4_fops = { + + static int __init_or_module emif_debugfs_init(struct emif_data *emif) + { +- struct dentry *dentry; +- int ret; +- +- dentry = debugfs_create_dir(dev_name(emif->dev), NULL); +- if (!dentry) { +- ret = -ENOMEM; +- goto err0; +- } +- emif->debugfs_root = dentry; +- +- dentry = debugfs_create_file("regcache_dump", S_IRUGO, +- emif->debugfs_root, emif, &emif_regdump_fops); +- if (!dentry) { +- ret = -ENOMEM; +- goto err1; +- } +- +- dentry = debugfs_create_file("mr4", S_IRUGO, +- emif->debugfs_root, emif, &emif_mr4_fops); +- if (!dentry) { +- ret = -ENOMEM; +- goto err1; +- } +- ++ emif->debugfs_root = debugfs_create_dir(dev_name(emif->dev), NULL); ++ debugfs_create_file("regcache_dump", S_IRUGO, emif->debugfs_root, emif, ++ &emif_regdump_fops); 
++ debugfs_create_file("mr4", S_IRUGO, emif->debugfs_root, emif, ++ &emif_mr4_fops); + return 0; +-err1: +- debugfs_remove_recursive(emif->debugfs_root); +-err0: +- return ret; + } + + static void __exit emif_debugfs_exit(struct emif_data *emif) +-- +2.27.0 + diff --git a/queue-4.14/mlxsw-core-fix-use-after-free-in-mlxsw_emad_trans_fi.patch b/queue-4.14/mlxsw-core-fix-use-after-free-in-mlxsw_emad_trans_fi.patch new file mode 100644 index 00000000000..cb12ba3a987 --- /dev/null +++ b/queue-4.14/mlxsw-core-fix-use-after-free-in-mlxsw_emad_trans_fi.patch 
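Review bot: With the NULL checks gone, emif_debugfs_init() passes whatever debugfs_create_dir() returned straight into debugfs_create_file() as the parent. The quoted changelog relies on debugfs functions never returning NULL, which as far as I recall does not hold for the 4.14 debugfs API: there a failed debugfs_create_dir() still returns NULL, and a NULL parent means the debugfs root. In that case `regcache_dump` and `mr4` would be created at the top level and likely not removed by the recursive cleanup in emif_debugfs_exit(). For this backport I would keep one guard after the directory is created, `if (!emif->debugfs_root) return 0;`, or confirm the 4.14 return convention before dropping the checks.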
@@ -0,0 +1,166 @@ +From 33a7d56f8c5e4e78ef7b3008017ebee815e68aa4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 24 Oct 2020 16:37:33 +0300 +Subject: mlxsw: core: Fix use-after-free in mlxsw_emad_trans_finish() + +From: Amit Cohen + +[ Upstream commit 0daf2bf5a2dcf33d446b76360908f109816e2e21 ] + +Each EMAD transaction stores the skb used to issue the EMAD request +('trans->tx_skb') so that the request could be retried in case of a +timeout. The skb can be freed when a corresponding response is received +or as part of the retry logic (e.g., failed retransmit, exceeded maximum +number of retries). + +The two tasks (i.e., response processing and retransmits) are +synchronized by the atomic 'trans->active' field which ensures that +responses to inactive transactions are ignored. + +In case of a failed retransmit the transaction is finished and all of +its resources are freed. However, the current code does not mark it as +inactive. Syzkaller was able to hit a race condition in which a +concurrent response is processed while the transaction's resources are +being freed, resulting in a use-after-free [1]. + +Fix the issue by making sure to mark the transaction as inactive after a +failed retransmit and free its resources only if a concurrent task did +not already do that. 
+ +[1] +BUG: KASAN: use-after-free in consume_skb+0x30/0x370 +net/core/skbuff.c:833 +Read of size 4 at addr ffff88804f570494 by task syz-executor.0/1004 + +CPU: 0 PID: 1004 Comm: syz-executor.0 Not tainted 5.8.0-rc7+ #68 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS +rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0xf6/0x16e lib/dump_stack.c:118 + print_address_description.constprop.0+0x1c/0x250 +mm/kasan/report.c:383 + __kasan_report mm/kasan/report.c:513 [inline] + kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530 + check_memory_region_inline mm/kasan/generic.c:186 [inline] + check_memory_region+0x14e/0x1b0 mm/kasan/generic.c:192 + instrument_atomic_read include/linux/instrumented.h:56 [inline] + atomic_read include/asm-generic/atomic-instrumented.h:27 [inline] + refcount_read include/linux/refcount.h:147 [inline] + skb_unref include/linux/skbuff.h:1044 [inline] + consume_skb+0x30/0x370 net/core/skbuff.c:833 + mlxsw_emad_trans_finish+0x64/0x1c0 drivers/net/ethernet/mellanox/mlxsw/core.c:592 + mlxsw_emad_process_response drivers/net/ethernet/mellanox/mlxsw/core.c:651 [inline] + mlxsw_emad_rx_listener_func+0x5c9/0xac0 drivers/net/ethernet/mellanox/mlxsw/core.c:672 + mlxsw_core_skb_receive+0x4df/0x770 drivers/net/ethernet/mellanox/mlxsw/core.c:2063 + mlxsw_pci_cqe_rdq_handle drivers/net/ethernet/mellanox/mlxsw/pci.c:595 [inline] + mlxsw_pci_cq_tasklet+0x12a6/0x2520 drivers/net/ethernet/mellanox/mlxsw/pci.c:651 + tasklet_action_common.isra.0+0x13f/0x3e0 kernel/softirq.c:550 + __do_softirq+0x223/0x964 kernel/softirq.c:292 + asm_call_on_stack+0x12/0x20 arch/x86/entry/entry_64.S:711 + +Allocated by task 1006: + save_stack+0x1b/0x40 mm/kasan/common.c:48 + set_track mm/kasan/common.c:56 [inline] + __kasan_kmalloc mm/kasan/common.c:494 [inline] + __kasan_kmalloc.constprop.0+0xc2/0xd0 mm/kasan/common.c:467 + slab_post_alloc_hook mm/slab.h:586 [inline] + slab_alloc_node 
mm/slub.c:2824 [inline] + slab_alloc mm/slub.c:2832 [inline] + kmem_cache_alloc+0xcd/0x2e0 mm/slub.c:2837 + __build_skb+0x21/0x60 net/core/skbuff.c:311 + __netdev_alloc_skb+0x1e2/0x360 net/core/skbuff.c:464 + netdev_alloc_skb include/linux/skbuff.h:2810 [inline] + mlxsw_emad_alloc drivers/net/ethernet/mellanox/mlxsw/core.c:756 [inline] + mlxsw_emad_reg_access drivers/net/ethernet/mellanox/mlxsw/core.c:787 [inline] + mlxsw_core_reg_access_emad+0x1ab/0x1420 drivers/net/ethernet/mellanox/mlxsw/core.c:1817 + mlxsw_reg_trans_query+0x39/0x50 drivers/net/ethernet/mellanox/mlxsw/core.c:1831 + mlxsw_sp_sb_pm_occ_clear drivers/net/ethernet/mellanox/mlxsw/spectrum_buffers.c:260 [inline] + mlxsw_sp_sb_occ_max_clear+0xbff/0x10a0 drivers/net/ethernet/mellanox/mlxsw/spectrum_buffers.c:1365 + mlxsw_devlink_sb_occ_max_clear+0x76/0xb0 drivers/net/ethernet/mellanox/mlxsw/core.c:1037 + devlink_nl_cmd_sb_occ_max_clear_doit+0x1ec/0x280 net/core/devlink.c:1765 + genl_family_rcv_msg_doit net/netlink/genetlink.c:669 [inline] + genl_family_rcv_msg net/netlink/genetlink.c:714 [inline] + genl_rcv_msg+0x617/0x980 net/netlink/genetlink.c:731 + netlink_rcv_skb+0x152/0x440 net/netlink/af_netlink.c:2470 + genl_rcv+0x24/0x40 net/netlink/genetlink.c:742 + netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline] + netlink_unicast+0x53a/0x750 net/netlink/af_netlink.c:1330 + netlink_sendmsg+0x850/0xd90 net/netlink/af_netlink.c:1919 + sock_sendmsg_nosec net/socket.c:651 [inline] + sock_sendmsg+0x150/0x190 net/socket.c:671 + ____sys_sendmsg+0x6d8/0x840 net/socket.c:2359 + ___sys_sendmsg+0xff/0x170 net/socket.c:2413 + __sys_sendmsg+0xe5/0x1b0 net/socket.c:2446 + do_syscall_64+0x56/0xa0 arch/x86/entry/common.c:384 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Freed by task 73: + save_stack+0x1b/0x40 mm/kasan/common.c:48 + set_track mm/kasan/common.c:56 [inline] + kasan_set_free_info mm/kasan/common.c:316 [inline] + __kasan_slab_free+0x12c/0x170 mm/kasan/common.c:455 + slab_free_hook mm/slub.c:1474 
[inline] + slab_free_freelist_hook mm/slub.c:1507 [inline] + slab_free mm/slub.c:3072 [inline] + kmem_cache_free+0xbe/0x380 mm/slub.c:3088 + kfree_skbmem net/core/skbuff.c:622 [inline] + kfree_skbmem+0xef/0x1b0 net/core/skbuff.c:616 + __kfree_skb net/core/skbuff.c:679 [inline] + consume_skb net/core/skbuff.c:837 [inline] + consume_skb+0xe1/0x370 net/core/skbuff.c:831 + mlxsw_emad_trans_finish+0x64/0x1c0 drivers/net/ethernet/mellanox/mlxsw/core.c:592 + mlxsw_emad_transmit_retry.isra.0+0x9d/0xc0 drivers/net/ethernet/mellanox/mlxsw/core.c:613 + mlxsw_emad_trans_timeout_work+0x43/0x50 drivers/net/ethernet/mellanox/mlxsw/core.c:625 + process_one_work+0xa3e/0x17a0 kernel/workqueue.c:2269 + worker_thread+0x9e/0x1050 kernel/workqueue.c:2415 + kthread+0x355/0x470 kernel/kthread.c:291 + ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:293 + +The buggy address belongs to the object at ffff88804f5703c0 + which belongs to the cache skbuff_head_cache of size 224 +The buggy address is located 212 bytes inside of + 224-byte region [ffff88804f5703c0, ffff88804f5704a0) +The buggy address belongs to the page: +page:ffffea00013d5c00 refcount:1 mapcount:0 mapping:0000000000000000 +index:0x0 +flags: 0x100000000000200(slab) +raw: 0100000000000200 dead000000000100 dead000000000122 ffff88806c625400 +raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff88804f570380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb + ffff88804f570400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +>ffff88804f570480: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc + ^ + ffff88804f570500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + ffff88804f570580: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc + +Fixes: caf7297e7ab5f ("mlxsw: core: Introduce support for asynchronous EMAD register access") +Signed-off-by: Amit Cohen +Reviewed-by: Jiri Pirko +Signed-off-by: Ido Schimmel +Signed-off-by: 
Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlxsw/core.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlxsw/core.c b/drivers/net/ethernet/mellanox/mlxsw/core.c +index dc12ab33afffb..bda615614af5d 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/core.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/core.c +@@ -520,6 +520,9 @@ static void mlxsw_emad_transmit_retry(struct mlxsw_core *mlxsw_core, + err = mlxsw_emad_transmit(trans->core, trans); + if (err == 0) + return; ++ ++ if (!atomic_dec_and_test(&trans->active)) ++ return; + } else { + err = -EIO; + } +-- +2.27.0 + diff --git a/queue-4.14/mmc-via-sdmmc-fix-data-race-bug.patch b/queue-4.14/mmc-via-sdmmc-fix-data-race-bug.patch new file mode 100644 index 00000000000..fdc65d66e36 --- /dev/null +++ b/queue-4.14/mmc-via-sdmmc-fix-data-race-bug.patch 
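Review bot: The added `if (!atomic_dec_and_test(&trans->active)) return;` in mlxsw_emad_transmit_retry() carries the whole fix but has no comment; which side of the race gets to free the transaction is explained only in the changelog. I would add above it: `/* A concurrent response may already have finished this transaction; only the task that clears 'active' may free it. */`. The `else` branch (`err = -EIO`) falls through to the same cleanup without this test. Whether `active` is already cleared on that path depends on the caller, which is outside the hunk, so it is worth confirming.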
@@ -0,0 +1,48 @@ +From 6107d1f85aba1ccbad170811d88ebfde6f26f1e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 22 Aug 2020 11:45:28 +0530 +Subject: mmc: via-sdmmc: Fix data race bug + +From: Madhuparna Bhowmik + +[ Upstream commit 87d7ad089b318b4f319bf57f1daa64eb6d1d10ad ] + +via_save_pcictrlreg() should be called with host->lock held +as it writes to pm_pcictrl_reg, otherwise there can be a race +condition between via_sd_suspend() and via_sdc_card_detect(). +The same pattern is used in the function via_reset_pcictrl() +as well, where via_save_pcictrlreg() is called with host->lock +held. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Madhuparna Bhowmik +Link: https://lore.kernel.org/r/20200822061528.7035-1-madhuparnabhowmik10@gmail.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/via-sdmmc.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/mmc/host/via-sdmmc.c b/drivers/mmc/host/via-sdmmc.c +index a863a345fc59b..8c0e348c6053c 100644 +--- a/drivers/mmc/host/via-sdmmc.c ++++ b/drivers/mmc/host/via-sdmmc.c +@@ -1275,11 +1275,14 @@ static void via_init_sdc_pm(struct via_crdr_mmc_host *host) + static int via_sd_suspend(struct pci_dev *pcidev, pm_message_t state) + { + struct via_crdr_mmc_host *host; ++ unsigned long flags; + + host = pci_get_drvdata(pcidev); + ++ spin_lock_irqsave(&host->lock, flags); + via_save_pcictrlreg(host); + via_save_sdcreg(host); ++ spin_unlock_irqrestore(&host->lock, flags); + + pci_save_state(pcidev); + pci_enable_wake(pcidev, pci_choose_state(pcidev, state), 0); +-- +2.27.0 + diff --git a/queue-4.14/nbd-make-the-config-put-is-called-before-the-notifyi.patch b/queue-4.14/nbd-make-the-config-put-is-called-before-the-notifyi.patch new file mode 100644 index 00000000000..2893000013a --- /dev/null +++ b/queue-4.14/nbd-make-the-config-put-is-called-before-the-notifyi.patch 
@@ -0,0 +1,43 @@ +From 68bb63daff69f3eae841674dcafd74d791a56583 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Oct 2020 22:45:14 -0400 +Subject: nbd: make the config put is called before the notifying the waiter + +From: Xiubo Li + +[ Upstream commit 87aac3a80af5cbad93e63250e8a1e19095ba0d30 ] + +There has one race case for ceph's rbd-nbd tool. When do mapping +it may fail with EBUSY from ioctl(nbd, NBD_DO_IT), but actually +the nbd device has already unmaped. + +It dues to if just after the wake_up(), the recv_work() is scheduled +out and defers calling the nbd_config_put(), though the map process +has exited the "nbd->recv_task" is not cleared. + +Signed-off-by: Xiubo Li +Reviewed-by: Josef Bacik +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/nbd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c +index f22fad977c913..cdf62fb94fb15 100644 +--- a/drivers/block/nbd.c ++++ b/drivers/block/nbd.c +@@ -725,9 +725,9 @@ static void recv_work(struct work_struct *work) + + blk_mq_complete_request(blk_mq_rq_from_pdu(cmd)); + } ++ nbd_config_put(nbd); + atomic_dec(&config->recv_threads); + wake_up(&config->recv_wq); +- nbd_config_put(nbd); + kfree(args); + } + +-- +2.27.0 + diff --git a/queue-4.14/net-9p-initialize-sun_server.sun_path-to-have-addr-s.patch b/queue-4.14/net-9p-initialize-sun_server.sun_path-to-have-addr-s.patch new file mode 100644 index 00000000000..90cbe089df0 --- /dev/null +++ b/queue-4.14/net-9p-initialize-sun_server.sun_path-to-have-addr-s.patch 
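Review bot: After the reorder in recv_work(), `config` is still dereferenced by `atomic_dec(&config->recv_threads)` and `wake_up(&config->recv_wq)` after `nbd_config_put(nbd)` has dropped this worker's reference. If that put can ever be the last one, those two lines touch freed memory; the hunk does not show what else keeps the config alive at this point. A comment stating the invariant would make the ordering reviewable, e.g. `/* the waiter on recv_wq holds its own config reference until recv_threads reaches zero */`, provided that holds for every way the device can be configured.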
@@ -0,0 +1,45 @@ +From f3d936115e8eeffcb97fe60cada6948f18f2c7c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Oct 2020 09:54:04 +0530 +Subject: net: 9p: initialize sun_server.sun_path to have addr's value only + when addr is valid + +From: Anant Thazhemadam + +[ Upstream commit 7ca1db21ef8e0e6725b4d25deed1ca196f7efb28 ] + +In p9_fd_create_unix, checking is performed to see if the addr (passed +as an argument) is NULL or not. +However, no check is performed to see if addr is a valid address, i.e., +it doesn't entirely consist of only 0's. +The initialization of sun_server.sun_path to be equal to this faulty +addr value leads to an uninitialized variable, as detected by KMSAN. +Checking for this (faulty addr) and returning a negative error number +appropriately, resolves this issue. + +Link: http://lkml.kernel.org/r/20201012042404.2508-1-anant.thazhemadam@gmail.com +Reported-by: syzbot+75d51fe5bf4ebe988518@syzkaller.appspotmail.com +Tested-by: syzbot+75d51fe5bf4ebe988518@syzkaller.appspotmail.com +Signed-off-by: Anant Thazhemadam +Signed-off-by: Dominique Martinet +Signed-off-by: Sasha Levin +--- + net/9p/trans_fd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c +index 9f020559c1928..1b56b22c5c5d7 100644 +--- a/net/9p/trans_fd.c ++++ b/net/9p/trans_fd.c +@@ -1029,7 +1029,7 @@ p9_fd_create_unix(struct p9_client *client, const char *addr, char *args) + + csocket = NULL; + +- if (addr == NULL) ++ if (!addr || !strlen(addr)) + return -EINVAL; + + if (strlen(addr) >= UNIX_PATH_MAX) { +-- +2.27.0 + diff --git a/queue-4.14/nvme-rdma-fix-crash-when-connect-rejected.patch b/queue-4.14/nvme-rdma-fix-crash-when-connect-rejected.patch new file mode 100644 index 00000000000..b7c32a9e9a4 --- /dev/null +++ b/queue-4.14/nvme-rdma-fix-crash-when-connect-rejected.patch 
@@ -0,0 +1,47 @@ +From c821eee859877a19e659c684bc651437081098bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Oct 2020 16:10:40 +0800 +Subject: nvme-rdma: fix crash when connect rejected + +From: Chao Leng + +[ Upstream commit 43efdb8e870ee0f58633fd579aa5b5185bf5d39e ] + +A crash can happened when a connect is rejected. The host establishes +the connection after received ConnectReply, and then continues to send +the fabrics Connect command. If the controller does not receive the +ReadyToUse capsule, host may receive a ConnectReject reply. + +Call nvme_rdma_destroy_queue_ib after the host received the +RDMA_CM_EVENT_REJECTED event. Then when the fabrics Connect command +times out, nvme_rdma_timeout calls nvme_rdma_complete_rq to fail the +request. A crash happenes due to use after free in +nvme_rdma_complete_rq. + +nvme_rdma_destroy_queue_ib is redundant when handling the +RDMA_CM_EVENT_REJECTED event as nvme_rdma_destroy_queue_ib is already +called in connection failure handler. + +Signed-off-by: Chao Leng +Reviewed-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/rdma.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c +index c91bfd839cabe..564e457f1345e 100644 +--- a/drivers/nvme/host/rdma.c ++++ b/drivers/nvme/host/rdma.c +@@ -1545,7 +1545,6 @@ static int nvme_rdma_cm_handler(struct rdma_cm_id *cm_id, + complete(&queue->cm_done); + return 0; + case RDMA_CM_EVENT_REJECTED: +- nvme_rdma_destroy_queue_ib(queue); + cm_error = nvme_rdma_conn_rejected(queue, ev); + break; + case RDMA_CM_EVENT_ROUTE_ERROR: +-- +2.27.0 + diff --git a/queue-4.14/power-supply-test_power-add-missing-newlines-when-pr.patch b/queue-4.14/power-supply-test_power-add-missing-newlines-when-pr.patch new file mode 100644 index 00000000000..ed2a937224c --- /dev/null +++ b/queue-4.14/power-supply-test_power-add-missing-newlines-when-pr.patch 
@@ -0,0 +1,84 @@ +From 03e189e134b9005b86b66451189539de88dade89 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Sep 2020 14:09:58 +0800 +Subject: power: supply: test_power: add missing newlines when printing + parameters by sysfs + +From: Xiongfeng Wang + +[ Upstream commit c07fa6c1631333f02750cf59f22b615d768b4d8f ] + +When I cat some module parameters by sysfs, it displays as follows. +It's better to add a newline for easy reading. + +root@syzkaller:~# cd /sys/module/test_power/parameters/ +root@syzkaller:/sys/module/test_power/parameters# cat ac_online +onroot@syzkaller:/sys/module/test_power/parameters# cat battery_present +trueroot@syzkaller:/sys/module/test_power/parameters# cat battery_health +goodroot@syzkaller:/sys/module/test_power/parameters# cat battery_status +dischargingroot@syzkaller:/sys/module/test_power/parameters# cat battery_technology +LIONroot@syzkaller:/sys/module/test_power/parameters# cat usb_online +onroot@syzkaller:/sys/module/test_power/parameters# + +Signed-off-by: Xiongfeng Wang +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/test_power.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/power/supply/test_power.c b/drivers/power/supply/test_power.c +index 57246cdbd0426..925abec45380f 100644 +--- a/drivers/power/supply/test_power.c ++++ b/drivers/power/supply/test_power.c +@@ -344,6 +344,7 @@ static int param_set_ac_online(const char *key, const struct kernel_param *kp) + static int param_get_ac_online(char *buffer, const struct kernel_param *kp) + { + strcpy(buffer, map_get_key(map_ac_online, ac_online, "unknown")); ++ strcat(buffer, "\n"); + return strlen(buffer); + } + +@@ -357,6 +358,7 @@ static int param_set_usb_online(const char *key, const struct kernel_param *kp) + static int param_get_usb_online(char *buffer, const struct kernel_param *kp) + { + strcpy(buffer, map_get_key(map_ac_online, usb_online, "unknown")); ++ strcat(buffer, "\n"); + return 
strlen(buffer); + } + +@@ -371,6 +373,7 @@ static int param_set_battery_status(const char *key, + static int param_get_battery_status(char *buffer, const struct kernel_param *kp) + { + strcpy(buffer, map_get_key(map_status, battery_status, "unknown")); ++ strcat(buffer, "\n"); + return strlen(buffer); + } + +@@ -385,6 +388,7 @@ static int param_set_battery_health(const char *key, + static int param_get_battery_health(char *buffer, const struct kernel_param *kp) + { + strcpy(buffer, map_get_key(map_health, battery_health, "unknown")); ++ strcat(buffer, "\n"); + return strlen(buffer); + } + +@@ -400,6 +404,7 @@ static int param_get_battery_present(char *buffer, + const struct kernel_param *kp) + { + strcpy(buffer, map_get_key(map_present, battery_present, "unknown")); ++ strcat(buffer, "\n"); + return strlen(buffer); + } + +@@ -417,6 +422,7 @@ static int param_get_battery_technology(char *buffer, + { + strcpy(buffer, + map_get_key(map_technology, battery_technology, "unknown")); ++ strcat(buffer, "\n"); + return strlen(buffer); + } + +-- +2.27.0 + diff --git a/queue-4.14/powerpc-powernv-smp-fix-spurious-dbg-warning.patch b/queue-4.14/powerpc-powernv-smp-fix-spurious-dbg-warning.patch new file mode 100644 index 00000000000..f92267884bb --- /dev/null +++ b/queue-4.14/powerpc-powernv-smp-fix-spurious-dbg-warning.patch 
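Review bot: The added `strcat(buffer, "\n")` in param_get_ac_online() extends an already unbounded `strcpy()` into the parameter buffer. The same pair is repeated in param_get_usb_online(), param_get_battery_status(), param_get_battery_health(), param_get_battery_present() and param_get_battery_technology(). The strings come from map_get_key() with an "unknown" fallback, so they are presumably short table entries, but nothing in these getters enforces that against the page-sized buffer a kernel_param getter is handed. One bounded call does the copy, the newline and the length in a single pass: `return scnprintf(buffer, PAGE_SIZE, "%s\n", map_get_key(map_ac_online, ac_online, "unknown"));`, with the matching map and variable in the other five getters.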
@@ -0,0 +1,55 @@ +From 43b4d19569e3dd2b8e2e4cadfda1c6b69784f13d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Aug 2020 10:54:05 +1000 +Subject: powerpc/powernv/smp: Fix spurious DBG() warning +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Oliver O'Halloran + +[ Upstream commit f6bac19cf65c5be21d14a0c9684c8f560f2096dd ] + +When building with W=1 we get the following warning: + + arch/powerpc/platforms/powernv/smp.c: In function ‘pnv_smp_cpu_kill_self’: + arch/powerpc/platforms/powernv/smp.c:276:16: error: suggest braces around + empty body in an ‘if’ statement [-Werror=empty-body] + 276 | cpu, srr1); + | ^ + cc1: all warnings being treated as errors + +The full context is this block: + + if (srr1 && !generic_check_cpu_restart(cpu)) + DBG("CPU%d Unexpected exit while offline srr1=%lx!\n", + cpu, srr1); + +When building with DEBUG undefined DBG() expands to nothing and GCC emits +the warning due to the lack of braces around an empty statement. + +Signed-off-by: Oliver O'Halloran +Reviewed-by: Joel Stanley +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200804005410.146094-2-oohall@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/powernv/smp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/platforms/powernv/smp.c b/arch/powerpc/platforms/powernv/smp.c +index c17f81e433f7d..11d8fde770c38 100644 +--- a/arch/powerpc/platforms/powernv/smp.c ++++ b/arch/powerpc/platforms/powernv/smp.c +@@ -44,7 +44,7 @@ + #include + #define DBG(fmt...) udbg_printf(fmt) + #else +-#define DBG(fmt...) ++#define DBG(fmt...) do { } while (0) + #endif + + static void pnv_smp_setup_cpu(int cpu) +-- +2.27.0 + diff --git a/queue-4.14/powerpc-select-arch_want_irqs_off_activate_mm.patch b/queue-4.14/powerpc-select-arch_want_irqs_off_activate_mm.patch new file mode 100644 index 00000000000..114731b944d --- /dev/null 
+++ b/queue-4.14/powerpc-select-arch_want_irqs_off_activate_mm.patch @@ -0,0 +1,50 @@ +From db9974286aaabb12230d8b9eae3bc7b691608c5d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Sep 2020 14:52:17 +1000 +Subject: powerpc: select ARCH_WANT_IRQS_OFF_ACTIVATE_MM + +From: Nicholas Piggin + +[ Upstream commit 66acd46080bd9e5ad2be4b0eb1d498d5145d058e ] + +powerpc uses IPIs in some situations to switch a kernel thread away +from a lazy tlb mm, which is subject to the TLB flushing race +described in the changelog introducing ARCH_WANT_IRQS_OFF_ACTIVATE_MM. + +Signed-off-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200914045219.3736466-3-npiggin@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/Kconfig | 1 + + arch/powerpc/include/asm/mmu_context.h | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig +index 679e1e3c16953..7cc91d7f893cf 100644 +--- a/arch/powerpc/Kconfig ++++ b/arch/powerpc/Kconfig +@@ -154,6 +154,7 @@ config PPC + select ARCH_USE_BUILTIN_BSWAP + select ARCH_USE_CMPXCHG_LOCKREF if PPC64 + select ARCH_WANT_IPC_PARSE_VERSION ++ select ARCH_WANT_IRQS_OFF_ACTIVATE_MM + select ARCH_WEAK_RELEASE_ACQUIRE + select BINFMT_ELF + select BUILDTIME_EXTABLE_SORT +diff --git a/arch/powerpc/include/asm/mmu_context.h b/arch/powerpc/include/asm/mmu_context.h +index 6f67ff5a52672..5f9ad4f4b9c0f 100644 +--- a/arch/powerpc/include/asm/mmu_context.h ++++ b/arch/powerpc/include/asm/mmu_context.h +@@ -101,7 +101,7 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next, + */ + static inline void activate_mm(struct mm_struct *prev, struct mm_struct *next) + { +- switch_mm(prev, next, current); ++ switch_mm_irqs_off(prev, next, current); + } + + /* We don't currently use enter_lazy_tlb() for anything */ +-- +2.27.0 + 
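Review bot: `select ARCH_WANT_IRQS_OFF_ACTIVATE_MM` in arch/powerpc/Kconfig only takes effect if that symbol is defined in the 4.14 tree. The switch to `switch_mm_irqs_off(prev, next, current)` in activate_mm() presumably relies on the generic caller disabling interrupts when the symbol is set. The commit message refers to the changelog that introduced the symbol, but the series additions visible on this page do not list that patch, so confirm it is already applied or queued ahead of this one. Without it the select would have no effect and activate_mm() would enter the irqs-off variant with interrupts enabled. If acceptable for a stable backport, `WARN_ON_ONCE(!irqs_disabled());` at the top of activate_mm() would make a missing prerequisite visible.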
diff --git a/queue-4.14/printk-reduce-log_buf_shift-range-for-h8300.patch b/queue-4.14/printk-reduce-log_buf_shift-range-for-h8300.patch new file mode 100644 index 00000000000..e0134928e4f --- /dev/null +++ b/queue-4.14/printk-reduce-log_buf_shift-range-for-h8300.patch @@ -0,0 +1,42 @@ +From e94c25d879faaceef69919bd8c841657723cc1c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Aug 2020 09:37:22 +0206 +Subject: printk: reduce LOG_BUF_SHIFT range for H8300 + +From: John Ogness + +[ Upstream commit 550c10d28d21bd82a8bb48debbb27e6ed53262f6 ] + +The .bss section for the h8300 is relatively small. A value of +CONFIG_LOG_BUF_SHIFT that is larger than 19 will create a static +printk ringbuffer that is too large. Limit the range appropriately +for the H8300. + +Reported-by: kernel test robot +Signed-off-by: John Ogness +Reviewed-by: Sergey Senozhatsky +Acked-by: Steven Rostedt (VMware) +Signed-off-by: Petr Mladek +Link: https://lore.kernel.org/r/20200812073122.25412-1-john.ogness@linutronix.de +Signed-off-by: Sasha Levin +--- + init/Kconfig | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/init/Kconfig b/init/Kconfig +index 46075327c165d..20f709ea1eb38 100644 +--- a/init/Kconfig ++++ b/init/Kconfig +@@ -500,7 +500,8 @@ config IKCONFIG_PROC + + config LOG_BUF_SHIFT + int "Kernel log buffer size (16 => 64KB, 17 => 128KB)" +- range 12 25 ++ range 12 25 if !H8300 ++ range 12 19 if H8300 + default 17 + depends on PRINTK + help +-- +2.27.0 + diff --git a/queue-4.14/series b/queue-4.14/series index 00187ceef4f..13ec6897df9 100644 --- a/queue-4.14/series +++ b/queue-4.14/series 
@@ -11,3 +11,50 @@ p54-avoid-accessing-the-data-mapped-to-streaming-dma.patch mtd-lpddr-fix-bad-logic-in-print_drs_error.patch ata-sata_rcar-fix-dma-boundary-mask.patch fscrypt-return-exdev-for-incompatible-rename-or-link-into-encrypted-dir.patch +x86-unwind-orc-fix-inactive-tasks-with-stack-pointer.patch +mlxsw-core-fix-use-after-free-in-mlxsw_emad_trans_fi.patch +futex-fix-incorrect-should_fail_futex-handling.patch +powerpc-powernv-smp-fix-spurious-dbg-warning.patch +powerpc-select-arch_want_irqs_off_activate_mm.patch +sparc64-remove-mm_cpumask-clearing-to-fix-kthread_us.patch +f2fs-add-trace-exit-in-exception-path.patch +f2fs-fix-to-check-segment-boundary-during-sit-page-r.patch +um-change-sigio_spinlock-to-a-mutex.patch +arm-8997-2-hw_breakpoint-handle-inexact-watchpoint-a.patch +xfs-fix-realtime-bitmap-summary-file-truncation-when.patch +video-fbdev-pvr2fb-initialize-variables.patch +ath10k-start-recovery-process-when-payload-length-ex.patch +ath10k-fix-vht-nss-calculation-when-stbc-is-enabled.patch +drm-brige-megachips-add-checking-if-ge_b850v3_lvds_i.patch +media-videodev2.h-rgb-bt2020-and-hsv-are-always-full.patch +media-platform-improve-queue-set-up-flow-for-bug-fix.patch +usb-typec-tcpm-during-pr_swap-source-caps-should-be-.patch +media-tw5864-check-status-of-tw5864_frameinterval_ge.patch +mmc-via-sdmmc-fix-data-race-bug.patch +drm-bridge-synopsys-dsi-add-support-for-non-continuo.patch +printk-reduce-log_buf_shift-range-for-h8300.patch +kgdb-make-kgdbcon-work-properly-with-kgdb_earlycon.patch +cpufreq-sti-cpufreq-add-stih418-support.patch +usb-adutux-fix-debugging.patch +uio-free-uio-id-after-uio-file-node-is-freed.patch +arm64-mm-return-cpu_all_mask-when-node-is-numa_no_no.patch +acpi-add-out-of-bounds-and-numa_off-protections-to-p.patch +drivers-net-wan-hdlc_fr-correctly-handle-special-skb.patch +bus-fsl_mc-do-not-rely-on-caller-to-provide-non-null.patch +power-supply-test_power-add-missing-newlines-when-pr.patch 
+md-bitmap-md_bitmap_get_counter-returns-wrong-blocks.patch +bnxt_en-log-unknown-link-speed-appropriately.patch +clk-ti-clockdomain-fix-static-checker-warning.patch +asm-generic-io.h-fix-config_generic_iomap-pci_iounma.patch +net-9p-initialize-sun_server.sun_path-to-have-addr-s.patch +drivers-watchdog-rdc321x_wdt-fix-race-condition-bugs.patch +ext4-detect-already-used-quota-file-early.patch +gfs2-add-validation-checks-for-size-of-superblock.patch +arm64-dts-renesas-ulcb-add-full-pwr-cycle-in-suspend.patch +memory-emif-remove-bogus-debugfs-error-handling.patch +arm-dts-s5pv210-remove-dma-controller-bus-node-name-.patch +arm-dts-s5pv210-move-pmu-node-out-of-clock-controlle.patch +arm-dts-s5pv210-remove-dedicated-audio-subsystem-nod.patch +nbd-make-the-config-put-is-called-before-the-notifyi.patch +sgl_alloc_order-fix-memory-leak.patch +nvme-rdma-fix-crash-when-connect-rejected.patch diff --git a/queue-4.14/sgl_alloc_order-fix-memory-leak.patch b/queue-4.14/sgl_alloc_order-fix-memory-leak.patch new file mode 100644 index 00000000000..e3c7878f8e8 --- /dev/null +++ b/queue-4.14/sgl_alloc_order-fix-memory-leak.patch 
@@ -0,0 +1,42 @@ +From 0c5109a1d9025dfb636027ed5b422cd8e961a5cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Oct 2020 14:57:35 -0400 +Subject: sgl_alloc_order: fix memory leak + +From: Douglas Gilbert + +[ Upstream commit b2a182a40278bc5849730e66bca01a762188ed86 ] + +sgl_alloc_order() can fail when 'length' is large on a memory +constrained system. When order > 0 it will potentially be +making several multi-page allocations with the later ones more +likely to fail than the earlier one. So it is important that +sgl_alloc_order() frees up any pages it has obtained before +returning NULL. In the case when order > 0 it calls the wrong +free page function and leaks. In testing the leak was +sufficient to bring down my 8 GiB laptop with OOM. + +Reviewed-by: Bart Van Assche +Signed-off-by: Douglas Gilbert +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + lib/scatterlist.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/scatterlist.c b/lib/scatterlist.c +index 834c846c5af84..2cf02a82d502b 100644 +--- a/lib/scatterlist.c ++++ b/lib/scatterlist.c +@@ -477,7 +477,7 @@ struct scatterlist *sgl_alloc_order(unsigned long long length, + elem_len = min_t(u64, length, PAGE_SIZE << order); + page = alloc_pages(gfp, order); + if (!page) { +- sgl_free(sgl); ++ sgl_free_order(sgl, order); + return NULL; + } + +-- +2.27.0 + diff --git a/queue-4.14/sparc64-remove-mm_cpumask-clearing-to-fix-kthread_us.patch b/queue-4.14/sparc64-remove-mm_cpumask-clearing-to-fix-kthread_us.patch new file mode 100644 index 00000000000..a8f175bc307 --- /dev/null +++ b/queue-4.14/sparc64-remove-mm_cpumask-clearing-to-fix-kthread_us.patch 
@@ -0,0 +1,179 @@ +From 77ce3e4b7117aaf6d3388a462a70b4980170e13c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Sep 2020 14:52:18 +1000 +Subject: sparc64: remove mm_cpumask clearing to fix kthread_use_mm race + +From: Nicholas Piggin + +[ Upstream commit bafb056ce27940c9994ea905336aa8f27b4f7275 ] + +The de facto (and apparently uncommented) standard for using an mm had, +thanks to this code in sparc if nothing else, been that you must have a +reference on mm_users *and that reference must have been obtained with +mmget()*, i.e., from a thread with a reference to mm_users that had used +the mm. + +The introduction of mmget_not_zero() in commit d2005e3f41d4 +("userfaultfd: don't pin the user memory in userfaultfd_file_create()") +allowed mm_count holders to aoperate on user mappings asynchronously +from the actual threads using the mm, but they were not to load those +mappings into their TLB (i.e., walking vmas and page tables is okay, +kthread_use_mm() is not). + +io_uring 2b188cc1bb857 ("Add io_uring IO interface") added code which +does a kthread_use_mm() from a mmget_not_zero() refcount. + +The problem with this is code which previously assumed mm == current->mm +and mm->mm_users == 1 implies the mm will remain single-threaded at +least until this thread creates another mm_users reference, has now +broken. + +arch/sparc/kernel/smp_64.c: + + if (atomic_read(&mm->mm_users) == 1) { + cpumask_copy(mm_cpumask(mm), cpumask_of(cpu)); + goto local_flush_and_out; + } + +vs fs/io_uring.c + + if (unlikely(!(ctx->flags & IORING_SETUP_SQPOLL) || + !mmget_not_zero(ctx->sqo_mm))) + return -EFAULT; + kthread_use_mm(ctx->sqo_mm); + +mmget_not_zero() could come in right after the mm_users == 1 test, then +kthread_use_mm() which sets its CPU in the mm_cpumask. That update could +be lost if cpumask_copy() occurs afterward. 
+ +I propose we fix this by allowing mmget_not_zero() to be a first-class +reference, and not have this obscure undocumented and unchecked +restriction. + +The basic fix for sparc64 is to remove its mm_cpumask clearing code. The +optimisation could be effectively restored by sending IPIs to mm_cpumask +members and having them remove themselves from mm_cpumask. This is more +tricky so I leave it as an exercise for someone with a sparc64 SMP. +powerpc has a (currently similarly broken) example. + +Signed-off-by: Nicholas Piggin +Acked-by: David S. Miller +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200914045219.3736466-4-npiggin@gmail.com +Signed-off-by: Sasha Levin +--- + arch/sparc/kernel/smp_64.c | 65 ++++++++------------------------------ + 1 file changed, 14 insertions(+), 51 deletions(-) + +diff --git a/arch/sparc/kernel/smp_64.c b/arch/sparc/kernel/smp_64.c +index c50182cd2f646..98825058e1df0 100644 +--- a/arch/sparc/kernel/smp_64.c ++++ b/arch/sparc/kernel/smp_64.c +@@ -1039,38 +1039,9 @@ void smp_fetch_global_pmu(void) + * are flush_tlb_*() routines, and these run after flush_cache_*() + * which performs the flushw. + * +- * The SMP TLB coherency scheme we use works as follows: +- * +- * 1) mm->cpu_vm_mask is a bit mask of which cpus an address +- * space has (potentially) executed on, this is the heuristic +- * we use to avoid doing cross calls. +- * +- * Also, for flushing from kswapd and also for clones, we +- * use cpu_vm_mask as the list of cpus to make run the TLB. +- * +- * 2) TLB context numbers are shared globally across all processors +- * in the system, this allows us to play several games to avoid +- * cross calls. +- * +- * One invariant is that when a cpu switches to a process, and +- * that processes tsk->active_mm->cpu_vm_mask does not have the +- * current cpu's bit set, that tlb context is flushed locally. +- * +- * If the address space is non-shared (ie. 
mm->count == 1) we avoid +- * cross calls when we want to flush the currently running process's +- * tlb state. This is done by clearing all cpu bits except the current +- * processor's in current->mm->cpu_vm_mask and performing the +- * flush locally only. This will force any subsequent cpus which run +- * this task to flush the context from the local tlb if the process +- * migrates to another cpu (again). +- * +- * 3) For shared address spaces (threads) and swapping we bite the +- * bullet for most cases and perform the cross call (but only to +- * the cpus listed in cpu_vm_mask). +- * +- * The performance gain from "optimizing" away the cross call for threads is +- * questionable (in theory the big win for threads is the massive sharing of +- * address space state across processors). ++ * mm->cpu_vm_mask is a bit mask of which cpus an address ++ * space has (potentially) executed on, this is the heuristic ++ * we use to limit cross calls. + */ + + /* This currently is only used by the hugetlb arch pre-fault +@@ -1080,18 +1051,13 @@ void smp_fetch_global_pmu(void) + void smp_flush_tlb_mm(struct mm_struct *mm) + { + u32 ctx = CTX_HWBITS(mm->context); +- int cpu = get_cpu(); + +- if (atomic_read(&mm->mm_users) == 1) { +- cpumask_copy(mm_cpumask(mm), cpumask_of(cpu)); +- goto local_flush_and_out; +- } ++ get_cpu(); + + smp_cross_call_masked(&xcall_flush_tlb_mm, + ctx, 0, 0, + mm_cpumask(mm)); + +-local_flush_and_out: + __flush_tlb_mm(ctx, SECONDARY_CONTEXT); + + put_cpu(); +@@ -1114,17 +1080,15 @@ void smp_flush_tlb_pending(struct mm_struct *mm, unsigned long nr, unsigned long + { + u32 ctx = CTX_HWBITS(mm->context); + struct tlb_pending_info info; +- int cpu = get_cpu(); ++ ++ get_cpu(); + + info.ctx = ctx; + info.nr = nr; + info.vaddrs = vaddrs; + +- if (mm == current->mm && atomic_read(&mm->mm_users) == 1) +- cpumask_copy(mm_cpumask(mm), cpumask_of(cpu)); +- else +- smp_call_function_many(mm_cpumask(mm), tlb_pending_func, +- &info, 1); ++ 
smp_call_function_many(mm_cpumask(mm), tlb_pending_func, ++ &info, 1); + + __flush_tlb_pending(ctx, nr, vaddrs); + +@@ -1134,14 +1098,13 @@ void smp_flush_tlb_pending(struct mm_struct *mm, unsigned long nr, unsigned long + void smp_flush_tlb_page(struct mm_struct *mm, unsigned long vaddr) + { + unsigned long context = CTX_HWBITS(mm->context); +- int cpu = get_cpu(); + +- if (mm == current->mm && atomic_read(&mm->mm_users) == 1) +- cpumask_copy(mm_cpumask(mm), cpumask_of(cpu)); +- else +- smp_cross_call_masked(&xcall_flush_tlb_page, +- context, vaddr, 0, +- mm_cpumask(mm)); ++ get_cpu(); ++ ++ smp_cross_call_masked(&xcall_flush_tlb_page, ++ context, vaddr, 0, ++ mm_cpumask(mm)); ++ + __flush_tlb_page(context, vaddr); + + put_cpu(); +-- +2.27.0 + diff --git a/queue-4.14/uio-free-uio-id-after-uio-file-node-is-freed.patch b/queue-4.14/uio-free-uio-id-after-uio-file-node-is-freed.patch new file mode 100644 index 00000000000..e4e0f2d4972 --- /dev/null +++ b/queue-4.14/uio-free-uio-id-after-uio-file-node-is-freed.patch 
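Review bot: In smp_flush_tlb_mm(), smp_flush_tlb_pending() and smp_flush_tlb_page() the result of `get_cpu()` is now discarded, so the call is kept only for its side effect of disabling preemption until `put_cpu()`. A bare `get_cpu();` does not make that intent obvious. Either add a comment such as `/* CPU number unused; keep the cross call and the local flush on one CPU */`, or use `preempt_disable()` paired with `preempt_enable()` in place of `put_cpu()`. The shortened block comment also still names `mm->cpu_vm_mask`, while the code reads the mask through `mm_cpumask(mm)`.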
@@ -0,0 +1,85 @@ +From cae44afc9bf45133ba000079b0947b98b9fe1047 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Sep 2020 11:26:41 +0800 +Subject: uio: free uio id after uio file node is freed + +From: Lang Dai + +[ Upstream commit 8fd0e2a6df262539eaa28b0a2364cca10d1dc662 ] + +uio_register_device() do two things. +1) get an uio id from a global pool, e.g. the id is +2) create file nodes like /sys/class/uio/uio + +uio_unregister_device() do two things. +1) free the uio id and return it to the global pool +2) free the file node /sys/class/uio/uio + +There is a situation is that one worker is calling uio_unregister_device(), +and another worker is calling uio_register_device(). +If the two workers are X and Y, they go as below sequence, +1) X free the uio id +2) Y get an uio id +3) Y create file node /sys/class/uio/uio +4) X free the file note /sys/class/uio/uio +Then it will failed at the 3rd step and cause the phenomenon we saw as it +is creating a duplicated file node. + +Failure reports as follows: +sysfs: cannot create duplicate filename '/class/uio/uio10' +Call Trace: + sysfs_do_create_link_sd.isra.2+0x9e/0xb0 + sysfs_create_link+0x25/0x40 + device_add+0x2c4/0x640 + __uio_register_device+0x1c5/0x576 [uio] + adf_uio_init_bundle_dev+0x231/0x280 [intel_qat] + adf_uio_register+0x1c0/0x340 [intel_qat] + adf_dev_start+0x202/0x370 [intel_qat] + adf_dev_start_async+0x40/0xa0 [intel_qat] + process_one_work+0x14d/0x410 + worker_thread+0x4b/0x460 + kthread+0x105/0x140 + ? process_one_work+0x410/0x410 + ? 
kthread_bind+0x40/0x40 + ret_from_fork+0x1f/0x40 + Code: 85 c0 48 89 c3 74 12 b9 00 10 00 00 48 89 c2 31 f6 4c 89 ef + e8 ec c4 ff ff 4c 89 e2 48 89 de 48 c7 c7 e8 b4 ee b4 e8 6a d4 d7 + ff <0f> 0b 48 89 df e8 20 fa f3 ff 5b 41 5c 41 5d 5d c3 66 0f 1f 84 +---[ end trace a7531c1ed5269e84 ]--- + c6xxvf b002:00:00.0: Failed to register UIO devices + c6xxvf b002:00:00.0: Failed to register UIO devices + +Signed-off-by: Lang Dai + +Link: https://lore.kernel.org/r/1600054002-17722-1-git-send-email-lang.dai@intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/uio/uio.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/uio/uio.c b/drivers/uio/uio.c +index 7c18536a3742a..4fc94b5e15ef4 100644 +--- a/drivers/uio/uio.c ++++ b/drivers/uio/uio.c +@@ -1009,8 +1009,6 @@ void uio_unregister_device(struct uio_info *info) + + idev = info->uio_dev; + +- uio_free_minor(idev); +- + mutex_lock(&idev->info_lock); + uio_dev_del_attributes(idev); + +@@ -1022,6 +1020,8 @@ void uio_unregister_device(struct uio_info *info) + + device_unregister(&idev->dev); + ++ uio_free_minor(idev); ++ + return; + } + EXPORT_SYMBOL_GPL(uio_unregister_device); +-- +2.27.0 + diff --git a/queue-4.14/um-change-sigio_spinlock-to-a-mutex.patch b/queue-4.14/um-change-sigio_spinlock-to-a-mutex.patch new file mode 100644 index 00000000000..6718a6408ce --- /dev/null +++ b/queue-4.14/um-change-sigio_spinlock-to-a-mutex.patch 
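Review bot: In uio_unregister_device(), `uio_free_minor(idev)` now runs after `device_unregister(&idev->dev)`, which may drop the last reference to the embedded device. If the device's release callback frees idev (not visible in this hunk), the moved call reads freed memory to find the minor number. Capturing the number first avoids that: `minor = idev->minor;` before the unregister and `uio_free_minor(minor);` after it. This needs uio_free_minor() to take the minor rather than the device, and its definition is outside the hunk.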
@@ -0,0 +1,78 @@ +From ec2210c429c12c0fe36414480cacdeaa6037a10b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Jun 2020 13:23:17 +0200 +Subject: um: change sigio_spinlock to a mutex + +From: Johannes Berg + +[ Upstream commit f2d05059e15af3f70502074f4e3a504530af504a ] + +Lockdep complains at boot: + +============================= +[ BUG: Invalid wait context ] +5.7.0-05093-g46d91ecd597b #98 Not tainted +----------------------------- +swapper/1 is trying to lock: +0000000060931b98 (&desc[i].request_mutex){+.+.}-{3:3}, at: __setup_irq+0x11d/0x623 +other info that might help us debug this: +context-{4:4} +1 lock held by swapper/1: + #0: 000000006074fed8 (sigio_spinlock){+.+.}-{2:2}, at: sigio_lock+0x1a/0x1c +stack backtrace: +CPU: 0 PID: 1 Comm: swapper Not tainted 5.7.0-05093-g46d91ecd597b #98 +Stack: + 7fa4fab0 6028dfd1 0000002a 6008bea5 + 7fa50700 7fa50040 7fa4fac0 6028e016 + 7fa4fb50 6007f6da 60959c18 00000000 +Call Trace: + [<60023a0e>] show_stack+0x13b/0x155 + [<6028e016>] dump_stack+0x2a/0x2c + [<6007f6da>] __lock_acquire+0x515/0x15f2 + [<6007eb50>] lock_acquire+0x245/0x273 + [<6050d9f1>] __mutex_lock+0xbd/0x325 + [<6050dc76>] mutex_lock_nested+0x1d/0x1f + [<6008e27e>] __setup_irq+0x11d/0x623 + [<6008e8ed>] request_threaded_irq+0x169/0x1a6 + [<60021eb0>] um_request_irq+0x1ee/0x24b + [<600234ee>] write_sigio_irq+0x3b/0x76 + [<600383ca>] sigio_broken+0x146/0x2e4 + [<60020bd8>] do_one_initcall+0xde/0x281 + +Because we hold sigio_spinlock and then get into requesting +an interrupt with a mutex. + +Change the spinlock to a mutex to avoid that. 
+ +Signed-off-by: Johannes Berg +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + arch/um/kernel/sigio.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/um/kernel/sigio.c b/arch/um/kernel/sigio.c +index b5e0cbb343828..476ded92affac 100644 +--- a/arch/um/kernel/sigio.c ++++ b/arch/um/kernel/sigio.c +@@ -36,14 +36,14 @@ int write_sigio_irq(int fd) + } + + /* These are called from os-Linux/sigio.c to protect its pollfds arrays. */ +-static DEFINE_SPINLOCK(sigio_spinlock); ++static DEFINE_MUTEX(sigio_mutex); + + void sigio_lock(void) + { +- spin_lock(&sigio_spinlock); ++ mutex_lock(&sigio_mutex); + } + + void sigio_unlock(void) + { +- spin_unlock(&sigio_spinlock); ++ mutex_unlock(&sigio_mutex); + } +-- +2.27.0 + diff --git a/queue-4.14/usb-adutux-fix-debugging.patch b/queue-4.14/usb-adutux-fix-debugging.patch new file mode 100644 index 00000000000..e6b221402f5 --- /dev/null +++ b/queue-4.14/usb-adutux-fix-debugging.patch 
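Review bot: sigio_lock() now calls `mutex_lock(&sigio_mutex)`, which can sleep, where the previous `spin_lock()` could be taken from any context. The existing comment says these helpers are called from os-Linux/sigio.c, and those callers are not part of this hunk. Confirm that none of them runs in interrupt or otherwise atomic context. Recording the new constraint next to the definition keeps it from being violated later, e.g. `/* May sleep: callers must be in process context. */` above sigio_lock().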
@@ -0,0 +1,35 @@ +From af5c5c41d83d5e41d40e371e3b920b6f985e74ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Sep 2020 13:26:00 +0200 +Subject: USB: adutux: fix debugging + +From: Oliver Neukum + +[ Upstream commit c56150c1bc8da5524831b1dac2eec3c67b89f587 ] + +Handling for removal of the controller was missing at one place. +Add it. + +Signed-off-by: Oliver Neukum +Link: https://lore.kernel.org/r/20200917112600.26508-1-oneukum@suse.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/misc/adutux.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/usb/misc/adutux.c b/drivers/usb/misc/adutux.c +index 45390045c75dc..852f768ef77b2 100644 +--- a/drivers/usb/misc/adutux.c ++++ b/drivers/usb/misc/adutux.c +@@ -209,6 +209,7 @@ static void adu_interrupt_out_callback(struct urb *urb) + + if (status != 0) { + if ((status != -ENOENT) && ++ (status != -ESHUTDOWN) && + (status != -ECONNRESET)) { + dev_dbg(&dev->udev->dev, + "%s :nonzero status received: %d\n", __func__, +-- +2.27.0 + diff --git a/queue-4.14/usb-typec-tcpm-during-pr_swap-source-caps-should-be-.patch b/queue-4.14/usb-typec-tcpm-during-pr_swap-source-caps-should-be-.patch new file mode 100644 index 00000000000..8f231d64f7d --- /dev/null +++ b/queue-4.14/usb-typec-tcpm-during-pr_swap-source-caps-should-be-.patch 
@@ -0,0 +1,80 @@ +From 07724cbff2f67d52c3bf5ca5fea6667e0e2d1153 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Aug 2020 11:38:27 -0700 +Subject: usb: typec: tcpm: During PR_SWAP, source caps should be sent only + after tSwapSourceStart + +From: Badhri Jagan Sridharan + +[ Upstream commit 6bbe2a90a0bb4af8dd99c3565e907fe9b5e7fd88 ] + +The patch addresses the compliance test failures while running +TD.PD.CP.E3, TD.PD.CP.E4, TD.PD.CP.E5 of the "Deterministic PD +Compliance MOI" test plan published in https://www.usb.org/usbc. +For a product to be Type-C compliant, it's expected that these tests +are run on usb.org certified Type-C compliance tester as mentioned in +https://www.usb.org/usbc. + +The purpose of the tests TD.PD.CP.E3, TD.PD.CP.E4, TD.PD.CP.E5 is to +verify the PR_SWAP response of the device. While doing so, the test +asserts that Source Capabilities message is NOT received from the test +device within tSwapSourceStart min (20 ms) from the time the last bit +of GoodCRC corresponding to the RS_RDY message sent by the UUT was +sent. If it does then the test fails. + +This is in line with the requirements from the USB Power Delivery +Specification Revision 3.0, Version 1.2: +"6.6.8.1 SwapSourceStartTimer +The SwapSourceStartTimer Shall be used by the new Source, after a +Power Role Swap or Fast Role Swap, to ensure that it does not send +Source_Capabilities Message before the new Sink is ready to receive +the +Source_Capabilities Message. The new Source Shall Not send the +Source_Capabilities Message earlier than tSwapSourceStart after the +last bit of the EOP of GoodCRC Message sent in response to the PS_RDY +Message sent by the new Source indicating that its power supply is +ready." + +The patch makes sure that TCPM does not send the Source_Capabilities +Message within tSwapSourceStart(20ms) by transitioning into +SRC_STARTUP only after tSwapSourceStart(20ms). 
+ +Signed-off-by: Badhri Jagan Sridharan +Reviewed-by: Guenter Roeck +Reviewed-by: Heikki Krogerus +Link: https://lore.kernel.org/r/20200817183828.1895015-1-badhri@google.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/typec/pd.h | 1 + + drivers/staging/typec/tcpm.c | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/staging/typec/pd.h b/drivers/staging/typec/pd.h +index 30b32ad72acd7..a18ab898fa668 100644 +--- a/drivers/staging/typec/pd.h ++++ b/drivers/staging/typec/pd.h +@@ -280,6 +280,7 @@ static inline unsigned int rdo_max_power(u32 rdo) + #define PD_T_ERROR_RECOVERY 100 /* minimum 25 is insufficient */ + #define PD_T_SRCSWAPSTDBY 625 /* Maximum of 650ms */ + #define PD_T_NEWSRC 250 /* Maximum of 275ms */ ++#define PD_T_SWAP_SRC_START 20 /* Minimum of 20ms */ + + #define PD_T_DRP_TRY 100 /* 75 - 150 ms */ + #define PD_T_DRP_TRYWAIT 600 /* 400 - 800 ms */ +diff --git a/drivers/staging/typec/tcpm.c b/drivers/staging/typec/tcpm.c +index f237e31926f4c..686037a498c19 100644 +--- a/drivers/staging/typec/tcpm.c ++++ b/drivers/staging/typec/tcpm.c +@@ -2741,7 +2741,7 @@ static void run_state_machine(struct tcpm_port *port) + */ + tcpm_set_pwr_role(port, TYPEC_SOURCE); + tcpm_pd_send_control(port, PD_CTRL_PS_RDY); +- tcpm_set_state(port, SRC_STARTUP, 0); ++ tcpm_set_state(port, SRC_STARTUP, PD_T_SWAP_SRC_START); + break; + + case VCONN_SWAP_ACCEPT: +-- +2.27.0 + diff --git a/queue-4.14/video-fbdev-pvr2fb-initialize-variables.patch b/queue-4.14/video-fbdev-pvr2fb-initialize-variables.patch new file mode 100644 index 00000000000..0af2699237c --- /dev/null +++ b/queue-4.14/video-fbdev-pvr2fb-initialize-variables.patch 
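Review bot: `PD_T_SWAP_SRC_START` is set to exactly the 20 ms minimum quoted in the commit message, with no margin. Neighbouring timers in pd.h do leave margin against their limits (`PD_T_SRCSWAPSTDBY 625 /* Maximum of 650ms */`, `PD_T_ERROR_RECOVERY 100 /* minimum 25 is insufficient */`). The hunk does not show how `tcpm_set_state(port, SRC_STARTUP, PD_T_SWAP_SRC_START)` arms its delay. If it is converted to jiffies, a timer armed mid-tick can expire slightly short of 20 ms on low-HZ configurations, and Source_Capabilities would then fall inside the window the compliance tests check. If the specification leaves room above the minimum, a small margin would cover this, e.g. `#define PD_T_SWAP_SRC_START 25 /* Minimum of 20ms, plus margin */`. The body of run_state_machine() extends outside the hunk.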
@@ -0,0 +1,49 @@
+From 0ae2cc0c790e9d34f33cf29655f73f6a5b9cfbc9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 20 Jul 2020 12:18:45 -0700
+Subject: video: fbdev: pvr2fb: initialize variables
+
+From: Tom Rix
+
+[ Upstream commit 8e1ba47c60bcd325fdd097cd76054639155e5d2e ]
+
+clang static analysis reports this repesentative error
+
+pvr2fb.c:1049:2: warning: 1st function call argument
+ is an uninitialized value [core.CallAndMessage]
+ if (*cable_arg)
+ ^~~~~~~~~~~~~~~
+
+Problem is that cable_arg depends on the input loop to
+set the cable_arg[0]. If it does not, then some random
+value from the stack is used.
+
+A similar problem exists for output_arg.
+
+So initialize cable_arg and output_arg.
+
+Signed-off-by: Tom Rix
+Acked-by: Arnd Bergmann
+Signed-off-by: Sam Ravnborg
+Link: https://patchwork.freedesktop.org/patch/msgid/20200720191845.20115-1-trix@redhat.com
+Signed-off-by: Sasha Levin
+---
+ drivers/video/fbdev/pvr2fb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/video/fbdev/pvr2fb.c b/drivers/video/fbdev/pvr2fb.c
+index 867c5218968f7..426e79061bc88 100644
+--- a/drivers/video/fbdev/pvr2fb.c
++++ b/drivers/video/fbdev/pvr2fb.c
+@@ -1029,6 +1029,8 @@ static int __init pvr2fb_setup(char *options)
+ if (!options || !*options)
+ return 0;
+
++ cable_arg[0] = output_arg[0] = 0;
++
+ while ((this_opt = strsep(&options, ","))) {
+ if (!*this_opt)
+ continue;
+--
+2.27.0
+
diff --git a/queue-4.14/x86-unwind-orc-fix-inactive-tasks-with-stack-pointer.patch b/queue-4.14/x86-unwind-orc-fix-inactive-tasks-with-stack-pointer.patch
new file mode 100644
index 00000000000..6c25b7a5c06
--- /dev/null
+++ b/queue-4.14/x86-unwind-orc-fix-inactive-tasks-with-stack-pointer.patch
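Review bot: In pvr2fb_setup(), `cable_arg[0] = output_arg[0] = 0;` clears only the first byte of each buffer, so everything past index 0 is still whatever was on the stack. That is enough for the `if (*cable_arg)` test quoted in the commit message, but it relies on every later reader stopping at the first NUL. Zero-initialising both arrays where they are declared (an `= ""` initialiser on each) would cover the whole buffer and make the guarantee independent of where the early `return 0` sits. The declarations and the option-parsing loop body are outside this hunk, so the exact form has to be checked against the full function.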
@@ -0,0 +1,145 @@
+From e956125fbaa6985f4b193e4d274703828ea05d6f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 14 Oct 2020 07:30:51 +0200
+Subject: x86/unwind/orc: Fix inactive tasks with stack pointer in %sp on GCC
+ 10 compiled kernels
+
+From: Jiri Slaby
+
+[ Upstream commit f2ac57a4c49d40409c21c82d23b5706df9b438af ]
+
+GCC 10 optimizes the scheduler code differently than its predecessors.
+
+When CONFIG_DEBUG_SECTION_MISMATCH=y, the Makefile forces GCC not
+to inline some functions (-fno-inline-functions-called-once). Before GCC
+10, "no-inlined" __schedule() starts with the usual prologue:
+
+ push %bp
+ mov %sp, %bp
+
+So the ORC unwinder simply picks stack pointer from %bp and
+unwinds from __schedule() just perfectly:
+
+ $ cat /proc/1/stack
+ [<0>] ep_poll+0x3e9/0x450
+ [<0>] do_epoll_wait+0xaa/0xc0
+ [<0>] __x64_sys_epoll_wait+0x1a/0x20
+ [<0>] do_syscall_64+0x33/0x40
+ [<0>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+But now, with GCC 10, there is no %bp prologue in __schedule():
+
+ $ cat /proc/1/stack
+
+
+The ORC entry of the point in __schedule() is:
+
+ sp:sp+88 bp:last_sp-48 type:call end:0
+
+In this case, nobody subtracts sizeof "struct inactive_task_frame" in
+__unwind_start(). The struct is put on the stack by __switch_to_asm() and
+only then __switch_to_asm() stores %sp to task->thread.sp. But we start
+unwinding from a point in __schedule() (stored in frame->ret_addr by
+'call') and not in __switch_to_asm().
+
+So for these example values in __unwind_start():
+
+ sp=ffff94b50001fdc8 bp=ffff8e1f41d29340 ip=__schedule+0x1f0
+
+The stack is:
+
+ ffff94b50001fdc8: ffff8e1f41578000 # struct inactive_task_frame
+ ffff94b50001fdd0: 0000000000000000
+ ffff94b50001fdd8: ffff8e1f41d29340
+ ffff94b50001fde0: ffff8e1f41611d40 # ...
+ ffff94b50001fde8: ffffffff93c41920 # bx
+ ffff94b50001fdf0: ffff8e1f41d29340 # bp
+ ffff94b50001fdf8: ffffffff9376cad0 # ret_addr (and end of the struct)
+
+0xffffffff9376cad0 is __schedule+0x1f0 (after the call to
+__switch_to_asm). Now follow those 88 bytes from the ORC entry (sp+88).
+The entry is correct, __schedule() really pushes 48 bytes (8*7) + 32 bytes
+via subq to store some local values (like 4U below). So to unwind, look
+at the offset 88-sizeof(long) = 0x50 from here:
+
+ ffff94b50001fe00: ffff8e1f41578618
+ ffff94b50001fe08: 00000cc000000255
+ ffff94b50001fe10: 0000000500000004
+ ffff94b50001fe18: 7793fab6956b2d00 # NOTE (see below)
+ ffff94b50001fe20: ffff8e1f41578000
+ ffff94b50001fe28: ffff8e1f41578000
+ ffff94b50001fe30: ffff8e1f41578000
+ ffff94b50001fe38: ffff8e1f41578000
+ ffff94b50001fe40: ffff94b50001fed8
+ ffff94b50001fe48: ffff8e1f41577ff0
+ ffff94b50001fe50: ffffffff9376cf12
+
+Here ^^^^^^^^^^^^^^^^ is the correct ret addr from
+__schedule(). It translates to schedule+0x42 (insn after a call to
+__schedule()).
+
+BUT, unwind_next_frame() tries to take the address starting from
+0xffff94b50001fdc8. That is exactly from thread.sp+88-sizeof(long) =
+0xffff94b50001fdc8+88-8 = 0xffff94b50001fe18, which is garbage marked as
+NOTE above. So this quits the unwinding as 7793fab6956b2d00 is obviously
+not a kernel address.
+
+There was a fix to skip 'struct inactive_task_frame' in
+unwind_get_return_address_ptr in the following commit:
+
+ 187b96db5ca7 ("x86/unwind/orc: Fix unwind_get_return_address_ptr() for inactive tasks")
+
+But we need to skip the struct already in the unwinder proper. So
+subtract the size (increase the stack pointer) of the structure in
+__unwind_start() directly. This allows for removal of the code added by
+commit 187b96db5ca7 completely, as the address is now at
+'(unsigned long *)state->sp - 1', the same as in the generic case.
+
+[ mingo: Cleaned up the changelog a bit, for better readability. ]
+
+Fixes: ee9f8fce9964 ("x86/unwind: Add the ORC unwinder")
+Bug: https://bugzilla.suse.com/show_bug.cgi?id=1176907
+Signed-off-by: Jiri Slaby
+Signed-off-by: Ingo Molnar
+Link: https://lore.kernel.org/r/20201014053051.24199-1-jslaby@suse.cz
+Signed-off-by: Sasha Levin
+---
+ arch/x86/kernel/unwind_orc.c | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+diff --git a/arch/x86/kernel/unwind_orc.c b/arch/x86/kernel/unwind_orc.c
+index a5e2ce931f692..e64c5b78fbfd3 100644
+--- a/arch/x86/kernel/unwind_orc.c
++++ b/arch/x86/kernel/unwind_orc.c
+@@ -255,19 +255,12 @@ EXPORT_SYMBOL_GPL(unwind_get_return_address);
+
+ unsigned long *unwind_get_return_address_ptr(struct unwind_state *state)
+ {
+- struct task_struct *task = state->task;
+-
+ if (unwind_done(state))
+ return NULL;
+
+ if (state->regs)
+ return &state->regs->ip;
+
+- if (task != current && state->sp == task->thread.sp) {
+- struct inactive_task_frame *frame = (void *)task->thread.sp;
+- return &frame->ret_addr;
+- }
+-
+ if (state->sp)
+ return (unsigned long *)state->sp - 1;
+
+@@ -550,7 +543,7 @@ void __unwind_start(struct unwind_state *state, struct task_struct *task,
+ } else {
+ struct inactive_task_frame *frame = (void *)task->thread.sp;
+
+- state->sp = task->thread.sp;
++ state->sp = task->thread.sp + sizeof(*frame);
+ state->bp = READ_ONCE_NOCHECK(frame->bp);
+ state->ip = READ_ONCE_NOCHECK(frame->ret_addr);
+ state->signal = (void *)state->ip == ret_from_fork;
+--
+2.27.0
+
diff --git a/queue-4.14/xfs-fix-realtime-bitmap-summary-file-truncation-when.patch b/queue-4.14/xfs-fix-realtime-bitmap-summary-file-truncation-when.patch
new file mode 100644
index 00000000000..bf589989e36
--- /dev/null
+++ b/queue-4.14/xfs-fix-realtime-bitmap-summary-file-truncation-when.patch
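Review bot: The new `state->sp = task->thread.sp + sizeof(*frame);` in __unwind_start() carries no comment, and the reason for the offset is only in the changelog. A short comment above it, such as `/* Skip the inactive_task_frame pushed by __switch_to_asm(); ORC data for __schedule() is relative to the sp above it. */`, would keep a later cleanup from reverting to the bare `thread.sp`. Since unwind_get_return_address_ptr() no longer special-cases inactive tasks, any other code that compares `state->sp` with `task->thread.sp` would need the same adjustment; none is visible in these hunks, and both functions continue outside them.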
@@ -0,0 +1,70 @@
+From d4cb22d7cdd76cc1f5932ac0441a76f515e1c54c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 7 Oct 2020 13:55:16 -0700
+Subject: xfs: fix realtime bitmap/summary file truncation when growing rt
+ volume
+
+From: Darrick J. Wong
+
+[ Upstream commit f4c32e87de7d66074d5612567c5eac7325024428 ]
+
+The realtime bitmap and summary files are regular files that are hidden
+away from the directory tree. Since they're regular files, inode
+inactivation will try to purge what it thinks are speculative
+preallocations beyond the incore size of the file. Unfortunately,
+xfs_growfs_rt forgets to update the incore size when it resizes the
+inodes, with the result that inactivating the rt inodes at unmount time
+will cause their contents to be truncated.
+
+Fix this by updating the incore size when we change the ondisk size as
+part of updating the superblock. Note that we don't do this when we're
+allocating blocks to the rt inodes because we actually want those blocks
+to get purged if the growfs fails.
+
+This fixes corruption complaints from the online rtsummary checker when
+running xfs/233. Since that test requires rmap, one can also trigger
+this by growing an rt volume, cycling the mount, and creating rt files.
+
+Signed-off-by: Darrick J. Wong
+Reviewed-by: Chandan Babu R
+Signed-off-by: Sasha Levin
+---
+ fs/xfs/xfs_rtalloc.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/fs/xfs/xfs_rtalloc.c b/fs/xfs/xfs_rtalloc.c
+index 7d3b56872e563..f1cf832837104 100644
+--- a/fs/xfs/xfs_rtalloc.c
++++ b/fs/xfs/xfs_rtalloc.c
+@@ -1014,10 +1014,13 @@ xfs_growfs_rt(
+ xfs_ilock(mp->m_rbmip, XFS_ILOCK_EXCL);
+ xfs_trans_ijoin(tp, mp->m_rbmip, XFS_ILOCK_EXCL);
+ /*
+- * Update the bitmap inode's size.
++ * Update the bitmap inode's size ondisk and incore. We need
++ * to update the incore size so that inode inactivation won't
++ * punch what it thinks are "posteof" blocks.
+ */
+ mp->m_rbmip->i_d.di_size =
+ nsbp->sb_rbmblocks * nsbp->sb_blocksize;
++ i_size_write(VFS_I(mp->m_rbmip), mp->m_rbmip->i_d.di_size);
+ xfs_trans_log_inode(tp, mp->m_rbmip, XFS_ILOG_CORE);
+ /*
+ * Get the summary inode into the transaction.
+@@ -1025,9 +1028,12 @@ xfs_growfs_rt(
+ xfs_ilock(mp->m_rsumip, XFS_ILOCK_EXCL);
+ xfs_trans_ijoin(tp, mp->m_rsumip, XFS_ILOCK_EXCL);
+ /*
+- * Update the summary inode's size.
++ * Update the summary inode's size. We need to update the
++ * incore size so that inode inactivation won't punch what it
++ * thinks are "posteof" blocks.
+ */
+ mp->m_rsumip->i_d.di_size = nmp->m_rsumsize;
++ i_size_write(VFS_I(mp->m_rsumip), mp->m_rsumip->i_d.di_size);
+ xfs_trans_log_inode(tp, mp->m_rsumip, XFS_ILOG_CORE);
+ /*
+ * Copy summary data from old to new sizes.
+--
+2.27.0
+
-- 2.47.3